Introduction
This document describes guidelines and recommendations for migrating legacy Catalyst 3k/4k/6k switches that run in an SD-Access fabric network to Catalyst 9k switches.
Background Information
Cisco Software-Defined Access (SD-Access), a solution within Cisco Digital Network Architecture (Cisco DNA) which is built on intent-based network principles, provides a transformational shift in building, managing, and securing networks, making them faster and easier to operate, with improved business efficiency. By decoupling network functions from hardware, it creates a virtual overlay over the underlying physical network infrastructure.
Presumption
The SD-Access network is up with Cisco Digital Network Architecture Center (DNAC) and Catalyst switches. The Catalyst switches are deployed in one of the fabric roles such as Border, Control Plane and Edge. Network availability for the client endpoints can be disrupted, and there are no critical workloads that cannot tolerate a teardown. Physical connectivity from the new Edge nodes to the client endpoints, and from the new Border/Control Plane nodes to the external networks, must be established. Also, each new device added to the network must have connectivity to DNAC through the underlay network.
Migration Guidelines
Migration from legacy Catalyst 3k/4k/6k switches to Catalyst 9k switches can be a challenge. It is important to select the right model of new switches for the fabric device roles in the migration plan.
The need to migrate to a newer platform can arise for different reasons. New features in the SD-Access fabric are not supported on the legacy Catalyst platforms. Some examples are listed here:
Fabric in a Box (FIAB) is not supported as shown in the image.
SDA features post DNAC release 2.1.2.x are not supported as shown in the image. For example, Directed Broadcast.
SDA 2.0 is not supported as shown in the image.
Replace 3k/4k/6k with 9k in SD-Access fabric:
Resources that help you to compare and choose the new 9k platforms for your network are listed here. Refer to the Switch Selector Tool: https://www.cisco.com/c/en/us/products/switches/switch-selector.html.
Benefits of upgrade to new 9k switch models:
Migration workflow in SD-Access Fabric:
Cisco DNAC that manages SD-Access Fabric switches currently doesn’t support migration of the fabric devices to new platforms. However, SD-Access fabric devices can be replaced with a similar device and model with the RMA workflow wizard in DNAC.
Reference for RMA workflow: https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/products-user-guide-list.html
Navigate to Manage your Inventory > Replace a Faulty device for details.
Migration from legacy switches to Catalyst 9k:
The legacy fabric device roles that can be migrated to new Catalyst 9k switches are listed here.
- Edge Node (Catalyst 9200, 9300, 9400 and 9500 series switches are recommended)
- Border Node (Catalyst 9300, 9400, 9500 and 9600 series switches are recommended)
- Control plane Node (Catalyst 9300, 9400, 9500 and 9600 series switches are recommended)
Remove the device from SD-Access fabric:
You need to remove the legacy Catalyst 3k/4k/6k switch from the fabric first. The legacy Catalyst fabric devices can be deleted from the fabric and inventory before the addition of the new device. Select the option based on the fabric device role.
Follow these steps in order to remove the device from the fabric:
1. Take a snapshot of the Fabric device configuration.
2. Some examples of what to capture are:
2.1. Edge – Static port assignments, any authentication methods on the ports
2.2. Borders – Layer2 / Layer3 Handoff configuration for the Virtual Networks that connect to an external network.
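One way to capture the Edge portion of that snapshot from a saved running-config, as an added example that is not part of the original document or a Cisco tool. The sample configuration is constructed, and the list of authentication command prefixes is an assumption about how the ports were configured.

```python
import re
from collections import defaultdict
# Constructed sample of an edge-node running-config (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 1021
 switchport mode access
 switchport voice vlan 1023
 source template DefaultWiredDot1xClosedAuth
!
interface GigabitEthernet1/0/2
 switchport access vlan 1022
 switchport mode access
!
interface GigabitEthernet1/0/3
 shutdown
!
"""

# Interface sub-commands taken to indicate a port authentication method (assumed list).
AUTH_PREFIXES = ("source template", "dot1x", "mab", "access-session", "authentication ")

def snapshot_ports(config_text):
    """Return {interface: {vlan, voice_vlan, auth}} for ports carrying host settings."""
    ports = defaultdict(lambda: {"vlan": None, "voice_vlan": None, "auth": []})
    current = None
    for line in config_text.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = header.group(1)
            continue
        if current is None or not line.startswith(" "):
            current = None  # left the interface block
            continue
        cmd = line.strip()
        if m := re.match(r"switchport access vlan (\d+)", cmd):
            ports[current]["vlan"] = int(m.group(1))
        elif m := re.match(r"switchport voice vlan (\d+)", cmd):
            ports[current]["voice_vlan"] = int(m.group(1))
        elif cmd.startswith(AUTH_PREFIXES):
            ports[current]["auth"].append(cmd)
    return dict(ports)

def ports_without_auth(snapshot):
    """Ports with a data VLAN but no authentication lines: confirm these are intended."""
    return sorted(p for p, s in snapshot.items() if s["vlan"] and not s["auth"])

if __name__ == "__main__":
    print(ports_without_auth(snapshot_ports(SAMPLE_CONFIG)))
```

The ports returned by `ports_without_auth` are the ones to review when host onboarding is repeated on the new Edge node, so that a port is not left without an authentication method by omission.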
Fabric Edge:
The port assignments made in host onboarding need to be cleared before an edge node is deleted from the fabric. Remove the Extended Node/Policy Extended Node/IoT devices from the Edge node before the Edge node is removed. Remove Fabric Edge from Fabric as shown in the image.
Error with ports assigned as shown in the image:
Fabric Border/Control Plane: The fabric border/Control plane can be removed from the fabric with external handoffs configured.
Delete the device from the inventory: Once the device is removed from the fabric, the switch needs to be removed from the inventory. Select the configuration cleanup option in order to wipe the configuration from the device as part of the delete operation.
At this point, the legacy switch can be physically removed from the fabric and replaced with Cat 9K.
New Device Discovery: Use the LAN Automation option in order to discover the new switches.
Cisco LAN Automation provides key benefits to Enterprise customers and is the recommended way to discover switches for the SD-Access fabric. Refer to this guide in order to discover new switches with LAN Automation:
https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/215336-lan-automation-step-by-step-deployment.html.
Manual configuration of underlay:
The new switches that replace the old switches can also be discovered manually on the DNAC. This requires configuration of the Management interface, Loopback, CLI, SNMP, VTY and the neighbor interface IP address/route so that the DNAC has reachability to the switches. This is not a recommended method because it involves a lot of manual configuration and is more prone to errors.
Network/Fabric configuration: Provision the discovered new switches to the Fabric site. Follow the fabric device provision guide to deploy the fabric node based on the fabric device role.
Some of the key things to remember:
- Edge Nodes - Connect the endpoints to the Edge node. Perform host onboarding with the VLAN, scalable group and authentication methods that existed before.
- Internal Border/Control Plane nodes – Configure the Layer3/Layer2 Handoff for the Virtual Networks to the internal Datacenter/traditional Layer2 network.
- External Border nodes – Configure the Handoff and IP connectivity between the Peer transit routers.
- If templates were pushed to the fabric devices earlier, they need to be pushed again.
Deployment guide for SD-Access: Refer to https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/SD-Access-Distributed-Campus-Deployment-Guide-2019JUL.html for the SD-Access fabric deployment guide.
Caveats
- No hitless migration – Endpoints and external networks need to be configured again.
- No configuration is backed up from DNAC for the old switches – Configuration from the faulty device cannot be replayed on the new device. Note down the current configuration.
- The user needs to configure all the management and network configurations of the new devices.
- Endpoint clients need to re-initiate connection to authentication servers and external services.