pod01

Lab Task 4 - Scenario 1 (Overview)

In this lab scenario, the objective is to enable seamless communication between the Datacenter and Branch networks while ensuring security and manageability.

The infrastructure is divided into multiple domains: NDFC (Datacenter), Catalyst Center (Branch), and Secure Cloud Control (Firewall Management).

To achieve full end-to-end connectivity, we will onboard devices onto the appropriate platforms, configure network interfaces, and enforce security policies.

Step 1: Onboarding Devices to Catalyst Center and Nexus Dashboard Fabric Controller (NDFC)

To ensure centralized automation and policy-based management, network devices must be integrated into Cisco Catalyst Center and Nexus Dashboard Fabric Controller (NDFC).

Catalyst Center: Used for managing the Branch network (Catalyst 8kV):

  • Add cat8kv-01 as a managed device
  • Assign it to a site in Catalyst Center

NDFC: Controls the Datacenter network (NX-OS Fabric):

  • Register nxos9kv-01 and assign it to the Datacenter fabric

Step 2: Configuring VLANs and Interfaces

After onboarding the devices, the next step is to configure VLANs and routing.

Branch Side (Catalyst Center Domain):

  • VLAN 10 (10.0.0.0/24) should be assigned to cat8kv-01.
    Allow traffic between G2 (towards Firewall) and G3 (towards branch clients).
  • Ensure Layer 3 routing is in place.

Datacenter Side (NDFC Domain):

  • VLAN 1001 (10.0.1.0/24) must be configured on nxos9kv-01.
    Allow VLAN propagation through E1/2 and E1/4.
  • Configure a default route towards the Firewall (172.16.1.1/30).

Step 3: Securing and Routing Through the Firewall (Secure Cloud Control)

Since the firewall (ftdv-01) is already onboarded into Secure Cloud Control, the next step is to configure security policies.

Traffic Rules:

  • Allow Datacenter ↔ Branch (10.0.1.0/24 ↔ 10.0.0.0/24).
  • Permit routing between 172.16.0.0/30 and 172.16.1.0/30.

Verification Steps:

  • Ensure no unnecessary open access.
  • Implement logging for traffic monitoring.
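One way to check the Step 3 policy off-box before it is pushed, as an added example that is not part of the lab material: the subnets and hosts are the scenario's own, while the Rule structure, the rule names and the out-of-scope addresses (taken from the 192.0.2.0/24 documentation range) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    action: str   # "allow" or "deny"
    log: bool     # logging enabled on the rule

def first_match(rules, src_ip, dst_ip):
    """First rule whose source and destination networks contain the flow; None = implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r
    return None

def evaluate(rules, flows):
    """Return {(src, dst): True/False} for whether each flow receives its expected action."""
    results = {}
    for src, dst, expected in flows:
        r = first_match(rules, src, dst)
        results[(src, dst)] = ((r.action if r else "deny") == expected)
    return results

def unlogged_allows(rules):
    """Allow rules without logging: these violate the 'implement logging' verification step."""
    return [r.name for r in rules if r.action == "allow" and not r.log]

# Candidate rule set built from the scenario's Traffic Rules (constructed sample, names assumed).
POLICY = [
    Rule("dc-to-branch", "10.0.1.0/24", "10.0.0.0/24", "allow", True),
    Rule("branch-to-dc", "10.0.0.0/24", "10.0.1.0/24", "allow", True),
    Rule("transit-a-to-b", "172.16.0.0/30", "172.16.1.0/30", "allow", True),
    Rule("transit-b-to-a", "172.16.1.0/30", "172.16.0.0/30", "allow", True),
    Rule("catch-all", "0.0.0.0/0", "0.0.0.0/0", "deny", True),
]

# The lab's ping test must pass; anything outside the scoped subnets must fall to the deny rule.
FLOWS = [
    ("10.0.1.10", "10.0.0.10", "allow"),  # datacenter-client01 -> branch-client01
    ("10.0.0.10", "10.0.1.10", "allow"),  # return path
    ("10.0.1.10", "192.0.2.7", "deny"),   # constructed out-of-scope destination
    ("192.0.2.7", "10.0.0.10", "deny"),   # constructed out-of-scope source
]
```

Running `evaluate(POLICY, FLOWS)` should return True for every flow and `unlogged_allows(POLICY)` an empty list; any False or any listed rule name points at the rule to fix before the "no unnecessary open access" check is signed off.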

Validating End-to-End Connectivity

Once configurations are in place, connectivity should be tested.

Ping test: datacenter-client01 (10.0.1.10) → branch-client01 (10.0.0.10).