1.0 Architecture Flashcards
In a Cisco Catalyst switch equipped with two supervisor modules, an administrator must temporarily remove the active supervisor from the chassis to perform hardware maintenance on it. Which mechanism ensures that the active supervisor removal is not disruptive to network operation?
A. SSO
B. NSF/NSR
C. VRRP
D. HSRP
A. SSO
Explanation
Stateful Switchover (SSO) keeps the standby supervisor in hot-standby state with the configuration, Layer 2 protocol state and forwarding tables synchronized from the active supervisor, so when the active supervisor is pulled the standby takes over without resetting interfaces or relearning the forwarding state. SSO protects devices with dual Route Processors (RPs) that would otherwise be a single point of failure in the design. NSF/NSR cover the routing-protocol side of a switchover (they run on top of SSO, not instead of it); VRRP and HSRP are first-hop redundancy protocols between separate devices, not between supervisors in one chassis.
A company plans to implement intent-based networking in its campus infrastructure. Which design facilitates migration from a traditional campus design to a programmable fabric design?
A. two-tier
B. three-tier
C. routed access
D. Layer 2 access
C. routed access
Explanation
For campus designs requiring simplified configuration, common end-to-end troubleshooting tools, and the fastest convergence, a design using Layer 3 switches in the access layer (routed access) in combination with Layer 3 switching at the distribution and core layers provides the most rapid convergence of data and control plane traffic flows. Because the SD-Access fabric underlay is itself a routed network, a campus that already runs routed access is the easiest to migrate to a programmable fabric.
What is the benefit of deploying an on-premises infrastructure versus a cloud infrastructure deployment?
A. faster deployment times because the additional infrastructure does not need to be purchased
B. lower latency between systems that are physically located near each other
C. less power and cooling resources needed to run infrastructure on-premises
D. ability to quickly increase compute power without the need to install additional hardware
B. lower latency between systems that are physically located near each other
Explanation
The difference between on-premises and cloud is essentially where the hardware and software reside. On-premises means that a company keeps its entire IT environment onsite, managed either by itself or by a third party. Cloud means that it is housed offsite with someone else responsible for monitoring and maintaining it. Systems that share a site also share a short physical path, which is where the latency benefit comes from.
What are two reasons a company would choose a cloud deployment over an on-prem deployment? (Choose two)
A. Cloud resources scale automatically to an increase in demand. On-prem requires additional capital expenditure
B. Cloud deployments require long implementation times due to capital expenditure processes. On-prem deployments can be accomplished quickly using operational expenditure processes
C. In a cloud environment, the company controls technical issues. On-prem environments rely on the service provider to resolve a technical issue
D. In a cloud environment, the company is in full control of access to their data. On-prem risks access to data due to service provider outages
E. Cloud costs adjust up or down depending on the amount of resources consumed. On-prem costs for hardware, power, and space are ongoing regardless of usage
A. Cloud resources scale automatically to an increase in demand. On-prem requires additional capital expenditure
E. Cloud costs adjust up or down depending on the amount of resources consumed. On-prem costs for hardware, power, and space are ongoing regardless of usage
Which benefit is offered by a cloud infrastructure deployment but is lacking in an on-premises deployment?
A. storage capacity
B. efficient scalability
C. virtualization
D. supported systems
B. efficient scalability
Which of the following best describes the hierarchical LAN design model? (Choose all that apply.)
1. It allows for easier troubleshooting.
2. It is highly scalable.
3. It provides a simplified design.
4. It offers improved performance.
5. It is the best design for modern data centers.
6. It allows for faster problem isolation.
- It allows for easier troubleshooting.
- It is highly scalable.
- It provides a simplified design.
- It offers improved performance.
- It allows for faster problem isolation.
The access layer is also commonly referred to as the _____.
1. endpoint layer
2. aggregation layer
3. end-user layer
4. network edge
- network edge
What is the maximum number of distribution switches that can be deployed within a hierarchical LAN design building block?
1. Four
2. Two
3. Six
4. No limit
- Two
Which of the following enterprise network architectures is also known as the collapsed core?
1. Three-tier design
2. Simplified campus design
3. Two-tier design
4. Leaf–spine design
- Two-tier design
Which network blocks can provide access to cloud providers for end-users? (Choose two.)
1. WAN edge
2. Internet edge
3. Network services edge
4. Data center
- WAN edge
- Internet edge
Which technologies are used to deploy a simplified campus design? (Choose all that apply.)
1. Clustering technologies
2. Stacking technologies
3. Virtual switching systems (VSSs)
4. StackWise
5. Daisy-chaining
- Clustering technologies
- Stacking technologies
- Virtual switching systems (VSSs)
- StackWise
What are the different design principles of an enterprise network?
Two-tier design (collapsed core)
Three-tier design
Layer 2 access layer (STP based)
Layer 3 access layer (routed access)
Simplified campus design
Software-Defined Access (SD-Access)
Explain a Two-Tier Design (collapsed core)
Smaller campus networks may have multiple departments spread across multiple floors within a building. In these environments a core layer may not be needed, and collapsing the core function into the distribution layer is a cost-effective solution (no core layer means no core layer devices) that sacrifices few of the benefits of the three-tier hierarchical model.
Explain a Three-Tier Design
Three-tier designs separate the core and distribution layers and are recommended when more than two pairs of distribution switches are required. Multiple pairs of distribution switches are typically required for the following reasons:
- When implementing a network for a large enterprise campus composed of multiple buildings, where each building requires a dedicated distribution layer
- When the density of WAN routers, Internet edge devices, data center servers and network services grows to the point where it can affect network performance and throughput
- When geographic dispersion of the LAN access switches across many buildings in a larger campus facility would require more fiber-optic interconnects back to a single collapsed core
When multiple distribution layers need to be interconnected, it becomes necessary to use a core layer.
Explain Layer 2 Access Layer (STP Based)
Traditional LAN designs use a Layer 2 access layer and a Layer 3 distribution layer. The distribution layer is the Layer 3 IP gateway for access layer hosts. Whenever possible, it is recommended to restrict a VLAN to a single access layer switch to eliminate topology loops, which are common points of failure in LANs even when STP is enabled in the network. Restricting a VLAN to a single switch provides a loop-free design, but at the cost of network flexibility, because all hosts within a VLAN are restricted to a single access switch. Some organizations require that the same Layer 2 VLAN be extended to multiple access layer switches to accommodate an application or a service. The looped design causes STP to block links, which reduces the bandwidth to the rest of the network and can cause slower network convergence.
Explain Layer 3 Access Layer (Routed Access)
Routed access is an alternative configuration in which Layer 3 is extended all the way to the access layer switches. In this design, access layer switches act as full Layer 3 routed nodes (providing both Layer 2 and Layer 3 switching), and the access-to-distribution Layer 2 uplink trunks are replaced with Layer 3 point-to-point routed links. Consequently, the Layer 2/Layer 3 demarcation point is moved from the distribution switch to the access switch.
What are the advantages of routed access to distribution design over the Layer 2 access layer design?
- No first-hop redundancy protocol required: It eliminates the need for first-hop redundancy protocols such as HSRP and VRRP.
- No STP required: Because there are no Layer 2 links to block, this design eliminates the need for STP.
- Increased uplink utilization: Both uplinks from access to distribution can be used, increasing the effective bandwidth available to the end users and endpoints connected to the access layer switches.
- Easier troubleshooting: It offers common end-to-end troubleshooting tools (such as ping and traceroute).
- Faster convergence: It uses fast-converging routing protocols such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
What do the routed access design and the loop-free Layer 2 access design NOT support?
Neither supports spanning a VLAN across multiple access switches.
Explain what a simplified campus design is:
The simplified campus design relies on switch clustering such as a virtual switching system (VSS) and stacking technologies such as StackWise, in which multiple physical switches act as a single logical switch. Clustering and stacking technologies can be applied to any of the campus building blocks to simplify them even further.
What are the advantages of a Simplified Campus Design?
The simplified campus design is loop-free, highly available, flexible, resilient, and easy to manage.
- Simplified design: By using the single logical distribution layer design, there are fewer boxes to manage, which reduces the amount of time spent on ongoing provisioning and maintenance.
- No first-hop redundancy protocol required: It eliminates the need for first-hop redundancy protocols such as HSRP and VRRP because the default IP gateway is on a single logical interface.
- Reduced STP dependence: Because EtherChannel is used, it eliminates the need for STP for a Layer 2 access design; however, STP is still required as a failsafe in case multiple access switches are interconnected.
- Increased uplink utilization: With EtherChannel, all uplinks from access to distribution can be used, increasing the effective bandwidth available to the end users and endpoints connected to the access layer switches.
- Easier troubleshooting: The topology of the network from the distribution layer to the access layer is logically a hub-and-spoke topology, which reduces the complexity of the design and troubleshooting.
- Faster convergence: With EtherChannel, all links are in forwarding state, which significantly optimizes the convergence time following a node or link failure event because EtherChannel provides fast subsecond failover between links in an uplink bundle.
- Distributed VLANs: With this design, VLANs can span multiple access switches without the need to block any links.
Explain what the Software-Defined Access (SD-Access) design is
SD-Access, the industry's first intent-based networking solution for the enterprise, is built on the principles of the Cisco Digital Network Architecture (DNA). It is a combination of the campus fabric design and Cisco DNA Center (DNAC). SD-Access adds fabric capabilities to the enterprise network through automation, and it provides automated end-to-end segmentation to separate user, device, and application traffic without requiring a network redesign. With its fabric capabilities, SD-Access provides services such as host mobility and enhanced security in addition to the normal switching and routing capabilities.
What is the main reason SD-Access uses VXLAN data encapsulation instead of LISP data encapsulation?
1. VXLAN supports IPv6.
2. VXLAN supports Layer 2 networks.
3. VXLAN has a much smaller header.
4. VXLAN has a better ring to it.
- VXLAN supports Layer 2 networks.
True or false: The VXLAN header used for SD-Access is exactly the same as the original VXLAN header.
1. True
2. False
False
Which is the control plane used by SD-Access?
- LISP control plane
- EVPN MP-BGP
- Multicast
- VXLAN control plane
- LISP control plane
Which field was added to the VXLAN header to allow it to carry SGT tags?
1. Group Policy ID
2. Scalable Group ID
3. Group Based Tag
4. Group Based Policy
- Group Policy ID
Which types of network environments were SD-Access designed for?
1. Data center
2. Internet
3. Enterprise campus and branch
4. Service provider
5. WAN
6. Private cloud
- Enterprise campus and branch
Which of the following components are part of the SD-Access fabric architecture? (Choose all that apply.)
1. WLCs
2. Cisco routers
3. Cisco firewalls
4. Cisco switches
5. Access points
6. Cisco ISE
7. Cisco DNA Center
8. Intrusion prevention systems
- WLCs
- Cisco routers
- Cisco switches
- Access points
- Cisco ISE
- Cisco DNA Center
What are the main components of the Cisco SD-WAN solution? (Choose four.)
1. vManage network management system (NMS)
2. vSmart controller
3. SD-WAN routers
4. vBond orchestrator
5. vAnalytics
6. Cisco ISE
7. Cisco DNA Center
- vManage network management system (NMS)
- vSmart controller
- SD-WAN routers
- vBond orchestrator
True or false: The vSmart controller establishes permanent IPsec connections to all SD-WAN routers in the SD-WAN fabric.
1. True
2. False
- False (vSmart keeps permanent DTLS/TLS control connections to the routers; the IPsec tunnels are built between the SD-WAN routers themselves for the data plane)
True or false: SD-WAN only works over the Internet or MPLS networks.
1. True
2. False
- False
Which of the following is the single pane of glass for the SD-WAN solution?
1. DNA Center
2. vBond
3. vManage
4. vSmart
- vManage
What is the main function of the vBond orchestrator?
1. To authenticate the vManage NMS and the SD-WAN routers and orchestrate connectivity between them
2. To authenticate the vSmart controllers and the SD-WAN routers and orchestrate connectivity between them
3. To authenticate the vSmart controllers and the vManage NMS and orchestrate connectivity between them
- To authenticate the vSmart controllers and the SD-WAN routers and orchestrate connectivity between them
Which description of an SD-Access wireless network infrastructure deployment is true?
A. The access point is part of the fabric underlay
B. The wireless client is part of the fabric overlay
C. The access point is part of the fabric overlay
D. The WLC is part of the fabric underlay
C. The access point is part of the fabric overlay
Explanation
Access Points
+ AP is directly connected to a fabric edge (FE) node (or to an extended node switch)
+ AP is part of the fabric overlay
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKEWN-2020.pdf
When a wired client connects to an edge switch in an SDA fabric, which component decides whether the client has access to the network?
A. RADIUS server
B. control-plane node
C. Identity Service Engine
D. edge node
C. Identity Service Engine
Which controller is the single plane of management for Cisco SD-WAN?
A. vEdge
B. vManage
C. vSmart
D. vBond
B. vManage
Explanation
The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).
+ vManage – This centralized network management system provides a GUI interface to easily monitor, configure, and maintain all Cisco SD-WAN devices and links in the underlay and overlay network.
+ vSmart controller – This software-based component is responsible for the centralized control plane of the SD-WAN network. It establishes a secure connection to each vEdge router and distributes routes and policy information via the Overlay Management Protocol (OMP), acting as a route reflector. It also orchestrates the secure data plane connectivity between the vEdge routers by distributing crypto key information, allowing for a very scalable, IKE-less architecture.
+ vBond orchestrator – This software-based component performs the initial authentication of vEdge devices and orchestrates vSmart and vEdge connectivity. It also has an important role in enabling the communication of devices that sit behind Network Address Translation (NAT).
+ vEdge router – This device, available as either a hardware appliance or software-based router, sits at a physical site or in the cloud and provides secure data plane connectivity among the sites over one or more WAN transports. It is responsible for traffic forwarding, security, encryption, Quality of Service (QoS), routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), and more.
Which statement about a Cisco APIC controller versus a more traditional SDN controller is true?
A. APIC uses a policy agent to translate policies into instruction
B. APIC uses an imperative model
C. APIC supports OpFlex as a Northbound protocol
D. APIC does support a Southbound REST API
A. APIC uses a policy agent to translate policies into instruction
Explanation
APIC uses a declarative model: it pushes policy intent to the fabric, and a policy agent on each switch translates that intent into device-level instructions. The southbound protocol APIC uses for this is OpFlex, which Cisco promotes as the protocol for policy enablement across physical and virtual switches. A more traditional SDN controller uses an imperative model, with southbound interfaces implemented through a Service Abstraction Layer (SAL) that talks to the network elements via protocols such as SNMP and CLI.
Note: Cisco OpFlex is a southbound protocol in a software-defined network (SDN), not a northbound one.
What is the role of a fusion router in an SD-Access solution?
A. performs route leaking between user-defined virtual networks and shared services
B. provides connectivity to external networks
C. acts as a DNS server
D. provides additional forwarding capacity to the fabric
A. performs route leaking between user-defined virtual networks and shared services
Explanation
Today the Cisco Digital Network Architecture Software-Defined Access (DNA SD-Access) solution requires a fusion router to perform VRF route leaking between user VRFs and shared services, which may be in the global routing table (GRT) or in another VRF. Shared services may consist of DHCP, Domain Name System (DNS), Network Time Protocol (NTP), the wireless LAN controller (WLC), Identity Services Engine (ISE) and DNA Center components, all of which must be made available to the other virtual networks (VNs) in the campus.
On which protocol or technology is the fabric data plane based in Cisco SD-Access fabric?
A. VXLAN
B. LISP
C. IS-IS
D. Cisco TrustSec
A. VXLAN
Explanation
The tunneling technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN). VXLAN encapsulation is UDP-based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric. Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not. Using VXLAN allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) and the ability to operate over any IP-based network with built-in network segmentation (VRF instance/VN) and built-in group-based policy.
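As an added example (not code from the original flashcards or from Cisco), the Python below builds and decodes the 8-byte VXLAN header in the form SD-Access uses: the Group Policy extension (VXLAN-GPO), in which the Scalable Group Tag rides in the Group Policy ID field and the virtual network in the VNI. It serves the three VXLAN header questions above (the header is not the original RFC 7348 one; the added field is the Group Policy ID) as well as this data-plane explanation. Bit positions follow RFC 7348 and the draft-smith-vxlan-group-policy layout; the SGT, VNI and RLOC values are constructed for illustration, and `accept_from_underlay` is an illustrative admission check, not a documented fabric-node feature.

```python
"""VXLAN-GPO header encoder/decoder for the SD-Access data plane.

Added example; not code from the original flashcards or from Cisco.
Field layout: RFC 7348 (VXLAN) plus draft-smith-vxlan-group-policy (GPO).
All SGT, VNI and RLOC values below are constructed for illustration.
"""
import struct

VXLAN_UDP_PORT = 4789

# Flag bits in the first 16 bits of the header (bit 0 is the most significant).
FLAG_G = 0x8000  # Group Based Policy extension present: Group Policy ID is valid
FLAG_I = 0x0800  # VNI is valid (the only flag RFC 7348 defines)
FLAG_D = 0x0040  # Don't learn: receiver must not MAC-learn from the inner frame
FLAG_A = 0x0008  # Policy applied: group policy already enforced on this packet
KNOWN_FLAGS = FLAG_G | FLAG_I | FLAG_D | FLAG_A


def build_header(vni, sgt=None, policy_applied=False, dont_learn=False):
    """Return the 8-byte header. Without an SGT this is a plain RFC 7348 header."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    flags, group_policy_id = FLAG_I, 0
    if sgt is not None:
        if not 0 <= sgt < (1 << 16):
            raise ValueError("SGT is a 16-bit field")
        flags |= FLAG_G
        group_policy_id = sgt
        if policy_applied:
            flags |= FLAG_A
        if dont_learn:
            flags |= FLAG_D
    # !H flags, !H Group Policy ID, !I = 24-bit VNI followed by a reserved zero byte
    return struct.pack("!HHI", flags, group_policy_id, vni << 8)


def parse_plain_vxlan(header):
    """RFC 7348 view: only the I flag and the VNI are meaningful; bytes 1-3 are
    reserved and ignored on receipt. A plain VTEP therefore forwards SD-Access
    traffic but never sees the SGT and cannot enforce group policy on it."""
    flags, _reserved, vni_word = struct.unpack("!HHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    return vni_word >> 8


def parse_gpo_vxlan(header):
    """SD-Access view: decode the VNI plus the Group Policy ID (SGT) and GPO flags."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, group_policy_id, vni_word = struct.unpack("!HHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    if flags & ~KNOWN_FLAGS:
        raise ValueError("reserved flag bits set: 0x%04x" % flags)
    if vni_word & 0xFF:
        raise ValueError("reserved trailing byte must be zero")
    decoded = {"vni": vni_word >> 8, "sgt": None,
               "policy_applied": False, "dont_learn": False}
    # With G clear the Group Policy ID bytes are reserved and must be ignored.
    if flags & FLAG_G:
        decoded["sgt"] = group_policy_id
        decoded["policy_applied"] = bool(flags & FLAG_A)
        decoded["dont_learn"] = bool(flags & FLAG_D)
    return decoded


def accept_from_underlay(src_rloc, header, trusted_rlocs):
    """Illustrative admission check (an assumption, not a documented fabric
    feature): the SGT and VNI travel in cleartext with no integrity protection,
    so any host able to inject UDP/4789 into the underlay can forge either.
    Only trust policy fields on packets sourced by a known RLOC."""
    if src_rloc not in trusted_rlocs:
        raise PermissionError("VXLAN from unknown RLOC %s dropped" % src_rloc)
    return parse_gpo_vxlan(header)


if __name__ == "__main__":
    # Constructed sample: VN 4097 (VNI), employee SGT 17, policy already applied.
    hdr = build_header(4097, sgt=17, policy_applied=True)
    print(hdr.hex())                 # 8808001100100100
    print(parse_gpo_vxlan(hdr))      # {'vni': 4097, 'sgt': 17, 'policy_applied': True, 'dont_learn': False}
    print(parse_plain_vxlan(hdr))    # 4097, the SGT is silently dropped
    trusted = {"10.0.255.1", "10.0.255.2"}
    print(accept_from_underlay("10.0.255.1", hdr, trusted)["sgt"])  # 17
```

The two decoders make the interoperability point concrete: a plain VXLAN device carries the SD-Access header untouched (the G bit and Group Policy ID sit in bits RFC 7348 marks reserved), but only a GPO-aware edge can act on the SGT. The admission check is the practitioner caveat: because nothing in the header authenticates the SGT or VNI, fabric edges and border nodes should only decapsulate from underlay addresses that belong to the fabric.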
Which function does a fabric edge node perform in an SD-Access deployment?
A. Encapsulates end-user data traffic into LISP.
B. Connects endpoints to the fabric and forwards their traffic
C. Connects the SD-Access fabric to another fabric or external Layer 3 networks
D. Provides reachability to border nodes in the fabric underlay
B. Connects endpoints to the fabric and forwards their traffic
Explanation
There are five basic device roles in the fabric overlay:
+ Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay.
+ Fabric border node: This fabric device (for example, a core layer device) connects external Layer 3 networks to the SDA fabric.
+ Fabric edge node: This fabric device (for example, an access or distribution layer device) connects wired endpoints to the SDA fabric.
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric.
+ Intermediate nodes: These are intermediate routers or extended switches that do not provide any SD-Access fabric role other than underlay services.
Which action is the vSmart controller responsible for in an SD-WAN deployment?
A. manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric
B. onboard vEdge nodes into the SD-WAN fabric
C. distribute security information for tunnel establishment between vEdge routers
D. gather telemetry data from vEdge routers
C. distribute security information for tunnel establishment between vEdge routers
Explanation
+ Orchestration plane (vBond) assists in securely onboarding the SD-WAN WAN Edge routers into the SD-WAN overlay (-> Therefore answer “onboard vEdge nodes into the SD-WAN fabric” mentioned about vBond). The vBond controller, or orchestrator, authenticates and authorizes the SD-WAN components onto the network. The vBond orchestrator takes an added responsibility to distribute the list of vSmart and vManage controller information to the WAN Edge routers. vBond is the only device in SD-WAN that requires a public IP address as it is the first point of contact and authentication for all SD-WAN components to join the SD-WAN fabric. All other components need to know the vBond IP or DNS information.
+ Management plane (vManage) is responsible for central configuration and monitoring. The vManage controller is the centralized network management system that provides a single pane of glass GUI interface to easily deploy, configure, monitor and troubleshoot all Cisco SD-WAN components in the network. (-> Answer “manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric” and answer “gather telemetry data from vEdge routers” are about vManage)
+ Control plane (vSmart) builds and maintains the network topology and makes decisions on the traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies and distributes data plane policies to network devices for enforcement (-> Answer "distribute security information for tunnel establishment between vEdge routers" is about vSmart)
How does a fabric AP fit in the network?
A. It is in FlexConnect mode and must be connected directly to the fabric border node
B. It is in local mode and must be connected directly to the fabric border node
C. It is in local mode and must be connected directly to the fabric edge switch
D. It is in FlexConnect mode and must be connected directly to the fabric edge switch
C. It is in local mode and must be connected directly to the fabric edge switch
Explanation
Fabric mode APs continue to support the same wireless media services that traditional APs support; apply AVC, quality of service (QoS), and other wireless policies; and establish the CAPWAP control plane to the fabric WLC. Fabric APs join as local-mode APs and must be directly connected to the fabric edge node switch to enable fabric registration events, including RLOC assignment via the fabric WLC. The fabric edge nodes use CDP to recognize APs as special wired hosts, applying special port configurations and assigning the APs to a unique overlay network within a common EID space across a fabric. The assignment allows management simplification by using a single subnet to cover the AP infrastructure at a fabric site.
What are two device roles in Cisco SD-Access fabric? (Choose two)
A. vBond controller
B. edge node
C. access switch
D. core switch
E. border node
B. edge node
E. border node
Explanation
There are five basic device roles in the fabric overlay:
+ Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay.
+ Fabric border node: This fabric device (for example, a core layer device) connects external Layer 3 networks to the SDA fabric.
+ Fabric edge node: This fabric device (for example, an access or distribution layer device) connects wired endpoints to the SDA fabric.
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric.
+ Intermediate nodes: These are intermediate routers or extended switches that do not provide any SD-Access fabric role other than underlay services.