23. Fabric Technologies Flashcards
What are the capabilities, features and functionalities of SD-access?
- Network automation
- Network assurance and analytics
- Host mobility
- Identity services
- Policy enforcement
- Secure segmentation
- Network virtualization
What is Network automation in SD-access?
Replaces manual network device configurations with network device management –> Cisco DNA
What is Network assurance and analytics in SD-access?
Proactive prediction of network/security related risks
What is Host mobility in SD-access?
Provides access to (non)-wired clients
What is Identity services in SD-access?
Cisco ISE identifies users and devices connecting to the network and provides information to implement security policies for access control and segmentation
What is Policy enforcement in SD-access?
SGACLs (access lists) based on identity instead of IP
What is Secure segmentation in SD-access?
Easer to segmen the network to support guests, IoT, etc
What is Network virtualization in SD-access?
One single physical infrastructure to support multiple VRF instances. Also called virtual networks
What are the 2 SD-access components?
- Cisco campus fabric solution
- Cisco DNA Center
When do we speak of the Cisco campus fabric solution?
When the fabric is managed through the CLI
When do we speak of SD-Access
When the fabric is managed through Cisco DNA Center
What is the campus fabric?
A Cisco validated fabric overlay solution that includes all of the features and protocols to operate the network infrastructure.
What are the four layers in the architecture?
- Physical
- Network
- Control
- Management
What is placed in the physical layer?
All Cisco network devices that actively particapate in the SD-Access fabric must support all of the hardware ASICs and FPGAs.
What is placed in the network layer?
Consist of the underlay and overlay network. These work together to deliver data packets to and from networking devices participating in SD-Access.
Overlay is virtual.
What are the 2 underlay modes?
Manual through the CLI –> Change protocols
Automated through Cisco DNA –> P&P, IS-IS auto
What is the underlay network?
Physical network the should ensure high availability, scalability an performance. Adviced is to use L3 routed campus design with IS-IS
What is the overlay network?
SD-access fabric that is fully automated. Includes all the control plane protocols and addressing.
What are the 3 basic control planes in SD-Access fabric?
- Control plane based on LISP
- Data plane based on VXLAN
- Policy plane based on Cisco Trustsec
What is the name of the enhanced VXLAN?
VXLAN-GPO and supports Trustsec SGTs
Why is VXLAN preffered over LISP in the data plane?
VXLAN supports IP/UDP based MAC-in-IP encapsulation. For this reason it can be used on L2 and L3
What are Trustsec SGTs?
Tags that can be assigned to authenticated groups. Network policies can be applied through SD-Access based on this tag instead of IP/MAC.
What is the advantage of Trustsec tags for SD-Access?
- Network address independent GP based on tags
-
What are the 5 basic roles in SD-Access?
- Control plane node
- Fabric border node (core layer device)
- Fabric edge node (access/distribution switch)
- Fabric WLAN controller
- Intermediate nodes
How many roles can be assigned to a SD-Access device?
Multiple, minimum is one
What is the Control plane node?
A LISP map server/resolver (MS/MR) with enhanced functions for SD-Access. Maintains a simple host tracking database for EID’s to RLOCs
How does the Control plane node work?
Maps all EID locations to the fabric edge/border node and capable of doing EID lookups.
Receives registrations from fabric edge/border nodes.
Must be a Cisco switch or router operating in-/outside the SD-WAN fabric
What is the Fabric border node?
LISP proxy tunnel routers that connect external L3 networks to the SD-Access fabric and translates reachability and policy information, as VRF & SGT from one domain to another.
What are the 3 types of Fabric border nodes?
- Internal border (only known)
- Default border (outside)
- Internal default (connects internal and default with each other)
What is the Fabric edge node?
Provides onboarding and mobility services for wired users/devices. It is a LISP tunnel router that provides anycast gateway, endpoint authentication, and assignment to overlay host pools, as well as group-based policy enforcement
How does a Fabric edge node work?
It first identifies and authenticates (802.1X) wired endpoints in order to place them in a host pool and SGT group. Then registers a specific EID host address with the Control plane node.
Provides (de)-encapsulation to and from its connect endpoints.
What is the Fabric WLAN controller?
Connects APs and wireless endpoints to the fabric. The WLC is external and connects through a internal border node.
What is the difference for a WLC in SD-Access?
Traffic travels on VXLAN encapsulated instead of CAPWAP.
What are Intermediate nodes?
Switches or routers that do not provide any active rol in the SD-Access fabric
What is placed in the controller layer?
Provides the subsystems for the management layer and consists of Cisco DNA center and Cisco ISE
What are the 3 main controller susbsytems?
- Cisco Network Control Platform
- Cisco Network Data Platform
- Cisco ISE
What is Cisco Network Control Platform?
Subsystem integrated directly into Cisco DNA that provides all of the underlay and fabric automation and orchestration services for the physical and network layers.
What does Cisco Network Control Platform use for configuration?
NETCONF/YANG, SNMP, SSH/Telnet and provides network automation status and info to the management layer
What is Cisco Network Data Platform?
Subsystem integrated directly into Cisco DNA that does datacollection and analytics
What does Cisco Network Data Platform do?
Analyzes and correlates various network vents through multiple sources (NetFlow, SPAN) and identifies historical trends. Provides this to ISE and NCP Cisco Network Data Platform
What is Cisco ISE?
Provides all the identity and policy services for the physical and network layer
What is placed in the management layer?
The GUI of Cisco DNA Center
What are the 4 main components of SD-WAN?
- vManage
- vSmart controller
- SD-WAN routers
- vBond orchestrator
What is vManage?
GUI for SD-WAN
What is vSmart controller?
The brain of SD-WAN and have cpre-installed redentials to authenticate every SD-WAN router that comes online
How does vSmart controller work?
After authentication it creates a permanent DTLS tunnel to each SD-WAN router to esthablish OMP neighborships.
What is OMP?
The Cisco Overlay Management Protocol
What is a SD-WAN router?
SD-WAN routers deliver the essential WAN, security and multicloud capabilities of the SD-WAN solution and are available as hardware, software, clud or VR at the perimeter of a site.
How does a SD-WAN router function?
It automatically establishes a DTLS tunnel wit ha vController to form a OMP neighborship
It also establishes IPsec session with other SD-WAN routers
What are the two types of SD-WAN routers?
vEdge
cEdge - Viptela integrated in IOS-XE
What are they advanced security features of cEdge?
- AMP & AMP Threat Grid
- Enterprise firewall
- Cisco Umbrella
- URL filtering
- The Snort intrusion prevention system
- Embedded platform security
What is the vBond orchestrator?
Authenticaes the vSmare controllers and SD-WAN routers and orchestrates connectivity between them.
What is unique about the vBond orchestrator?
It is a SD-WAN router that only performs orchestrator functions and the only device that must have a public IP so that SD-WAN routers can connect to it.
What are the major components of vBond orchestrator?
- Control plane connection
- NAT traversel
- Load balancing
What is Control plane connection?
Each vBond orchestrator has a permanent DTLS tunnel with a vSmart controller and uses DTLS connections to communicatie with SD-WAN routers
What is NAT traversel?
vBond orchestrato facilitates the initial orchestration between SD-WAN routers and vSmart controllers, when one of them is behind a NAT device.
What is load balancing vBond orchestrator?
In a domain with multiple vSmart Controllers the orchestrator automatically load balances SD-WAN routers
What are the capabilities of vAnalytics?
- Visibility into applications
- Forecasting and what if analysis
- Intelligent recommendations
Which SD-WAN component are available as physical devices?
- vSmart controllers
- SD-WAN routers
What is vQoE?
Viptela Quality of Experience
Provides the quality of Cloud SaaS connections score
What is Cloud OnRamp?
Delivers the best application QoE for SaaS application by continuously monitoring SaaS performance across diverse paths
What does the vSmart controller do?
It pushes down configuration and policies to SD-WAN routers
What does the vBond orchestrator do?
Holds al devies together
