23. Fabric Technologies

Question 1

What are the capabilities, features and functionalities of SD-access?

Answer 1

• Network automation
• Network assurance and analytics
• Host mobility
• Identity services
• Policy enforcement
• Secure segmentation
• Network virtualization

Question 2

What is Network automation in SD-access?

Answer 2

Replaces manual network device configurations with network device management –> Cisco DNA

Question 3

What is Network assurance and analytics in SD-access?

Answer 3

Proactive prediction of network/security related risks

Question 4

What is Host mobility in SD-access?

Answer 4

Provides access to (non)-wired clients

Question 5

What is Identity services in SD-access?

Answer 5

Cisco ISE identifies users and devices connecting to the network and provides information to implement security policies for access control and segmentation

Question 6

What is Policy enforcement in SD-access?

Answer 6

SGACLs (access lists) based on identity instead of IP

Question 7

What is Secure segmentation in SD-access?

Answer 7

Easer to segmen the network to support guests, IoT, etc

Question 8

What is Network virtualization in SD-access?

Answer 8

One single physical infrastructure to support multiple VRF instances. Also called virtual networks

Question 9

What are the 2 SD-access components?

Answer 9

• Cisco campus fabric solution

- Cisco DNA Center

Question 10

When do we speak of the Cisco campus fabric solution?

Answer 10

When the fabric is managed through the CLI

Question 11

When do we speak of SD-Access

Answer 11

When the fabric is managed through Cisco DNA Center

Question 12

What is the campus fabric?

Answer 12

A Cisco validated fabric overlay solution that includes all of the features and protocols to operate the network infrastructure.

Question 13

What are the four layers in the architecture?

Answer 13

• Physical
• Network
• Control
• Management

Question 14

What is placed in the physical layer?

Answer 14

All Cisco network devices that actively particapate in the SD-Access fabric must support all of the hardware ASICs and FPGAs.

Question 15

What is placed in the network layer?

Answer 15

Consist of the underlay and overlay network. These work together to deliver data packets to and from networking devices participating in SD-Access.

Overlay is virtual.

Question 16

What are the 2 underlay modes?

Answer 16

Manual through the CLI –> Change protocols

Automated through Cisco DNA –> P&P, IS-IS auto

Question 17

What is the underlay network?

Answer 17

Physical network the should ensure high availability, scalability an performance. Adviced is to use L3 routed campus design with IS-IS

Question 18

What is the overlay network?

Answer 18

SD-access fabric that is fully automated. Includes all the control plane protocols and addressing.

Question 19

What are the 3 basic control planes in SD-Access fabric?

Answer 19

• Control plane based on LISP
• Data plane based on VXLAN
• Policy plane based on Cisco Trustsec

Question 20

What is the name of the enhanced VXLAN?

Answer 20

VXLAN-GPO and supports Trustsec SGTs

Question 21

Why is VXLAN preffered over LISP in the data plane?

Answer 21

VXLAN supports IP/UDP based MAC-in-IP encapsulation. For this reason it can be used on L2 and L3

Question 22

What are Trustsec SGTs?

Answer 22

Tags that can be assigned to authenticated groups. Network policies can be applied through SD-Access based on this tag instead of IP/MAC.

Question 23

What is the advantage of Trustsec tags for SD-Access?

Answer 23

• Network address independent GP based on tags

-

Question 24

What are the 5 basic roles in SD-Access?

Answer 24

• Control plane node
• Fabric border node (core layer device)
• Fabric edge node (access/distribution switch)
• Fabric WLAN controller
• Intermediate nodes

Question 25

How many roles can be assigned to a SD-Access device?

Answer 25

Multiple, minimum is one

Question 26

What is the Control plane node?

Answer 26

A LISP map server/resolver (MS/MR) with enhanced functions for SD-Access. Maintains a simple host tracking database for EID’s to RLOCs

Question 27

How does the Control plane node work?

Answer 27

Maps all EID locations to the fabric edge/border node and capable of doing EID lookups.

Receives registrations from fabric edge/border nodes.

Must be a Cisco switch or router operating in-/outside the SD-WAN fabric

Question 28

What is the Fabric border node?

Answer 28

LISP proxy tunnel routers that connect external L3 networks to the SD-Access fabric and translates reachability and policy information, as VRF & SGT from one domain to another.

Question 29

What are the 3 types of Fabric border nodes?

Answer 29

• Internal border (only known)
• Default border (outside)
• Internal default (connects internal and default with each other)

Question 30

What is the Fabric edge node?

Answer 30

Provides onboarding and mobility services for wired users/devices. It is a LISP tunnel router that provides anycast gateway, endpoint authentication, and assignment to overlay host pools, as well as group-based policy enforcement

Question 31

How does a Fabric edge node work?

Answer 31

It first identifies and authenticates (802.1X) wired endpoints in order to place them in a host pool and SGT group. Then registers a specific EID host address with the Control plane node.

Provides (de)-encapsulation to and from its connect endpoints.

Question 32

What is the Fabric WLAN controller?

Answer 32

Connects APs and wireless endpoints to the fabric. The WLC is external and connects through a internal border node.

Question 33

What is the difference for a WLC in SD-Access?

Answer 33

Traffic travels on VXLAN encapsulated instead of CAPWAP.

Question 34

What are Intermediate nodes?

Answer 34

Switches or routers that do not provide any active rol in the SD-Access fabric

Question 35

What is placed in the controller layer?

Answer 35

Provides the subsystems for the management layer and consists of Cisco DNA center and Cisco ISE

Question 36

What are the 3 main controller susbsytems?

Answer 36

• Cisco Network Control Platform
• Cisco Network Data Platform
• Cisco ISE

Question 37

What is Cisco Network Control Platform?

Answer 37

Subsystem integrated directly into Cisco DNA that provides all of the underlay and fabric automation and orchestration services for the physical and network layers.

Question 38

What does Cisco Network Control Platform use for configuration?

Answer 38

NETCONF/YANG, SNMP, SSH/Telnet and provides network automation status and info to the management layer

Question 39

What is Cisco Network Data Platform?

Answer 39

Subsystem integrated directly into Cisco DNA that does datacollection and analytics

Question 40

What does Cisco Network Data Platform do?

Answer 40

Analyzes and correlates various network vents through multiple sources (NetFlow, SPAN) and identifies historical trends. Provides this to ISE and NCP Cisco Network Data Platform

Question 41

What is Cisco ISE?

Answer 41

Provides all the identity and policy services for the physical and network layer

Question 42

What is placed in the management layer?

Answer 42

The GUI of Cisco DNA Center

Question 43

What are the 4 main components of SD-WAN?

Answer 43

• vManage
• vSmart controller
• SD-WAN routers
• vBond orchestrator

Question 44

What is vManage?

Answer 44

GUI for SD-WAN

Question 45

What is vSmart controller?

Answer 45

The brain of SD-WAN and have cpre-installed redentials to authenticate every SD-WAN router that comes online

Question 46

How does vSmart controller work?

Answer 46

After authentication it creates a permanent DTLS tunnel to each SD-WAN router to esthablish OMP neighborships.

Question 47

What is OMP?

Answer 47

The Cisco Overlay Management Protocol

Question 48

What is a SD-WAN router?

Answer 48

SD-WAN routers deliver the essential WAN, security and multicloud capabilities of the SD-WAN solution and are available as hardware, software, clud or VR at the perimeter of a site.

Question 49

How does a SD-WAN router function?

Answer 49

It automatically establishes a DTLS tunnel wit ha vController to form a OMP neighborship
It also establishes IPsec session with other SD-WAN routers

Question 50

What are the two types of SD-WAN routers?

Answer 50

vEdge

cEdge - Viptela integrated in IOS-XE

Question 51

What are they advanced security features of cEdge?

Answer 51

• AMP & AMP Threat Grid
• Enterprise firewall
• Cisco Umbrella
• URL filtering
• The Snort intrusion prevention system
• Embedded platform security

Question 52

What is the vBond orchestrator?

Answer 52

Authenticaes the vSmare controllers and SD-WAN routers and orchestrates connectivity between them.

Question 53

What is unique about the vBond orchestrator?

Answer 53

It is a SD-WAN router that only performs orchestrator functions and the only device that must have a public IP so that SD-WAN routers can connect to it.

Question 54

What are the major components of vBond orchestrator?

Answer 54

• Control plane connection
• NAT traversel
• Load balancing

Question 55

What is Control plane connection?

Answer 55

Each vBond orchestrator has a permanent DTLS tunnel with a vSmart controller and uses DTLS connections to communicatie with SD-WAN routers

Question 56

What is NAT traversel?

Answer 56

vBond orchestrato facilitates the initial orchestration between SD-WAN routers and vSmart controllers, when one of them is behind a NAT device.

Question 57

What is load balancing vBond orchestrator?

Answer 57

In a domain with multiple vSmart Controllers the orchestrator automatically load balances SD-WAN routers

Question 58

What are the capabilities of vAnalytics?

Answer 58

• Visibility into applications
• Forecasting and what if analysis
• Intelligent recommendations

Question 59

Which SD-WAN component are available as physical devices?

Answer 59

• vSmart controllers

- SD-WAN routers

Question 60

What is vQoE?

Answer 60

Viptela Quality of Experience

Provides the quality of Cloud SaaS connections score

Question 61

What is Cloud OnRamp?

Answer 61

Delivers the best application QoE for SaaS application by continuously monitoring SaaS performance across diverse paths

Question 62

What does the vSmart controller do?

Answer 62

It pushes down configuration and policies to SD-WAN routers

Question 63

What does the vBond orchestrator do?

Answer 63

Holds al devies together