28 - Examining the Cisco SD-Access solution Flashcards

1
Q

Cisco SD-Access is part of the Cisco ___. ___ also includes Software defined WAN and the Application Centric Infrastructure (ACI)

A

Digital Network Architecture (CDN)

2
Q

The campus fabric architecture enables the use of __ networks (overlay) that run on a __ network (underlay) to create alternative topologies to connect devices. Overlay networks are commonly used to provide L2 and L3 logical networks with virtual machine mobility in data centre fabrics (ACI, VXLAN, FabricPath) and also in WANs to provide secure tunnelling from remote sites (MPLS, DMVPN, GRE).

A

virtual, physical

3
Q

___ network – defined by the physical switches and routers that are part of the campus fabric. All network elements of the underlay network must establish IP connectivity via the use of a routing protocol. Theoretically any topology and routing protocol can be used, but the implementation of a well-designed L3 foundation to the campus edge is highly recommended.

A

Underlay

4
Q

___ network – runs over the underlay to create a virtualised network. Virtual networks isolate both data plane traffic and control plane behaviour among the virtualised networks from the underlay network. Virtualisation is achieved inside the campus fabric by encapsulating user traffic over IP tunnels that are sourced and terminated at the boundaries of the fabric.

A

Overlay

5
Q

__ overlays – emulate a LAN segment and can be used to transport IP and non-IP frames. __ overlays carry a single subnet over the L3 underlay. __ overlays are useful in emulating physical topologies and are subject to L2 flooding.

A

Layer 2

6
Q

___ overlays – abstract IP-based connectivity from physical connectivity and allow multiple IP networks as part of each virtual network. Overlapping IP address space is supported across different __ overlays as long as the network virtualisation is preserved outside of the fabric, using existing network virtualisation functions such as VRF-lite and MPLS L3 VPN.

A

Layer 3

7
Q

With the demand for new services, __ is the key consideration. __ is a critical component of managing modern networks. Organisations need to appropriately protect resources and make changes efficiently in response to real-time needs. Tracking VLANs, ACLs, and IP addresses to ensure optimal policy and security compliance can be challenging. The overlay network approach solves these problems.

A

security

8
Q

The fabric underlay provisioning can be done __ and __.

A

manual, automated

9
Q

With manual underlay you can reuse your __ IP network as the fabric underlay.

A

existing

10
Q

What are the key requirements for a manual underlay?

A
  • IP reached from edge to edge, border, CP
  • Can be L2 or L3 (L3 recommended)
  • Can be any IGP (ISIS recommended for scalability and integration with DNAC)
11
Q

What are the key considerations for a manual underlay?

A
  • MTU (fabric header adds 50 bytes)
  • Latency (RTT ≤ 100 ms)

12
Q

What are the key requirements for an automated underlay?

A
  • Uses standard PnP for bootstrap
  • Assumes a new or erased configuration
  • Uses a global “underlay” address pool
13
Q

What are the key considerations for an automated underlay?

A
  • PnP pre-setup is required
  • 100% prescriptive (not custom)

14
Q

In the traditional internet architecture, the IP address of an endpoint denotes both its location and identity. Using the same value for both endpoint location and identity severely limits the security and management of traditional enterprise networks. ___ is a protocol that enables the separation of endpoint identification and its location.

A

Locator Identity Separation Protocol (LISP)

15
Q

When using LISP, the device IP address represents only the device __. When the device moves, its IP address remains the same in both locations, and only the __ changes.

A

identity, location ID

16
Q

LISP is a routing ___ that provides new semantics for IP addressing.

A

architecture

17
Q

The LISP routing architecture design separates the device identity, or endpoint identifier (EID), from its location, or routing locator (RLOC), into two different numbering spaces. Splitting the EID and RLOC functions yields several advantages. One such advantage is host __.

A

mobility

18
Q

What are the LISP name spaces?

A
  • Endpoint identifier (EID) addresses – IP addresses and prefixes identifying the endpoints. EID reachability across LISP sites is achieved by resolving EID-to-RLOC mappings.
  • Routing locator (RLOC) addresses – IP addresses and prefixes identifying the different routers in the IP network. Reachability within RLOC space is achieved by traditional routing methods.
19
Q

LISP uses a ___ routing model in which traffic that is destined for an EID is encapsulated and sent to an authoritative RLOC. This process is done rather than sending directly to the destination EID. It is based on the results of a lookup in a mapping database.

A

map-and-encapsulate

20
Q

LISP uses a ___ protocol approach rather than requiring a pre-configuration of tunnel endpoints. It is designed to work in a multihoming environment, and it supports communications between LISP and non-LISP sites for interworking.

A

dynamic tunnelling encapsulation

21
Q

An __ is a LISP site edge device that receives packets from site-facing interfaces (internal hosts) and encapsulates them to remote LISP sites, or natively forwards them to non-LISP sites.

A

Ingress tunnel router (ITR)

22
Q

An __ is a LISP site edge device that receives packets from core-facing interfaces (the transport infrastructure), de-encapsulates LISP packets and delivers them to local EIDs at the site.

A

Egress tunnel router (ETR)

23
Q

A __ is a LISP infrastructure device to which LISP-site ETRs register their EID prefixes. The __ stores registered EID prefixes in a mapping database where they are associated with RLOCs. All LISP sites use the LISP mapping system to resolve EID-to-RLOC mappings.

A

Map server (MS)

24
Q

A __ is a LISP infrastructure device to which LISP site ITRs send LISP map-request queries when resolving EID-to-RLOC mappings.

A

Map resolver (MR)

25
Q

A __ is a LISP infrastructure device that provides connectivity between non-LISP sites and LISP sites by attracting non-LISP traffic that is destined to LISP sites and encapsulating this traffic to ETR devices that are deployed at LISP sites.

A

Proxy ITR (PITR)

26
Q

A __ is a LISP infrastructure device that allows EIDs at LISP sites to successfully communicate with devices that are located at non-LISP sites.

A

Proxy ETR (PETR)

27
Q

Also known as ALT, this is a device that you deploy to build out an overlay network that provides a mechanism for managing EID prefix aggregation. It advertises EID prefixes in an alternative BGP topology over GRE, including to the MR.

A

Alternative topology

28
Q

The fabric control plane is based on LISP, which has its own encapsulation. LISP has one limitation: it supports only an L3 overlay. It cannot carry the MAC address, as it discards the L2 Ethernet header. In the Cisco SD-Access fabric, the MAC address also needs to be carried, and so ___ is used in the data plane.

A

VXLAN

29
Q

__ supports both L2 and L3 overlay. It preserves the original Ethernet header.

A

VXLAN

30
Q

VXLAN is designed to provide the same L2 network services as VLAN does, but with greater __ and __.

A

extensibility, flexibility

31
Q

VLANs have several features that make them a limiting factor in data centre networks:

A
  • Inefficient use of available network links
  • Rigid requirements on device placement
  • Limited scalability
32
Q

VXLAN offers the following benefits:

A
  • Flexible placement of multitenant segments throughout the DC. VXLAN extends L2 segments over the underlay L3 network, crossing traditional L2 boundaries
  • Supports 16 million coexistent segments
  • Better utilisation of available network paths. Because VLANs use STP, which blocks redundant paths, you may end up not using half of the links. VXLAN packets are transferred through the underlying network based on their L3 header.
33
Q

VXLAN is an L2 overlay scheme over an L3 network. It uses the __ encapsulation to extend L2 segments across the DC network.

A

MAC-in-UDP

34
Q

VXLAN uses __ devices to map devices in local segments to VXLAN segments. A __ performs encapsulation and de-encapsulation of the L2 traffic. Each __ has at least two interfaces: a switch interface on the local LAN segment and an IP interface in the transport IP network.

A

VTEP

35
Q

VXLAN is a relatively new technology, so data centres contain devices that are not capable of supporting VXLAN, such as legacy hypervisors, physical servers, and network services appliances. Those devices reside on classic VLAN segments. You would enable VLAN-VXLAN connectivity by using a ___. A __ is a VTEP device that combines a VXLAN segment and a classic VLAN segment into one common L2 domain.

A

VXLAN L2 gateway

36
Q

A __, also known as a VXLAN router, routes between different VXLAN segments.

A

VXLAN L3 gateway

37
Q

VXLAN ___ is the latest version of VXLAN. It adds special fields in the header to carry the virtual network IDs and SGTs. The outer part of the header consists of the IP and MAC. It uses a UDP header with a source and destination port. The source port is a hash value that is created using the original source information and prevents polarisation in the underlay. The destination port is always 4789. The frame can be identified as a VXLAN frame using this specific UDP destination port number. The VXLAN header has special reserved fields to carry the SGT and virtual network ID information.

A

Group Policy Extension (GPO)

38
Q

The campus fabric is composed of fabric __ nodes, __ nodes, __ nodes, and __ nodes.

A

control plane, edge, intermediate, border

39
Q

__ nodes – the map system that manages endpoint ID to device relationships

A

Control plane

40
Q

__ nodes – a fabric device (e.g. core) that connects external L3 networks to the SD-Access fabric

A

Border

41
Q

__ nodes – a fabric device (e.g. access or distribution) that connects wired endpoints to the SD-Access fabric

A

Edge

42
Q

Fabric ___ – WLC that is fabric-enabled

A

Wireless controller

43
Q

Fabric ___ – APs that are fabric-enabled

A

Mode APs

44
Q

__ nodes – the underlay

A

intermediate

45
Q

The SD-Access fabric __ node is based on the LISP map server (MS) and map-resolver (MR) functionality combined on the same node.

A

control plane

46
Q

The control plane node enables the following functions

A
  • Host tracking database – the HTDB is a central repository of EID-to-fabric-edge-node bindings
  • Map server – the LISP MS is used to populate the HTDB from registration messages from fabric edge devices
  • Map resolver – the LISP MR is used to respond to map queries from fabric edge devices requesting RLOC mapping information for destination EIDs.
47
Q

The SD-Access fabric edge nodes are the equivalent of an access layer switch in a traditional campus LAN design. The edge nodes implement a L3 access design with the addition of the following fabric functions:

A
  • Endpoint registration – after an endpoint is detected by the fabric edge, it is added to a local host tracking database called the EID table.
  • Mapping of user to virtual network – endpoints are placed in virtual networks by assigning the endpoint to a VLAN
  • Anycast L3 gateway – a common gateway (IP and MAC addresses) can be used at every node that shares a common EID subnet, providing optimal forwarding and mobility across different RLOCs
  • LISP forwarding – instead of a typical routing-based decision, the fabric edge nodes query the map resolver to determine the RLOC associated with the destination EID and use that information as the traffic destination
  • VXLAN encapsulation/de-encapsulation – the fabric edge nodes use the RLOC associated with the destination IP address to encapsulate the traffic with VXLAN headers.
48
Q

The ___ nodes serve as the gateway between the SD-Access fabric site and the networks external to the fabric. The fabric border node is responsible for network virtualisation interworking and SGT propagation from the fabric to the rest of the network.

A

fabric border

49
Q

Border nodes implement the following functions:

A
  • Advertisement of EID subnets – SD-Access configures BGP as the preferred routing protocol used to advertise the EID prefixes outside the fabric, and traffic destined to EID subnets from outside the fabric goes through the border nodes.
  • Fabric domain exit point – the external fabric border is the gateway of last resort for the fabric edge nodes
  • Mapping of LISP instance to VRF – the fabric border can extend network virtualisation from inside the fabric to outside the fabric by using external VRF instances to preserve virtualisation
  • Policy mapping – the fabric border node also maps SGT information from within the fabric so that it is appropriately maintained when exiting the fabric.
50
Q

The fabric __ nodes are part of the L3 network that interconnects the edge nodes to the border nodes. In a three-tier campus design using a core, distribution, and access, the fabric intermediate nodes are the equivalent of the distribution switches.

A

intermediate

51
Q

Integrates with the control plane for wireless and the fabric control plane. Both __ and non-fabric WLCs provide AP image and configuration management, client session management, and mobility services. __ provide additional services for fabric integration by registering MAC addresses of wireless clients into the host tracking database of the fabric control plane during wireless client join events and by supplying fabric edge RLOC location updates during client roam events.

A

Fabric WLC

52
Q

APs are Cisco 802.11ac Wave 2 and Wave 1 APs associated with the fabric WLC that have been configured with one or more fabric-enabled SSIDs.

A

Fabric mode AP

53
Q

For sites where a single switch or switch stack is supporting all the Ethernet connectivity at that site, SD-Access is available without having to deploy separate devices for each fabric role.

A

Fabric in a box

54
Q

Create a ___ by assigning control plane node, edge node, and border node functionality to a single switch device.

A

fabric in a box

55
Q

Cisco SD-Access automates user access policy so organisations can make sure that the right policies are established for any user or device with any application accessing the network. The two most important solution components are Cisco __ and Cisco __.

A

ISE, DNA centre

56
Q

How does Cisco ISE integrate in SD-Access?

A
  • Part of SD-Access for policy implementation, enabling dynamic mapping of users and devices to scalable groups and simplifying end-to-end policy enforcement
  • Users and devices shown in a simple and flexible interface
  • Integrates with Cisco DNAC by using Cisco Platform Exchange Grid (pxGrid) and REST APIs for exchange of client information and automation
57
Q

How does DNAC integrate in SD-Access?

A
  • SD-Access is enabled with an application package that runs as part of Cisco DNA software for designing, provisioning, applying policy, and facilitating the creation of an intelligent campus wired and wireless network with assurance.
  • Centrally manages major configuration and operations workflow areas
58
Q

What are the 5 elements of the DNA centre SD-Access workflow?

A
  • Design
  • Policy
  • Provision
  • Assurance
  • Platform
59
Q

Configures device global settings, network site profiles for physical device inventory, DNS, DHCP, IP addressing, software image management, plug-and-play, and user access.

A

Design

60
Q

Defines business intent for provisioning the network, including creation of virtual networks, assignment of endpoints to virtual networks, and policy contract definition for groups.

A

Policy

61
Q

Provisions devices for management and creates fabric domains, control plane nodes, border nodes, edge nodes, fabric wireless.

A

Provision

62
Q

Enables proactive monitoring and insights to confirm that user experience meets configured intent, using network, client, and application health dashboards, issue management, and sensor-driven testing.

A

Assurance

63
Q

Allows programmatic access to the network and system integration with third-party systems using APIs, using feature set bundles, configurations, a run-time dashboard, and a developer toolkit.

A

Platform

64
Q

Some benefits of SD-Access wireless are:

A
  • Centralized wireless control plane
  • Optimised distributed data plane
  • Seamless L2 roaming everywhere
  • Simplified guest and mobility tunnelling
  • Policy simplification
  • Segmentation made easy