Ch 23: Fabric Technologies Flashcards

1
Q

What is the main reason SD-Access uses VXLAN data encapsulation instead of LISP data encapsulation?

  1. VXLAN supports IPv6.
  2. VXLAN supports Layer 2 networks.
  3. VXLAN has a much smaller header.
  4. VXLAN has a better ring to it.
A

2.

Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header, and this allows SD-Access to support Layer 2 and Layer 3 overlays.

2
Q

T/F: The VXLAN header used for SD-Access is exactly the same as the original VXLAN header.

A

False.

The original VXLAN specification was enhanced for SD-Access to support Cisco TrustSec Scalable Group Tags (SGTs). This was accomplished by adding new fields to the first 4 bytes of the VXLAN header in order to transport up to 64,000 SGTs. The new VXLAN format is called VXLAN Group Policy Option (GPO), and it is defined in the IETF draft draft-smith-vxlan-group-policy-05.

3
Q

Which is the control plane used by SD-Access?

  1. LISP control plane
  2. EVPN MP-BGP
  3. Multicast
  4. VXLAN control plane

What operates at each of these planes:

  • Data plane = ?
  • Policy plane = ?
  • Management Plane = ?
A

1.

The SD-Access fabric control plane is based on Locator/ID Separation Protocol (LISP).

(Data plane = VXLAN)

(Policy plane = TrustSec)

(Management Plane = Cisco DNA Center)

4
Q

Which field was added to the VXLAN header to allow it to carry SGT tags?

  1. Group Policy ID
  2. Scalable Group ID
  3. Group Based Tag
  4. Group Based Policy
A

1.

The VXLAN-GPO specification includes a 16-bit identifier that is used to carry the SGT tag called the Group Policy ID.

5
Q

Which types of network environments was SD-Access designed for?

  1. Data center
  2. Internet
  3. Enterprise campus and branch
  4. Service provider
  5. WAN
  6. Private cloud
A

3.

Cisco SD-Access was designed for enterprise campus and branch network environments and not for other types of network environments, such as data center, service provider, and WAN environments.

6
Q

Which of the following components are part of the SD-Access fabric architecture? (Choose all that apply.)

  1. WLCs
  2. Cisco routers
  3. Cisco firewalls
  4. Cisco switches
  5. Access points
  6. Cisco ISE
  7. Cisco DNA Center
  8. Intrusion prevention systems
A

1, 2, 4, 5, 6, and 7. The SD-Access architecture includes the following components:

  • Cisco switches: Provide wired (LAN) access to the fabric. Multiple types of Cisco Catalyst switches are supported, as well as Nexus (NX-OS) switches.
  • Cisco routers: Provide WAN and branch access to the fabric. Multiple types of Cisco ASR 1000, ISR, and CSR routers, including the CSRv and ISRv cloud routers, are supported.
  • Cisco wireless: Cisco WLCs and APs provide wireless (WLAN) access to the fabric.
  • Cisco controller appliances: There are only two types of appliances to consider: Cisco DNA Center and Cisco ISE. Cisco ISE supports both VM and physical appliance deployment models.

7
Q

What are the main components of the Cisco SD-WAN solution? (Choose four.)

  1. vManage network management system (NMS)
  2. vSmart controller
  3. SD-WAN routers
  4. vBond orchestrator
  5. vAnalytics
  6. Cisco ISE
  7. Cisco DNA Center
A

1, 2, 3, and 4.

The Cisco SD-WAN solution is composed of four main components and an optional analytics service:

  1. vManage network management system (NMS)
  2. vSmart controller
  3. SD-WAN routers
  4. vBond orchestrator
  5. vAnalytics (optional)
8
Q

T/F: The vSmart controller establishes permanent UDP connections to all SD-WAN routers in the SD-WAN fabric.

A

False.

The vSmart controller establishes permanent and secure Datagram Transport Layer Security (DTLS) connections to all SD-WAN routers in the SD-WAN fabric and runs a proprietary routing protocol called Overlay Management Protocol (OMP) over each of the DTLS tunnels.

9
Q

T/F: SD-WAN only works over the Internet or MPLS networks.

A

False.

SD-WAN is transport agnostic and can use any type of IP-based underlay transport networks, such as the Internet, satellite, dedicated circuits, 3G/4G LTE, and MPLS.

10
Q

Which of the following is the single pane of glass for the SD-WAN solution?

  1. DNA Center
  2. vBond
  3. vManage
  4. vSmart
A

3.

vManage is the single pane of glass for the SD-WAN solution.

11
Q

Which of the following is the main function of the vBond orchestrator?

  1. To authenticate the vManage NMS and the SD-WAN routers and orchestrate connectivity between them
  2. To authenticate the vSmart controllers and the SD-WAN routers and orchestrate connectivity between them
  3. To authenticate the vSmart controllers and the vManage NMS and orchestrate connectivity between them
A

2.

The main function of the vBond orchestrator is to authenticate the vSmart controllers and the SD-WAN routers and orchestrate connectivity between them.

Controllers <-> vBond Orchestrator <-> Routers

12
Q

What is Cisco DNA and SD-Access?

A

Cisco Digital Network Architecture (Cisco DNA): Cisco DNA is the solution for the future of intent-based networking in Cisco enterprise networks.

Cisco SD-Access fabric is one of the main components and provides

  • policy-based network segmentation
  • host mobility for wired and wireless hosts
  • enhanced security
  • other benefits in a fully automated fashion

Cisco SD-Access was designed for enterprise campus and branch network environments and not for other types of network environments, such as data center, service provider, and WAN environments.

13
Q

What is SD-WAN?

A

The Cisco SD-WAN fabric is a cloud-based WAN solution for enterprise and data center networks that was developed to address all the new WAN requirements.

Traditional WANs are typically designed using MPLS or other overlay solutions, such as Dynamic Multipoint Virtual Private Network (DMVPN) or Intelligent WAN (IWAN) to provide connectivity between different campus and branch sites.

However, with the rise of software as a service (SaaS) cloud applications such as Microsoft Office 365 and Salesforce.com, and public infrastructure as a service (IaaS) cloud services from Amazon Web Services (AWS), Google Compute Engine (GCE), and Microsoft Azure, traffic patterns are changing so that the majority of enterprise traffic flows to public clouds and the Internet.

Such changes are creating new requirements for security, application performance, cloud connectivity, WAN management, and operations that traditional WAN solutions were not designed to address.

14
Q

What are the two main components of SD-Access?

A

SD-Access has two main components:

  1. Cisco Campus fabric solution
  2. Cisco DNA Center

The campus fabric is a Cisco-validated fabric overlay solution that includes all of the features and protocols (control plane, data plane, management plane, and policy plane) to operate the network infrastructure. When the campus fabric solution is managed using the command-line interface (CLI) or an application programming interface (API) using Network Configuration Protocol (NETCONF)/YANG, the solution is considered to be a campus fabric solution. When the campus fabric solution is managed via the Cisco DNA Center, the solution is considered to be SD-Access, as illustrated in Figure 23-1.

15
Q

What is an SD-Access extension node?

A

Cisco access layer switches that do not actively participate in the SD-Access fabric but that are part of it because of automation are referred to as SD-Access extension nodes.

The following are the physical layer devices of the SD-Access fabric:

  • Cisco switches: Switches provide wired (LAN) access to the fabric. Multiple types of Cisco Catalyst switches are supported, as well as Nexus switches.
  • Cisco routers: Routers provide WAN and branch access to the fabric. Multiple types of Cisco ASR 1000, ISR, and CSR routers, including the CSRv and ISRv cloud routers, are supported.
  • Cisco wireless: Cisco WLCs and APs provide wireless (WLAN) access to the fabric.
  • Cisco controller appliances: Cisco DNA Center and Cisco ISE are the two controller appliances required.
16
Q

The network layer consists of the __________ network and the ________ network.

A

The network layer consists of the underlay network and the overlay network. These two sub-layers work together to deliver data packets to and from the network devices participating in SD-Access. All this network layer information is made available to the controller layer.

The network underlay is the underlying physical layer, and its sole purpose is to transport data packets between network devices for the SD-Access fabric overlay.

17
Q

What is the recommended network underlay design? At what layer, and which protocols are recommended?

A

The underlay network for SD-Access should be configured to ensure performance, scalability, and high availability because any problems with the underlay can affect the operation of the fabric overlay.

While it is possible to use a Layer 2 network underlay design running Spanning Tree Protocol (STP), it is not recommended.

The recommended design for the network underlay is to use a Layer 3 routed access campus design using IS-IS as the IGP. IS-IS offers operational advantages such as neighbor establishment without IP dependencies, peering capability using loopback addresses, and agnostic treatment of IPv4, IPv6, and non-IP traffic.

18
Q

Define the two models of underlay that are supported:

  • Manual underlay
  • Automated underlay
A

Manual underlay: This type of underlay network is configured and managed manually (such as with a CLI or an API) rather than through Cisco DNA Center. An advantage of the manual underlay is that it allows customization of the network to fit any special design requirements (such as changing the IGP to OSPF); in addition, it allows SD-Access to run on the top of a legacy (or third-party) IP-based network.

Automated underlay: In a fully automated network underlay, all aspects of the underlay network are configured and managed by the Cisco DNA Center LAN Automation feature. The LAN Automation feature creates an IS-IS routed access campus design and uses the Cisco Network Plug and Play features to deploy both unicast and multicast routing configuration in the underlay to improve traffic delivery efficiency for SD-Access. An automated underlay eliminates misconfigurations and reduces the complexity of the network underlay. It also greatly simplifies and speeds the building of the network underlay. A downside to an automated underlay is that it does not allow manual customization for special design requirements.

19
Q

What is the SD-Access fabric?

A

The SD-Access fabric is the overlay network, and it provides policy-based network segmentation, host mobility for wired and wireless hosts, and enhanced security beyond the normal switching and routing capabilities of a traditional network.

In SD-Access, the fabric overlay is fully automated, regardless of the underlay network model used (manual or automated). It includes all necessary overlay control plane protocols and addressing, as well as all global configurations associated with operation of the SD-Access fabric.

20
Q

T/F: An overlay network that is managed via a CLI or API using NETCONF/YANG is considered to be a campus fabric solution and not SD-Access.

A

True.

It is also possible to manually configure the overlay network without using DNA Center; however, when the overlay network is managed via the CLI or API using NETCONF/YANG, the solution is considered to be a campus fabric solution and not SD-Access.

21
Q

What are three basic planes of operation in the SD-Access fabric?

A

There are three basic planes of operation in the SD-Access fabric:

  1. Control plane: based on Locator/ID Separation Protocol (LISP)
  2. Data plane: based on Virtual Extensible LAN (VXLAN)
  3. Policy plane: based on Cisco TrustSec
22
Q

What is the SD-Access Control Plane?

A

The SD-Access fabric control plane is based on Locator/ID Separation Protocol (LISP). LISP is an IETF standard protocol defined in RFC 6830 that is based on a simple endpoint ID (EID) to routing locator (RLOC) mapping system to separate the identity (endpoint IP address) from its current location (network edge/border router IP address).

LISP dramatically simplifies traditional routing environments by eliminating the need for each router to process every possible IP destination address and route. It does this by moving remote destination information to a centralized mapping database called the LISP map server (MS) (a control plane node in SD-Access), which allows each router to manage only its local routes and query the map system to locate destination EIDs.

23
Q

The tunneling technology used for the fabric data plane is based on ___________________.

A

The tunneling technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN).

VXLAN encapsulation is IP/UDP based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric. Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not.

Using VXLAN allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) and the ability to operate over any IP-based network with built-in network segmentation (VRF instance/VN) and built-in group-based policy. The differences between the LISP and VXLAN packet formats are illustrated in Figure 23-4.

24
Q

VXLAN encapsulation is ____ / ____ based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric.

A

VXLAN encapsulation is IP/UDP based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric.

25
Q

What type of data encapsulation does the SD-Access fabric use for the data plane, and why?

A

Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not.

26
Q

MAC-in-IP/UDP Encapsulation Supports ___________ Overlay.

IP-in-IP/UDP Encapsulation Supports __________ Overlay.

Which encapsulation is used by LISP and which is used by VXLAN?

A

MAC-in-IP/UDP Encapsulation Supports Layer 2 and Layer 3 Overlay.

IP-in-IP/UDP Encapsulation Supports Layer 3 Overlay.

VXLAN uses MAC-in-IP/UDP encapsulation (it carries the original Ethernet header); LISP uses IP-in-IP/UDP encapsulation.

See attached diagram of the header layout for LISP and VXLAN.

27
Q

What are SGTs?

A

The original VXLAN specification was enhanced for SD-Access to support Cisco TrustSec Scalable Group Tags (SGTs).

This was accomplished by adding new fields to the first 4 bytes of the VXLAN header in order to transport up to 64,000 SGT tags. The new VXLAN format is called VXLAN Group Policy Option (VXLAN-GPO).

28
Q

The new fields in the VXLAN-GPO packet format include the following. What are these?

  • Group Policy ID
  • Group Based Policy Extension Bit (G Bit)
  • Don’t Learn Bit (D Bit)
  • Policy Applied Bit (A Bit)
A

The new fields in the VXLAN-GPO packet format include the following:

  • Group Policy ID: 16-bit identifier that is used to carry the SGT tag.
  • Group Based Policy Extension Bit (G Bit): 1-bit field that, when set to 1, indicates an SGT tag is being carried within the Group Policy ID field and set to 0 when it is not.
  • Don’t Learn Bit (D Bit): 1-bit field that when set to 1 indicates that the egress virtual tunnel endpoint (VTEP) must not learn the source address of the encapsulated frame.
  • Policy Applied Bit (A Bit): 1-bit field that is only defined as the A bit when the G bit field is set to 1. When the A bit is set to 1, it indicates that the group policy has already been applied to this packet, and further policies must not be applied by network devices. When it is set to 0, group policies must be applied by network devices, and they must set the A bit to 1 after the policy has been applied.
29
Q

What happens on the SD-Access Fabric Policy Plane?

A

The fabric policy plane is based on Cisco TrustSec. Cisco TrustSec SGT tags are assigned to authenticated groups of users or end devices. Network policy (for example, ACLs, QoS) is then applied throughout the SD-Access fabric, based on the SGT tag instead of a network address (MAC, IPv4, or IPv6).

This allows for the creation of network policies such as security, quality of service (QoS), policy-based routing (PBR), and network segmentation, based only on the SGT tag and not the network address (MAC, IPv4, or IPv6) of the user or endpoint.

30
Q

T/F: Extended policy enforcement to external networks (such as cloud or data center networks) is possible with TrustSec SGT by transporting the tags to Cisco TrustSec-aware devices using SGT Exchange Protocol (SXP).

A

True.

TrustSec SGT tags provide several advantages for Cisco SD-Access, such as:

  • Support for both network-based segmentation using VNs (VRF instances) and group-based segmentation (policies)
  • Network address-independent group-based policies based on SGT tags rather than MAC, IPv4, or IPv6 addresses, which reduces complexity
  • Dynamic enforcement of group-based policies, regardless of location for both wired and wireless traffic
  • Policy constructs over a legacy or third-party network using VXLAN
  • Extended policy enforcement to external networks (such as cloud or data center networks) by transporting the tags to Cisco TrustSec-aware devices using SGT Exchange Protocol (SXP).
31
Q

The operation of the SD-Access fabric requires multiple different device roles, each with a specific set of responsibilities. There are five basic device roles in the fabric overlay.

What are the functions of these:

  1. Control plane node
  2. Fabric border node
  3. Fabric edge node
  4. Fabric WLAN controller (WLC)
  5. Intermediate nodes
A

The operation of the SD-Access fabric requires multiple different device roles, each with a specific set of responsibilities. Each SD-Access-enabled network device must be configured for one (or more) of these roles. During the planning and design phase, it is important to understand the fabric roles and to select the most appropriate network devices for each role.

There are five basic device roles in the fabric overlay:

  1. Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay. (MS/MR)
  2. Fabric border node: This fabric device (for example, core layer device) connects external Layer 3 networks to the SDA fabric. (PxTR)
  3. Fabric edge node: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric.
  4. Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric.
  5. Intermediate nodes: These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services.

Figure 23-6 illustrates the different SD-Access fabric design roles and how nodes in the fabric can play multiple roles. For example, the core layer routers in this figure are acting as fabric border nodes and control plane nodes.

32
Q

What is a “fabric edge node”? What is its role, and what does it provide?

A

A fabric edge node provides onboarding and mobility services for wired users and devices (including fabric-enabled WLCs and APs) connected to the fabric. It is a LISP tunnel router (xTR) that also provides the anycast gateway, endpoint authentication, and assignment to overlay host pools (static or DHCP), as well as group-based policy enforcement (for traffic to fabric endpoints).

A fabric edge first identifies and authenticates wired endpoints (through 802.1x), in order to place them in a host pool (SVI and VRF instance) and scalable group (SGT assignment). It then registers the specific EID host address (that is, MAC, /32 IPv4, or /128 IPv6) with the control plane node.

A fabric edge provides a single Layer 3 anycast gateway (that is, the same SVI with the same IP address on all fabric edge nodes) for its connected endpoints and also performs the encapsulation and de-encapsulation of host traffic to and from its connected endpoints.

33
Q

What is a “fabric control plane node”?

A

A fabric control plane node is a LISP map server/resolver (MS/MR) with enhanced functions for SD-Access, such as fabric wireless and SGT mapping. It maintains a simple host tracking database to map EIDs to RLOCs.

The control plane (host database) maps all EID locations to the current fabric edge or border node, and it is capable of multiple EID lookup types (IPv4, IPv6, or MAC).

The control plane receives registrations from fabric edge or border nodes for known EID prefixes from wired endpoints and from fabric mode WLCs for wireless clients. It also resolves lookup requests from fabric edge or border nodes to locate destination EIDs and updates fabric edge nodes and border nodes with wired and wireless client mobility and RLOC information.

34
Q

What are “fabric border nodes”?

A

Fabric border nodes are LISP proxy tunnel routers (PxTRs) that connect external Layer 3 networks to the SD-Access fabric and translate reachability and policy information, such as VRF and SGT information, from one domain to another.

35
Q

There are three types of (fabric) border nodes. What is the function of each?

  1. Internal border - (rest of company)
  2. Default border - (outside)
  3. Internal + default border - (anywhere)
A

There are three types of border nodes:

  1. Internal border (rest of company): Connects only to the known areas of the organization (for example, WLC, firewall, data center).
  2. Default border (outside): Connects only to unknown areas outside the organization. This border node is configured with a default route to reach external unknown networks, such as the Internet or the public cloud, that are not known to the control plane nodes.
  3. Internal + default border (anywhere): Connects transit areas as well as known areas of the company. This is basically a border that combines internal and default border functionality into a single node.
36
Q

What are the functions of a Fabric Wireless Controller (WLC)?

A

The WLC is external to the fabric and connects to the SD-Access fabric through an internal border node.

A fabric-enabled WLC:

  • connects APs and wireless endpoints to the SD-Access fabric
  • provides onboarding and mobility services for wireless users and endpoints connected to the SD-Access fabric
  • performs PxTR registrations to the fabric control plane (on behalf of the fabric edges) and can be thought of as a fabric edge for wireless clients.

The control plane node maps the host EID to the current fabric access point and fabric edge node location the access point is attached to.

37
Q

What is different about SD-Access wireless deployments from traditional wireless deployments?

A

The main difference is that the data and control planes are separate from the WLC in SD-Access. This allows the data plane to be distributed to the APs.

In traditional wireless deployments, the WLC is typically centralized, and all control plane and data plane (wireless client data) traffic needs to be tunneled to the WLC through the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel.

In SD-Access, the wireless control plane remains centralized, but the data plane is distributed using VXLAN directly from the fabric-enabled APs. Figure 23-7 illustrates a traditional wireless deployment compared to an SD-Access wireless deployment.

38
Q

T/F: Fabric APs establish a VXLAN tunnel to the fabric edge to transport wireless client data traffic through the VXLAN tunnel instead of the CAPWAP tunnel.

A

True.

For this to work, the AP must be directly connected to the fabric edge or a fabric extended node. Using a VXLAN tunnel to transport the wireless data traffic increases performance and scalability because the wireless client data traffic doesn’t need to be tunneled to the WLC via CAPWAP, as in traditional wireless deployments; the routing decision is taken directly by the fabric edge. In addition, SGT- and VRF-based policies for wireless users on fabric SSIDs are applied at the fabric edge in the same way as for wired users. Wireless clients (SSIDs) use regular host pools for traffic and policy enforcement (the same as wired clients), and the fabric WLC registers client EIDs with the control plane node (as located on the edge).

39
Q

The __________ layer provides all of the management subsystems for the management layer, and this is all provided by Cisco DNA Center and Cisco ISE.

A

The controller layer provides all of the management subsystems for the management layer, and this is all provided by Cisco DNA Center and Cisco ISE.

Figure 23-8 illustrates the different components that comprise the controller layer and how they interact with each other as well as with the campus fabric.

40
Q

What is the role of the Virtual network (VN) in SD-Access?

A

Virtual network (VN): The VN provides virtualization at the device level, using VRF instances to create multiple Layer 3 routing tables. VRF instances provide segmentation across IP addresses, allowing for overlapped address space and traffic segmentation. In the control plane, LISP instance IDs are used to maintain separate VRF instances. In the data plane, edge nodes add a VXLAN VNID to the fabric encapsulation.

41
Q

In SD-Access, what is the role of the Host pool?

A

Host pool: A host pool is a group of endpoints assigned to an IP pool subnet in the SD-Access fabric. Fabric edge nodes have a Switched Virtual Interface (SVI) for each host pool to be used by endpoints and users as their default gateway. The SD-Access fabric uses EID mappings to advertise each host pool (per instance ID), which allows host-specific (/32, /128, or MAC) advertisement and mobility. Host pools can be assigned dynamically (using host authentication, such as 802.1x) and/or statically (per port).

42
Q

In SD-Access, what is the role of a “Scalable Group”?

A

Scalable group: A scalable group is a group of endpoints with similar policies. The SD-Access policy plane assigns every endpoint (host) to a scalable group using TrustSec SGT tags.

Assignment to a scalable group can be either static per fabric edge port or using dynamic authentication through AAA or RADIUS using Cisco ISE. The same scalable group is configured on all fabric edge and border nodes.

Scalable groups can be defined in Cisco DNA Center and/or Cisco ISE and are advertised through Cisco TrustSec. There is a direct one-to-one relationship between host pools and scalable groups. Therefore, the scalable groups operate within a VN by default. The fabric edge and border nodes include the SGT tag ID in each VXLAN header, which is carried across the fabric data plane. This keeps each scalable group separate and allows SGACL policy and enforcement.

43
Q

In SD-Access, what is the role of the “Anycast Gateway”?

A

Anycast gateway: The anycast gateway provides a pervasive Layer 3 default gateway where the same SVI is provisioned on every edge node with the same SVI IP and MAC address. This allows an IP subnet to be stretched across the SD-Access fabric.

For example, if the subnet 10.1.0.0/24 is provisioned on an SD-Access fabric, this subnet will be deployed across all of the edge nodes in the fabric, and an endpoint located in that subnet can be moved to any edge node within the fabric without a change to its IP address or default gateway. This essentially stretches these subnets across all of the edge nodes throughout the fabric, thereby simplifying the IP address assignment and allowing fewer but larger IP subnets to be deployed. In essence, the fabric behaves like a logical switch that spans multiple buildings, where an endpoint can be unplugged from one port and plugged into another port on a different building, and it will seem as if the endpoint is connecting to the same logical switch, where it can still reach the same SVI and other endpoints in the same VLAN.

44
Q

There are three main controller subsystems. What are their roles?

  1. Cisco Network Control Platform (NCP)
  2. Cisco Network Data Platform (NDP)
  3. Cisco Identity Services Engine (ISE)
A

There are three main controller subsystems:

  1. Cisco Network Control Platform (NCP): This is a subsystem integrated directly into Cisco DNA Center that provides all the underlay and fabric automation and orchestration services for the physical and network layers. NCP configures and manages Cisco network devices using NETCONF/YANG, Simple Network Management Protocol (SNMP), SSH/Telnet, and so on and then provides network automation status and other information to the management layer.
  2. Cisco Network Data Platform (NDP): NDP is a data collection and analytics and assurance subsystem that is integrated directly into Cisco DNA Center. NDP analyzes and correlates various network events through multiple sources (such as NetFlow and Switched Port Analyzer [SPAN]) and identifies historical trends. It uses this information to provide contextual information to NCP and ISE, and it provides network operational status and other information to the management layer.
  3. Cisco Identity Services Engine (ISE): The basic role of ISE is to provide all the identity and policy services for the physical layer and network layer. ISE provides network access control (NAC) and identity services for dynamic endpoint-to-group mapping and policy definition in a variety of ways, including using 802.1x, MAC Authentication Bypass (MAB), and Web Authentication (WebAuth). ISE also collects and uses the contextual information shared from NDP and NCP (and other systems, such as Active Directory and AWS). ISE then places the profiled endpoints into the correct scalable group and host pool. It uses this information to provide information to NCP and NDP, so the user (management layer) can create and manage group-based policies. ISE is also responsible for programming group-based policies on the network devices.
45
Q

What is the user UX/UI management layer in SD-Access called?

A

The Cisco DNA Center management layer is the user interface/user experience (UI/UX) layer, where all the information from the other layers is presented to the user in the form of a centralized management dashboard. It is the intent-based networking aspect of Cisco DNA.

A full understanding of the network layer (LISP, VXLAN, and Cisco TrustSec) or controller layer (Cisco NCP, NDP, and ISE) is not required to deploy the fabric in SD-Access. Nor is there a requirement to know how to configure each individual network device and feature to create the consistent end-to-end behavior offered by SD-Access.

The management layer abstracts all the complexities and dependencies of the other layers and provides the user with a simple set of GUI tools and workflows to easily manage and operate the entire Cisco DNA network (hence the name Cisco DNA Center).

Cisco DNA Center applications are designed for simplicity and are based on the primary workflows defined by Cisco DNA Center: design, policy, provision, and assurance.

46
Q

SD-Access has two main components. What are they?

A

SD-Access has two main components:

  1. Cisco Campus fabric solution
  2. Cisco DNA Center

The campus fabric is a Cisco-validated fabric overlay solution that includes all of the features and protocols (control plane, data plane, management plane, and policy plane) to operate the network infrastructure. When the campus fabric solution is managed using the command-line interface (CLI) or an application programming interface (API) using Network Configuration Protocol (NETCONF)/YANG, the solution is considered to be a campus fabric solution.

When the campus fabric solution is managed via the Cisco DNA Center, the solution is considered to be SD-Access, as illustrated in Figure 23-1.

47
Q

What is UTM?

A

Unified Threat Management (UTM) is an all-in-one security solution delivered in a single appliance and typically includes the following security features: firewall, VPN, intrusion prevention, antivirus, antispam, and web content filtering.

Cisco offers this solution with SD-WAN on Meraki gear.

48
Q

What is Viptela?

A

Cisco SD-WAN (based on Viptela): This is the preferred solution for organizations that require an SD-WAN solution with cloud-based initiatives that provides granular segmentation, advanced routing, advanced security, and complex topologies while connecting to cloud instances.

49
Q

What are the four main components of the Cisco SD-WAN solution?

A

The Cisco SD-WAN solution has four main components and an optional analytics service:

  1. vManage Network Management System (NMS): This is a single pane of glass (GUI) for managing the SD-WAN solution.
  2. vSmart controller: This is the brains of the solution.
  3. SD-WAN routers: SD-WAN involves both vEdge and cEdge routers.
  4. vBond orchestrator: This authenticates and orchestrates connectivity between SD-WAN routers and vSmart controllers.
  5. vAnalytics: This is an optional analytics and assurance service.
50
Q

What is the tool used to configure and manage Cisco SD-WAN?

A

The vManage NMS is a single pane of glass network management system (NMS) GUI that is used to configure and manage the full SD-WAN solution. It enables centralized provisioning and simplifies network changes.

51
Q

What type of tunnel is established between the vSmart controller and every SD-WAN router in the fabric?

A

vSmart controllers (which are the brains of the SD-WAN solution) have pre-installed credentials that allow them to authenticate every SD-WAN router that comes online. These credentials ensure that only authenticated devices are allowed access to the SD-WAN fabric.

After successful authentication, each vSmart controller establishes a permanent DTLS tunnel to each SD-WAN router in the SD-WAN fabric and uses these tunnels to establish Overlay Management Protocol (OMP) neighborships with each SD-WAN router. OMP is a proprietary routing protocol similar to BGP that can advertise routes, next hops, keys, and policy information needed to establish and maintain the SD-WAN fabric.

52
Q

What is OMP?

A

OMP is a Cisco proprietary routing protocol similar to BGP that can advertise routes, next hops, keys, and policy information needed to establish and maintain the SD-WAN fabric.

The vSmart controller processes the OMP routes learned from the SD-WAN routers (or other vSmart controllers) to determine the network topology and calculate the best routes to network destinations. Then it advertises reachability information learned from these routes to all the SD-WAN routers in the SD-WAN fabric.

53
Q

What device in Cisco SD-WAN implements all the control plane policies created on vManage, such as service chaining, traffic engineering, and segmentation per VPN topology?

A

vSmart controllers also implement all the control plane policies created on vManage, such as service chaining, traffic engineering, and segmentation per VPN topology.

For example, when a policy is created on vManage for an application (such as YouTube) that requires no more than 1% loss and 150 ms latency, that policy is downloaded to the vSmart controller. vSmart converts the policy into a format that all the SD-WAN routers in the fabric can understand, and it automatically implements the policy on all SD-WAN routers without the need to rely on a CLI. The vSmart controller also works in conjunction with the vBond orchestrator to authenticate the devices as they join the network and to orchestrate connectivity between the SD-WAN routers.

54
Q

T/F: Cisco SD-WAN routers are available as hardware, software, cloud, or virtualized routers.

A

True.

Cisco SD-WAN routers deliver the essential WAN, security, and multicloud capabilities of the Cisco SD-WAN solution, and they are available as hardware, software, cloud, or virtualized routers that sit at the perimeter of a site, such as a remote office, branch office, campus, or data center.

55
Q

What are the two different SD-WAN router options available for the Cisco SD-WAN solution?

A

There are two different SD-WAN router options available for the Cisco SD-WAN solution:

  1. vEdge: The original Viptela platforms running Viptela software.
  2. cEdge: Viptela software integrated with Cisco IOS-XE. This is supported on CSR, ISR, ASR1K, ENCS, and the cloud-enabled CSRv and ISRv platforms.
56
Q

What part of Cisco SD-WAN authenticates the vSmart controllers and the SD-WAN routers?

A

The vBond orchestrator authenticates the vSmart controllers and the SD-WAN routers and orchestrates connectivity between them.

It is the only device that must have a public IP address so that all SD-WAN devices in the network can connect to it.

A vBond orchestrator is an SD-WAN router that only performs vBond orchestrator functions.

57
Q

Explain the functions of the major components of the vBond orchestrator.

  1. Control plane connection:
  2. NAT traversal:
  3. Load balancing:
A

The major components of the vBond orchestrator are:

  1. Control plane connection: Each vBond orchestrator has a permanent control plane connection over a DTLS tunnel with each vSmart controller. In addition, the vBond orchestrator uses DTLS connections to communicate with SD-WAN routers when they come online, to authenticate them and to facilitate their ability to join the network. Basic authentication of an SD-WAN router is done using certificates and RSA cryptography.
  2. NAT traversal: The vBond orchestrator facilitates the initial orchestration between SD-WAN routers and vSmart controllers when one or both of them are behind NAT devices. Standard peer-to-peer techniques are used to facilitate this orchestration.
  3. Load balancing: In a domain with multiple vSmart controllers, the vBond orchestrator automatically performs load balancing of SD-WAN routers across the vSmart controllers when routers come online.
58
Q

What is the only device in SD-WAN that needs an external IP?

A

The vBond orchestrator authenticates the vSmart controllers and the SD-WAN routers and orchestrates connectivity between them. It is the only device that must have a public IP address so that all SD-WAN devices in the network can connect to it.

59
Q

Basic authentication of an SD-WAN router is done using _________ and __________.

A

Basic authentication of an SD-WAN router is done using certificates and RSA cryptography.

60
Q

What is OnRamp?

A

The Cisco SD-WAN solution includes a set of functionalities addressing optimal cloud SaaS application access and IaaS connectivity, called Cloud OnRamp. Cloud OnRamp delivers the best application quality of experience (QoE) for SaaS applications by continuously monitoring SaaS performance across diverse paths and selecting the best-performing path based on performance metrics (jitter, loss, and delay). In addition, it simplifies hybrid cloud and multicloud IaaS connectivity by extending the SD-WAN fabric to the public cloud while at the same time increasing high availability and scale.

61
Q

What is BFD?

A

Bidirectional Forwarding Detection (BFD) is a network protocol that is used to detect faults between two forwarding engines connected by a link. It provides low-overhead detection of faults even on physical media that doesn’t support failure detection of any kind, such as Ethernet, virtual circuits, tunnels and MPLS Label Switched Paths.

Bidirectional Forwarding Detection (BFD) runs through the DTLS session between the remote site and the regional hub. For SD-WAN, it is leveraged to detect path liveliness (up/down) and measure quality (loss/latency/jitter and IPsec tunnel MTU).

62
Q

What is vQoE?

A

The quality of cloud SaaS application connection is quantified as a Viptela Quality of Experience (vQoE) score on a scale of 0 to 10, with 0 being the worst quality and 10 being the best. vQoE can be observed in the vManage GUI.