Ch 23: Fabric Technologies Flashcards
What is the main reason SD-Access uses VXLAN data encapsulation instead of LISP data encapsulation?
- VXLAN supports IPv6.
- VXLAN supports Layer 2 networks.
- VXLAN has a much smaller header.
- VXLAN has a better ring to it.
2.
Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header, and this allows SD-Access to support Layer 2 and Layer 3 overlays.
T/F: The VXLAN header used for SD-Access is exactly the same as the original VXLAN header.
False.
The original VXLAN specification was enhanced for SD-Access to support Cisco TrustSec Scalable Group Tags (SGTs). This was accomplished by adding new fields to the first 4 bytes of the VXLAN header in order to transport up to 64,000 SGTs (the identifier is a 16-bit field). The new VXLAN format is called VXLAN Group Policy Option (GPO), and it is defined in the IETF draft draft-smith-vxlan-group-policy-05.
Which is the control plane used by SD-Access?
- LISP control plane
- EVPN MP-BGP
- Multicast
- VXLAN control plane
What operates at these layers:
- Data plane = ?
- Policy plane = ?
- Management plane = ?
1.
The SD-Access fabric control plane is based on Locator/ID Separation Protocol (LISP).
(Data plane = VXLAN)
(Policy plane = TrustSec)
(Management plane = Cisco DNA Center)
Which field was added to the VXLAN header to allow it to carry SGT tags?
- Group Policy ID
- Scalable Group ID
- Group Based Tag
- Group Based Policy
1.
The VXLAN-GPO specification includes a 16-bit identifier that is used to carry the SGT tag called the Group Policy ID.
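The two header cards above describe the VXLAN-GPO layout in words; the following added example (not from the book or from Cisco) encodes and decodes that header with Python's struct module, following the bit positions in draft-smith-vxlan-group-policy (G bit at bit 0, I at bit 4, D at bit 9, A at bit 12, followed by the 16-bit Group Policy ID, then the 24-bit VNI). It also shows the egress check an edge node performs with the SGT it receives. The SGACL matrix, MAC addresses, VNI and SGT values are constructed sample data, and the function names are this example's own.

```python
"""VXLAN-GPO header encode/decode and the egress SGT policy check.

Added example, not Cisco code. Header layout follows draft-smith-vxlan-group-policy:
the 16 bits that plain VXLAN reserves after the flags carry the Group Policy ID
(the SGT), and three new flag bits (G, D, A) are defined alongside the standard
I flag. The SGACL matrix and all addresses below are constructed sample data.
"""
import struct

VXLAN_UDP_PORT = 4789  # VXLAN-GPO reuses the standard VXLAN UDP port

# Flag bits in the first 16 bits of the header (bit 0 is the most significant).
FLAG_G = 0x8000  # bit 0: Group Based Policy extension present
FLAG_I = 0x0800  # bit 4: VNI field is valid (standard VXLAN)
FLAG_D = 0x0040  # bit 9: Don't Learn the inner source MAC at the egress VTEP
FLAG_A = 0x0008  # bit 12: Policy Applied (group policy already enforced upstream)


def ethernet_frame(dst_mac, src_mac, ethertype=0x0800, payload=b""):
    """Minimal inner Ethernet frame: VXLAN carries the whole L2 frame (MAC-in-IP)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def build_vxlan_gpo(vni, sgt, inner_frame, policy_applied=False, dont_learn=False):
    """Return the 8-byte VXLAN-GPO header followed by the encapsulated frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("Group Policy ID must fit in 16 bits")
    flags = FLAG_G | FLAG_I
    if dont_learn:
        flags |= FLAG_D
    if policy_applied:
        flags |= FLAG_A
    # Word 1: flags (16) + Group Policy ID (16); word 2: VNI (24) + reserved (8).
    return struct.pack("!HHI", flags, sgt, vni << 8) + inner_frame


def parse_vxlan_gpo(payload):
    """Decode a VXLAN or VXLAN-GPO header; sgt is None when the G bit is clear."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, gpid, word2 = struct.unpack("!HHI", payload[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI is not valid")
    return {
        "vni": word2 >> 8,
        # Without the G bit these 16 bits are reserved in plain VXLAN and must be ignored.
        "sgt": gpid if flags & FLAG_G else None,
        "policy_applied": bool(flags & FLAG_A),
        "dont_learn": bool(flags & FLAG_D),
        "inner": payload[8:],
    }


# Hypothetical SGACL matrix, (source SGT, destination SGT) -> permit. Constructed.
SGACL = {
    (10, 20): True,   # Employees -> Printers
    (10, 30): False,  # Employees -> Servers
    (40, 30): True,   # IT_Admins -> Servers
}
SGACL_DEFAULT_PERMIT = True  # assumed default cell: permit; set False to default-deny


def egress_policy(decoded, dst_sgt, local_vni):
    """Decision at the destination edge node.

    The source SGT arrives in the header; the destination SGT comes from the
    egress node's own binding for the local endpoint, so the matrix is evaluated
    where the destination is known. Trusting the A bit is only safe because
    VXLAN-GPO is exchanged between fabric nodes over a trusted underlay: anything
    that can inject UDP/4789 into the underlay could forge both the SGT and A bit.
    """
    if decoded["vni"] != local_vni:
        return "drop: VNI mismatch, cross-VN traffic must transit a border/firewall"
    if decoded["sgt"] is None:
        return "drop: no Group Policy ID present"
    if decoded["policy_applied"]:
        return "permit: A bit set, policy enforced upstream"
    if SGACL.get((decoded["sgt"], dst_sgt), SGACL_DEFAULT_PERMIT):
        return "permit: SGACL"
    return "drop: SGACL deny"


if __name__ == "__main__":
    frame = ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", payload=b"\x45" + b"\x00" * 19)
    pkt = build_vxlan_gpo(vni=8188, sgt=10, inner_frame=frame)
    print(pkt[:8].hex())
    d = parse_vxlan_gpo(pkt)
    print(d["vni"], d["sgt"], egress_policy(d, dst_sgt=30, local_vni=8188))
```

The parse step treats the 16 bits after the flags as an SGT only when the G bit is set; a plain VXLAN sender leaves both the bit and the field zero, which is why a fabric edge cannot silently apply group policy to untagged traffic. The VNI check before the SGACL lookup reflects that the VN (VRF) boundary is the first segmentation layer and the SGT matrix the second.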
Which types of network environments was SD-Access designed for?
- Data center
- Internet
- Enterprise campus and branch
- Service provider
- WAN
- Private cloud
3.
Cisco SD-Access was designed for enterprise campus and branch network environments and not for other types of network environments, such as data center, service provider, and WAN environments.
Which of the following components are part of the SD-Access fabric architecture? (Choose all that apply.)
- WLCs
- Cisco routers
- Cisco firewalls
- Cisco switches
- Access points
- Cisco ISE
- Cisco DNA Center
- Intrusion prevention systems
1, 2, 4, 5, 6, and 7. The SD-Access architecture includes the following components:
- Cisco switches: Provide wired (LAN) access to the fabric. Multiple types of Cisco Catalyst switches are supported, as well as Nexus (NX-OS) switches.
- Cisco routers: Provide WAN and branch access to the fabric. Multiple types of Cisco ASR 1000, ISR, and CSR routers, including the CSRv and ISRv cloud routers, are supported.
- Cisco wireless: Cisco WLCs and APs provide wireless (WLAN) access to the fabric.
- Cisco controller appliances: There are only two types of appliances to consider: Cisco DNA Center and Cisco ISE. Cisco ISE supports both VM and physical appliance deployment models.
What are the main components of the Cisco SD-WAN solution? (Choose four.)
- vManage network management system (NMS)
- vSmart controller
- SD-WAN routers
- vBond orchestrator
- vAnalytics
- Cisco ISE
- Cisco DNA Center
1, 2, 3, and 4.
The Cisco SD-WAN solution is composed of four main components and an optional analytics service:
- vManage network management system (NMS)
- vSmart controller
- SD-WAN routers
- vBond orchestrator
- vAnalytics (optional)
T/F: The vSmart controller establishes permanent UDP connections to all SD-WAN routers in the SD-WAN fabric.
False.
The vSmart controller establishes permanent and secure Datagram Transport Layer Security (DTLS) connections to all SD-WAN routers in the SD-WAN fabric and runs a proprietary routing protocol called Overlay Management Protocol (OMP) over each of the DTLS tunnels. Note that DTLS itself is carried over UDP; the point of the card is that the control connections are authenticated and encrypted DTLS sessions, not plain UDP.
T/F: SD-WAN only works over the Internet or MPLS networks.
False.
SD-WAN is transport agnostic and can use any type of IP-based underlay transport networks, such as the Internet, satellite, dedicated circuits, 3G/4G LTE, and MPLS.
Which of the following is the single pane of glass for the SD-WAN solution?
- DNA Center
- vBond
- vManage
- vSmart
3.
vManage is the single pane of glass for the SD-WAN solution.
Which of the following is the main function of the vBond orchestrator?
- To authenticate the vManage NMS and the SD-WAN routers and orchestrate connectivity between them
- To authenticate the vSmart controllers and the SD-WAN routers and orchestrate connectivity between them
- To authenticate the vSmart controllers and the vManage NMS and orchestrate connectivity between them
2.
The main function of the vBond orchestrator is to authenticate the vSmart controllers and the SD-WAN routers and orchestrate connectivity between them.
Controllers <-> vBond Orchestrator <-> Routers
What is Cisco DNA and SD-Access?
Cisco Digital Network Architecture (Cisco DNA): Cisco DNA is the solution for the future of intent-based networking in Cisco enterprise networks.
Cisco SD-Access fabric is one of the main components and provides
- policy-based network segmentation
- host mobility for wired and wireless hosts
- enhanced security
- other benefits in a fully automated fashion
Cisco SD-Access was designed for enterprise campus and branch network environments and not for other types of network environments, such as data center, service provider, and WAN environments.
What is SD-WAN?
The Cisco SD-WAN fabric is a cloud-based WAN solution for enterprise and data center networks that was developed to address all the new WAN requirements.
Traditional WANs are typically designed using MPLS or other overlay solutions, such as Dynamic Multipoint Virtual Private Network (DMVPN) or Intelligent WAN (IWAN) to provide connectivity between different campus and branch sites.
However, with the rise of software as a service (SaaS) cloud applications such as Microsoft Office 365 and Salesforce.com, and public infrastructure as a service (IaaS) cloud services from Amazon Web Services (AWS), Google Compute Engine (GCE), and Microsoft Azure, traffic patterns are changing so that the majority of enterprise traffic flows to public clouds and the Internet.
Such changes are creating new requirements for security, application performance, cloud connectivity, WAN management, and operations that traditional WAN solutions were not designed to address.
What are the two main components of SD-Access?
SD-Access has two main components: the campus fabric and Cisco DNA Center.
- Campus fabric: A Cisco-validated fabric overlay solution that includes all of the features and protocols (control plane, data plane, management plane, and policy plane) to operate the network infrastructure. When the campus fabric is managed using the command-line interface (CLI) or an application programming interface (API) using Network Configuration Protocol (NETCONF)/YANG, the solution is considered to be a campus fabric solution.
- Cisco DNA Center: The management plane and automation platform for the fabric. When the campus fabric is managed via Cisco DNA Center, the solution is considered to be SD-Access, as illustrated in Figure 23-1.
What is an SD-Access extension node?
Cisco access layer switches that do not actively participate in the SD-Access fabric but that are part of it because of automation are referred to as SD-Access extension nodes.
The following are the physical layer devices of the SD-Access fabric:
- Cisco switches: Switches provide wired (LAN) access to the fabric. Multiple types of Cisco Catalyst switches are supported, as well as Nexus switches.
- Cisco routers: Routers provide WAN and branch access to the fabric. Multiple types of Cisco ASR 1000, ISR, and CSR routers, including the CSRv and ISRv cloud routers, are supported.
- Cisco wireless: Cisco WLCs and APs provide wireless (WLAN) access to the fabric.
- Cisco controller appliances: Cisco DNA Center and Cisco ISE are the two controller appliances required.
The network layer consists of the __________ network and the ________ network.
The network layer consists of the underlay network and the overlay network. These two sub-layers work together to deliver data packets to and from the network devices participating in SD-Access. All this network layer information is made available to the controller layer.
The network underlay is the underlying physical layer, and its sole purpose is to transport data packets between network devices for the SD-Access fabric overlay.
What is the recommended network underlay design? At what layer and which protocols are recommended?
The underlay network for SD-Access should be configured to ensure performance, scalability, and high availability because any problems with the underlay can affect the operation of the fabric overlay.
While it is possible to use a Layer 2 network underlay design running Spanning Tree Protocol (STP), it is not recommended.
The recommended design for the network underlay is to use a Layer 3 routed access campus design using IS-IS as the IGP. IS-IS offers operational advantages such as neighbor establishment without IP dependencies, peering capability using loopback addresses, and agnostic treatment of IPv4, IPv6, and non-IP traffic.
Define the two models of underlay that are supported:
- Manual underlay
- Automated underlay
Manual underlay: This type of underlay network is configured and managed manually (such as with a CLI or an API) rather than through Cisco DNA Center. An advantage of the manual underlay is that it allows customization of the network to fit any special design requirements (such as changing the IGP to OSPF); in addition, it allows SD-Access to run on the top of a legacy (or third-party) IP-based network.
Automated underlay: In a fully automated network underlay, all aspects of the underlay network are configured and managed by the Cisco DNA Center LAN Automation feature. The LAN Automation feature creates an IS-IS routed access campus design and uses the Cisco Network Plug and Play features to deploy both unicast and multicast routing configuration in the underlay to improve traffic delivery efficiency for SD-Access. An automated underlay eliminates misconfigurations and reduces the complexity of the network underlay. It also greatly simplifies and speeds the building of the network underlay. A downside to an automated underlay is that it does not allow manual customization for special design requirements.
What is the SD-Access fabric?
The SD-Access fabric is the overlay network, and it provides policy-based network segmentation, host mobility for wired and wireless hosts, and enhanced security beyond the normal switching and routing capabilities of a traditional network.
In SD-Access, the fabric overlay is fully automated, regardless of the underlay network model used (manual or automated). It includes all necessary overlay control plane protocols and addressing, as well as all global configurations associated with operation of the SD-Access fabric.
T/F: An overlay network that is managed via a CLI or API using NETCONF/YANG is considered to be a campus fabric solution and not SD-Access.
True.
It is also possible to manually configure the overlay network without using DNA Center; however, when the overlay network is managed via the CLI or API using NETCONF/YANG, the solution is considered to be a campus fabric solution and not SD-Access.
What are three basic planes of operation in the SD-Access fabric?
There are three basic planes of operation in the SD-Access fabric:
- Control plane: based on Locator/ID Separation Protocol (LISP)
- Data plane: based on Virtual Extensible LAN (VXLAN)
- Policy plane: based on Cisco TrustSec
What is the SD-Access Control Plane?
The SD-Access fabric control plane is based on Locator/ID Separation Protocol (LISP). LISP is an IETF protocol originally defined in RFC 6830 (since revised as RFC 9300 and RFC 9301) that is based on a simple endpoint ID (EID) to routing locator (RLOC) mapping system to separate the identity (endpoint IP address) from its current location (network edge/border router IP address).
LISP dramatically simplifies traditional routing environments by eliminating the need for each router to process every possible IP destination address and route. It does this by moving remote destination information to a centralized mapping database called the LISP map server (MS) (a control plane node in SD-Access), which allows each router to manage only its local routes and query the map system to locate destination EIDs.
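To make the map-server behaviour described above concrete, here is an added example (not from the book or from Cisco) that models the mapping system in Python: edge nodes register the EIDs of their attached hosts with a central map server, resolve remote EIDs on demand into a local map cache, receive a negative reply for destinations the fabric does not know (which are handed to the border node), and have stale cache entries invalidated when a host roams. The instance IDs, RLOCs, EIDs, class names and the invalidation callback are constructed and simplified for illustration; real LISP uses Solicit-Map-Request messages and, in SD-Access, pub/sub notifications for that last step.

```python
"""Toy model of the LISP mapping system that SD-Access uses as its control plane.

Added example, not Cisco code. Edge nodes register their attached endpoints'
EIDs with the map server (acting as ETRs) and resolve remote EIDs on demand
(acting as ITRs) instead of carrying every route. Instance IDs, addresses and
the invalidation mechanism are constructed/simplified for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Key = Tuple[int, str]  # (LISP instance ID, i.e. the VN/VRF; endpoint EID)


@dataclass
class MapServer:
    """Control plane node: the central EID-to-RLOC mapping database."""
    db: Dict[Key, str] = field(default_factory=dict)
    # ITRs that cached each mapping, so stale caches can be invalidated on a move.
    subscribers: Dict[Key, Set["EdgeNode"]] = field(default_factory=dict)

    def map_register(self, iid: int, eid: str, rloc: str) -> None:
        key = (iid, eid)
        old = self.db.get(key)
        self.db[key] = rloc
        if old is not None and old != rloc:
            # Host mobility: the same EID now sits behind a different RLOC.
            # Simplified stand-in for LISP SMR / Cisco pub-sub notifications.
            for itr in self.subscribers.get(key, set()):
                itr.invalidate(key)

    def map_request(self, iid: int, eid: str, itr: "EdgeNode") -> Optional[str]:
        key = (iid, eid)
        rloc = self.db.get(key)
        if rloc is not None:
            self.subscribers.setdefault(key, set()).add(itr)
        return rloc  # None models a negative map-reply (EID unknown to the fabric)


@dataclass(eq=False)  # identity-based hashing so nodes can sit in a set
class EdgeNode:
    """Fabric edge: ETR for local hosts, ITR for traffic to remote EIDs."""
    name: str
    rloc: str
    ms: MapServer
    border_rloc: str  # proxy ETR for destinations outside the fabric
    map_cache: Dict[Key, str] = field(default_factory=dict)
    lookups: int = 0  # how often the node had to ask the map server

    def attach_host(self, iid: int, eid: str) -> None:
        self.ms.map_register(iid, eid, self.rloc)

    def invalidate(self, key: Key) -> None:
        self.map_cache.pop(key, None)

    def next_hop_rloc(self, iid: int, dst_eid: str) -> str:
        """Return the RLOC the fabric data plane would encapsulate towards."""
        key = (iid, dst_eid)
        if key not in self.map_cache:
            self.lookups += 1
            rloc = self.ms.map_request(iid, dst_eid, self)
            if rloc is None:
                return self.border_rloc  # negative reply: hand off to the border
            self.map_cache[key] = rloc
        return self.map_cache[key]


def demo() -> Tuple[str, str, str, str, int]:
    ms = MapServer()
    border = "10.0.0.254"
    edge_a = EdgeNode("edge-A", "10.0.0.1", ms, border)
    edge_b = EdgeNode("edge-B", "10.0.0.2", ms, border)
    edge_c = EdgeNode("edge-C", "10.0.0.3", ms, border)
    edge_b.attach_host(4099, "192.168.10.20")
    first = edge_a.next_hop_rloc(4099, "192.168.10.20")   # resolved via map server
    second = edge_a.next_hop_rloc(4099, "192.168.10.20")  # served from map cache
    edge_c.attach_host(4099, "192.168.10.20")             # host roams to edge-C
    third = edge_a.next_hop_rloc(4099, "192.168.10.20")   # cache invalidated, re-resolved
    outside = edge_a.next_hop_rloc(4099, "198.51.100.7")  # not an EID: negative reply
    return first, second, third, outside, edge_a.lookups


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: edge-A never learns the whole fabric's endpoint table, only the three mappings it actually asked for, and host mobility is handled entirely in the mapping system rather than by re-advertising routes. The model omits the authentication data that a real Map-Register carries (an HMAC keyed with a secret shared between the edge and the map server), so in this toy any node could register someone else's EID and hijack its traffic; that key, and restricting which RLOCs may register, is what protects the mapping system in a real deployment.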
The tunneling technology used for the fabric data plane is based on ___________________.
The tunneling technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN).
VXLAN encapsulation is IP/UDP based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric. Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not.
Using VXLAN allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) and the ability to operate over any IP-based network with built-in network segmentation (VRF instance/VN) and built-in group-based policy. The differences between the LISP and VXLAN packet formats are illustrated in Figure 23-4.
VXLAN encapsulation is ____ / ____ based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric.
VXLAN encapsulation is IP/UDP based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric.