Chapter 10 - SD-Access Design Flashcards

1
Q

Which of the following is not a key benefit of SD-Access?

  1. Compatibility
  2. Automation
  3. Policy
  4. Assurance
A

A.

Automation, policy, and assurance are key benefits of SD-Access; compatibility is not.

2
Q

What are the main components of SD-Access architecture? (Choose two.)

  1. SD-Access fabric
  2. Redundancy
  3. Cisco DNA Center
  4. Modularity
A

A and C.

The SD-Access fabric and Cisco DNA Center are two main components of SD-Access architecture.

3
Q

Which of the following describes the logical mapping and resolution of the endpoint ID to its location in the SD-Access control plane?

  1. VXLAN
  2. SGT
  3. Scalable groups
  4. LISP
A

D.

The two main things that LISP keeps track of are the routing locator (RLOC) or router location and the endpoint identifier (EID), which is the IP address or MAC address.

4
Q

How does Cisco DNA Center make changes on Cisco ISE?

  1. LISP
  2. pxGRID
  3. REST API
  4. VXLAN
A

C.

Cisco ISE is tightly integrated with DNA Center through REST APIs to provide the SGT information needed to enforce policy.

5
Q

Which wireless integration with SD-Access uses CAPWAP for both the control plane and the data plane?

  1. Fabric wireless
  2. Over-the-top
  3. Local mode
  4. FlexConnect
A

B.

With the over-the-top (OTT) method of wireless integration with the SD-Access fabric, the control plane and data plane traffic from the APs use CAPWAP-based tunnels.

6
Q

Which of the following segmentation options uses SGTs to manage group-based policies between groups of endpoints within a VN?

  1. Microsegmentation
  2. pxGRID
  3. Local mode
  4. Macrosegmentation
A

A.

Microsegmentation enables data plane isolation and provides a simple way to manage group-based policies between groups of endpoints within a VN.

7
Q

Which of the following best describes a medium site with many wiring closets or multiple buildings?

  1. 10,000 endpoints and 32 VNs
  2. 50,000 endpoints and 64 VNs
  3. 75,000 endpoints and 96 VNs
  4. 25,000 endpoints and 64 VNs
A

D.

Medium sites can support up to 25,000 endpoints and up to 64 VNs.

8
Q

Which of the following multicast protocols is used for RP redundancy in SD-Access?

  1. SSM
  2. IGMP
  3. VXLAN
  4. MSDP
A

D.

Multicast Source Discovery Protocol (MSDP) can be used for RP redundancy.

Multicast Source Discovery Protocol (MSDP), as the name implies, is a protocol for exchanging the sources of multicast senders (the S from the (S,G) pair entry) between rendezvous points (RPs).

9
Q

How many VNI segments are possible with VXLAN?

  1. 16 million
  2. 8092
  3. 8 million
  4. 4092
A

A.

There are 16 million VNI segments possible with VXLAN.

10
Q

What device fuses the SD-Access VNs into the GRT of the external network?

  1. Border node
  2. DNA Center
  3. Core switch
  4. Fusion router
A

D.

The fusion router fuses the SD-Access VNs into the organization's global routing table (GRT) of the external network.

11
Q

Which of the following multicast protocols are supported with SD-Access? (Choose two.)

  1. SSM
  2. RP
  3. PIM
  4. CAPWAP
A

A and C. SSM and PIM multicast protocols are supported with SD-Access.

12
Q

What is the preferred connectivity for WLCs? (Choose two.)

  1. Cisco DNA Center
  2. SGTs
  3. VSS
  4. Switch stacks
A

C and D.

VSS and switch stacks are the preferred connectivity for WLCs.

13
Q

Which of the following best describes the limits for a very small site for SD-Access?

  1. 2000 endpoints and 8 VNs
  2. 3000 endpoints and 12 VNs
  3. 1000 endpoints and 4 VNs
  4. 4000 endpoints and 16 VNs
A

A. A very small site in SD-Access supports up to 2000 endpoints and 8 VNs.

14
Q

Which of the following gives you contextual insights for quick issue resolution and capacity planning?

  1. Integration
  2. Assurance
  3. Policy
  4. Automation
A

B. Assurance provides contextual insights for quick issue resolution and capacity planning.

15
Q

Which of the following is not an example of a technology that is used to create overlay networks?

  1. OSPF
  2. MPLS
  3. GRE
  4. DMVPN
A

A. OSPF is not a technology used to create overlay networks.

16
Q

What is used for endpoints in different VNs to communicate with each other?

  1. VXLAN
  2. SGTs
  3. VRFs
  4. Fusion router
A

D. A Fusion router is used to allow endpoints in different VNs to communicate with each other.

17
Q

Which VRF instance do fabric mode APs use? (Hint: It is the same VRF instance that is used for the underlay in the SD-Access fabric.)

  1. INFRA
  2. MGMT
  3. SGT
  4. GRE
A

A. Fabric mode APs use the INFRA VRF instance.

18
Q

Edge and border nodes get _________ downloaded from ISE to enforce policy based on SGTs.

  1. scalable groups
  2. VNs
  3. VRF instances
  4. SGACLs
A

D. Edge and border nodes get SGACLs downloaded from ISE to enforce policy based on SGTs.

19
Q

What SD-Access site size supports up to 10,000 endpoints, 32 VNs, and up to 200 APs?

  1. Very small site
  2. Small site
  3. Medium site
  4. Large site
A

B. A small site in SD-Access supports up to 10,000 endpoints and 32 VNs.

20
Q

Which of the following APs is supported for fabric mode wireless in SD-Access?

  1. 802.11n
  2. 802.11g
  3. 802.11ac Wave 1
  4. 802.11a
A

C. 802.11ac Wave 1 is supported for fabric mode wireless in SD-Access.

21
Q

Within the VXLAN header, how many SGTs are supported in the Group ID section?

  1. 16 million
  2. 4000
  3. 8 million
  4. 64,000
A

D. Within a VXLAN header, 64,000 SGTs are supported in the Group ID section.

22
Q

What technology is leveraged to enable SGT information to be inserted into the VXLAN headers in the data plane?

  1. GRT
  2. Cisco TrustSec
  3. ISE
  4. IPsec
A

B. Cisco TrustSec is leveraged to enable SGT information to be inserted into the VXLAN headers in the data plane.

23
Q

Which of the following best describes data plane isolation within a VN using SGTs?

  1. Microsegmentation
  2. Macrosegmentation
  3. VRFs
  4. VNs
A

A. Data plane isolation within a VN using SGTs describes microsegmentation.

24
Q

What SD-Access wireless method uses VXLAN in the data plane?

  1. Over-the-top
  2. Local mode
  3. Fabric wireless
  4. FlexConnect
A

C. Fabric wireless uses VXLAN in the data plane.

25
Q

The routing locator (RLOC) and the __________ are the two main things that LISP keeps track of.

  1. mapping database
  2. group ID (GID)
  3. global routing table (GRT)
  4. endpoint identifier (EID)
A

D. The routing locator (RLOC) and the endpoint identifier are the two main things that LISP keeps track of.

26
Q

During the integration of ISE and DNA Center, which of the following are used to establish trust through ISE?

  1. REST APIs
  2. pxGRID services
  3. Scalable groups
  4. SGACLs
A

B. The integration of ISE and DNA Center uses pxGRID services to establish trust through ISE.

With Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.

27
Q

What routing protocol does Cisco DNA Center LAN automation use to deploy underlay routing configurations?

  1. BGP
  2. RIPv2
  3. EIGRP
  4. IS-IS
A

D. Cisco DNA Center LAN automation uses IS-IS to deploy underlay routing configurations.

28
Q

Open and programmable for third-party integrated solutions best describes which key benefit of SD-Access?

  1. Integration
  2. Assurance
  3. Policy
  4. Automation
A

A. Integration is a key SD-Access benefit for open and programmable third-party integrated solutions.

29
Q

Which of the following involves a collection of physical switches and routers running a dynamic Layer 3 routing protocol used for the transport in SD-Access?

  1. Overlay
  2. LAN automation
  3. Underlay
  4. LISP
A

C. The underlay is a collection of physical switches and routers running a dynamic Layer 3 routing protocol used for the transport in SD-Access.

30
Q

Which of the following solutions can be integrated with Cisco DNA Center for IPAM? (Choose two.)

  1. Infoblox
  2. SolarWinds
  3. Microsoft DHCP
  4. BlueCat
A

A and D. Infoblox and BlueCat IPAM solutions can be integrated with Cisco DNA Center.

31
Q

Which key benefit of SD-Access can be described as automated configurations that help enable group-based security policies and network segmentation?

  1. Automation
  2. Assurance
  3. Policy
  4. Integration
A

C. Policy is a key benefit of SD-Access that can be described as automated configurations that help enable group-based security policies and network segmentation.

32
Q

Which of the following is used in the SD-Access control plane to handle the mapping and resolving of endpoint addresses?

  1. VXLAN
  2. LISP
  3. SGTs
  4. RLOCs
A

B. LISP is used in the SD-Access control plane to handle the mapping and resolving of endpoint addresses.

33
Q

Which type of routing protocols use areas and advertise information about the network topology instead of advertising the complete routing table?

  1. Distance vector
  2. Hybrid
  3. Link state
  4. Path vector
A

C. Link state routing protocols use areas and advertise information about the network topology instead of advertising the complete routing table.

34
Q

Which of the following supports AAA services, groups, policy, and endpoint profiling?

  1. ISE
  2. DNA Center
  3. Cisco TrustSec
  4. VXLAN
A

A. ISE supports AAA services, groups, policy, and endpoint profiling.

35
Q

What is the next hop after the border nodes to external networks?

  1. Edge nodes
  2. WLC
  3. Fusion routers
  4. Transit routers
A

C. Fusion routers are the next hop after the border nodes to external networks.

36
Q

Which of the following provides the logical overlay created by Virtual Extensible LAN (VXLAN) packet encapsulation along with a Group Policy Object (GPO)?

  1. Fabric data plane
  2. Fabric control plane
  3. Fabric policy plane
  4. Security policy plane
A

A. The fabric data plane provides the logical overlay created by Virtual Extensible LAN (VXLAN) packet encapsulation along with a Group Policy Object (GPO).

37
Q

Which of the following is a separate routing and forwarding instance that provides isolation for host pools?

  1. VXLAN
  2. SGT
  3. Virtual network
  4. Scalable group
A

C. A virtual network is a separate routing and forwarding instance that provides isolation for host pools.

38
Q

Which site reference model supports up to 50,000 endpoints and 64 VNs?

  1. Very small site
  2. Small site
  3. Medium site
  4. Large site
A

D. A large site in SD-Access supports up to 50,000 endpoints and 64 VNs.

39
Q

Which underlay workflow provides a hierarchical structure for the management of network settings?

  1. Device discovery
  2. LAN automation
  3. Fabric sites
  4. Global and site settings
A

D. The global and site settings underlay workflow provides a hierarchical structure for the management of network settings.

40
Q

What moves the remote destination information to a centralized map database?

  1. VXLAN
  2. LISP
  3. Fabric data plane
  4. ISE
A

B. LISP moves the remote destination information to a centralized map database.

41
Q

What benefit of SD-Access does this describe:

Contextual insights enable quick issue resolution and capacity planning.

A

Assurance.

42
Q

What is a GPO? Which plane does it exist in within SD-Access?

A

Fabric data plane: This plane provides a logical overlay created by Virtual Extensible LAN (VXLAN) packet encapsulation along with a Group Policy Object (GPO).

VXLAN with GPO provides support for both Layer 2 and Layer 3 virtual overlays and the ability to use VRF instances or virtual networks along with SGTs for secure policy.

43
Q

What is the EID? What type of address can it be?

A

Endpoint Identifier. This can be a MAC or IP address.

44
Q

Where does LISP run? Which plane in SD-Access?

A

LISP runs on a control plane node within the SD-Access fabric.

The control plane node contains the settings, protocols, and tables to provide the endpoint-to-location mapping system for the fabric overlay.

45
Q

The SD-Access fabric uses _______ encapsulation for the fabric data plane over the top of the ______ network.

A

The SD-Access fabric uses VXLAN encapsulation for the fabric data plane over the top of the underlay network.

46
Q

VXLAN encapsulations are _________ (what protocols) based, using port ______, which effectively creates the overlay within the SD-Access fabric.

A

VXLAN encapsulations are IP/UDP based, using port 4789, which effectively creates the overlay within the SD-Access fabric.

47
Q

What is a VNI in SD-Access? Hint: It is part of the VXLAN header.

A

Virtual Network Identifier.

Inside the VXLAN header is a VXLAN network identifier (VNI) that defines the virtual network that the data plane traffic is a part of.

In addition, scalable group tags (SGTs) are defined in the Group ID field of the VXLAN header as part of the group-based policy option.

48
Q

The Cisco DNA Center appliance exposes all controller functionality through ______bound REST APIs to enable automation and integration possibilities.

A

The Cisco DNA Center appliance exposes all controller functionality through northbound REST APIs to enable automation and integration possibilities.

49
Q

What is pxGrid? What does it enable SD-Access to integrate with?

A

The SD-Access solution integrates with Cisco ISE through Cisco Platform Exchange Grid (pxGrid) and REST APIs for the exchange of client information and automation of fabric-related configurations.

In addition, third-party IPAM solutions with Infoblox and BlueCat can be integrated with Cisco DNA Center. Cisco DNA Center has a set of network underlay workflows and fabric overlay workflows related to automation:

50
Q

What is "fabric mode wireless"?

A

There are two methods of integrating wireless into an SD-Access network. The preferred method, referred to as fabric mode wireless, extends the SD-Access benefits for wired users over to wireless users.

Fabric mode wireless requires fabric mode–enabled WLCs and fabric mode–enabled APs. The fabric mode APs are the latest 802.11ac Wave 2 and Wave 1 APs associated with the WLCs that are configured with fabric-enabled SSIDs.

The WLCs configured for fabric mode communicate with the fabric control plane by registering MAC addresses, SGTs, and virtual networks. APs use a CAPWAP tunnel to the WLC for the control plane communication, much like traditional Cisco Unified

51
Q

What is OTT?

A

The alternative method of connecting WAPs is over-the-top (OTT). This method uses the traditional Cisco Unified Wireless local-mode configurations for wireless access.

If you need to support older model APs, you can use the over-the-top method of wireless integration with the SD-Access fabric. When you use this method, the control plane and data plane traffic from the APs continue to use CAPWAP-based tunnels for both control and data traffic.

Fabric mode is preferred and takes advantage of the benefits of SD-Access like sending data through a VXLAN tunnel directly, bypassing the WLC.

52
Q

The integration of ISE and DNA Center is done by establishing trust through ISE ________ services and by enabling External RESTful Services (ERS) to allow policies and contracts to flow between systems.

A

The integration of ISE and DNA Center is done by establishing trust through ISE pxGRID services and by enabling External RESTful Services (ERS) to allow policies and contracts to flow between systems.

Cisco DNA Center can create SGTs and send them to Cisco ISE via REST APIs.

53
Q

Cisco ________ is a critical component of SD-Access for policy enforcement; it allows for the dynamic mapping of users and endpoints to scalable groups, thereby simplifying the end-to-end security policy in the fabric.

A

Cisco ISE is a critical component of SD-Access for policy enforcement; it allows for the dynamic mapping of users and endpoints to scalable groups, thereby simplifying the end-to-end security policy in the fabric.

54
Q

To support group-based policy end-to-end, Cisco TrustSec is leveraged to enable SGT information to be inserted into the ________ headers in the data plane traffic while also supporting multiple virtual networks (VNs).

A

To support group-based policy end-to-end, Cisco TrustSec is leveraged to enable SGT information to be inserted into the VXLAN headers in the data plane traffic while also supporting multiple virtual networks (VNs).

55
Q

DNA Center uses ____________ to communicate to ISE.

ISE uses _______ to communicate with DNA Center.

A

See attached diagram.

56
Q

What is an SGT?

How many bits is it?

Where is it carried?

What manages SGTs?

A

A scalable group tag (SGT) consists of a 16-bit value contained in the VXLAN header. SGTs are also known as security groups.

Cisco ISE manages the SGTs for a given SD-Access fabric.

Although Cisco DNA Center drives the management of the policies, Cisco ISE is tightly integrated with DNA Center through REST APIs to provide the SGT information needed to enforce policy.

57
Q

What is CTS?

A

TrustSec is a complementary enforcement technology that allows endpoint security management without the need to maintain access lists on all the network devices where the endpoints are connected.

58
Q

T/F: TrustSec assigns an SGT to a user's traffic at ingress, but it is not enforced until egress.

A

True.

The ultimate goal of TrustSec is to assign an SGT to a user’s or device’s traffic at ingress (inbound into the network) and then enforce the access elsewhere in the infrastructure.

The tag is assigned at login and enforced within the network (egress enforcement).

Each TrustSec design must have the following:

  • SGT classification: ISE is used to classify devices based on authentication/authorization policies.
  • SGT propagation: Propagation is done either inline or by using SGT Exchange Protocol (SXP).
59
Q

T/F: Fusion routers are only needed if you are leaking routes from one virtual network to another.

A

True.

Route leaking is not permitted by default. In the Service Provider world these virtual networks would represent different companies.

60
Q

The output of ________________ is the creation of a virtual network.

A

Macrosegmentation: Use macrosegmentation when you want to group many like users or devices together. The outcome of macrosegmentation is the creation of a virtual network.

Macrosegmentation provides path isolation at both the control and the data planes for a group of user traffic. To enable any inter-VN traffic communication, the use of an external firewall or fusion router is required.

61
Q

What is Microsegmentation?

A

Microsegmentation: Use microsegmentation for data plane isolation within a VN using SGTs.

This type of segmentation provides data plane isolation and provides a simple way to manage group-based policies between groups of endpoints in a VN.

62
Q

When you design SD-Access, each fabric site has its own set of ________ nodes, _______ nodes, and ________ nodes.

A

When you design SD-Access, each fabric site has its own set of control plane nodes, border nodes, and edge nodes.

63
Q

T/F: Within SD-Access, the LISP control plane assigns a VN to every endpoint.

A

True.

A virtual network (VN) is a separate VRF instance that provides isolation for host pools or IP subnets. VNs serve the same basic purpose as VRF instances in traditional networks.

Within SD-Access, the LISP control plane assigns a VN to every endpoint.

Any communication between endpoints in different VNs must go through a fusion router or firewall. VN assignment is based on the attached host pool. VNs are configured on all of the border and edge nodes in the SD-Access fabric. In addition, a default VN is used for any pools that are not assigned specific VNs.