Cisco SD-WAN Flashcards
Cisco SD-WAN benefits
Centralized network and policy management: It enables operational simplicity, resulting in reduced change control and deployment times.
Transport link independent: It enables a mix of MPLS and low-cost broadband or any combination of transports in an active-active mode, optimizing capacity and reducing bandwidth costs.
Transport-independent overlay: It extends to the data center, branch, and cloud.
Deployment flexibility: The control plane and data plane are separated.
Robust and comprehensive security: It includes strong encryption of data, end-to-end network segmentation, router and controller certificate identity with a zero-trust security model, control plane protection, application firewall, and insertion of Cisco Umbrella, firewalls, and other network services.
Seamless connectivity: It provides connectivity to a public cloud and movement of the WAN edge to the branch.
Application visibility and recognition: Application-aware policies with real-time service-level agreement (SLA) enforcement.
Dynamic optimization of SaaS applications: It results in improved application performance for users.
Rich analytics with visibility into applications and infrastructure: It enables rapid troubleshooting and helps with forecasting and analysis for effective resource planning.
vSMART Controllers
Centralized controllers, called vSmart controllers, oversee the control plane of the Cisco SD-WAN fabric, efficiently managing the provisioning, maintenance, and security for the entire Cisco SD-WAN overlay network.
Cisco vSmart controllers are a scale-out control plane function of the Cisco SD-WAN fabric.
The main characteristics of the control plane with Cisco vSmart controllers are as follows:
Facilitates fabric discovery
Disseminates control plane information between the Cisco WAN Edge routers
Distributes data plane and application-aware routing policies to the Cisco WAN Edge routers
Implements control plane policies, such as service chaining, multitopology, and multihop
Dramatically reduces control plane complexity
Highly resilient
Cisco vBond orchestrator
The Cisco vBond orchestrator automatically authenticates all other Cisco SD-WAN devices when they join the Cisco SD-WAN overlay network.
The Cisco vBond orchestrator is a multitenant element of the Cisco SD-WAN fabric. Cisco vBond is the first point of contact and performs initial authentication when devices are connecting to the organization overlay. Cisco vBond facilitates the mutual discovery of the control and management elements of the fabric by using a zero-trust certificate-based allowed-list model. Cisco vBond automatically distributes a list of Cisco vSmart controllers and the Cisco vManage system to the Cisco WAN Edge routers during the deployment process.
For situations in which the Cisco vSmart controllers, Cisco vManage system, or Cisco WAN Edge routers themselves are behind NAT, the Cisco vBond orchestrator facilitates the function of NAT traversal by allowing the learning of public (post-NAT) and private (pre-NAT) IP addresses. The discovery of public and private IP addresses allows connectivity to be established across public (internet, 4G) and private (MPLS, point-to-point) WAN transports.
The Cisco vBond orchestrator itself should reside in the public IP space or on the private IP space with 1:1 NAT so that all remote, especially internet-only, sites can reach it. When tied to the Domain Name System (DNS), this reachable vBond IP address allows for zero-touch deployment.
Cisco vBond should be highly resilient. If Cisco vBond is down, no other device can join the overlay. When deployed as an on-premises solution by the customer, it is the responsibility of the customer to provide adequate infrastructure resiliency.
Cisco vBond can run in a single or multitenant mode.
Cisco vManage network management system (NMS)
The Cisco vManage NMS provides a simple yet powerful set of graphical dashboards for monitoring network performance on all devices in the overlay network from a centralized monitoring station. The Cisco vManage NMS also provides centralized software installation, upgrade, and provisioning, whether for a single device or as a bulk operation for many devices simultaneously. Cisco vManage provides a single pane of glass for Day 0, Day 1, and Day 2 operations.
The management plane has the following characteristics:
Single pane of glass for Day 0, Day 1, and Day 2 operations
Real-time alerting
Centralized provisioning
Configuration standardization
Simplicity of deploying
Simplicity of change
Supports various programmatic application programming interfaces (APIs)
Orchestration Plane
The orchestration plane has the following characteristics:
Performs initial authentication
Orchestrates the connectivity between the management, control, and data planes
Requires a public IP address or 1:1 Network Address Translation (NAT)
Facilitates NAT traversal
Authorizes all control connections (allow list model)
Distributes a list of Cisco vSmart controllers to all Cisco WAN Edge routers
Main characteristics of the data plane with Cisco WAN Edge routers
The main characteristics of the data plane with Cisco WAN Edge routers are as follows:
Provides a secure data plane with other WAN Edge routers
Establishes a secure control plane with Cisco vSmart controllers (OMP)
Implements data plane and application-aware routing policies
Exports performance statistics
Leverages traditional routing protocols such as Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Virtual Router Redundancy Protocol (VRRP)
Supports Zero-Touch Provisioning (ZTP) and Cisco plug-and-play (PnP)
Physical and virtual form factors
The main characteristics of the programmatic APIs are as follows:
Programmatic control over all aspects of Cisco vManage administration
Secure HTTPS interface
GET, PUT, POST, DELETE methods
Authentication and authorization
Bulk API calls
Python scripting
HTTP methods
GET: Retrieve or read information.
PUT: Update an object.
POST: Create an object.
DELETE: Remove an object.
The main characteristics of Cisco vAnalytics are as follows:
A cloud-based analytics engine
Data anonymization
Optional solution element
Opt-in customer model
Analyzes fabric telemetry
Capacity projections
Service level agreement (SLA) violation trends
Utilization anomaly detection
Application quality of experience (QoE)
Carrier grading
The Cisco vAnalytics platform offers these advantages:
Visibility: Cisco vAnalytics platform provides visibility into application and network performance based on information collected from your overlay and correlated information from other networks, which provides insight into application performance and anomalous applications over a period.
Forecasting: The Cisco vAnalytics platform can help you plan for sites that may need additional bandwidth in the next three to six months.
What-If Scenarios: What-if scenarios help you identify opportunities for balancing cost, performance, and availability of networks and applications.
Recommendations: The Cisco vAnalytics platform runs machine learning algorithms to identify opportunities to fine-tune the WAN. For example, the Cisco vAnalytics platform can recommend application-aware routing policies based on historical information from your environment. In addition, the Cisco vAnalytics platform can mine data across various network service providers and recommend network service providers for a specific location.
Cisco IOS XE now supports the use of a single "universalk9" image to deploy Cisco IOS XE SD-WAN and Cisco IOS XE functionality on the following devices:
Cisco 1000 Series Aggregation Services Routers (ASRs)
Cisco Cloud Services Routers (CSRs) 1000V Series
Cisco ISR 1000 Series Integrated Services Routers
Cisco ISR 4000 Series Integrated Services Routers
Cisco 1101 Industrial Integrated Services Router
Cisco Integrated Services Virtual Router (ISRv)
This universalk9 image supports two modes
Autonomous mode (for Cisco IOS XE features) and controller mode (for Cisco SD-WAN features). The image is available in release 17.2.x and later.
Switching Between Modes
When the device mode is switched from autonomous mode to controller mode, the startup configuration and the information in NVRAM (certificates) are erased. This action is equivalent to the write erase command.
When you switch to the controller mode from the autonomous mode and switch back to the autonomous mode, the Cisco IOS XE configuration is not restored because the startup configuration is empty. You need to manually restore the configuration from the backup.
When you switch to the autonomous mode from the controller mode and switch back to the controller mode, the original configuration in the controller mode is preserved.
You can deploy the three controller types (vManage, vSmart, and vBond) according to the following models:
In a cloud managed by the Cisco CloudOps team: This is the recommended model, and controllers can be deployed in Amazon Web Services (AWS) or Microsoft Azure by the Cisco CloudOps team. Single or multiple zones are available for deployment. Most customers opt for Cisco cloud-hosted controllers due to the ease of deployment and flexibility in scaling. Cisco provisions the controllers with certificates and meets the requirements for scale and redundancy. Cisco is responsible for backups, snapshots, and disaster recovery. The customer is given access to Cisco vManage to create configuration templates and control and data policies for their devices. When you choose a cloud-based subscription for your Cisco SD-WAN controllers, Cisco deploys the Cisco SD-WAN controllers (specifically, Cisco vManage, Cisco vBond Orchestrator, and Cisco vSmart Controller) on the public cloud. Cisco then provides you with administrator access. By default, a single Cisco vManage, Cisco vBond Orchestrator, and Cisco vSmart Controller are deployed in the primary cloud region, and an extra Cisco vBond Orchestrator and Cisco vSmart Controller are deployed in the secondary or backup region.
In a managed service provider (MSP) or partner-hosted cloud: This is privately cloud-hosted or can be publicly cloud-hosted and deployed in AWS or Azure. The MSP or partner is typically responsible for provisioning the controllers and for backups and disaster recovery.
On-premises in a private cloud or data center that is owned by an organization: The customer is typically responsible for provisioning the controllers and for backups and disaster recovery. Some customers, such as financial institutions or government-based entities, may choose to run on-premises deployments mainly for security and compliance reasons.
The main features of Cisco SD-WAN Security are the following:
Enterprise firewall with application awareness: A stateful firewall with NBAR2 application detection engine to provide application visibility and granular control, capable of detecting thousands of applications.
Intrusion prevention system (IPS) and intrusion detection system (IDS): Threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits (signature violations). Note that the IPS feature works in the network intrusion detection and prevention mode.
Cisco URL Filtering: Enforces acceptable use controls to block or allow URLs based on 82 different categories or a web reputation score.
Cisco Advanced Malware Protection (AMP) for Endpoints: Cisco AMP for Endpoints uses global threat intelligence, advanced sandboxing, and real-time malware blocking to prevent breaches. It also continuously analyzes file activity across your extended network, so you can quickly detect, contain, and remove advanced malware.
DNS/Web-Layer Security: A leading security solution for malware, phishing, and unacceptable requests that blocks based on DNS requests. These DNS requests are redirected from their intended DNS server to Cisco Umbrella or to a custom DNS server.
Secure Sockets Layer (SSL)/TLS Proxy: This feature allows you to configure an edge device as a transparent SSL/TLS proxy. Such proxy devices can then decrypt incoming and outgoing TLS traffic to enable its inspection by the security policy.
Secure Internet Gateway: Secure access to the internet and SaaS is delivered as a fully automated solution by Cisco Umbrella and provides the building block for secure access service edge (SASE).