Cisco SD-WAN Flashcards

1
Q

Cisco SD-WAN benefits

A

Centralized network and policy management: It enables operational simplicity, resulting in reduced change control and deployment times.

Transport link independent: It enables a mix of MPLS and low-cost broadband or any combination of transports in an active-active mode, optimizing capacity and reducing bandwidth costs.

Transport-independent overlay: It extends to the data center, branch, and cloud.

Deployment flexibility: The control plane and data plane are separated.

Robust and comprehensive security: It includes strong encryption of data, end-to-end network segmentation, router and controller certificate identity with a zero-trust security model, control plane protection, application firewall, and insertion of Cisco Umbrella, firewalls, and other network services.

Seamless connectivity: Connectivity to a public cloud and movement of the WAN edge to the branch.

Application visibility and recognition: Application-aware policies with real-time service-level agreement (SLA) enforcement.

Dynamic optimization of SaaS applications: It results in improved application performance for users.

Rich analytics with visibility into applications and infrastructure: It enables rapid troubleshooting and helps with forecasting and analysis for effective resource planning.
2
Q

vSMART Controllers

A

Centralized controllers, called vSmart controllers, oversee the control plane of the Cisco SD-WAN fabric, efficiently managing the provisioning, maintenance, and security for the entire Cisco SD-WAN overlay network.

Cisco vSmart controllers are a scale-out control plane function of the Cisco SD-WAN fabric.

The main characteristics of the control plane with Cisco vSmart controllers are as follows:

Facilitates fabric discovery

Disseminates control plane information between the Cisco WAN Edge routers

Distributes data plane and application-aware routing policies to the Cisco WAN Edge routers

Implements control plane policies, such as service chaining, multitopology, and multihop

Dramatically reduces control plane complexity

Highly resilient
3
Q

Cisco vBond orchestrator

A

The Cisco vBond orchestrator automatically authenticates all other Cisco SD-WAN devices when they join the Cisco SD-WAN overlay network.

The Cisco vBond orchestrator is a multitenant element of the Cisco SD-WAN fabric. Cisco vBond is the first point of contact and performs initial authentication when devices are connecting to the organization overlay. Cisco vBond facilitates the mutual discovery of the control and management elements of the fabric by using a zero-trust certificate-based allowed-list model. Cisco vBond automatically distributes a list of Cisco vSmart controllers and the Cisco vManage system to the Cisco WAN Edge routers during the deployment process.

For situations in which the Cisco vSmart controllers, Cisco vManage system, or Cisco WAN Edge routers themselves are behind NAT, the Cisco vBond orchestrator facilitates the function of NAT traversal by allowing the learning of public (post-NAT) and private (pre-NAT) IP addresses. The discovery of public and private IP addresses allows connectivity to be established across public (internet, 4G) and private (MPLS, point-to-point) WAN transports.

The Cisco vBond orchestrator itself should reside in the public IP space or on the private IP space with 1:1 NAT so that all remote, especially internet-only, sites can reach it. When tied to the Domain Name System (DNS), this reachable vBond IP address allows for zero-touch deployment.

Cisco vBond should be highly resilient. If Cisco vBond is down, no other device can join the overlay. When deployed as an on-premises solution by the customer, it is the responsibility of the customer to provide adequate infrastructure resiliency.

Cisco vBond can run in a single or multitenant mode.

4
Q

Cisco vManage network management system (NMS)

A

Cisco vManage provides a simple yet powerful set of graphical dashboards for monitoring network performance on all devices in the overlay network from a centralized monitoring station. The Cisco vManage NMS also provides centralized software installation, upgrade, and provisioning, whether for a single device or as a bulk operation for many devices simultaneously. Cisco vManage provides a single pane of glass for Day 0, Day 1, and Day 2 operations.

The management plane has the following characteristics:

Single pane of glass for Day 0, Day 1, and Day 2 operations

Real-time alerting

Centralized provisioning

Configuration standardization

Simplicity of deploying

Simplicity of change

Supports various programmatic application programming interfaces (APIs)
5
Q

Orchestration Plane

A

The orchestration plane has the following characteristics:

Performs initial authentication

Orchestrates the connectivity between the management, control, and data planes

Requires a public IP address or 1:1 Network Address Translation (NAT)

Facilitates NAT traversal

Authorizes all control connections (allow-list model)

Distributes a list of Cisco vSmart controllers to all Cisco WAN Edge routers
6
Q

main characteristics of the data plane with Cisco WAN Edge routers

A

The main characteristics of the data plane with Cisco WAN Edge routers are as follows:

Provides a secure data plane with other WAN Edge routers

Establishes a secure control plane with Cisco vSmart controllers (OMP)

Implements data plane and application-aware routing policies

Exports performance statistics

Leverages traditional routing protocols such as Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Virtual Router Redundancy Protocol (VRRP)

Supports Zero-Touch Provisioning (ZTP) and Cisco plug-and-play (PnP)

Physical and virtual form factor
7
Q

The main characteristics of the programmatic APIs are as follows:

A

Programmatic control over all aspects of Cisco vManage administration

Secure HTTPS interface

GET, PUT, POST, DELETE methods

Authentication and authorization

Bulk API calls

Python scripting
8
Q

HTTP methods

A

GET: Retrieve or read information.

PUT: Update an object.

POST: Create an object.

DELETE: Remove an object.
9
Q

The main characteristics of Cisco vAnalytics are as follows:

A

A cloud-based analytics engine

Data anonymization

Optional solution element

Opt-in customer model

Analyze fabric telemetry

Capacity projections

Service level agreement (SLA) violation trends

Utilization anomaly detection

Application quality of experience (QoE)

Carrier grading
10
Q

The Cisco vAnalytics platform offers these advantages:

A

Visibility: Cisco vAnalytics platform provides visibility into application and network performance based on information collected from your overlay and correlated information from other networks, which provides insight into application performance and anomalous applications over a period.

Forecasting: The Cisco vAnalytics platform can help you plan for sites that may need additional bandwidth in the next three to six months.

What-If Scenarios: What-if scenarios help you identify opportunities for balancing cost, performance, and availability of networks and applications.

Recommendations: The Cisco vAnalytics platform runs machine learning algorithms to identify opportunities to fine-tune the WAN. For example, the Cisco vAnalytics platform can recommend application-aware routing policies based on historical information from your environment. In addition, the Cisco vAnalytics platform can mine data across various network service providers and recommend network service providers for a specific location.
11
Q

Cisco IOS XE now supports the use of a single "universalk9" image to deploy Cisco IOS XE SD-WAN and Cisco IOS XE functionality on the following devices

A

Cisco 1000 Series Aggregation Services Routers (ASRs)

Cisco Cloud Services Routers (CSRs) 1000V Series

Cisco ISR 1000 Series Integrated Services Routers

Cisco ISR 4000 Series Integrated Services Routers

Cisco 1101 Industrial Integrated Services Router

Cisco Integrated Services Virtual Router (ISRv)
12
Q

This universalk9 image supports two modes

A

Autonomous mode (for Cisco IOS XE features) and controller mode (for Cisco SD-WAN features). The image is available in release 17.2.x and later.

13
Q

Switching Between Modes

A

When the device mode is switched from the autonomous mode to the controller mode, the startup configuration and the information in NVRAM (certificates) are erased. This action is the same as the write erase command.

When you switch to the controller mode from the autonomous mode and switch back to the autonomous mode, the Cisco IOS XE configuration is not restored because the startup configuration is empty. You need to manually restore the configuration from the backup.

When you switch to the autonomous mode from the controller mode and switch back to the controller mode, the original configuration in the controller mode is preserved.

14
Q

You can deploy the three controller types (vManage, vSmart, and vBond) according to the following models:

A

In a cloud managed by the Cisco CloudOps team: This is the recommended model, and controllers can be deployed in Amazon Web Services (AWS) or Microsoft Azure by the Cisco CloudOps team. Single or multiple zones are available for deployment. Most customers opt for Cisco cloud-hosted controllers due to the ease of deployment and flexibility in scaling. Cisco provisions the controllers with certificates and meets the requirements for scale and redundancy. Cisco is responsible for backups, snapshots, and disaster recovery. The customer is given access to Cisco vManage to create configuration templates and control and data policies for their devices. When you choose a cloud-based subscription for your Cisco SD-WAN controllers, Cisco deploys the Cisco SD-WAN controllers—specifically, Cisco vManage, Cisco vBond Orchestrator, and Cisco vSmart Controller—on the public cloud. Cisco then provides you with administrator access. By default, a single Cisco vManage, Cisco vBond Orchestrator, and Cisco vSmart Controller are deployed in the primary cloud region, and an extra Cisco vBond Orchestrator and Cisco vSmart Controller are deployed in the secondary or backup region.

In a managed service provider (MSP) or partner-hosted cloud: This is privately cloud-hosted or can be publicly cloud-hosted and deployed in AWS or Azure. The MSP or partner is typically responsible for provisioning the controllers and responsible for backups and disaster recovery.

On-premises in a private cloud or data center that is owned by an organization: The customer is typically responsible for provisioning the controllers and for backups and disaster recovery. Some customers, such as financial institutions or government-based entities, may choose to run on-premises deployments mainly for security and compliance reasons.
15
Q

The main features of Cisco SD-WAN Security are the following:

A

Enterprise firewall with application awareness: A stateful firewall with NBAR2 application detection engine to provide application visibility and granular control, capable of detecting thousands of applications.

Intrusion prevention system (IPS) and intrusion detection system (IDS): Threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits (signature violations). Note that the IPS feature works in the network intrusion detection and prevention mode.

Cisco URL Filtering: Enforces acceptable use controls to block or allow URLs based on 82 different categories or a web reputation score.

Cisco Advanced Malware Protection (AMP) for Endpoints: Cisco AMP for Endpoints uses global threat intelligence, advanced sandboxing, and real-time malware blocking to prevent breaches. It also continuously analyzes file activity across your extended network, so you can quickly detect, contain, and remove advanced malware.

DNS/Web-Layer Security: A leading security solution for malware, phishing, and unacceptable requests by blocking based on DNS requests. These DNS requests are redirected from their intended DNS server to Cisco Umbrella or to a custom DNS server.

Secure Sockets Layer (SSL)/TLS Proxy: This feature allows you to configure an edge device as a transparent SSL/TLS proxy. Such proxy devices can then decrypt incoming and outgoing TLS traffic so that it can be inspected by the security policy.

Secure Internet Gateway: Secure access to the internet and SaaS is delivered as a fully automated solution by Cisco Umbrella and lays the building block for secure access service edge (SASE).