SD-Access Flashcards

1
Q

What are the two main networks that the Cisco SD-Access Fabric consists of?

A

1) Underlay network – the physical topology for L2 and L3 connectivity, which can use any routing protocol.

2) Overlay network - runs on top of the overlay to create a virtualized network (a logical topology).

2
Q

What is the role of an underlay network?

A

Establish physical connectivity from one edge device to another.

3
Q

What is the role of the overlay network?

A

To create the logical topology on top of the underlay network, using encapsulation technology (e.g. GRE or IPsec).

4
Q

What are some requirements and considerations when migrating an existing network to Cisco SD-Access?

A

1) There should be IP reachability within the network
2) Switches in the overlay are designated and configured as edge and border nodes
3) Ensure that there is connectivity between the devices in the underlay network
4) Recommended to use IS-IS as the routing protocol (easiest to automate using Cisco DNA Center, and does not have an IP address dependency for neighbors)

5
Q

What are some advantages of using IS-IS with Cisco SD-Access in the underlay network?

A

1) Able to establish neighbors without IP dependencies
2) Can peer using loopback address
3) Agnostic treatment of IPv4, IPv6, and non-IP

6
Q

What does Cisco SD-Access use to configure the overlay network for fabric data plane encapsulation?

A

VXLAN, which encapsulates complete L2 frames for transport in the underlay. Overlay networks are identified by the VXLAN network identifier (VNI), and VXLAN also carries the scalable group tags (SGTs).

7
Q

What Cisco technology is the Cisco SD-Access fabric policy plane based on?

A

Cisco TrustSec

8
Q

With Cisco TrustSec, what is used to enforce access policies for users, applications, and devices?

A

A classification group (scalable group or SGT)

9
Q

Cisco TrustSec and scalable group tags classify traffic according to…?

A

The contextual identity of the endpoint instead of the IP address

10
Q

When is an SGT usually assigned to a user or device? When is it enforced?

A

Assigned at the ingress (inbound into the network). Enforced elsewhere in the infrastructure (e.g. a data center). Switches, routers, and firewalls use the SGT to make forwarding decisions.

11
Q

What is driven by Cisco Identity Services Engine (ISE), and what orchestrates this?

A

ISE drives:
1) AAA services, groups, policy, endpoint profiling

These are orchestrated by Cisco DNA Center’s policy authoring workflows.

12
Q

What two technologies allow ISE and DNA Center to integrate?

A

Cisco Platform Exchange Grid (pxGrid) and REST APIs

13
Q

What is the minimum recommended number of ISE nodes for redundancy?

A

2

14
Q

What component of ISE do Cisco SD-Access fabric edge node switches send authentication requests to?

A

The Policy Services Node (PSN) persona running on ISE

15
Q

In Cisco SD-Access, what is the role of the control plane node?

A

Acts as the LISP map server/map resolver (MS/MR) that manages EID to device relationships

16
Q

In Cisco SD-Access, what is the role of the border node?

A

Fabric device (like a core switch) that connects external L3 networks to the Cisco SD-Access fabric. Also:

1) Uses BGP to advertise EID prefixes outside the fabric. Traffic going to its EID prefixes goes through this node.
2) Acts as the gateway of last resort for fabric edge nodes
3) Can extend network virtualization from inside the fabric to outside the fabric by using external VRF instances to preserve the virtualization
4) Maps SGT information from within the fabric to be appropriately maintained when it exits the fabric

17
Q

In Cisco SD-Access, what is the role of the edge node?

A

Fabric device (access or distribution) that connects wired endpoints to the Cisco SD-Access fabric. Also does the following:

1) Registers endpoints to the control plane
2) Assigns a user/device to an SGT
3) Queries the MR to determine the RLOC(s) associated with destination EIDs
4) Uses the RLOC associated with the destination IP to encapsulate traffic with VXLAN headers. Also decapsulates VXLAN traffic.

18
Q

In Cisco SD-Access, what is the role of the fabric wireless controller?

A

A fabric-enabled WLC

19
Q

In Cisco SD-Access, what is the role of the fabric mode AP?

A

A fabric-enabled AP

20
Q

In Cisco SD-Access, what is the role of the intermediate node?

A

Any underlay device

21
Q

What is a fusion router?

A

A router that is aware of the prefixes available inside each VPN instance (from static routing or route peering)

22
Q

What does a fusion router do generically? How about its role in SD-Access?

A

Generically, a fusion router is designed to route traffic between separate VRF instances, or to route traffic to/from a VRF instance to a shared pool of resources (e.g. DHCP, DNS).

In SD-Access, a fusion router only provides access to shared services for the endpoints in the fabric