sd access ise

Question 1

over lay tunnels

Answer 1

GRE-vxlan
mpls - bgp evpn
ipsec - sd-wan
capwap -ACI
LISP - OTV

Question 2

GRE

Answer 2

VXLAN

Question 3

MPLS

Answer 3

BGP EVPN

Question 4

IPSEC

Answer 4

SD-WAN

Question 5

CAPWAP

Answer 5

ACI

Question 6

LISP

Answer 6

OTV

Question 7

diffrent fabrics are connected trhough what

Answer 7

transit controller access node TC ip based vrf lite mpls or
sd-access

Question 8

SD access roles

Answer 8

cattalyst center GUI and API for intent based automation of fabric devices

Question 9

Fabric Border Nodes

Answer 9

a fabric device that connects external L3 and l2 networks to the cisco SD-ACCESS fabric

Question 10

Edge nodes

Answer 10

A fabric device that connects wired endpoinst to the cisco SD-Aess fabric and optionally enforces microsegmentation policy

Question 11

control plane node

Answer 11

Map system that tracks endpoint to tfrabric node relatiossip

Question 12

SD access roles

Answer 12

Catalyst Center - GUI API
Fabric Border Nodes - ASBR for l2 l3
Edge Nodes - Endpoint connections
Controler Plane Node - Maps endpoint to fabric node

Question 13

Border node

Answer 13

usually the “default gateway”

Question 14

Edge node

Answer 14

Authenticate and aauthorize endpoints with ISE 801.x ISE = Radius tacas
Register endpoint IDS EID . IPV4 mac address to control plane node
Encapsulation Decapsulation.

Question 15

control plane node.

Answer 15

maintains host tracking dataabase
receibed EID reigstrations from border node and edge nodes
Performs lisp lookups endpoint and border node subscribes to CP
Basically RR .

Question 16

what is LISP

Answer 16

Location id separation protocol
routing protocol in control point of sd access
decopuples endpoint idfrom ip location .
Assigns RLOC (routing locator ) to all network devices at different locations within fabric.

Question 17

LISP example

Answer 17

ip to rloc: 1.2.3.4/32 -> en1
mac to rloc AA:BB:CC:DD -> en1
address resolution 1.2.3.4 -> AA:BB:CC:DD

if user changes destionation RLOC keeps track of endoint of user

Question 18

RLOC = endpoint EID = user

Answer 18

user does not have to know where other users physical location is (rloc) is only need to know eid ask control plane for rloc

Question 19

optional components

Answer 19

Extended node a l2 only switch extends fabcric connectivity and optionaly enforces micro segmentatoin.

Question 19

Fabric wireless controller and fabric APS

Answer 19

connects wirteslls endpoints ot the sd-access fabric

Question 20

intermediate nodes

Answer 20

moves data between fabric nodes can be one or many hops

Question 20

IS ISE required to perform micro segmentation in an SD-ACCESS fabric

Answer 20

yes

Question 21

what 2 types of virtual networks exists

Answer 21

l2 eqvivlent to vlan and l3 eqvivelent for VRF

Question 22

all endpoints which conntect to sd-access fabric have to do what

Answer 22

connect in to an virtual network

Question 23

in which virtual networks are which devices in

Answer 23

fabric devices underlay GRT
Fabric acces points extended NODES = INFRA_VN

User-defined vns optional

DEFAULT-VN default VN not deployed by bdefault.

Question 24

explain macro and micro segmentation

Answer 24

macro 2 different vn do not talk to eachtoher
micro groups inside 1 vn do not talk to eachother = security gruop tag SGt .
You can also make it so that individual devices cannot talk to eachother inside a sgt (security group tag

Question 25

what are SD-Access fabric SGT
and what do they do where are they assigned?

Answer 25

Edge Nodes and Fabric APs assign a unique Security Group Tag (SGT) to each end endpoint in concert with ISE.

Edge Nodes and Fabric APs add an SGT to the fabric encapsulation.

SGTs are used to implement IP-address-independent traffic policies.

SGTs can be extended to numerous other networking technologies e.g., Cisco Secure Firewall, Cisco SD-WAN, some third-party devices, etc.

Question 26

Catalyst scenter security groups
you edit them here

Answer 26

many different security groups for deifferent users

create vn campus_vn

then yo ucan assign security group to vn

Question 27

what ar the minium requirements of sd-access fabric route roles

Answer 27

one controll node one
one Fabric Border Nodes
one fabric edge node

Question 28

setsps of setting up a network with catalyst center

Answer 28

import devices to catalyst center
provision them to a site building 22
then you go to frabric sites and createa site
make building 22 to be a fabric site
assign created virutal networks to this fabric site to make sure they have access to the different VNenable lisp pub sub border node
add ip address pool to virtual network. and select traffic type.

Question 29

you can colocate a border node edge node control node all in one

Question 30

when using ise how is the authentication different from using cisco trustec

Answer 30

trustsec propogates sgt hop by hop every device must support it
with ise can take differnet paths.