SD-WAN, SDA, Fabric Flashcards
SD-WAN, SD-Access, ACI
Why type of Tunnels does SD-WAN leverage?
IPSec
What is the name of the device where SD-WAN Policy is defined?
The Controller
What are the 4 main components of Cisco SD-WAN and what are their functions?
vManage - GUI and API VM used to configure and manage SD-WAN
vSmart - the controller that pushes the policy and acts as the data plane for the SD-WAN
vEdge / cEdge - These are the SD-WAN Edge Routers
vBond - the out of band orchestrator
What is cEdge and how is it different from vEdge?
cEdge is a Cisco ISR router running Viptella firmware. The main difference is that cEdge supports advanced security features that vEdge does not.
What features does cEdge have that vEdge does not?
- Cisco AMP and Threat Grid
- Enterprise Firewall
- Cisco Umbrella DNS
- URL Filtering
- Snort IPS
What are the three main features of vBond?
- Control Plane Connection - permanent control plane connection to each vSmart controller
- NAT Traversal
- Load Balancing - load balances routers to vSmart controllers when more than one exist in a domain
What are the benefits of SD-WAN?
- Lower Costs and Reduce Risks with simple WAN automation and Orchestration
- Extend Enterprise networks seamlessly into the public cloud
- Provide optimal user experience for SaaS applications
- Leverage a transport-independent WAN for lower cost and higher diversity. This means the underlay network can be any type of IP-based network, such as the Internet, MPLS, 3G/4G LTE, satellite, or dedicated circuits.
- Enhance application visibility and use that visibility to improve performance with intelligent path control to meet SLAs for business-critical and real-time applications.
- Provide end-to-end WAN traffic segmentation
What are some limitations of Cisco SD-WAN?
- Base SD-WAN license only allows for a Hub-and-Spoke topology
- If there are two vManage, they must be Active/Passive
- vAnalytics feature requires an additional license
- vBond must have a public IP address (or NAT’d private)
- Some ISR/ASR modules may not be compatible with cEdge
- Deep Packet Inspection (DPI) requires additional licensing
What are the four different SD-WAN traffic forwarding options when configuring a policy?
- Active/Active: Load Balanced
- Active/Active Weighted: Load balanced based on bandwidth
- Active/Standby Pinning: Application traffic has a preferred route unless it is down
- Application Aware SLA: application traffic chooses a route based on network metrics such as loss and jitter
In SD-WAN, what is OMP?
Overlay Management Protocol - this is the control plane information and controller policies that is sent from vSmart to the vEdge. Sent over TCP using SSL
What are the three different types of SD-WAN deployment models?
- Public: on AWS
- Hybrid: on-prem using Public IPs
- Hybrid w/ Private IP: when ISP rejects public IP route
What is a TLOC extension?
A connection between two vEdge routers at the same site that create a “U-shaped” topological connection to two redundant WAN links.
TLOC = Transport Locator
When deploying a vEdge or cEdge router using Zero Touch Provisioning (ZTP), what is the first thing the router attempts to communicate with?
A ZTP Server that is hosted and managed by Cisco on the Internet
When deploying a vEdge or cEdge router using Zero Touch Provisioning (ZTP), what are the only protocols enabled on the outside interface by default?
DNS, DHCP, and ICMP
When DPI is not enabled in SD-WAN, what are the 6 parameters used to identify an application within a policy?
1 -2) Source and Destination IP address
3 - 4) Source and Destination Port
5) DSCP value (QoS)
6) Protocol Number
When using Application Awareness and Deep Packet Inspection (DPI), what protocol is used to detect latency and jitter on a WAN circuit?
BFD - Bi-Directional Forwarding Detection
In Cisco SD-WAN, what VPN ID is reserved for out-of-band management?
VLAN 512
What is SD-WAN Cloud OnRamp for IaaS?
A feature that allows us to deploy virtual vEdge devices to IaaS platforms (AWS and Azure only) to bring SD-WAN into the public cloud.
What is SD-WAN Cloud OnRamp for SaaS?
A feature that extends HTTP(S) probes to the SaaS platform to determine the best path to the SaaS.
What is the name of the metric used to measure how good a connection is to an OnRamp SaaS application?
VQoE - Viptela Quality of Experience.
Value is 0 - 10
What are the challenges of traditional networks that Software Defined Networks sets out to overcome?
- Layer 2 Scaling in large networks
- Layer 3 Roaming (Wireless)
- CLI configuration in large networks (manual config)
- Security and QoS
What are the three elements that make up Cisco Campus Fabric when discussing SDN?
- VXLAN - Tunnel
- LISP - Routing
- CTS (Cisco TrustSec [ISE])
What are the two critical entities of SD-Access?
- Campus Fabric
- DNA Center
What are the four “Layers” of SD-Access?
- Physical Layer: devices
- Network Layer: underlay/overlay
- Control Layer: DNA Center/ISE
- Management Layer: DNA Center GUI
What are the 6 physical components of an SD-Access deployment?
- Fabric Edge Node
- Control Plane Node
- Fabric Border Node
- Fabric WLC
- Intermediate Nodes
- SD Controller (DNA Center/ISE)
What is the recommended Interior Gateway Protocol to be used in a Cisco SD-Access solution?
IS-IS
What SDA component is used to connect user endpoint devices to the SDA Fabric?
Fabric Edge Node
What SDA component uses the LISP protocol to map device endpoint locations?
Control Plan Node(s)
What SDA component connects to other networks (internal or external)?
- Fabric Border Nodes
NOTE:
Internal Border Nodes connect to internal networks
External Border Nodes connect to external networks (BGP/Internet)
What is the difference between a Fabric WLC and a standard WLC?
Fabric WLC is aware of the Software Defined Access fabric. Wireless APs under control of the Fabric WLC can connect to other switches in the fabric using VXLAN tunnels.
Which two SDA component roles can be combined to a single device in smaller networks?
Fabric Border Node & Control Plane Node
In SD Access, which protocols are responsible for the the Data Plane, the Control Plane, and the Policy Plane?
- Data: VXLAN
- Control: LISP
- Policy: CTS (Cisco TrustSec [ISE])
What are the Cisco recommended network layer configurations for nodes running SD Access?
- Interior Gateway Protocol: IS-IS is preferred
- Increase MTU by 50 Bytes
- Layer 3 connectivity end-to-end
What two engines does DNA Center run as the Control Node?
- NCP: Network Control Platform (aka APIC-EM)
- NDP: Network Data Platform
What function does the NCP subsystem perform?
- Automation of Underlay and Overlay Configurations
What function does the NDP subsystem perform?
- Network Assurance
What are the 4 workflows in DNA configuration?
1.) Design - network settings and profiles
2.) Policy - ISE and Security
3.) Provision - assign SDA roles
4.) Assurance - network health
When using LISP and VXLAN in an SD Access deployment, what are the two interchangeable terms used for a network device ID?
VTEP - Virtual Tunnel Endpoint (VXLAN)
RLOC - Routing Locator
When applying CTS Policy to SD Access, what are two types of segmentation that can be accomplished?
Micro-segmentation - blocking hosts on the same subnet from talking to each other.
Macro-segmentation - creation of Virtual Networks (VRFs)
When creating virtual networks within a VXLAN deployment. Which VXLAN field facilitates CTS policy across a virtual network?
The VXLAN VNID (Virtual Network Identifier)
The 802.1X (TrustSec) acronym SGT was changed to mean something different for the purpose of use within SD Access CTS. What was it changed to?
Changed from Security Group Tag to Scalable Group Tag
The new VXLAN specification is now called what? How many SGT tags does it support?
VXLAN-GPO; up to 64,000 SGT Tags
What are the new fields and sizes for a VXLAN-GPO packet header?
Group Policy ID: 16 bit
Group Based Policy Extension: 1 bit
Don’t Learn Bit (D Bit): 1 bit
Policy Applied Bit (A Bit): 1 bit
What type of segmentation does SGT facilitate within SD Access CTS Policy?
Micro-Segmentation
Where is SD Access CTS Policy defined?
It is defined inside of DNA Center then passed to Cisco ISE
When using a Fabric WLC in SD Access, where does the control and data traffic traverse?
- Control traffic goes over the CAPWAP tunnel
- Data traffic goes over the VXLAN
When roaming in a LISP (SDA) Fabric and a client roams to a new ETR, what does the “old” ETR do when it receives a packet from the ITR?
1.) Tells the ITR to send a new map-request to the control node (aka Map Server)
2.) Forwards the packet to the new ETR
NOTE: In this scenario a control node has already sent a map-register to the “old” ETR with the new location of the client…
What is the difference between an External and Internal Border node in an SDA Fabric?
- Internal Border nodes map-registers IGP subnets to the Control Node
- External Border node acts as the destination for all “unknown” destinations like a Default Gateway.
Which Cisco 9k switches are designed to be a Core switch?
Catalyst 9500 and 9600
*In an SDA deployment these could also be a Fabric Border or Control Node
Which Cisco 9k switches are designed to be a Fabric Edge switch?
Catalyst 9200, 9300 and 9400 - these were designed to replace the old 2k, 3k, and 4k access switches.
9500 is also capable of being a fabric edge node although it is designed to be a core switch
Which Cisco routers are preferable for use in SDA fabric?
- ASR1000
- ISRv (virtual)
- CSRv (virtual/cloud)
What two roles in an SDA Fabric would a Cisco router serve?
- Control Node
- Fabric Border Node
What are the recommended models of Cisco devices for use as a Fabric WLC in an SDA deployment?
- Catalyst 9800 WLC
- Catalyst Embedded WLC (on Catalyst 9300 Switch)
- Catalyst 9800-CL (cloud)
What Cisco devices are recommended as Wireless APs in an SDA deployment?
- Catalyst 9100 APs
What piece of hardware is used to deploy the physical instance of DNA Center?
Cisco UCS M5 Server
NOTE: DNA Center recently became available as a Virtual Appliance
What are the “Three A’s” of SD Access?
- Automation
- Analytics
- Assurance
What services does the DNA Center Analytics Engine provide for network engineers?
- SNMP
- Syslog
- Netflow
- Streaming Telemetry
What new tool does SD Access Assurance provide for network engineers?
Path Trace
What communication protocol does ISE use to push policies to 3rd party devices such as third party firewalls and switches?
pxGrid - Platform Exchange Grid
What Cisco products make up the Encrypted Traffic Analytics solution?
- StealthWatch
- ISE
- Catalyst 9k devices (not 9200s)
In an SD Access environment, where do Anycast gateways get deployed?
On all Fabric Edge nodes
In the Design workflow of DNA Center, what are the key elements you would configure?
- The Network Hierarchy (Geographically)
- Network Devices and settings
- Image Repository
- Network Profiles
- Auth Templates
In the Policy workflow of DNA Center, what are the key elements you would configure?
- Virtual Networks
- Group Based Access
- IP Based Access
What happens in the DNA Center Provisioning workflow?
- Device Onboarding
- Automated Underlay Configuration (If the devices support it)
What information can DNA Center provide in the Assurance workflow?
- Client Health
- Connectivity data
- Historical Network data
- Detected Issues
- AI suggested resolution steps
