Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CCNP Core > Chap 23 - Fabric Technologies > Flashcards

Chap 23 - Fabric Technologies Flashcards

1
Q

What 7 capabilities are leveraged by SD-Access?

A
  • Network automation
  • Network assurance and analytics
  • Network virtualization
  • Host mobility
  • Identity Services
  • Policy enforcement
  • Secure segmentation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What 2 main components make up SD-Access?

A
  • Cisco campus fabric solution
  • Cisco DNA Center
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

When is the campus fabric solution just called a Campus Fabric Solution

A

When the campus fabric is managed using the CLI or an API using Network Configuration Protocol (Netconf/Yang)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is SD-Access?

A

When the Campus Fabric Solution is managed with Cisco DNA Center

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is NETCONF/YANG?

What does it do?
What is NETCONF?
What is YANG?

A
  • Provides a standardized way to configure network devices
  • Netconf is the protocol
  • Yang is the modeling language
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the 4 layers that make up SD-Access?

A
  • Physical layer
  • Network layer (underlay and overlay networks)
  • Controller layer
  • Management layer
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What 5 devices are in the Physical layer?

A
  • Routers
  • Switches
  • Wireless
  • ISE
  • Cisco DNA Center
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What 2 things make up the Network layer?
And what does each one consist of?

A
  • Underlay network (settings, protocols)
  • Overlay network (LISP, VXLAN, CTS)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is in the Controller layer?

What are 2 devices in the controller layer?
What are 2 platforms in the controller layer?
On which of the devices do the 2 platforms reside?

A
  • DNA Center
  • ISE
  • Network Control Platform (NCP)
  • Network Data Platform (NDP)
  • They reside on DNA-C
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is in the Management layer and what are 5 functions it serves?

A
  • DNA Center GUI
  • Functions:
    • Automation
    • Design
    • Policy
    • Provision
    • Assurance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is a switch called that does not participate in the SD-Access fabric but is part of it because of automation?

A

SD-Access Extension Node

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What 2 things must infrastructure devices support in order to participate in SD-Access?

A
  • They must support all of the hardware ASICs
  • They must support Field Programmable Gate Arrays
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

what 2 controllers are required for SD-Access?

A
  • Identity Services Engine (ISE)
  • DNA Center
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is the purpose of the underlay network?

A

its sole purpose is to transport data packets between network devices for the SD-Access fabric overlay.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is an overlay network and what is its purpose?

A
  • It is a virtual tunneled network that connects all of the network devices to form a fabric of interconnected nodes
  • It abstracts the inherent complexities and limitations of the underlay network
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How should the underlay network be configured?

When configuring it what are 3 goals to achieve?
Why is it so important to achieve these goals?

A
  • It should ensure
    • performance
    • scalability
    • high availability
  • Because any problems with the underlay will affect the operation of the fabric overlay.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Is it possible to use STP in the underlay network?

A

It is possible but it is not recommended.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What are the recommended designs for Layer 2 and Layer 3 in the underlay network?

A
  • Layer 3 routed access layer
  • ISIS as the IGP
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What 3 reasons are why ISIS is the recommended IGP for the underlay network?

A
  • Neighbor establishment without IP dependencies
  • Peering capability using loopback addresses
  • Agnostic treatment of IPv4, IPv6, and non-IP traffic.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What 2 models of underlay are supported?

A
  • Manual underlay
  • Automated underlay
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What is the manual model of underlay?

A

It is configured and managed manually (such as with a CLI or an API) rather than through Cisco DNA Center

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What are 2 advantages of the manual model of underlay?

A
  • It allows customization of the network to fit any special design requirements (such as changing the IGP to OSPF)
  • It allows SD-Access to run on the top of a legacy (or third-party) IP-based network
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is the Automated Model of underlay?

A

It is configured and managed by the Cisco DNA Center LAN Automation feature

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What does the Cisco DNA Center LAN Automation feature do when used to configure the underlay network?

A
  • Creates an IS-IS routed access campus design
  • Uses the Cisco Network Plug and Play features to deploy both unicast and multicast routing configuration
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What are 3 advantages of using the Automated model of underlay?
* Eliminates misconfigurations * Reduces the complexity of the network underlay * Greatly simplifies and speeds the building of the network underlay.
26
What is a disadvantage of using the Automated model of underlay?
It does not allow manual customization for special design requirements.
27
What are 3 things that the Overlay Network (SD-Access Fabric) provides?
* Provides policy-based network segmentation * Host mobility for wired and wireless hosts * Enhanced security beyond the normal switching and routing capabilities of a traditional network
28
What type of model is the Overlay Network, manual or automated?
Always fully automated regardless of what model is used on the underlay network
29
What 2 things does the Overlay network include?
* All necessary overlay control plane protocols and addressing * All global configurations associated with operation of the SD-Access fabric.
30
If the Overlay is manually configured without the use of Cisco DNA Center what is it called?
A campus fabric solution (not SD-Access)
31
What are the 3 basic planes of operation of SD-Access fabric?
* Control plane (based on Locator/ID Separation Protocol (LISP)) * Data plane, based on Virtual Extensible LAN (VXLAN) * Policy plane, based on Cisco TrustSec
32
What is LISP?
* Based on a simple endpoint ID (EID) to routing locator (RLOC) mapping system * It separates the identity (endpoint IP address) from its current location (network edge/border router IP address).
33
How does LISP simplify traditional routing environments?
* Uses Pull Routing * By moving remote destination information to the LISP map server (MS) (a control plane node in SD-Access) * This allows each router to manage only its local routes and query the map system to locate destination EIDs.
34
What are 4 advantages for SD-Access when using LISP as the control plane?
* Smaller routing tables * Dynamic host mobility for wired and wireless endpoints * Address-agnostic mapping (IPv4, IPv6, and/ or MAC) * Built-in network segmentation through VRF instances.
35
What enhancements to LISP have been added for SD-Access?
* Distributed Anycast Gateway * VN Extranet * Fabric Wireless
36
What is the tunneling technology for SD-Access based on?
Virtual Extensible LAN (VXLAN)
37
What encapsulation is used by VXLAN?
* MAC-in-IP encapsulation * It can be forwarded by any IP-based network (legacy or third party) * In this way it creates the overlay network for the SD-Access fabric.
38
Why doesn't SD-Access use LISP encapsulation instead of VXLAN encapsulation?
Because VXLAN is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not.
39
What does VXLAN allow for?
* It allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) * Gives it the ability to operate over any IP-based network * Has built-in network segmentation (VRF instance/VN) * Has built-in group-based policy
40
What is the difference between the LISP packet and the VXLAN packet?
* Lisp only encapsulates the original layer 3 header (IP-in-IP/UDP encapsulation) * VXLAN encapsulates the original L2 (Ethernet) and L3 (IP) headers (MAC-in-IP/UDP)
41
How was the original VXLAN specification enhanced for SD-Access?
* By adding new fields to the first 4 bytes of the VXLAN header in order to transport up to 64,000 TrustSec SGT tags * This was done to support TrustSec
42
What is the new SD-Access specification called?
VXLAN Group Policy Option (VXLAN GPO)
43
What are SGTs in SD-Access?
TrustSec Scalable Group Tags
44
What are the 4 new fields called in the VXLAN-GPO packet format?
* Group Policy ID * Group-based Policy Extension Bit (G Bit) * Don't Learn Bit (D Bit) * Policy Applied Bit (A Bit)
45
In the VXLAN-GPO what is the Group Policy ID?
16-bit identifier that is used to carry the SGT tag.
46
In the VXLAN-GPO what is the Group-based Policy Extension Header (G Bit)?
1-bit field that, when set to 1, indicates an SGT tag is being carried within the Group Policy ID field and set to 0 when it is not.
47
In the VXLAN-GPO what is the Don't Learn Bit (D Bit)?
1-bit field that when set to 1 indicates that the egress virtual tunnel endpoint (VTEP) must not learn the source address of the encapsulated frame.
48
In the VXLAN-GPO what is A-bit? What does the A stand for When is the A-bit set? What does it mean when the A bit is set to 1? What does it meaa when the A bit is set to 0?
* Policy Applied * It is only defined as the A bit when the G bit field is set to 1 * If set to 1 it means that the group policy has already been applied to this packet, and further policies must not be applied by network devices. * If set to 0 It means that group policies must be applied by network devices, and they must set the A bit to 1 after the policy has been applied.
49
What are Cisco TrustSec SGT tags? Who are they assigned to? What do they take the place of? What are 4 types of policies these tags can be used for?
* Assigned to authenticated groups of users or end devices * They take the place of ACLs * Security, QOS, Policy-based Routing (PBR), network segmentation
50
What 5 advantages do SGT tags bring to SD-Access?
* Support for VRF segmentation * Group-based segmentation (policies) * Reduces complexity by basing group policies on SGT tags instead of IP/MAC addresses * Dynamic enforcement of group-based policies regardless of location * Extends policy enforcement to external networks (cloud, data center) by using SGT Exchange Protocol (SXP) to send SGT tags to TrustSec-aware devices
51
What are the 5 basic device roles in SD-Access?
* Control plane node * Fabric border node * Fabric edge node * Fabric WLAN controller * Intermediate nodes
52
What is the Control Plane Node? What is the control plane node comparable to? What SD-Access enhanced functions does it have? What is the function of the database on the control plane node? What are 3 types of lookups the database can do? How is the database populated? What kind of hardware/software should this device support and where can it be located? What brand of hardware should it be?
* LISP MS/MR * Fabric wireless and SGT mappings * It maps EIDs to RLOCs * IPV4, IPV6, and MAC * It receives EID-to-RLOC registrations from fabric border and edge nodes for wired clients and from fabric WLCs for wireless clients * Hardware/software should be scalable to support all mappings * It should be a Cisco router or switch inside or outside the fabric
53
What is the Fabric Border Node? What is it comparable to? What 2 things does it connect? What 2 things does it translate? What are the 3 types of Fabric Border Nodes and what do they connect to?
* Comparable to LISP Proxy xTRs * It connects the fabric to external layer 3 networks * It translates reachability and policy information from one domain to another * This fabric device (for example, core layer device) connects external Layer 3 networks to the SD-Access fabric. * 3 Types: * Internal Border Node - only to known areas of the internal network * Default Border Node - only to unknown areas outside the organization * Internal+Default Border Node - connects to both internal and unknown networks
54
What is the Fabric Edge Node? What is it comparable to? What 4 things does it provide? What kind of device must this be?
* LISP xTR * It provides: * Anycast gateway * End point authentication * Assignment to overlay host pools (DHCP or static) * Group-based policy enforcement * Must be a Cisco switch or router operating in the fabric overlay
55
What is the Fabric WLAN Controller? What is its function? Where is it located and what does it connect to? What 2 services does it provide and who are the services for? How does it connect its clients to the fabric? What would the mapping of these clients consist of? What is the difference in how this fabric WLC carries traffic vs. traditional WLCs?
* It connects APs and wireless endpoints to the SDA fabric. * Located outside the fabric and connects to an Internal Border Node * Onboarding and mobility services to fabric-connected wireless users and endpoints * it provides LISP Proxy xTR EID-to-RLOC registrations to the MS/MR * Maps the host EID to the current Access Point and to the Edge Node where that AP connects * Control plane traffic continues to use CAPWAP tunnels that are encapsulated in VXLAN tunnel and data plane traffic is re-mapped to the Fabric Edge Node (switch where the AP is) where it is encapsulated in its own VXLAN tunnel
56
What is the Intermediate Node?
These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services.
57
What are the 3 steps the Fabric Edge Node does when a wired client connects? What are 3 types of host addresses that can be used in SD-Access?
* First identifies and authenticates wired endpoints (through 802.1x) * Places them in a host pool (SVI and VRF instance) and into a scalable group (SGT assignment) * Then registers the specific EID host address with the control plane node * Types of host addresses: * MAC host address * IPv4 host address * IPv6 host address
58
What else does the Fabric Edge Node do?
* Provides a single Layer 3 anycast gateway (that is, the same SVI with the same IP address on all fabric edge nodes) for its connected endpoints * Performs the encapsulation and de-encapsulation of host traffic to and from its connected endpoints.
59
How do Fabric Border Nodes work?
* They are LISP proxy tunnel routers (PxTRs) * They connect external Layer 3 networks to the SD-Access fabric * They translate reachability and policy information, such as VRF and SGT information, from one domain to another.
60
What does a Fabric Wireless Controller connect?
A fabric-enabled WLC connects APs and wireless endpoints to the SD-Access fabric.
61
How does a Fabric Wirelss Controller connect to the fabric?
The WLC is external to the fabric and connects to the SD-Access fabric through an internal border node.
62
What tasks does a Fabric Wireless Controller perform?
* Provides onboarding and mobility services for wireless users and endpoints connected to the SD-Access fabric * Performs PxTR registrations to the fabric control plane (on behalf of the fabric edges) * Can be thought of as a fabric edge for wireless clients * Maps the host EID to the current fabric access point and fabric edge node location the access point is attached to
63
Why is tunneling wireless traffic over VXLAN better than a CAPWAP tunnel?
VXLAN increases performance and scalability
64
What does the Virtual Network (VN) provide? What does it use to do this? What are created in the process?
The VN provides virtualization at the device level, using VRF instances to create multiple Layer 3 routing tables.
65
What does a VRF provide and what does this allow for? What 2 things does this allow for?
* Traffic segmentation across IP addresses * Allows for overlapping address space
66
What does the Control Plane use to maintain separate VRF instances?
LISP instance IDs
67
How does the Data Plane maintain separate VRF instances?
Edge nodes add a VXLAN ID (VNID) to the fabric encapsulation.
68
What is a Host Pool? What 2 things does a host pool consist of? How are members assigned to the host pool? What do members of the host pool have in common? How are host pools advertised?
* It consists of: * A group of assigned endpoints * An SVI * They can be assigned based on 802.1x authentication or statically by switchport * The SVI for the host pool their default gateway * EID mappings are used to advertise each host pool itself as well as host-specific advertisements and mobility
69
What are Scalable Groups? What does a scalable group represent? Are scalable groups global throughout the fabric? Who does the assignment? Who is assigned to these groups? What 2 things can this assignment be based on? How are scalable groups related to host pools? What does this relationship result in? How does the network know who is in a scalable group?
* A group of endpoints with similar policies * Yes * The SD-Access policy plane * Every endpoint (host) using TrustSec SGT tags * Assignment based on: * Static per fabric edge port * Dynamic through AAA or RADIUS authentication by Cisco ISE * There is a direct one-to-one relationship between them * The scalable group and its members operate within a single VN * Every VXLAN packet carries the SGT tag
70
What is an Anycast Gateway?
A pervasive Layer 3 default gateway where the same SVI is provisioned on every edge node with the same IP and MAC address
71
What does the Controller Layer do?
The controller layer provides all of the management subsystems for the management layer, and this is all provided by Cisco DNA Center and Cisco ISE.
72
What are the 3 main Controller Layer subsystems?
* Cisco Network Control Platform (NCP) * Cisco Network Data Platform (NDP) * Cisco Identity Services Engine (ISE)
73
What is the Cisco Network Control Platform (NCP)? Where is it? What 2 things does it provide? What 3 protocols does it use?
* Integrated directly into Cisco DNA Center * It provides * automation * orchestration * It uses: * NETCONF/YANG * SNMP * SSH/Telnet
74
What is the Cisco Network Data Platform (NDP)? Where is it? What 3 things make up this subsystem? What 2 sources of information does NDP use? What does it do with the information?
* It is integrated into DNA-C * It is made up of * data collection * analytics * assurance * Sources include Netflow and SPAN * It identifies historical trends and then uses this information to provide contextual information to NCP and ISE, and it provides network operational status and other information to the management layer
75
What does the Cisco Network Data Platform (NDP) do?
* It analyzes and correlates various network events through multiple sources (such as NetFlow and Switched Port Analyzer [SPAN]) * It identifies historical trends and then uses this information to provide contextual information to NCP and ISE, and it provides network operational status and other information to the management layer
76
What is the basic role of ISE?
The basic role of ISE is to provide all the identity and policy services for the physical layer and network layer.
77
How does ISE provide network access control (NAC) and identity services for dynamic endpoint-to-group mapping and policy definition?
It uses 802.1x, MAC Authentication Bypass (MAB), and Web Authentication (WebAuth).
78
How does ISE interact with NDP and NCP?
* ISE collects and uses the contextual information shared from NDP and NCP ( also Active Directory and AWS) and then places the profiled endpoints into the correct scalable group and host pool. ISE uses this information to provide information to NCP and NDP, so the user (management layer) can create and manage group-based policies * ISE is also responsible for programming group-based policies on the network devices.
79
How does ISE and DNA Center integrate with each other?
* The NDP subsystem shares contextual analytics information with Cisco ISE and NCP subsystems and provides this information to the user (management layer) * The NCP subsystem integrates directly with Cisco ISE and NDP subsystems to provide contextual automation information between them * ISE integrates directly with Cisco NCP and NDP subsystems (Cisco DNA Center) to provide contextual identity and policy information
80
What is the Cisco DNA Center?
* It is the user interface/user experience (UI/UX) layer, where all the information from the other layers is presented to the user in the form of a centralized management dashboard. * It is the intent-based networking aspect of Cisco DNA
81
Is there a need for a full understanding of the network layer (LISP, VXLAN, and Cisco TrustSec) or controller layer (Cisco NCP, NDP, and ISE) ?
No the management layer abstracts all the complexities and dependencies of the other layers and provides the user with a simple set of GUI tools and workflows to easily manage and operate the entire Cisco DNA network
82
What are the 4 primary workflows defined by Cisco DNA?
* Design * Policy * Provision * Assurance
83
What is the Design Workflow for?
To logically define the SD-Access fabric.
84
What are 4 of the Design Workflow tools?
\* Network Hierarchy \* Network Settings \* Image Repository \* Network Profiles
85
In the Design Workflow tools what does Network Hierarchy do?
It is used to set up geolocation, building, and floorplan details and associate them with a unique site ID.
86
In the Design Workflow tools what does Network Settings do?
It is used to set up network servers (such as DNS, DHCP, and AAA), device credentials, IP management, and wireless settings.
87
In the Design Workflow tools what does Image Repository do?
It is used to manage the software images and/or maintenance updates, set version compliance, and download and deploy images.
88
In the Design Workflow tools what does Network Profiles do?
It is used to define LAN, WAN, and WLAN connection profiles (such as SSID) and apply them to one or more sites.
89
What are 6 of the tools in DNA Policy Workflow?
\* Dashboard \* Group-based Access Control \* IP-based Access Control \* Application \* Traffic Copy \* Virtual Network
90
In the DNA Policy Workflow tools what does Dashboard do?
It is used to monitor all the VNs, scalable groups, policies, and recent changes.
91
In the DNA Policy Workflow tools what does Group-based Access Control do?
It is used to create group-based access control policies, which are the same as SGACLs. Cisco DNA Center integrates with Cisco ISE to simplify the process of creating and maintaining SGACLs.
92
In the DNA Policy Workflow tools what does IP-based Access Control do?
It is used to create IP-based access control policy to control the traffic going into and coming out of a Cisco device in the same way that an ACL does.
93
In the DNA Policy Workflow tools what does Application tool do?
It is used to configure QoS in the network through application policies.
94
In the DNA Policy Workflow tools what does Traffic Copy do?
It is used to configure Encapsulated Remote Switched Port Analyzer (ERSPAN) to copy the IP traffic flow between two entities to a specified remote destination for monitoring or troubleshooting purposes.).
95
In the DNA Policy Workflow tools what does Virtual Network do?
It is used to set up the virtual networks (or use the default VN) and associate various scalable groups.
96
In the DNA Provision Workflow what are 4 tools?
\* Devices \* Fabrics \* Fabric Devices \* Host Onboardings
97
In the DNA Provision Worflow what does Devices do?
It is used to assign devices to a site ID, confirm or update the software version, and provision the network underlay configurations.
98
In the DNA Provision Worflow what does Fabrics do?
It is used to set up the virtual networks (or use the default VN) and associate various scalable groups.
99
In the DNA Provision Worflow what does Fabric Devices do?
It is used to add devices to the fabric domain and specify device roles (such as control plane, border, edge, and WLC).
100
In the DNA Provision Worflow what does Host Onboarding do?
It is used to define the host authentication type (static or dynamic) and assign host pools (wired and wireless) to various VNs.
101
What are 4 of the DNA Assurance Workflow?
\* Dashboard \* Client 360 \* Devices 360 \* Issues
102
In the DNA Assurance Workflow what does Dashboard do?
It is used to monitor the global health of all (fabric and non-fabric) devices and clients, with scores based on the status of various sites.
103
In the DNA Assurance Workflow what does Client 360 do?
It is used to monitor and resolve client-specific status and issues (such as onboarding and app experience), with links to connected devices.
104
In the DNA Assurance Workflow what does Devices 360 do?
It is used to monitor and resolve device-specific status and issues (such as resource usage and loss and latency), with links to connected clients.
105
In the DNA Assurance Workflow what does Issues do?
It is used to monitor and resolve open issues (reactive) and/or developing trends (proactive) with clients and devices at various sites.
106
What are 6 reasons customers are looking into SD-WAN?
\* Lower costs and reduce risks \* Extend their enterprise networks into the public cloud \* Optimal user experience for SaaS applications \* Leverage a transport-independent WAN for lower cost and higher diversity (underlay is any type of IP network (Internet, MPLS, etc) \* Improve application performance with intelligent path control \* End-to-end WAN traffic segmentation and encryption
107
What are the 2 SD-WAN solutions offered by Cisco?
\* Cisco SD-WAN based on Viptela \* Meraki SD-WAN
108
What is Cisco SD-WAN?
\* Viptella based \* Cloud-delivered overlay WAN architecture \* Preferred solution for organizations that require an SD-WAN solution with cloud-based initiatives \* provides granular segmentation, advanced routing, advanced security, and complex topologies while connecting to cloud instances
109
What is Meraki SD-WAN?
\* Recommended solution for organizations that require unified threat management (UTM) solutions with SD-WAN functionality or that are existing Cisco Meraki customers looking to expand to SD-WAN.
110
What is Unified Threat Management (UTM)?
An all-in-one security solution delivered in a single appliance in Meraki implementations.
111
What are 6 features provided with Unified Threat Management (UTM)?
\* Firewall \* VPN \* Intrusion prevention \* Antivirus \* Antispam \* Web content filtering
112
What are the 4 main components that make up SD-WAN?
\* vManage Network Management System \* vSmart Controller \* SD-WAN routers \* vBond Orchestrator
113
What is the vManage Network Management System (NMS)?
\* A single pane of glass network management system (NMS) GUI \* Used to configure and manage the full SD-WAN solution \* Enables centralized provisioning and simplifies network changes.
114
What is the vSmart Controller?
\* Brains of SD-WAN solution \* Establishes OMP neighborships with SD-WAN routers \* Learns routes and network topology \*Calculates best routes \* Advertises reachability info to SD-WAN routers \* Implements control plane policies created by vManage \* also works in conjunction with the vBond orchestrator to authenticate the devices as they join the network and to orchestrate connectivity between the SD-WAN routers.
115
How does the vSmart Controller ensure that only authorized devices join the fabric?
\* vSmart Controller has pre-installed credentials that ensures only authenticated devices join the SD-WAN fabric
116
What is Overlay Management Protocol (OMP)?
\* Proprietary protocol similar to BGP used by vSmart Controllers to form neighborships with SD-WAN routers \* Used to advertise routes, next hops, keys, and policy information needed to establish and maintain the SD-WAN fabric
117
What does the vSmart Controller do after authenticating a device?
\* It establishes a permanent DTLS tunnel to each SD-WAN router in the SD-WAN fabric \* It uses these tunnels to establish Overlay Management Protocol (OMP) neighborships with each SD-WAN router.
118
What are the 2 types of SD-WAN routers?
\* vEdge - Viptela platforms running Viptela software \* cEdge - Viptela software integrated with Cisco IOS-XE
119
What platforms are available for cEdge routers?
\* CSR \* ISR \* ASR1k \* ENCS \* Cloud-enabled CSRv and ISRv
120
In general, what do SD-WAN routers do?
They deliver the essential WAN, security, and multicloud capabilities of the Cisco SD-WAN solution,
121
Do SD-WAN routers have any local intelligence built in?
They have local intelligence to make site-local decisions regarding routing, high availability (HA), interfaces, ARP management, and ACLs.
122
What do cEdge routers do that vEdge routers cannot?
A main differentiator between SD-WAN cEdge routers and vEdge routers is that cEdge routers support advanced security features,
123
What general functions do SD-WAN routers support?
\* SD-WAN overlay control \* Data plane functions
124
What standard router features do SD-WAN routers support?
OSPF, BGP, ACLs, QOS, Routing policies
125
Where do SD-WAN routers sit in the SD-WAN fabric?
They sit at the perimeter of a site, such as a remote office, branch office, campus, or data center.
126
What 2 types of connections do SD-WAN routers provide?
\* Connect with vSmart Controller over DTLS tunnel and use OMP to form a neighborship \* Connects with other SD-WAN routers using IPSec
127
What is DTLS?
\* Datagram Transport Layer Security \* UDP based \* Preserves the semantics of the underlying transport \* Prevents eavesdropping, tampering, and message forgery
128
What do SD-WAN routers use the OMP neighborship with the vSmart Controller for?
To exchange routing information
129
What does the vBond Orchestrator authenticate?
\* SD-WAN routers \* vSmart Controllers
130
What is the only SD-WAN device that needs a public IP?
The vBond Orchestrator needs a public IP so that all SD-WAN devices in the network can connect to it.
131
What kind of device is the SD-WAN vBond Orchestrator?
An SD-WAN router that only performs the Orchestrator tasks.
132
What are the 3 major components of the vBond Orchestrator?
\* Control plane connection \* NAT Traversal \* Load Balancing
133
What functions does the Control Plane connection perform in the vBond Orchestrator?
\* Permanent connection over DTLS tunnel with every vSmart Controller \* DTLS connections with SD-WAN routers to authenticate them when they come on line and to facilitate their ability to join the network
134
What kind of authentication does the vBond Orchestrator use to authenticate SD-WAN routers?
Basic authentication of an SD-WAN router is done using certificates and RSA cryptography.
135
What does the vBond Orchestrator do when performing its NAT Traversal function?
It facilitates the initial orchestration between SD-WAN routers and vSmart controllers when one or both of them are behind NAT devices.
136
What kind of techniques are used by the Orchestrator when performing NAT Traversal?
Standard peer-to-peer techniques
137
What does the vBond Orchestrator do when performing its Load Balancing function?
In a domain with multiple vSmart controllers, the vBond orchestrator automatically performs load balancing of SD-WAN routers across the vSmart controllers when routers come online.
138
What 3 functions does the Optional vAnalytics perform?
\* Visibility into applications and infrastructure across the WAN \* Forecasting and what-if analysis \* Intelligent recommendations
139
How can vAnalytics help to reduce costs?
vAnalytics can also help predict how much bandwidth is truly required for any location, and this is useful in deciding whether a circuit can be downgraded to a lower bandwidth to reduce costs.
140
How can vAnalytics troubleshoot WAN connections?
If a site is experiencing latency or packet loss vAnalytics will detect this. It will then compare what it finds with other organizations in the area and can report results to the service provider
141
Which 2 SD-WAN components are ONLY available as VMs?
\* vManage \* vSmart
142
How does Cisco Cloud OnRamp deliver the best application quality of experience for SaaS applications?
By continuously monitoring SaaS performance across diverse paths and selecting the best-performing path based on performance metrics (jitter, loss, and delay).
143
How does Cisco Cloud OnRamp simplify hybrid cloud and multicloud IaaS connectivity ?
By extending the SD-WAN fabric to the public cloud while at the same time increasing high availability and scale.
144
How does Cisco Cloud OnRamp find the best performing Internet exit point towward a SaaS provider?
The SD-WAN router at the remote site starts sending small HTTP probes to the SaaS application through both DIA circuits to measure latency and loss.
145
What is a DIA link?
Dedicated Internet Access
146
What is Bidrectional Forwarding Detection (BFD)?
a detection protocol originally designed to provide fast forwarding path failure detection times between two adjacent routers.
147
How does SD-WAN Cloud OnRamp use BFD?
In a case where a remote office can reach the SaaS provider via its own Internet connection or as an alternative go through the company's main office SD-WAN uses BFD over the DTLS session between the branch and main offices to see if the Internet connection through the main office is better than the branch's own Internet access connection.
148
What is a campus fabric?
Cisco-validated fabric overlay solution that includes all of the features and protocols to operate the network infrastructure.
149
What 4 things make up the features and protocols to operate the network infrastructure as a Campus Fabric Network
* Control plane * Data plane * Management plane * Policy plane
150
What makes SD-Access unique and powerful?
Combining multiple existing technologies and automated management by DNA Center.
151
What does SGACL stand for and what is it?
* Security Group Access Control List * An ACL based on identity instead of IP address
152
What does VRF stand for, what is it called in SD-Access, and what is it?
* Virtual Routing and Forwarding * In SD-Access it's called a Virtual Network (VN) * It is an instance of a virtual network with it's own set of access policies. SD-Access can support multiple VNs
153
What are 4 reasons why Cisco recommends IS-IS for the SD-Access overlay network?
* IS-IS performs better than EIGRP and OSPF * It is able to form neighborships without dependence on TCP/IP * It can form neighbor relationships using loopback addresses * It can support both IP and non-IP protocols
154
What routing protocol is used between SD-Access fabric border routers and Fusion routers?
BGP
155
What 2 things are Fusion routers used for?
* Connect the SD-Access fabric to shared services such as DNS, DHCP, NTP * Connects ISE, DNAC, and WLCs to the SD-Access fabric so that their services are accessible to virtual networks (VNs) and their endpoints
156
Which SD-WAN component distributes security information between vEdge routers to facilitate data plane tunnel creation?
vSmart Controller
157
What are 8 steps to follow when preparing to upgrade DNA-C?
* SUPER-ADMIN-ROLE permissions * Perform a backup * Perform a system update * Verify access through firewall to www.ciscoconnectdna.com:443 * Have CCO ID available * Allocate at least 6 hours * Confirm that root partition has at least 2GB free * Confirm that data partition has at least 32 GB free and is not more than 70% full

CCNP Core (46 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions