SD-WAN, SDA, Fabric Flashcards

SD-WAN, SD-Access, ACI

1
Q

What type of tunnels does SD-WAN leverage?

A

IPSec

2
Q

What is the name of the device where SD-WAN Policy is defined?

A

The Controller

3
Q

What are the 4 main components of Cisco SD-WAN and what are their functions?

A

vManage - GUI and API VM used to configure and manage SD-WAN
vSmart - the controller that pushes the policy and acts as the data plane for the SD-WAN
vEdge / cEdge - These are the SD-WAN Edge Routers
vBond - the out of band orchestrator

4
Q

What is cEdge and how is it different from vEdge?

A

cEdge is a Cisco ISR router running Viptela firmware. The main difference is that cEdge supports advanced security features that vEdge does not.

5
Q

What features does cEdge have that vEdge does not?

A
  • Cisco AMP and Threat Grid
  • Enterprise Firewall
  • Cisco Umbrella DNS
  • URL Filtering
  • Snort IPS
6
Q

What are the three main features of vBond?

A
  • Control Plane Connection - permanent control plane connection to each vSmart controller
  • NAT Traversal
  • Load Balancing - load balances routers to vSmart controllers when more than one exist in a domain
7
Q

What are the benefits of SD-WAN?

A
  • Lower Costs and Reduce Risks with simple WAN automation and Orchestration
  • Extend Enterprise networks seamlessly into the public cloud
  • Provide optimal user experience for SaaS applications
  • Leverage a transport-independent WAN for lower cost and higher diversity. This means the underlay network can be any type of IP-based network, such as the Internet, MPLS, 3G/4G LTE, satellite, or dedicated circuits.
  • Enhance application visibility and use that visibility to improve performance with intelligent path control to meet SLAs for business-critical and real-time applications.
  • Provide end-to-end WAN traffic segmentation
8
Q

What are some limitations of Cisco SD-WAN?

A
  • Base SD-WAN license only allows for a Hub-and-Spoke topology
  • If there are two vManage, they must be Active/Passive
  • vAnalytics feature requires an additional license
  • vBond must have a public IP address (or NAT’d private)
  • Some ISR/ASR modules may not be compatible with cEdge
  • Deep Packet Inspection (DPI) requires additional licensing
9
Q

What are the four different SD-WAN traffic forwarding options when configuring a policy?

A
  • Active/Active: Load Balanced
  • Active/Active Weighted: Load balanced based on bandwidth
  • Active/Standby Pinning: Application traffic has a preferred route unless it is down
  • Application Aware SLA: application traffic chooses a route based on network metrics such as loss and jitter
10
Q

In SD-WAN, what is OMP?

A

Overlay Management Protocol - the control plane information and controller policies that are sent from vSmart to the vEdge. Sent over TCP using SSL.

11
Q

What are the three different types of SD-WAN deployment models?

A
  • Public: on AWS
  • Hybrid: on-prem using Public IPs
  • Hybrid w/ Private IP: when ISP rejects public IP route
12
Q

What is a TLOC extension?

A

A connection between two vEdge routers at the same site that creates a “U-shaped” topological connection to two redundant WAN links.

TLOC = Transport Locator

13
Q

When deploying a vEdge or cEdge router using Zero Touch Provisioning (ZTP), what is the first thing the router attempts to communicate with?

A

A ZTP Server that is hosted and managed by Cisco on the Internet

14
Q

When deploying a vEdge or cEdge router using Zero Touch Provisioning (ZTP), what are the only protocols enabled on the outside interface by default?

A

DNS, DHCP, and ICMP

15
Q

When DPI is not enabled in SD-WAN, what are the 6 parameters used to identify an application within a policy?

A

1-2) Source and Destination IP address
3-4) Source and Destination Port
5) DSCP value (QoS)
6) Protocol Number

16
Q

When using Application Awareness and Deep Packet Inspection (DPI), what protocol is used to detect latency and jitter on a WAN circuit?

A

BFD - Bi-Directional Forwarding Detection

17
Q

In Cisco SD-WAN, what VPN ID is reserved for out-of-band management?

A

VLAN 512

18
Q

What is SD-WAN Cloud OnRamp for IaaS?

A

A feature that allows us to deploy virtual vEdge devices to IaaS platforms (AWS and Azure only) to bring SD-WAN into the public cloud.

19
Q

What is SD-WAN Cloud OnRamp for SaaS?

A

A feature that extends HTTP(S) probes to the SaaS platform to determine the best path to the SaaS.

20
Q

What is the name of the metric used to measure how good a connection is to an OnRamp SaaS application?

A

VQoE - Viptela Quality of Experience.

Value is 0 - 10

21
Q

What are the challenges of traditional networks that Software Defined Networking sets out to overcome?

A
  • Layer 2 Scaling in large networks
  • Layer 3 Roaming (Wireless)
  • CLI configuration in large networks (manual config)
  • Security and QoS
22
Q

What are the three elements that make up Cisco Campus Fabric when discussing SDN?

A
  • VXLAN - Tunnel
  • LISP - Routing
  • CTS (Cisco TrustSec [ISE])
23
Q

What are the two critical entities of SD-Access?

A
  • Campus Fabric
  • DNA Center
24
Q

What are the four “Layers” of SD-Access?

A
  • Physical Layer: devices
  • Network Layer: underlay/overlay
  • Control Layer: DNA Center/ISE
  • Management Layer: DNA Center GUI
25
Q

What are the 6 physical components of an SD-Access deployment?

A
  • Fabric Edge Node
  • Control Plane Node
  • Fabric Border Node
  • Fabric WLC
  • Intermediate Nodes
  • SD Controller (DNA Center/ISE)
26
Q

What is the recommended Interior Gateway Protocol to be used in a Cisco SD-Access solution?

A

IS-IS

27
Q

What SDA component is used to connect user endpoint devices to the SDA Fabric?

A

Fabric Edge Node

28
Q

What SDA component uses the LISP protocol to map device endpoint locations?

A

Control Plane Node(s)

29
Q

What SDA component connects to other networks (internal or external)?

A

Fabric Border Nodes

NOTE: Internal Border Nodes connect to internal networks; External Border Nodes connect to external networks (BGP/Internet).

30
Q

What is the difference between a Fabric WLC and a standard WLC?

A

A Fabric WLC is aware of the Software Defined Access fabric. Wireless APs under control of the Fabric WLC can connect to other switches in the fabric using VXLAN tunnels.

31
Q

Which two SDA component roles can be combined on a single device in smaller networks?

A

Fabric Border Node & Control Plane Node

32
Q

In SD-Access, which protocols are responsible for the Data Plane, the Control Plane, and the Policy Plane?

A
  • Data: VXLAN
  • Control: LISP
  • Policy: CTS (Cisco TrustSec [ISE])
33
Q

What are the Cisco recommended **network layer** configurations for nodes running SD-Access?

A
  • Interior Gateway Protocol: IS-IS is preferred
  • Increase MTU by 50 Bytes
  • Layer 3 connectivity end-to-end
34
Q

What two engines does DNA Center run as the Control Node?

A
  • NCP: Network Control Platform (aka APIC-EM)
  • NDP: Network Data Platform
35
Q

What function does the NCP subsystem perform?

A

Automation of Underlay and Overlay Configurations

36
Q

What function does the NDP subsystem perform?

A

Network Assurance

37
Q

What are the 4 workflows in DNA Center configuration?

A

1) Design - network settings and profiles
2) Policy - ISE and Security
3) Provision - assign SDA roles
4) Assurance - network health

38
Q

When using LISP and VXLAN in an SD-Access deployment, what are the two interchangeable terms used for a network device ID?

A

VTEP - Virtual Tunnel Endpoint (VXLAN)
RLOC - Routing Locator (LISP)

39
Q

When applying CTS Policy to SD-Access, what are two types of segmentation that can be accomplished?

A

Micro-segmentation - blocking hosts on the **same subnet** from talking to each other.
Macro-segmentation - creation of Virtual Networks (VRFs).

40
Q

When creating virtual networks within a VXLAN deployment, which VXLAN field facilitates CTS policy across a virtual network?

A

The VXLAN VNID (Virtual Network Identifier)

41
Q

The 802.1X (TrustSec) acronym SGT was changed to mean something different for the purpose of use within SD-Access CTS. What was it changed to?

A

Changed from Security Group Tag to **Scalable** Group Tag

42
Q

The new VXLAN specification is now called what? How many SGT tags does it support?

A

VXLAN-GPO; up to 64,000 SGT Tags

43
Q

What are the new fields and sizes in a VXLAN-GPO packet header?

A
  • Group Policy ID: 16 bits
  • Group Based Policy Extension: 1 bit
  • Don't Learn Bit (D Bit): 1 bit
  • Policy Applied Bit (A Bit): 1 bit
44
Q

What type of segmentation does SGT facilitate within SD-Access CTS Policy?

A

Micro-Segmentation

45
Q

Where is SD-Access CTS Policy defined?

A

It is defined inside of DNA Center, then passed to Cisco ISE

46
Q

When using a Fabric WLC in SD-Access, where do the control and data traffic traverse?

A
  • Control traffic goes over the CAPWAP tunnel
  • Data traffic goes over the VXLAN tunnel
47
Q

When roaming in a LISP (SDA) Fabric and a client roams to a new ETR, what does the "old" ETR do when it receives a packet from the ITR?

A

1) Tells the ITR to send a new map-request to the control node (aka Map Server)
2) Forwards the packet to the new ETR

NOTE: In this scenario a control node has already sent a map-register to the "old" ETR with the new location of the client...

48
Q

What is the difference between an External and Internal Border node in an SDA Fabric?

A
  • Internal Border nodes map-register IGP subnets to the Control Node
  • External Border node acts as the destination for all "unknown" destinations, like a Default Gateway
49
Q

Which Cisco 9k switches are designed to be a Core switch?

A

Catalyst 9500 and 9600

*In an SDA deployment these could also be a Fabric Border or Control Node

50
Q

Which Cisco 9k switches are designed to be a Fabric Edge switch?

A

Catalyst 9200, 9300 and 9400 - these were designed to replace the old 2k, 3k, and 4k access switches.

The 9500 is also capable of being a fabric edge node, although it is designed to be a core switch.

51
Q

Which Cisco routers are preferable for use in an SDA fabric?

A
  • ASR1000
  • ISRv (virtual)
  • CSRv (virtual/cloud)
52
Q

What two roles in an SDA Fabric would a Cisco router serve?

A
  • Control Node
  • Fabric Border Node
53
Q

What are the recommended models of Cisco devices for use as a Fabric WLC in an SDA deployment?

A
  • Catalyst 9800 WLC
  • Catalyst Embedded WLC (on Catalyst 9300 Switch)
  • Catalyst 9800-CL (cloud)
54
Q

What Cisco devices are recommended as Wireless APs in an SDA deployment?

A

Catalyst 9100 APs

55
Q

What piece of hardware is used to deploy the physical instance of DNA Center?

A

Cisco UCS M5 Server

NOTE: DNA Center recently became available as a Virtual Appliance

56
Q

What are the "Three A's" of SD-Access?

A
  • Automation
  • Analytics
  • Assurance
57
Q

What services does the DNA Center Analytics Engine provide for network engineers?

A
  • SNMP
  • Syslog
  • Netflow
  • Streaming Telemetry
58
Q

What new tool does SD-Access Assurance provide for network engineers?

A

Path Trace

59
Q

What communication protocol does ISE use to push policies to 3rd party devices such as third party firewalls and switches?

A

pxGrid - Platform Exchange Grid

60
Q

What Cisco products make up the Encrypted Traffic Analytics solution?

A
  • StealthWatch
  • ISE
  • Catalyst 9k devices (not 9200s)
61
Q

In an SD-Access environment, where do Anycast gateways get deployed?

A

On all Fabric Edge nodes

62
Q

In the Design workflow of DNA Center, what are the key elements you would configure?

A
  • The Network Hierarchy (Geographically)
  • Network Devices and settings
  • Image Repository
  • Network Profiles
  • Auth Templates
63
Q

In the Policy workflow of DNA Center, what are the key elements you would configure?

A
  • Virtual Networks
  • Group Based Access
  • IP Based Access
64
Q

What happens in the DNA Center Provisioning workflow?

A
  • Device Onboarding
  • Automated Underlay Configuration (if the devices support it)
65
Q

What information can DNA Center provide in the Assurance workflow?

A
  • Client Health
  • Connectivity data
  • Historical Network data
  • Detected Issues
  • AI suggested resolution steps