28. Examining the Cisco SD-Access Solution


T/F: Multiple overlay networks can run across the same underlay.

True; Multiple overlay networks can run across the same underlay network to support multitenancy through virtualization.

What feature creates an independent layer of trust between TrustSec devices?

TrustSec Network Device Admission Control

Describe a LISP proxy ITR.

A PITR is a LISP infrastructure device that provides connectivity between non-LISP sites and LISP sites by attracting non-LISP traffic that is destined to LISP sites and encapsulating this traffic to ETR devices that are deployed at LISP sites.

What is the DNA-C SDA four-step workflow?

-design
-policy
-provision
-assurance

What changes/stays the same when a device moves using LISP?

-device IP stays the same
-location ID changes

What fabric functions do edge nodes implement?

-endpoint registration
-mapping of user to virtual network
-anycast L3 gateway
-LISP forwarding
-VXLAN encapsulation and de-encapsulation

What are the steps in the AP SDA join process?

-fabric edge registers EID of AP
-AP joins WLC
-WLC checks if AP is fabric enabled
-if yes, WLC queries control node for AP fabric domain
-WLC performs L2 LISP registration for AP at the control node
-control node notifies fabric edge of AP and passes its metadata
-edge node processes information and creates VXLAN tunnel interface to the AP's IP address

What are the LISP infrastructure devices?

-map server
-map resolver
-proxy Ingress Tunnel Router (ITR)
-proxy Egress Tunnel Router (ETR)
-alternative topology (ALT)

What are the LISP host mobility deployment models?

-with extended subnet
-across subnets

What are the LISP Name Spaces? (two parts)

-EID
-RLOC

What are the benefits of VXLAN over VLAN?

-Flexible placement of multitenant segments throughout the data center
-VXLAN supports 16 million coexistent segments
-Better utilization of available network paths

What are the requirements for a Manual Underlay?

-IP reached from edge to edge, border, CP
-Can be Layer 2 or Layer 3 (Layer 3 recommended)
-Can be any IGP (IS-IS is recommended for scalability and integration with DNA Center)

What are the types of overlays?

-L2
-L3

What are the considerations for a Manual Underlay?

-MTU (fabric header adds 59 bytes)
-latency (RTT of 100 ms or less)

What are the considerations for a Manual Underlay?

-PnP pre-setup is required
-100% prescriptive (not custom)

What are the requirements for an Automated Underlay?

-Use standard PnP for bootstrap
-Assumes a new or erased configuration
-Uses a global "underlay" address pool

What functions do border nodes implement?

-advertise EID subnets
-fabric domain exit point
-mapping of LISP instance to VRF
-policy mapping

What are the benefits of SDA?

-centralized wireless control plane
-optimized distributed data plane
-seamless L2 roaming
-simplified guest mobility
-policy simplification
-segmentation made easy

What are the steps in SDA client onboarding?

-client authenticates with WLAN
-WLC gets SGT from ISE and updates the AP with VNID and SGT
-WLC proxy registers the client's SGT and VNID to control node
-control node notifies edge node of client MAC address and policy based on ISE and SGT
-client initiates DHCP request
-AP encapsulates request in VXLAN header with VNID
-edge node maps VNID to VLAN and forwards DHCP request
-client receives IP address from DHCP server
-DHCP snooping triggers client registration

What are the types of fabric nodes?

-control plane
-border
-edge
-intermediate

List all fabric device types.

-control plane node
-border node
-edge node
-fabric WLC
-fabric mode AP

What are the steps in the LISP packet flow?

1. endpoint performs DNS lookup
2. endpoint traffic goes through LISP ITR
3. ITR checks mapping entry to find destination RLOC (if unknown, sends map request to map resolver)
4. ITR performs IP-in-IP encapsulation and transmits data to ETR RLOC
5. ETR receives packet, de-encapsulates it, and forwards it to its final destination

What does Cisco TrustSec provide in SDA?

Cisco TrustSec provides software-defined segmentation that dynamically organizes endpoints into logical groups called security groups. Security groups, also known as scalable groups, are assigned based on business decisions using a richer context than an IP address.

What is at the heart of the automation of SDA?

DNA-C

Describe a LISP proxy ETR.

A PETR is a LISP infrastructure device that allows EIDs at LISP sites to successfully communicate with devices that are located at non-LISP sites.

What benefits does Cisco SD-Access provide?

-A transformational management solution that reduces operational expenses and enhances business agility.
-Consistent management of wired and wireless network provisioning and policy.
-Automated network segmentation and group-based policy.
-Contextual insights for fast issue resolution and capacity planning.
-Open and programmable interfaces for integration with third-party solutions.

Describe a LISP map resolver.

An MR is a LISP infrastructure device to which LISP site ITRs send LISP Map-Request queries when resolving EID-to-RLOC mappings.

Describe a LISP map server.

An MS is a LISP infrastructure device that LISP-site ETRs register their EID prefixes to. The MS stores registered EID prefixes in a mapping database where they are associated to RLOCs. All LISP sites use the LISP-mapping system to resolve EID-to-RLOC mappings.

Describe an SGT.

An SGT is a 16-bit value that Cisco ISE assigns to the user or endpoint's session upon login. The network infrastructure views the SGT as another attribute to assign to the session and inserts the Layer 2 tag to all traffic from that session.

Describe a LISP ALT.

An alternative topology, also known as ALT, is a device that you deploy to build out an overlay network that provides a mechanism for managing EID prefix aggregation. It advertises EID prefixes in an alternate BGP topology over GRE, including to the MR.

Describe an over-the-top design for unified wireless.

An over-the-top centralized design still provides IP address management, simplified configuration and troubleshooting, and roaming at scale.

How does VXLAN offer better network path utilization?

Because VLAN uses STP, which blocks the redundant paths in a network, you may end up not using half of the network links. VXLAN packets are transferred through the underlying network based on its Layer 3 header and can take complete advantage of Layer 3 routing, ECMP routing, and link aggregation protocols to use all available paths.

Describe fabric WLCs.

Both fabric WLCs and non-fabric WLCs provide AP image and configuration management, client session management, and mobility services. Fabric WLCs provide additional services for fabric integration by registering MAC addresses of wireless clients into the host tracking database.

What does Cisco SD-Access use for automation?

Cisco SD-Access uses the new Cisco Digital Network Architecture (DNA) Center that was built on the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) for end-to-end automation.

Describe the benefits of SDA.

-Centralized wireless control plane: The same innovative RF features that Cisco has today in Cisco Unified Wireless Network (CUWN) deployments will be used in SD-Access Wireless as well. Wireless operations stay the same as with CUWN in terms of RRM, client onboarding, client mobility, and so on, which simplifies IT adoption.
-Optimized distributed data plane: The data plane is distributed at the edge switches for optimal performance and scalability without the hassles usually associated with distributing traffic (spanning VLANs, subnetting, large broadcast domains, and so on).
-Seamless L2 roaming everywhere: SD-Access Fabric allows clients to roam seamlessly across the campus while retaining the same IP address.
-Simplified guest and mobility tunneling: An anchor WLC controller is not needed anymore, and the guest traffic can go directly to the DMZ without hopping through a foreign controller.
-Policy simplification: SD-Access breaks the dependencies between policy and network constructs (IP addresses and VLANs), simplifying the way you can define and implement policies for both wired and wireless clients.
-Segmentation made easy: Segmentation is carried end-to-end in the fabric and is hierarchical, based on Virtual Networks (VNIs) and Scalable Group Tags (SGTs). The same segmentation policy is applied to both wired and wireless users.

What is the SDA dashboard?

Cisco DNA controller

What does SD-access mark a transition to/from?

Cisco SD-Access fabric consists of an automatic physical underlay and a programmable overlay with constructs such as virtual networks and segments that can be further mapped to neighborhoods and groups of users. This new approach enables enterprise networks to transition from traditional VLAN-centric design architecture to a new user group-centric design architecture.

What are LISP site devices? What functions do LISP site devices perform?

-Ingress tunnel router: An ITR is a LISP site edge device that receives packets from site-facing interfaces (internal hosts) and encapsulates them to remote LISP sites, or natively forwards them to non-LISP sites.
-Egress tunnel router: An ETR is a LISP site edge device that receives packets from core-facing interfaces (the transport infrastructure), de-encapsulates LISP packets, and delivers them to local EIDs at the site.

Describe the steps in the DNA-C SDA workflow.

-Design: Configures device global settings, network site profiles for physical device inventory, DNS, DHCP, IP addressing, Software Image Management, plug-and-play, and user access.
-Policy: Defines business intent for provisioning into the network, including creation of virtual networks, assignment of endpoints to virtual networks, and policy contract definition for groups.
-Provision: Provisions devices for management and creates fabric domains, control plane nodes, border nodes, edge nodes, fabric wireless, Cisco Unified Wireless Network wireless, transit, and external connectivity.
-Assurance: Enables proactive monitoring and insights to confirm that user experience meets configured intent, using network, client, and application health dashboards, issue management, and sensor-driven testing.

How does dynamic SGT classification occur?

Dynamic classification occurs via an authentication sequence, via 802.1x, MAB, or web authentication. When the authentication is not available, static classification methods are necessary.

Describe L3 overlays.

Layer 3 overlays abstract IP-based connectivity from physical connectivity and allow multiple IP networks as parts of each virtual network.

Describe EID.

End-point Identifier (EID) Addresses: Consists of the IP addresses and prefixes identifying the end-points. EID reachability across LISP sites is achieved by resolving EID-to-RLOC mappings.

How can you enable VLAN-VXLAN connectivity? Why do you need to do this?

Legacy equipment does not support VXLAN, and therefore resides in a classical VLAN. Enable VLAN-VXLAN connectivity with a VXLAN L2 gateway.

What does a fabric enabled AP convert 802.11 traffic into?

A fabric-enabled AP converts 802.11 traffic to 802.3 and encapsulates it into VXLAN, encoding the virtual network ID and SGT information of the client.

Describe fabric in a box.

For sites where a single switch or switch stack (examples: Catalyst 9400, Catalyst 9300) is supporting all the Ethernet connectivity at that site, SD-Access is available without having to deploy separate devices for each fabric role.

What functions do control plane nodes enable?

-Host tracking database: The Host Tracking Database (HTDB) is a central repository of EID-to-fabric-edge node bindings.
-Map server: The LISP MS is used to populate the HTDB from registration messages from fabric edge devices.
-Map resolver: The LISP MR is used to respond to map queries from fabric edge devices requesting RLOC-mapping information for destination EIDs.

How does static SGT classification occur?

In static classification, you can map the tag to an IP address, subnet, VLAN, or interface rather than relying on an authorization from Cisco ISE.

What are the drawbacks of VLANs?

-Inefficient use of available network links
-Rigid requirements on device placement
-Limited scalability

Describe an edge node.

It identifies and authenticates the endpoints, and registers the endpoint ID information in the fabric host-tracking database; a fabric device (e.g. access or distribution) that connects wired endpoints to the SD-Access fabric.

Describe a border node.

It serves as the gateway between the fabric domain and the network outside of the fabric; a fabric device (e.g. core) that connects external L3 network(s) to the SD-Access fabric.

What overlay layers does VXLAN support?

L2 and L3

When is extended subnet LISP host mobility usually deployed?

LISP Host Mobility with an extended subnet is usually deployed when geo-clustering or live workload mobility is required between data center sites.

How do LISP devices allow for bidirectional flow?

LISP devices typically implement ITR and ETR functions at the same time to allow establishment of bidirectional flows. When this is indeed the case, the LISP devices are referred to as xTR.

What kind of tunneling does LISP use? Is it compatible with non-LISP sites?

LISP uses a dynamic tunneling encapsulation approach rather than requiring a pre-configuration of tunnel endpoints. It is designed to work in a multihoming environment, and it supports communications between LISP and non-LISP sites for interworking.

Describe an L2 overlay.

Layer 2 overlays emulate a LAN segment and can be used to transport IP and non-IP frames. Layer 2 overlays carry a single subnet over the Layer 3 underlay. Layer 2 overlays are useful in emulating physical topologies and are subject to Layer 2 flooding.

Define LISP.

Locator Identity Separation Protocol (LISP) is a protocol that enables separation of endpoint identification and its location. It is used as part of SDA.

Describe a control plane node.

A map system that manages endpoint ID to device relationships; it runs a host-tracking database to map location information.

What are the limitations of traditional networks (in terms of SDA)?

-Network operations can be extremely expensive, with approximately $60B spent on IT operations (in-house and outsourcing) annually.
-Network management is very time consuming; 95% of changes are manual in nature.
-90% of policy violations are due to human error.
-75% of operating expense is spent on network visibility and troubleshooting.

Do L3 overlays support overlapped IP address spaces?

Overlapping IP address space is supported across different Layer 3 overlays as long as the network virtualization is preserved outside of the fabric, using existing network virtualization functions, such as VRF-Lite and MPLS Layer 3VPN.

Which two LISP infrastructure components are required to support LISP-to-non-LISP interworking?

PITR, PETR

Describe RLOC.

Route Locator (RLOC) Addresses: Consists of the IP addresses and prefixes identifying the different routers in the IP network. Reachability within the RLOC space is achieved by traditional routing methods.

What are the overlay and underlay in SDA?

The campus fabric architecture enables the use of virtual networks (overlay networks) that are running on a physical network (underlay network) to create alternative topologies to connect devices.

What are fabric boundaries?

The fabric boundaries include borders for ingress and egress to a fabric, fabric edge switches for wired clients, and fabric APs for wireless clients.

Describe intermediate nodes.

The fabric intermediate nodes are part of the Layer 3 network that interconnects the edge nodes to the border nodes. In a three-tier campus design using a core, distribution, and access, the fabric intermediate nodes are the equivalent of the distribution switches.

Describe fabric mode APs.

The fabric mode APs are Cisco 802.11ac Wave 2 and Wave 1 APs associated with the fabric WLC that have been configured with one or more fabric-enabled SSIDs. Fabric mode APs continue to support the same 802.11ac wireless media services that traditional APs support; they apply AVC, quality of service (QoS), and other wireless policies, and establish the CAPWAP control plane to the fabric WLC.

What are the source and destination ports of VXLAN GPO?

The source port is a hash value that is created using the original source information and prevents polarization in the underlay. The destination port is always 4789.

What is recommended of the underlay to ensure performance, scalability, and HA?

Theoretically, any topology and routing protocol can be used, but the implementation of a well-designed Layer 3 foundation to the campus edge is highly recommended.

What does VXLAN use to map devices in local segments to VXLAN segments?

VTEP devices

Describe VTEP.

VTEP performs encapsulation and de-encapsulation of the Layer 2 traffic. Each VTEP has at least two interfaces: a switch interface on the local LAN segment and an IP interface in the transport IP network.

What is the latest version of VXLAN? What does it add? What are the headers?

VXLAN Group Policy Extension (GPO) is the latest version of VXLAN. It adds special fields in the header to carry the virtual network IDs and the SGTs. The outer part of the header consists of the IP and MAC addresses. It uses a UDP header with a source and destination port.

Where is CAPWAP used when WLCs and APs are fabric enabled?

When the WLC and APs are fabric enabled, CAPWAP is only used for the control plane data.

When might you use LISP Host Mobility across subnets?

You can generally use it in cold migration scenarios (such as fast bring-up of disaster recovery facilities in a timely manner, cloud bursting, or data center migration/consolidation).

What information does ISE provide to DNA-C to enable SDA?

authorization, authentication, groups, policies

In SDA, what protocols are the control, data, and policy planes based on?

-control = LISP
-data = VXLAN
-policy = TrustSec

What is the core principle that LISP host mobility is based on?

decoupling identity from topology

How can SGTs be assigned?

dynamically or statically

What fabric device applies all wireless-specific features like SSID policies, AVC, and QoS?

fabric enabled AP

What are the types of fabric underlay?

manual, automated

What routing model does LISP use?

map-and-encapsulate

How do DNAC and ISE integrate?

through PxGrid and REST APIs

How is network virtualization preserved outside of the fabric?

virtualization technologies like VRF-lite, MPLS VPN
