
SD-WAN & SD-Access Solutions

March 16th, 2020 in ENCOR 350-401

Quick summary:

Three major building blocks that make up SDA: the control plane, the data plane and the policy plane.

SD-Access
+ Control-Plane based on LISP
+ Data-Plane based on VXLAN
+ Policy-Plane based on TrustSec

Question 1

Explanation

There are five basic device roles in the fabric overlay:
+ Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for
the fabric overlay.
+ Fabric border node: This fabric device (for example, core layer device) connects external Layer 3 networks to the SDA fabric.
+ Fabric edge node: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric.
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric.
+ Intermediate nodes: These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services.

[Figure: SD-Access fabric device roles (SD_Access_Fabric.jpg)]

Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide

Question 2

Explanation

+ Orchestration plane (vBond) assists in securely onboarding the SD-WAN WAN Edge routers into the SD-WAN overlay (so answer A, which describes onboarding, is about vBond). The vBond controller, or orchestrator, authenticates and authorizes the SD-WAN components onto the network. It also takes on the added responsibility of distributing the list of vSmart and vManage controllers to the WAN Edge routers. vBond is the only device in SD-WAN that requires a public IP address, because it is the first point of contact and authentication for every SD-WAN component joining the SD-WAN fabric; all other components only need to know the vBond IP address or DNS name.

+ Management plane (vManage) is responsible for central configuration and monitoring. The vManage controller is the centralized network management system that provides a single-pane-of-glass GUI to deploy, configure, monitor and troubleshoot all Cisco SD-WAN components in the network (so answers C and D are about vManage).

+ Control plane (vSmart) builds and maintains the network topology and makes decisions on traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies and distributes data plane policies to network devices for enforcement (so answer B is about vSmart).

Question 3

Explanation

The southbound protocol used by APIC is OpFlex, which Cisco promotes as the protocol for policy enablement across physical and virtual switches.

Southbound interfaces are implemented with something called the Service Abstraction Layer (SAL), which talks to the network elements via SNMP and CLI.

Note: Cisco OpFlex is a southbound protocol in a software-defined network (SDN).

Question 4

Explanation

Today the Dynamic Network Architecture Software Defined Access (DNA-SDA) solution requires a fusion router to perform VRF route leaking between user VRFs and Shared Services, which may sit in the global routing table (GRT) or in another VRF. Shared Services may consist of DHCP, Domain Name System (DNS), Network Time Protocol (NTP), Wireless LAN Controller (WLC), Identity Services Engine (ISE) and DNAC components, which must be made available to the other virtual networks (VNs) in the campus.

Reference: https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/213525-sda-steps-to-configure-fusion-router.html

Question 5

Explanation

Fabric mode APs continue to support the same wireless media services that traditional APs support; apply AVC, quality of service (QoS), and other wireless policies; and establish the CAPWAP control plane to the fabric WLC. Fabric APs join as local-mode APs and must be directly connected to the fabric edge node switch to enable fabric registration events, including RLOC assignment via the fabric WLC. The fabric edge nodes use CDP to recognize APs as special wired hosts, applying special port configurations and assigning the APs to a unique overlay network within a common EID space across a fabric. The assignment allows management simplification by using a single subnet to cover the AP infrastructure at a fabric site.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-sdg-2019oct.html

Question 6

Explanation

The tunneling technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN). VXLAN encapsulation is UDP based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric. Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not. Using VXLAN allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) and the ability to operate over any IP-based network with built-in network segmentation (VRF instance/VN) and built-in group-based policy.

Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide
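The two explanations above (Question 1's EID-to-RLOC mapping and Question 6's VXLAN data plane) describe one data path: the edge node resolves the destination endpoint identifier to a routing locator, then wraps the original Ethernet frame in a VXLAN header that carries the VN (VNI) and the TrustSec group tag. The following Python is an added, constructed illustration of that path; it is not code from the Cert Guide or from any Cisco product. The VXLAN header layout follows RFC 7348, and the placement of the 16-bit group policy ID in the reserved bytes is assumed from the VXLAN Group Policy Option draft; the EID prefixes, RLOCs, MAC addresses, VNI and SGT values are all made up.

```python
import ipaddress
import struct

# Constants from RFC 7348 (VXLAN) and the VXLAN Group Policy Option draft.
VXLAN_UDP_PORT = 4789
FLAG_VNI_VALID = 0x08      # "I" bit: the VNI field carries a valid identifier
FLAG_GROUP_POLICY = 0x80   # "G" bit (GPO draft): 16-bit group policy ID present
ETHERTYPE_IPV4 = 0x0800


class MapCache:
    """Longest-prefix EID-to-RLOC lookup, standing in for the LISP map cache an
    edge node populates from the control plane node (constructed example)."""

    def __init__(self):
        self._entries = []  # (eid_prefix, rloc), sorted longest prefix first

    def register(self, eid_prefix, rloc):
        self._entries.append((ipaddress.ip_network(eid_prefix),
                              ipaddress.ip_address(rloc)))
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def resolve(self, eid):
        addr = ipaddress.ip_address(eid)
        for prefix, rloc in self._entries:
            if addr in prefix:
                return rloc
        return None  # unknown EID: a real edge node would issue a Map-Request


def build_vxlan_header(vni, group_id=0):
    """8-byte VXLAN header: flags, reserved, group policy ID, 24-bit VNI, reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= group_id < (1 << 16):
        raise ValueError("group policy ID must fit in 16 bits")
    flags = FLAG_VNI_VALID | (FLAG_GROUP_POLICY if group_id else 0)
    return struct.pack("!BBHI", flags, 0, group_id, vni << 8)


def parse_vxlan_header(header):
    """Decode the header; the group ID is only meaningful when the G bit is set."""
    flags, _reserved, group_id, vni_and_reserved = struct.unpack("!BBHI", header[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    return {
        "vni": vni_and_reserved >> 8,
        "group_id": group_id if flags & FLAG_GROUP_POLICY else None,
    }


def ethernet_frame(dst_mac, src_mac, payload):
    """Constructed inner frame: 14-byte Ethernet header followed by a payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + payload


def fabric_forward(map_cache, inner_frame, dst_eid, vni, sgt=0):
    """Edge-node behaviour: resolve the destination EID to an RLOC (outer IP
    destination), then wrap the whole Ethernet frame (MAC-in-IP) in a VXLAN
    header that carries the virtual network (VNI) and the group tag (SGT)."""
    rloc = map_cache.resolve(dst_eid)
    if rloc is None:
        raise LookupError(f"no RLOC known for EID {dst_eid}")
    return {
        "outer_dst": str(rloc),
        "udp_dst_port": VXLAN_UDP_PORT,
        "packet": build_vxlan_header(vni, sgt) + inner_frame,
    }


def decapsulate(packet):
    """Remote edge node: strip the VXLAN header and recover the original frame,
    including its MAC addresses, which a LISP data-plane header would not carry."""
    info = parse_vxlan_header(packet[:8])
    inner = packet[8:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:14])
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    info.update({"inner_dst_mac": fmt(dst_mac), "inner_src_mac": fmt(src_mac),
                 "ethertype": ethertype, "payload": inner[14:]})
    return info


if __name__ == "__main__":
    cache = MapCache()
    cache.register("10.1.0.0/16", "192.0.2.1")    # constructed EID prefixes and RLOCs
    cache.register("10.1.20.0/24", "192.0.2.2")
    frame = ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"hello")
    out = fabric_forward(cache, frame, "10.1.20.7", vni=4099, sgt=17)
    print(out["outer_dst"], out["packet"][:8].hex())
    print(decapsulate(out["packet"]))
```

Running the script shows the outer destination chosen by the longest-prefix match (the /24 wins over the /16) and a header of `8800001100100300`: G and I bits set, SGT 17, VNI 4099. Decapsulation returns the original source and destination MACs intact, which is the property the explanation relies on when it says VXLAN, unlike LISP encapsulation, supports Layer 2 overlays; the VNI and SGT fields are what give the fabric its built-in segmentation and group-based policy.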

Question 7

Explanation

Access Points
+ AP is directly connected to FE (or to an extended node switch)
+ AP is part of Fabric overlay

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKEWN-2020.pdf

Question 8

Explanation

The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).

+ vManage – This centralized network management system provides a GUI interface to easily monitor, configure, and maintain all Cisco SD-WAN devices and links in the underlay and overlay network.

+ vSmart controller – This software-based component is responsible for the centralized control plane of the SD-WAN network. It establishes a secure connection to each vEdge router and distributes routes and policy information via the Overlay Management Protocol (OMP), acting as a route reflector. It also orchestrates the secure data plane connectivity between the vEdge routers by distributing crypto key information, allowing for a very scalable, IKE-less architecture.

+ vBond orchestrator – This software-based component performs the initial authentication of vEdge devices and orchestrates vSmart and vEdge connectivity. It also has an important role in enabling the communication of devices that sit behind Network Address Translation (NAT).

+ vEdge router – This device, available as either a hardware appliance or software-based router, sits at a physical site or in the cloud and provides secure data plane connectivity among the sites over one or more WAN transports. It is responsible for traffic forwarding, security, encryption, Quality of Service (QoS), routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), and more.

Reference: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Design-2018OCT.pdf

Comments
  1. Ciscolad
    March 18th, 2020

    Question 7

    Which description of an SD-Access wireless network infrastructure deployment is true?
    A. The access point is part of the fabric underlay
    B. The WLC is part of the fabric underlay
    C. The access point is part of the fabric overlay
    D. The wireless client is part of the fabric overlay

    Should be C. The access point is part of the fabric overlay? Correct?

  2. brad
    March 19th, 2020

    I don’t think so; an AP can’t be part of the overlay.
    Take a look at the OCG. You have to study all the topics before ….

  3. brad
    March 19th, 2020

    Sorry Ciscolad,

    I think you are right: Access Points
    + AP is directly connected to FE (or to an extended node switch)
    + AP is part of Fabric overlay
    + AP belongs to the INFRA_VN which is mapped to the global routing table (new in DNAC 1.1)
    + AP joins the WLC in Local mode

  4. Suho
    April 20th, 2020

    Which action is the vSmart controller responsible for in an SD-WAN deployment?
    A. onboard vEdge nodes into the SD-WAN fabric
    B. distribute security information for tunnel establishment between vEdge routers
    C. manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric
    D. gather telemetry data from vEdge routers

    Is answer A right? It looks a bit strange… What does it mean?

  5. ida
    April 24th, 2020

    Which action is the vSmart controller responsible for in an SD-WAN deployment?
    A. onboard vEdge nodes into the SD-WAN fabric
    B. distribute security information for tunnel establishment between vEdge routers
    C. manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric
    D. gather telemetry data from vEdge routers

    B is right

  6. MG
    May 9th, 2020

    Which action is the vSmart controller responsible for in an SD-WAN deployment?
    A. onboard vEdge nodes into the SD-WAN fabric
    B. distribute security information for tunnel establishment between vEdge routers
    C. manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric
    D. gather telemetry data from vEdge routers

    B is right
    *******
    vSmart controller – This software-based component is responsible for the centralized control plane of the SD-WAN network. It establishes a secure connection to each vEdge router and distributes routes and policy information via the Overlay Management Protocol (OMP), acting as a route reflector.

  7. Chan
    May 15th, 2020

    A. vBond
    B. vSmart
    C+D. vManage

  8. Rohl
    May 24th, 2020

    Does anyone have SD-WAN (300-415) dumps?

  9. randy227
    May 25th, 2020

    Which statement about a Cisco APIC controller versus a more traditional SDN controller is true?
    A. APIC uses a policy agent to translate policies into instructions
    B. APIC supports OpFlex as a Northbound protocol
    C. APIC does support a Southbound REST API
    D. APIC uses an imperative model

    I think it’s “A” but not completely sure. I don’t think it’s “B” because Cisco OpFlex is a southbound protocol in a software-defined network (SDN). Is this correct?

  10. Savy
    June 1st, 2020

    Dear all friends/brothers,
    Did anyone have the ENCOR (300-415) exam in the last few days? Do they have new questions?
    Please kindly feel free to share with me, because I will take the exam in the next few days. Big thank you in advance.

  11. Heamgu
    June 10th, 2020

    I don’t think question #2 is the B. For me the best answer for this question is the A.
    This is the reason:

    The major components of the vBond orchestrator are:
    Control plane connection—Each vBond orchestrator has a persistent control plane connection in the form of a DTLS tunnel with each vSmart controller in its domain. In addition, the vBond orchestrator uses DTLS connections to communicate with vEdge routers when they come online, to authenticate the router, and to facilitate the router’s ability to join the network. Basic authentication of a vEdge router is done using certificates and RSA cryptography.

    Authentication—The vSmart controller has pre-installed credentials that allow it to authenticate every new vEdge router that comes online. These credentials ensure that only authenticated devices are allowed access to the network.

    Source: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/system-overview.html

  12. RON BERSERKER
    June 11th, 2020

    Q2
    The vBond orchestrator orchestrates the initial control connection between vSmart controllers and vEdge routers. It creates DTLS tunnels to the vSmart controllers and vEdge routers to authenticate each node that is requesting control plane connectivity. This authentication behavior assures that only valid customer nodes can participate in the Cisco SD-WAN overlay network. The DTLS connections with vSmart controllers are permanent so that the vBond controller can inform the vSmart controllers as vEdge routers join the network. The DTLS connections with vEdge routers are temporary; once the vBond orchestrator has matched a vEdge router with a vSmart controller, there is no need for the vBond orchestrator and the vEdge router to communicate with each other.

    That means that the tunnel between vBond and vEdges is just for authentication (Onboard vEdge nodes), after that the tunnel is ended. So I think answer A is for vBond.

    Source: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/system-overview.html

  13. Sandeep Singh
    June 23rd, 2020
  14. Darkcom
    June 29th, 2020

    Hi guys,

    Does the ENCOR exam not have any labs?

  15. Pawan
    July 9th, 2020

    Can anyone help me with the questions? Thank You.

  16. Slon
    September 11th, 2020

    Where can I find the questions?

  17. wallyelder
    November 25th, 2020

    I am so satisfied. My English is poor, sorry :). Thx for approving my user. Greetings, wally
