Software-Defined Networking (SDN) Explained

Questions and Answers

Software-defined networking (SDN), software-defined LAN (SD-LAN), and software-defined access are all examples of software-defined technologies.

False (B)

The data plane in traditional networking devices is responsible for running algorithms to populate forwarding tables.

False (B)

In traditional networking, the control plane is centralized, allowing for easier management and updates.

False (B)

The southbound interface (SBI) is used for communication between the administrator and the networking devices.

False (B)

OpenFlow is an example of a Northbound Interface (NBI) used in SDN architectures.

False (B)

Northbound interfaces (NBIs) commonly utilize SOAP APIs, leveraging XML for data formatting.

False (B)

Cisco's Application Policy Infrastructure Controller (APIC) is used as the SDN controller within the enterprise network.

False (B)

Cisco DNA Center proactively detects network issues and recommends remediation steps based on a built-in Cisco TAC knowledge base.

True (A)

Traditional WANs always require internet access to be backhauled through a central data center, regardless of application needs.

False (B)

In SD-WAN, the underlay network is a virtual topology built on top of the physical infrastructure, providing secure tunnels for data transmission.

False (B)

vBond is responsible for enforcing policies and distributing route information in a Cisco SD-WAN environment.

False (B)

In a Cisco SD-WAN implementation, vManage provides the GUI for configuring and monitoring the SD-WAN environment.

True (A)

In SD-WAN, edge routers exclusively exist as hardware appliances and cannot be virtualized.

False (B)

SD Access relies on IP address-based Access Control Lists (ACLs) for policy enforcement, similar to traditional network access control methods.

False (B)

In traditional ACLs, a user retains network access permissions even after changing their IP address.

False (B)

In SD Access, a user's network access rights are dynamically managed based on their location within the network.

False (B)

In SD Access, Cisco DNA Center resides in the network layer managing the physical underlay network and the virtualized overlay network.

False (B)

The SD Access overlay network, also known as the virtual fabric, operates independently of the physical network infrastructure.

True (A)

Flashcards

Software-Defined Networking (SDN)

Networking where software manages and automates network resources.

Data Plane

The part of a network device that forwards data packets.

Control Plane

The part of a network device that makes decisions about how to forward traffic.

Management Plane

The interface used by administrators to configure and manage a network device.

Southbound Interface (SBI)

An API used for communication between an SDN controller and network devices.

Northbound Interface (NBI)

An API used for communication between applications and an SDN controller.

Cisco APIC

Cisco's SDN controller for data centers, part of ACI.

Cisco DNA Center

Cisco's SDN controller for enterprise networks, enabling intent-based networking.

SD-WAN Overlay Network

A virtual network topology built on top of the physical network infrastructure.

vManage Function

vManage provides the interface for configuration in Cisco SD-WAN.

vBond Function

vBond discovers the physical network and enables zero-touch provisioning.

vSmart Function

vSmart enforces policies and distributes route information using OMP.

SD-WAN Edge Routers

They forward traffic in the data plane; can be physical or virtual.

SD Access Identity

SD Access identifies users based on their identity instead of their IP address.

SD Access Security Groups

Managing access using security groups rather than IP addresses.

Cisco DNA Center Role

It sends instructions to devices using southbound APIs.

Cisco ISE Role

It grants permissions for different identities in SD Access.

SD Access Physical Layer

The actual infrastructure devices like routers, switches, and wireless LAN controllers.

Study Notes

Software-Defined Technologies Overview

  • Software-defined technologies include software-defined networking (SDN), software-defined WAN (SD-WAN), and software-defined access

Software-Defined Networking (SDN)

Traditional Networking Planes

  • Traditional networking devices like routers and switches have three planes of operation:
    • Data plane focuses on forwarding frames or packets as quickly as possible
    • Control plane runs algorithms (e.g., OSPF on routers, spanning tree protocol on switches) to populate forwarding tables
    • Management plane is the interface used by administrators for configuration (e.g., SSH)

Distributed vs. Centralized Control Plane

  • Traditional networking uses a distributed control plane, where each device has its own control plane
  • SDN can centralize control planes within an SDN controller
  • The SDN controller manages the algorithms and configurations, pushing updates to devices

Southbound Interface (SBI)

  • Communication between the SDN controller and the devices uses an application programming interface (API)
  • The API from the controller to the device is called a southbound interface (SBI)
  • Examples of SBIs include OpenFlow and Cisco's proprietary OpFlex

Northbound Interface (NBI)

  • Administrators express their intent (e.g., traffic treatment, security levels) through an application that communicates with the controller
  • The application uses a northbound interface (NBI) to talk to the controller
  • NBIs use REST APIs (Representational State Transfer), which employ HTTP verbs to send and retrieve information
  • Data exchanged via REST APIs is often formatted in JSON (JavaScript Object Notation)

Cisco SDN Solutions

  • Cisco SDN controllers may or may not use a centralized control plane, depending on the setup
  • Data Center: Cisco Application Policy Infrastructure Controller (APIC), part of Application Centric Infrastructure (ACI), is the SDN controller
  • Enterprise Network: Cisco DNA Center (Digital Network Architecture) enables intent-based networking

Cisco DNA Center Capabilities

  • Network design: Draw topologies, pre-configure devices for plug-and-play deployment
  • Day-to-day configuration: Manage configurations via Cisco DNA Center
  • Troubleshooting and monitoring: Proactive issue detection with recommended remediation steps from a built-in Cisco TAC knowledge base
  • Platform support: Allows for writing applications to interact with Cisco DNA Center programmatically using APIs

Software-Defined WAN (SD-WAN)

Traditional WAN Limitations

  • Traditional WANs use technologies like MPLS or Metro Ethernet for predictable performance
  • Internet access may require backhauling through headquarters, causing inefficiency

SD-WAN Benefits

  • SD-WAN addresses the migration of applications to the cloud (e.g., AWS, Azure, Google Cloud, Microsoft Office)
  • SD-WAN allows remote sites to directly access the internet without backhauling
  • SD-WAN supports various WAN connections like cellular, Metro Ethernet, cable modem, and MPLS

Overlay Network

  • SD-WAN creates a virtual topology (overlay network) on top of the physical infrastructure (underlay network)
  • Virtual secured tunnels are established through the WAN, with control plane functions centralized in the SD-WAN controller

Cisco SD-WAN (Viptela)

  • Cisco acquired Viptela in 2017, using their technology for SD-WAN solutions
  • SD-WAN components are organized into layers: data plane, control plane, and management/orchestration planes

SD-WAN Components and Their Functions

  • vManage provides the interface for configuration
  • vBond discovers the physical network and enables zero-touch provisioning
  • vSmart enforces policies and distributes route information using the Overlay Management Protocol (OMP)
  • Edge Routers forward traffic in the data plane and can be physical (Viptela vEdge) or virtual (Cisco CSR 1000V, vEdge Cloud Router)

SD-WAN Implementation Example

  • A topology includes a main campus, branch locations, and physical/cloud data centers connected via various WAN technologies
  • Cisco vEdge routers at each location communicate securely over dynamically formed IPsec tunnels, forming the data plane
  • Control elements (vManage, vBond, vSmart) connect to edge routers for provisioning and configuration

vManage Interface

  • Cisco provides a read-only vManage interface for exploration via their dCloud service
  • The demo includes vSmart devices, WAN edge routers, vBond devices, and a vManage instance
  • It allows inspection of monitoring tools

Software-Defined Access (SD Access)

Function and Features

  • SD Access is a next-generation policy enforcement solution
  • It is considered an advancement or replacement for traditional access control lists (ACLs)
  • It utilizes security group ACLs instead of IP address-based ACLs
  • SD Access identifies users based on their identity defined on Cisco Identity Services Engine (ISE), not their IP address

Virtualization

  • Multiple virtual networks can share the same physical network with different policies

Comparison with Traditional ACLs

  • Traditional ACLs require manual configuration of access rules based on IP addresses and TCP ports

Traditional ACL Limitations

  • If a user changes their IP address by moving to a different subnet, the ACL rule becomes ineffective
  • Traditional Access Control Lists (ACLs) can be limiting in today's mobile workforce because granting or denying access based on ACLs becomes difficult

Software-Defined Access (SD Access)

  • SD Access uses security groups to manage access
  • A security group, like "IT," can contain members such as "Kevin" and "Charles"
  • Cisco Identity Services Engine (ISE) defines the identity of each member
  • Instead of traditional ACLs based on IP addresses, SD Access uses security group ACLs
  • A security group ACL might permit the "IT" security group to access a specific server on a specific port
  • For example, if "Kevin" is a member of the "IT" group, he is permitted to access the server
  • Using SD Access, a user retains their permissions regardless of their location within the network
  • If Kevin moves his device to another location, his "Kevin" identity persists, and so does his access to the server

SD Access Solution Layers

  • Physical Layer:
    • This consists of the actual infrastructure devices like routers, switches, and wireless LAN controllers
  • Network Layer:
    • This contains the physical underlay network and the virtualized overlay network
    • The SD Access overlay network can be referred to as a virtual fabric
  • Controller Layer:
    • Houses Cisco DNA Center, which sends instructions to devices using southbound APIs
    • Cisco ISE resides here, granting permissions for different identities
  • Management Layer:
    • Managed through the GUI of Cisco DNA Center

Quiz Team

Description

Understand software-defined technologies including SDN, SD-WAN, and SD Access. Learn about the traditional networking planes: data, control, and management. Explore the differences between distributed and centralized control planes in SDN.
