Chapter 3
24 Questions

Questions and Answers

What is the primary benefit of a centralized controller in software-defined networking (SDN)?

  • It enables faster data processing at the hardware level.
  • It eliminates the need for any configuration changes.
  • It allows for a comprehensive view and management of the entire network. (correct)
  • It simplifies the installation process of network devices.

Which plane in traditional networking is responsible for forwarding data between interfaces?

  • The Management Plane
  • The Data Plane (correct)
  • The Network Plane
  • The Control Plane

What key role does the Management Plane play in traditional networking?

  • Responsible for configuration and monitoring. (correct)
  • Processes the data packets for forwarding.
  • Handles routing information between devices.
  • Calculates performance metrics for the network.

In the context of network function virtualization (NFV), what does the term 'MANO' represent?

  • Management and Orchestration (A)

How does intent-based networking enhance traditional network management?

  • By translating business objectives into network policies. (C)

Which of the following is NOT a function of the Control Plane in traditional networking?

  • Forwarding data between network interfaces. (B)

Which feature distinguishes software-defined networking from traditional networking?

  • Decoupling control from forwarding functions. (D)

What is a major challenge that software-defined networking addresses in modern networks?

  • Minimizing the impact of network downtime. (B)

What type of IP protocol does GENEVE utilize?

  • Any supported IP protocol (D)

What is the key advantage of micro-segmentation over traditional VLAN segmentation?

  • It allows communication across different data centers. (D)

Which project is specifically designed to provide policy-based micro-segmentation for containers?

  • Contiv (B)

Which of the following is NOT a role that Open vSwitch (OVS) plays in network management?

  • Implements packet-filtering firewalls (A)

What does the zero-trust model in micro-segmentation imply?

  • Communications require explicit policy definitions. (D)

Which of the following best describes the primary function of OpenStack Neutron?

  • It provides networking-as-a-service in cloud platforms. (C)

In the context of network function virtualization (NFV), what is the significance of the Open Platform for Network Function Virtualization (OPNFV)?

  • It fosters the development and adoption of NFV technologies. (A)

What is one of the main challenges addressed by the advancements in micro-segmentation?

  • Need for applications to move seamlessly across servers. (A)

What is the primary role of the APIC in Cisco ACI?

  • To distribute policy-based configurations (D)

Which of the following describes the topology used in Cisco ACI?

  • Leaf-and-spine topology with no interconnections between leaf or spine switches (B)

What is the function of VXLAN in modern networks?

  • Encapsulating Layer 2 Ethernet frames within UDP packets (C)

Which technology is NOT a method for implementing overlay networks?

  • ARP (A)

Which statement best describes the relationship between leaf and spine switches in a Cisco ACI environment?

  • Leaf switches connect to all spine switches without interconnections between themselves. (B)

What type of encapsulation does NVGRE use?

  • GRE packets (D)

What is a primary benefit of using an overlay networking model?

  • Segregation of network traffic into segments while maintaining communication (B)

Which of the following technologies allows for highly flexible encapsulation of Layer 2 Ethernet frames?

  • GENEVE (C)

Flashcards

Software-Defined Networking (SDN)

A networking approach that decouples the control function from the forwarding function, allowing centralized management of network infrastructure via software.

Centralized Controller (SDN)

A single point in an SDN network that manages the entire network infrastructure, calculating routes and pushing configurations to network devices.

Traditional Networking Planes

The three distinct components (Management, Control, and Data) in traditional networks that enable network devices to operate.

Management Plane (traditional)

The plane responsible for configuring and monitoring network devices, typically via CLI or GUI.

Control Plane (traditional)

The plane responsible for managing network protocols (Layer 2 & 3) like spanning tree, OSPF, RIP, and BGP for network operations.

Data Plane (traditional)

The plane responsible for forwarding data packets between network interfaces.

Decoupled Control and Data Planes (SDN)

In Software Defined Networking, the control plane is separated from the data plane, enabling central control of the network by separating routing calculations from actual data forwarding.

Traditional Configuration (Network)

Individual devices manage their own configurations in traditional networks. Each device is a small computer on its own.

Micro-segmentation

A network security approach that controls network traffic at the individual VM or container level, regardless of VLAN or subnet, using a zero trust model.

Traditional Segmentation

Network segmentation using VLANs and subnets, often restricted within a data center.

Zero-Trust Model

A security model where no communication is permitted without an explicitly defined policy.

OpenStack Neutron

Networking component of OpenStack, an open-source cloud computing platform, providing network-as-a-service.

Open vSwitch (OVS)

An open-source virtual switch used in hypervisors, enabling a virtualized networking layer for SDN and cloud environments.

Open Virtual Network (OVN)

A virtualized network solution built for increased scalability and performance in Software Defined Networking (SDN).

OpenDaylight (ODL)

An open-source SDN controller platform used to manage various vendors and devices together.

Contiv

An open-source project for policy-based micro-segmentation, focusing on containers and including routing capabilities.

Cisco ACI

A network automation solution that simplifies configuring and managing modern networks with a flexible, scalable approach using leaf-and-spine topology.

Leaf Switch

Connects to traditional Ethernet devices like servers, firewalls, and routers; usually located at the edge of the fabric and provides the VXLAN tunnel endpoint or VTEP function.

Spine Switch

Connects to all leaf switches; no interconnection between spine switches.

APIC

The central controller in Cisco ACI; manages the distributed policy repository, topology, and inventory of devices.

VXLAN

A virtualization technology that encapsulates Layer 2 Ethernet frames within UDP packets for network segmentation and encapsulation.

Overlay Network

Allows traffic encapsulation and tunneling over an underlying Layer 3 network; separates network traffic segments.

Leaf-and-Spine Topology

A network architecture where leaf switches connect to every spine switch, with no interconnection between leaf switches or spine switches. Leaf switches are at the edge; spine switches connect them to each other.

Network Automation

Automating the configuration and management of networking equipment.

Study Notes

Software-Defined Networking (SDN) and SDN Security

  • SDN decouples control from forwarding functions in networking equipment
  • Software centrally manages and programs hardware for forwarding
  • SDN security concepts include centralized policy management and micro-segmentation
  • SDN solutions like Cisco ACI and Cisco DNA are introduced
  • Network overlays are discussed, along with their purpose

Network Programmability

  • Networks are managed through modern APIs and other functions
  • The chapter covers SCOR 350-701 exam objectives, specifically Domain 1: Security Concepts, including explaining northbound and southbound APIs and Cisco DNA Center (DNAC) APIs.
  • The "Do I Know This Already?" quiz helps gauge student understanding.
  • Key topics are mapped to quiz questions in Table 3-1

Traditional Networking Planes

  • Traditional networking has management, control, and data planes
  • Management plane handles configuration and monitoring (CLI or GUI)
  • Control plane uses Layer 2 and 3 protocols (e.g., OSPF, RIP, BGP)
  • Data plane forwards data between interfaces

So What's Different with SDN?

  • Software centralizes control for the network infrastructure.
  • SDN controllers provide a global view of the network, simplifying management.
  • The SDN controller calculates reachability across the network and drives the resulting forwarding changes
  • Open vSwitch (OVS) and Cisco Application Policy Infrastructure Controller are examples of SDN controllers.

Introduction to the Cisco ACI Solution

  • Cisco ACI provides centralized policy and configuration management
  • Cisco ACI uses a leaf-and-spine topology
  • Leaf switches connect to spine switches in the network
  • Leaf switches act as virtual extensible LAN (VXLAN) tunnel endpoints (VTEPs)
  • VXLAN virtualizes networks through encapsulation.

Micro-segmentation

  • Traditional segmentation using VLANs is less effective for modern traffic patterns ("East-West" traffic)
  • Micro-segmentation is needed to segment application traffic in virtual and distributed environments
  • Application segmentation and policies are independent of their network location
  • Containers and virtualized networks require different segmentation approaches.

Open-Source Initiatives

  • Several open-source projects aim at modern networking benefits (e.g., Neutron from OpenStack, Open vSwitch (OVS), Open Virtual Network (OVN), OpenDaylight (ODL), Open Platform for Network Function Virtualization (OPNFV), Contiv)

Network Function Virtualization (NFV)

  • NFV virtualizes network functions like firewalls and routers into VMs.
  • NFV uses a hypervisor for isolation, a virtual forwarder, and a network controller.
  • OPNFV is an open-source framework for deploying NFV solutions

Cisco DNA Center

  • Cisco DNA is an intent-based networking solution for campus, WAN, and branch networks
  • Cisco DNA Center provides policy, automation, and analytics capabilities.
  • Cisco DNA Center integrates with external services like Cisco ISE for user authentication and authorization.

Cisco DNA Policies

  • Cisco DNA Center enables group-based access control policies, IP-based access control policies, application access control policies, and traffic copy policies.
  • Key performance indicators (KPIs) are provided from Cisco DNA Center reports for management

Cisco DNA Center Assurance Solution

  • Cisco DNA Center Assurance provides network insights via historical, real-time, and predictive analysis.
  • The solution focuses on automating network troubleshooting and reducing delays.
  • The solution can configure sensors for wireless network health monitoring

Cisco DNA Center APIs

  • Cisco DNA Center APIs are RESTful APIs providing policy-based abstraction for business intent.
  • API use focuses on outcomes instead of implementing intricate configurations.
  • API integrations manage non-Cisco devices via an SDK for device packages.

Modern Programming Languages and Tools

  • Modern programming languages (e.g., Python, JavaScript, Go, Swift) are flexible and easier to learn
  • Python is a recommended language for network programmability in general.
  • Python's requests library simplifies making HTTP/HTTPS requests to APIs

Network Device APIs

  • Network devices offer APIs for configuration, status, and troubleshooting
  • Examples include APIs for handling credentials, network devices, and interface details
  • Accessing APIs requires proper authentication

NETCONF

  • NETCONF (Network Configuration Protocol) uses an XML-based structure for communication.
  • A NETCONF client typically is the network management application
  • A NETCONF server is the managed device

RESTCONF

  • RESTCONF is a REST variant of NETCONF.
  • Follows REST principles yet keeps some server state.
  • Standardized requests (GET, PUT, POST, PATCH, DELETE) make it quick and easy.

OpenConfig and gNMI

  • OpenConfig provides vendor-neutral data models using YANG for network devices
  • gNMI (gRPC Network Management Interface) is the protocol used
  • gNMI uses YANG models to describe network features such as configuration, status, and network events.
