Software-defined networking (SDN) is a network architecture that uses software to control and manage network traffic and resources. It separates the control plane from the data plane, allowing for centralized management and automation of network devices. This enables flexibility, programmability, and agility in network configuration and management.
SDN also divides the network into two parts: the underlay and the overlay.
Software Defined Network
SDN
Polls the network devices using SNMP so it can pinpoint misbehaving devices. Performance stats such as ICMP response times are tracked.
Network Monitoring System
NMS
Stores, compares and pushes configurations; also allows you to search through a config.
Network Configuration Managers
NCMs
SNMP, HTTP, HTTPS, Telnet, SSH and also the console, aux and management ports are all considered part of the management plane.
Controls everything about logging into a router.
Management Plane of a NE
Considered the brains of the NE, where all the protocols run and decisions are made.
ACLs and NAT (deciding whether the packet needs its SA or DA changed), routing protocols (including forming adjacencies).
ARP, STP, VTP, MAC address tables on switches, QoS and CDP/LLDP.
Control Plane of NE
Considered the workhorse.
Encapsulation, de-encapsulation, adding and removing packet headers, as well as the actual dropping of packets that hit a deny statement in an ACL.
Even the actual forwarding, where the packet moves from the inbound to the outbound interface.
Data Plane of a NE
Similar to the management plane in traditional networks: the method used to gain access to the SDN solution via the Northbound Interface (NBI).
We can create VLANs, get a list of network devices and poll the network through the NBI.
North Bound Interface (NBI)
How the SDN talks to the network devices. There are many different products, and which one is used depends on the solution chosen.
South Bound Interfaces (SBI)
A Southbound Interface protocol.
Industry-standard API defined by the ONF (opennetworking.org). It configures non-proprietary, white-label switches and determines the flow path through the network. All config is done via NETCONF; OpenFlow first sends detailed and complex instructions to the control plane of the NE in order to implement a new application policy. This is referred to as an imperative SDN model.
OpenFlow
Network Configuration Protocol (NETCONF) is an XML-based network management protocol used to install, manipulate, and delete the configuration of network devices. It provides a mechanism for network devices to communicate configuration data and supports complex transactions for reliable configuration changes.
Not supported by all devices, though it has been standardized by the IETF.
DNA Center uses NETCONF.
NETCONF
Cisco-proprietary SBI that allows you to inspect or modify the NE configuration without hardware upgrades. It makes life easier for developers by providing software development kits for Java, C and Python. onePK is now legacy but is still found in the real world.
onePK
Southbound API used by Cisco ACI (Application Centric Infrastructure). In other words, OpFlex is used in Cisco data centers.
OpFlex uses a declarative SDN model because the controller, which Cisco calls the APIC (Application Policy Infrastructure Controller), sends a more abstract, summary policy to the network element.
OpFlex
Cisco’s Data Center focused SDN solution.
Cisco ACI (Application Centric Infrastructure)
Cisco ACI
Cisco APIC-EM
Cisco's first attempt at an SDN controller; it is considered legacy and was replaced by DNA Center.
Cisco's main Enterprise SDN controller.
One-stop shop for managing network and troubleshooting needs.
It has an NMS and an NCM and also acts as an SDN controller. It is fully capable of building out underlay and overlay networks in order to support CSDA (Cisco's Software Defined Access).
Network Hierarchy and Template features. It is able to push upgrades.
Also has a Topology feature where it attempts to map out the network.
Able to discover NEs.
Cisco DNA-Center
Brings the benefits of the SDN to the WAN. This is important to CCNPs.
Cisco SD-WAN
Also called ODL.
A popular open-source OpenFlow controller.
Cisco does offer a little OpenFlow support, but Cisco definitely prefers its own SDN solution due to OpenFlow limitations.
Open Daylight
All endpoints connect to the access layer switch, where the VLANs are assigned. Port-level features like port security or 802.1X are applied at this layer. Usually cheaper layer 2 switches are used here.
Access layer switch
Hosts all the SVIs (a switch virtual interface represents a logical layer-3 interface on a switch) and provides the IP-based services the network needs, like DHCP relay. The distribution switches use layer 2 interfaces towards the access layer switches to terminate the VLANs, plus layer 3 interfaces to connect to the core switches.
Distribution layer switch
Switch whose only job is to provide high-speed routing between distribution switches.
Core layer switch
New and preferred architecture for controller-based networks.
The leaf switch maps to access and distribution and is what you connect your devices to. It has a high-bandwidth uplink to the spine.
The spine's sole job is to provide super-fast transport access to the leaf switches.
Everything is 3 hops away and is easily load balanced in the routing table via equal-cost load balancing (ECMP, equal-cost multi-path).
Need more ports? Add a leaf switch. Need more bandwidth? Add a spine switch.
Also called Two-Tier Clos Architecture.
Spine/Leaf architecture
MTU
Interface Configuration
OSPF or IS-IS configuration
Verification
What are the components that need to be configured and checked in an underlay?
The physical network that provides connectivity so the overlay can be built on top of it.
Its focus is to advertise its loopback address into OSPF or IS-IS.
The underlay's job is to carry a lot of traffic with a larger packet payload than you would see in a normal network, so you will need to make the MTU bigger. Also, all underlay switches should have a loopback.
Devices in the underlay tend to be cabled so they are highly redundant, removing any single point of failure and optimizing performance. A full mesh can be used.
Underlay
SW01(config)#system mtu 9000
SW01(config)#do reload
Configure the MTU to 9000 and reload.
OSPF requires the MTU to match on both ends of the neighbor adjacency to work properly, so when the MTU is changed, it has to be changed on the neighboring device as well.
To get around this, you can apply the ip ospf mtu-ignore command on the neighboring interface to fix OSPF without changing the MTU.
SW01(config)#ip routing
It's a bad idea to go with STP on an underlay switch. It is recommended to use only Layer 3 interfaces on the underlay switch.
How do you make an underlay switch interface a Layer 3 interface?
(Remember: ip routing has been configured on the underlay switch and a loopback will be needed.)
SW01(config)#interface g3/0
SW01(config-if)#no switchport
SW01(config-if)#ip address 10.1.21.1 255.255.255.0
SW01(config-if)#ip ospf network point-to-point
Configure underlay switch SW01 so that int g3/0 has the IP address 10.1.21.1, and set it to OSPF point-to-point.
SW01(config)#interface loopback 0
SW01(config-if)#ip address 192.168.255.1 255.255.255.255
Configure a loopback address of 192.168.255.1 on SW01.
show ip ospf neighbor
show ip route ospf | b 192.168.255 (the loopbacks)
What are some commands to verify the underlay?
A virtual network that is tunneled over your underlay devices. This is where the advanced configuration like security or QoS gets introduced. Routing for the overlay is usually BGP or EIGRP (link-state protocols have proven to be a bad idea with these networks).
The type of tunnel being used varies depending on the exact SDN solution, but generally it is a Virtual Extensible LAN (VXLAN).
VXLAN is a way of tunneling Layer 2 traffic over Layer 3.
DMVPN is a popular type of overlay that runs over the WAN, using the 10.100.123.0 network.
Overlay
Cisco-proprietary Dynamic Multipoint Virtual Private Network feature that enables you to easily scale large and small IPsec VPNs. It allows a corporate office to connect to branch offices over the Internet with low cost, easy configuration and flexibility.
The central router is called the hub. Using the 10.100.123.0/24 network allows you to run an IGP (Interior Gateway Protocol) over the DMVPN.
DMVPN
A routing protocol used within a single autonomous system (AS) to exchange routing information between routers. In simpler terms, it's how routers inside a company's network or an ISP's network communicate to figure out the best path for data to travel. IGPs are the backbone of routing within an AS, enabling routers to learn about other networks and efficiently forward traffic.
Interior Gateway Protocol
IGP
A shorthand term for layer 3 network devices like routers, L3 switches, firewalls, wireless controllers and access points.
Fabric
DNA Center searches for NEs either by scanning an IP range or by using CDP/LLDP. Once an NE has been found, DNA Center will try to access the device with SNMPv2, SNMPv3, Telnet, SSH, HTTP(S) and NETCONF.
Discovery with DNA Center
Variables can be defined anywhere by adding a $ in front of the word.
How do Variables work on Templates in DNA Center?
By default, DNA Center will assume everything in the template is a configuration command. If you need to push an enable-mode command like clock set, put the command between #MODE_ENABLE (before the command) and #MODE_END_ENABLE (after it).
Example:
#MODE_ENABLE
clock set June 12 2025 00:00:00
#MODE_END_ENABLE
How do enable commands work on Templates in DNA Center?
Path Trace
DNA Center's visual representation of the path taken from source to destination. This tool shows the true path tunnels take and shows whether any ACL on the network will block your traffic.
Traceroute would not reveal the layer 2 switches that the packet must travel through, but Path Trace will.
EasyQoS
LAN-Automation
DNA Center Features
Discovery
Network Hierarchy
Templates
Topology
Upgrades (includes extensive prechecks)
Command Runner (issue commands on multiple devices at once)
Assurance (week-long view of network functionality)
Path Trace
Easy QoS
LAN Automation (Cisco’s PnP)
SD-Access (network management: Marketing can't see Sales data)
C a layer that provides connectivity throughout the fabric
What’s the network underlay?
A a term for everything in the SDN network
B a layer where tunnels are built to provide a service
C a layer that provides connectivity throughout the fabric
E The Data Plane does not run protocols
What are some protocols found in the data plane?
A OSPF
B CDP
C NAT
D LLDP
E The Data Plane does not run protocols
D OpFlex
Which Southbound protocol is used by ACI?
A onePK
B OpenFlow
C Netconf
D OpFlex
E Python
C Restful
E Python
You usually interact with the northbound interface of an SDN controller through a RESTful API, either directly or through a Python script.
Which of these protocols are commonly used with the northbound interface (2)?
A onePK
B OpenFlow
C Restful
D OpFlex
E Python
Automatically configures QoS, ensures best practices are being used for QoS and makes it easier to adjust QoS policies.
What's the purpose of DNA Center's EasyQoS?
D Plug and Play
Which feature does LAN Automation use to configure new switches?
A SNMP
B Telnet
C SSH
D Plug and Play
E Restful API
A SNMP
B Telnet
C SSH
Which protocol does NCM primarily use to configure a network?
A SNMP
B Telnet
C SSH
D Plug and Play
E Restful API
Access, Distribution and Core
What kind of switches are found in a Campus architecture?
B Pushing show commands and viewing results
What can Command Runner be used for?
A Pushing OSPF config
B Pushing show commands and viewing results
C Pushing ACL config
D Pushing an interface config
E Pushing a banner config