Authentication: As mentioned, the Cisco SD-WAN control plane contributes the underlying infrastructure for data plane security. In addition, authentication is enforced by two other mechanisms:
In the traditional key exchange model, the Cisco vSmart Controller sends IPsec encryption keys to each edge device
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge-20-x/security-book/security-overview.html
A. Distribution of IPsec keys (Wrong) The distribution of IPsec keys is typically handled by the vBond orchestrator, not vSmart controllers.
B. Execution of localized policies (Wrong) vSmart controllers are primarily responsible for centralized control plane functions, including policy distribution. The execution and enforcement of policies are generally handled by SD-WAN edge devices.
C. Redistribution between OMP and other routing protocols (Correct) This is a primary function of vSmart controllers. They ensure consistency in routing information between the SD-WAN overlay and the underlying transport network.
D. Facilitation of NAT detection and traversal (Wrong) While vSmart controllers play a role in facilitating NAT detection and traversal, it is not their primary function. NAT-related functions are often handled by SD-WAN edge devices.
A. Correct: The Cisco Catalyst SD-WAN Controller (vSmart) sends IPsec encryption keys to each edge device (vEdge routers).
B. Incorrect: Control policies are executed by vSmart controllers, while data policies are executed by vEdge routers.
C. Incorrect: Redistribution is done by vEdge routers.
D. Incorrect: NAT traversal is handled by vBond orchestrator.
It's A
vSmart is the brain of the Cisco SD WAN fabric and is responsible for calculating and deploying all control and data policies as well as handling the distribution of encryption keys for data plane connectivity.
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.pdf
(page 13)
https://ipwithease.com/cisco-sd-wan-components/#:~:text=vSmart%20is%20the%20brain%20of%20the%20Cisco%20SD%20WAN%20fabric%20and%20is%20responsible%20for%20calculating%20and%20deploying%20all%20control%20and%20data%20policies%20as%20well%20as%20handling%20the%20distribution%20of%20encryption%20keys%20for%20data%20plane%20connectivity.
Redistribution between OMP and other routing protocols: this is performed on the WAN edge routers, not the vSmart controller. The edge routers are responsible for redistributing routes between OMP and local routing protocols like BGP or OSPF.
In the Cisco SD-WAN architecture, the distribution of IPsec keys is handled by the vBond orchestrator, not vSmart controllers. The vBond orchestrator is responsible for orchestrating connectivity between all the other components in the system, telling vEdges where and how to connect to organizations' vManage and vSmart controllers, advising vSmart controllers as new vEdges join the SD-WAN fabric, and informing vEdges if they are behind a NAT device to facilitate IPsec NAT traversal.
Therefore, the correct component that takes care of the distribution of IPsec keys in Cisco SD-WAN is the vBond orchestrator.
Executed by the SD-WAN device rather... didn't mean to put switches, I was thinking Catalyst and I am tired...
"Localized control policy is policy that is configured on a Cisco IOS XE Catalyst SD-WAN device"
The vSmart component resides in the control plane. vSmart controllers provide routing, enforce data plane policies, and enforce network-wide segmentation. Because policies are created on vManage, vSmart is the component responsible for enforcing these policies centrally.
CCNP Enterprise Design ENSLD 300-420 Official Cert Guide page 352
Looks like A per 31 days before CCNP book: "The vSmart controller acts as a distribution point to establish data plane connectivity between the WAN Edge routers. This information exchange includes service LAN-side reachability, transport WAN-side IP addressing, IPsec encryption keys, site identifiers, and so on. Together with WAN Edge routers, vSmart controllers act as a distribution system for the pertinent information required to establish data plane connectivity directly between the WAN Edge routers."
Looks like B may be incorrect.
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/localized-policy.html
Localized Control Policy
Control policy operates on the control plane traffic in the Cisco IOS XE SD-WAN overlay network, influencing the determination of routing paths through the overlay network. Localized control policy is policy that is configured on a Cisco IOS XE SD-WAN device (hence, it is local) and affects BGP and OSPF routing decisions on the site-local network that the device is part of.
To configure localized policies, use the Cisco vManage policy configuration wizard.
ChatGPT gave the following answer (I also provided the links below and all your points):
After reviewing the additional link provided, my answer remains the same. The vSmart controller is primarily responsible for executing centralized policies in the Cisco SD-WAN architecture, which include policies related to traffic, security, and other aspects of network management.
The document provides further detail on the role of vSmart in the SD-WAN architecture, stating that "vSmart controllers provide centralized policy management, act as the decision engine for traffic forwarding, and manage encryption keys for IPsec tunnels." This confirms that while vSmart may be involved in the management of encryption keys, its primary function is still the execution of centralized policies.
Therefore, my final answer is still B. Execution of centralized policies.
ChatGPT must have missed the bottom of this page: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/policy-overview.html#id_113339
And "In the traditional key exchange model, the Cisco vSmart Controller sends IPsec encryption keys to each edge device." in https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge-20-x/security-book/security-overview.html
For me it is A
ChatGPT did mention vSmart is involved in management of encryption keys, but felt that the primary function of vSmart is execution of centralized policies.
But execution of CENTRALIZED policies, not LOCAL policies which is what answer B has.
So answer does seem to be A.
In the traditional key exchange model, the vSmart sends IPsec encryption keys to each edge device. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge/security-book.pdf - page 15