Is SprintGrad's SD-WAN Mastery Course Aligned with Industry Standards?
Up-to-date curriculum tailored to the evolving modern WAN landscape.
Module - 1
SD-WAN Foundations and Business Drivers
Module - 2
Cisco SD-WAN Architecture and Components
Module - 3
Deployment, Provisioning, and Configuration
Module - 4
Control Plane Operations and OMP Routing
Module - 5
Centralized Control Policies
Module - 6
Centralized Data Policies & Service Insertion
Module - 7
Application-Aware Routing (AAR)
Module - 8
SD-WAN Security
Module - 9
Cloud Connectivity & Advanced Optimization
Module - 10
Localized Policies and QoS
Module - 11
SD-WAN Design and Migration
1.1 The State of Today’s Networks
Challenges of modern networks
1.2 Business and IT Trends Impacting the WAN
Common business and IT trends affecting the WAN
1.3 Desired Benefits and Outcomes
Benefits sought by businesses, including reduced costs and lower operational complexity
1.4 Introducing SD-WAN and Key Concepts
Introduction to Cisco SD-WAN, rethinking the WAN, and the shift from connectivity-centric to application-centric architecture
1.5 Transport Independence and Hybrid WAN
The concept of transport independence and the origin of Hybrid WAN topologies.
2.1 SD-WAN Distributed Architecture
Separation of the data, management, and control planes in contrast to traditional networking.
2.2 The Four Planes of SD-WAN
Overview of the Management, Control, Orchestration, and Data planes.
2.3 Management and Orchestration Planes
vManage (Management Plane) functionality: single pane of glass, onboarding, provisioning, policy creation, troubleshooting, and monitoring.
vBond (Orchestration Plane) functionality: authentication, authorisation, NAT traversal, and discovery.
2.4 Control and Data Planes
vSmart (Control Plane) functionality: distributing OMP routes and centralized policies, distributing data plane encryption keys, and acting as the route reflector for OMP (a role analogous to a BGP route reflector).
WAN Edge devices (Data Plane): carrying data traffic, securing connections via IPsec, and enforcing policies.
2.5 Segmentation and Topology
Segmentation via VPNs (Virtual Private Networks), which are synonymous with VRF instances.
Common topology types (full mesh, hub-and-spoke).
3.1 Controller Deployment Sequence
Installation order: vManage > vBond > vSmart.
Deployment options (Cisco Cloud, Private Cloud, On-premises).
3.2 Security and Certificates
Use of X.509 (commonly called SSL) certificates for mutual authentication of controllers and WAN Edge devices in the control plane.
DTLS/TLS protocol usage for secure control plane tunnels.
3.3 WAN Edge Onboarding
Zero Touch Provisioning (ZTP) (Viptela OS) and Plug and Play (PNP) (IOS XE) workflows.
Manual bootstrapping via CLI.
3.4 Configuration Templates
Configuration management via templates designed for intent.
Types: Device, Feature, and CLI templates.
3.5 Template Variables and Rollback
Using variables for flexible, reusable templates.
Automatic rollback mechanism for configuration failures.
4.1 OMP Route Types
Three types of OMP route advertisements: OMP routes (vRoutes), TLOC routes (Transport Locator), and Service routes.
4.2 TLOC Attributes and Colors
TLOC components (system IP, transport color, encapsulation).
Use of Colors to categorise transports (public/private).
4.3 TLOC Control: Restrict and Tunnel Groups
Default full-mesh behaviour and controlling tunnel establishment using the restrict attribute or tunnel groups.
4.4 OMP Best-Path Selection
The ordered steps for OMP best-path selection, including OMP route preference, TLOC preference, and origin type, and how routes that tie are installed as ECMP paths.
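The following is an added example, not part of the course material: a small Python model of the OMP best-path steps for one prefix. The step order (valid route, lower administrative distance, higher OMP route preference, higher TLOC preference, better origin type, lower origin metric) follows the algorithm as documented by Cisco; the tie-breakers after origin metric are intentionally omitted and any routes still tied are returned together as ECMP candidates. The route entries and TLOC names are constructed for illustration.

```python
"""Added example (not course material): OMP best-path selection for one prefix.

Step order follows Cisco's documented OMP algorithm; final tie-breakers are
omitted and surviving equal routes are returned as ECMP candidates.
"""
from dataclasses import dataclass, replace

# Origin types in order of preference; a lower index wins.
ORIGIN_RANK = {
    "connected": 0, "static": 1, "ebgp": 2, "ospf-intra": 3,
    "ospf-inter": 4, "ospf-external": 5, "ibgp": 6, "unknown": 7,
}


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    tloc: str                   # "system-ip:color:encap"
    valid: bool = True          # False when the TLOC is unresolvable / withdrawn
    admin_distance: int = 250   # OMP default on Viptela OS
    omp_preference: int = 0     # set by a centralized control policy; higher wins
    tloc_preference: int = 0    # carried on the TLOC route; higher wins
    origin: str = "unknown"     # protocol the route was learned from at the source
    origin_metric: int = 0      # metric at the source; lower wins


def best_paths(routes, ecmp_limit=4):
    """Return the routes OMP would install for a prefix (up to ecmp_limit)."""
    candidates = [r for r in routes if r.valid]
    if not candidates:
        return []
    # Each step keeps only the routes that are best on that attribute; later
    # steps are evaluated only on what survived the earlier ones.
    steps = [
        lambda r: -r.admin_distance,
        lambda r: r.omp_preference,
        lambda r: r.tloc_preference,
        lambda r: -ORIGIN_RANK.get(r.origin, ORIGIN_RANK["unknown"]),
        lambda r: -r.origin_metric,
    ]
    for key in steps:
        top = max(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == top]
        if len(candidates) == 1:
            break
    return candidates[:ecmp_limit]


def with_omp_preference(route, preference):
    """Model a centralized control policy setting OMP route preference."""
    return replace(route, omp_preference=preference)


# Constructed sample: one prefix advertised by two data centres over two colors.
SAMPLE = [
    OmpRoute("10.1.0.0/16", "10.0.0.1:mpls:ipsec", tloc_preference=100,
             origin="ospf-external", origin_metric=20),
    OmpRoute("10.1.0.0/16", "10.0.0.2:mpls:ipsec", tloc_preference=100,
             origin="ebgp"),
    OmpRoute("10.1.0.0/16", "10.0.0.2:biz-internet:ipsec", tloc_preference=50,
             origin="ebgp"),
    OmpRoute("10.1.0.0/16", "10.0.0.3:mpls:ipsec", valid=False,
             tloc_preference=200),
]

if __name__ == "__main__":
    # eBGP origin beats OSPF external once TLOC preference ties at 100.
    print([r.tloc for r in best_paths(SAMPLE)])
    # A control policy raising OMP preference overrides the later steps.
    boosted = [with_omp_preference(SAMPLE[0], 200)] + SAMPLE[1:]
    print([r.tloc for r in best_paths(boosted)])
```

Note that the invalid route with the highest TLOC preference never competes: validity is checked before any attribute comparison, which is why an unreachable TLOC cannot attract traffic no matter how it is preferred.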
4.5 NAT Traversal and Restrictions
NAT detection via STUN (Session Traversal Utilities for NAT).
Restrictions on symmetric NAT for data plane tunnel establishment.
4.6 Routing Loop Prevention
Native loop prevention mechanisms when redistributing to/from IGPs: OSPF Down bit, BGP Site of Origin (SoO), and EIGRP external protocol field.
5.1 Policy Construction Fundamentals
Building policies using lists (e.g., prefix-list, site-list, TLOC list).
Sequential match-action logic (first match basis).
5.2 Centralized Policy Directionality
Centralized control policies applied inbound vs. outbound from the vSmart perspective.
5.3 Isolating Branch-to-Branch Traffic
Creating a hub-and-spoke topology by filtering TLOC advertisements outbound to branch sites.
5.4 Controlling Traffic Flow with TLOC Manipulation
Enabling branch-to-branch communication via data centres by updating TLOC attributes (next-hop) in OMP routes using TLOC lists.
5.5 Traffic Engineering with Route Preference
Using OMP Route Preference to prefer a regional data centre for a specific prefix (e.g., Internet access).
5.6 Multi-Topology and Regional Meshes
Configuring different topologies (e.g., regional full mesh) by manipulating TLOC and OMP route advertisements based on Site ID criteria.
5.7 Extranets and VPN Route Leaking
Using control policies to implement extranets by leaking routes between service VPNs (e.g., partner access) using the export-to action.
6.1 Data Policy Fundamentals
Centralized data policy directionality: from-service vs. from-tunnel.
Core actions: accept or drop a flow, with count and log options, and forwarding actions that redirect matched traffic (set next hop or TLOC, NAT to a transport VPN).
6.2 Direct Internet Access (DIA) for Guests
Using data policies to enforce DIA for untrusted traffic.
Matching traffic destined to public (non-RFC 1918) addresses and forwarding it out of the transport VPN using nat use-vpn 0.
6.3 Direct Cloud Access (DCA) for Applications
Forwarding specific, trusted Layer 7 applications (e.g., WebEx) locally using nat use-vpn 0.
Using the optional nat fallback for resilience.
6.4 Application-Based Traffic Engineering
Steering specific applications over preferred tunnels using local-tloc-list (preference) or tloc-list (strict forwarding) actions.
6.5 Service Insertion (Data Plane)
Redirecting traffic for inspection to network services, such as a firewall at a hub.
Configuring the service on the WAN Edge and applying the redirection policy.
7.1 The AAR Imperative
Leveraging inexpensive commodity circuits while maintaining assured application experience.
7.2 SLA Class Lists
Defining application performance requirements using SLA Class lists (maximum Loss, Latency, Jitter thresholds).
7.3 BFD and Tunnel Monitoring
Using BFD for real-time path quality monitoring.
BFD timers: Hello Interval, Multiplier, Poll Interval, and App-Route Multiplier.
7.4 AAR Forwarding Logic
How AAR only chooses between tunnels when the destination is reachable over multiple equal OMP paths (multiple TLOCs); it never overrides the routing table's best-path decision.
Mapping traffic to tunnels based on SLA compliance and preferred colors.
7.5 AAR Policy Actions
Configuring policies using preferred-color, backup-sla-preferred-color, and strict actions to manage failover scenarios.
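The following is an added example, not part of the course material, covering sections 7.2 to 7.5 together: a Python model of the AAR forwarding decision. The tunnel statistics are constructed values standing in for what BFD measures per tunnel, and the rule fields mirror the policy actions named above (preferred-color, backup-sla-preferred-color, strict). The decision logic is the documented AAR behaviour: a preferred color is honoured only while it meets the SLA; when nothing meets the SLA, strict drops, the backup color is used if one is configured, and otherwise traffic is spread across all tunnels.

```python
"""Added example (not course material): application-aware routing path choice.

Tunnel statistics are constructed stand-ins for BFD measurements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss: float    # maximum acceptable loss, percent
    latency: int   # maximum acceptable latency, ms
    jitter: int    # maximum acceptable jitter, ms


@dataclass(frozen=True)
class TunnelStats:
    color: str
    loss: float
    latency: int
    jitter: int

    def meets(self, sla):
        """True when every measured value is within the SLA class thresholds."""
        return (self.loss <= sla.loss and self.latency <= sla.latency
                and self.jitter <= sla.jitter)


@dataclass(frozen=True)
class AarRule:
    sla: SlaClass
    preferred_colors: tuple = ()         # preferred-color
    backup_sla_preferred_color: str = "" # backup-sla-preferred-color (empty = none)
    strict: bool = False                 # strict: drop when no tunnel meets SLA


def select_tunnels(rule, tunnels):
    """Return the colors the flow is forwarded over; [] means strict-mode drop."""
    compliant = [t for t in tunnels if t.meets(rule.sla)]
    if compliant:
        preferred = [t for t in compliant if t.color in rule.preferred_colors]
        # Preference is only honoured while the preferred tunnel is compliant;
        # otherwise any SLA-compliant tunnel is used.
        return [t.color for t in (preferred or compliant)]
    if rule.strict:
        return []
    if rule.backup_sla_preferred_color:
        backup = [t for t in tunnels if t.color == rule.backup_sla_preferred_color]
        if backup:
            return [t.color for t in backup]
    # No SLA-compliant tunnel and no usable backup: load-balance over all tunnels.
    return [t.color for t in tunnels]


# Constructed sample: a voice SLA and three transports with BFD-style readings.
VOICE = SlaClass("VOICE", loss=1.0, latency=150, jitter=30)
TUNNELS = [
    TunnelStats("mpls", loss=0.0, latency=40, jitter=5),
    TunnelStats("biz-internet", loss=2.5, latency=90, jitter=12),
    TunnelStats("lte", loss=0.5, latency=120, jitter=25),
]
RULE = AarRule(VOICE, preferred_colors=("mpls",), backup_sla_preferred_color="lte")

if __name__ == "__main__":
    print(select_tunnels(RULE, TUNNELS))                 # mpls preferred and compliant
    degraded = [TunnelStats("mpls", 3.0, 200, 50)] + TUNNELS[1:]
    print(select_tunnels(RULE, degraded))                # mpls fails SLA, lte still meets it
```

The degraded case is the one to study: a preferred color that stops meeting its SLA is abandoned even though it is still up, which is the whole point of measuring with BFD rather than trusting link state.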
8.1 Security in the DIA Model
Security implications of moving the Internet edge to the branch (increased attack surface).
8.2 Integrated Security Suite Overview
Overview of embedded security applications: Application-Aware Enterprise Firewall, IDS/IPS, URL Filtering, and AMP/Threat Grid.
8.3 Application-Aware Enterprise Firewall
Concepts of zones (grouping of VPNs) and zone pairs for establishing security boundaries.
Policy actions: Pass, Inspect, Drop.
8.4 Intrusion Detection/Prevention and Malware Protection
IDS/IPS leveraging Snort and Cisco Talos signatures.
Advanced Malware Protection (AMP) and Threat Grid sandbox analysis for file downloads.
8.5 URL Filtering and DNS Security
URL Filtering for enforcing acceptable use controls based on categories or reputation.
DNS Web Layer Security using the Cisco Umbrella cloud to block DNS resolution of malicious or policy-violating domains.
8.6 Cloud Security Integration
Connectivity to cloud-delivered firewalls (CDFW) via standards-based IPsec or GRE tunnels to offload compute burden from the WAN Edge.
9.1 Cloud onRamp for SaaS
Optimising connectivity to applications like Microsoft 365.
Calculating vQoE scores (Quality of Experience) based on loss/latency to choose the best-performing path.
Site types: DIA, Gateway, and Client.
9.2 Cloud onRamp for IaaS
Extending the SD-WAN fabric into public cloud instances (AWS, Azure).
Deployment using redundant WAN Edge Cloud routers in a Transit VPC/VNET.
9.3 Cloud onRamp for Colocation
Enabling regional service chaining by integrating Virtual Network Functions (VNFs) (firewalls, load balancers) at colocation facilities.
9.4 Loss Mitigation: FEC
Using Forward Error Correction (FEC) to mitigate loss by sending parity packets (XOR of data packets).
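The following is an added example, not part of the course material: XOR forward error correction in Python, showing the mechanism the section describes. One parity packet protects a block of data packets (the block size of 4 is an assumption for illustration); a receiver that loses any single packet in the block rebuilds it by XOR-ing the rest, while two losses in one block are unrecoverable. Packet payloads are constructed.

```python
"""Added example (not course material): XOR-parity forward error correction.

One parity packet per block of DATA_PER_BLOCK data packets; a single loss in a
block is recovered, two losses are not.
"""

DATA_PER_BLOCK = 4  # assumption: 4 data packets protected by 1 parity packet


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def fec_encode(packets):
    """Pad packets to a common length and append one parity packet per block.

    A real implementation also carries the original lengths so padding can be
    stripped; here all sample packets are the same length so it is omitted.
    """
    size = max(len(p) for p in packets)
    padded = [p.ljust(size, b"\0") for p in packets]
    out = []
    for i in range(0, len(padded), DATA_PER_BLOCK):
        block = padded[i:i + DATA_PER_BLOCK]
        parity = bytes(size)
        for p in block:
            parity = xor_bytes(parity, p)   # parity = p1 ^ p2 ^ ... ^ pn
        out.extend(block)
        out.append(parity)
    return out


def fec_decode(block):
    """Recover the data packets of one block.

    block holds the data packets followed by the parity packet, with None in
    place of any packet that was lost in transit. Returns the data packets, or
    None when more than one packet of the block is missing.
    """
    lost = [i for i, p in enumerate(block) if p is None]
    if len(lost) > 1:
        return None            # XOR parity can only rebuild one missing packet
    if lost:
        present = [p for p in block if p is not None]
        acc = bytes(len(present[0]))
        for p in present:
            acc = xor_bytes(acc, p)   # XOR of all survivors equals the lost packet
        block = list(block)
        block[lost[0]] = acc
    return block[:-1]          # drop the parity packet


# Constructed sample: four equal-length packets, one block.
SAMPLE_PACKETS = [b"rtp-seq-1", b"rtp-seq-2", b"rtp-seq-3", b"rtp-seq-4"]

if __name__ == "__main__":
    encoded = fec_encode(SAMPLE_PACKETS)
    damaged = list(encoded)
    damaged[2] = None                      # simulate losing the third packet
    print(fec_decode(damaged) == SAMPLE_PACKETS)
```

The cost is visible in the encoder: one extra packet per block of four, a 25 percent bandwidth overhead, which is why FEC is applied selectively to loss-sensitive traffic rather than to every flow.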
9.5 Loss Mitigation: Packet Duplication
Using Packet Duplication to send duplicate packets over a secondary, less-lossy tunnel to mitigate loss for critical traffic.
10.1 Localized Policy Scope
Localized policies are configured on WAN Edge templates and are device-specific in scope.
Cannot share lists with centralized policies.
10.2 Localized Control Policies
Manipulating route attributes of traditional protocols (BGP, OSPF, EIGRP) advertised by the WAN Edge.
Using route policies to influence path selection (e.g., setting BGP MED).
10.3 Localized Data Policies (ACLs)
Using Access Control Lists (ACLs) to filter, rewrite, or apply additional services to traffic flows at the interface level.
10.4 Quality of Service (QoS) Framework
QoS implemented via localized policies.
Steps: Assign traffic to forwarding classes (via ACLs), map classes to hardware queues, configure schedulers.
10.5 Queuing and Congestion Management
WAN Edge routers support eight queues (0–7). Queue 0 is the Low Latency Queue (LLQ) used for control traffic.
Schedulers use LLQ or Weighted Round Robin (WRR).
11.1 Design Methodology and Preparation
Migration usually occurs in a brownfield environment.
Importance of dissection of existing WAN architecture and documenting network resources.
11.2 Data Center Design
Recommended approach: insert and run the solution in parallel (Dedicated Pod design).
Allows the data centre to act as a transit site.
11.3 Transport and Service-Side Connectivity
Integrating transport-side connections (VPN 0).
Using eBGP as the recommended service-side routing protocol (VPN 1+) to the core.
11.4 Branch Design Options
Designs for complete CE replacement (single or dual WAN Edge).
Integrating with an existing MPLS CE router.
11.5 Integrating Services at the Branch
Design options for integration with a Branch Firewall to support Secure DIA.
Integrating Voice Services using a separate gateway (L2/L3 integration).
11.6 Overlay and Underlay Integration
Design options for traffic flow: Overlay-only (recommended), Overlay with Underlay Backup, and Full Overlay/Underlay Integration (complex).