Which feature is supported on the Cisco vEdge platform?
IPv6 transport (WAN)
license enforcement
reporting
non-Ethernet interfaces
single sign-on
2-factor authentication
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/segmentation/vEdge-20-x/segmentation-book/segmentation.html
The Cisco vEdge platform supports IPv6 transport (WAN) as one of its features. This means that the vEdge routers can use IPv6 addresses to establish secure control-plane and data-plane connections with other vEdge routers over the WAN. The vEdge routers can also use IPv6 addresses to communicate with the vSmart controllers and the vManage network management system, and they support IPv6 routing protocols such as OSPFv3 and BGP to exchange IPv6 routes with other routers in the network [1][2].
The other features listed in the question are not supported on the Cisco vEdge platform. License enforcement is not applicable to the vEdge routers, as they do not require any license to operate. Reporting is a function of the vManage network management system, which collects and displays statistics and analytics from the vEdge routers. Non-Ethernet interfaces, such as serial, T1/E1, or DSL, are not available on the vEdge routers, which only support Ethernet and cellular interfaces. Single sign-on and 2-factor authentication are not supported on the vEdge routers, which use local or remote authentication methods such as TACACS+, RADIUS, or LDAP [3].
References:
1: Cisco SD-WAN vEdge Routers Data Sheet
2: Cisco SD-WAN Configuration Guide, Release 20.3
3: Cisco SD-WAN Command Reference, Release 20.3
What is the easiest way to enable SD-Access for all your remote sites after you have your campus SD-Access fabric up and running?
Use a separate fabric domain for each site and use the traditional physical network as the underlay.
Treat all the sites as one fabric domain and use the traditional physical network as the underlay.
Treat all the sites as one fabric domain and use SD-WAN as the underlay.
Use a separate fabric domain for each site and use SD-WAN as the underlay.
SD-Access - High Level Branch Design - Software Defined Access @ 0:34 https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000O0wmZAAR&ltui__urlRedirect=learning-activity-from-plan&ltui__parentUrl=
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2020/pdf/BRKCRS-3493.pdf
How would Cisco ISE handle authentication for your printer that does not have a supplicant?
ISE would authenticate the printer using 802.1X authentication.
ISE would authenticate the printer using MAC RADIUS authentication.
ISE would authenticate the printer using MAB.
ISE would not authenticate the printer as printers are not subject to ISE authentication.
ISE would authenticate the printer using web authentication.
Cisco ISE can handle authentication for printers that do not have a supplicant using MAB (MAC Authentication Bypass). MAB is a method of authenticating devices based on their MAC address. MAB is useful for devices that do not support 802.1X or other authentication protocols, such as printers, cameras, or IoT devices. MAB works as follows:
The device sends an Ethernet frame with its MAC address as the source address.
The switch sends a RADIUS Access-Request message to ISE with the MAC address as both the username and the password (on Cisco switches the request also carries Service-Type = Call-Check and the MAC address in Calling-Station-Id, which is how ISE recognizes it as a MAB request rather than an 802.1X or login attempt).
ISE checks the MAC address against a database of known devices or an identity source sequence.
If the MAC address is found and authorized, ISE sends a RADIUS Access-Accept message to the switch with the appropriate authorization profile.
The switch applies the authorization profile to the device and grants it access to the network.
MAB is less secure than 802.1X, as MAC addresses can be spoofed or cloned. Therefore, MAB should be used with caution and combined with other security measures, such as profiling, posture, or endpoint protection. MAB should also be restricted to specific ports or VLANs that are isolated from the rest of the network.
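The MAB flow above, modelled as an added example (this is not code from the Cisco ISE guides cited below): a minimal RADIUS-server-side evaluation that checks the request has the shape of a Cisco MAB request (Service-Type Call-Check, User-Name and User-Password equal to the MAC, matching Calling-Station-Id), normalizes the MAC formats ISE accepts, looks the MAC up in an endpoint table, and returns an authorization profile. The endpoint table, the profiles, and the port-tracking alert are constructed stand-ins for ISE's endpoint identity groups and authorization policy, not ISE's real data model; the alert illustrates the caveat that MAB cannot tell a cloned MAC from the real device, so a known MAC appearing on a new switch port is worth flagging.

```python
"""Added example: a toy model of how a RADIUS server evaluates a MAB request.
The endpoint database, profiles and alerting are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Optional

SERVICE_TYPE_CALL_CHECK = 10          # RADIUS Service-Type value Cisco switches use for MAB
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff;
    return twelve lower-case hex digits, or None if the value is not a MAC."""
    mac = re.sub(r"[:.\-]", "", raw.strip()).lower()
    return mac if MAC_RE.fullmatch(mac) else None


# Constructed stand-in for ISE endpoint identity groups -> authorization profile.
ENDPOINT_DB = {
    "001122334455": {"group": "Printers", "profile": {"vlan": 30, "dacl": "PERMIT_PRINT_ONLY"}},
    "aabbccddeeff": {"group": "Cameras", "profile": {"vlan": 40, "dacl": "PERMIT_NVR_ONLY"}},
}


@dataclass
class MabServer:
    seen_on: dict = field(default_factory=dict)   # mac -> (NAS-IP-Address, NAS-Port-Id)
    alerts: list = field(default_factory=list)

    def evaluate(self, req: dict) -> dict:
        """req is a dict of RADIUS attributes from an Access-Request."""
        # 1. The request must look like MAB, not a failed 802.1X or an admin login.
        if req.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
            return {"code": "Access-Reject", "reason": "not a Call-Check (MAB) request"}
        mac = normalize_mac(req.get("User-Name", ""))
        if mac is None or mac != normalize_mac(req.get("User-Password", "")):
            return {"code": "Access-Reject", "reason": "User-Name/User-Password are not the same MAC"}
        if normalize_mac(req.get("Calling-Station-Id", "")) != mac:
            return {"code": "Access-Reject", "reason": "Calling-Station-Id mismatch"}
        # 2. Identity lookup (ISE: internal endpoints or an identity source sequence).
        entry = ENDPOINT_DB.get(mac)
        if entry is None:
            return {"code": "Access-Reject", "reason": "unknown MAC"}
        # 3. Cloning caveat: MAB accepts the MAC wherever it appears, so record where
        #    each MAC was last seen and raise an alert when it shows up somewhere else.
        location = (req.get("NAS-IP-Address"), req.get("NAS-Port-Id"))
        previous = self.seen_on.get(mac)
        if previous is not None and previous != location:
            self.alerts.append(f"{mac} previously on {previous}, now on {location}")
        self.seen_on[mac] = location
        # 4. Access-Accept with the authorization profile (VLAN + dACL) for the switch.
        return {"code": "Access-Accept", "group": entry["group"], **entry["profile"]}


def demo() -> list:
    """Run a few constructed requests through the server and return the results."""
    server = MabServer()
    printer = {"User-Name": "00-11-22-33-44-55", "User-Password": "00-11-22-33-44-55",
               "Calling-Station-Id": "00-11-22-33-44-55", "Service-Type": SERVICE_TYPE_CALL_CHECK,
               "NAS-IP-Address": "10.0.0.1", "NAS-Port-Id": "GigabitEthernet1/0/10"}
    clone = dict(printer, **{"NAS-Port-Id": "GigabitEthernet1/0/24"})   # same MAC, other port
    login = {"User-Name": "alice", "User-Password": "hunter2", "Service-Type": 1}
    results = [server.evaluate(printer), server.evaluate(clone), server.evaluate(login)]
    return results + [server.alerts]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The port-tracking step is deliberately an alert and not a reject: legitimate devices get re-patched, and MAB alone has no way to prove which copy of a MAC is genuine, which is why the text recommends combining it with profiling, posture, and isolated VLANs.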
References:
Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure MAC Authentication Bypass [Cisco Identity Services Engine]
Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Authentication Policies [Cisco Identity Services Engine]
Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Authorization Policies [Cisco Identity Services Engine]
Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Identity Source Sequences [Cisco Identity Services Engine]
Cisco Identity Services Engine API Reference Guide, Release 2.7 - Authentication [Cisco Identity Services Engine]
Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]
Cisco Validated Design Guides [Cisco]
Which component of the SD-Access fabric is responsible for communicating with networks that are external to the fabric?
border nodes
edge nodes
control plane nodes
intermediate nodes
Border nodes are the component of the SD-Access fabric that is responsible for communicating with networks that are external to the fabric. Border nodes serve as the gateway between the fabric domain and the network outside of the fabric. Border nodes are responsible for network virtualization inter-working and SGT propagation from the fabric to the rest of the network [1]. Border nodes also perform LISP Proxy Tunnel Router (PxTR) functions, which convert policy and reachability information, such as SGT and VRF information, from one domain to another [2]. Border nodes can connect to internal networks, such as a data center or the WAN, or to external networks, such as the internet or a cloud provider [3].
Edge nodes, control plane nodes, and intermediate nodes are not responsible for communicating with networks that are external to the fabric. Edge nodes are the access-layer switches where all of the endpoints reside. Edge nodes detect clients and register them with the control plane nodes. Edge nodes also provide an anycast L3 gateway for the connected endpoints and perform encapsulation and de-encapsulation of data traffic [4]. Control plane nodes are the devices that run a host-tracking database mapping endpoint identity to location. Control plane nodes receive endpoint ID map registrations from edge and/or border nodes and resolve lookup requests from edge and/or border nodes to locate destination endpoint IDs [5]. Intermediate nodes are the devices that provide underlay connectivity between edge nodes and border nodes. Intermediate nodes do not participate in the fabric overlay and do not have any fabric roles [6].
References:
1: Role of Fabric Border Node & IS-IS protocol in Cisco SD-Access
2: Software Defined Access Network Fabric Roles - Study CCNP
3: Cisco SD-Access
4: SD-Access Fabric Troubleshooting Guide - Cisco
5: Cisco SD-Access Solution Design Guide (CVD) - Cisco
6: Cisco SD-Access Solution Design Guide (CVD) - Cisco
Which Cisco product was incorporated into Cisco ISE between ISE releases 2.0 and 2.3?
Cisco WSA
Cisco ACS
Cisco ESA
Cisco ASA
Cisco ISE incorporated Cisco ACS (Cisco Secure Access Control System) between ISE releases 2.0 and 2.3. Cisco ACS was a network access policy platform that provided authentication, authorization, and accounting (AAA) services for network devices and users. Cisco ACS was discontinued in 2017 and replaced by Cisco ISE, which offers more advanced features and capabilities for identity-based network access control. Cisco ISE provides a migration tool that allows customers to migrate their data and configurations from Cisco ACS to Cisco ISE. The migration tool supports Cisco ACS versions 5.5, 5.6, 5.7, and 5.8 and Cisco ISE versions 2.0, 2.1, 2.2, and 2.3.
References:
Cisco Secure Access Control System End-of-Life Announcement [Cisco Secure Access Control System]
Cisco Secure ACS to Cisco ISE Migration Tool [Cisco Identity Services Engine]
Cisco Identity Services Engine Administrator Guide, Release 2.3 - Cisco Secure ACS to Cisco ISE Migration [Cisco Identity Services Engine]
Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Migration [Cisco Identity Services Engine]
Cisco Identity Services Engine Migration Guide, Release 2.3 [Cisco Identity Services Engine]
Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]
Cisco Validated Design Guides [Cisco]
ISE 2.3 includes the final suite of capabilities designed to reach feature parity with Cisco Secure Access Control System (ACS), allowing all existing ACS customers to migrate their deployment to ISE. New features include TACACS+-based device administration for IPv6, import and export capabilities for TACACS+-based command sets, policy export scheduling, IP range support in all octets, and more. See the ACS vs ISE Comparison for feature comparisons with every release of ISE.
Which option will help build your customer's platform during the discovery phase?
POV report
detailed design
high-level design
PO
business case
A business case is the option that will help build your customer's platform during the discovery phase. A business case is a document that outlines the rationale, objectives, benefits, costs, risks, and alternatives of a proposed project or solution. A business case helps to justify the investment and align the stakeholders on the value proposition of the project or solution [1][2].
During the discovery phase, the goal is to understand the problem that needs to be solved, the user needs and context, the constraints and opportunities, and the underlying policy intent. A business case can help to achieve this goal by providing a clear and concise summary of the problem statement, the desired outcomes, the potential solutions, and the evaluation criteria [3][4]. A business case can also help to communicate the vision and scope of the project or solution to the customers and other stakeholders, and to secure their buy-in and support [5][6].
A business case is not the same as a POV report, a detailed design, a high-level design, or a PO. A POV report is a document that summarizes the findings and recommendations from a proof of value (POV) exercise, which is a short-term trial of a solution to demonstrate its feasibility and benefits [7]. A detailed design is a document that specifies the technical and functional requirements, architecture, and configuration of a solution [8]. A high-level design is a document that provides an overview of the solution, such as the main components, interfaces, and interactions [9]. A PO is a purchase order, which is a document that authorizes a purchase transaction between a buyer and a seller.
References:
1: What is a business case? Definition and examples
2: Business Case - Project Management Knowledge
3: How the discovery phase works - Service Manual - GOV.UK
4: Discovery Phase - Service Design - The Beginner's Guide
5: How to Write a Business Case - 4 Steps to a Perfect Business Case Template
6: How to Write a Business Case: 4 Steps to a Perfect Business Case Template
7: What is a Proof of Value (POV)?
8: What is a Detailed Design Document (DDD)?
9: What is a High-Level Design Document?
10: What is a Purchase Order (PO)?
Which three key differentiators does DNA Assurance provide that competitors are unable to match? (Choose three.)
Proactive approach to guided remediation
VXLAN support
Apple Insights
Support for Overlay Virtual Transport
Network time travel
On-premise and cloud-based analytics
Cisco DNA Assurance provides three key differentiators that our competitors are unable to match:
Proactive approach to guided remediation: Cisco DNA Assurance uses AI and machine learning to analyze network data and provide insights on network performance, issues, and optimization. It also offers guided remediation options that automate the process of issue resolution and performance enhancement. This reduces manual troubleshooting and saves time and resources for network administrators [1][2].
Apple Insights: Cisco DNA Assurance integrates with Apple devices and applications to provide enhanced visibility and analytics on the user experience and network performance. It also leverages the Fast Lane feature to prioritize critical iOS and macOS traffic over the wireless network. This improves the quality of service and collaboration for Apple users and applications [1][3].
Network time travel: Cisco DNA Assurance allows network administrators to go back in time and view the network state and health at any given point. This enables them to identify the root cause of issues, compare network performance over time, and troubleshoot historical problems. This feature is unique to Cisco DNA Assurance and provides a powerful tool for network analysis and optimization [1].
References:
1: Cisco DNA Assurance: AI/ML guided IT operations (AIOps) At-a-Glance
2: Leveraging Cisco Intent-Based Networking DNA Assurance (DNAAS)
3: Cisco DNA Assurance Unlocking the Power of Data, page 39
4: Cisco DNA Assurance Unlocking the Power of Data, page 74
Which two primary categories are displayed on the overall health page of the assurance component in the Cisco DNA Center? (Choose two.)
Client
Server
Access-Distribution
Core
Wired
Network
The overall health page of the assurance component in the Cisco DNA Center displays two primary categories: Client and Network [1]. The Client category shows the health score of all the wired and wireless clients connected to the network, along with the number of clients, the top issues affecting the clients, and the distribution of clients by type, OS, and SSID [1]. The Network category shows the health score of all the network devices, such as switches, routers, wireless controllers, and access points, along with the number of devices, the top issues affecting the devices, and the distribution of devices by site, family, and role [1].
The other options are not primary categories on the overall health page. Server is not a category, but a type of client that can be filtered in the Client category [1]. Access-Distribution and Core are not categories, but roles of network devices that can be filtered in the Network category [1]. Wired is not a category, but a subcategory of the Client category that shows the health score of the wired clients only [1].
References:
Cisco DNA Assurance User Guide, Release 1.3.1.0 - Monitor and Troubleshoot the Health of Your Network [Cisco DNA Center]
Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]
Cisco Validated Design Guides [Cisco]
Which two Cisco ISE use cases typically involve the highest level of implementation complexity? (Choose two.)
Device management
Asset visibility
Software-defined segmentation
Software-defined access
Guest and wireless access
Cisco ISE use cases can be classified into four categories: device management, asset visibility, software-defined segmentation, and software-defined access. Each of these use cases has a different level of implementation complexity, depending on the network size, topology, security requirements, and integration with other technologies. Among these use cases, software-defined segmentation and software-defined access typically involve the highest level of implementation complexity, because they require:
A thorough understanding of the network architecture and design principles, such as hierarchical, modular, and scalable design.
A comprehensive assessment of the network devices, endpoints, users, applications, and policies, and their interdependencies and interactions.
Careful planning and testing of the network segmentation and access policies, using tools such as Cisco TrustSec, Cisco DNA Center, Cisco SD-Access, and Cisco ISE.
A smooth and secure migration from the existing network to the software-defined network, with minimal disruption and downtime.
Continuous monitoring and optimization of the network performance, security, and compliance, using tools such as Cisco Stealthwatch, Cisco Tetration, and Cisco ISE.
References:
Cisco Identity Services Engine (ISE) Use Cases, https://www.cisco.com/c/en/us/products/security/identity-services-engine/use-cases.html
Cisco Enterprise Network Architecture and Design, https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/enterprise-networking-design.html
Cisco ISE Network Discovery, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010011.html
Cisco TrustSec, https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html
Cisco DNA Center, https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html
Cisco SD-Access, https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/index.html
Cisco ISE Software-Defined Access, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010110.html
Cisco SD-Access Migration Guide, https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-migration-guide.html
Cisco Stealthwatch, https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html
Cisco Tetration, https://www.cisco.com/c/en/us/products/data-center-analytics/tetration/index.html
Cisco ISE Monitoring and Troubleshooting, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010100.html
Which two options are primary functions of Cisco ISE? (Choose two.)
allocating resources
enforcing endpoint compliance with network security policies
enabling WAN deployment over any type of connection
automatically enabling, disabling, or reducing allocated power to certain devices
providing VPN access for any type of device
providing information about every device that touches the network
Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations [1]. Two of the primary functions of Cisco ISE are:
Enforcing endpoint compliance with network security policies: Cisco ISE can assess the posture of all endpoints that access the network, including 802.1X environments, and enforce the appropriate policies based on the device type, identity, location, and other attributes. Cisco ISE can also provide comprehensive client provisioning measures to ensure that the endpoints are compliant with the network security policies before granting them access. Cisco ISE can also quarantine or remediate non-compliant endpoints to prevent potential threats or vulnerabilities [1][2].
Providing information about every device that touches the network: Cisco ISE can gather real-time contextual information from networks, users, and devices, and use that information to make governance decisions and apply policies. Cisco ISE can also discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can also leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security [1][3].
The other options are not primary functions of Cisco ISE, because:
Allocating resources: Cisco ISE does not allocate resources to the endpoints or the network devices. Cisco ISE can assign services or access levels based on the policies, but not resources such as bandwidth, memory, or CPU [1].
Enabling WAN deployment over any type of connection: Cisco ISE does not enable WAN deployment over any type of connection. Cisco ISE can support VPN access for remote endpoints, but not WAN deployment for the network infrastructure [1].
Automatically enabling, disabling, or reducing allocated power to certain devices: Cisco ISE does not automatically enable, disable, or reduce allocated power to certain devices. Cisco ISE can control the access and authorization of the devices, but not their power consumption or management [1].
Providing VPN access for any type of device: Cisco ISE does not provide VPN access for any type of device. Cisco ISE can authenticate and authorize the VPN access for the endpoints, but not provide the VPN service or connection itself. Cisco ISE relies on other network devices, such as VPN gateways or routers, to provide the VPN access [1].
References:
1: Cisco Content Hub - Cisco ISE Features
2: Cisco ISE Posture Service Overview
3: Cisco ISE Profiler Service Overview