Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers Questions and Answers
Which two are benefits from a WAN design? (Choose two.)
Options:
A. Provide lower quality service to guest users
B. Ensure remote site uptime
C. Prioritize and secure with granular control
D. Reduce cost and increase operational complexity
E. Lower circuit bandwidth requirements
Answer:
B, C
Explanation:
A WAN design is a plan for how to connect multiple sites or locations over a wide area network (WAN). A WAN design can have various benefits, depending on the goals and requirements of the organization. Two of the possible benefits from a WAN design are:
- Ensure remote site uptime: A WAN design can help to ensure that remote sites or branches have reliable and consistent connectivity to the central site or the cloud. This improves the availability and performance of critical applications and services, such as voice, video, collaboration, and data backup. A WAN design can also provide redundancy and resiliency in case of network failures or disasters by using multiple WAN links, backup routes, or failover mechanisms. For example, SD-WAN is a WAN design that uses software to dynamically route traffic over the best available WAN link, based on the network conditions and the application requirements [1].
- Prioritize and secure with granular control: A WAN design can also help to prioritize and secure the traffic and applications that flow over the WAN. This enhances the quality of service (QoS) and the security of the network. A WAN design can use various techniques, such as traffic shaping, policy-based routing, encryption, firewalls, or VPNs, to classify, prioritize, and secure the WAN traffic according to the business needs and the security policies. For example, TrustSec is a WAN design that uses software-defined segmentation to enforce granular access policies based on the identity and context of users, devices, and applications [2].
The other options, provide lower quality service to guest users, reduce cost and increase operational complexity, and lower circuit bandwidth requirements, are not benefits from a WAN design. Providing lower quality service to guest users is not a desirable outcome, as it can affect the user experience and the reputation of the organization. Reducing cost while increasing operational complexity is a trade-off that may not be worth it, as it creates more challenges and risks for network management and maintenance. Lowering circuit bandwidth requirements is not a benefit in itself, but a means to achieve other benefits, such as reducing cost or improving performance. A WAN design should aim to optimize bandwidth utilization and allocation rather than simply lowering it.
References:
- [1] Cisco SD-WAN Solution Design Guide (CVD) - Cisco
- [2] Cisco TrustSec Solution Overview - Cisco
What is a challenge of having an SD-Access Centralized design where a single fabric encompasses the main site and all branch sites across the WAN?
Options:
A. End to End Routing is not supported
B. DNA Center does not support it.
C. SSIDs would be the same across all sites
D. Since the traffic is encapsulated, SD-WAN features can't be used to optimize/route traffic.
Answer:
D
Explanation:
A centralized SD-Access design is where a single fabric domain spans across the main site and all branch sites over the WAN. This design has some challenges, such as:
- Since the traffic is encapsulated in VXLAN headers, SD-WAN features such as application-aware routing, QoS, and security policies cannot be applied to the traffic based on the original IP headers. This means that the SD-WAN controller cannot optimize or route the traffic based on the application or user identity. The traffic is treated as a single class of service across the WAN.
- The centralized design also introduces a single point of failure and a potential bottleneck at the main site, where the border nodes and the control plane nodes are located. If the main site goes down or the WAN link fails, the branch sites will lose connectivity to the fabric domain and the external networks.
- The centralized design also requires a high bandwidth and low latency WAN connection between the main site and the branch sites, which may not be feasible or cost-effective for some scenarios.
References:
- Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers (ENSDENG) Study Guide
- Cisco SD-Access and SD-WAN Integration Design Guide
Device Sensor provides which two types of information to ISE? (Choose two.)
Options:
A. Encrypted traffic
B. DHCP
C. CDP
D. NetFlow
E. User/Device Name
Answer:
B, C
Explanation:
Device Sensor is a feature that enables Cisco devices to collect and report information about the endpoints connected to them. ISE uses this information to identify and classify the endpoints and to apply appropriate policies based on their attributes. Device Sensor can collect information from various sources, such as DHCP, CDP, LLDP, and HTTP User-Agent. Among the options given, only DHCP and CDP are valid sources of information for Device Sensor.
References:
- Cisco Identity Services Engine Administrator Guide, Release 2.7 - Device Sensor [Cisco Identity Services Engine] - Cisco
Which are three Cisco ISE use cases? (Choose three.)
Options:
A. Segmentation
B. Monitoring
C. Assurance
D. Security Incident and Event Management
E. Access Control
F. BYOD
Answer:
B, C, F
Explanation:
Cisco ISE is a network access control solution that uses policy-based decision making to determine whether a device is allowed access to the network and, if allowed, what level of access this device is given [1]. Cisco ISE can also provide authentication, authorization, and accounting (AAA) through the RADIUS protocol and device administration through the TACACS+ service [1].
Some of the use cases of Cisco ISE are:
- Access Control: Cisco ISE can grant and control the right level of network access for both wired and wireless devices by employing mainly the 802.1X protocol and EAPoL (EAP over LAN) [1]. Cisco ISE can also use MAC authentication bypass (MAB) to authenticate devices that are unable to use the EAP protocol [1]. Additionally, Cisco ISE can integrate with Microsoft Active Directory to confirm user identity [1].
- Assurance: Cisco ISE can monitor and troubleshoot the various features on ISE and analyze trends of network activity from a centralized admin node [2]. Cisco ISE can also provide reports on user and entity behavior analytics (UEBA), enterprise mobility management/mobile device management (EMM/MDM), security incident and event management (SIEM), and segmentation [3][4].
- Monitoring: Cisco ISE can provide endpoint visibility with context by collecting and analyzing data from various sources such as endpoints, users, applications, devices, networks, and cloud services [4]. Cisco ISE can also provide real-time alerts and notifications on security events and anomalies [4].
What is the role of DNA Center in SD-Access?
Options:
A. Identifying and Authenticating Endpoints
B. The point of exchange of reachability and policy for two domains
C. Provide GUI management abstraction & Analytics via Multiple Service Apps
D. Maintain a database of Endpoint IDs to Fabric Edge Nodes
Answer:
C
Explanation:
DNA Center is the central point of management for SD-Access. It provides a graphical user interface (GUI) to design, provision, and monitor the SD-Access fabric. DNA Center also offers various service applications that leverage the network data and analytics to provide insights, automation, and assurance for the network and the applications running on it. DNA Center does not perform the functions of identifying and authenticating endpoints, which are handled by ISE; nor does it act as the point of exchange of reachability and policy for two domains, which are the roles of the border nodes and the control plane nodes; nor does it maintain a database of endpoint IDs to fabric edge nodes, which is the function of the LISP mapping system. References:
- [1] Cisco DNA Center User Guide, Release 2.2.2.0, Chapter 1: Introduction to Cisco DNA Center, https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-2-2-0/user_guide/b_cisco_dna_center_ug_2_2_2_0/b_cisco_dna_center_ug_2_2_2_0_chapter_01.html
- [2] Cisco SD-Access Design Guide, Release 2.2.2.0, Chapter 2: SD-Access Fabric Design, https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-design-guide-2-2-2-0.html#_Toc67188638
Which three statements best describe Cisco ISE configuration capabilities? (Choose three.)
Options:
A. Cisco Active Advisor provides additional guidance for ISE deployments.
B. ISE Deployment Assistant (IDA) is a built-in application designed to accelerate the deployment of Cisco Identity Services Engine (ISE).
C. ISE requires an understanding of the command line for set-up and configuration.
D. Cisco ISE includes a wireless setup wizard and a visibility wizard.
E. ISE wizards and pre-canned configurations ease ISE roll-out significantly.
Answer:
B, D, E
Explanation:
Cisco ISE configuration capabilities include the following features:
- ISE Deployment Assistant (IDA) is a built-in application designed to accelerate the deployment of Cisco Identity Services Engine (ISE). IDA guides the user through the initial setup, configuration, and verification of ISE with a step-by-step wizard. IDA also provides best practices and recommendations for common deployment scenarios, such as wireless, wired, VPN, guest, and BYOD [1].
- Cisco ISE includes a wireless setup wizard and a visibility wizard. The wireless setup wizard simplifies the configuration of ISE for wireless access by automating the tasks of adding network devices, creating authorization profiles, and applying policies. The visibility wizard helps the user to enable device profiling and posture services, and to view the endpoint information and compliance status on the ISE dashboard [2].
- ISE wizards and pre-canned configurations ease ISE roll-out significantly. ISE wizards are interactive tools that assist the user in configuring various features and functions of ISE, such as certificates, network access devices, authentication and authorization policies, guest access, BYOD, and TrustSec. Pre-canned configurations are predefined templates that provide common settings and values for ISE components, such as policy sets, authorization profiles, and network conditions. The user can apply these templates to quickly configure ISE for specific use cases, such as 802.1X, MAB, or web authentication [3].
The other options, Cisco Active Advisor and the ISE command line, are not accurate descriptions of ISE configuration capabilities. Cisco Active Advisor is a separate cloud-based service that provides network health and security checks, device lifecycle management, and best practice recommendations for Cisco devices. It is not directly related to ISE deployments. The ISE command line is an interface that allows the user to perform administrative tasks, such as backup and restore, password recovery, and troubleshooting. However, ISE does not require an understanding of the command line for set-up and configuration, as most of the functions can be done through the graphical user interface (GUI).
References:
- [1] ISE Deployment Assistant (IDA) - Cisco Identity Services Engine - Cisco
- [2] Cisco Identity Services Engine Administrator Guide, Release 2.7 - Wireless Setup Wizard [Cisco Identity Services Engine] - Cisco
- [3] Cisco Identity Services Engine Administrator Guide, Release 2.7 - ISE Wizards [Cisco Identity Services Engine] - Cisco
- Cisco Active Advisor - Cisco
- Cisco Identity Services Engine CLI Reference Guide, Release 2.7 - Using the Command-Line Interface [Cisco Identity Services Engine] - Cisco
Which three wireless product families are supported in the current DNA-C 1.1 release? (Choose three.)
Options:
A. AP 1260
B. WLC 3504
C. WLC 8540
D. WLC 5508
E. AP 3800
Answer:
B, C, E
Explanation:
The current DNA-C 1.1 release supports the following wireless product families:
- WLC 3504: This is a wireless LAN controller that provides centralized control, management, and troubleshooting for small to medium-sized enterprises and branch offices. It supports up to 150 access points and 3,000 clients, and offers high availability, scalability, and security features. It is compatible with Cisco DNA Center 1.1 and later releases [1].
- WLC 8540: This is a wireless LAN controller that provides centralized control, management, and troubleshooting for large enterprises and service providers. It supports up to 6,000 access points and 64,000 clients, and offers high performance, reliability, and flexibility. It is compatible with Cisco DNA Center 1.1 and later releases [2].
- AP 3800: This is an access point that delivers high-performance wireless connectivity for indoor and outdoor environments. It supports 802.11ac Wave 2 technology, multiuser multiple-input multiple-output (MU-MIMO), flexible radio assignment, and modular design. It is compatible with Cisco DNA Center 1.1 and later releases [3].
References:
- [1] Cisco Wireless LAN Controller 3504 Data Sheet - Cisco
- [2] Cisco 8540 Wireless Controller Data Sheet - Cisco
- [3] Cisco Aironet 3800 Series Access Points Data Sheet - Cisco
Which three options describe fabric overlay concepts? (Choose three.)
Options:
A. Intermediate System to Intermediate System
B. A virtual Local Area Network
C. An Overlay is a logical topology
D. GRE is a type of Overlay
E. A link state routing protocol like OSPF
F. An Overlay uses alternate forwarding attributes
Answer:
C, D, F
Explanation:
Fabric overlay concepts are related to the creation of a virtual network topology on top of a physical network infrastructure. The overlay network is usually designed to provide services or features that are not directly supported by the underlay network, such as network segmentation, mobility, or security. Some of the fabric overlay concepts are:
- An overlay is a logical topology: An overlay network is a network that is built on top of another network using software or hardware devices that encapsulate and decapsulate packets. The overlay network creates a logical topology that is independent of the physical topology of the underlay network. The overlay network can span multiple Layer 2 or Layer 3 domains and provide end-to-end connectivity for the overlay endpoints. An example of an overlay network is a VPN that connects remote sites over the Internet.
- GRE is a type of overlay: Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets of one protocol type within another protocol type. GRE is used to create tunnels between devices that can carry different types of traffic, such as IP, IPv6, MPLS, or Ethernet. GRE is a type of overlay network that can be used to extend Layer 2 or Layer 3 connectivity across different networks or to provide a secure and private communication channel. An example of a GRE overlay network is a DMVPN that uses GRE tunnels to connect branch offices to a central hub over the Internet.
- An overlay uses alternate forwarding attributes: An overlay network uses different attributes or identifiers to forward packets than the underlay network. The overlay network adds specific headers or tags to the packets that contain information about the overlay endpoints, such as their logical addresses, group memberships, or policies. The overlay devices use these attributes to forward packets based on the overlay topology and services, rather than the underlay topology and protocols. The underlay devices are unaware of the overlay attributes and forward packets based on the underlay headers. An example of an overlay network that uses alternate forwarding attributes is a VXLAN network that uses VNIs to segment traffic and provide Layer 2 connectivity over a Layer 3 network.
The other options, Intermediate System to Intermediate System (IS-IS), a virtual Local Area Network (VLAN), and a link state routing protocol like OSPF, are not fabric overlay concepts. IS-IS and OSPF are routing protocols used to exchange routing information and build the routing table of the underlay network. A VLAN is a Layer 2 segmentation technique that divides a physical network into logical subnets based on switch port membership. A VLAN is not an overlay network, but it can be part of the underlay network or the overlay network, depending on the design.
References:
- [1] Fabric Technologies and Overlays - Cisco Learning Network
- [2] What Is a Network Fabric? - Cisco
How many third-party solutions integrate with Cisco's security and network portfolios within ISE?
Options:
A. 30+ 3rd party solutions
B. 60+ 3rd party solutions
C. 20+ 3rd party solutions
D. 45+ 3rd party solutions
E. 25+ 3rd party solutions
Answer:
B
Explanation:
Cisco ISE integrates with more than 60 third-party solutions that span across security and network portfolios. These solutions include network access devices, firewalls, threat detection and prevention systems, vulnerability scanners, endpoint management platforms, cloud services, and more. By integrating with these solutions, Cisco ISE can leverage the information and capabilities of these solutions to enhance the identity and access management, network visibility and segmentation, threat detection and response, and policy enforcement of the network. Some of the examples of third-party solutions that integrate with Cisco ISE are:
- Fortinet: Fortinet integrates with Cisco ISE through pxGrid to share user and device information, security group tags, and endpoint posture status. This enables Fortinet to apply granular and dynamic firewall policies based on the identity and context of the endpoints [1].
- Tripwire: Tripwire integrates with Cisco ISE through pxGrid to share vulnerability and compliance data of the endpoints. This enables Cisco ISE to apply appropriate network access policies based on the risk and compliance level of the endpoints [2].
- Splunk: Splunk integrates with Cisco ISE through REST APIs to collect and analyze the logs and events generated by Cisco ISE. This enables Splunk to provide network and security insights, dashboards, reports, and alerts based on the Cisco ISE data [3].
References:
- [1] Solved: ISE Integration with 3rd party solution - Cisco Community
- [2] Cisco Identity Services Engine Administrator Guide, Release 2.7 - Tripwire Integration [Cisco Identity Services Engine] - Cisco
- [3] Cisco Identity Services Engine Administrator Guide, Release 2.7 - Splunk Integration [Cisco Identity Services Engine] - Cisco
- [4] Cisco Identity Services Engine Administrator Guide, Release 2.7 - ISE Security Ecosystem Integration Guides [Cisco Identity Services Engine] - Cisco
- [5] ISE Security Ecosystem Integration Guides - Cisco Community
Which two options are used as part of an ISE POV? (Choose two.)
Options:
A. dCloud
B. Cisco TV
C. YouTube
D. Implementation on Production Network
E. POV Kit
Answer:
A, E
Explanation:
An ISE PoV (Proof of Value) is a service that demonstrates the value of Cisco Identity Services Engine (ISE) to potential customers. It consists of two components: a virtual machine (VM) and a license. The VM is a pre-configured ISE environment that can be deployed on any cloud platform, such as Cisco dCloud [1]. The license is a one-time payment that grants access to the ISE features and capabilities for three years [2].
The two options that are used as part of an ISE PoV are A and E. Option A refers to the VM, which is the core component of the ISE PoV. Option E refers to the POV Kit, which is a bundle that includes the VM, the license, and some additional resources, such as documentation, videos, and webinars [2]. Options B, C, and D are not used as part of an ISE PoV.
References:
- [1] Cisco dCloud
- [2] ISE PoV licenses