Cisco 500-490 Designing Cisco Enterprise Networks exam Exam Practice Test

 The current digital business era is characterized by the rapid growth and adoption of digital technologies that enable companies to improve their business capabilities, operational efficiencies, and customer experiences. According to various sources, such as McKinsey1 and Forbes23, some of the key focus areas of the current digital business era are:

• IoT scale: The Internet of Things (IoT) refers to the network of physical devices, sensors, and machines that are connected to the internet and can communicate, collect, and exchange data. The IoT scale represents the massive amount and variety of data that are generated and processed by the IoT devices, as well as the potential value and insights that can be derived from them. The IoT scale also poses new challenges and opportunities for businesses, such as enhancing customer engagement, optimizing operations, creating new products and services, and ensuring security and privacy45.
• Automation: Automation refers to the use of technology to perform tasks or processes that would otherwise require human intervention or effort. Automation can increase productivity, efficiency, accuracy, and consistency, as well as reduce costs, errors, and risks. Automation can also enable businesses to scale up or down their operations, respond to changing customer demands, and innovate faster. Automation can be applied to various domains and functions, such as manufacturing, marketing, customer service, finance, and human resources6 .
• Connectivity: Connectivity refers to the ability to access, share, and exchange information and resources across different platforms, devices, and locations. Connectivity can enhance the communication and collaboration among businesses, customers, partners, and employees, as well as enable new business models and value propositions. Connectivity can also create new customer expectations and preferences, such as personalization, convenience, and speed. Connectivity can be enabled by various technologies, such as cloud computing, mobile devices, social media, and artificial intelligence .

References:

1: Digital strategy in the postpandemic era | McKinsey 2: The Business Benefits Of Living In The Most Digital Era Yet - Forbes 3: Why The Era Of Digital Transformation Is Important For … - Forbes 4: [What is IoT? How Smart Devices Impact Businesses in 2021] 5: [The Internet of Things: How IoT is changing the world - Forbes] 6: [What is Automation? Definition, Benefits, and Examples] : [How Automation Is Changing The Future Of Work - Forbes] : [What is Connectivity? Definition, Types, and Examples] : [How Connectivity Is Driving Business Transformation - Forbes]

 Cisco ISE is a comprehensive solution that enables enterprises to enforce consistent and secure access policies across wired, wireless, and VPN connections. It also provides visibility, control, and automation for the network devices, endpoints, users, and applications. To sell Cisco ISE effectively, it is important to highlight the benefits and features of the solution that address the customer’s pain points and needs. Among the options given, two options help you sell Cisco ISE:

• Showcasing the entire ISE feature set: ISE has a rich and diverse feature set that covers various use cases, such as device management, asset visibility, software-defined segmentation, software-defined access, guest and wireless access, BYOD, posture assessment, threat detection and response, and more1. By showcasing the entire ISE feature set, you can demonstrate the value proposition and differentiation of ISE from other solutions, and how it can help the customer achieve their business and technical goals.
• Explaining ISE support for 3rd party network devices: ISE is not limited to Cisco networks only. It can also support 3rd party network devices that comply with the standard protocols and interfaces, such as RADIUS, SNMP, TACACS+, 802.1X, MAB, CoA, and EAP2. By explaining ISE support for 3rd party network devices, you can show the customer that ISE is a flexible and interoperable solution that can work with their existing network infrastructure, and that they do not need to replace their non-Cisco devices to deploy ISE.

The other three options are not helpful for selling Cisco ISE:

• Referring to TrustSec as being only supported on Cisco networks: TrustSec is a Cisco technology that enables software-defined segmentation based on security group tags (SGTs) and security group access control lists (SGACLs)3. TrustSec is not only supported on Cisco networks, but also on 3rd party network devices that can integrate with ISE through pxGrid, which is a platform for sharing contextual information across multiple security products4. By referring to TrustSec as being only supported on Cisco networks, you can create a false impression that ISE is a proprietary and closed solution that requires a complete Cisco network overhaul, which can discourage the customer from adopting ISE.
• Discussing the importance of custom profiling: Profiling is a feature of ISE that allows it to identify and classify the endpoints on the network based on their attributes, such as MAC address, IP address, device type, operating system, etc.5. Custom profiling is the ability to create custom profiles and policies for the endpoints that are not recognized by the default ISE profiles. While custom profiling is an important feature of ISE, it is not a key selling point, because it is a complex and time-consuming process that requires a deep understanding of the endpoint attributes and behaviors, and it may not be relevant or applicable for all customers. By discussing the importance of custom profiling, you can confuse or overwhelm the customer with technical details that are not essential for their use case, and divert their attention from the core benefits and features of ISE.
• Downplaying the value of pxGrid as compared to RESTful APIs: pxGrid is a platform that enables ISE to share contextual information, such as identity, location, posture, device type, etc., with other security products, such as firewalls, SIEMs, threat detection systems, etc.4. RESTful APIs are a standard way of communicating with web services, such as ISE, using HTTP methods, such as GET, POST, PUT, DELETE, etc… Both pxGrid and RESTful APIs are valuable for ISE, because they provide different capabilities and benefits. pxGrid allows ISE to exchange real-time and bidirectional information with other security products, and to enforce consistent policies across the network4. RESTful APIs allow ISE to be integrated with external applications and systems, such as portals, dashboards, workflows, etc., and to automate and customize the network operations. By downplaying the value of pxGrid as compared to RESTful APIs, you can misrepresent the functionality and potential of ISE, and miss the opportunity to showcase how ISE can enhance the security and efficiency of the network.

References:

Cisco Identity Services Engine (ISE) Use Cases1 : Cisco Identity Services Engine Network Component Compatibility, Release 2.72 : Cisco TrustSec3 : Cisco pxGrid4 : Cisco ISE Network Discovery5 : Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Custom Profiling Policies [Cisco Identity Services Engine] - Cisco : Cisco Identity Services Engine API Reference Guide, Release 2.7 - Cisco ISE REST APIs [Cisco Identity Services Engine] - Cisco

If you are looking at a strategic win with a customer and the customer wants to examine Cisco ISE for longer than a few weeks, you should provide them with a downloadable POV kit. A POV kit is a proof of value kit that contains a pre-configured virtual machine of Cisco ISE with licenses, sample data, and documentation. A POV kit allows the customer to quickly and easily deploy and test Cisco ISE in their own environment, without requiring any hardware or installation. A POV kit can help the customer to evaluate the features and benefits of Cisco ISE, such as identity-based access control, device profiling, posture assessment, guest management, and threat mitigation12.

The other options are not suitable for a customer who wants to examine Cisco ISE for longer than a few weeks. Pointing them to our dCloud demo library, giving them our ISE YouTube videos, or giving them some of our flash files that can be played on any browser are good ways to introduce Cisco ISE to the customer, but they do not provide a hands-on experience or a realistic scenario of how Cisco ISE works in their network. Setting them up with a dCloud account or an account on a Cisco UCS server that hosts ISE are also possible ways to provide a demo or a trial of Cisco ISE, but they may have limitations on the duration, availability, scalability, or customization of the environment. A POV kit gives the customer more flexibility and control over their evaluation of Cisco ISE.

References :=

• Solved: ISE PoV licenses - Cisco Community
• Cisco Endpoint Security Analytics (CESA) Built on Splunk Quickstart POV Kit & Deployment Guide - Cisco Community

= Border nodes are the component of the SD-Access fabric that is responsible for communicating with networks that are external to the fabric. Border nodes serve as the gateway between the fabric domain and the network outside of the fabric. Border nodes are responsible for network virtualization inter-working and SGT propagation from the fabric to the rest of the network1. Border nodes also perform LISP Proxy Tunnel Router (PxTR) functions, which convert policy and reachability information, such as SGT and VRF information, from one domain to another2. Border nodes can connect to internal networks, such as data center or WAN, or external networks, such as internet or cloud3.

Edge nodes, control plane nodes, and intermediate nodes are not responsible for communicating with networks that are external to the fabric. Edge nodes are the access-layer switches where all of the endpoints reside. Edge nodes detect clients and register them with the control plane nodes. Edge nodes also provide an anycast L3 gateway for the connected endpoints and perform encapsulation and de-encapsulation of data traffic4. Control plane nodes are the devices that run a host tracking database to map location information. Control plane nodes receive endpoint ID map registrations from edge and/or border nodes and resolve lookup requests from edge and/or border nodes to locate destination endpoint IDs5. Intermediate nodes are the devices that provide underlay connectivity between edge nodes and border nodes. Intermediate nodes do not participate in the fabric overlay and do not have any fabric roles6.

References :=

• Role of Fabric Border Node & IS-IS protocol in Cisco SD-Access
• Software Defined Access Network Fabric Roles - Study CCNP
• Cisco SD-Access
• SD-Access Fabric Troubleshooting Guide - Cisco
• Cisco SD-Access Solution Design Guide (CVD) - Cisco
• Cisco SD-Access Solution Design Guide (CVD) - Cisco
• Cisco SD-Access Solution Design Guide (CVD) - Cisco

Cisco SD-WAN vEdge routers can mitigate DoS attacks against the infrastructure by using two mechanisms:

• Only authorized controllers are allowed to communicate back to the vEdge router after the vEdge router establishes connection with the controllers. This means that the vEdge router initiates a secure connection to the vSmart controller and the vBond orchestrator using DTLS or TLS, and verifies their identity using certificates. The vEdge router does not accept any incoming connections from the controllers, and only responds to the messages that match the established sessions. This prevents unauthorized or malicious traffic from reaching the vEdge router and consuming its resources12.
• By default, all incoming traffic is denied at the transport (WAN) side interfaces. This means that the vEdge router applies an implicit deny-all policy to any traffic that arrives from the WAN side, unless it is explicitly allowed by a security policy. The security policy can be configured to permit only the traffic that matches certain criteria, such as source, destination, protocol, port, or application. This reduces the attack surface of the vEdge router and protects it from unwanted or harmful traffic34.

References:

• Cisco SD-WAN Security Features
• Cisco SD-WAN Design Guide
• Cisco SD-WAN Security Policy Configuration Guide
• Cisco SD-WAN vEdge Routers Denial of Service Vulnerability

The protocol that runs between the vSmart controllers and between the vSmart controllers and the vEdge routers, and unifies all control plane functions under a single protocol umbrella is the Overlay Management Protocol (OMP)12. OMP is a proprietary protocol that is designed to enable the Cisco SD-WAN solution, which provides a software overlay that runs over standard network transport, including MPLS, broadband, and internet to deliver applications and services3. OMP provides the following services12:

• Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN or VRF topologies
• Distribution of service-level routing information and related location mappings
• Distribution of data plane security parameters
• Central control and distribution of routing policy

OMP is an all-encompassing information management and distribution protocol that enables the overlay network by separating services from transport. Services provided in a typical VPN setting are usually located within a VPN domain, and they are protected so that they are not visible outside the VPN. In such a traditional architecture, it is a challenge to extend VPN domains and service connectivity. OMP addresses these scalability challenges by providing an efficient way to manage service traffic based on the location of logical transport end points. This method extends the data plane and control plane separation concept from within routers to across the network2.

References:

1: Routing Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20.x - Unicast Overlay Routing 2: Introduction to Overlay Management Protocol in Viptela 3: Cisco SD-WAN vEdge vManage vSmart IBM

 The discovery process is a critical phase in the sales cycle, where the SE gathers information about the customer’s network environment, business goals, challenges, and needs. The discovery process helps the SE to understand the customer’s pain points, identify opportunities, and propose solutions that align with the customer’s objectives and address their problems. The discovery process also helps the SE to establish credibility, trust, and rapport with the customer, and to map Cisco innovation to the customer’s needs.

Some of the activities that should occur during the SE’s discovery process are:

• Gathering information about the current state of the customer’s network environment. This includes collecting data about the network topology, devices, protocols, applications, performance, security, availability, scalability, and management. The SE can use various tools and methods to gather this information, such as interviews, questionnaires, surveys, audits, assessments, and network analysis tools. Gathering information about the current state helps the SE to understand the customer’s existing network capabilities, limitations, and gaps, and to benchmark the network against best practices and industry standards12
• Mapping Cisco innovation to the customer’s needs. This involves identifying how Cisco products, solutions, and services can help the customer achieve their desired outcomes, address their challenges, and overcome their pain points. The SE can use various tools and methods to map Cisco innovation to the customer’s needs, such as value proposition, business case, return on investment (ROI) analysis, proof of value (POV), proof of concept (POC), and demonstrations. Mapping Cisco innovation to the customer’s needs helps the SE to show the value and benefits of Cisco solutions, differentiate Cisco from competitors, and influence the customer’s decision making34

References:

1: Cisco Discovery Service 2: Cisco Network Assessment Services 3: Cisco Catalyst SD-WAN Demos 4: Cisco Business Critical Services

 Cisco ISE use cases can be classified into four categories: device management, asset visibility, software-defined segmentation, and software-defined access. Each of these use cases has a different level of implementation complexity, depending on the network size, topology, security requirements, and integration with other technologies. Among these use cases, software-defined segmentation and software-defined access typically involve the highest level of implementation complexity, because they require:

• A thorough understanding of the network architecture and design principles, such as hierarchical, modular, and scalable design.
• A comprehensive assessment of the network devices, endpoints, users, applications, and policies, and their interdependencies and interactions.
• A careful planning and testing of the network segmentation and access policies, using tools such as Cisco TrustSec, Cisco DNA Center, Cisco SD-Access, and Cisco ISE .
• A smooth and secure migration from the existing network to the software-defined network, with minimal disruption and downtime.
• A continuous monitoring and optimization of the network performance, security, and compliance, using tools such as Cisco Stealthwatch, Cisco Tetration, and Cisco ISE .

References:

Cisco Identity Services Engine (ISE) Use Cases, : Cisco Enterprise Network Architecture and Design, : Cisco ISE Network Discovery, : Cisco TrustSec, : Cisco DNA Center, : Cisco SD-Access, : Cisco ISE Software-Defined Access, : Cisco SD-Access Migration Guide, : Cisco Stealthwatch, : Cisco Tetration, : Cisco ISE Monitoring and Troubleshooting,

Cisco DNA Assurance provides three key differentiators that our competitors are unable to match:

• Proactive approach to guided remediation: Cisco DNA Assurance uses AI and machine learning to analyze network data and provide insights on network performance, issues, and optimization. It also offers guided remediation options that automate the process of issue resolution and performance enhancement. This reduces manual troubleshooting operations and saves time and resources for network administrators12.
• Apple Insights: Cisco DNA Assurance integrates with Apple devices and applications to provide enhanced visibility and analytics on the user experience and network performance. It also leverages the Fast Lane feature to prioritize critical iOS and macOS traffic over the wireless network. This improves the quality of service and collaboration for Apple users and applications13.
• Network time travel: Cisco DNA Assurance allows network administrators to go back in time and view the network state and health at any given point. This enables them to identify the root cause of issues, compare network performance over time, and troubleshoot historical problems. This feature is unique to Cisco DNA Assurance and provides a powerful tool for network analysis and optimization1 .

References:

1: Cisco DNA Assurance: AI/ML guided IT operations (AIOps) At-a-Glance 2: Leveraging Cisco Intent-Based Networking DNA Assurance (DNAAS) 3: Cisco DNA Assurance Unlocking the Power of Data, page 39 : Cisco DNA Assurance Unlocking the Power of Data, page 74

 Cisco SD-Access is a solution within Cisco DNA, which is built on intent-based networking principles. Cisco SD-Access provides visibility-based, automated end-to-end segmentation to separate user, device, and application traffic without redesigning the underlying physical network1. Cisco SD-Access also enables programmable overlays that allow network virtualization across the campus, branch, data center, and cloud2. Cisco SD-Access has two main components: the fabric and the policy3.

The fabric is the network overlay that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. The fabric nodes are classified into four types: edge nodes, border nodes, control plane nodes, and intermediate nodes. The edge nodes are the access switches or wireless controllers that connect to the end devices. The border nodes are the routers or switches that connect the fabric to external networks, such as the Internet, WAN, or data center. The control plane nodes are the routers or switches that maintain the mapping between the endpoint identifiers and the network locators. The intermediate nodes are the routers or switches that provide transit services within the fabric3.

The policy is the network configuration that defines the network behavior and outcomes, based on the business intent and requirements. The policy is composed of three elements: the endpoint groups, the contracts, and the virtual networks. The endpoint groups are the logical containers that group the endpoints based on their attributes, such as user identity, device type, or application. The contracts are the rules that specify the allowed interactions between the endpoint groups, such as the protocols, ports, and quality of service. The virtual networks are the logical partitions that isolate the endpoint groups and contracts from each other, based on the network scope and security3.

Cisco SD-Access addresses the following challenges and benefits:

• It simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.
• It enhances the network security and compliance, as it enforces granular and dynamic policies based on the endpoint identity and context, rather than the network topology and IP addresses.
• It improves the network performance and user experience, as it optimizes the network path, load balancing, and traffic engineering based on the network conditions and application requirements.
• It enables the network agility and scalability, as it supports the rapid deployment and integration of new devices, applications, and services, without affecting the existing network operations.

References:

• Cisco Software-Defined Access - Cisco Software-Defined Access Solution Overview
• What Is Software-Defined Access? - SD-Access - Cisco
• Cisco SD-Access Architecture Overview