Free Cisco 500-490 Practice Exam with Questions & Answers

 A cloud-based SD-WAN deployment is a model of delivering SD-WAN services from the cloud, rather than from on-premises hardware or software appliances. A cloud-based SD-WAN deployment has several benefits, such as:

Instant scale: A cloud-based SD-WAN deployment can scale up or down the network resources and bandwidth on demand, without requiring additional hardware or manual configuration. This enables the network to adapt to the changing traffic patterns and user demands, while optimizing the network performance and efficiency12.

Reduced costs: A cloud-based SD-WAN deployment can lower the capital and operational expenses of the network, by eliminating the need for expensive and complex WAN infrastructure, such as MPLS circuits, routers, firewalls, and WAN optimization devices. A cloud-based SD-WAN deployment can also leverage the economies of scale and the pay-as-you-go model of the cloud, which can reduce the network costs per megabit12.

Simplified management: A cloud-based SD-WAN deployment can simplify the network management and operation, by providing a centralized and unified dashboard that can monitor, configure, and troubleshoot the network across multiple sites and regions. A cloud-based SD-WAN deployment can alsoautomate the network provisioning, orchestration, and optimization, by applying intelligent policies and analytics based on the business intent and network conditions12.

Enhanced security: A cloud-based SD-WAN deployment can enhance the network security and compliance, by providing built-in and integrated security features, such as encryption, firewall, VPN, IPS, and antivirus. A cloud-based SD-WAN deployment can also leverage the cloud security services, such as SASE, toprovide secure and direct access to the cloud applications and platforms, without compromising the network performance and user experience123.

Improved cloud readiness: A cloud-based SD-WAN deployment can improve the cloud readiness and agility of the network, by enabling seamless and optimized connectivity to the public cloud, SaaS, and cloud interconnect providers. A cloud-based SD-WAN deployment can also support the multicloud and hybrid-cloud strategies, by allowing the network to operate as a cloud-native WAN overlay, using software-defined automation and orchestration tools123.

References:

What Is SD-WAN? - Software-Defined WAN (SDWAN) - Cisco

SD-WAN Benefits: 5 Business Advantages of SD-WAN - Fortinet

What are the Benefits of SD-WAN? - Cisco

What are the Benefits of SD-WAN?

SD-WAN and SASE: The new landscape of networking

https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000P3hKMAAZ <ui__urlRedirect=learning-activity-from-plan<ui__parentUrl=

SD-Access - High Level Branch Design-Software Defined Access @ 0:34https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000O0wmZAAR <ui__urlRedirect=learning-activity-from-plan<ui__parentUrl=

https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2020/pdf/BRKCRS-3493.pdf

Cisco ISE is a policy decision point that enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations. Some features and benefits of Cisco ISE include1:

Zero trust across the network: ISE allows only trusted users and devices access to resources on your network. It also uses intel to automatically identify, classify and profile devices.

Policy and lifecycle management: ISE simplifies the delivery of consistent, highly secure access control across wired, wireless, and VPN connections. It also allows users to add and manage their own devices through self-service portals.

Remote management and deployment: ISE supports cloud-based deployment and management, as well as integration with other Cisco products and third-party solutions.

Site survivability: ISE provides local authentication and authorization services for remote sites, even when the connection to the central ISE server is lost.

Visibility of all devices and their users: ISE can provide data about when a specific device connected to the network, what type of device it is, who is using it, what applications are running on it, and where it is located.

Among these features, two statements are true regarding Cisco ISE:

ISE plays a critical role in SD-Access: SD-Access is a network architecture that uses software-defined networking (SDN) principles to create a secure, scalable, and consistent network fabric. ISE is the policy engine that defines and enforces the network segmentation and access policies for SD-Access2.

ISE can provide data about when a specific device connected to the network: ISE uses a number of probes to collect attributes for all endpoints on the network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups. ISE can also provide historical data about the endpoint connections, such as the time, duration, location, and user of the connection3.

The other three statements are false regarding Cisco ISE:

The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation: ISE provides more than just user experience and VLAN segmentation. It also delivers business outcomes such as improved network performance, reduced operational costs, increased security, and simplified compliance4.

An ISE deployment requires only a Cisco ISE network access control appliance: ISE can be deployed on different platforms, such as physical appliances, virtual machines, or cloud services. An ISE deployment also requires other components, such as network devices, endpoints, and external identity sources5.

Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves: ISE can provide the location information of an endpoint based on the network device that it is connected to, such as the switch port or the wireless access point. However, to track the actual physical location of a wireless endpoint as it moves, ISE needs to integrate with other products, such as Cisco DNA Center, Cisco Connected Mobile Experiences (CMX), or Cisco Wireless LAN Controller (WLC)6.

References:

Cisco Content Hub - Cisco ISE Features1 : Cisco SD-Access Solution Design Guide (CVD) - Cisco2 : Cisco ISE Network Discovery3 : Cisco Identity Services Engine (ISE) - Cisco4 : Cisco Identity Services Engine Hardware Installation Guide,Release 2.7 - Cisco ISE Deployment [Cisco Identity Services Engine] - Cisco5 : Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Location Mapping [Cisco Identity Services Engine] - Cisco6

Slide 5 & 7https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000Kfw0EAAR <ui__urlRedirect=learning-activity-from-plan<ui__parentUrl=

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKRST-2377.pdf

 SD-WAN demonstrations are an effective way to showcase the benefits and features of Cisco SD-WAN solutions to potential customers. However, not all demos are created equal, and there are some best practices to follow to ensure a successful and engaging demo. Here are some explanations for why C and E are true statements regarding SD-WAN demonstrations:

C. During a demo, you should consider the target audience and the desired outcome. This is a true statement because different audiences may have different levels of technical knowledge, business needs, and expectations from the demo. For example, a demo for a C-level executive may focus more on the business outcomes and value proposition of SD-WAN, while a demo for a network engineer may dive deeper into the technical details and configuration options. Therefore, it is important to tailor the demo to the specific audience and the desired outcome, such as generating interest, building trust, or closing a deal.

E. There is a big difference between demos that use a top down approach and demos that use a bottom up approach. This is also a true statement because the two approaches have different advantages and disadvantages, and may suit different scenarios. A top down approach starts with the high-level overview of the SD-WAN solution, such as the architecture, components, benefits, and use cases, and then drills down into the specific features and functionalities. A bottom up approach starts withthe low-level details of the SD-WAN solution, such as the configuration, troubleshooting, and testing, and then builds up to the big picture and value proposition. A top down approach may be more suitable for a non-technical or business-oriented audience, while a bottom up approach may be more suitable for a technical or hands-on audience.

References :=

Cisco SD-WAN Demonstration Guide

SD-WAN Best Practices | Kentik Blog

SD-WAN best practices for a successful implementation

SD-WAN best practices - VMware Blogs

Stay focused and develop a custom story guide taking into consideration the target audience, desired outcome and story to tell while demonstrating the Viptela solution capabilities Slide 151 = There is a big difference demoing using a top down vs. bottom up approachhttps://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000P3hKMAAZ <ui__urlRedirect=learning-activity-from-plan<ui__parentUrl=learning-activity-from-plan

 Cisco ISE is a comprehensive solution that enables enterprises to enforce consistent and secure access policies across wired, wireless, and VPN connections. It also provides visibility, control, and automation for the network devices, endpoints, users, and applications. To sell Cisco ISE effectively, it is important to highlight the benefits and features of the solution that address the customer’s pain points and needs. Among the options given, two options help you sell Cisco ISE:

Showcasing the entire ISE feature set: ISE has a rich and diverse feature set that covers various use cases, such as device management, asset visibility, software-defined segmentation, software-defined access, guest and wireless access, BYOD, posture assessment, threat detection and response, and more1. By showcasing the entire ISE feature set, you can demonstrate the value proposition and differentiation of ISE from other solutions, and how it can help the customer achieve their business and technical goals.

Explaining ISE support for 3rd party network devices: ISE is not limited to Cisco networks only. It can also support 3rd party network devices that comply with the standard protocols and interfaces, such as RADIUS, SNMP, TACACS+, 802.1X, MAB,CoA, and EAP2. By explaining ISE support for 3rd party network devices, you can show the customer that ISE is a flexible and interoperable solution that can work with their existing network infrastructure, and that they do not need to replace their non-Cisco devices to deploy ISE.

The other three options are not helpful for selling Cisco ISE:

Referring to TrustSec as being only supported on Cisco networks: TrustSec is a Cisco technology that enables software-defined segmentation based on security group tags (SGTs) and security group access control lists (SGACLs)3. TrustSec is not only supported on Cisco networks, but also on 3rd party network devices that can integrate with ISE through pxGrid, which is a platform for sharing contextual information across multiple security products4. By referring to TrustSec as being only supported on Cisco networks, you can create a false impression that ISE is a proprietary and closed solution that requires a complete Cisco network overhaul, which can discourage the customer from adopting ISE.

Discussing the importance of custom profiling: Profiling is a feature of ISE that allows it to identify and classify the endpoints on the network based on their attributes, such as MAC address, IP address, device type, operating system, etc.5. Custom profiling is the ability to create custom profiles and policies for the endpoints that are not recognized by the default ISE profiles. While custom profiling is an important feature of ISE, it is not a key selling point, because it is a complex and time-consuming process that requires a deep understanding of the endpoint attributes and behaviors, and it may not be relevant or applicable for all customers. By discussing the importance of custom profiling, you can confuse or overwhelm the customer with technical details that are not essential for their use case, and divert their attention from the core benefits and features of ISE.

Downplaying the value of pxGrid as compared to RESTful APIs: pxGrid is a platform that enables ISE to share contextual information, such as identity, location, posture, device type, etc., with other security products, such as firewalls, SIEMs, threat detection systems, etc.4. RESTful APIs are a standard way of communicating with web services, such as ISE, using HTTP methods, such as GET, POST, PUT, DELETE, etc… Both pxGrid and RESTful APIs are valuable for ISE, because they provide different capabilities and benefits. pxGrid allows ISE to exchange real-time and bidirectional information with other security products, and to enforce consistent policies across the network4. RESTful APIs allow ISE to be integrated with external applications and systems, such as portals, dashboards, workflows, etc., and to automate and customize the network operations. By downplaying the value of pxGrid as compared to RESTful APIs, you can misrepresent the functionality and potential of ISE, and miss the opportunity to showcase how ISE can enhance the security and efficiency of the network.

References:

Cisco Identity Services Engine (ISE) Use Cases1 : Cisco Identity Services Engine Network Component Compatibility, Release 2.72 : Cisco TrustSec3 : Cisco pxGrid4 : Cisco ISE Network Discovery5 : Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Custom Profiling Policies [Cisco Identity Services Engine] - Cisco : Cisco Identity Services Engine API Reference Guide, Release 2.7 - Cisco ISE REST APIs [Cisco Identity Services Engine] - Cisco

= Border nodes are the component of the SD-Access fabric that is responsible for communicating with networks that are external to the fabric. Border nodes serve as the gateway between the fabric domain and the network outside of the fabric. Border nodes are responsible for network virtualization inter-working and SGT propagation from the fabric to the rest of the network1. Border nodes also perform LISP Proxy Tunnel Router (PxTR) functions, which convert policy and reachability information, such as SGT and VRF information, from one domain to another2. Border nodes can connect to internal networks, such as data center or WAN, or external networks, such as internet or cloud3.

Edge nodes, control plane nodes, and intermediate nodes are not responsible for communicating with networks that are external to the fabric. Edge nodes are the access-layer switches where all of the endpoints reside. Edge nodes detect clients and register them with the control plane nodes. Edge nodes also providean anycast L3 gateway for the connected endpoints and perform encapsulation and de-encapsulation of data traffic4. Control plane nodes are the devices that run a host tracking database to map location information. Control plane nodes receive endpoint ID map registrations from edge and/or border nodes and resolve lookup requests from edge and/or border nodes to locate destination endpoint IDs5. Intermediate nodes are the devices that provide underlay connectivity between edge nodes and border nodes. Intermediate nodes do not participate in the fabric overlay and do not have any fabric roles6.

References :=

Role of Fabric Border Node & IS-IS protocol in Cisco SD-Access

Software Defined Access Network Fabric Roles - Study CCNP

Cisco SD-Access

SD-Access Fabric Troubleshooting Guide - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations1. Two of the statements that are true regarding Cisco ISE are:

ISE can detect endpoints whose addresses have been translated via NAT: Cisco ISE can discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security1. Cisco ISE can also detect endpoints whose addresses have been translated via NAT by using various methods, such as passive and active discovery, NMAP scanning, DHCP snooping, and RADIUS accounting234.

The number of logs that ISE can retain is determined by your disk space: Cisco ISE provides a logging mechanism that is used for auditing, faultmanagement, and troubleshooting. The logging mechanism helps you to identify fault conditions in deployed services and troubleshoot issues efficiently. You can configure your Cisco ISE node to collect the logs in the local systems using a virtual loopback address5. The number of logs that ISE can retain is determined by your disk space, as well as the data purging settings that you can configure under Administration > System > Maintenance > Data Purging6. You can also configure Cisco ISE to send its logs to a remote system for greater retention history7.

The other statements are not true regarding Cisco ISE, because:

In distributed deployments, failover from primary to secondary Policy Administration Nodes happens automatically: Cisco ISE supports high availability for the Administration persona, which provides centralized configuration and management of the distributed deployment. You can configure one primary Administration ISE node and one secondary Administration ISE node for high availability. However, the failover from primary to secondary Policy Administration Nodes does not happen automatically, unless you enable the automatic failover feature and configure a health check node to monitor the primary node’s status8. Otherwise, you have to manually promote the secondary node to become the primary node in case of a failure9.

In two-node standalone ISE deployments, failover must be done manually: Cisco ISE supports high availability for the Policy Service persona, which provides network access, posture, guest access, client provisioning, and profiling services. You can configure multiple Policy Service Nodes (PSNs) in a node group to provide session failover and load balancing for the endpoints. In a two-nodestandalone ISE deployment, where each node assumes all the personas, the failover for the Policy Service persona does not need to be done manually, as long as the network access devices are configured to use both nodes for RADIUS and TACACS services10.

ISE supports IPv6 downloadable ACLs: Cisco ISE supports downloadable ACLs (DACLs), which are configured and implemented through authorization profiles. DACLs are used to enforce granular access control policies for the endpoints based on their identity and other attributes. However, Cisco ISE does not support IPv6 downloadable ACLs, as it only supports IPv4 ACLs for RADIUS and TACACS protocols1112.

References:

1: Cisco Content Hub - Cisco ISE Features 2: Cisco ISE Profiler Service Overview 3: ISE Deployment through NAT Boundaries - Cisco Community 4: Configure ISE 3.3 Native IPSec to Secure NAD (IOS-XE) Communication - Cisco 5: Logging [Cisco Identity Services Engine] - Cisco Systems 6: ISE maximum logging time / data retention - Cisco Community 7: Logs retention on ISE - Cisco Community 8: Cisco Identity Services Engine Administrator Guide, Release 2.4 9: Setting Up Cisco ISE in a Distributed Environment 10: Cisco Content Hub - Network Deployments in Cisco ISE 11: Cisco Identity Services Engine Administrator Guide, Release 2.2 12: Solved: ISE: support for IPv6 DACL’s - Cisco Community

"There is no automatic failover for the Administration persona."https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html...Newer platforms and ISE versions appear to support ipv6 dacl just fine now

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKDCN-2489.pdf Slide 20 -Overlay -VNID -Group Based Policy

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKDCN-2489.pdf