vEdge is the Cisco SD-WAN component that provides a secure data plane with remote vEdge routers. vEdge routers are the devices that sit at the edge of the SD-WAN fabric and connect to the WAN transports, such as MPLS, Internet, or LTE. vEdge routers establish secure IPsec tunnels with other vEdge routers in the fabric and exchange routing and policy information with the vSmart controller. vEdge routers also perform application-aware routing, QoS, and security functions on the data plane traffic. vEdge routers can be physical or virtual devices and can be deployed in branch, campus, data center, or cloud environments [1].
The other options, vBond, vSmart, and vManage, are not the components that provide a secure data plane with remote vEdge routers. vBond is the orchestrator that performs the initial authentication and authorization of vEdge routers and points them to their vSmart controllers. vSmart is the controller that distributes the control and data policies and the network topology information to the vEdge routers. vManage is the management platform that provides centralized configuration, monitoring, and troubleshooting of the SD-WAN fabric [1].
References:
1: Cisco SD-WAN Getting Started Guide - Cisco SD-WAN Overview [Cisco SD-WAN] - Cisco
Questions 5
Which is a key function of a Digital Network?
Options:
A.
Centralized provisioning
B.
Provides secure data plane with remote vEdge routers
A Digital Network is a network that is based on the Cisco Digital Network Architecture (Cisco DNA), which is an open and extensible, software-driven network architecture designed to rapidly deliver services that enable IT to innovate faster, reduce costs and complexity, lower risk, and comply with regulatory requirements [1]. A key function of a Digital Network is centralized provisioning, which allows IT to automate the deployment and configuration of network devices and services from a single platform, such as Cisco DNA Center [2]. Centralized provisioning simplifies network management, reduces human error, and accelerates network changes.
References:
1: [Cisco Digital Network Architecture]
2: [Cisco DNA Software - Digital Network Architecture - Cisco]
Questions 6
Which are three Cisco ISE use cases? (Choose three.)
Cisco ISE is a network access control solution that uses policy-based decision making to determine whether a device is allowed access to the network and, if allowed, what level of access the device is given [1]. Cisco ISE can also provide authentication, authorization, and accounting (AAA) through the RADIUS protocol and device administration through the TACACS+ service [1].
Some of the use cases of Cisco ISE are:
Access Control: Cisco ISE can grant and control the right level of network access for both wired and wireless devices, mainly by employing the 802.1X protocol and EAPoL (EAP over LAN) [1]. Cisco ISE can also use MAC authentication bypass (MAB) to authenticate devices that are unable to use EAP [1]. Additionally, Cisco ISE can integrate with Microsoft Active Directory to confirm user identity [1].
Assurance: Cisco ISE can monitor and troubleshoot its own features and analyze trends in network activity from a centralized admin node [2]. Cisco ISE can also share endpoint and session context with user and entity behavior analytics (UEBA), enterprise mobility management/mobile device management (EMM/MDM), and security information and event management (SIEM) platforms, and provide reports on segmentation [3][4].
Monitoring: Cisco ISE can provide endpoint visibility with context by collecting and analyzing data from various sources such as endpoints, users, applications, devices, networks, and cloud services [4]. Cisco ISE can also provide real-time alerts and notifications on security events and anomalies [4].
Questions 7
Where does the Cisco V-Edge Router perform QOS traffic classification?
The Cisco vEdge router performs QoS traffic classification on the ingress interface, before the traffic enters the VPN. The classification is based on the match criteria specified in an access list, which can include source and destination IP addresses, ports, protocols, DSCP values, and application-aware (NBAR) attributes. Classification assigns a forwarding class and a QoS group to each packet. The forwarding class selects the output queue and the scheduling policy applied to the packet on the egress interface. The QoS group is an internal label that can be used to remark the DSCP value of the packet or to match the packet in another access list for further processing.
References:
: Forwarding and QoS Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20, Chapter 2: Configuring Localized Data Policy, https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/qos/vEdge-20-x/qos-book/localized-data-policy.html#id_1050591
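The ingress-classify / egress-queue split described above, as an added vEdge CLI example written for this page (not configuration taken from the cited guide). The interface names ge0/2 (service side, VPN 1) and ge0/0 (transport side, VPN 0), the class and list names, and the 10.1.10.0/24 prefix are assumptions; lines beginning with "! " are annotations for the reader, not part of the configuration.

```text
! Forwarding classes: each maps to one of the 8 hardware queues
policy
 class-map
  class VOICE queue 0
  class CRITICAL-DATA queue 1
  class BULK queue 2
 !
 ! Ingress classification: first matching sequence wins, then default-action
 access-list QOS-CLASSIFY
  sequence 10
   match
    dscp 46
   !
   action accept
    class VOICE
   !
  !
  sequence 20
   match
    source-ip 10.1.10.0/24
    destination-port 443
   !
   action accept
    class CRITICAL-DATA
    set
     dscp 26
    !
   !
  !
  default-action accept
 !
 ! Egress scheduling: the forwarding class chosen at ingress picks the queue here
 qos-scheduler VOICE-SCHED
  class VOICE
  bandwidth-percent 20
  buffer-percent 20
  scheduling llq
  drops tail-drop
 !
 qos-map WAN-QOS
  qos-scheduler VOICE-SCHED
 !
!
! Classify on the LAN-facing interface as traffic arrives (in)
vpn 1
 interface ge0/2
  access-list QOS-CLASSIFY in
 !
!
! Queue on the WAN-facing interface as traffic leaves toward the IPsec tunnel
vpn 0
 interface ge0/0
  qos-map WAN-QOS
 !
!
```

Two practitioner caveats. First, sequence 10 trusts whatever DSCP the endpoint set: any host on the service side that marks its packets EF (46) lands in the low-latency queue, so on segments you do not control, match on prefix, port, or application instead of DSCP, or attach a policer to the sequence so a single host cannot starve queue 0. Second, the `set dscp` in sequence 20 rewrites the inner header; what the transport network sees on the outer IPsec header is governed separately by the rewrite rules on the tunnel interface, so verify both with `show policy access-list-counters` and a capture on the WAN side.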
The default interval for BFD packets is 1 second. BFD uses hello packets to detect liveness and faults on a connection. On vEdge routers, BFD hello packets are sent at a default interval of 1000 milliseconds on every transport color [1]; the hello interval and detection multiplier can be changed per transport color. On other platforms, the transmit and receive intervals can also be configured at the interface level or the BFD session level, depending on the device and the protocol [2][3][4]. Per RFC 5880, the BFD detection time in asynchronous mode is the product of the detection multiplier advertised by the remote system and the agreed transmit interval of the remote system. The lower the BFD detection time, the faster the BFD session can detect a fault. However, a lower BFD detection time also consumes more system resources and bandwidth, and on lossy transports it raises the risk of false failovers. Therefore, the BFD detection time should be configured according to the network situation and performance requirements.
References:
: Bidirectional Forwarding Detection - Cisco
: Configuring the BFD Detection Time - CloudEngine 16800 … - Huawei
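The per-color tuning discussed above, as an added vEdge CLI example written for this page (not configuration from the cited documents). The color names and the chosen values are assumptions; lines beginning with "! " are annotations, not part of the configuration.

```text
! Default behaviour made explicit: 1000 ms hello x multiplier 7 = 7 s detection time
bfd color mpls
 hello-interval 1000
 multiplier 7
 pmtu-discovery
!
! Aggressive timers on a clean private transport: 300 ms x 3 = 900 ms detection time.
! Both peers must agree on the interval, and every tunnel on this color now sends
! roughly three times the BFD traffic of the default.
bfd color private1
 hello-interval 300
 multiplier 3
 pmtu-discovery
!
! Conservative timers on a lossy LTE transport so a few dropped hellos do not
! trigger a failover: 1000 ms x 10 = 10 s detection time.
bfd color lte
 hello-interval 1000
 multiplier 10
 pmtu-discovery
!
! Application-aware routing uses BFD for loss/latency/jitter too: it samples every
! poll-interval (ms) and keeps multiplier windows, so these defaults give a 60 min view.
bfd app-route
 poll-interval 600000
 multiplier 6
!
```

After committing, `show bfd sessions` lists each tunnel with its local and remote colors, state, and the negotiated transmit interval and multiplier; the detection time you should expect is the remote multiplier times the agreed interval shown there, which will not match your local setting if the peer is configured differently.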
Some of the statements that are true regarding Cisco SD-WAN license tiers are:
With the Pro license, control and data policies are supported [2]. This license tier enables network operators to define and enforce policies for traffic shaping, quality of service (QoS), application optimization, and security [2].
With the Plus license, split-tunnel is supported [3]. This license tier enables network operators to use split-tunneling to route traffic over different paths based on application or user preferences [3].
With the Enterprise license, vAnalytics is included [4]. This license tier enables network operators to use the vAnalytics feature to collect and analyze data from various sources such as endpoints, applications, devices, networks, and cloud services, giving visibility into application performance and WAN transport health [4].
Questions 10
Which are three functions used by ISE automation BYOD flow? (Choose three.)
The ISE automated BYOD flow is a process that allows users to self-enroll their devices on the network without requiring IT intervention. The process consists of three main functions: certificate enrollment, device registration, and supplicant provisioning.
Certificate enrollment is the function that allows users to obtain a digital certificate from a certificate authority (CA) for their devices. This certificate is used to authenticate the device to the network (typically with EAP-TLS) and to secure its communication. ISE supports different CA options, such as Microsoft CA, the Cisco ISE internal CA, or a third-party CA.
Device registration is the function that allows users to register their devices on the network and associate them with their identity. This enables ISE to apply policies based on device type, ownership, and posture. ISE supports different device registration methods, such as portal-based, API-based, or bulk import.
Supplicant provisioning is the function that allows users to install and configure a network access client (supplicant) on their devices. This client is used to connect to the network with the appropriate protocols and settings. ISE supports different supplicant provisioning methods, such as the native supplicant, Cisco Network Setup Assistant (NSA), or Cisco AnyConnect Secure Mobility Client (AnyConnect).