Cisco 500-470 Cisco Enterprise Networks SDA - SDWAN and ISE Exam for System Engineers Exam Practice Test

Self-healing functionality on vEdges refers to the ability of the vEdge routers to recover from failures or errors that affect their connectivity or performance. Two examples of self-healing functionality on vEdges are:

• In software upgrade process, rolling back to the previously running software image when connectivity to vManage fails: When a vEdge router is upgraded to a new software version, it maintains a backup copy of the previous software image and configuration. If the vEdge router loses connectivity to the vManage controller during or after the upgrade process, it automatically reboots and restores the previous software image and configuration. This ensures that the vEdge router can resume its normal operation and reconnect to the vManage controller1.
• With configuration change, rolling back the configuration change when loss of connectivity to vManage: When a vEdge router receives a configuration change from the vManage controller, it applies the change and verifies the connectivity to the vManage controller. If the vEdge router detects that the configuration change has caused a loss of connectivity to the vManage controller, it automatically reverts the configuration change and restores the previous configuration. This prevents the vEdge router from being isolated from the vManage controller and the rest of the SD-WAN fabric2.

References:

• : Software Upgrade for vEdge Routers - Viptela Documentation
• : Configuration Rollback - Viptela Documentation

https://www.cisco.com/en/US/technologies/tk648/tk365/tk207/technologies_white_paper0900 aecd80243fe7.html

 The default interval for BFD packets is 1 second. BFD uses Hello packets to detect the liveness and faults on a connection. BFD Hello Interval packet is sent at the default interval of 1000 milliseconds on all connections1. This command can be used to change the hello interval for a transport color. The interval for transmitting and receiving BFD packets can also be configured on the interface level or the BFD session level, depending on the device and the protocol234. The BFD detection time is calculated as the product of the local detection multiplier and the agreed remote transmission interval. The lower the BFD detection time, the faster the BFD session can detect a fault. However, a lower BFD detection time also consumes more system resources and bandwidth. Therefore, the BFD detection time should be configured according to the network situation and performance requirements. References:

• : Bidirectional Forwarding Detection - Cisco
• : Configuring the BFD Detection Time - CloudEngine 16800 … - Huawei
• : Cisco IOS XE Catalyst SD-WAN Qualified Command Reference
• : bfd min-echo-receive-interval - Aruba

https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.2/05Sec urity/01Security_Overview/Data_Plane_Security_Overview

 vEdge is the Cisco SD WAN component that provides a secure data plane with remote vEdge routers. vEdge routers are the devices that sit at the edge of the SD WAN fabric and connect to the WAN transports, such as MPLS, Internet, or LTE. vEdge routers establish secure IPsec tunnels with other vEdge routers in the fabric and exchange routing and policy information with the vSmart controller. vEdge routers also perform application-aware routing, QoS, and security functions on the data plane traffic. vEdge routers can be physical or virtual devices and can be deployed in branch, campus, data center, or cloud environments1.

The other options, vBond, vSmart, and vManage, are not the components that provide a secure data plane with remote vEdge routers. vBond is the orchestrator that performs the initial authentication and authorization of vEdge routers and assigns them to a vSmart controller. vSmart is the controller that distributes the control and data policies and the network topology information to the vEdge routers. vManage is the management platform that provides centralized configuration, monitoring, and troubleshooting of the SD WAN fabric1. References := : 1: Cisco SD-WAN Getting Started Guide - Cisco SD-WAN Overview [Cisco SD-WAN] - Cisco

Cisco ISE configuration capabilities include the following features:

• ISE Deployment Assistant (IDA): This is a built-in application designed to accelerate the deployment of Cisco Identity Service Engine (ISE) by providing a guided workflow for configuring the most common ISE use cases, such as guest access, BYOD, and secure wired and wireless access1. IDA also provides validation checks, best practices, and troubleshooting tips to ensure a successful deployment.
• Wireless Setup Wizard and Visibility Wizard: These are two of the several wizards that Cisco ISE provides to simplify the configuration of various ISE functions and features. The Wireless Setup Wizard helps to configure the wireless network settings, such as SSIDs, authentication methods, and policies, for secure wireless access2. The Visibility Wizard helps to enable the ISE profiling service, which collects and analyzes endpoint data to identify, classify, and monitor devices on the network3.
• ISE Wizards and Pre-Canned Configurations: These are the tools that ease the ISE roll-out significantly by providing ready-made templates, policies, and settings for common ISE scenarios, such as posture assessment, device administration, and threat-centric NAC. These tools help to reduce the manual configuration efforts and errors, and speed up the time to value.

References:

 1: [Cisco Identity Services Engine Administrator Guide, Release 3.3 - ISE Deployment Assistant [Cisco Identity Services Engine]] : 2: [Cisco Identity Services Engine Administrator Guide, Release 3.3 - Wireless Setup Wizard [Cisco Identity Services Engine]] : 3: [Cisco Identity Services Engine Administrator Guide, Release 3.3 - Visibility Wizard [Cisco Identity Services Engine]] : : [Cisco Identity Services Engine Administrator Guide, Release 3.3 - ISE Wizards and Pre-Canned Configurations [Cisco Identity Services Engine]]

Syslog, FNF (Flexible NetFlow), and SNMP (Simple Network Management Protocol) are three technologies that can be deployed to gather data and provide insight into the network performance, health, and behavior. Syslog is a standard protocol for logging messages from network devices, such as routers, switches, firewalls, and servers. Syslog messages can be sent to a centralized server for analysis, correlation, and alerting. FNF is a Cisco technology that captures and exports information about network flows, such as source and destination IP addresses, ports, protocols, bytes, packets, and timestamps. FNF can be used to monitor network traffic patterns, identify anomalies, and optimize network resources. SNMP is a protocol that allows network devices to communicate with management systems, such as Cisco DNA Center. SNMP can be used to collect statistics, configuration, and status information from network devices, as well as to send commands and notifications. SNMP can help network administrators to troubleshoot, configure, and manage their network devices remotely. References: Cisco DNA Center User Guide, Release 1.3.1.0 - Monitor the Network 1, Cisco DNA Center User Guide, Release 1.3.1.0 - Configure Flexible NetFlow 2, Cisco DNA Center User Guide, Release 1.3.1.0 - Configure SNMP 3

An ISE PoV (Proof of Value) is a service that demonstrates the value of Cisco Identity Services Engine (ISE) to potential customers. It consists of two components: a virtual machine (VM) and a license. The VM is a pre-configured ISE environment that can be deployed on any cloud platform, such as Cisco dCloud1. The license is a one-time payment that grants access to the ISE features and capabilities for three years2.

The two options that are used as part of an ISE PoV are A and E. Option A refers to the VM, which is the core component of the ISE PoV. Option E refers to the POV Kit, which is a bundle that includes the VM, the license, and some additional resources, such as documentation, videos, and webinars2. Option B, C, and D are not used as part of an ISE PoV.

References: 1 Cisco dCloud 2 ISE PoV licenses

The Cisco V-Edge Router performs QoS traffic classification on the ingress interface, before the traffic enters the VPN. The classification is based on the match criteria specified in the access lists, which can include the source and destination IP addresses, ports, protocols, DSCP values, and application-aware NBAR attributes. The classification results in assigning a forwarding class and a QoS group to each packet. The forwarding class determines the output queue and the scheduling policy for the packet on the egress interface. The QoS group is an internal label that can be used to remark the DSCP value of the packet or to match the packet in another access list for further processing. References:

• : Forwarding and QoS Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20, Chapter 2: Configuring Localized Data Policy, https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/qos/vEdge-20-x/qos-book/localized-data-policy.html#id_1050591
• : Cisco SD-WAN Design Guide, Release 20, Chapter 6: Quality of Service, https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/2020/b_SD-WAN_Design_Guide_Aug_2020/b_SD-WAN_Design_Guide_Aug_2020_chapter_0110.html2

According to the Cisco DNA Center Compatibility Matrix1, the current DNA-C 1.1 release supports the following wireless product families:

• WLC 8540: This is a high-performance wireless controller that can support up to 6000 access points and 64,000 clients. It is designed for large-scale wireless deployments and offers advanced features such as application visibility and control, flexible radio assignment, and software-defined access2.
• AP 3800: This is a high-performance access point that can support up to 5.2 Gbps data rates and 4x4 MIMO with four spatial streams. It is designed for high-density environments and offers features such as flexible radio assignment, CleanAir, ClientLink, and Smart Antenna Connector3.
• WLC 3504: This is a compact wireless controller that can support up to 150 access points and 3000 clients. It is designed for small to medium-sized wireless deployments and offers features such as application visibility and control, software-defined access, and TrustSec4.

The other wireless product families, such as AP 1260 and WLC 5508, are not supported in the current DNA-C 1.1 release.

References:

• : Cisco DNA Center Compatibility Matrix
• : Cisco 8540 Wireless Controller Data Sheet - Cisco
• : Cisco Aironet 3800 Series Access Points Data Sheet - Cisco
• : Cisco 3504 Wireless Controller Data Sheet - Cisco

https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.1/04Segmentation/02Configuring_Segmentation_(VPNs)

The Cisco SD-WAN subscription cost is based on two factors: the features and the service bandwidth. The features are determined by the subscription tier, which can be Cisco DNA Essentials, Cisco DNA Advantage, or Cisco DNA Premier. Each tier offers different levels of functionality, security, and analytics for the SD-WAN solution. The service bandwidth is the aggregated WAN bandwidth across all the edge devices in the SD-WAN fabric. The subscription cost is calculated as the product of the feature price per Mbps and the service bandwidth. For example, if the feature price per Mbps for Cisco DNA Advantage is $2 and the service bandwidth is 100 Mbps, the subscription cost for one year is $2 x 100 x 12 = $240012

The other factors, such as the hypervisor platform, the security, and the routing protocol, are not used in calculating the Cisco SD-WAN subscription cost. The hypervisor platform is the virtualization environment where the SD-WAN edge software can run, such as VMware ESXi, KVM, or Microsoft Hyper-V. The security is the protection of the SD-WAN network from threats and attacks, which can be enhanced by integrating with complementary products and applications, such as Cisco Umbrella, Cisco SIG Essentials, or Cisco Secure Malware Analytics. The routing protocol is the method of exchanging routing information between the SD-WAN edge devices and the external networks, such as BGP, OSPF, or EIGRP. These factors are not directly related to the subscription cost, but rather to the deployment options, the security requirements, and the network design of the SD-WAN solution34

References :=

• Cisco DNA Software for SD-WAN and Routing Ordering Guide
• Cisco DNA Subscription Software for SD-WAN and Routing FAQ
• Cisco SD-WAN Solution Overview
• Cisco SD-WAN Configuration Guide