Cisco 500-490 Designing Cisco Enterprise Networks exam Exam Practice Test

Cisco ISE incorporated Cisco ACS (Cisco Secure Access Control System) between ISE releases 2.0 and 2.3. Cisco ACS was a network access policy platform that provided authentication, authorization, and accounting (AAA) services for network devices and users. Cisco ACS was discontinued in 2017 and replaced by Cisco ISE, which offers more advanced features and capabilities for identity-based network access control. Cisco ISE provides a migration tool that allows customers to migrate their data and configurations from Cisco ACS to Cisco ISE. The migration tool supports Cisco ACS versions 5.5, 5.6, 5.7, and 5.8 and Cisco ISE versions 2.0, 2.1, 2.2, and 2.3.

References:

• Cisco Secure Access Control System End-of-Life Announcement [Cisco Secure Access Control System]
• Cisco Secure ACS to Cisco ISE Migration Tool [Cisco Identity Services Engine]
• Cisco Identity Services Engine Administrator Guide, Release 2.3 - Cisco Secure ACS to Cisco ISE Migration [Cisco Identity Services Engine]
• Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Migration [Cisco Identity Services Engine]
• [Cisco Identity Services Engine Migration Guide, Release 2.3 [Cisco Identity Services Engine]]
• [Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]]
• [Cisco Validated Design Guides [Cisco]]

 The current time in enterprise networking history is characterized by the rapid pace of change in the network technologies, architectures, and services. Some of the factors that contribute to this change are:

• The increasing demand for network performance, scalability, reliability, security, and agility from the business and end users.
• The emergence of new network paradigms, such as software-defined networking (SDN), network function virtualization (NFV), cloud networking, and intent-based networking (IBN).
• The proliferation of network devices, applications, and data sources, such as the Internet of Things (IoT), mobile devices, cloud services, big data, and artificial intelligence (AI).
• The evolution of network standards, protocols, and best practices, such as IPv6, 5G, Wi-Fi 6, Ethernet, and network automation.

These factors create new opportunities and challenges for enterprise network designers, engineers, and administrators, who need to keep up with the latest trends and innovations, and adapt their network solutions to the changing business and technical requirements.

References:

Cisco Enterprise Network Architecture and Design, https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/enterprise-networking-design.html 1 : Enterprise Networking Explained: Types, Concepts & Trends, https://www.bmc.com/blogs/enterprise-networking/ 2 : What is enterprise networking?, https://www.cloudflare.com/learning/network-layer/enterprise-networking/ 3 : Enterprise WAN – A Brief History, https://blogs.juniper.net/en-us/enterprise-cloud-and-transformation/enterprise-wan-a-brief-history 4

Cisco ISE is a policy decision point that enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations. Some features and benefits of Cisco ISE include1:

• Zero trust across the network: ISE allows only trusted users and devices access to resources on your network. It also uses intel to automatically identify, classify and profile devices.
• Policy and lifecycle management: ISE simplifies the delivery of consistent, highly secure access control across wired, wireless, and VPN connections. It also allows users to add and manage their own devices through self-service portals.
• Remote management and deployment: ISE supports cloud-based deployment and management, as well as integration with other Cisco products and third-party solutions.
• Site survivability: ISE provides local authentication and authorization services for remote sites, even when the connection to the central ISE server is lost.
• Visibility of all devices and their users: ISE can provide data about when a specific device connected to the network, what type of device it is, who is using it, what applications are running on it, and where it is located.

Among these features, two statements are true regarding Cisco ISE:

• ISE plays a critical role in SD-Access: SD-Access is a network architecture that uses software-defined networking (SDN) principles to create a secure, scalable, and consistent network fabric. ISE is the policy engine that defines and enforces the network segmentation and access policies for SD-Access2.
• ISE can provide data about when a specific device connected to the network: ISE uses a number of probes to collect attributes for all endpoints on the network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups. ISE can also provide historical data about the endpoint connections, such as the time, duration, location, and user of the connection3.

The other three statements are false regarding Cisco ISE:

• The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation: ISE provides more than just user experience and VLAN segmentation. It also delivers business outcomes such as improved network performance, reduced operational costs, increased security, and simplified compliance4.
• An ISE deployment requires only a Cisco ISE network access control appliance: ISE can be deployed on different platforms, such as physical appliances, virtual machines, or cloud services. An ISE deployment also requires other components, such as network devices, endpoints, and external identity sources5.
• Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves: ISE can provide the location information of an endpoint based on the network device that it is connected to, such as the switch port or the wireless access point. However, to track the actual physical location of a wireless endpoint as it moves, ISE needs to integrate with other products, such as Cisco DNA Center, Cisco Connected Mobile Experiences (CMX), or Cisco Wireless LAN Controller (WLC)6.

References:

Cisco Content Hub - Cisco ISE Features1 : Cisco SD-Access Solution Design Guide (CVD) - Cisco2 : Cisco ISE Network Discovery3 : Cisco Identity Services Engine (ISE) - Cisco4 : Cisco Identity Services Engine Hardware Installation Guide, Release 2.7 - Cisco ISE Deployment [Cisco Identity Services Engine] - Cisco5 : Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Location Mapping [Cisco Identity Services Engine] - Cisco6

 The discovery process is a critical phase in the sales cycle, where the SE gathers information about the customer’s network environment, business goals, challenges, and needs. The discovery process helps the SE to understand the customer’s pain points, identify opportunities, and propose solutions that align with the customer’s objectives and address their problems. The discovery process also helps the SE to establish credibility, trust, and rapport with the customer, and to map Cisco innovation to the customer’s needs.

Some of the activities that should occur during the SE’s discovery process are:

• Gathering information about the current state of the customer’s network environment. This includes collecting data about the network topology, devices, protocols, applications, performance, security, availability, scalability, and management. The SE can use various tools and methods to gather this information, such as interviews, questionnaires, surveys, audits, assessments, and network analysis tools. Gathering information about the current state helps the SE to understand the customer’s existing network capabilities, limitations, and gaps, and to benchmark the network against best practices and industry standards12
• Mapping Cisco innovation to the customer’s needs. This involves identifying how Cisco products, solutions, and services can help the customer achieve their desired outcomes, address their challenges, and overcome their pain points. The SE can use various tools and methods to map Cisco innovation to the customer’s needs, such as value proposition, business case, return on investment (ROI) analysis, proof of value (POV), proof of concept (POC), and demonstrations. Mapping Cisco innovation to the customer’s needs helps the SE to show the value and benefits of Cisco solutions, differentiate Cisco from competitors, and influence the customer’s decision making34

References:

1: Cisco Discovery Service 2: Cisco Network Assessment Services 3: Cisco Catalyst SD-WAN Demos 4: Cisco Business Critical Services

The Proactive Insights feature of Cisco DNA Center Assurance is a function that generates synthetic traffic to perform tests that raise awareness of potential network issues. This feature uses the Cisco DNA Center platform to create and schedule tests that simulate real user traffic and measure the network performance and user experience. The tests can be run on demand or periodically, and the results are displayed in the Cisco DNA Center dashboard. The Proactive Insights feature helps network administrators to proactively identify and troubleshoot network issues before they affect the end users12. References:

• Cisco DNA Center Assurance User Guide, Release 2.1.2
• Understanding Cisco DNA Center Assurance!

Cisco ISE can handle authentication for printers that do not have a supplicant using MAB (MAC Authentication Bypass). MAB is a method of authenticating devices based on their MAC address. MAB is useful for devices that do not support 802.1X or other authentication protocols, such as printers, cameras, or IoT devices. MAB works as follows:

• The device sends an Ethernet frame with its MAC address as the source address.
• The switch sends a RADIUS Access-Request message to ISE with the MAC address as the username and password.
• ISE checks the MAC address against a database of known devices or an identity source sequence.
• If the MAC address is found and authorized, ISE sends a RADIUS Access-Accept message to the switch with the appropriate authorization profile.
• The switch applies the authorization profile to the device and grants it access to the network.

MAB is less secure than 802.1X, as MAC addresses can be spoofed or cloned. Therefore, MAB should be used with caution and combined with other security measures, such as profiling, posture, or endpoint protection. MAB should also be restricted to specific ports or VLANs that are isolated from the rest of the network.

References:

• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure MAC Authentication Bypass [Cisco Identity Services Engine]
• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Authentication Policies [Cisco Identity Services Engine]
• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Authorization Policies [Cisco Identity Services Engine]
• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Identity Source Sequences [Cisco Identity Services Engine]
• Cisco Identity Services Engine API Reference Guide, Release 2.7 - Authentication [Cisco Identity Services Engine]
• Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]
• Cisco Validated Design Guides [Cisco]

The Cisco Catalyst 9500 Series Switches are specifically built to address the new challenges faced by enterprises, such as the need for increased bandwidth, security, and scalability. The Catalyst 9500 Series Switches are also designed to support Cisco SD-Access, which is a software-defined access fabric that simplifies network management and improves network security.

References: =

• Designing Cisco Enterprise Networks (ENDESIGN): https://www.cisco.com/c/en/us/training-events/training-certifications/training/training-services/courses/designing-cisco-enterprise-networks-ensld.html
• Cisco Catalyst 9500 Series Switches: https://www.cisco.com/site/us/en/products/networking/switches/catalyst-9500-series-switches/index.html

 The new operational paradigm is a way of designing, deploying, and managing networks that leverages the power of intent-based networking. Intent-based networking is a network architecture that aligns the network with the business goals and policies, and uses artificial intelligence and automation to translate the intent into network configurations and actions. The new operational paradigm requires three foundational elements:

• Fabric: A fabric is a network topology that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. A fabric can span across multiple domains, such as campus, branch, data center, and cloud, and can support multiple protocols, such as IP, Ethernet, MPLS, and VXLAN. A fabric enables the network to operate as a single entity, rather than a collection of disparate devices and links. A fabric also simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.
• Assurance: Assurance is the process of continuously monitoring, verifying, and optimizing the network performance and behavior, based on the defined intent and policies. Assurance uses telemetry, analytics, and machine learning to collect and process data from the network devices and applications, and to provide insights and recommendations for network optimization and troubleshooting. Assurance also enables the network to self-heal and self-optimize, by applying corrective actions and adjustments to the network configurations and policies, based on the feedback loop from the data and analytics.
• Policy-based automated provisioning of network: Policy-based automated provisioning of network is the process of applying the intent and policies to the network devices and services, using automation and orchestration tools. Policy-based automated provisioning of network abstracts the network complexity and heterogeneity, and allows the network operators to define the network requirements and outcomes in a high-level and declarative way, rather than specifying the low-level and imperative commands and parameters. Policy-based automated provisioning of network also enables the network to be agile and adaptive, as it can dynamically adjust the network configurations and policies, based on the changing network conditions and business needs.

References:

• Cisco Intent-Based Networking
• Cisco Digital Network Architecture
• Cisco Routed Optical Networking
• Cisco Operational Insights: A New Way of Seeing Operations

The three focus areas for reinventing the WAN are:

• Secure Elastic Connectivity: This refers to the ability to provide secure and flexible connectivity to any application, anywhere, and anytime. Secure elastic connectivity enables the network to adapt to the changing business needs and user demands, while maintaining security and performance. Secure elastic connectivity leverages SD-WAN technologies, such as Cloud OnRamp, SASE, and ThousandEyes, to optimize the network path, encrypt the traffic, and monitor the end-to-end visibility across the WAN12.
• Application Quality of Experience: This refers to the ability to ensure optimal and consistent user experience for any application, regardless of the network conditions. Application quality of experience uses SD-WAN technologies, such as vAnalytics, to measure and improve the application performance, availability, and reliability across the WAN3. Application quality of experience also uses intelligent policies and real-time analytics to prioritize the critical applications and steer the traffic to the best-performing path4.
• Cloud First: This refers to the ability to embrace the cloud as the primary platform for delivering applications and services to the users. Cloud first enables the network to support the multicloud strategy and accelerate the cloud adoption. Cloud first leverages SD-WAN technologies, such as Cloud OnRamp, to simplify and automate the connectivity to the public cloud, SaaS, and cloud interconnect providers4. Cloud first also enables the network to operate as a cloud-native WAN overlay, using software-defined automation and orchestration tools5.

References:

• Cisco SD-WAN Architecture Overview
• SD-WAN and SASE: The new landscape of networking
• Under the vAnalytics Hood: Enabling Total Network Visibility, Total Network Control
• SD-WAN Capabilities - The New Landscape of Networking
• Software-defined WAN (SD-WAN): the new landscape of networking

 A cloud-based SD-WAN deployment is a model of delivering SD-WAN services from the cloud, rather than from on-premises hardware or software appliances. A cloud-based SD-WAN deployment has several benefits, such as:

• Instant scale: A cloud-based SD-WAN deployment can scale up or down the network resources and bandwidth on demand, without requiring additional hardware or manual configuration. This enables the network to adapt to the changing traffic patterns and user demands, while optimizing the network performance and efficiency12.
• Reduced costs: A cloud-based SD-WAN deployment can lower the capital and operational expenses of the network, by eliminating the need for expensive and complex WAN infrastructure, such as MPLS circuits, routers, firewalls, and WAN optimization devices. A cloud-based SD-WAN deployment can also leverage the economies of scale and the pay-as-you-go model of the cloud, which can reduce the network costs per megabit12.
• Simplified management: A cloud-based SD-WAN deployment can simplify the network management and operation, by providing a centralized and unified dashboard that can monitor, configure, and troubleshoot the network across multiple sites and regions. A cloud-based SD-WAN deployment can also automate the network provisioning, orchestration, and optimization, by applying intelligent policies and analytics based on the business intent and network conditions12.
• Enhanced security: A cloud-based SD-WAN deployment can enhance the network security and compliance, by providing built-in and integrated security features, such as encryption, firewall, VPN, IPS, and antivirus. A cloud-based SD-WAN deployment can also leverage the cloud security services, such as SASE, to provide secure and direct access to the cloud applications and platforms, without compromising the network performance and user experience123.
• Improved cloud readiness: A cloud-based SD-WAN deployment can improve the cloud readiness and agility of the network, by enabling seamless and optimized connectivity to the public cloud, SaaS, and cloud interconnect providers. A cloud-based SD-WAN deployment can also support the multicloud and hybrid-cloud strategies, by allowing the network to operate as a cloud-native WAN overlay, using software-defined automation and orchestration tools123.

References:

• What Is SD-WAN? - Software-Defined WAN (SDWAN) - Cisco
• SD-WAN Benefits: 5 Business Advantages of SD-WAN - Fortinet
• What are the Benefits of SD-WAN? - Cisco
• What are the Benefits of SD-WAN?
• SD-WAN and SASE: The new landscape of networking