How would Cisco ISE handle authentication for your printer that does not have a supplicant?
ISE would authenticate the printer using 802.1X authentication.
ISE would authenticate the printer using MAC RADIUS authentication.
ISE would authenticate the printer using MAB.
ISE would not authenticate the printer as printers are not subject to ISE authentication.
ISE would authenticate the printer using web authentication.
Cisco ISE can handle authentication for printers that do not have a supplicant using MAB (MAC Authentication Bypass). MAB is a method of authenticating devices based on their MAC address. MAB is useful for devices that do not support 802.1X or other authentication protocols, such as printers, cameras, or IoT devices. MAB works as follows:
The device sends an Ethernet frame with its MAC address as the source address.
The switch sends a RADIUS Access-Request message to ISE with the MAC address as the username and password.
ISE checks the MAC address against a database of known devices or an identity source sequence.
If the MAC address is found and authorized, ISE sends a RADIUS Access-Accept message to the switch with the appropriate authorization profile.
The switch applies the authorization profile to the device and grants it access to the network.
MAB is less secure than 802.1X, as MAC addresses can be spoofed or cloned. Therefore, MAB should be used with caution and combined with other security measures, such as profiling, posture, or endpoint protection. MAB should also be restricted to specific ports or VLANs that are isolated from the rest of the network.
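The exchange in the steps above, sketched as an added example (not Cisco's code and not part of the original page). The function names, the endpoint table and the shared secret are constructed for illustration, and the username and Calling-Station-Id formats are assumed defaults. The policy side sees only the MAC address, which is why a restricted authorization profile matters.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CALL_CHECK = struct.pack("!I", 10)   # Service-Type "Call Check" marks a MAB request
SECRET = b"constructed-shared-secret"              # constructed sample value
ENDPOINTS = {"0011223344aa": "Printers-Restricted"}  # constructed endpoint database

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding (MD5 keystream XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_mab_request(mac, secret, ident=1):
    """Switch side: the MAC is both User-Name (1) and User-Password (2)."""
    user = mac.replace(":", "").lower().encode()   # assumed format: 12 hex digits
    auth = os.urandom(16)                          # Request Authenticator
    attrs = (attr(1, user) + attr(2, hide_password(user, secret, auth))
             + attr(6, CALL_CHECK)
             + attr(31, mac.upper().replace(":", "-").encode()))  # Calling-Station-Id
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            break                                  # malformed attribute, stop parsing
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def decide(packet, secret, endpoints):
    """Policy side: returns (RADIUS code, authorization profile or None)."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    a = parse_attrs(packet[:length])
    if code != ACCESS_REQUEST or a.get(6) != CALL_CHECK:
        return ACCESS_REJECT, None                 # not a MAB request
    user = a.get(1, b"")
    if a.get(2) != hide_password(user, secret, packet[4:20]):
        return ACCESS_REJECT, None                 # password is not the MAC / wrong secret
    profile = endpoints.get(user.decode(errors="replace"))
    return (ACCESS_ACCEPT, profile) if profile else (ACCESS_REJECT, None)
```

Nothing in the request proves possession of a credential, so the decision rests entirely on the endpoint lookup; profiling and a tightly scoped profile carry the rest of the control.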
Which feature is supported on the Cisco vEdge platform?
IPv6 transport (WAN)
license enforcement
reporting
non-Ethernet interfaces
single sign-on
2-factor authentication
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/segmentation/vEdge-20-x/segmentation-book/segmentation.html
The Cisco vEdge platform supports IPv6 transport (WAN) as one of its features. This means that the vEdge routers can use IPv6 addresses to establish secure control and data plane connections with other vEdge routers over the WAN network. The vEdge routers can also use IPv6 addresses to communicate with the vSmart controllers and the vManage network management system. The vEdge routers can also support IPv6 routing protocols, such as OSPFv3 and BGP, to exchange IPv6 routes with other routers in the network [1, 2].
The other features listed in the question are not supported on the Cisco vEdge platform. License enforcement is not applicable to the vEdge routers, as they do not require any license to operate. Reporting is a function of the vManage network management system, which collects and displays various statistics and analytics from the vEdge routers. Non-Ethernet interfaces, such as serial, T1/E1, or DSL, are not available on the vEdge routers, which only support Ethernet and cellular interfaces. Single sign-on and 2-factor authentication are not supported on the vEdge routers, which use local or remote authentication methods, such as TACACS+, RADIUS, or LDAP [3].
References:
1: Cisco SD-WAN vEdge Routers Data Sheet
2: Cisco SD-WAN Configuration Guide, Release 20.3
3: Cisco SD-WAN Command Reference, Release 20.3
Which are two ways Cisco ISE benefits our customers? (Choose two.)
enables them to set traffic priorities across the network
helps them stop and contain real-time threats
provides network access control
helps them accelerate application deployment and delivery
Cisco ISE benefits our customers by providing network access control and helping them stop and contain real-time threats. Network access control is the ability to enforce policies on who and what can access the network, based on the identity and context of users, devices, and applications. Cisco ISE allows customers to authenticate, authorize, and audit network access, as well as to segment and isolate network traffic based on security and compliance requirements. Cisco ISE also helps customers stop and contain real-time threats by leveraging intel from across the network and security ecosystem, and by automating threat response actions. Cisco ISE can integrate with various security solutions, such as Cisco Stealthwatch, Cisco Firepower, and Cisco Umbrella, to detect and mitigate attacks on the network quickly and effectively.
References:
https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000Kfw0AAAR&ltui__urlRedirect=learning-activity-from-plan&ltui__parentUrl=
Slide 3 - ISE is critical to your customer:
Visibility into users, devices & applications
Access control and segmentation
Stop and contain threats in real-time
Which node enables Cisco ISE to share contextual information on a device with Cisco Stealthwatch?
Inline Posture Node
pXGrid Controller
Monitoring and Troubleshooting Node
Policy Administration Node
The node that enables Cisco ISE to share contextual information on a device with Cisco Stealthwatch is the pXGrid Controller. The pXGrid Controller is a component of the ISE Policy Service Node (PSN) that facilitates the exchange of contextual data between ISE and other security products, such as Stealthwatch, via the Platform Exchange Grid (pxGrid) protocol. The pXGrid Controller acts as a broker that registers, authenticates, and authorizes pxGrid clients, and allows them to publish and subscribe to topics of interest. For example, Stealthwatch can subscribe to the Session Directory topic to obtain user and device information from ISE, and use it to enrich the network flow data and provide better visibility and security analytics. Stealthwatch can also publish topics, such as Rapid Threat Containment (RTC), to allow ISE to take mitigation actions on compromised endpoints, such as quarantine or re-authentication.
Which two options are primary functions of Cisco ISE? (Choose two.)
allocating resources
enforcing endpoint compliance with network security policies
enabling WAN deployment over any type of connection
automatically enabling, disabling, or reducing allocated power to certain devices
providing VPN access for any type of device
providing information about every device that touches the network
Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations [1]. Two of the primary functions of Cisco ISE are:
Enforcing endpoint compliance with network security policies: Cisco ISE can assess the posture of all endpoints that access the network, including 802.1X environments, and enforce the appropriate policies based on the device type, identity, location, and other attributes. Cisco ISE can also provide comprehensive client provisioning measures to ensure that the endpoints are compliant with the network security policies before granting them access. Cisco ISE can also quarantine or remediate non-compliant endpoints to prevent potential threats or vulnerabilities [1, 2].
Providing information about every device that touches the network: Cisco ISE can gather real-time contextual information from networks, users, and devices, and use that information to make governance decisions and apply policies. Cisco ISE can also discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can also leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security [1, 3].
The other options are not primary functions of Cisco ISE, because:
Allocating resources: Cisco ISE does not allocate resources to the endpoints or the network devices. Cisco ISE can assign services or access levels based on the policies, but not resources such as bandwidth, memory, or CPU [1].
Enabling WAN deployment over any type of connection: Cisco ISE does not enable WAN deployment over any type of connection. Cisco ISE can support VPN access for remote endpoints, but not WAN deployment for the network infrastructure [1].
Automatically enabling, disabling, or reducing allocated power to certain devices: Cisco ISE does not automatically enable, disable, or reduce allocated power to certain devices. Cisco ISE can control the access and authorization of the devices, but not their power consumption or management [1].
Providing VPN access for any type of device: Cisco ISE does not provide VPN access for any type of device. Cisco ISE can authenticate and authorize the VPN access for the endpoints, but not provide the VPN service or connection itself. Cisco ISE relies on other network devices, such as VPN gateways or routers, to provide the VPN access [1].
References:
1: Cisco Content Hub - Cisco ISE Features
2: Cisco ISE Posture Service Overview
3: [Cisco ISE Profiler Service Overview]
Which component of the SD-Access fabric is responsible for communicating with networks that are external to the fabric?
border nodes
edge nodes
control plane nodes
intermediate nodes
Border nodes are the component of the SD-Access fabric that is responsible for communicating with networks that are external to the fabric. Border nodes serve as the gateway between the fabric domain and the network outside of the fabric. Border nodes are responsible for network virtualization inter-working and SGT propagation from the fabric to the rest of the network [1]. Border nodes also perform LISP Proxy Tunnel Router (PxTR) functions, which convert policy and reachability information, such as SGT and VRF information, from one domain to another [2]. Border nodes can connect to internal networks, such as data center or WAN, or external networks, such as internet or cloud [3].
Edge nodes, control plane nodes, and intermediate nodes are not responsible for communicating with networks that are external to the fabric. Edge nodes are the access-layer switches where all of the endpoints reside. Edge nodes detect clients and register them with the control plane nodes. Edge nodes also provide an anycast L3 gateway for the connected endpoints and perform encapsulation and de-encapsulation of data traffic [4]. Control plane nodes are the devices that run a host tracking database to map location information. Control plane nodes receive endpoint ID map registrations from edge and/or border nodes and resolve lookup requests from edge and/or border nodes to locate destination endpoint IDs [5]. Intermediate nodes are the devices that provide underlay connectivity between edge nodes and border nodes. Intermediate nodes do not participate in the fabric overlay and do not have any fabric roles [6].
References:
Role of Fabric Border Node & IS-IS protocol in Cisco SD-Access
Software Defined Access Network Fabric Roles - Study CCNP
Cisco SD-Access
SD-Access Fabric Troubleshooting Guide - Cisco
Cisco SD-Access Solution Design Guide (CVD) - Cisco
Cisco SD-Access Solution Design Guide (CVD) - Cisco
Cisco SD-Access Solution Design Guide (CVD) - Cisco
Which two activities should occur during an SE's discovery process? (Choose two.)
Gathering information about the current state of the customer’s network environment
Working with the customer to develop a reference architecture
Referencing the PPDIOO model to effectively facilitate the discussion
Establishing credibility with the customer
Mapping Cisco innovation to customer’s needs
The discovery process is a critical phase in the sales cycle, where the SE gathers information about the customer’s network environment, business goals, challenges, and needs. The discovery process helps the SE to understand the customer’s pain points, identify opportunities, and propose solutions that align with the customer’s objectives and address their problems. The discovery process also helps the SE to establish credibility, trust, and rapport with the customer, and to map Cisco innovation to the customer’s needs.
Some of the activities that should occur during the SE’s discovery process are:
Gathering information about the current state of the customer’s network environment. This includes collecting data about the network topology, devices, protocols, applications, performance, security, availability, scalability, and management. The SE can use various tools and methods to gather this information, such as interviews, questionnaires, surveys, audits, assessments, and network analysis tools. Gathering information about the current state helps the SE to understand the customer’s existing network capabilities, limitations, and gaps, and to benchmark the network against best practices and industry standards [1, 2].
Mapping Cisco innovation to the customer’s needs. This involves identifying how Cisco products, solutions, and services can help the customer achieve their desired outcomes, address their challenges, and overcome their pain points. The SE can use various tools and methods to map Cisco innovation to the customer’s needs, such as value proposition, business case, return on investment (ROI) analysis, proof of value (POV), proof of concept (POC), and demonstrations. Mapping Cisco innovation to the customer’s needs helps the SE to show the value and benefits of Cisco solutions, differentiate Cisco from competitors, and influence the customer’s decision making [3, 4].
References:
1: Cisco Discovery Service
2: Cisco Network Assessment Services
3: Cisco Catalyst SD-WAN Demos
4: Cisco Business Critical Services
TESTED 23 Feb 2025