500-470 Exam Dumps : Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers

A centralized SD-Access design is where a single fabric domain spans across the main site and all branch sites over the WAN. This design has some challenges, such as:

• Since the traffic is encapsulated in VXLAN headers, SD-WAN features such as application-aware routing, QoS, and security policies cannot be applied to the traffic based on the original IP headers. This means that the SD-WAN controller cannot optimize or route the traffic based on the application or user identity. The traffic is treated as a single class of service across the WAN.
• The centralized design also introduces a single point of failure and a potential bottleneck at the main site, where the border nodes and the control plane nodes are located. If the main site goes down or the WAN link fails, the branch sites will lose connectivity to the fabric domain and the external networks.
• The centralized design also requires a high bandwidth and low latency WAN connection between the main site and the branch sites, which may not be feasible or cost-effective for some scenarios.

References :=

Some possible references are:

• Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers (ENSDENG) Study Guide
• Cisco SD-Access and SD-WAN Integration Design Guide

The Cisco V-Edge Router performs QoS traffic classification on the ingress interface, before the traffic enters the VPN. The classification is based on the match criteria specified in the access lists, which can include the source and destination IP addresses, ports, protocols, DSCP values, and application-aware NBAR attributes. The classification results in assigning a forwarding class and a QoS group to each packet. The forwarding class determines the output queue and the scheduling policy for the packet on the egress interface. The QoS group is an internal label that can be used to remark the DSCP value of the packet or to match the packet in another access list for further processing. References:

• : Forwarding and QoS Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20, Chapter 2: Configuring Localized Data Policy, https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/qos/vEdge-20-x/qos-book/localized-data-policy.html#id_1050591
• : Cisco SD-WAN Design Guide, Release 20, Chapter 6: Quality of Service, https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/2020/b_SD-WAN_Design_Guide_Aug_2020/b_SD-WAN_Design_Guide_Aug_2020_chapter_0110.html2

Cisco ISE is a network access control solution that uses policy-based decision making to determine if a device is allowed access to the network and, if allowed, what level of access this device is given1.Cisco ISE can also provide authentication, authorization, and accounting (AAA) through the RADIUS protocol and device administration through TACACS+ service1.

Some of the use cases of Cisco ISE are:

• Access Control: Cisco ISE can grant and control the right level of network access for both wired and wireless devices by employing mainly the 802.1x protocol and EAPoL (EAP over LAN)1.Cisco ISE can also use MAC authentication bypass (MAB) to authenticate devices that are unable to use the EAP protocol1.Additionally, Cisco ISE can integrate with Microsoft Active Directory for confirming user identity1.
• Assurance: Cisco ISE can monitor and troubleshoot the various features on ISE and analyze trends of the network activities from a centralized admin node2.Cisco ISE can also provide reports on user andentity behavior analytics (UEBA), enterprise mobility management/mobile device management (EMM/MDM), security incident and event management (SIEM), and segmentation34.
• Monitoring: Cisco ISE can provide endpoint visibility with context by collecting and analyzing data from various sources such as endpoints, users, applications, devices, networks, and cloud services4.Cisco ISE can also provide real-time alerts and notifications on security events and anomalies4.