Cisco 500-470 - Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers

 DNA Center is the central point of management for SD-Access. It provides a graphical user interface (GUI) to design, provision, and monitor the SD-Access fabric. DNA Center also offers various service applications that leverage the network data and analytics to provide insights, automation, and assurance for the network and the applications running on it. DNA Center does not perform the functions of identifying and authenticating endpoints, which are handled by ISE; nor does it act as the point of exchange of reachability and policy for two domains, which are the roles of the border nodes and the control plane nodes; nor does it maintain a database of endpoint IDs to fabric edge nodes, which is the function of the LISP mapping system. References:

: Cisco DNA Center User Guide, Release 2.2.2.0, Chapter 1: Introduction to Cisco DNA Center, https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-2-2-0/user_guide/b_cisco_dna_center_ug_2_2_2_0/b_cisco_dna_center_ug_2_2_2_0_chapter_01.html

: Cisco SD-Access Design Guide, Release 2.2.2.0, Chapter 2: SD-Access Fabric Design, https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-design-guide-2-2-2-0.html#_Toc67188638

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/software-defined-access/guide-c07-739242.pdf

According to the Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers document1, the three Cisco recommendations on “How to Win” are:

Explain support for 3rd party network devices: Cisco ISE can integrate with more than 60 third-party solutions that span across security and network portfolios. This enablesCisco ISE to leverage the information and capabilities of these solutions to enhance the identity and access management, network visibility and segmentation, threat detection and response, and policy enforcement of the network. By explaining this support, the customer can see the value and flexibility of Cisco ISE in their existing or heterogeneous network environment2.

Explain architectural advantage of holistic Cisco solution: Cisco ISE is part of the Cisco Digital Network Architecture (DNA), which is a comprehensive and open platform that provides end-to-end network automation, assurance, security, and analytics. By explaining the architectural advantage of the holistic Cisco solution, the customer can see how Cisco ISE works seamlessly with other Cisco DNA components, such as Cisco DNA Center, Cisco SD-Access, Cisco SD-WAN, Cisco TrustSec, and Cisco Stealthwatch, to deliver a unified and consistent network experience across wired, wireless, and cloud domains3.

Talk about Cisco’s focus on Security and integration with StealthWatch, Sourcefire, WSA, vulnerability scanner to make smarter policy decisions: Cisco ISE is a core component of the Cisco security portfolio, which provides comprehensive and integrated security solutions for the network. By talking about Cisco’s focus on security and integration with other security products, such as StealthWatch, Sourcefire, WSA, and vulnerability scanner, the customer can see how Cisco ISE can provide enhanced visibility, threat detection, and policy enforcement for the network. For example, Cisco ISE can use the data from StealthWatch to identify anomalous or malicious behavior of the endpoints and apply appropriate network access policies based on the threat level4.

The other options, show case Cisco portfolio or ISE feature set during PoC and demonstrate complex policy flows, rather show case Wizards and enhanced context visibility, are not Cisco recommendations on “How to Win”. Showing case Cisco portfolio or ISE feature set during PoC is a general best practice, but not a specific recommendation for winning the customer. Demonstrating complex policy flows, rather than showing case Wizards and enhanced context visibility, is a counterproductive approach, as it can confuse or overwhelm the customer with technical details, rather than highlighting the benefits and simplicity of Cisco ISE. References := : 2: Cisco Identity Services Engine Administrator Guide, Release 2.7 - ISE Security Ecosystem Integration Guides [Cisco Identity Services Engine] - Cisco2, 1: Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers1, 3: Cisco Identity Services Engine - Cisco3, 4: Cisco Identity Services Engine Administrator Guide, Release 2.7 - Stealthwatch Integration [Cisco Identity Services Engine] - Cisco4

A Digital Network is a network that is based on the Cisco Digital Network Architecture (Cisco DNA), which is an open and extensible, software-driven network architecture designed to rapidly deliver services that enable IT to innovate faster, reduce costs and complexity, lower risk, and comply with regulatory requirements1. A key function of a Digital Network is centralized provisioning, which allows IT to automate the deployment and configuration of network devices and services using a single platform, such as the Cisco DNA Center2. Centralized provisioning simplifies network management, reduces human errors, and accelerates network changes.

References:

 2: [Cisco DNA Software - Digital Network Architecture - Cisco] : 1: [Cisco Digital Network Architecture]

 SD-Access Fabric is a network architecture that uses three key technologies to create a virtual overlay network on top of the physical underlay network. These technologies are:

VXLAN: Virtual Extensible LAN is a tunneling protocol that encapsulates Layer 2 frames in UDP packets and transports them over an IP network. VXLAN enables the creation of large-scale virtual networks that span multiple Layer 3 domains. VXLAN is used in SD-Access Fabric to carry user traffic between different fabric nodes and to provide network segmentation based on virtual network identifiers (VNIs).

TrustSec: Cisco TrustSec is a security framework that uses software-defined segmentation to enforce granular access policies based on the identity and context of users, devices, and applications. TrustSec uses scalable group tags (SGTs) to classify endpoints into logical groups and applies security policies based on the source and destination SGTs. TrustSec is integrated with SD-Access Fabric to provide micro-segmentation within a virtual network and to simplify policy management across the fabric.

LISP: Locator/ID Separation Protocol is a routing protocol that decouples the endpoint identity (EID) from its location (RLOC) in the network. LISP uses two types of devices: ingress tunnel routers (ITRs) and egress tunnel routers (ETRs) to map EIDs to RLOCs and to encapsulate and decapsulate packets. LISP is used in SD-Access Fabric to provide control plane functions, such as endpoint registration, discovery, and mobility. LISP also enables seamless integration of SD-Access Fabric with external networks, such as the Internet, WAN, or data center.

The other options, OTV, RSVP, and MPLS, are not used in SD-Access Fabric. OTV is another tunneling protocol that extends Layer 2 connectivity across Layer 3 domains, but it is not compatible with VXLAN. RSVP is a signaling protocol that reserves network resources for quality of service (QoS), but it is not required for SD-Access Fabric. MPLS is a packet-switching technology that labels packets and forwards them based on label switching routers (LSRs), but it is not involved in SD-Access Fabric. References := : Cisco SD-Access Solution Design Guide (CVD) - Cisco1, Cisco Software-Defined Access - Cisco Software-Defined Access Solution Overview2

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/sd-wan/nb-07-clo ud-router-data-sheet-cte-en.pdf

A vEdge Cloud Router is a virtualized version of the vEdge router that can be deployed in various cloud environments. According to the Cisco vEdge Cloud Data Sheet1, the vEdge Cloud Router can be instantiated as a virtual machine (VM) on a KVM hypervisor or as a VM on a VMware ESXi hypervisor, as well as in public cloud environments, such as Amazon AWS or Google Cloud Platform. Therefore, the two platforms that can host a vEdge Cloud Router are AWS and Microsoft Azure.

References:

 1: [Solutions - Cisco vEdge Cloud Data Sheet - Cisco]

Cisco ISE configuration capabilities include the following features:

ISE Deployment Assistant (IDA) is a built-in application designed to accelerate the deployment of Cisco Identity Service Engine (ISE). IDA guides the user through the initial setup, configuration, and verification of ISE with a step-by-step wizard. IDA also provides best practices and recommendations for common deployment scenarios, such as wireless, wired, VPN, guest, and BYOD1.

Cisco ISE includes wireless setup wizard and visibility wizard. The wireless setup wizard simplifies the configuration of ISE for wireless access by automating the tasks of adding network devices, creating authorization profiles, and applying policies. The visibility wizard helps the user to enable device profiling and posture services, and to view the endpoint information and compliance status on the ISE dashboard2.

ISE wizards and per-canned configurations ease ISE roll-out significantly. ISE wizards are interactive tools that assist the user in configuring various features and functions of ISE, such as certificates, network access devices, authentication and authorization policies, guest access, BYOD, and TrustSec. Per-canned configurations are predefined templates that provide common settings and values for ISE components, such as policy sets, authorization profiles, and network conditions. The user can apply these templates to quickly configure ISE for specific use cases, such as 802.1X, MAB, or web authentication3.

The other options, Cisco Active Advisor and ISE command line, are not accurate descriptions of ISE configuration capabilities. Cisco Active Advisor is a separate cloud-based service that provides network health and security checks, device lifecycle management, and best practice recommendations for Cisco devices. It is not directly related to ISE deployments. ISE command line is an interface that allows the user to perform administrative tasks, such as backup and restore, password recovery, and troubleshooting. However, ISE does not require an understanding of the command line for set-up and configuration, as most of the functions can be done through the graphical user interface (GUI). References := : 1: ISE Deployment Assistant (IDA) - Cisco Identity Services Engine - Cisco, 2: Cisco Identity Services Engine Administrator Guide, Release 2.7 - Wireless Setup Wizard [Cisco Identity Services Engine] - Cisco, 3: Cisco Identity Services Engine Administrator Guide, Release 2.7 - ISE Wizards [Cisco Identity Services Engine] - Cisco, : Cisco Active Advisor - Cisco, : Cisco Identity Services Engine CLI Reference Guide, Release 2.7 - Using the Command-Line Interface [Cisco Identity Services Engine] - Cisco

https://www.arista.com/assets/data/pdf/Whitepapers/Arista_Networks_VXLAN_White_Paper.pdf

A VxLAN header adds 50 bytes to an original Ethernet frame. This is because a VxLAN header consists of the following components:

8-byte outer UDP header for VxLAN: The default VxLAN destination UDP port number is 47891

20-byte outer IP header: Valid addresses of VTEPs or VxLAN multicast groups on the transport network. Devices in the transport network forward VxLAN packets based on the outer IP header1

8-byte VxLAN header: VxLAN information for the frame. It includes a 24-bit VxLAN Network Identifier (VNI) that identifies the VxLAN of the frame, and an 8-bit flags field that indicates the validity of the VNI1

14-byte inner Ethernet header: The original Ethernet header of the encapsulated frame. It includes the source and destination MAC addresses, the EtherType, and optionally a 4-byte VLAN tag2

The total size of these components is 8 + 20 + 8 + 14 = 50 bytes. Therefore, a VxLAN header adds 50 bytes to an original Ethernet frame.

References :=

VXLAN packet format - Aruba

MTU Considerations for VXLAN | Matt Oswalt

A centralized SD-Access design is where a single fabric domain spans across the main site and all branch sites over the WAN. This design has some challenges, such as:

Since the traffic is encapsulated in VXLAN headers, SD-WAN features such as application-aware routing, QoS, and security policies cannot be applied to the traffic based on the original IP headers. This means that the SD-WAN controller cannot optimize or route the traffic based on the application or user identity. The traffic is treated as a single class of service across the WAN.

The centralized design also introduces a single point of failure and a potential bottleneck at the main site, where the border nodes and the control plane nodes are located. If the main site goes down or the WAN link fails, the branch sites will lose connectivity to the fabric domain and the external networks.

The centralized design also requires a high bandwidth and low latency WAN connection between the main site and the branch sites, which may not be feasible or cost-effective for some scenarios.

References :=

Some possible references are:

Cisco Enterprise Networks SDA, SDWAN and ISE Exam for System Engineers (ENSDENG) Study Guide

Cisco SD-Access and SD-WAN Integration Design Guide