Cisco 500-490 Designing Cisco Enterprise Networks (ENDESIGN) exam Exam Practice Test

 = A business case is an option that will help build your customers platform during the discovery phase. A business case is a document that outlines the rationale, objectives, benefits, costs, risks, and alternatives of a proposed project or solution. A business case helps to justify the investment and align the stakeholders on the value proposition of the project or solution12.

During the discovery phase, the goal is to understand the problem that needs to be solved, the user needs and context, the constraints and opportunities, and the underlying policy intent. A business case can help to achieve this goal by providing a clear and concise summary of the problem statement, the desired outcomes, the potential solutions, and the evaluation criteria34. A business case can also help to communicate the vision and scope of the project or solution to the customers and other stakeholders, and to secure their buy-in and support56.

A business case is not the same as a POV report, a detailed design, a high-level design, or a PO. A POV report is a document that summarizes the findings and recommendations from a proof of value (POV) exercise, which is a short-term trial of a solution to demonstrate its feasibility and benefits7. A detailed design is a document that specifies the technical and functional requirements, architecture, and configuration of a solution8. A high-level design is a document that provides an overview of the solution, such as the main components, interfaces, and interactions9. A PO is a purchase order, which is a document that authorizes a purchase transaction between a buyer and a seller.

References :=

What is a business case? Definition and examples

Business Case - Project Management Knowledge

How the discovery phase works - Service Manual - GOV.UK

Discovery Phase – Service Design – The Beginner’s Guide

How to Write a Business Case ― 4 Steps to a Perfect Business Case Template

How to Write a Business Case: 4 Steps to a Perfect Business Case Template

What is a Proof of Value (POV)?

What is a Detailed Design Document (DDD)?

What is a High-Level Design Document?

[What is a Purchase Order (PO)?]

When demonstrating Cisco Software-Defined Access (SDA), it's essential to tailor the presentation to highlight the strategic benefits and overall architecture without overwhelming the audience with excessive technical details. Two key recommendations for a successful SDA demonstration are:

Keep the demo at a high level (Option B):It's crucial to keep the demonstration focused on the overarching concepts and benefits rather than delving into the intricate technical details. This approach ensures that the audience, which may include decision-makers and non-technical stakeholders, can easily grasp the value and advantages of SDA. By presenting at a high level, you can effectivelycommunicate how SDA simplifies network management, enhances security, and supports digital transformation initiatives.

Show the customer how to integrate ISE into DNA Center at the end of the demo (Option E):Integrating Cisco Identity Services Engine (ISE) with Cisco DNA Center is a pivotal aspect of the SDA solution. Demonstrating this integration towards the end of the presentation allows you to showcase the seamless interoperability and added security benefits that ISE brings to the SDA environment. This part of the demo highlights how ISE enhances network access control, policy enforcement, and overall security management within the SDA framework.

References:

Cisco Software-Defined Access Solution Overview

Cisco DNA Center and ISE Integration Guide

 The new operational paradigm is a way of designing, deploying, and managing networks that leverages the power of intent-based networking. Intent-based networking is a network architecture that aligns the network with the business goals and policies, and uses artificial intelligence and automation to translate the intent into network configurations and actions. The new operational paradigm requires three foundational elements:

Fabric: A fabric is a network topology that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. A fabric can span across multiple domains, such as campus, branch, data center, and cloud, and can support multiple protocols, such as IP, Ethernet, MPLS, and VXLAN. A fabric enables the network to operate as a single entity, rather than a collection of disparate devices and links. A fabric also simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.

Assurance: Assurance is the process of continuously monitoring, verifying, and optimizing the network performance and behavior, based on the defined intent and policies. Assurance uses telemetry, analytics, and machine learning to collect and process data from the network devices and applications, and to provide insights and recommendations for network optimization and troubleshooting. Assurance also enables the network to self-heal and self-optimize, by applying corrective actions and adjustments to the network configurations and policies, based on the feedback loop from the data and analytics.

Policy-based automated provisioning of network: Policy-based automated provisioning of network is the process of applying the intent and policies to the network devices and services, using automation and orchestration tools. Policy-based automated provisioning of network abstracts the network complexity and heterogeneity, and allows the network operators to define the network requirements and outcomes in a high-level and declarative way, rather than specifying the low-level and imperative commands and parameters. Policy-based automated provisioning of network also enables the network to be agile and adaptive, as it can dynamically adjust the network configurations and policies, based on the changing network conditions and business needs.

References:

Cisco Intent-Based Networking

Cisco Digital Network Architecture

Cisco Routed Optical Networking

Cisco Operational Insights: A New Way of Seeing Operations

The Proactive Insights feature of Cisco DNA Center Assurance is a function that generates synthetic traffic to perform tests that raise awareness of potential network issues. This feature uses the Cisco DNA Center platform to create and schedule tests that simulate real user traffic and measure the network performance and user experience. The tests can be run on demand or periodically, and the results are displayed in the Cisco DNA Center dashboard. The Proactive Insights feature helps network administrators to proactively identify and troubleshoot network issues before they affect the end users12. References:

Cisco DNA Center Assurance User Guide, Release 2.1.2

Understanding Cisco DNA Center Assurance!

According to the Cisco SD-WAN vEdge Routers Data Sheet1, the Cisco vEdge 5000 router is the only model that offers 20 Gbps of encrypted throughput. The vEdge 5000 router delivers highly secure site-to-site data connectivity to large enterprises, offers interface modularity, and supports up to 4 Network Interface Modules (NIMs)2. The other models of vEdge routers have lower encrypted throughput capacities, as shown in Table 6 of the Ordering Guide for SD-WAN3. The vEdge 1000 router has a maximum encrypted throughput of 1 Gbps, the vEdge 2000 router has a maximum encrypted throughput of 5 Gbps, and the vEdge 100 router has a maximum encrypted throughput of 100 Mbps3.

References:

1: Cisco SD-WAN vEdge Routers Data Sheet 2: vEdge 5000 Router 3: Ordering Guide for SD-WAN

1. vEdge-100: 100Mbps AES-256 throughput, with five fixed 10/100/1000 Mbps ports. Comes in three different flavors: ● vEdge 100b: Ethernet only ● vEdge 100m: Ethernet and integrated 2G/3G/4G modem ● vEdge 100wm: Ethernet and integrated 2G/3G/4G modem + Wireless LAN 2. vEdge-1000: 1 Gbps AES-256 throughput, with 8 ports of fixed GE SFP 3. vEdge-2000: 10 Gbps AES-256 throughput, with 2 Pluggable Interface Modules 4. vEdge-5000: 20 Gbps AES-256 throughput, with 4 Network Interface Modules

 Cisco ISE is a comprehensive solution that enables enterprises to enforce consistent and secure access policies across wired, wireless, and VPN connections. It also provides visibility, control, and automation for the network devices, endpoints, users, and applications. To sell Cisco ISE effectively, it is important to highlight the benefits and features of the solution that address the customer’s pain points and needs. Among the options given, two options help you sell Cisco ISE:

Showcasing the entire ISE feature set: ISE has a rich and diverse feature set that covers various use cases, such as device management, asset visibility, software-defined segmentation, software-defined access, guest and wireless access, BYOD, posture assessment, threat detection and response, and more1. By showcasing the entire ISE feature set, you can demonstrate the value proposition and differentiation of ISE from other solutions, and how it can help the customer achieve their business and technical goals.

Explaining ISE support for 3rd party network devices: ISE is not limited to Cisco networks only. It can also support 3rd party network devices that comply with the standard protocols and interfaces, such as RADIUS, SNMP, TACACS+, 802.1X, MAB,CoA, and EAP2. By explaining ISE support for 3rd party network devices, you can show the customer that ISE is a flexible and interoperable solution that can work with their existing network infrastructure, and that they do not need to replace their non-Cisco devices to deploy ISE.

The other three options are not helpful for selling Cisco ISE:

Referring to TrustSec as being only supported on Cisco networks: TrustSec is a Cisco technology that enables software-defined segmentation based on security group tags (SGTs) and security group access control lists (SGACLs)3. TrustSec is not only supported on Cisco networks, but also on 3rd party network devices that can integrate with ISE through pxGrid, which is a platform for sharing contextual information across multiple security products4. By referring to TrustSec as being only supported on Cisco networks, you can create a false impression that ISE is a proprietary and closed solution that requires a complete Cisco network overhaul, which can discourage the customer from adopting ISE.

Discussing the importance of custom profiling: Profiling is a feature of ISE that allows it to identify and classify the endpoints on the network based on their attributes, such as MAC address, IP address, device type, operating system, etc.5. Custom profiling is the ability to create custom profiles and policies for the endpoints that are not recognized by the default ISE profiles. While custom profiling is an important feature of ISE, it is not a key selling point, because it is a complex and time-consuming process that requires a deep understanding of the endpoint attributes and behaviors, and it may not be relevant or applicable for all customers. By discussing the importance of custom profiling, you can confuse or overwhelm the customer with technical details that are not essential for their use case, and divert their attention from the core benefits and features of ISE.

Downplaying the value of pxGrid as compared to RESTful APIs: pxGrid is a platform that enables ISE to share contextual information, such as identity, location, posture, device type, etc., with other security products, such as firewalls, SIEMs, threat detection systems, etc.4. RESTful APIs are a standard way of communicating with web services, such as ISE, using HTTP methods, such as GET, POST, PUT, DELETE, etc… Both pxGrid and RESTful APIs are valuable for ISE, because they provide different capabilities and benefits. pxGrid allows ISE to exchange real-time and bidirectional information with other security products, and to enforce consistent policies across the network4. RESTful APIs allow ISE to be integrated with external applications and systems, such as portals, dashboards, workflows, etc., and to automate and customize the network operations. By downplaying the value of pxGrid as compared to RESTful APIs, you can misrepresent the functionality and potential of ISE, and miss the opportunity to showcase how ISE can enhance the security and efficiency of the network.

References:

Cisco Identity Services Engine (ISE) Use Cases1 : Cisco Identity Services Engine Network Component Compatibility, Release 2.72 : Cisco TrustSec3 : Cisco pxGrid4 : Cisco ISE Network Discovery5 : Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Custom Profiling Policies [Cisco Identity Services Engine] - Cisco : Cisco Identity Services Engine API Reference Guide, Release 2.7 - Cisco ISE REST APIs [Cisco Identity Services Engine] - Cisco

SD-Access - High Level Branch Design-Software Defined Access @ 0:34https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000O0wmZAAR <ui__urlRedirect=learning-activity-from-plan<ui__parentUrl=

https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2020/pdf/BRKCRS-3493.pdf

= Border nodes are the component of the SD-Access fabric that is responsible for communicating with networks that are external to the fabric. Border nodes serve as the gateway between the fabric domain and the network outside of the fabric. Border nodes are responsible for network virtualization inter-working and SGT propagation from the fabric to the rest of the network1. Border nodes also perform LISP Proxy Tunnel Router (PxTR) functions, which convert policy and reachability information, such as SGT and VRF information, from one domain to another2. Border nodes can connect to internal networks, such as data center or WAN, or external networks, such as internet or cloud3.

Edge nodes, control plane nodes, and intermediate nodes are not responsible for communicating with networks that are external to the fabric. Edge nodes are the access-layer switches where all of the endpoints reside. Edge nodes detect clients and register them with the control plane nodes. Edge nodes also providean anycast L3 gateway for the connected endpoints and perform encapsulation and de-encapsulation of data traffic4. Control plane nodes are the devices that run a host tracking database to map location information. Control plane nodes receive endpoint ID map registrations from edge and/or border nodes and resolve lookup requests from edge and/or border nodes to locate destination endpoint IDs5. Intermediate nodes are the devices that provide underlay connectivity between edge nodes and border nodes. Intermediate nodes do not participate in the fabric overlay and do not have any fabric roles6.

References :=

Role of Fabric Border Node & IS-IS protocol in Cisco SD-Access

Software Defined Access Network Fabric Roles - Study CCNP

Cisco SD-Access

SD-Access Fabric Troubleshooting Guide - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000P3hKMAAZ <ui__urlRedirect=learning-activity-from-plan<ui__parentUrl=learning-activity-from-plan

Cisco ISE incorporated Cisco ACS (Cisco Secure Access Control System) between ISE releases 2.0 and 2.3. Cisco ACS was a network access policy platform that provided authentication, authorization, and accounting (AAA) services for network devices and users. Cisco ACS was discontinued in 2017 and replaced by Cisco ISE, which offers more advanced features and capabilities for identity-based network access control. Cisco ISE provides a migration tool that allows customers to migrate their data and configurations from Cisco ACS to Cisco ISE. The migration tool supports Cisco ACS versions 5.5, 5.6, 5.7, and 5.8 and Cisco ISE versions 2.0, 2.1, 2.2, and 2.3.

References:

Cisco Secure Access Control System End-of-Life Announcement [Cisco Secure Access Control System]

Cisco Secure ACS to Cisco ISE Migration Tool [Cisco Identity Services Engine]

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Cisco Secure ACS to Cisco ISE Migration [Cisco Identity Services Engine]

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Migration [Cisco Identity Services Engine]

[Cisco Identity Services Engine Migration Guide, Release 2.3 [Cisco Identity Services Engine]]

[Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]]

[Cisco Validated Design Guides [Cisco]]

ISE 2.3 includes the final suite of capabilities designed to reach feature parity with Cisco Secure Access Control System (ACS), allowing all existing ACS customers to migrate their deployment to ISE. New features include TACACS+-based device administration for IPv6, import and export capabilities for TACACS+-based command sets, policy export scheduling, IP range support in all octets, and more. See the ACS vs ISE Comparison for feature comparisons with every release of ISE