Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations1. Two of the primary functions of Cisco ISE are:

• Enforcing endpoint compliance with network security policies: Cisco ISE can assess the posture of all endpoints that access the network, including 802.1X environments, and enforce the appropriate policies based on the device type, identity, location, and other attributes. Cisco ISE can also provide comprehensive client provisioning measures to ensure that the endpoints are compliant with the network security policies before granting them access. Cisco ISE can also quarantine or remediate non-compliant endpoints to prevent potential threats or vulnerabilities12.
• Providing information about every device that touches the network: Cisco ISE can gather real-time contextual information from networks, users, and devices, and use that information to make governance decisions and apply policies. Cisco ISE can also discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can also leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security13.

The other options are not primary functions of Cisco ISE, because:

• Allocating resources: Cisco ISE does not allocate resources to the endpoints or the network devices. Cisco ISE can assign services or access levels based on the policies, but not resources such as bandwidth, memory, or CPU1.
• Enabling WAN deployment over any type of connection: Cisco ISE does not enable WAN deployment over any type of connection. Cisco ISE can support VPN access for remote endpoints, but not WAN deployment for the network infrastructure1.
• Automatically enabling, disabling, or reducing allocated power to certain devices: Cisco ISE does not automatically enable, disable, or reduce allocated power to certain devices. Cisco ISE can control the access and authorization of the devices, but not their power consumption or management1.
• Providing VPN access for any type of device: Cisco ISE does not provide VPN access for any type of device. Cisco ISE can authenticate and authorize the VPN access for the endpoints, but not provide the VPN service or connection itself. Cisco ISE relies on other network devices, such as VPN gateways or routers, to provide the VPN access1.

References:

1: Cisco Content Hub - Cisco ISE Features 2: Cisco ISE Posture Service Overview 3: [Cisco ISE Profiler Service Overview]

 SD-WAN demonstrations are an effective way to showcase the benefits and features of Cisco SD-WAN solutions to potential customers. However, not all demos are created equal, and there are some best practices to follow to ensure a successful and engaging demo. Here are some explanations for why C and E are true statements regarding SD-WAN demonstrations:

• C. During a demo, you should consider the target audience and the desired outcome. This is a true statement because different audiences may have different levels of technical knowledge, business needs, and expectations from the demo. For example, a demo for a C-level executive may focus more on the business outcomes and value proposition of SD-WAN, while a demo for a network engineer may dive deeper into the technical details and configuration options. Therefore, it is important to tailor the demo to the specific audience and the desired outcome, such as generating interest, building trust, or closing a deal.
• E. There is a big difference between demos that use a top down approach and demos that use a bottom up approach. This is also a true statement because the two approaches have different advantages and disadvantages, and may suit different scenarios. A top down approach starts with the high-level overview of the SD-WAN solution, such as the architecture, components, benefits, and use cases, and then drills down into the specific features and functionalities. A bottom up approach starts with the low-level details of the SD-WAN solution, such as the configuration, troubleshooting, and testing, and then builds up to the big picture and value proposition. A top down approach may be more suitable for a non-technical or business-oriented audience, while a bottom up approach may be more suitable for a technical or hands-on audience.

References :=

• Cisco SD-WAN Demonstration Guide
• SD-WAN Best Practices | Kentik Blog
• SD-WAN best practices for a successful implementation
• SD-WAN best practices - VMware Blogs

The node that enables Cisco ISE to share contextual information on a device with Cisco Stealthwatch is the pXGrid Controller. The pXGrid Controller is a component of the ISE Policy Service Node (PSN) that facilitates the exchange of contextual data between ISE and other security products, such as Stealthwatch, via the Platform Exchange Grid (pxGrid) protocol. The pXGrid Controller acts as a broker that registers, authenticates, and authorizes pxGrid clients, and allows them to publish and subscribe to topics of interest. For example, Stealthwatch can subscribe to the Session Directory topic to obtain user and device information from ISE, and use it to enrich the network flow data and provide better visibility and security analytics. Stealthwatch can also publish topics, such as Rapid Threat Containment (RTC), to allow ISE to take mitigation actions on compromised endpoints, such as quarantine or re-authentication. References:

• Cisco Identity Services Engine Administrator Guide, Release 2.4 - Manage Platform Exchange Grid Services [Cisco Identity Services Engine] - Cisco1
• Deploying Cisco Stealthwatch 7.x with Cisco ISE 2.4 using pxGrid - Cisco Community2
• Stealthwatch — Networking fun3
• pxGrid in Depth > Sharing the Context | Cisco Press4

The overall health page of the assurance component in the Cisco DNA Center displays two primary categories: Client and Network1. The Client category shows the health score of all the wired and wireless clients connected to the network, along with the number of clients, the top issues affecting the clients, and the distribution of clients by type, OS, and SSID1. The Network category shows the health score of all the network devices, such as switches, routers, wireless controllers, and access points, along with the number of devices, the top issues affecting the devices, and the distribution of devices by site, family, and role1.

The other options are not primary categories on the overall health page. Server is not a category, but a type of client that can be filtered in the Client category1. Access-Distribution and Core are not categories, but roles of network devices that can be filtered in the Network category1. Wired is not a category, but a subcategory of the Client category that shows the health score of the wired clients only1.

References:

• Cisco DNA Assurance User Guide, Release 1.3.1.0 - Monitor and Troubleshoot the Health of Your Network [Cisco DNA Center]
• Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]
• Cisco Validated Design Guides [Cisco]

Cisco SD-WAN vEdge routers can mitigate DoS attacks against the infrastructure by using two mechanisms:

• Only authorized controllers are allowed to communicate back to the vEdge router after the vEdge router establishes connection with the controllers. This means that the vEdge router initiates a secure connection to the vSmart controller and the vBond orchestrator using DTLS or TLS, and verifies their identity using certificates. The vEdge router does not accept any incoming connections from the controllers, and only responds to the messages that match the established sessions. This prevents unauthorized or malicious traffic from reaching the vEdge router and consuming its resources12.
• By default, all incoming traffic is denied at the transport (WAN) side interfaces. This means that the vEdge router applies an implicit deny-all policy to any traffic that arrives from the WAN side, unless it is explicitly allowed by a security policy. The security policy can be configured to permit only the traffic that matches certain criteria, such as source, destination, protocol, port, or application. This reduces the attack surface of the vEdge router and protects it from unwanted or harmful traffic34.

References:

• Cisco SD-WAN Security Features
• Cisco SD-WAN Design Guide
• Cisco SD-WAN Security Policy Configuration Guide
• Cisco SD-WAN vEdge Routers Denial of Service Vulnerability

According to the Cisco Design Zone website1, an SE’s demo process should include the following activities:

• Identifying which capabilities require demonstration: The SE should understand the customer’s business objectives, pain points, and technical requirements, and map them to the relevant Cisco solutions and capabilities. The SE should also prioritize the most important and impactful features and benefits that address the customer’s needs and challenges, and plan the demo accordingly. The SE should avoid showing irrelevant or unnecessary features that may confuse or distract the customer12.
• Determining whether the customer would like to dive deeper during a follow-up: The SE should use the demo as an opportunity to engage the customer in a dialogue, solicit feedback, and gauge the customer’s interest and satisfaction. The SE should also identify any gaps or questions that the customer may have, and offer to provide more information or a deeper dive during a follow-up session. The SE should also ask for the customer’s permission to schedule a follow-up meeting or call, and confirm the next steps and actions13.

The other activities are not recommended or necessary during an SE’s demo process, because:

• Highlighting opportunities that although not currently within scope would result in lower operational costs and complexity: The SE should focus on the customer’s current scope and needs, and not try to upsell or cross-sell other solutions or services that are not relevant or requested by the customer. The SE should also respect the customer’s budget and timeline, and not introduce additional costs or complexity that may jeopardize the deal or the relationship1 .
• Asking the customer to provide network drawings or white board the environment for you: The SE should prepare for the demo by doing the necessary research and discovery before the meeting, and not rely on the customer to provide the information or draw the network for them. The SE should also demonstrate their expertise and credibility by showing their knowledge of the customer’s environment and challenges, and not ask the customer to do their work for them1 .
• Leveraging a company such as Complete Communications to build a financial case: The SE should not outsource or delegate the financial analysis or justification of the solution to a third-party company, as this may undermine the SE’s role and value, and create a dependency or risk for the deal. The SE should also use the Cisco tools and resources available to them, such as the Business Value Calculator, to build a financial case and show the return on investment and total cost of ownership of the solution1 .

References:

1: Cisco Design Zone 2: [Cisco Demo Best Practices], page 3 3: [Cisco Demo Best Practices], page 6 : [Cisco Demo Best Practices], page 4 : [Cisco Demo Best Practices], page 2 : [Cisco Demo Best Practices], page 5

Cisco ISE can handle authentication for printers that do not have a supplicant using MAB (MAC Authentication Bypass). MAB is a method of authenticating devices based on their MAC address. MAB is useful for devices that do not support 802.1X or other authentication protocols, such as printers, cameras, or IoT devices. MAB works as follows:

• The device sends an Ethernet frame with its MAC address as the source address.
• The switch sends a RADIUS Access-Request message to ISE with the MAC address as the username and password.
• ISE checks the MAC address against a database of known devices or an identity source sequence.
• If the MAC address is found and authorized, ISE sends a RADIUS Access-Accept message to the switch with the appropriate authorization profile.
• The switch applies the authorization profile to the device and grants it access to the network.

MAB is less secure than 802.1X, as MAC addresses can be spoofed or cloned. Therefore, MAB should be used with caution and combined with other security measures, such as profiling, posture, or endpoint protection. MAB should also be restricted to specific ports or VLANs that are isolated from the rest of the network.

References:

• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure MAC Authentication Bypass [Cisco Identity Services Engine]
• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Authentication Policies [Cisco Identity Services Engine]
• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Authorization Policies [Cisco Identity Services Engine]
• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Manage Identity Source Sequences [Cisco Identity Services Engine]
• Cisco Identity Services Engine API Reference Guide, Release 2.7 - Authentication [Cisco Identity Services Engine]
• Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]
• Cisco Validated Design Guides [Cisco]