Cisco ISE is a security policy management platform that provides secure access to network resources.  Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations 1 . Two of the primary functions of Cisco ISE are:

Enforcing endpoint compliance with network security policies : Cisco ISE can assess the posture of all endpoints that access the network, including 802.1X environments, and enforce the appropriate policies based on the device type, identity, location, and other attributes. Cisco ISE can also provide comprehensive client provisioning measures to ensure that the endpoints are compliant with the network security policies before granting them access.  Cisco ISE can also quarantine or remediate non-compliant endpoints to prevent potential threats or vulnerabilities 1 2 .

Providing information about every device that touches the network : Cisco ISE can gather real-time contextual information from networks, users, and devices, and use that information to make governance decisions and apply policies. Cisco ISE can also discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups.  Cisco ISE can also leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security 1 3 .

The other options are not primary functions of Cisco ISE, because:

Allocating resources : Cisco ISE does not allocate resources to the endpoints or the network devices.  Cisco ISE can assign services or access levels based on the policies, but not resources such as bandwidth, memory, or CPU 1 .

Enabling WAN deployment over any type of connection : Cisco ISE does not enable WAN deployment over any type of connection.  Cisco ISE can support VPN access for remote endpoints, but not WAN deployment for the network infrastructure 1 .

Automatically enabling, disabling, or reducing allocated power to certain devices : Cisco ISE does not automatically enable, disable, or reduce allocated power to certain devices.  Cisco ISE can control the access and authorization of the devices, but not their power consumption or management 1 .

Providing VPN access for any type of device : Cisco ISE does not provide VPN access for any type of device. Cisco ISE can authenticate and authorize the VPN access for the endpoints, but not provide the VPN service or connection itself.  Cisco ISE relies on other network devices, such as VPN gateways or routers, to provide the VPN access 1 .

References :

1 :  Cisco Content Hub - Cisco ISE Features   2 :  Cisco ISE Posture Service Overview   3 : [Cisco ISE Profiler Service Overview]

 Cisco SD-Access is a solution within Cisco DNA, which is built on intent-based networking principles.  Cisco SD-Access provides visibility-based, automated end-to-end segmentation to separate user, device, and application traffic without redesigning the underlying physical network 1 .  Cisco SD-Access also enables programmable overlays that allow network virtualization across the campus, branch, data center, and cloud 2 .  Cisco SD-Access has two main components: the fabric and the policy 3 .

The fabric is the network overlay that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. The fabric nodes are classified into four types: edge nodes, border nodes, control plane nodes, and intermediate nodes. The edge nodes are the access switches or wireless controllers that connect to the end devices. The border nodes are the routers or switches that connect the fabric to external networks, such as the Internet, WAN, or data center. The control plane nodes are the routers or switches that maintain the mapping between the endpoint identifiers and the network locators.  The intermediate nodes are the routers or switches that provide transit services within the fabric 3 .

The policy is the network configuration that defines the network behavior and outcomes, based on the business intent and requirements. The policy is composed of three elements: the endpoint groups, the contracts, and the virtual networks. The endpoint groups are the logical containers that group the endpoints based on their attributes, such as user identity, device type, or application. The contracts are the rules that specify the allowed interactions between the endpoint groups, such as the protocols, ports, and quality of service.  The virtual networks are the logical partitions that isolate the endpoint groups and contracts from each other, based on the network scope and security 3 .

Cisco SD-Access addresses the following challenges and benefits:

It simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.

It enhances the network security and compliance, as it enforces granular and dynamic policies based on the endpoint identity and context, rather than the network topology and IP addresses.

It improves the network performance and user experience, as it optimizes the network path, load balancing, and traffic engineering based on the network conditions and application requirements.

It enables the network agility and scalability, as it supports the rapid deployment and integration of new devices, applications, and services, without affecting the existing network operations.

References :

Cisco Software-Defined Access - Cisco Software-Defined Access Solution Overview

What Is Software-Defined Access? - SD-Access - Cisco

Cisco SD-Access Architecture Overview

Integrating Cisco Software-Defined Access (SD-Access) into an existing brownfield environment can be complex and risky, given the existing network's configurations and operations. Adopting a "one switch at a time" approach provides two significant advantages:

Involves the least risk of all approaches (Option C): This method minimizes the impact on the existing network because changes are applied incrementally rather than all at once. By limiting the scope of changes to one switch at a time, network administrators can carefully monitor the effects and address any issues immediately. This approach reduces the risk of widespread network disruptions, making it a safer option compared to more aggressive migration strategies.

Allows simplified roll back (Option D): If any issues arise during the integration of a single switch, it is easier to revert to the previous state without affecting the entire network. This rollback capability is critical in maintaining network stability and ensuring that the operations of the existing network continue uninterrupted. The granularity of changes and the ease of reverting them back to a known good state provide a safety net that is crucial in complex environments.

References:

Cisco SD-Access Deployment Guide

Cisco Digital Network Architecture (DNA) Center User Guide

= Border nodes are the component of the SD-Access fabric that is responsible for communicating with networks that are external to the fabric. Border nodes serve as the gateway between the fabric domain and the network outside of the fabric.  Border nodes are responsible for network virtualization inter-working and SGT propagation from the fabric to the rest of the network 1 .  Border nodes also perform LISP Proxy Tunnel Router (PxTR) functions, which convert policy and reachability information, such as SGT and VRF information, from one domain to another 2 .  Border nodes can connect to internal networks, such as data center or WAN, or external networks, such as internet or cloud 3 .

Edge nodes, control plane nodes, and intermediate nodes are not responsible for communicating with networks that are external to the fabric. Edge nodes are the access-layer switches where all of the endpoints reside. Edge nodes detect clients and register them with the control plane nodes.  Edge nodes also provide an anycast L3 gateway for the connected endpoints and perform encapsulation and de-encapsulation of data traffic 4 . Control plane nodes are the devices that run a host tracking database to map location information.  Control plane nodes receive endpoint ID map registrations from edge and/or border nodes and resolve lookup requests from edge and/or border nodes to locate destination endpoint IDs 5 . Intermediate nodes are the devices that provide underlay connectivity between edge nodes and border nodes.  Intermediate nodes do not participate in the fabric overlay and do not have any fabric roles 6 .

References  :=

Role of Fabric Border Node & IS-IS protocol in Cisco SD-Access

Software Defined Access Network Fabric Roles - Study CCNP

Cisco SD-Access

SD-Access Fabric Troubleshooting Guide - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

Cisco SD-Access Solution Design Guide (CVD) - Cisco

 The current time in enterprise networking history is characterized by the rapid pace of change in the network technologies, architectures, and services. Some of the factors that contribute to this change are:

The increasing demand for network performance, scalability, reliability, security, and agility from the business and end users.

The emergence of new network paradigms, such as software-defined networking (SDN), network function virtualization (NFV), cloud networking, and intent-based networking (IBN).

The proliferation of network devices, applications, and data sources, such as the Internet of Things (IoT), mobile devices, cloud services, big data, and artificial intelligence (AI).

The evolution of network standards, protocols, and best practices, such as IPv6, 5G, Wi-Fi 6, Ethernet, and network automation.

These factors create new opportunities and challenges for enterprise network designers, engineers, and administrators, who need to keep up with the latest trends and innovations, and adapt their network solutions to the changing business and technical requirements.

References :

Cisco Enterprise Network Architecture and Design, https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/enterprise-networking-design.html 1  : Enterprise Networking Explained: Types, Concepts & Trends, https://www.bmc.com/blogs/enterprise-networking/ 2  : What is enterprise networking?, https://www.cloudflare.com/learning/network-layer/enterprise-networking/ 3  : Enterprise WAN – A Brief History, https://blogs.juniper.net/en-us/enterprise-cloud-and-transformation/enterprise-wan-a-brief-history 4

Cisco ISE incorporated Cisco ACS (Cisco Secure Access Control System) between ISE releases 2.0 and 2.3. Cisco ACS was a network access policy platform that provided authentication, authorization, and accounting (AAA) services for network devices and users. Cisco ACS was discontinued in 2017 and replaced by Cisco ISE, which offers more advanced features and capabilities for identity-based network access control. Cisco ISE provides a migration tool that allows customers to migrate their data and configurations from Cisco ACS to Cisco ISE. The migration tool supports Cisco ACS versions 5.5, 5.6, 5.7, and 5.8 and Cisco ISE versions 2.0, 2.1, 2.2, and 2.3.

References :

Cisco Secure Access Control System End-of-Life Announcement [Cisco Secure Access Control System]

Cisco Secure ACS to Cisco ISE Migration Tool [Cisco Identity Services Engine]

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Cisco Secure ACS to Cisco ISE Migration [Cisco Identity Services Engine]

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Migration [Cisco Identity Services Engine]

[Cisco Identity Services Engine Migration Guide, Release 2.3 [Cisco Identity Services Engine]]

[Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]]

[Cisco Validated Design Guides [Cisco]]

ISE 2.3 includes the final suite of capabilities designed to reach feature parity with Cisco Secure Access Control System (ACS), allowing all existing ACS customers to migrate their deployment to ISE. New features include TACACS+-based device administration for IPv6, import and export capabilities for TACACS+-based command sets, policy export scheduling, IP range support in all octets, and more. See the ACS vs ISE Comparison for feature comparisons with every release of ISE

The protocol that runs between the vSmart controllers and between the vSmart controllers and the vEdge routers, and unifies all control plane functions under a single protocol umbrella is the  Overlay Management Protocol (OMP) 1 2 .  OMP is a proprietary protocol that is designed to enable the Cisco SD-WAN solution, which provides a software overlay that runs over standard network transport, including MPLS, broadband, and internet to deliver applications and services 3 .  OMP provides the following services 1 2 :

Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN or VRF topologies

Distribution of service-level routing information and related location mappings

Distribution of data plane security parameters

Central control and distribution of routing policy

OMP is an all-encompassing information management and distribution protocol that enables the overlay network by separating services from transport. Services provided in a typical VPN setting are usually located within a VPN domain, and they are protected so that they are not visible outside the VPN. In such a traditional architecture, it is a challenge to extend VPN domains and service connectivity. OMP addresses these scalability challenges by providing an efficient way to manage service traffic based on the location of logical transport end points.  This method extends the data plane and control plane separation concept from within routers to across the network 2 .

References :

1 :  Routing Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20.x - Unicast Overlay Routing   2 :  Introduction to Overlay Management Protocol in Viptela   3 :  Cisco SD-WAN vEdge vManage vSmart IBM

The overall health page of the assurance component in the Cisco DNA Center displays two primary categories:  Client  and  Network 1 .  The Client category shows the health score of all the wired and wireless clients connected to the network, along with the number of clients, the top issues affecting the clients, and the distribution of clients by type, OS, and SSID 1 .  The Network category shows the health score of all the network devices, such as switches, routers, wireless controllers, and access points, along with the number of devices, the top issues affecting the devices, and the distribution of devices by site, family, and role 1 .

The other options are not primary categories on the overall health page.  Server is not a category, but a type of client that can be filtered in the Client category 1 .  Access-Distribution and Core are not categories, but roles of network devices that can be filtered in the Network category 1 .  Wired is not a category, but a subcategory of the Client category that shows the health score of the wired clients only 1 .

References :

Cisco DNA Assurance User Guide, Release 1.3.1.0 - Monitor and Troubleshoot the Health of Your Network [Cisco DNA Center]

Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]

Cisco Validated Design Guides [Cisco]

 Cisco ISE benefits our customers by providing network access control and helping them stop and contain real-time threats. Network access control is the ability to enforce policies on who and what can access the network, based on the identity and context of users, devices, and applications. Cisco ISE allows customers to authenticate, authorize, and audit network access, as well as to segment and isolate network traffic based on security and compliance requirements. Cisco ISE also helps customers stop and contain real-time threats by leveraging intel from across the network and security ecosystem, and by automating threat response actions. Cisco ISE can integrate with various security solutions, such as Cisco Stealthwatch, Cisco Firepower, and Cisco Umbrella, to detect and mitigate attacks on the network quickly and effectively.  References :

Cisco Identity Services Engine (ISE) - Cisco 1

Cisco Identity Services Engine (ISE) - Cisco 2

Network Visibility and Segmentation (NVS) - Cisco 3

Rapid Threat Containment - Cisco 4

https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000Kfw0AAAR & ltui__urlRedirect=learning-activity-from-plan & ltui__parentUrl= Slide 3 - ISE is critical to your customer – • Visibility in to users, devices & applications • Access control and segmentation • Stop and contain threats in real-time

 The vBond orchestrator is an SD-WAN router responsible for authenticating and orchestrating connectivity between the vSmart controllers and SD-WAN routers. It is the sole device in the network that requires a public IP address for all SD-WAN devices to connect to it. The vBond orchestrator has three major functions:

Controller discovery: The vBond orchestrator acts as the initial point of contact for all SD-WAN components that join the network. It authenticates the devices using pre-installed credentials and assigns them to a vSmart controller. The vBond orchestrator also provides the IP addresses of the vSmart controllers and the vManage NMS to the SD-WAN routers.

NAT traversal: The vBond orchestrator facilitates the establishment of secure DTLS or TLS tunnels between the SD-WAN components that are behind NAT devices. The vBond orchestrator acts as a rendezvous point for the NATed devices and helps them exchange their public IP addresses and port numbers. The vBond orchestrator also performs NAT keepalive and hole punching to maintain the NAT bindings and prevent the NAT devices from timing out the sessions.

Certificate management: The vBond orchestrator acts as the certificate authority (CA) for the SD-WAN network. It generates and signs the certificates for the SD-WAN components and distributes them to the devices. The certificates are used to authenticate the devices and encrypt the control and data plane traffic.

References :

Cisco SD-WAN Architecture Overview

Cisco Catalyst SD-WAN Getting Started Guide

New Training: Identify Cisco SD-WAN Components