500-490 exam questions for practice in 2024 Updated 37 Questions [Q17-Q41]

Updated Oct-2024 Premium 500-490 Exam Engine pdf - Download Free Updated 37 Questions

NEW QUESTION # 17
Which element of the Cisco SD-WAN architecture facilitates the functions of controller discovery and NAT traversal?

  • A. vBond orchestrator
  • B. vSmart controller
  • C. vEdge
  • D. vManage

Answer: A


NEW QUESTION # 18
Which two options are primary functions of Cisco ISE? (Choose two.)

  • A. automatically enabling, disabling, or reducing allocated power to certain devices
  • B. enforcing endpoint compliance with network security policies
  • C. allocating resources
  • D. providing VPN access for any type of device
  • E. enabling WAN deployment over any type of connection
  • F. providing information about every device that touches the network

Answer: B,F

Explanation:
Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations [1]. Two of the primary functions of Cisco ISE are:
* Enforcing endpoint compliance with network security policies: Cisco ISE can assess the posture of all endpoints that access the network, including 802.1X environments, and enforce the appropriate policies based on the device type, identity, location, and other attributes. Cisco ISE can also provide comprehensive client provisioning measures to ensure that the endpoints are compliant with the network security policies before granting them access. Cisco ISE can also quarantine or remediate non-compliant endpoints to prevent potential threats or vulnerabilities [1][2].
* Providing information about every device that touches the network: Cisco ISE can gather real-time contextual information from networks, users, and devices, and use that information to make governance decisions and apply policies. Cisco ISE can also discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can also leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security [1][3].
The other options are not primary functions of Cisco ISE, because:
* Allocating resources: Cisco ISE does not allocate resources to the endpoints or the network devices. Cisco ISE can assign services or access levels based on the policies, but not resources such as bandwidth, memory, or CPU [1].
* Enabling WAN deployment over any type of connection: Cisco ISE does not enable WAN deployment over any type of connection. Cisco ISE can support VPN access for remote endpoints, but not WAN deployment for the network infrastructure [1].
* Automatically enabling, disabling, or reducing allocated power to certain devices: Cisco ISE does not automatically enable, disable, or reduce allocated power to certain devices. Cisco ISE can control the access and authorization of the devices, but not their power consumption or management [1].
* Providing VPN access for any type of device: Cisco ISE does not provide VPN access for any type of device. Cisco ISE can authenticate and authorize the VPN access for the endpoints, but not provide the VPN service or connection itself. Cisco ISE relies on other network devices, such as VPN gateways or routers, to provide the VPN access [1].
References:
1: Cisco Content Hub - Cisco ISE Features
2: Cisco ISE Posture Service Overview
3: [Cisco ISE Profiler Service Overview]


NEW QUESTION # 19
Which three ways are SD-Access and ACI Fabric similar? (Choose three.)

  • A. focus on user endpoints
  • B. use of Virtual Network IDs
  • C. use of group policy
  • D. use of Scalable Group Tags
  • E. use of Endpoint Groups
  • F. use of overlays

Answer: D,E,F

Explanation:
SD-Access and ACI Fabric are both solutions that provide software-defined networking for different domains. SD-Access is designed for the campus and branch networks, while ACI Fabric is designed for the data center networks. However, they share some common features and concepts, such as:
* Use of Scalable Group Tags: Both SD-Access and ACI Fabric use Scalable Group Tags (SGTs) to identify and classify the endpoints based on their attributes, such as user identity, device type, or application. SGTs are numerical labels that are assigned to the endpoints and carried in the packets, either in the header or in the metadata. SGTs enable granular and dynamic policy enforcement based on the endpoint identity and context, rather than the network topology and IP addresses [1][2].
* Use of overlays: Both SD-Access and ACI Fabric use overlays to create a network abstraction layer that decouples the network services and functions from the underlying physical infrastructure. Overlays enable network virtualization and segmentation, as they allow multiple logical networks to coexist on the same physical network. Overlays also simplify the network design and management, as they reduce the complexity and variability of the network elements and interfaces. SD-Access uses VXLAN as the overlay protocol, while ACI Fabric uses VXLAN with EVPN as the overlay protocol [3][4].
* Use of Endpoint Groups: Both SD-Access and ACI Fabric use Endpoint Groups (EPGs) to group the endpoints based on their policy requirements and network scope. EPGs are logical containers that define the allowed interactions between the endpoints, such as the protocols, ports, and quality of service. EPGs also define the network boundaries that isolate the endpoints from each other, based on the security and compliance needs. EPGs are synonymous with Scalable Groups in SD-Access, and they can be mapped between SD-Access and ACI Fabric to enable end-to-end policy across the domains [5][6].
References:
1: Cisco TrustSec Overview
2: Cisco TrustSec Configuration Guide, Cisco IOS XE Gibraltar 16.12.x - Scalable Group Tags [Cisco IOS XE 16] - Cisco
3: Cisco SD-Access Architecture Overview
4: Cisco Application Centric Infrastructure Fundamentals, Release 4.0(1) - ACI Fabric Fundamentals [Cisco Application Policy Infrastructure Controller (APIC)] - Cisco
5: Cisco SD-Access (SDA) Integration with Cisco Application Centric Infrastructure (ACI) - Cisco Community
6: Cisco Application Centric Infrastructure - Cisco Multidomain Integration At-a-Glance


NEW QUESTION # 20
What are the three foundational elements required for the new operational paradigm? (Choose three.)

  • A. assurance
  • B. fabric
  • C. centralization
  • D. multiple technologies at multiple OSI layers
  • E. policy-based automated provisioning of network
  • F. application QoS

Answer: A,B,E

Explanation:
The new operational paradigm is a way of designing, deploying, and managing networks that leverages the power of intent-based networking. Intent-based networking is a network architecture that aligns the network with the business goals and policies, and uses artificial intelligence and automation to translate the intent into network configurations and actions. The new operational paradigm requires three foundational elements:
* Fabric: A fabric is a network topology that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. A fabric can span across multiple domains, such as campus, branch, data center, and cloud, and can support multiple protocols, such as IP, Ethernet, MPLS, and VXLAN. A fabric enables the network to operate as a single entity, rather than a collection of disparate devices and links. A fabric also simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.
* Assurance: Assurance is the process of continuously monitoring, verifying, and optimizing the network performance and behavior, based on the defined intent and policies. Assurance uses telemetry, analytics, and machine learning to collect and process data from the network devices and applications, and to provide insights and recommendations for network optimization and troubleshooting. Assurance also enables the network to self-heal and self-optimize, by applying corrective actions and adjustments to the network configurations and policies, based on the feedback loop from the data and analytics.
* Policy-based automated provisioning of network: Policy-based automated provisioning of network is the process of applying the intent and policies to the network devices and services, using automation and orchestration tools. Policy-based automated provisioning of network abstracts the network complexity and heterogeneity, and allows the network operators to define the network requirements and outcomes in a high-level and declarative way, rather than specifying the low-level and imperative commands and parameters. Policy-based automated provisioning of network also enables the network to be agile and adaptive, as it can dynamically adjust the network configurations and policies, based on the changing network conditions and business needs.
References:
* Cisco Intent-Based Networking
* Cisco Digital Network Architecture
* Cisco Routed Optical Networking
* Cisco Operational Insights: A New Way of Seeing Operations


NEW QUESTION # 21
Which three options are the focus of the current digital business era? (Choose three.)

  • A. automation
  • B. IoT scale
  • C. centralized enterprise and web applications
  • D. connectivity
  • E. Human scale
  • F. virtualized services

Answer: A,D,F


NEW QUESTION # 22
What should you do if you are looking at a strategic win with a customer and the customer wants to examine Cisco ISE for longer than a few weeks?

  • A. Set them up with an account on a Cisco UCS server that hosts ISE.
  • B. Provide them with a downloadable POV kit.
  • C. Give them some of our flash files that can be played on any browser.
  • D. Set them up with a dCloud account.
  • E. Point them to our dCloud demo library.
  • F. Give them our ISE YouTube videos.

Answer: B

Explanation:
If you are looking at a strategic win with a customer and the customer wants to examine Cisco ISE for longer than a few weeks, you should provide them with a downloadable POV kit. A POV kit is a proof of value kit that contains a pre-configured virtual machine of Cisco ISE with licenses, sample data, and documentation. A POV kit allows the customer to quickly and easily deploy and test Cisco ISE in their own environment, without requiring any hardware or installation. A POV kit can help the customer to evaluate the features and benefits of Cisco ISE, such as identity-based access control, device profiling, posture assessment, guest management, and threat mitigation [1][2].
The other options are not suitable for a customer who wants to examine Cisco ISE for longer than a few weeks. Pointing them to our dCloud demo library, giving them our ISE YouTube videos, or giving them some of our flash files that can be played on any browser are good ways to introduce Cisco ISE to the customer, but they do not provide a hands-on experience or a realistic scenario of how Cisco ISE works in their network.
Setting them up with a dCloud account or an account on a Cisco UCS server that hosts ISE are also possible ways to provide a demo or a trial of Cisco ISE, but they may have limitations on the duration, availability, scalability, or customization of the environment. A POV kit gives the customer more flexibility and control over their evaluation of Cisco ISE.
References:
1: Solved: ISE PoV licenses - Cisco Community
2: Cisco Endpoint Security Analytics (CESA) Built on Splunk Quickstart POV Kit & Deployment Guide - Cisco Community
From the dCloud help page: "While scheduling a session you can choose to Extend the session longer than 5 days by checking this check box. An initial session scheduled shorter than 5 days can later be extended up to the 5-day total. To extend an active session longer than 5 days, submit a session extension request."
https://dcloud-cms.cisco.com/help/sched_demo#:~:text=An%20initial%20session%20scheduled%20shorter,subm
https://community.cisco.com/t5/security-knowledge-base/product-proof-of-value-pov/ta-p/3633986/redirect_


NEW QUESTION # 23
Which two Cisco ISE use cases typically involve the highest level of implementation complexity? (Choose two.)

  • A. Guest and wireless access
  • B. Device management
  • C. Asset visibility
  • D. Software-defined access
  • E. Software-defined segmentation

Answer: D,E

Explanation:
Cisco ISE use cases can be classified into four categories: device management, asset visibility, software-defined segmentation, and software-defined access. Each of these use cases has a different level of implementation complexity, depending on the network size, topology, security requirements, and integration with other technologies. Among these use cases, software-defined segmentation and software-defined access typically involve the highest level of implementation complexity, because they require:
* A thorough understanding of the network architecture and design principles, such as hierarchical, modular, and scalable design.
* A comprehensive assessment of the network devices, endpoints, users, applications, and policies, and their interdependencies and interactions.
* Careful planning and testing of the network segmentation and access policies, using tools such as Cisco TrustSec, Cisco DNA Center, Cisco SD-Access, and Cisco ISE.
* A smooth and secure migration from the existing network to the software-defined network, with minimal disruption and downtime.
* Continuous monitoring and optimization of the network performance, security, and compliance, using tools such as Cisco Stealthwatch, Cisco Tetration, and Cisco ISE.
References:
* Cisco Identity Services Engine (ISE) Use Cases, https://www.cisco.com/c/en/us/products/security/identity-services-engine/use-cases.html
* Cisco Enterprise Network Architecture and Design, https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/enterprise-networking-design.ht
* Cisco ISE Network Discovery, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide
* Cisco TrustSec, https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html
* Cisco DNA Center, https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html
* Cisco SD-Access, https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/index.html
* Cisco ISE Software-Defined Access, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide
* Cisco SD-Access Migration Guide, https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-migration-guide.html
* Cisco Stealthwatch, https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html
* Cisco Tetration, https://www.cisco.com/c/en/us/products/data-center-analytics/tetration/index.html
* Cisco ISE Monitoring and Troubleshooting, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide


NEW QUESTION # 24
Which three options are the focus of the current digital business era? (Choose three.)

  • A. IoT scale
  • B. automation
  • C. connectivity
  • D. centralized enterprise and web applications
  • E. Human scale
  • F. virtualized services

Answer: A,B,F

Explanation:
https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000P3hKMAAZ&ltu


NEW QUESTION # 25
Which two statements regarding Cisco SD-WAN vEdge routers can mitigate DoS attacks against the infrastructure? (Choose two.)

  • A. Open Certificate Authority and automated enrollment feature
  • B. In case of direct Internet access, the only traffic allowed back is the traffic matching the state table entries on the vEdge router.
  • C. Only authorized controllers are allowed to communicate back to the vEdge router after the vEdge router establishes connections with the controllers.
  • D. By default, all incoming traffic is denied at the transport (WAN) side interfaces.
  • E. The vEdge routers run on hardened Linux operating systems.

Answer: B,C


NEW QUESTION # 26
What should you do if you are looking at a strategic win with a customer and the customer wants to examine Cisco ISE for longer than a few weeks?

  • A. Give them some of our flash files that can be played on any browser
  • B. Point them to our dCloud demo library
  • C. Give them our ISE YouTube videos
  • D. Provide them with a downloadable POV kit
  • E. Set them up with a dCloud account
  • F. Set them up with an account on a Cisco UCS server that hosts ISE

Answer: E


NEW QUESTION # 27
Which two statements are true regarding Cisco ISE? (Choose two.)

  • A. Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves.
  • B. An ISE deployment requires only a Cisco ISE network access control appliance.
  • C. ISE plays a critical role in SD-Access.
  • D. ISE can provide data about when a specific device connected to the network.
  • E. The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation.

Answer: C,D


NEW QUESTION # 28
Which are the three focus areas for reinventing the WAN? (Choose three.)

  • A. Secure Elastic Connectivity
  • B. Application Quality of Experience
  • C. Cloud First
  • D. Execution
  • E. Centralized device authentication
  • F. Operations

Answer: A,B,C


NEW QUESTION # 29
What is the easiest way to enable SD-Access for all your remote sites after you have your campus SD-Access fabric up and running?

  • A. Treat all the sites as one fabric domain and use the traditional physical network as the underlay
  • B. Use a separate fabric domain for each site and use the traditional physical network as the underlay
  • C. Use a separate fabric domain for each site and use SD-WAN as the underlay
  • D. Treat all the sites as one fabric domain and use SD-WAN as the underlay

Answer: D


NEW QUESTION # 30
Which two activities should occur during an SE's discovery process? (Choose two.)

  • A. Gathering information about the current state of the customer's network environment
  • B. Establishing credibility with the customer
  • C. Working with the customer to develop a reference architecture
  • D. Mapping Cisco innovation to customer's needs
  • E. Referencing the PPDIOO model to effectively facilitate the discussion

Answer: A,B


NEW QUESTION # 31
What are the three foundational elements required for the new operational paradigm? (Choose three.)

  • A. assurance
  • B. fabric
  • C. centralization
  • D. multiple technologies at multiple OSI layers
  • E. policy-based automated provisioning of network
  • F. application QoS

Answer: A,B,E


NEW QUESTION # 32
Which Cisco product was incorporated into Cisco ISE between ISE releases 2.0 and 2.3?

  • A. Cisco ACS
  • B. Cisco ESA
  • C. Cisco WSA
  • D. Cisco ASA

Answer: A

Explanation:
Cisco ISE incorporated Cisco ACS (Cisco Secure Access Control System) between ISE releases 2.0 and 2.3. Cisco ACS was a network access policy platform that provided authentication, authorization, and accounting (AAA) services for network devices and users. Cisco ACS was discontinued in 2017 and replaced by Cisco ISE, which offers more advanced features and capabilities for identity-based network access control. Cisco ISE provides a migration tool that allows customers to migrate their data and configurations from Cisco ACS to Cisco ISE. The migration tool supports Cisco ACS versions 5.5, 5.6, 5.7, and 5.8 and Cisco ISE versions 2.0, 2.1, 2.2, and 2.3.
References:
* Cisco Secure Access Control System End-of-Life Announcement [Cisco Secure Access Control System]
* Cisco Secure ACS to Cisco ISE Migration Tool [Cisco Identity Services Engine]
* Cisco Identity Services Engine Administrator Guide, Release 2.3 - Cisco Secure ACS to Cisco ISE Migration [Cisco Identity Services Engine]
* Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Migration [Cisco Identity Services Engine]
* Cisco Identity Services Engine Migration Guide, Release 2.3 [Cisco Identity Services Engine]
* Designing Cisco Enterprise Networks (ENDESIGN) Exam Topics [Cisco]
* Cisco Validated Design Guides [Cisco]


NEW QUESTION # 33
Which two are Cisco recommendations for demonstrating SDA? (Choose two.)

  • A. Keep the demo at a high level
  • B. Be sure you explain the major technologies such as VXLAN and LISP in depth
  • C. Use the CLI to perform as much of the configuration as possible
  • D. Focus on business benefits
  • E. Show the customer how to integrate ISE into DNA Center at the end of the demo

Answer: A,D


NEW QUESTION # 34
What should you do if you are looking at a strategic win with a customer and the customer wants to examine Cisco ISE for longer than a few weeks?

  • A. Give them some of our flash files that can be played on any browser
  • B. Point them to our dCloud demo library
  • C. Give them our ISE YouTube videos
  • D. Provide them with a downloadable POV kit
  • E. Set them up with a dCloud account
  • F. Set them up with an account on a Cisco UCS server that hosts ISE

Answer: F


NEW QUESTION # 35
Which Cisco product supports SD-Access and is specifically built to address new challenges faced by enterprises?

  • A. Catalyst 6807-XL W/ Sup6T and C6800 10G line cards
  • B. CSRv virtual router
  • C. ISR 4221
  • D. Nexus 7700 w/ Sup2E and M3 line cards
  • E. Catalyst 9500
  • F. ASR 1000 MX

Answer: C


NEW QUESTION # 36
Which two statements describe Cisco SD-Access? (Choose two.)

  • A. an automated encryption/decryption engine for highly secured transport requirements
  • B. a collection of tools and applications that are a combination of loose and tight coupling
  • C. software-defined segmentation and policy enforcement based on user identity and group membership
  • D. an overlay for the wired infrastructure in which traffic is tunneled via a GRE tunnel to a mobility controller for policy and application visibility
  • E. programmable overlays enabling network virtualization across the campus

Answer: C,E


NEW QUESTION # 37
Which feature is supported on the Cisco vEdge platform?

  • A. 2-factor authentication
  • B. license enforcement
  • C. reporting
  • D. non-Ethernet interfaces
  • E. single sign-on
  • F. IPv6 transport (WAN)

Answer: F

Explanation:
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/segmentation/vEdge-20-x/segmentation-boo
The Cisco vEdge platform supports IPv6 transport (WAN) as one of its features. This means that the vEdge routers can use IPv6 addresses to establish secure control and data plane connections with other vEdge routers over the WAN network. The vEdge routers can also use IPv6 addresses to communicate with the vSmart controllers and the vManage network management system. The vEdge routers can also support IPv6 routing protocols, such as OSPFv3 and BGP, to exchange IPv6 routes with other routers in the network [1][2].
The other features listed in the question are not supported on the Cisco vEdge platform. License enforcement is not applicable to the vEdge routers, as they do not require any license to operate. Reporting is a function of the vManage network management system, which collects and displays various statistics and analytics from the vEdge routers. Non-Ethernet interfaces, such as serial, T1/E1, or DSL, are not available on the vEdge routers, which only support Ethernet and cellular interfaces. Single sign-on and 2-factor authentication are not supported on the vEdge routers, which use local or remote authentication methods, such as TACACS+, RADIUS, or LDAP [3].
References:
1: Cisco SD-WAN vEdge Routers Data Sheet
2: Cisco SD-WAN Configuration Guide, Release 20.3
3: Cisco SD-WAN Command Reference, Release 20.3


NEW QUESTION # 38
How would Cisco ISE handle authentication for your printer that does not have a supplicant?

  • A. ISE would not authenticate the printer as printers are not subject to ISE authentication.
  • B. ISE would authenticate the printer using MAB.
  • C. ISE would authenticate the printer using 802.1X authentication.
  • D. ISE would authenticate the printer using web authentication.
  • E. ISE would authenticate the printer using MAC RADIUS authentication

Answer: C


NEW QUESTION # 39
What are three ways in which Cisco ISE learns information about devices? (Choose three.)

  • A. user authentication to the ISE
  • B. SMIP agents
  • C. network servers the device has accessed
  • D. RADIUS attributes
  • E. traffic generated by the device
  • F. RPC mechanism via HTTPS

Answer: C,D,E


NEW QUESTION # 40
What is the easiest way to enable SD-Access for all your remote sites after you have your campus SD-Access fabric up and running?

  • A. Use a separate fabric domain for each site and use the traditional physical network as the underlay.
  • B. Treat all the sites as one fabric domain and use the traditional physical network as the underlay.
  • C. Use a separate fabric domain for each site and use SD-WAN as the underlay.
  • D. Treat all the sites as one fabric domain and use SD-WAN as the underlay.

Answer: D

