Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations1. Two of the statements that are true regarding Cisco ISE are:

• ISE can detect endpoints whose addresses have been translated via NAT: Cisco ISE can discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security1. Cisco ISE can also detect endpoints whose addresses have been translated via NAT by using various methods, such as passive and active discovery, NMAP scanning, DHCP snooping, and RADIUS accounting234.
• The number of logs that ISE can retain is determined by your disk space: Cisco ISE provides a logging mechanism that is used for auditing, fault management, and troubleshooting. The logging mechanism helps you to identify fault conditions in deployed services and troubleshoot issues efficiently. You can configure your Cisco ISE node to collect the logs in the local systems using a virtual loopback address5. The number of logs that ISE can retain is determined by your disk space, as well as the data purging settings that you can configure under Administration > System > Maintenance > Data Purging6. You can also configure Cisco ISE to send its logs to a remote system for greater retention history7.

The other statements are not true regarding Cisco ISE, because:

• In distributed deployments, failover from primary to secondary Policy Administration Nodes happens automatically: Cisco ISE supports high availability for the Administration persona, which provides centralized configuration and management of the distributed deployment. You can configure one primary Administration ISE node and one secondary Administration ISE node for high availability. However, the failover from primary to secondary Policy Administration Nodes does not happen automatically, unless you enable the automatic failover feature and configure a health check node to monitor the primary node’s status8. Otherwise, you have to manually promote the secondary node to become the primary node in case of a failure9.
• In two-node standalone ISE deployments, failover must be done manually: Cisco ISE supports high availability for the Policy Service persona, which provides network access, posture, guest access, client provisioning, and profiling services. You can configure multiple Policy Service Nodes (PSNs) in a node group to provide session failover and load balancing for the endpoints. In a two-node standalone ISE deployment, where each node assumes all the personas, the failover for the Policy Service persona does not need to be done manually, as long as the network access devices are configured to use both nodes for RADIUS and TACACS services10.
• ISE supports IPv6 downloadable ACLs: Cisco ISE supports downloadable ACLs (DACLs), which are configured and implemented through authorization profiles. DACLs are used to enforce granular access control policies for the endpoints based on their identity and other attributes. However, Cisco ISE does not support IPv6 downloadable ACLs, as it only supports IPv4 ACLs for RADIUS and TACACS protocols1112.

References:

1: Cisco Content Hub - Cisco ISE Features 2: Cisco ISE Profiler Service Overview 3: ISE Deployment through NAT Boundaries - Cisco Community 4: Configure ISE 3.3 Native IPSec to Secure NAD (IOS-XE) Communication - Cisco 5: Logging [Cisco Identity Services Engine] - Cisco Systems 6: ISE maximum logging time / data retention - Cisco Community 7: Logs retention on ISE - Cisco Community 8: Cisco Identity Services Engine Administrator Guide, Release 2.4 9: Setting Up Cisco ISE in a Distributed Environment 10: Cisco Content Hub - Network Deployments in Cisco ISE 11: Cisco Identity Services Engine Administrator Guide, Release 2.2 12: Solved: ISE: support for IPv6 DACL’s - Cisco Community

 Cisco ISE use cases can be classified into four categories: device management, asset visibility, software-defined segmentation, and software-defined access. Each of these use cases has a different level of implementation complexity, depending on the network size, topology, security requirements, and integration with other technologies. Among these use cases, software-defined segmentation and software-defined access typically involve the highest level of implementation complexity, because they require:

• A thorough understanding of the network architecture and design principles, such as hierarchical, modular, and scalable design.
• A comprehensive assessment of the network devices, endpoints, users, applications, and policies, and their interdependencies and interactions.
• A careful planning and testing of the network segmentation and access policies, using tools such as Cisco TrustSec, Cisco DNA Center, Cisco SD-Access, and Cisco ISE .
• A smooth and secure migration from the existing network to the software-defined network, with minimal disruption and downtime.
• A continuous monitoring and optimization of the network performance, security, and compliance, using tools such as Cisco Stealthwatch, Cisco Tetration, and Cisco ISE .

References:

Cisco Identity Services Engine (ISE) Use Cases, https://www.cisco.com/c/en/us/products/security/identity-services-engine/use-cases.html : Cisco Enterprise Network Architecture and Design, https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/enterprise-networking-design.html : Cisco ISE Network Discovery, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010011.html : Cisco TrustSec, https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html : Cisco DNA Center, https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html : Cisco SD-Access, https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/index.html : Cisco ISE Software-Defined Access, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010110.html : Cisco SD-Access Migration Guide, https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-migration-guide.html : Cisco Stealthwatch, https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html : Cisco Tetration, https://www.cisco.com/c/en/us/products/data-center-analytics/tetration/index.html : Cisco ISE Monitoring and Troubleshooting, https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010100.html

 Cisco ISE is a comprehensive solution that enables enterprises to enforce consistent and secure access policies across wired, wireless, and VPN connections. It also provides visibility, control, and automation for the network devices, endpoints, users, and applications. To sell Cisco ISE effectively, it is important to highlight the benefits and features of the solution that address the customer’s pain points and needs. Among the options given, two options help you sell Cisco ISE:

• Showcasing the entire ISE feature set: ISE has a rich and diverse feature set that covers various use cases, such as device management, asset visibility, software-defined segmentation, software-defined access, guest and wireless access, BYOD, posture assessment, threat detection and response, and more1. By showcasing the entire ISE feature set, you can demonstrate the value proposition and differentiation of ISE from other solutions, and how it can help the customer achieve their business and technical goals.
• Explaining ISE support for 3rd party network devices: ISE is not limited to Cisco networks only. It can also support 3rd party network devices that comply with the standard protocols and interfaces, such as RADIUS, SNMP, TACACS+, 802.1X, MAB, CoA, and EAP2. By explaining ISE support for 3rd party network devices, you can show the customer that ISE is a flexible and interoperable solution that can work with their existing network infrastructure, and that they do not need to replace their non-Cisco devices to deploy ISE.

The other three options are not helpful for selling Cisco ISE:

• Referring to TrustSec as being only supported on Cisco networks: TrustSec is a Cisco technology that enables software-defined segmentation based on security group tags (SGTs) and security group access control lists (SGACLs)3. TrustSec is not only supported on Cisco networks, but also on 3rd party network devices that can integrate with ISE through pxGrid, which is a platform for sharing contextual information across multiple security products4. By referring to TrustSec as being only supported on Cisco networks, you can create a false impression that ISE is a proprietary and closed solution that requires a complete Cisco network overhaul, which can discourage the customer from adopting ISE.
• Discussing the importance of custom profiling: Profiling is a feature of ISE that allows it to identify and classify the endpoints on the network based on their attributes, such as MAC address, IP address, device type, operating system, etc.5. Custom profiling is the ability to create custom profiles and policies for the endpoints that are not recognized by the default ISE profiles. While custom profiling is an important feature of ISE, it is not a key selling point, because it is a complex and time-consuming process that requires a deep understanding of the endpoint attributes and behaviors, and it may not be relevant or applicable for all customers. By discussing the importance of custom profiling, you can confuse or overwhelm the customer with technical details that are not essential for their use case, and divert their attention from the core benefits and features of ISE.
• Downplaying the value of pxGrid as compared to RESTful APIs: pxGrid is a platform that enables ISE to share contextual information, such as identity, location, posture, device type, etc., with other security products, such as firewalls, SIEMs, threat detection systems, etc.4. RESTful APIs are a standard way of communicating with web services, such as ISE, using HTTP methods, such as GET, POST, PUT, DELETE, etc… Both pxGrid and RESTful APIs are valuable for ISE, because they provide different capabilities and benefits. pxGrid allows ISE to exchange real-time and bidirectional information with other security products, and to enforce consistent policies across the network4. RESTful APIs allow ISE to be integrated with external applications and systems, such as portals, dashboards, workflows, etc., and to automate and customize the network operations. By downplaying the value of pxGrid as compared to RESTful APIs, you can misrepresent the functionality and potential of ISE, and miss the opportunity to showcase how ISE can enhance the security and efficiency of the network.

References:

Cisco Identity Services Engine (ISE) Use Cases1 : Cisco Identity Services Engine Network Component Compatibility, Release 2.72 : Cisco TrustSec3 : Cisco pxGrid4 : Cisco ISE Network Discovery5 : Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Custom Profiling Policies [Cisco Identity Services Engine] - Cisco : Cisco Identity Services Engine API Reference Guide, Release 2.7 - Cisco ISE REST APIs [Cisco Identity Services Engine] - Cisco

 A “one switch at a time” approach to integrating SD-Access into an existing brownfield environment is a method that allows network administrators to gradually migrate their legacy network devices to SD-Access fabric devices without disrupting the network operations. This approach has two main advantages:

• It is appropriate for campus and remote site environments, where there may be different types of devices and network topologies. By replacing one switch at a time, the network administrators can ensure that the existing network connectivity and functionality are preserved, while gaining the benefits of SD-Access features such as automation, segmentation, and assurance12.
• It allows simplified testing prior to cutover, as the network administrators can verify the performance and compatibility of each switch before adding it to the fabric. This reduces the risk of errors and failures during the migration process, and allows for faster troubleshooting and resolution of any issues34.

References:

• Cisco SD-Access Solution Design Guide (CVD)
• Discuss Cisco 500-490 Exam Topic 1 Question 33 - Pass4Success
• How to provision devices in SD-Access ( SDA ) - Cisco Community
• A quick-start guide to SD-Access - Cisco Blogs

SD-Access and ACI Fabric are both solutions that provide software-defined networking for different domains. SD-Access is designed for the campus and branch networks, while ACI Fabric is designed for the data center networks. However, they share some common features and concepts, such as:

• Use of Scalable Group Tags: Both SD-Access and ACI Fabric use Scalable Group Tags (SGTs) to identify and classify the endpoints based on their attributes, such as user identity, device type, or application. SGTs are numerical labels that are assigned to the endpoints and carried in the packets, either in the header or in the metadata. SGTs enable granular and dynamic policy enforcement based on the endpoint identity and context, rather than the network topology and IP addresses12.
• Use of overlays: Both SD-Access and ACI Fabric use overlays to create a network abstraction layer that decouples the network services and functions from the underlying physical infrastructure. Overlays enable network virtualization and segmentation, as they allow multiple logical networks to coexist on the same physical network. Overlays also simplify the network design and management, as they reduce the complexity and variability of the network elements and interfaces. SD-Access uses VXLAN as the overlay protocol, while ACI Fabric uses VXLAN with EVPN as the overlay protocol34.
• Use of Endpoint Groups: Both SD-Access and ACI Fabric use Endpoint Groups (EPGs) to group the endpoints based on their policy requirements and network scope. EPGs are logical containers that define the allowed interactions between the endpoints, such as the protocols, ports, and quality of service. EPGs also define the network boundaries that isolate the endpoints from each other, based on the security and compliance needs. EPGs are synonymous with Scalable Groups in SD-Access, and they can be mapped between SD-Access and ACI Fabric to enable end-to-end policy across the domains56.

References:

• Cisco TrustSec Overview
• Cisco TrustSec Configuration Guide, Cisco IOS XE Gibraltar 16.12.x - Scalable Group Tags [Cisco IOS XE 16] - Cisco
• Cisco SD-Access Architecture Overview
• Cisco Application Centric Infrastructure Fundamentals, Release 4.0(1) - ACI Fabric Fundamentals [Cisco Application Policy Infrastructure Controller (APIC)] - Cisco
• Cisco SD-Access (SDA) Integration with Cisco Application Centric Infrastructure (ACI) - Cisco Community
• Cisco Application Centric Infrastructure - Cisco Multidomain Integration At-a-Glance

 Cisco ISE benefits our customers by providing network access control and helping them stop and contain real-time threats. Network access control is the ability to enforce policies on who and what can access the network, based on the identity and context of users, devices, and applications. Cisco ISE allows customers to authenticate, authorize, and audit network access, as well as to segment and isolate network traffic based on security and compliance requirements. Cisco ISE also helps customers stop and contain real-time threats by leveraging intel from across the network and security ecosystem, and by automating threat response actions. Cisco ISE can integrate with various security solutions, such as Cisco Stealthwatch, Cisco Firepower, and Cisco Umbrella, to detect and mitigate attacks on the network quickly and effectively. References:

• Cisco Identity Services Engine (ISE) - Cisco1
• Cisco Identity Services Engine (ISE) - Cisco2
• Network Visibility and Segmentation (NVS) - Cisco3
• Rapid Threat Containment - Cisco4

 The new operational paradigm is a way of designing, deploying, and managing networks that leverages the power of intent-based networking. Intent-based networking is a network architecture that aligns the network with the business goals and policies, and uses artificial intelligence and automation to translate the intent into network configurations and actions. The new operational paradigm requires three foundational elements:

• Fabric: A fabric is a network topology that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. A fabric can span across multiple domains, such as campus, branch, data center, and cloud, and can support multiple protocols, such as IP, Ethernet, MPLS, and VXLAN. A fabric enables the network to operate as a single entity, rather than a collection of disparate devices and links. A fabric also simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.
• Assurance: Assurance is the process of continuously monitoring, verifying, and optimizing the network performance and behavior, based on the defined intent and policies. Assurance uses telemetry, analytics, and machine learning to collect and process data from the network devices and applications, and to provide insights and recommendations for network optimization and troubleshooting. Assurance also enables the network to self-heal and self-optimize, by applying corrective actions and adjustments to the network configurations and policies, based on the feedback loop from the data and analytics.
• Policy-based automated provisioning of network: Policy-based automated provisioning of network is the process of applying the intent and policies to the network devices and services, using automation and orchestration tools. Policy-based automated provisioning of network abstracts the network complexity and heterogeneity, and allows the network operators to define the network requirements and outcomes in a high-level and declarative way, rather than specifying the low-level and imperative commands and parameters. Policy-based automated provisioning of network also enables the network to be agile and adaptive, as it can dynamically adjust the network configurations and policies, based on the changing network conditions and business needs.

References:

• Cisco Intent-Based Networking
• Cisco Digital Network Architecture
• Cisco Routed Optical Networking
• Cisco Operational Insights: A New Way of Seeing Operations

Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations1. Two of the primary functions of Cisco ISE are:

• Enforcing endpoint compliance with network security policies: Cisco ISE can assess the posture of all endpoints that access the network, including 802.1X environments, and enforce the appropriate policies based on the device type, identity, location, and other attributes. Cisco ISE can also provide comprehensive client provisioning measures to ensure that the endpoints are compliant with the network security policies before granting them access. Cisco ISE can also quarantine or remediate non-compliant endpoints to prevent potential threats or vulnerabilities12.
• Providing information about every device that touches the network: Cisco ISE can gather real-time contextual information from networks, users, and devices, and use that information to make governance decisions and apply policies. Cisco ISE can also discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can also leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security13.

The other options are not primary functions of Cisco ISE, because:

• Allocating resources: Cisco ISE does not allocate resources to the endpoints or the network devices. Cisco ISE can assign services or access levels based on the policies, but not resources such as bandwidth, memory, or CPU1.
• Enabling WAN deployment over any type of connection: Cisco ISE does not enable WAN deployment over any type of connection. Cisco ISE can support VPN access for remote endpoints, but not WAN deployment for the network infrastructure1.
• Automatically enabling, disabling, or reducing allocated power to certain devices: Cisco ISE does not automatically enable, disable, or reduce allocated power to certain devices. Cisco ISE can control the access and authorization of the devices, but not their power consumption or management1.
• Providing VPN access for any type of device: Cisco ISE does not provide VPN access for any type of device. Cisco ISE can authenticate and authorize the VPN access for the endpoints, but not provide the VPN service or connection itself. Cisco ISE relies on other network devices, such as VPN gateways or routers, to provide the VPN access1.

References:

1: Cisco Content Hub - Cisco ISE Features 2: Cisco ISE Posture Service Overview 3: [Cisco ISE Profiler Service Overview]