
Try 100% Updated 500-490 Exam Questions [2024]
Pass 500-490 Exam - Real Questions and Answers
The Cisco 500-490 exam is designed to test the candidate's knowledge and skills in designing enterprise networks using Cisco technology. The exam covers a wide range of topics, including network design principles, Cisco Enterprise Network Architecture, and network security considerations. The Designing Cisco Enterprise Networks certification exam is intended for network engineers who are involved in the design and implementation of enterprise networks.
NEW QUESTION # 17
Which two activities should occur during an SE's discovery process? (Choose two.)
- A. Working with the customer to develop a reference architecture
- B. Establishing credibility with the customer
- C. Mapping Cisco innovation to customer's needs
- D. Referencing the PPDIOO model to effectively facilitate the discussion
- E. Gathering information about the current state of the customer's network environment
Answer: C,E
NEW QUESTION # 18
Which are the three focus areas for reinventing the WAN? (Choose three.)
- A. Cloud Fast
- B. Centralized device authentication
- C. Execution
- D. Application Quality of Experience
- E. Secure Elastic Connectivity
- F. Operations
Answer: A,D,E
NEW QUESTION # 19
Which two statements are true regarding Cisco ISE? (Choose two.)
- A. ISE can provide data about when a specific device connected to the network.
- B. An ISE deployment requires only a Cisco ISE network access control appliance.
- C. The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation.
- D. Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves.
- E. ISE plays a critical role in SD-Access.
Answer: A,E
Explanation:
Cisco ISE is a policy decision point that enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations. Some features and benefits of Cisco ISE include [1]:
Zero trust across the network: ISE allows only trusted users and devices access to resources on your network. It also uses intel to automatically identify, classify and profile devices.
Policy and lifecycle management: ISE simplifies the delivery of consistent, highly secure access control across wired, wireless, and VPN connections. It also allows users to add and manage their own devices through self-service portals.
Remote management and deployment: ISE supports cloud-based deployment and management, as well as integration with other Cisco products and third-party solutions.
Site survivability: ISE provides local authentication and authorization services for remote sites, even when the connection to the central ISE server is lost.
Visibility of all devices and their users: ISE can provide data about when a specific device connected to the network, what type of device it is, who is using it, what applications are running on it, and where it is located.
Among these features, two statements are true regarding Cisco ISE:
ISE plays a critical role in SD-Access: SD-Access is a network architecture that uses software-defined networking (SDN) principles to create a secure, scalable, and consistent network fabric. ISE is the policy engine that defines and enforces the network segmentation and access policies for SD-Access [2].
ISE can provide data about when a specific device connected to the network: ISE uses a number of probes to collect attributes for all endpoints on the network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups. ISE can also provide historical data about the endpoint connections, such as the time, duration, location, and user of the connection [3].
The other three statements are false regarding Cisco ISE:
The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation: ISE provides more than just user experience and VLAN segmentation. It also delivers business outcomes such as improved network performance, reduced operational costs, increased security, and simplified compliance [4].
An ISE deployment requires only a Cisco ISE network access control appliance: ISE can be deployed on different platforms, such as physical appliances, virtual machines, or cloud services. An ISE deployment also requires other components, such as network devices, endpoints, and external identity sources [5].
Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves: ISE can provide the location information of an endpoint based on the network device that it is connected to, such as the switch port or the wireless access point. However, to track the actual physical location of a wireless endpoint as it moves, ISE needs to integrate with other products, such as Cisco DNA Center, Cisco Connected Mobile Experiences (CMX), or Cisco Wireless LAN Controller (WLC) [6].
References:
1: Cisco Content Hub - Cisco ISE Features
2: Cisco SD-Access Solution Design Guide (CVD) - Cisco
3: Cisco ISE Network Discovery
4: Cisco Identity Services Engine (ISE) - Cisco
5: Cisco Identity Services Engine Hardware Installation Guide, Release 2.7 - Cisco ISE Deployment [Cisco Identity Services Engine] - Cisco
6: Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Location Mapping [Cisco Identity Services Engine] - Cisco
NEW QUESTION # 20
Which two statements are true regarding SD-WAN demonstrations? (Choose two.)
- A. Use demonstrations primarily for large opportunities and competitive situations
- B. As a Cisco SD-WAN SF, you should spend your time learning about the technology rather than contributing to demo innovation
- C. There is a big difference between demos that use a top down approach and demos that use a bottom up approach
- D. During a demo you should consider the target audience and the desired outcome
- E. During a demo, you should demonstrate and discuss what the team considers important details
Answer: C,D
NEW QUESTION # 21
Which are two ways that Cisco ISE benefits our customers? (Choose two.)
- A. provides network access control
- B. helps them stop and contain real-time threats
- C. helps them accelerate application deployment and delivery
- D. enables them to set traffic priorities across the network
Answer: A,B
NEW QUESTION # 22
Which two statements are true regarding Cisco ISE? (Choose two.)
- A. In distributed deployments, failover from primary to secondary Policy Administration Nodes happens automatically.
- B. ISE supports IPv6 downloadable ACLs.
- C. ISE supports up to 100 Policy Services Nodes.
- D. The number of logs that ISE can retain is determined by your disk space.
- E. In two-node standalone ISE deployments, failover must be done manually.
- F. ISE can detect endpoints whose addresses have been translated via NAT.
Answer: A,D
NEW QUESTION # 23
Which two statements describe Cisco SD-Access? (Choose two.)
- A. software-defined segmentation and policy enforcement based on user identity and group membership
- B. an automated encryption/decryption engine for highly secured transport requirements
- C. an overlay for the wired infrastructure in which traffic is tunneled via a GRE tunnel to a mobility controller for policy and application visibility
- D. programmable overlays enabling network virtualization across the campus
- E. a collection of tools and applications that are a combination of loose and tight coupling
Answer: A,D
Explanation:
Cisco SD-Access is a solution within Cisco DNA, which is built on intent-based networking principles. Cisco SD-Access provides visibility-based, automated end-to-end segmentation to separate user, device, and application traffic without redesigning the underlying physical network [1]. Cisco SD-Access also enables programmable overlays that allow network virtualization across the campus, branch, data center, and cloud [2]. Cisco SD-Access has two main components: the fabric and the policy [3].
The fabric is the network overlay that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. The fabric nodes are classified into four types: edge nodes, border nodes, control plane nodes, and intermediate nodes. The edge nodes are the access switches or wireless controllers that connect to the end devices. The border nodes are the routers or switches that connect the fabric to external networks, such as the Internet, WAN, or data center. The control plane nodes are the routers or switches that maintain the mapping between the endpoint identifiers and the network locators. The intermediate nodes are the routers or switches that provide transit services within the fabric [3].
The policy is the network configuration that defines the network behavior and outcomes, based on the business intent and requirements. The policy is composed of three elements: the endpoint groups, the contracts, and the virtual networks. The endpoint groups are the logical containers that group the endpoints based on their attributes, such as user identity, device type, or application. The contracts are the rules that specify the allowed interactions between the endpoint groups, such as the protocols, ports, and quality of service. The virtual networks are the logical partitions that isolate the endpoint groups and contracts from each other, based on the network scope and security [3].
Cisco SD-Access addresses the following challenges and benefits:
It simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.
It enhances the network security and compliance, as it enforces granular and dynamic policies based on the endpoint identity and context, rather than the network topology and IP addresses.
It improves the network performance and user experience, as it optimizes the network path, load balancing, and traffic engineering based on the network conditions and application requirements.
It enables the network agility and scalability, as it supports the rapid deployment and integration of new devices, applications, and services, without affecting the existing network operations.
References:
Cisco Software-Defined Access - Cisco Software-Defined Access Solution Overview What Is Software-Defined Access? - SD-Access - Cisco Cisco SD-Access Architecture Overview
NEW QUESTION # 24
What are three ways in which Cisco ISE learns information about devices? (Choose three.)
- A. RPC mechanism via HTTPS
- B. RADIUS attributes
- C. network servers the device has accessed
- D. traffic generated by the device
- E. SMTP agents
- F. user authentication to the ISE
Answer: B,D,F
Explanation:
Cisco ISE learns information about devices by using various methods, such as network probes, user authentication, and endpoint identity groups. Three ways in which Cisco ISE learns information about devices are:
B: RADIUS attributes: Cisco ISE can use the RADIUS protocol to collect information about devices from network access devices (NADs), such as switches, routers, and wireless controllers. The NADs can send RADIUS accounting packets to Cisco ISE that contain attributes related to the device identity, such as MAC address, IP address, hostname, device type, and vendor. Cisco ISE can use these attributes to profile the device and assign it to an endpoint identity group [1][2].
D: user authentication to the ISE: Cisco ISE can also learn information about devices by authenticating the users who access the network through the devices. Cisco ISE can use various authentication methods, such as 802.1X, MAC Authentication Bypass (MAB), web authentication, or certificate-based authentication, to verify the identity and credentials of the users. Cisco ISE can then associate the user identity with the device identity and apply the appropriate authorization policies based on the user role, device type, and network context [3][4].
E: traffic generated by the device: Cisco ISE can also learn information about devices by analyzing the traffic generated by the devices on the network. Cisco ISE can use various network probes, such as DHCP, SNMP, HTTP, DNS, or NetFlow, to capture and inspect the packets sent by the devices. Cisco ISE can then extract information from the packet headers and payloads, such as device name, operating system, browser type, application name, or domain name, and use it to profile the device and assign it to an endpoint identity group [5][6].
References:
Cisco ISE Profiling Services
Configuring Profiler Policies
Cisco ISE Authentication Services
Configuring Device Sensor for ISE Profiling
Cisco ISE Endpoint Profiling Policies
ISE Profiling Design Guide
NEW QUESTION # 25
Which Cisco vEdge router offers 20 Gb of encrypted throughput?
- A. Cisco vEdge 1000
- B. Cisco vEdge 5000
- C. Cisco vEdge 2000
- D. Cisco vEdge 100
Answer: B
NEW QUESTION # 26
Which two statements are true regarding Cisco ISE? (Choose two.)
- A. Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves
- B. ISE plays a critical role in SD-Access
- C. The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation
- D. ISE can provide data about when a specific device connected to the network
- E. An ISE deployment requires only a Cisco ISE network access control appliance
Answer: B,D
NEW QUESTION # 27
Which three key differentiators does DNA Assurance provide that our competitors are unable to match? (Choose three.)
- A. Support for Overlay Virtual Transport
- B. VXLAN support
- C. Network time travel
- D. Apply Insights
- E. Proactive approach to guided remediation
- F. On-premise and cloud-based analytics
Answer: C,E,F
NEW QUESTION # 28
Which two activities should occur during an SE's demo process? (Choose two.)
- A. determining whether the customer would like to dive deeper during a follow up.
- B. asking the customer to provide network drawings or white board the environment for you.
- C. highlighting opportunities that although not currently within scope would result in lower operational costs and complexity.
- D. leveraging a company such as Complete Communications to build a financial case.
- E. identifying which capabilities require demonstration.
Answer: C,E
NEW QUESTION # 29
Which two activities should occur during an SE's demo process? (Choose two.)
- A. identifying which capabilities require demonstration
- B. determining whether the customer would like to dive deeper during a follow up
- C. highlighting opportunities that although not currently within scope would result in lower operational costs and complexity
- D. leveraging a company such as Complete Communications to build a financial case.
- E. asking the customer to provide network drawings or white board the environment for you
Answer: A,C
NEW QUESTION # 30
What is the easiest way to enable SD-Access for all your remote sites after you have your campus SD-Access fabric up and running?
- A. Treat all the sites as one fabric domain and use SD-WAN as the underlay.
- B. Use a separate fabric domain for each site and use the traditional physical network as the underlay.
- C. Use a separate fabric domain for each site and use SD-WAN as the underlay.
- D. Treat all the sites as one fabric domain and use the traditional physical network as the underlay.
Answer: A
Explanation:
The easiest way to enable SD-Access for all your remote sites after you have your campus SD-Access fabric up and running is to treat all the sites as one fabric domain and use SD-WAN as the underlay. This option has the following advantages:
It simplifies the network design and management by using a single fabric domain for all the sites, which reduces the complexity of VRF and SGT mapping, and enables consistent policy enforcement across the network.
It leverages the benefits of SD-WAN as the underlay, such as dynamic path selection, application-aware routing, WAN optimization, and security services, which improve the network performance, reliability, and security for the remote sites.
It allows the remote sites to communicate with each other and with the campus fabric using the same SD-Access technology, which eliminates the need for additional protocols or devices to support the transit network.
References:
1: Cisco SD-Access Solution Design Guide (CVD) - Cisco
2: Cisco SD-Access - Connecting Multiple Sites in a Single Fabric Domain
3: What Is Software-Defined Access? - SD-Access - Cisco
4: How SD-WAN Enables Remote Network Access & Scalability
NEW QUESTION # 31
Which Cisco vEdge router offers 20 Gb of encrypted throughput?
- A. Cisco vEdge 1000
- B. Cisco vEdge 5000
- C. Cisco vEdge 2000
- D. Cisco vEdge 100
Answer: B
Explanation:
According to the Cisco SD-WAN vEdge Routers Data Sheet [1], the Cisco vEdge 5000 router is the only model that offers 20 Gbps of encrypted throughput. The vEdge 5000 router delivers highly secure site-to-site data connectivity to large enterprises, offers interface modularity, and supports up to 4 Network Interface Modules (NIMs) [2]. The other models of vEdge routers have lower encrypted throughput capacities, as shown in Table 6 of the Ordering Guide for SD-WAN [3]. The vEdge 1000 router has a maximum encrypted throughput of 1 Gbps, the vEdge 2000 router has a maximum encrypted throughput of 5 Gbps, and the vEdge 100 router has a maximum encrypted throughput of 100 Mbps [3].
References:
1: Cisco SD-WAN vEdge Routers Data Sheet
2: vEdge 5000 Router
3: Ordering Guide for SD-WAN
NEW QUESTION # 32
Which three ways are SD-Access and ACI Fabric similar? (Choose three.)
- A. use of Scalable Group Tags
- B. use of overlays
- C. use of group policy
- D. focus on user endpoints
- E. use of Virtual Network IDs
- F. use of Endpoint Groups
Answer: B,C,E
NEW QUESTION # 33
How would Cisco ISE handle authentication for your printer that does not have a supplicant?
- A. ISE would authenticate the printer using MAC RADIUS authentication
- B. ISE would authenticate the printer using web authentication.
- C. ISE would authenticate the printer using 802.1X authentication
- D. ISE would not authenticate the printer as printers are not subject to ISE authentication.
- E. ISE would authenticate the printer using MAB.
Answer: E
NEW QUESTION # 34
Which is a function of the Proactive Insights feature of Cisco DNA Center Assurance?
- A. enabling you to see the complete path of packets from the client to the end application
- B. enabling you to quickly view all of the contextual information related to a single user
- C. generating synthetic traffic to perform tests that raise awareness of potential network issues
- D. pointing out where the most serious issues are happening in the network
Answer: C
Explanation:
The Proactive Insights feature of Cisco DNA Center Assurance is a function that generates synthetic traffic to perform tests that raise awareness of potential network issues. This feature uses the Cisco DNA Center platform to create and schedule tests that simulate real user traffic and measure the network performance and user experience. The tests can be run on demand or periodically, and the results are displayed in the Cisco DNA Center dashboard. The Proactive Insights feature helps network administrators to proactively identify and troubleshoot network issues before they affect the end users [1][2].
References:
Cisco DNA Center Assurance User Guide, Release 2.1.2
Understanding Cisco DNA Center Assurance!
NEW QUESTION # 35
Which Cisco product supports SD-Access and is specifically built to address new challenges faced by enterprises?
- A. Catalyst 6807-XL w/ Sup6T and C6800 10G line cards
- B. ISR 4221
- C. Catalyst 9500
- D. ASR 1000-HX
- E. CSRv virtual router
- F. Nexus 7700 w/ Sup2E and M3 line cards
Answer: D
NEW QUESTION # 36
Which Cisco product was incorporated into Cisco ISE between ISE releases 2.0 and 2.3?
- A. Cisco ACS
- B. Cisco WSA
- C. Cisco ESA
- D. Cisco ASA
Answer: A
NEW QUESTION # 37
Which two options are primary functions of Cisco ISE? (Choose two.)
- A. providing VPN access for any type of device
- B. automatically enabling, disabling, or reducing allocated power to certain devices
- C. enabling WAN deployment over any type of connection
- D. enforcing endpoint compliance with network security policies
- E. allocating resources
- F. providing information about every device that touches the network
Answer: D,F
Explanation:
Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations [1]. Two of the primary functions of Cisco ISE are:
Enforcing endpoint compliance with network security policies: Cisco ISE can assess the posture of all endpoints that access the network, including 802.1X environments, and enforce the appropriate policies based on the device type, identity, location, and other attributes. Cisco ISE can also provide comprehensive client provisioning measures to ensure that the endpoints are compliant with the network security policies before granting them access. Cisco ISE can also quarantine or remediate non-compliant endpoints to prevent potential threats or vulnerabilities [1][2].
Providing information about every device that touches the network: Cisco ISE can gather real-time contextual information from networks, users, and devices, and use that information to make governance decisions and apply policies. Cisco ISE can also discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can also leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security [1][3].
The other options are not primary functions of Cisco ISE, because:
Allocating resources: Cisco ISE does not allocate resources to the endpoints or the network devices. Cisco ISE can assign services or access levels based on the policies, but not resources such as bandwidth, memory, or CPU [1].
Enabling WAN deployment over any type of connection: Cisco ISE does not enable WAN deployment over any type of connection. Cisco ISE can support VPN access for remote endpoints, but not WAN deployment for the network infrastructure [1].
Automatically enabling, disabling, or reducing allocated power to certain devices: Cisco ISE does not automatically enable, disable, or reduce allocated power to certain devices. Cisco ISE can control the access and authorization of the devices, but not their power consumption or management [1].
Providing VPN access for any type of device: Cisco ISE does not provide VPN access for any type of device. Cisco ISE can authenticate and authorize the VPN access for the endpoints, but not provide the VPN service or connection itself. Cisco ISE relies on other network devices, such as VPN gateways or routers, to provide the VPN access [1].
References:
1: Cisco Content Hub - Cisco ISE Features
2: Cisco ISE Posture Service Overview
3: [Cisco ISE Profiler Service Overview]
NEW QUESTION # 38
What statement is true regarding the current time in Enterprise Networking history?
- A. pervasive use of mobile devices
- B. advent of IoT
- C. advent of cloud computing
- D. pace of change
Answer: D
NEW QUESTION # 39
What are three ways in which Cisco ISE learns information about devices? (Choose three.)
- A. RPC mechanism via HTTPS
- B. RADIUS attributes
- C. traffic generated by the device
- D. user authentication to the ISE
- E. network servers the device has accessed
- F. SMTP agents
Answer: B,C,E
NEW QUESTION # 40
Which two statements are true regarding SD-WAN demonstrations? (Choose two.)
- A. During a demo you should consider the target audience and the desired outcome
- B. There is a big difference between demos that use a top down approach and demos that use a bottom up approach
- C. Use demonstrations primarily for large opportunities and competitive situations
- D. During a demo, you should demonstrate and discuss what the team considers important details
- E. As a Cisco SD-WAN SF, you should spend your time learning about the technology rather than contributing to demo innovation
Answer: C,E
NEW QUESTION # 41
Which protocol runs between the vSmart controllers and between the vSmart controllers and the vEdge routers, and unifies all control plane functions under a single protocol umbrella?
- A. VRRP
- B. OSPF
- C. IKE
- D. BGP
- E. OMP
Answer: E
Explanation:
The protocol that runs between the vSmart controllers and between the vSmart controllers and the vEdge routers, and unifies all control plane functions under a single protocol umbrella is the Overlay Management Protocol (OMP) [1][2]. OMP is a proprietary protocol that is designed to enable the Cisco SD-WAN solution, which provides a software overlay that runs over standard network transport, including MPLS, broadband, and internet to deliver applications and services [3]. OMP provides the following services [1][2]:
Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN or VRF topologies
Distribution of service-level routing information and related location mappings
Distribution of data plane security parameters
Central control and distribution of routing policy
OMP is an all-encompassing information management and distribution protocol that enables the overlay network by separating services from transport. Services provided in a typical VPN setting are usually located within a VPN domain, and they are protected so that they are not visible outside the VPN. In such a traditional architecture, it is a challenge to extend VPN domains and service connectivity. OMP addresses these scalability challenges by providing an efficient way to manage service traffic based on the location of logical transport end points. This method extends the data plane and control plane separation concept from within routers to across the network [2].
References:
1: Routing Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20.x - Unicast Overlay Routing
2: Introduction to Overlay Management Protocol in Viptela
3: Cisco SD-WAN vEdge vManage vSmart IBM
NEW QUESTION # 42
......
The CCDE certification is highly regarded in the industry and is recognized as a mark of excellence in network design. It is designed for senior-level network engineers who have a deep understanding of network design principles and can provide strategic direction to their organizations. Designing Cisco Enterprise Networks certification is also a testament to the candidate's commitment to professional development and their dedication to staying up-to-date with the latest technologies and trends in the industry.