500-490 Sample Questions Answers

The protocol that runs between the vSmart controllers and between the vSmart controllers and the vEdge routers, and unifies all control plane functions under a single protocol umbrella is the Overlay Management Protocol (OMP)12. OMP is a proprietary protocol that is designed to enable the Cisco SD-WAN solution, which provides a software overlay that runs over standard network transport, including MPLS, broadband, and internet to deliver applications and services3. OMP provides the following services12:

Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN or VRF topologies

Distribution of service-level routing information and related location mappings

Distribution of data plane security parameters

Central control and distribution of routing policy

OMP is an all-encompassing information management and distribution protocol that enables the overlay network by separating services from transport. Services provided in a typical VPN setting are usually located within a VPN domain, and they are protected so that they are not visible outside the VPN. In such a traditional architecture, it is a challenge to extend VPN domains and service connectivity. OMP addresses these scalability challenges by providing an efficient way to manage service traffic based on the location of logical transport end points. This method extends the data plane and control plane separation concept from within routers to across the network2.

References:

1: Routing Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20.x - Unicast Overlay Routing 2: Introduction to Overlay Management Protocol in Viptela 3: Cisco SD-WAN vEdge vManage vSmart IBM

 The discovery process is a critical phase in the sales cycle, where the SE gathers information about the customer’s network environment, business goals, challenges, and needs. The discovery process helps the SE to understand the customer’s pain points, identify opportunities, and propose solutions that align with the customer’s objectives and address their problems. The discovery process also helps the SE to establish credibility, trust, and rapport with the customer, and to map Cisco innovation to the customer’s needs.

Some of the activities that should occur during the SE’s discovery process are:

Gathering information about the current state of the customer’s network environment. This includes collecting data about the network topology, devices, protocols, applications, performance, security, availability, scalability, and management. The SE can use various tools and methods to gather this information, such as interviews, questionnaires, surveys, audits, assessments, and network analysis tools. Gathering information about the current state helps the SE to understand the customer’s existing network capabilities, limitations, and gaps, and to benchmark the network against best practices and industry standards12

Mapping Cisco innovation to the customer’s needs. This involves identifying how Cisco products, solutions, and services can help the customer achieve their desired outcomes, address their challenges, and overcome their pain points. The SE can use various tools and methods to map Cisco innovation to the customer’s needs, such as value proposition, business case, return on investment (ROI) analysis, proof of value (POV), proof of concept (POC), and demonstrations. Mapping Cisco innovation to the customer’s needs helps the SE to show the value and benefits of Cisco solutions, differentiate Cisco from competitors, and influence the customer’s decision making34

References:

1: Cisco Discovery Service 2: Cisco Network Assessment Services 3: Cisco Catalyst SD-WAN Demos 4: Cisco Business Critical Services

Cisco DNA Assurance provides three key differentiators that our competitors are unable to match:

Proactive approach to guided remediation: Cisco DNA Assurance uses AI and machine learning to analyze network data and provide insights on network performance, issues, and optimization. It also offers guided remediation options that automate the process of issue resolution and performance enhancement. This reduces manual troubleshooting operations and saves time and resources for network administrators12.

Apple Insights: Cisco DNA Assurance integrates with Apple devices and applications to provide enhanced visibility and analytics on the user experience and network performance. It also leverages the Fast Lane feature to prioritize critical iOS and macOS traffic over the wireless network. This improves the quality of service and collaboration for Apple users and applications13.

Network time travel: Cisco DNA Assurance allows network administrators to go back in time and view the network state and health at any given point. This enables them to identify the root cause of issues, compare network performance over time, and troubleshoot historical problems. This feature is unique to Cisco DNA Assurance and provides a powerful tool for network analysis and optimization1 .

References:

1: Cisco DNA Assurance: AI/ML guided IT operations (AIOps) At-a-Glance 2: Leveraging Cisco Intent-Based Networking DNA Assurance (DNAAS) 3: Cisco DNA Assurance Unlocking the Power of Data, page 39 : Cisco DNA Assurance Unlocking the Power of Data, page 74

 The new operational paradigm is a way of designing, deploying, and managing networks that leverages the power of intent-based networking. Intent-based networking is a network architecture that aligns the network with the business goals and policies, and uses artificial intelligence and automation to translate the intent into network configurations and actions. The new operational paradigm requires three foundational elements:

Fabric: A fabric is a network topology that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. A fabric can span across multiple domains, such as campus, branch, data center, and cloud, and can support multiple protocols, such as IP, Ethernet, MPLS, and VXLAN. A fabric enables the network to operate as a single entity, rather than a collection of disparate devices and links. A fabric also simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.

Assurance: Assurance is the process of continuously monitoring, verifying, and optimizing the network performance and behavior, based on the defined intent and policies. Assurance uses telemetry, analytics, and machine learning to collect and process data from the network devices and applications, and to provide insights and recommendations for network optimization and troubleshooting. Assurance also enables the network to self-heal and self-optimize, by applying corrective actions and adjustments to the network configurations and policies, based on the feedback loop from the data and analytics.

Policy-based automated provisioning of network: Policy-based automated provisioning of network is the process of applying the intent and policies to the network devices and services, using automation and orchestration tools. Policy-based automated provisioning of network abstracts the network complexity and heterogeneity, and allows the network operators to define the network requirements and outcomes in a high-level and declarative way, rather than specifying the low-level and imperative commands and parameters. Policy-based automated provisioning of network also enables the network to be agile and adaptive, as it can dynamically adjust the network configurations and policies, based on the changing network conditions and business needs.

References:

Cisco Intent-Based Networking

Cisco Digital Network Architecture

Cisco Routed Optical Networking

Cisco Operational Insights: A New Way of Seeing Operations

 The vBond orchestrator is an SD-WAN router responsible for authenticating and orchestratingconnectivity between the vSmart controllers and SD-WAN routers. It is the sole device in the network that requires a public IP address for all SD-WAN devices to connect to it. The vBond orchestrator has three major functions:

Controller discovery: The vBond orchestrator acts as the initial point of contact for all SD-WAN components that join the network. It authenticates the devices using pre-installed credentials and assigns them to a vSmart controller. The vBond orchestrator also provides the IP addresses of the vSmart controllers and the vManage NMS to the SD-WAN routers.

NAT traversal: The vBond orchestrator facilitates the establishment of secure DTLS or TLS tunnels between the SD-WAN components that are behind NAT devices. The vBond orchestrator acts as a rendezvous point for the NATed devices and helps them exchange their public IP addresses and port numbers. The vBond orchestrator also performs NAT keepalive and hole punching to maintain the NAT bindings and prevent the NAT devices from timing out the sessions.

Certificate management: The vBond orchestrator acts as the certificate authority (CA) for the SD-WAN network. It generates and signs the certificates for the SD-WAN components and distributes them to the devices. The certificates are used to authenticate the devices and encrypt the control and data plane traffic.

References:

Cisco SD-WAN Architecture Overview

Cisco Catalyst SD-WAN Getting Started Guide

New Training: Identify Cisco SD-WAN Components

Cisco ISE is a policy decision point that enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations. Some features and benefits of Cisco ISE include1:

Zero trust across the network: ISE allows only trusted users and devices access to resources on your network. It also uses intel to automatically identify, classify and profile devices.

Policy and lifecycle management: ISE simplifies the delivery of consistent, highly secure access control across wired, wireless, and VPN connections. It also allows users to add and manage their own devices through self-service portals.

Remote management and deployment: ISE supports cloud-based deployment and management, as well as integration with other Cisco products and third-party solutions.

Site survivability: ISE provides local authentication and authorization services for remote sites, even when the connection to the central ISE server is lost.

Visibility of all devices and their users: ISE can provide data about when a specific device connected to the network, what type of device it is, who is using it, what applications are running on it, and where it is located.

Among these features, two statements are true regarding Cisco ISE:

ISE plays a critical role in SD-Access: SD-Access is a network architecture that uses software-defined networking (SDN) principles to create a secure, scalable, and consistent network fabric. ISE is the policy engine that defines and enforces the network segmentation and access policies for SD-Access2.

ISE can provide data about when a specific device connected to the network: ISE uses a number of probes to collect attributes for all endpoints on the network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups. ISE can also provide historical data about the endpoint connections, such as the time, duration, location, and user of the connection3.

The other three statements are false regarding Cisco ISE:

The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation: ISE provides more than just user experience and VLAN segmentation. It also delivers business outcomes such as improved network performance, reduced operational costs, increased security, and simplified compliance4.

An ISE deployment requires only a Cisco ISE network access control appliance: ISE can be deployed on different platforms, such as physical appliances, virtual machines, or cloud services. An ISE deployment also requires other components, such as network devices, endpoints, and external identity sources5.

Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves: ISE can provide the location information of an endpoint based on the network device that it is connected to, such as the switch port or the wireless access point. However, to track the actual physical location of a wireless endpoint as it moves, ISE needs to integrate with other products, such as Cisco DNA Center, Cisco Connected Mobile Experiences (CMX), or Cisco Wireless LAN Controller (WLC)6.

References:

Cisco Content Hub - Cisco ISE Features1 : Cisco SD-Access Solution Design Guide (CVD) - Cisco2 : Cisco ISE Network Discovery3 : Cisco Identity Services Engine (ISE) - Cisco4 : Cisco Identity Services Engine Hardware Installation Guide,Release 2.7 - Cisco ISE Deployment [Cisco Identity Services Engine] - Cisco5 : Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Location Mapping [Cisco Identity Services Engine] - Cisco6

Slide 5 & 7https://salesconnect.cisco.com/sc/s/learning-activity-from-plan?ltui__urlRecordId=a0c8c00000Kfw0EAAR <ui__urlRedirect=learning-activity-from-plan<ui__parentUrl=