
最新 [2024年06月27日] リアルCisco 500-490試験問題集解答
500-490問題集を使って一日でField Engineer試験合格(最新の37解答)
質問 # 22
Which two statements regarding Cisco SD-WAN vEdge routers can mitigate DoS attacks against the infrastructure? (Choose two.)
- A. Only authorized controllers are allowed to communicate back to the vEdg e router after the vEdge router establishes connection with the controllers.
- B. The vEdge routers run on hardened Linux operating systems.
- C. In case of direct Internet access, the only traffic allowed back is the traffic matching the state table entries on the vEdge router.
- D. By default, all incoming traffic is denied at the transport (WAN) side interfaces.
- E. Open Certificate Authority and automated enrollment feature.
正解:A、D
解説:
Explanation
Cisco SD-WAN vEdge routers can mitigate DoS attacks against the infrastructure by using two mechanisms:
Only authorized controllers are allowed to communicate back to the vEdge router after the vEdge router establishes connection with the controllers. This means that the vEdge router initiates a secure connection to the vSmart controller and the vBond orchestrator using DTLS or TLS, and verifies their identity using certificates. The vEdge router does not accept any incoming connections from the controllers, and only responds to the messages that match the established sessions. This prevents unauthorized or malicious traffic from reaching the vEdge router and consuming its resources12.
By default, all incoming traffic is denied at the transport (WAN) side interfaces. This means that the vEdge router applies an implicit deny-all policy to any traffic that arrives from the WAN side, unless it is explicitly allowed by a security policy. The security policy can be configured to permit only the traffic that matches certain criteria, such as source, destination, protocol, port, or application. This reduces the attack surface of the vEdge router and protects it from unwanted or harmful traffic34.
References:
Cisco SD-WAN Security Features
Cisco SD-WAN Design Guide
Cisco SD-WAN Security Policy Configuration Guide
Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
質問 # 23
Which two statements are true regarding Cisco ISE? (Choose two.)
- A. ISE supports up to 100 Policy Services Nodes.
- B. In two-nodes standalone ISE deployments, failover must be done manually.
- C. It distributed deployments, failover from primary to secondary Policy Administration Nodes happens automatically.
- D. ISE can detected endpoints whose addresses have been translated via NAT.
- E. The number of logs that ISE can retain is determined by your disk space.
- F. ISE supports IPv6 downloadable ACLs.
正解:C、E
質問 # 24
Which two activities should occur during an SE's demo process? (Choose two.)
- A. leveraging a company such as Complete Communications to build a financial case.
- B. highlighting opportunities that although not currently within scope would result in lower operational costs and complexity.
- C. identifying which capabilities require demonstration.
- D. asking the customer to provide network drawings or white board the environment for you.
- E. determining whether the customer would like to dive deeper during a follow up.
正解:B、C
質問 # 25
Which protocol runs between the vSmart controllers and between the vSmart controllers and the vEdge routers, and unifies all control plane functions under a single protocol umbrella?
- A. BGP
- B. VRRP
- C. OSPF
- D. IKE
- E. OMP
正解:E
解説:
Explanation
The protocol that runs between the vSmart controllers and between the vSmart controllers and the vEdge routers, and unifies all control plane functions under a single protocol umbrella is the Overlay Management Protocol (OMP)12. OMP is a proprietary protocol that is designed to enable the Cisco SD-WAN solution, which provides a software overlay that runs over standard network transport, including MPLS, broadband, and internet to deliver applications and services3. OMP provides the following services12:
Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN or VRF topologies Distribution of service-level routing information and related location mappings Distribution of data plane security parameters Central control and distribution of routing policy OMP is an all-encompassing information management and distribution protocol that enables the overlay network by separating services from transport. Services provided in a typical VPN setting are usually located within a VPN domain, and they are protected so that they are not visible outside the VPN. In such a traditional architecture, it is a challenge to extend VPN domains and service connectivity. OMP addresses these scalability challenges by providing an efficient way to manage service traffic based on the location of logical transport end points. This method extends the data plane and control plane separation concept from within routers to across the network2.
References:
1: Routing Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20.x - Unicast Overlay Routing 2: Introduction to Overlay Management Protocol in Viptela 3: Cisco SD-WAN vEdge vManage vSmart IBM
質問 # 26
Which are the three focus areas for reinventing the WAN? (Choose three.)
- A. Secure Elastic Connectivity
- B. Operations
- C. Centralized device authentication
- D. Cloud First
- E. Application Quality of Experience
- F. Execution
正解:A、D、E
解説:
Explanation
The three focus areas for reinventing the WAN are:
Secure Elastic Connectivity: This refers to the ability to provide secure and flexible connectivity to any application, anywhere, and anytime. Secure elastic connectivity enables the network to adapt to the changing business needs and user demands, while maintaining security and performance. Secure elastic connectivity leverages SD-WAN technologies, such as Cloud OnRamp, SASE, and ThousandEyes, to optimize the network path, encrypt the traffic, and monitor the end-to-end visibility across the WAN12.
Application Quality of Experience: This refers to the ability to ensure optimal and consistent user experience for any application, regardless of the network conditions. Application quality of experience uses SD-WAN technologies, such as vAnalytics, to measure and improve the application performance, availability, and reliability across the WAN3. Application quality of experience also uses intelligent policies and real-time analytics to prioritize the critical applications and steer the traffic to the best-performing path4.
Cloud First: This refers to the ability to embrace the cloud as the primary platform for delivering applications and services to the users. Cloud first enables the network to support the multicloud strategy and accelerate the cloud adoption. Cloud first leverages SD-WAN technologies, such as Cloud OnRamp, to simplify and automate the connectivity to the public cloud, SaaS, and cloud interconnect providers4. Cloud first also enables the network to operate as a cloud-native WAN overlay, using software-defined automation and orchestration tools5.
References:
Cisco SD-WAN Architecture Overview
SD-WAN and SASE: The new landscape of networking
Under the vAnalytics Hood: Enabling Total Network Visibility, Total Network Control SD-WAN Capabilities - The New Landscape of Networking Software-defined WAN (SD-WAN): the new landscape of networking
質問 # 27
Which Cisco product supports SD-Access and specifically built to address new challenges faced by enterprises?
- A. Catalyst 6807-XL w/ Sup6T and C6800 10G line cards
- B. ISR 4221
- C. ASR 1000-HX
- D. Nexus 7700 w/ Sup2E and M3 line cards
- E. Catalyst 9500
- F. CSRv virtual router
正解:E
解説:
Explanation
The Cisco Catalyst 9500 Series Switches are specifically built to address the new challenges faced by enterprises, such as the need for increased bandwidth, security, and scalability. The Catalyst 9500 Series Switches are also designed to support Cisco SD-Access, which is a software-defined access fabric that simplifies network management and improves network security.
References: =
Designing Cisco Enterprise Networks
(ENDESIGN): https://www.cisco.com/c/en/us/training-events/training-certifications/training/training-serv Cisco Catalyst 9500 Series Switches: https://www.cisco.com/site/us/en/products/networking/switches/catalyst-9500-series-switches/in
質問 # 28
Winch two primary categories are displayed on the overall health page of the assurance component in the Cisco DNA Center? (Choose two.)
- A. Client
- B. Wired
- C. Server
- D. Network
- E. Access-Distribution
正解:D、E
質問 # 29
What are three ways in which Cisco ISE learns information about devices? (Choose three.)
- A. traffic generated by the device
- B. RPC mechanism via HTTPS
- C. network servers the device has accessed
- D. RADIUS attributes
- E. SMTP agents
- F. user authentication to the ISE
正解:A、B、D
質問 # 30
Which three ways are SD-Access and ACI Fabric similar? (Choose three.)
- A. use of Scalable Group Tags
- B. use of Endpoint Groups
- C. focus on user endpoints
- D. use of overlays
- E. use of Virtual Network IDs
- F. use of group policy
正解:C、D、E
質問 # 31
Which are two Cisco recommendations that demonstrates SDA? (Choose two.)
- A. Use the CLI to perform as much of the configuration as possible.
- B. Focus on business benefit s.
- C. Keep the demo at a high level.
- D. Show the customer how to integrate ISE into DNA Center at the end of the demo.
- E. Be sure you explain the major technologies such as VXLAN and LISP in depth.
正解:B、D
解説:
Explanation
Cisco SDA is a network architecture that uses software-defined networking (SDN) principles to create a secure, scalable, and consistent network fabric across wired, wireless, and VPN connections. It also provides visibility, control, and automation for the network devices, endpoints, users, and applications. To demonstrate SDA effectively, it is important to follow some best practices and recommendations, such as1:
Focus on business benefits: SDA delivers business outcomes such as improved network performance, reduced operational costs, increased security, and simplified compliance. By focusing on the business benefits of SDA, you can align the solution with the customer's pain points and needs, and show how SDA can help them achieve their goals.
Show the customer how to integrate ISE into DNA Center at the end of the demo: ISE is the policy engine that defines and enforces the network segmentation and access policies for SDA. DNA Center is the management platform that automates and orchestrates the SDA network. By showing the customer how to integrate ISE into DNA Center at the end of the demo, you can demonstrate the ease of use and configuration of SDA, and how the two products work together to provide a unified and secure network solution.
The other three options are not helpful for demonstrating SDA:
Use the CLI to perform as much of the configuration as possible: SDA is designed to simplify and automate the network configuration and management, and to reduce the reliance on manual and error-prone CLI commands. By using the CLI to perform as much of the configuration as possible, you can undermine the value proposition and differentiation of SDA, and make the solution appear complex and tedious.
Keep the demo at a high level: SDA is a comprehensive and diverse solution that covers various use cases, such as device management, asset visibility, software-defined segmentation, software-defined access, guest and wireless access, BYOD, posture assessment, threat detection and response, and more2.
By keeping the demo at a high level, you can miss the opportunity to showcase the features and capabilities of SDA that are relevant and applicable for the customer's use case, and to address their questions and concerns.
Be sure you explain the major technologies such as VXLAN and LISP in depth: VXLAN and LISP are the underlying technologies that enable the data plane and control plane of SDA, respectively. They are responsible for encapsulating and forwarding the traffic, and mapping the endpoint identities and locations, within the SDA fabric3. While VXLAN and LISP are important for SDA, they are not the key selling points, because they are technical details that are abstracted and automated by SDA. By explaining the major technologies such as VXLAN and LISP in depth, you can confuse or bore the customer with technical details that are not essential for their use case, and divert their attention from the core benefits and features of SDA.
References:
Cisco Identity Services Engine (ISE) Use Cases2 : Software-Defined Access Overview Demo - Cisco1 :
Software-Defined Access - Cisco4 : Cisco SD-Access Solution Design Guide (CVD) - Cisco3
質問 # 32
Which protocol runs between the vSmart controllers and between the vSmart controllers and the vEdge routers, and unifies all control plane functions under a single protocol umbrella?
- A. BGP
- B. VRRP
- C. OSPF
- D. IKE
- E. OMP
正解:E
質問 # 33
Which two activities should occur during an SE's discovery process? (Choose two.)
- A. Working with the customer to develop a reference architecture
- B. Gathering information about the current state of the customer's network environment
- C. Referencing the PPDIOO model to effectively facilitate the discussion
- D. Establishing credibility with the customer
- E. Mapping Cisco innovation to customer's needs
正解:C、E
質問 # 34
What are the three foundational elements required for the new operational paradigm'? (Choose three.)
- A. multiple technologies at multiple OSI layers
- B. assurance
- C. application QoS
- D. policy based automated provisioning of network of
- E. centralization
- F. fabric
正解:B、C、D
質問 # 35
Which Cisco vEdge router offers 20 Gb of encrypted throughput?
- A. Cisco vEdge 1000
- B. Cisco vEdge 2000
- C. Cisco vEdge 100
- D. Cisco vEdge 5000
正解:D
解説:
Explanation
According to the Cisco SD-WAN vEdge Routers Data Sheet1, the Cisco vEdge 5000 router is the only model that offers 20 Gbps of encrypted throughput. The vEdge 5000 router delivers highly secure site-to-site data connectivity to large enterprises, offers interface modularity, and supports up to 4 Network Interface Modules (NIMs)2. The other models of vEdge routers have lower encrypted throughput capacities, as shown in Table 6 of the Ordering Guide for SD-WAN3. The vEdge 1000 router has a maximum encrypted throughput of 1 Gbps, the vEdge 2000 router has a maximum encrypted throughput of 5 Gbps, and the vEdge 100 router has a maximum encrypted throughput of 100 Mbps3.
References:
1: Cisco SD-WAN vEdge Routers Data Sheet 2: vEdge 5000 Router 3: Ordering Guide for SD-WAN
質問 # 36
How would cisco ISE handle authentication for your printer that does not have a supplicant?
- A. ISE would authenticate the printer using MAB.
- B. ISE would authenticate the printer using MAC RADIUS authentication
- C. ISE would authenticate the printer using web authentication.
- D. ISE would authenticate the printer using 8.2.1X authentication
- E. ISE would not authenticate the printer as printers are not subject to ISE authentication.
正解:A
質問 # 37
Which option will help build your customers platform during the discovery phase?
- A. detailed design
- B. business case
- C. POV report
- D. high-level design
- E. PO
正解:E
質問 # 38
Which two statements are true regarding Cisco ISE? (Choose two.)
- A. Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves.
- B. ISE plays a critical role in SD-Access.
- C. An ISE deployment requires only a Cisco ISE network access control appliance.
- D. ISE can provide data about when a specific device connected to the network.
- E. The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation.
正解:B、D
解説:
Explanation
Cisco ISE is a policy decision point that enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations. Some features and benefits of Cisco ISE include1:
Zero trust across the network: ISE allows only trusted users and devices access to resources on your network. It also uses intel to automatically identify, classify and profile devices.
Policy and lifecycle management: ISE simplifies the delivery of consistent, highly secure access control across wired, wireless, and VPN connections. It also allows users to add and manage their own devices through self-service portals.
Remote management and deployment: ISE supports cloud-based deployment and management, as well as integration with other Cisco products and third-party solutions.
Site survivability: ISE provides local authentication and authorization services for remote sites, even when the connection to the central ISE server is lost.
Visibility of all devices and their users: ISE can provide data about when a specific device connected to the network, what type of device it is, who is using it, what applications are running on it, and where it is located.
Among these features, two statements are true regarding Cisco ISE:
ISE plays a critical role in SD-Access: SD-Access is a network architecture that uses software-defined networking (SDN) principles to create a secure, scalable, and consistent network fabric. ISE is the policy engine that defines and enforces the network segmentation and access policies for SD-Access2.
ISE can provide data about when a specific device connected to the network: ISE uses a number of probes to collect attributes for all endpoints on the network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups. ISE can also provide historical data about the endpoint connections, such as the time, duration, location, and user of the connection3.
The other three statements are false regarding Cisco ISE:
The major business outcomes of ISE are enhanced user experience and secure VLAN segmentation: ISE provides more than just user experience and VLAN segmentation. It also delivers business outcomes such as improved network performance, reduced operational costs, increased security, and simplified compliance4.
An ISE deployment requires only a Cisco ISE network access control appliance: ISE can be deployed on different platforms, such as physical appliances, virtual machines, or cloud services. An ISE deployment also requires other components, such as network devices, endpoints, and external identity sources5.
Without integration with any other product, ISE can track the actual physical location of a wireless endpoint as it moves: ISE can provide the location information of an endpoint based on the network device that it is connected to, such as the switch port or the wireless access point. However, to track the actual physical location of a wireless endpoint as it moves, ISE needs to integrate with other products, such as Cisco DNA Center, Cisco Connected Mobile Experiences (CMX), or Cisco Wireless LAN Controller (WLC)6.
References:
Cisco Content Hub - Cisco ISE Features1 : Cisco SD-Access Solution Design Guide (CVD) - Cisco2 : Cisco ISE Network Discovery3 : Cisco Identity Services Engine (ISE) - Cisco4 : Cisco Identity Services Engine Hardware Installation Guide, Release 2.7 - Cisco ISE Deployment [Cisco Identity Services Engine] - Cisco5 :
Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Location Mapping [Cisco Identity Services Engine] - Cisco6
質問 # 39
Which are two Cisco ISE that benefits our customers ? (Choose two.)
- A. helps them stop and contain real time threats
- B. provides network access controller
- C. enables them to set traffic priorities across the network
- D. helps them accelerate application deployment and delivery
正解:A、B
質問 # 40
Which are two advantages of a "one switch at a tune' approach to integrating SD-Access into an existing brownfield environment? (Choose two.)
- A. involves the least risk of all approaches
- B. allows simplified roll back
- C. opens up many new design and deployment opportunities
- D. allows simplified testing prior to cutover
- E. deal for protecting recent investments while upgrading legacy hardware
- F. appropriate for campus and remote site environments
正解:C、D
質問 # 41
Which two statements describes Cisco SD-Access? (Choose Two.)
- A. software-defined segmentation and policy enforcement based on user identity and group membership
- B. an automated encryption/decryption engine for highly secured transport requirements
- C. programmable overlays enabling network virtualization across the campus
- D. a collection of tools and applications that are a combination of loose and tight coupling
- E. an overlay for the wired infrastructure in which traffic is tunneled via a GRF tunnel lo a mobility controller for policy and application visibility.
正解:A、C
質問 # 42
Which are two Cisco ISE that benefits our customers? (Choose two.)
- A. enables them to set traffic priorities across the network
- B. provides network access control
- C. helps t hem stop and contain real-time threats
- D. helps t hem accelerate application deployment and delivery
正解:B、C
解説:
Explanation
Cisco ISE benefits our customers by providing network access control and helping them stop and contain real-time threats. Network access control is the ability to enforce policies on who and what can access the network, based on the identity and context of users, devices, and applications. Cisco ISE allows customers to authenticate, authorize, and audit network access, as well as to segment and isolate network traffic based on security and compliance requirements. Cisco ISE also helps customers stop and contain real-time threats by leveraging intel from across the network and security ecosystem, and by automating threat response actions.
Cisco ISE can integrate with various security solutions, such as Cisco Stealthwatch, Cisco Firepower, and Cisco Umbrella, to detect and mitigate attacks on the network quickly and effectively. References:
Cisco Identity Services Engine (ISE) - Cisco1
Cisco Identity Services Engine (ISE) - Cisco2
Network Visibility and Segmentation (NVS) - Cisco3
Rapid Threat Containment - Cisco4
質問 # 43
......
500-490試験正確な問題集で学習ノートと理論:https://jp.fast2test.com/500-490-premium-file.html