81.
What is a security group tag?
  • A.
    A luggage tag applied by TSA workers at airports to flag bags as they enter security checkpoints
  • B.
    An internal assignment used in ISE to represent a local copy of an Active Directory group
  • C.
    A 16-bit value that represents the context of a user and/or a device
  • D.
    An RFID tag used to identify a wireless asset to ISE
Answer : [C]
Explanation :
A security group tag (SGT) is a 16-bit value that ISE assigns to the user's or endpoint's session upon login. The SGT represents the context of the user and/or device and can be carried inline in the Layer 2 frame (in the Cisco MetaData header) or communicated out of band through SXP. The SGT is assigned at ingress (classification) and enforced at egress.
82.
Where are security groups defined in the ISE administrative GUI?
  • A.
    Administration > System > Security Group Access > Security Group
  • B.
    Policy > Policy Elements > Results > Security Group Access
  • C.
    Policy > Policy Elements > Dictionaries > System > Security Group Access
  • D.
    Policy > Firewall > Identity by TrustSec
Answer : [B]
Explanation :
SGTs are treated as an authorization result in the ISE administrative GUI, so they are defined in the Policy Elements section under Policy > Policy Elements > Results > Security Group Access. They can also be created from the Policy > Security Group Access > Egress Policy screens by clicking Configure > Create New Security Group.
83.
What are three ways that an SGT can be assigned to network traffic?
  • A.
    Manual binding of the IP address to an SGT
  • B.
    Manually configured on the switch port
  • C.
    Dynamically assigned by the network access device
  • D.
    Dynamically assigned by the 802.1X authorization result
  • E.
    Manually configured in the NAC agent profile
  • F.
    Dynamically assigned by the AnyConnect network access manager
Answer : [A, B, D]
Explanation :
Before an SGT can be used, it has to be assigned to traffic (known as classification). This can happen dynamically, with the tag downloaded to the network access device as the result of an ISE authorization (for example, an 802.1X authorization profile); or manually, either by configuring a static tag on the switch port or by binding IP addresses to SGTs, with the mappings then downloaded to SGT-capable devices.
84.
True or False? An SGT-capable device can automatically map traffic to an SGT based on the VLAN of that traffic.
  • A.
    True
  • B.
    False
Answer : [A]
Explanation :
Although access-layer gear might not support SGT classification and transport natively, it can usually still assign a different VLAN or IP address per authorization result. An SGT-capable distribution-layer device can then map those subnets and VLANs to tags, assigning every source IP address learned from a given subnet or VLAN to a specific SGT.
85.
Which peering protocol can be used to transmit a mapping of IP addresses to SGTs between SGT-capable devices when traffic is crossing non-SGT-capable network segments?
  • A.
    Enhanced Interior Gateway Routing Protocol (EIGRP)
  • B.
    Intermediate System to Intermediate System (IS-IS)
  • C.
    Border Gateway Protocol (BGP)
  • D.
    Security Group Exchange Protocol (SXP)
Answer : [D]
Explanation :
Cisco has developed a peering protocol (similar to BGP or LDP) to enable devices to communicate their database of IP-address-to-SGT mappings to one another. This peering protocol is called Security Group Exchange Protocol (SXP).
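The manual classification methods from question 83, the VLAN-to-SGT mapping from question 84, the SXP peering from question 85 and the egress enforcement mentioned in question 81, as they look on a Catalyst switch running IOS. This is an added configuration example written for this page, not part of the original quiz and not taken from Cisco documentation; the IP addresses, VLAN number, SGT values, interface, ACL name and password are assumed for illustration. Dynamic assignment (question 83, option D) is configured in the ISE authorization profile rather than on the switch, so it has no lines here.

```cisco
! === Classification (ingress) ===
! Manual IP-to-SGT binding: a single host and a whole subnet (question 83, option A).
! Addresses and tag values are assumed for this example.
cts role-based sgt-map 10.10.20.50 sgt 100
cts role-based sgt-map 10.10.30.0/24 sgt 200

! VLAN-to-SGT mapping: every source IP learned on VLAN 30 is classified as SGT 200
! (question 84). Used when the access switch can only place users in a VLAN.
cts role-based sgt-map vlan-list 30 sgt 200

! Static tag on a switch port (question 83, option B). Everything entering this
! port is classified as SGT 300 without any 802.1X exchange.
interface GigabitEthernet1/0/10
 description server port, static SGT (assumed interface)
 cts manual
  policy static sgt 300
  ! The device on the far side is not SGT-capable, so do not send the inline
  ! Cisco MetaData header on this link; its bindings will travel over SXP instead.
  no propagate sgt

! === Transport across non-SGT-capable segments (question 85) ===
! SXP peering: this switch is the speaker and pushes its IP-to-SGT bindings to
! the listener at 10.10.0.2. Both sides must share the same default password
! (plain-text type 0 here only for readability; assumed value).
cts sxp enable
cts sxp default source-ip 10.10.0.1
cts sxp default password 0 ExampleSxpPassword
cts sxp connection peer 10.10.0.2 password default mode local speaker

! === Enforcement (egress) ===
! Role-based ACL entries carry no source/destination addresses; the source and
! destination SGTs come from the permissions matrix below.
ip access-list role-based BLOCK_SERVER_MGMT
 deny tcp dst eq 22
 deny tcp dst eq 3389
 permit ip
! Traffic from SGT 100 (users) to SGT 300 (servers) is matched against the RBACL
! on the switch where the destination egresses.
cts role-based permissions from 100 to 300 BLOCK_SERVER_MGMT
cts role-based enforcement
cts role-based enforcement vlan-list 30

! === Verification ===
show cts role-based sgt-map all
show cts sxp connections brief
show cts role-based permissions
```

When checking a deployment, `show cts role-based sgt-map all` should list the static, VLAN-derived and SXP-learned bindings with their source, and `show cts sxp connections brief` should show the peer in the On state; a connection stuck in Off or Pending_On almost always means the default password or the speaker/listener roles do not match on the two peers. Enforcement only applies where `cts role-based enforcement` is enabled, so a binding that is learned but never enforced is a classification success and an enforcement gap at the same time.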