
300-320 Question #414: Real Exam Question with Answer & Explanation

The correct answer is A: It is assigned by the Cisco ISE to the user or endpoint session upon login.

Question

Which two options regarding the Cisco TrustSec Security Group Tag are true? (Choose two.)

Options

  • A. It is assigned by the Cisco ISE to the user or endpoint session upon login.
  • B. Best practice dictates it should be statically created on the switch.
  • C. It is removed by the Cisco ISE before reaching the endpoint.
  • D. Best Practice dictates that deployments should include a guest group allowing access to minimal
  • E. Best Practice dictates that deployments should include a security group for common services

Explanation

Cisco TrustSec uses Security Group Tags (SGTs) to classify and enforce access control policies based on user/endpoint identity.

Option A is correct: SGTs are dynamically assigned by Cisco ISE (Identity Services Engine) at the time a user or endpoint authenticates and establishes a session. ISE evaluates identity, posture, and policy, then assigns the appropriate SGT to tag that session's traffic for downstream enforcement.

Option E is correct: Cisco best practice for TrustSec deployments recommends creating a dedicated security group for common services (DNS, DHCP, NTP, syslog, etc.) so that all endpoints can reach essential infrastructure regardless of their SGT, ensuring operational functionality.

Option B is incorrect: while static SGT assignment is possible for legacy devices, best practice is dynamic assignment via ISE, not static configuration on the switch.

Option C is false: ISE assigns SGTs but does not remove them; the SGT travels with the packet through the TrustSec domain for enforcement at the egress point.

Option D's guest group detail is not the cited best practice in TrustSec design guidance.
