
300-420 Question #123: Real Exam Question with Answer & Explanation

The correct answer is C: SGTs and SGTACLs are used to control access to various resources. End-to-end microsegmentation in Cisco SD-Access is enforced through the use of Security Group Tags (SGTs) to classify endpoints and Security Group Access Control Lists (SGTACLs) to define access policies between these groups.

Advanced Enterprise Campus Networks

Question

How is end-to-end microsegmentation enforced in a Cisco SD-Access architecture?

Options

  • A. VLANs are used to segment traffic at Layer 2.
  • B. 5-tuples and ACLs are used to permit or deny traffic.
  • C. SGTs and SGTACLs are used to control access to various resources.
  • D. VRFs are used to segment traffic at Layer 3.

Explanation

End-to-end microsegmentation in Cisco SD-Access is enforced through the use of Security Group Tags (SGTs) to classify endpoints and Security Group Access Control Lists (SGTACLs) to define access policies between these groups.

Common mistakes.

  • A. VLANs provide Layer 2 segmentation, but they are not the primary mechanism for end-to-end, identity-based microsegmentation across the entire SD-Access fabric.
  • B. While 5-tuples and ACLs can permit or deny traffic, they are static and IP-address dependent, which makes them less scalable and dynamic compared to the SGT/SGTACL approach for microsegmentation in SD-Access.
  • D. VRFs (Virtual Routing and Forwarding) provide macro-segmentation by separating Layer 3 routing domains, but they do not offer the fine-grained, identity-based microsegmentation that SGTs provide within those segments.

Concept tested. SD-Access microsegmentation mechanism

Reference. https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html#_group_based_access_control

Topics

#SD-Access #Microsegmentation #Security Group Tags #TrustSec
