300-420 Question #277: Real Exam Question with Answer & Explanation

Question

Which two statements are true regarding Cisco ISE? (Choose two.)

Options

• AThe number of logs that ISE can retain is determined by your disk space
• BISE supports IPv6 downloadable ACLs
• CIn two-node standalone ISE deployments, failover must be done manually
• DISE supports up to 100 Policy Services Nodes
• EISE can detected endpoints whose addresses have been translated via NAT
• FIn distributed deployments, failover from primary to secondary Policy Administration Nodes

Explanation

Cisco ISE's log retention capability is directly limited by available disk space, and the platform fully supports the use of IPv6 within downloadable access control lists (DACLs).

Common mistakes.

• C. In two-node ISE deployments configured for high availability, failover from the primary to the secondary node typically occurs automatically, not manually.
• D. Cisco ISE supports a maximum of 50 Policy Service Nodes (PSNs) in a distributed deployment, not 100.
• E. While ISE gathers endpoint information, detecting endpoints whose addresses have been translated via NAT is challenging for ISE, as it primarily sees the NAT device's public IP.
• F. In a distributed deployment, failover from a primary Policy Administration Node (PAN) to a secondary PAN is automatic, but the statement incorrectly refers to failover to a PSN.

Concept tested. Cisco ISE capabilities and limitations

Reference. https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_guide_32/b_ise_admin_guide_32_chapter_0110.html

No community discussion yet for this question.