
300-715 Question #355: Real Exam Question with Answer & Explanation

The correct answer is A: Configure Security Group Tag Exchange Protocol on the new devices and integrate the devices. To nondisruptively deploy Cisco TrustSec policies for new devices across various environments, Security Group Tag Exchange Protocol (SXP) must be configured on those devices, and they must be integrated into the existing TrustSec domain.

Architecture and Deployment

Question

An engineer configures Cisco ISE and Cisco Catalyst switches to enforce Cisco TrustSec policies. The engineer must use a nondisruptive deployment approach for new devices by deploying TrustSec policies in staging, preproduction, and production. Which action must be taken to complete the configuration?

Options

  • A. Configure Security Group Tag Exchange Protocol on the new devices and integrate the devices.
  • B. Configure policy matrices in Cisco ISE and assign the new devices to the policy matrices.
  • C. Integrate the new devices in staging, preproduction, and production network device groups.
  • D. Configure a different security group tag for the new devices in the staging, preproduction, and

Explanation

To nondisruptively deploy Cisco TrustSec policies for new devices across various environments, Security Group Tag Exchange Protocol (SXP) must be configured on those devices, and they must be integrated into the existing TrustSec domain.

Common mistakes.

  • B. While policy matrices define access rules between SGTs, simply configuring them and assigning devices to matrices does not enable the devices to enforce those policies if SGTs are not properly exchanged and propagated, which SXP facilitates.
  • C. Integrating devices into network device groups in Cisco ISE is for management and device classification, but it does not directly enable TrustSec policy enforcement or SGT propagation on the devices themselves.
  • D. Configuring a different security group tag for new devices is a policy design consideration, but it does not describe the technical action needed to enable the devices to participate in the TrustSec framework and enforce policies.

Concept tested. Cisco TrustSec SGT Exchange Protocol (SXP) Deployment

Reference. https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ise_30_admin_guide/b_ise_30_admin_guide_chapter_01101.html#concept_81EF567B139F47BE8682E6E85BB548D

Topics

#TrustSec #SGT Exchange Protocol (SXP) #Network Deployment #Cisco ISE
