300-715 Question #390: Real Exam Question with Answer & Explanation

The correct answer is A: Create static IP-to-SGT mapping for the restricted web server. To implement inline SGT tagging for wireless users and restrict access to a server, a static IP-to-SGT mapping for the server and inline tag propagation on the switch and the WLC are required.

Policy Enforcement

Question

Wireless network users authenticate to Cisco ISE using 802.1X through a Cisco Catalyst switch. An engineer must create an updated configuration to assign a security group tag to the user's traffic using inline tagging to prevent unauthenticated users from accessing a restricted server. The following configurations were performed:

  • configured Cisco ISE as a Cisco TrustSec AAA server
  • configured the switch as a RADIUS device in Cisco ISE
  • configured the wireless LAN controller as a TrustSec device in Cisco ISE
  • created a security group tag for the wireless users
  • created a certificate authentication profile
  • created an identity source sequence
  • assigned an appropriate security group tag to the wireless users
  • defined security group access control lists to specify an egress policy
  • enforced the access control lists on the TrustSec policy matrix in Cisco ISE
  • configured TrustSec on the switch
  • configured TrustSec on the wireless LAN controller

Which two actions must be taken to complete the configuration? (Choose two.)

Options

  • A. Create static IP-to-SGT mapping for the restricted web server.
  • B. Configure inline tag propagation on the switch and wireless LAN controller.
  • C. Configure Security Group Tag Exchange Protocol to distribute IP to security group tags on Cisco
  • D. Configure Security Group Tag Exchange Protocol on the switch.
  • E. Configure Security Group Tag Exchange Protocol on the wireless LAN controller.

Explanation

To implement inline SGT tagging for wireless users and restrict access to a server, a static IP-to-SGT mapping for the server (so that traffic destined to it is classified with the server's SGT) and inline tag propagation on both the switch and the WLC (so that the SGT is carried in the frame along the data path) are required.

Common mistakes.

  • C. Security Group Tag Exchange Protocol (SXP) is used for exchanging SGT-to-IP mappings between devices, primarily for those not supporting inline tagging or for communicating SGTs across network layers, but it is not the mechanism for inline tagging itself nor for creating specific server IP-to-SGT mappings.
  • D. Configuring SXP on only the switch would not fully address the wireless user traffic originating from the WLC, and SXP is not the technology for inline tagging as requested in the scenario.
  • E. Configuring SXP on only the WLC would not provide complete end-to-end inline tagging across the switch or for the restricted server, and SXP is for mapping exchange rather than inline tagging.

Concept tested. Cisco TrustSec Inline Tagging and SGT Assignment

Reference. https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ise_30_admin_guide/b_ise_30_admin_guide_chapter_01101.html#concept_81EF567B139F47BE8682E6E85BB548D

Topics

  • Cisco TrustSec
  • Security Group Tag (SGT)
  • Inline Tagging
  • IP-to-SGT Mapping
