CCNP Security FAQ: ISE Scale and High Availability

Q1. How does a PSN join an ISE cube?
a. From the Deployment screen on the secondary nodes, select Join Cube and enter the FQDN and credentials of the cube controller.
b. From the Deployment screen on the PAN, click Create Cube. Then click Register and add the FQDN and credentials for the other nodes.
c. From the Deployment screen on the PAN, click Register and add the FQDN and credentials for the other nodes.
d. PSNs are standalone. They do not join an ISE cube.

Answer: C. First the standalone node is promoted to Primary on its Deployment screen (Administration > System > Deployment). Then, from that same screen on the PAN, click Register > Register an ISE Node and enter the FQDN and admin credentials of each node that should join; this is what forms the ISE cube. Two prerequisites trip people up: the PAN must be able to resolve the joining node's FQDN in DNS, and the PAN must trust the admin certificate that the joining node presents, otherwise registration fails.

Q2. True or False? When joining a node to an ISE cube, you specify which personas the node should have.
a. True
b. False

Answer: A. On the registration screen you choose which persona(s) the node will run (Administration, Monitoring, Policy Service) and the Primary/Secondary role. Because the node doing the registering is already the Primary PAN, a newly registered Administration node can only be Secondary, so in practice the Primary/Secondary choice applies to the Monitoring persona.

Q3. Which three pieces of information are needed for an ISE license?
a. The output from the show license CLI command.
b. The unique device ID (UDID), version number (VPID), and serial number
c. The product ID (SPID), unique device ID (UDID), and serial number
d. The product ID (SPID), version number (VPID), and serial number

Answer: D. The show udi CLI command, and the Licensing page in the GUI, provide the three values a license file is generated against: the SPID (product ID), the VPID (version ID), and the serial number.

Q4. How does HA work for an ISE policy administration node?
a. Gigabit Ethernet 4 is used for stateful heartbeat. When the primary no longer responds, the secondary takes over.
b. The secondary is manually promoted from the secondary’s GUI.
c. The secondary is manually promoted from the primary’s GUI.
d. There is no HA for the policy administration node.

Answer: B. In the ISE 1.2 release this exam covers, the secondary PAN does not take over on its own. An administrator promotes it from the secondary PAN's own GUI (Administration > System > Deployment, select the node, Promote to Primary); when the old primary returns it rejoins as the secondary. Later ISE releases added an optional automatic PAN failover driven by a health-check node, but that is not part of this exam's answer.

Q5. How does the monitoring persona’s high availability work?
a. ISE uses TCP syslog, and if the primary node does not respond, then the other nodes will send logs to the secondary.
b. Gigabit Ethernet 4 is used for stateful heartbeat. When the primary no longer responds, the secondary takes over.
c. Monitoring persona does not have an HA function.
d. Logs are sent to both MnT nodes automatically. If one MnT node goes down, the other node is still receiving logs.

Answer: D. There is no failover of the logging path to configure: every ISE node sends its syslog to both the primary and the secondary MnT node at all times, so when one MnT fails the other already holds a complete copy of the logs. If the primary MnT is lost for good, the secondary can be promoted from the Deployment screen.

Q6. What is the purpose of a node group?
a. Node groups are used for stateful sync between PSNs. If one PSN goes down, another PSN from the node group will assume its sessions automatically.
b. Node groups are used for a multicast heartbeat between PANs. If one PAN goes down, another PAN from the node group will take over.
c. Node groups are used for a multicast heartbeat between PSNs. If one PSN goes down, another PSN from the node group will send a change of authorization (CoA) for establishing sessions of the fallen node.
d. Node groups are used for a multicast heartbeat between MnT nodes. If one MnT goes down, another MnT from the node group will take over.

[Table: ISE Nodes and Personas]

Answer: C. A node group is a set of PSNs on the same Layer-2 segment (the same VLAN) that exchange a heartbeat with one another. If a PSN fails while sessions are still mid-flow on it (for example an endpoint parked in a URL redirect for posture or central web authentication), a surviving member of the node group sends a CoA to the NAD for those sessions so the endpoint restarts authentication against a live PSN. Node groups do not replicate session state between PSNs, which is why option A is wrong.
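The mechanism in that answer, as an added toy model (this is not code from the original page or from Cisco): PSNs in one VLAN heartbeat each other, and once a peer has missed a threshold of heartbeats a surviving member issues CoA only for the sessions that were stuck in a URL redirect on the dead node. The node names, MAC addresses, NAD IPs and the missed-heartbeat threshold are all constructed for illustration; the real ISE heartbeat timers are not on this page.

```python
# Added example (not from the original page or from Cisco): a toy model of how a
# node group covers a failed PSN. Node names, MAC addresses, NAD IPs and the
# missed-heartbeat threshold are constructed for illustration.
from dataclasses import dataclass, field

HEARTBEAT_MISS_LIMIT = 3   # assumed threshold; the real ISE timer is not on the page


@dataclass
class Session:
    mac: str
    nad_ip: str
    state: str            # "URL-REDIRECT" (parked for posture/CWA) or "AUTHORIZED"


@dataclass
class Psn:
    name: str
    vlan: int
    alive: bool = True
    covered: bool = False                                 # set once a peer has sent CoA
    sessions: dict = field(default_factory=dict)          # mac -> Session
    missed: dict = field(default_factory=dict)            # peer name -> missed heartbeats


class NodeGroup:
    """PSNs on one VLAN that heartbeat each other and send CoA for a dead peer."""

    def __init__(self, name, members):
        vlans = {m.vlan for m in members}
        if len(vlans) != 1:    # node group members must be Layer-2 adjacent
            raise ValueError(f"node group {name}: members span VLANs {sorted(vlans)}")
        self.name = name
        self.members = list(members)
        self.coa_log = []      # (sending PSN, NAD IP, endpoint MAC)

    def tick(self):
        """One heartbeat interval: each live member checks each of its peers."""
        for m in self.members:
            if not m.alive:
                continue
            for peer in self.members:
                if peer is m:
                    continue
                if peer.alive:
                    m.missed[peer.name] = 0
                    continue
                m.missed[peer.name] = m.missed.get(peer.name, 0) + 1
                if m.missed[peer.name] >= HEARTBEAT_MISS_LIMIT and not peer.covered:
                    self._cover(m, peer)

    def _cover(self, survivor, dead):
        # Only sessions stuck mid-flow get a CoA, so the NAD makes the endpoint
        # start over against a live PSN; fully authorized sessions are left alone.
        dead.covered = True
        for s in dead.sessions.values():
            if s.state == "URL-REDIRECT":
                self.coa_log.append((survivor.name, s.nad_ip, s.mac))


def run_scenario():
    """psn1 dies holding two redirected sessions and one authorized session."""
    psn1, psn2, psn3 = Psn("psn1", 10), Psn("psn2", 10), Psn("psn3", 10)
    group = NodeGroup("dc-group", [psn1, psn2, psn3])
    for mac, nad, state in [("00:11:22:33:44:55", "10.1.1.1", "URL-REDIRECT"),
                            ("66:77:88:99:aa:bb", "10.1.1.1", "AUTHORIZED"),
                            ("cc:dd:ee:ff:00:11", "10.1.2.1", "URL-REDIRECT")]:
        psn1.sessions[mac] = Session(mac, nad, state)
    group.tick()                 # everything healthy: no CoA
    psn1.alive = False
    for _ in range(HEARTBEAT_MISS_LIMIT):
        group.tick()
    return group.coa_log


if __name__ == "__main__":
    for sender, nad, mac in run_scenario():
        print(f"{sender} -> CoA to {nad} for {mac}")
```

Running it shows exactly two CoA messages, both from the first surviving member, one per NAD that had a redirected session on psn1; the authorized session is untouched, and the `covered` flag keeps the third member from sending a duplicate CoA. The VLAN check in the constructor mirrors the Layer-2 adjacency requirement from the answer.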

Q7. True or False? Cisco ISE cannot be used with load balancers.
a. True
b. False

Answer: B. Cisco ISE is commonly deployed behind a load balancer for RADIUS (and for its web portals). The caveats to pay attention to: do not Source NAT (SNAT) the RADIUS traffic, because the PSN identifies the network device by the packet's source IP and must be able to send CoA directly to that address; configure persistence (stickiness) on the Calling-Station-Id so an endpoint's authentication and accounting land on the same PSN; and use health probes so the load balancer stops sending to a PSN whose RADIUS service is down.
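The two RADIUS caveats from that answer, as an added toy model (this is not code from the original page or from Cisco): a PSN that identifies the NAD by source IP and tracks which endpoints it authenticated, in front of a load balancer whose SNAT and persistence settings can be toggled. The VIP, PSN and NAD addresses, the shared secret and the endpoint MAC are constructed for illustration.

```python
# Added example (not from the original page or from Cisco): a toy model of the
# two RADIUS load-balancing caveats. VIP, PSN and NAD addresses, the shared
# secret and the endpoint MAC are all constructed for illustration.
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class RadiusPacket:
    code: str                 # "Access-Request" or "Accounting-Request"
    src_ip: str               # source address as the receiver sees it
    calling_station_id: str   # endpoint MAC


class Psn:
    def __init__(self, name, network_devices):
        self.name = name
        self.network_devices = network_devices   # NAD IP -> shared secret
        self.sessions = set()                    # endpoints this PSN authenticated

    def handle(self, pkt):
        # ISE finds the network device by the packet's source IP. Behind SNAT every
        # packet arrives from the load balancer, so the real NAD is never matched
        # (and CoA, which is addressed to pkt.src_ip, could only reach the LB).
        if pkt.src_ip not in self.network_devices:
            return f"{self.name}: DROP, unknown NAD {pkt.src_ip}"
        if pkt.code == "Access-Request":
            self.sessions.add(pkt.calling_station_id)
            return f"{self.name}: Access-Accept, CoA target {pkt.src_ip}"
        if pkt.calling_station_id not in self.sessions:
            # Accounting landed on a PSN that never saw the authentication.
            return f"{self.name}: Accounting-Request for unknown session"
        return f"{self.name}: Accounting-Response"


class RadiusLoadBalancer:
    def __init__(self, vip, psns, snat=False, persistence=None):
        self.vip = vip
        self.snat = snat                  # rewrite source IP to the VIP (the caveat)
        self.persistence = persistence    # None or "calling-station-id"
        self._round_robin = cycle(psns)
        self._sticky = {}                 # Calling-Station-Id -> PSN

    def _select(self, pkt):
        if self.persistence == "calling-station-id":
            if pkt.calling_station_id not in self._sticky:
                self._sticky[pkt.calling_station_id] = next(self._round_robin)
            return self._sticky[pkt.calling_station_id]
        return next(self._round_robin)

    def forward(self, pkt):
        psn = self._select(pkt)
        if self.snat:
            pkt = RadiusPacket(pkt.code, self.vip, pkt.calling_station_id)
        return psn.handle(pkt)


NADS = {"10.1.1.1": "s3cret"}   # constructed NAD table shared by both PSNs


def scenario(snat, persistence):
    """Send one endpoint's Access-Request then Accounting-Request through the LB."""
    psns = [Psn("psn1", NADS), Psn("psn2", NADS)]
    lb = RadiusLoadBalancer("10.9.0.10", psns, snat=snat, persistence=persistence)
    mac = "00:11:22:33:44:55"
    return [lb.forward(RadiusPacket("Access-Request", "10.1.1.1", mac)),
            lb.forward(RadiusPacket("Accounting-Request", "10.1.1.1", mac))]


if __name__ == "__main__":
    for cfg in [(True, "calling-station-id"), (False, None), (False, "calling-station-id")]:
        print(cfg, scenario(*cfg))
```

With SNAT on, both requests reach the PSN from the VIP and are dropped as coming from an unknown NAD. With SNAT off but no persistence, the Access-Request goes to psn1 and the Accounting-Request round-robins to psn2, which has no record of that session. Only the no-SNAT, Calling-Station-Id-persistent configuration produces a clean Access-Accept followed by an Accounting-Response on the same PSN.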

Q8. How are patches applied to Cisco ISE?
a. Patches are downloaded and applied automatically using Cisco github.
b. Patches are downloaded from Cisco.com and applied through the GUI.
c. Patches are downloaded but not applied automatically. They are downloaded from Cisco github.
d. Patches are downloaded and applied automatically as part of the ISE feed service.

Answer: B. Patch bundles are downloaded from Cisco.com and installed on the primary PAN under Administration > System > Maintenance > Patch Management (the patch install CLI command is the alternative). The PAN then pushes the patch to every other node in the deployment. Patches are cumulative, and each node restarts its services while it installs, so plan the work in a maintenance window.

Q9. How do you verify the status of an ISE backup?
a. The status can be viewed only from the CLI.
b. The status of a restore is available in the GUI, but not backup status.
c. The status is not viewable in ISE version 1.2.
d. The status of a backup can be viewed from the GUI under Administration > System > Backup & Restore.

Answer: D. Backup status is visible in the GUI under Administration > System > Backup & Restore and from the CLI with show backup status. Restore status, by contrast, is visible only from the CLI (show restore status), which is why option B is backwards.

Q10. Where do you set the order for patching ISE nodes?
a. This is configured under Administration > System > Settings > Patch Management.
b. It is configured on the Administration > System > Maintenance > Patch Management page.
c. It is not configurable and will patch all nodes simultaneously.
d. It is not configurable and will patch all nodes in alphabetical order.

Answer: D. The order is not configurable. The primary PAN is patched first; it then pushes the patch to the remaining nodes, which are patched one after another in alphabetical order of node name rather than all at once.

About the author

James Palmer