Exam 300-715
Question 220

An organization has an SGACL locally configured on a switch port, but when a user in the Executives group connects to the network, they receive a different level of network access than expected. When Cisco ISE pushes SGACLs to the switch after the authorization phase, how does the switch decide which access to grant the user?

Correct Answer: D

When Cisco ISE pushes SGACLs to a switch, the dynamically downloaded policies will override any conflicting locally-defined policies. This means that the switch will grant access based on the dynamically downloaded SGACLs instead of the locally configured ones whenever there is a conflict.

Discussion
Jor466077 Option: A

An SGACL policy downloaded dynamically from the Cisco Secure ACS or a Cisco ISE will override any conflicting locally-defined policy. https://content.cisco.com/chapter.sjs?uri=%2Fsearchable%2Fchapter%2Fcontent%2Fen%2Fus%2Ftd%2Fdocs%2Fswitches%2Flan%2Fcatalyst9500%2Fsoftware%2Frelease%2F16-11%2Fconfiguration_guide%2Fcts%2Fb_1611_cts_9500_cg%2Fm9-1611-trustsec-sgacl-policies.html.xml&platform=Cisco%20Catalyst%209500%20Series%20Switches&release=IOS%20XE%20Gibraltar%2016.11.x#concept_wrg_5pl_2gb

IETF1

A is stating in "all cases", but the document states any conflicting policies, which means it will not affect any existing local policies that are not conflicting.

4004aa3

There is no merging.

IETF1 Option: D

D: An SGACL policy downloaded dynamically from the Cisco Secure ACS or a Cisco ISE will override any conflicting locally-defined policy.

G0909 Option: D

Only conflicting policies are overridden.