Implementing and Configuring Cisco Identity Services Engine (SISE) — Question 204

An organization has a SGACL locally configured on a switch port, but when a user in the Executives group connects to the network, they receive a different level of network access than expected. When Cisco ISE pushes SGACLs to the switch after the authorization phase, how does the switch decide which access to grant the user?

Answer options

• A. Dynamically downloaded policies override local policies in all cases.
• B. Local policies override dynamically downloaded policies in all cases.
• C. The policies are merged, but local policies receive priority.
• D. The policies are merged, but dynamically downloaded policies receive priority.

Correct answer: A

Explanation

The correct answer is A because dynamically downloaded policies from Cisco ISE will always supersede local policies, ensuring that the user receives the intended access level based on their group classification. Options B and C are incorrect as they suggest that local policies have priority, which is not the case. Option D is also incorrect because while it states the policies are merged, it fails to acknowledge that local policies do not override downloaded ones.