CCIE/CCNP 350-401 ENCOR Dumps Full Questions with VCE & PDF

CCNA 350-401 Dumps Project

Multiple Choice Questions

1. Which function does a fabric edge node perform in an SD-Access deployment?

  • A. Connects endpoints to the fabric and forwards their traffic.
  • B. Encapsulates end-user data traffic into LISP.
  • C. Connects the SD-Access fabric to another fabric or external Layer 3 networks.
  • D. Provides reachability between border nodes in the fabric underlay.

Correct Answer: A

Explanation: There are five basic device roles in the fabric overlay:
+ Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay.
+ Fabric border node: This fabric device (for example, core layer device) connects external Layer 3 networks to the SDA fabric.
+ Fabric edge node: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric.
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric.
+ Intermediate nodes: These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services.

2. Refer to the exhibit.Which privilege level is assigned to VTY users?

  • A. 1
  • B. 7
  • C. 13
  • D. 15

Correct Answer: A

Explanation: Lines (CON, AUX, VTY) default to level 1 privileges.

3. What is the difference between a RIB and a FIB?

  • A. The FIB is populated based on RIB content.
  • B. The RIB maintains a minor image of the FIB.
  • C. The RIB is used to make IP source prefix-based switching decisions.
  • D. The FIB is where all IP routing information is stored.

Correct Answer: A

Explanation: CEF uses a Forwarding Information Base (FIB) to make IP destination prefix-based switching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table. Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with earlier switching paths such as fast switching and optimum switching.
Note: In order to view the Routing information base (RIB) table, use the “show ip route” command.
To view the Forwarding Information Base (FIB), use the “show ip cef” command. RIB is in Control plane while FIB is in Data plane.

4. Which requirement for an Ansible-managed node is true?

  • A. It must have an SSH server running.
  • B. It must be a Linux server or a Cisco device.
  • C. It must support ad hoc commands.
  • D. It must have an Ansible Tower installed.

Correct Answer: A

5. A client device fails to see the enterprise SSID, but other client devices are connected to it. What is the cause of this issue?

  • A. The client has incorrect credentials stored for the configured broadcast SSID.
  • B. The hidden SSID was not manually configured on the client.
  • C. The broadcast SSID was not manually configured on the client.
  • D. The client has incorrect credentials stored for the configured hidden SSID.

Correct Answer: B

6. Which two descriptions of FlexConnect mode for Cisco APs are true? (Choose two.)

  • A. APs that operate in FlexConnect mode cannot detect rogue APs
  • B. FlexConnect mode is used when the APs are set up in a mesh environment and used to bridge between each other.
  • C. FlexConnect mode is a feature that is designed to allow specified CAPWAP-enabled APs to exclude themselves from managing data traffic between clients and infrastructure.
  • D. When connected to the controller, FlexConnect APs can tunnel traffic back to the controller
  • E. FlexConnect mode is a wireless solution for branch office and remote office deployments

Correct Answer: CD

7. Which OSPF network types are compatible and allow communication through the two peering devices?

  • A. point-to-multipoint to nonbroadcast
  • B. broadcast to nonbroadcast
  • C. point-to-multipoint to broadcast
  • D. broadcast to point-to-point

Correct Answer: B

Explanation:

The following different OSPF types are compatible with each other:
+ Broadcast and Non-Broadcast (adjust hello/dead timers)
+ Point-to-Point and Point-to-Multipoint (adjust hello/dead timers)
Broadcast and Non-Broadcast networks elect DR/BDR so they are compatible. Point-topoint/ multipoint do not elect DR/BDR so they are compatible.

Reference: https://www.freeccnaworkbook.com/workbooks/ccna/configuring-ospf-network-types

8. Which NGFW mode blocks flows crossing the firewall?

  • A. tap
  • B. inline
  • C. passive
  • D. inline tap

Correct Answer: B

Explanation: Firepower Threat Defense (FTD) provides six interface modes which are: Routed, Switched, Inline Pair, Inline Pair with Tap, Passive, Passive (ERSPAN).
When Inline Pair Mode is in use, packets can be blocked since they are processed inline When you use Inline Pair mode, the packet goes mainly through the FTD Snort engine When Tap Mode is enabled, a copy of the packet is inspected and dropped internally while the actual traffic goes through FTD unmodified
Reference: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html

9. Which statement about route targets is true when using VRF-Lite?

  • A. Route targets control the import and export of routes into a customer routing table.
  • B. When BGP is configured, route targets are transmitted as BGP standard communities.
  • C. Route targets allow customers to be assigned overlapping addresses.
  • D. Route targets uniquely identify the customer routing table.

Correct Answer: A

Explanation: Answer ‘Route targets allow customers to be assigned overlapping addresses’ and answer ‘Route targets uniquely identify the customer routing table’ are not correct as only route distinguisher (RD) identifies the customer routing table and “allows customers to be assigned overlapping addresses”.
Answer ‘When BGP is configured, route targets are transmitted as BGP standard communities’ is not correct as “When BGP is configured, route targets are transmitted as BGP extended communities”

10. How does Cisco TrustSec enable more flexible access controls for dynamic networking environments and data centers?

  • A. uses flexible NetFlow
  • B. assigns a VLAN to the endpoint
  • C. classifies traffic based on advanced application recognition
  • D. classifies traffic based on the contextual identity of the endpoint rather than its IP address

Correct Answer: D

Explanation: The Cisco TrustSec solution simplifies the provisioning and management of network access control through the use of software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy change without net-work redesign.

Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-726831.pdf

11. Refer to the exhibit. Which statement about the OPSF debug output is true?

  • A. The output displays OSPF hello messages which router R1 has sent or received on interface Fa0/1.
  • B. The output displays OSPF messages which router R1 has sent or received on all interfaces.
  • C. The output displays OSPF messages which router R1 has sent or received on interface Fa0/1.
  • D. The output displays OSPF hello and LSACK messages which router R1 has sent or received.

Correct Answer: A

Explanation: This combination of commands is known as “Conditional debug” and will filter the debug output based on your conditions. Each condition added, will behave like an ‘And’ operator in Boolean logic.
Some examples of the “debug ip ospf hello” are shown below:

12. Which LISP infrastructure device provides connectivity between non-LISP sites and LISP sites by receiving non-LISP traffic with a LISP site destination?

  • A. PITR
  • B. map resolver
  • C. map server
  • D. PETR

Correct Answer: A

Explanation: Proxy ingress tunnel router (PITR): answer ‘PETR’ PITR is an infrastructure LISP network entity that receives packets from non-LISP sites and encapsulates the packets to LISP sites or natively forwards them to non-LISP sites.
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DCI/5-0/LISPmobility/DCI_LISP_Host_Mobility/LISPmobile_2.html

13. Which two protocols are used with YANG data models? (Choose two.)

  • A. TLS
  • B. RESTCONF
  • C. SSH
  • D. NETCONF
  • E. HTTPS

Correct Answer: BD

Explanation: YANG (Yet Another Next Generation) is a data modeling language for the definition of data sent over network management protocols such as the NETCONF and RESTCONF.

14. Which HTTP status code is the correct response for a request with an incorrect password applied to a REST API session?

  • A. HTTP Status Code: 200
  • B. HTTP Status Code: 302
  • C. HTTP Status Code: 401
  • D. HTTP Status Code: 504

Correct Answer: C

Explanation: A 401 error response indicates that the client tried to operate on a protected resource without providing the proper authorization. It may have provided the wrong credentials or none at all.
Note: answer ‘HTTP Status Code 200’ 4xx code indicates a “client error” while a 5xx code indicates a “server error”.
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

15. The login method is configured on the VTY lines of a router with these parameters.

  • The first method for authentication is TACACS
  • If TACACS is unavailable, login is allowed without any provided credentials

Which configuration accomplishes this task?

A.
R1#sh run | include aaa
aaa new-model
aaa authentication login VTY group tacacs+ none
aaa session-id common
R1#sh run | section vty
line vty 0 4
password 7 0202039485748
R1#sh run | include username
R1#

B.
R1#sh run | include aaa
aaa new-model
aaa authentication login telnet group tacacs+ none
aaa session-id common
R1#sh run | section vty
line vty 0 4
R1#sh run | include username
R1#

C.
R1#sh run | include aaa
aaa new-model
aaa authentication login default group tacacs+ none
aaa session-id common
R1#sh run | section vty
line vty 0 4
password 7 0202039485748

D.
R1#sh run | include aaa
aaa new-model
aaa authentication login default group tacacs+
aaa session-id common
R1#sh run | section vty
line vty 0 4
transport input none
R1#

Correct Answer: C

Explanation: According to the requirements (first use TACACS+, then allow login with no authentication), we have to use “aaa authentication login … group tacacs+ none” for AAA command.
The next thing to check is the if the “aaa authentication login default” or “aaa authentication login list-name” is used. The ‘default’ keyword means we want to apply for all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under tty, vty and aux lines. If we don’t use this keyword then we have to specify which line(s) we want to apply the authentication feature.
From above information, we can find out answer ‘R1#sh run | include aaa aaa new-model aaa authentication login default group tacacs+ none aaa session-id common R1#sh run | section vty line vty 0 4 password 7 0202039485748 If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS Tutorial – Part 2.
For your information, answer ‘R1#sh run | include aaa
aaa new-model
aaa authentication login telnet group tacacs+ none
aaa session-id common
R1#sh run | section vty
line vty 0 4
R1#sh run | include username
R1#’ would be correct if we add the following command under vty line (“line vty 0 4”): “login authentication telnet” (“telnet” is the name of the AAA list above)

16. Which statement about multicast RPs is true?

  • A. RPs are required only when using protocol independent multicast dense mode.
  • B. RPs are required for protocol independent multicast sparse mode and dense mode.
  • C. By default, the RP is needed periodically to maintain sessions with sources and receivers.
  • D. By default, the RP is needed only to start new sessions with sources and receivers.

Correct Answer: D

Explanation: A rendezvous point (RP) is required only in networks running Protocol Independent Multicast sparse mode (PIM-SM).
By default, the RP is needed only to start new sessions with sources and receivers.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/ip_multicast/White_papers/rps.html

17. To increase total throughput and redundancy on the links between the wireless controller and switch, the customer enabled LAG on the wireless controller. Which EtherChannel mode must be configured on the switch to allow the WLC to connect?

  • A. Active
  • B. Passive
  • C. On
  • D. Auto

Correct Answer: C

18. Which feature does Cisco TrustSec use to provide scalable, secure communication throughout a network?

  • A. security group tag ACL assigned to each port on a switch
  • B. security group tag number assigned to each user on a switch
  • C. security group tag number assigned to each port on a network
  • D. security group tag ACL assigned to each router on a network

Correct Answer: B

19. An engineer configures a WLAN with fast transition enabled. Some legacy clients fail to connect to this WLAN. Which feature allows the legacy clients to connect while still allowing other clients to use fast transition based on their OUIs?

  • A. over the DS
  • B. 802.11k
  • C. adaptive R
  • D. 802.11v

Correct Answer: C

20. Which exhibit displays a valid JSON file?

A.

B.

C.

D.

Correct Answer: B

21. A network administrator is implementing a routing configuration change and enables routing debugs to track routing behavior during the change. The logging output on the terminal is interrupting the command typing process.
Which two actions can the network administrator take to minimize the possibility of typing commands incorrectly? (Choose two.)

  • A. Configure the logging synchronous global configuration command.
  • B. Configure the logging synchronous command under the vty.
  • C. Increase the number of lines on the screen using the terminal length command.
  • D. Configure the logging delimiter feature.
  • E. Press the TAB key to reprint the command in a new line.

Correct Answer: AB

22. Which two pieces of information are necessary to compute SNR? (Choose two.)

  • A. transmit power
  • B. noise floor
  • C. EIRP
  • D. RSSI
  • D. antenna gain

Correct Answer: AB

23. Which statements are used for error handling in Python?

  • A. try/catch
  • B. catch/release
  • C. block/rescue
  • D. try/except

Correct Answer: D

Explanation: The words “try” and “except” are Python keywords and are used to catch exceptions. For example:
try:
print 1/0
except ZeroDivisionError:
print ‘Error! We cannot divide by zero!!!’

24. What are two benefits of virtualizing the server with the use of VMs in a data center environment? (Choose two.)

  • A. reduced rack space, power, and cooling requirements
  • B. smaller Layer 2 domain
  • C. increased security
  • D. speedy deployment
  • E. reduced IP and MAC address requirements

Correct Answer: AD

Explanation: Server virtualization and the use of virtual machines is profoundly changing data center dynamics.
Most organizations are struggling with the cost and complexity of hosting multiple physical servers in their data centers. The expansion of the data center, a result of both scale-out server architectures and traditional “one application, one server” sprawl, has created problems in housing, powering, and cooling large numbers of underutilized servers. In addition, IT organizations continue to deal with the traditional cost and operational challenges of matching server resources to organizational needs that seem fickle and ever changing.
Virtual machines can significantly mitigate many of these challenges by enabling multiple application and operating system environments to be hosted on a single physical server while maintaining complete isolation between the guest operating systems and their respective applications. Hence, server virtualization facilitates server consolidation by enabling organizations to exchange a number of underutilized servers for a single highly utilized server running multiple virtual machines.
By consolidating multiple physical servers, organizations can gain several benefits:
+ Underutilized servers can be retired or redeployed.
+ Rack space can be reclaimed.
+ Power and cooling loads can be reduced.
+ New virtual servers can be rapidly deployed.
+ CapEx (higher utilization means fewer servers need to be purchased) and OpEx (few servers means a simpler environment and lower maintenance costs) can be reduced.

25. Which two steps are required for a complete Cisco DNA Center upgrade? (Choose two.)

  • A. automation backup
  • B. system update
  • C. golden image selection
  • D. proxy configuration
  • E. application updates

Correct Answer: BE

Explanation: A complete Cisco DNA Center upgrade includes “System Update” and “Appplication Updates”

26. What is a benefit of data modeling languages like YANG?

  • A. They create more secure and efficient SNMP OIDs.
  • B. They provide a standardized data structure, which results in configuration scalability and consistency.
  • C. They enable programmers to change or write their own applications within the device operating system.
  • D. They make the CLI simpler and more efficient.

Correct Answer: B

Explanation: Yet Another Next Generation (YANG) is a language which is only used to describe data models (structure). It is not XML or JSON.

27. Refer to the exhibit.

What is the JSON syntax that is formed from the data?

  • A. {Name: Bob Johnson, Age: 75, Alive: true, Favorite Foods: [Cereal, Mustard, Onions]}
  • B. {“Name”: “Bob Johnson”, “Age”: 75, “Alive”: true, “Favorite Foods”: [“Cereal”, “Mustard”, “Onions”]}
  • C. {‘Name’: ‘Bob Johnson’, ‘Age’: 75, ‘Alive’: True, ‘Favorite Foods’: ‘Cereal’, ‘Mustard’, ‘Onions’}
  • D. {“Name”: “Bob Johnson”, “Age”: Seventyfive, “Alive”: true, “Favorite Foods”: [“Cereal”, “Mustard”, “Onions”]}

Correct Answer: B

Explanation:

JSON data is written as name/value pairs.
A name/value pair consists of a field name (in double quotes), followed by a colon, followed by a
value:
“name”:”Mark”
JSON can use arrays. Array values must be of type string, number, object, array, boolean or null.
For example:
{
“name”:”John”,
“age”:30,
“alive”:true,
“cars”:[ “Ford”, “BMW”, “Fiat” ]
}

28. Based on this interface configuration, what is the expected state of OSPF adjacency?

  • A. 2WAY/DROTHER on both routers
  • B. not established
  • C. FULL on both routers
  • D. FULL/BDR on R1 and FULL/BDR on R2

Correct Answer: B

Explanation: On Ethernet interfaces the OSPF hello intervl is 10 second by default so in this case there would be a Hello interval mismatch -> the OSPF adjacency would not be established.

29. Refer to the exhibit.

Link1 is a copper connection and Link2 is a fiber connection. The fiber port must be the primary port for all forwarding. The output of the show spanning-tree command on SW2 shows that the fiber port is blocked by spanning tree. An engineer enters the spanning-tree port-priority 32 command on G0/1 on SW2, but the port remains blocked.

Which command should be entered on the ports that are connected to Link2 to resolve the issue?

  • A. Enter spanning-tree port-priority 4 on SW2.
  • B. Enter spanning-tree port-priority 32 on SW1.
  • C. Enter spanning-tree port-priority 224 on SW1.
  • D. Enter spanning-tree port-priority 64 on SW2.

Correct Answer: B

Explanation: SW1 needs to block one of its ports to SW2 to avoid a bridging loop between the two switches.
Unfortunately, it blocked the fiber port Link2. But how does SW2 select its blocked port? Well, the answer is based on the BPDUs it receives from SW1. answer ‘Enter spanning-tree port-priority 32 on
SW1’ BPDU is superior than another if it has:
1. answer ‘Enter spanning-tree port-priority 32 on SW1’ lower Root Bridge ID
2. answer ‘Enter spanning-tree port-priority 32 on SW1’ lower path cost to the Root
3. answer ‘Enter spanning-tree port-priority 32 on SW1’ lower Sending Bridge ID
4. answer ‘Enter spanning-tree port-priority 32 on SW1’ lower Sending Port ID These four parameters are examined in order. In this specific case, all the BPDUs sent by SW1 have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID.
The only parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). And the port index of Gi0/0 is lower than the port index of Gi0/1 so Link 1 has been chosen as the primary link.
Therefore we must change the port priority to change the primary link. The lower numerical value of port priority, the higher priority that port has. In other words, we must change the port-priority on Gi0/1 of SW1 (not on Gi0/1 of SW2) to a lower value than that of Gi0/0.

30. Which JSON syntax is valid?

  • A. {“switch”: “name”: “dist1”, “interfaces”: [“gig1”, “gig2”, “gig3”]}
  • B. {/“switch/”: {/“name/”: “dist1”, /“interfaces/”: [“gig1”, “gig2”, “gig3”]}}
  • C. {“switch”: {“name”: “dist1”, “interfaces”: [“gig1”, “gig2”, “gig3”]}}
  • D. {‘switch’: (‘name’: ‘dist1’, ‘interfaces’: [‘gig1’, ‘gig2’, ‘gig3’])}

Correct Answer: C

Explanation: This JSON can be written as follows:
{
‘switch’: {
‘name’: ‘dist1’,
‘interfaces’: [‘gig1’, ‘gig2’, ‘gig3’]
}}

31. What are two common sources of interference for Wi-Fi networks? (Choose two.)

  • A. LED lights
  • B. radar
  • C. fire alarm
  • D. conventional oven
  • E. rogue AP

Correct Answer: AE

32. When using TLS for syslog, which configuration allows for secure and reliable transportation of messages to its default port?

  • A. logging host 10.2.3.4 vrf mgmt transport tcp port 514
  • B. logging host 10.2.3.4 vrf mgmt transport udp port 514
  • C. logging host 10.2.3.4 vrf mgmt transport tcp port 6514
  • D. logging host 10.2.3.4 vrf mgmt transport udp port 6514

Correct Answer: C

Explanation: The TCP port 6514 has been allocated as the default port for syslog over Transport Layer Security (TLS).
Reference: https://tools.ietf.org/html/rfc5425

33. Which behavior can be expected when the HSRP version is changed from 1 to 2?

  • A. No changes occur because the standby router is upgraded before the active router.
  • B. No changes occur because version 1 and 2 use the same virtual MAC OUI.
  • C. Each HSRP group reinitializes because the virtual MAC address has changed.
  • D. Each HSRP group reinitializes because the multicast address has changed.

Correct Answer: C

34. Which protocol does REST API rely on to secure the communication channel?

  • A. HTTP
  • B. SSH
  • C. HTTPS
  • D. TCP

Correct Answer: C

Explanation: The REST API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JavaScript Object Notation (JSON) or Extensible Markup Language (XML) documents. You can use any programming language to generate the messages and the JSON or XML documents that contain the API methods or Managed Object (MO) descriptions.

35. Refer to this output.

R1# *Feb 14 37:09:53.129: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

What is the logging severity level?

  • A. notification
  • B. emergency
  • C. critical
  • D. alert

Correct Answer: A

36. Refer to the exhibit.Which IP address becomes the active next hop for 192.168.102.0/24 when 192.168.101.2 fails?

  • A. 192.168.101.10
  • B. 192.168.101.14
  • C. 192.168.101.6
  • D. 192.168.101.18

Correct Answer: D

Explanation: The ‘>’ shown in the output above indicates that the path with a next hop of 192.168.101.2 is the current best path.
Path Selection Attributes: Weight > Local Preference > Originate > AS Path > Origin > MED > External > IGP Cost > eBGP Peering > Router ID BGP prefers the path with highest weight but the weights here are all 0 (which indicate all routes that are not originated by the local router) so we need to check the Local Preference. Answer ‘192.168.101.18’ path without LOCAL_PREF (LocPrf column) means it has the default value of 100.
Therefore we can find the two next best paths with the next hop of 192.168.101.18 and 192.168.101.10.
We have to move to the next path selection attribute: Originate. BGP prefers the path that the local router originated (which is indicated with the “next hop 0.0.0.0”). But none of the two best paths is self-originated.
The AS Path of the next hop 192.168.101.18 is shorter than the AS Path of the next hop 192.168.101.10 then the next hop 192.168.101.18 will be chosen as the next best path.

37. Which PAgP mode combination prevents an EtherChannel from forming?

  • A. auto/desirable
  • B. desirable/desirable
  • C. desirable/auto
  • D. auto/auto

Correct Answer: D

Explanation: There are two PAgP modes:

Auto Responds to PAGP messages but does not aggressively negotiate a PAGP EtherChannel. Answer ‘auto/auto’ channel is formed only if the port on the other end is set to Desirable. This is the default mode.
Desirable Port actively negotiates channeling status with the interface on the other end of the link. Answer ‘auto/auto’ channel is formed if the other side is Auto or Desirable.

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP Desirable Auto
Desirable Yes Yes
Auto Yes No

Reference: https://www.omnisecu.com/cisco-certified-network-associate-ccna/etherchannel-pagp-and-lacp-modes.php

38. If a VRRP master router fails, which router is selected as the new master router?

  • A. router with the lowest priority
  • B. router with the highest priority
  • C. router with the highest loopback address
  • D. router with the lowest loopback address

Correct Answer: B

39. Which QoS component alters a packet to change the way that traffic is treated in the network?

  • A. policing
  • B. classification
  • C. marking
  • D. shaping

Correct Answer: C

Explanation: QoS Packet Marking refers to changing a field within a packet either at Layer 2 (802.1Q/p CoS, MPLS EXP) or Layer 3 (IP Precedence, DSCP and/or IP ECN).

40. Refer to the exhibit. Assuming that R1 is a CE router, which VRF is assigned to Gi0/0 on R1?

  • A. default VRF
  • B. VRF VPN_A
  • C. VRF VPN_B
  • D. management VRF

Correct Answer: A

Explanation: There is nothing special with the configuration of Gi0/0 on R1. Only Gi0/0 interface on R2 is assigned to VRF VPN_A. The default VRF here is similar to the global routing table concept in Cisco IOS

41. Refer to the exhibit.Based on the configuration in this WLAN security setting, which method can a client use to authenticate to the network?

  • A. text string
  • B. username and password
  • C. RADIUS token
  • D. certificate

Correct Answer: A

42. Which two mechanisms are available to secure NTP? (Choose two.)

  • A. IPsec
  • B. IP prefix list-based
  • C. encrypted authentication
  • D. TACACS-based authentication
  • E. IP access list-based

Correct Answer: CE

Explanation: The time kept on a machine is a critical resource and it is strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. The two security features available are an access list-based restriction scheme and an encrypted authentication mechanism.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/ios-xml/ios/bsm/configuration/xe-3se/3650/bsm-xe-3se-3650-book.html

43. Which technology provides a secure communication channel for all traffic at Layer 2 of the OSI model?

  • A. SSL
  • B. Cisco TrustSec
  • C. MACsec
  • D. IPsec

Correct Answer: C

Explanation: MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using outofband methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) or Pre Shared Key (PSK) framework.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the MKA peer. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the MKA peer, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to a MKA peer) using the current session key.

44. Refer to the exhibit.

An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthernet0/0 interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet.
Which explanation of this behavior is true?

  • A. Access control lists that are applied outbound to a router interface do not affect traffic that is sourced from the router.
  • B. After an access control list is applied to an interface, that interface must be shut and no shut for the access control list to take effect.
  • C. Only standard access control lists can block traffic from a source IP address.
  • D. The access control list must contain an explicit deny to block traffic from the router.

Correct Answer: A

45. Which two methods are used by an AP that is trying to discover a wireless LAN controller? (Choose two.)

  • A. Cisco Discovery Protocol neighbor
  • B. querying other APs
  • C. DHCP Option 43
  • D. broadcasting on the local subnet
  • E. DNS lookup CISCO-DNA-PRIMARY.localdomain

Correct Answer: CD

46. Which IP SLA operation requires the IP SLA responder to be configured on the remote end?

  • A. UDP jitter
  • B. ICMP jitter
  • C. TCP connect
  • D. ICMP echo

Correct Answer: A

Explanation:

Cisco IOS IP SLA Responder is a Cisco IOS Software component whose functionality is to respond to Cisco IOS IP SLA request packets. The IP SLA source sends control packets before the operation starts to establish a connection to the responder. Once the control packet is acknowledged, test packets are sent to the responder. The responder inserts a time-stamp when it receives a packet and factors out the destination processing time and adds time-stamps to the sent packets. This feature allows the calculation of unidirectional packet loss, latency, and jitter measurements with the kind of accuracy that is not possible with ping or other dedicated probe testing.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/46sg/configuration/guide/Wrapper-46SG/swipsla.pdf

47. Which statement explains why Type 1 hypervisor is considered more efficient than Type2 hypervisor?

  • A. Type 1 hypervisor is the only type of hypervisor that supports hardware acceleration techniques.
  • B. Type 1 hypervisor relies on the existing OS of the host machine to access CPU, memory, storage, and network resources.
  • C. Type 1 hypervisor runs directly on the physical hardware of the host machine without relying on the underlying OS.
  • D. Type 1 hypervisor enables other operating systems to run on it.

Correct Answer: C

Explanation: There are two types of hypervisors: type 1 and type 2 hypervisor.
In type 1 hypervisor (or native hypervisor), the hypervisor is installed directly on the physical server.
Then instances of an operating system (OS) are installed on the hypervisor. Type 1 hypervisor has direct access to the hardware resources. Therefore they are more efficient than hosted architectures.
Some examples of type 1 hypervisor are VMware vSphere/ESXi, Oracle VM Server, KVM and Microsoft Hyper-V.
In contrast to type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of an operating system and not the physical hardware directly. answer ‘Type 1 hypervisor runs directly on the physical hardware of the host machine without relying on the underlying OS’ big advantage of Type 2 hypervisors is that management console software is not required. Examples of type 2 hypervisor are VMware Workstation (which can run on Windows, Mac and Linux) or Microsoft Virtual PC (only runs on Windows).

48. A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web servers. Which statement allows this traffic?

  • A. permit tcp host 209.165.200.225 lt 80 host 209.165.201.25
  • B. permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
  • C. permit tcp host 209.165.200.225 eq 80 host 209.165.201.25
  • D. permit tcp host 209.165.200.225 host 209.165.201.25 eq 80

Correct Answer: C

49. In OSPF, which LSA type is responsible for pointing to the ASBR router?

  • A. type 1
  • B. type 2
  • C. type 3
  • D. type 4

Correct Answer: D

Explanation: Summary ASBR LSA (Type 4) – Generated by the ABR to describe an ASBR to routers in other areas so that routers in other areas know how to get to external routes through that ASBR. For example, suppose R8 is redistributing external route (EIGRP, RIP…) to R3. This makes R3 an Autonomous System Boundary Router (ASBR). When R2 (which is an ABR) receives this LSA Type 1 update, R2 will create LSA Type 4 and flood into Area 0 to inform them how to reach R3. When R5 receives this LSA it also floods into Area 2.
In the above example, the only ASBR belongs to area 1 so the two ABRs (R2 & R5) send LSA Type 4 to area 0 & area 2 (not vice versa). This is an indication of the existence of the ASBR in area 1.
Note:
+ Type 4 LSAs contain the router ID of the ASBR.
+ There are no LSA Type 4 injected into Area 1 because every router inside area 1 knows how to reach R3. R3 only uses LSA Type 1 to inform R2 about R8 and inform R2 that R3 is an ASBR.

50. Refer to the exhibit.

VLANs 50 and 60 exist on the trunk links between all switches. All access ports on SW3 are configured for VLAN 50 and SW1 is the VTP server. Which command ensures that SW3 receives frames only from VLAN 50?

  • A. SW1(config)#vtp mode transparent
  • B. SW3(config)#vtp mode transparent
  • C. SW2(config)#vtp pruning
  • D. SW1(config)#vtp pruning

Correct Answer: D

Explanation: SW3 does not have VLAN 60 so it should not receive traffic for this VLAN (sent from SW2).
Therefore we should configure VTP Pruning on SW3 so that SW2 does not forward VLAN 60 traffic to SW3. Also notice that we need to configure pruning on SW1 (the VTP Server), not SW2.
Reference: https://www.orbit-computer-solutions.com/vtp-pruning/

51. Which statement about a fabric access point is true?

  • A. It is in local mode and must be connected directly to the fabric edge switch.
  • B. It is in local mode and must be connected directly to the fabric border node
  • C. It is in FlexConnect mode and must be connected directly to the fabric border node.
  • D. It is in FlexConnect mode and must be connected directly to the fabric edge switch.

Correct Answer: A

Explanation: Fabric mode APs continue to support the same wireless media services that traditional APs support; apply AVC, quality of service (QoS), and other wireless policies; and establish the CAPWAP control plane to the fabric WLC. Fabric APs join as local-mode APs and must be directly connected to the fabric edge node switch to enable fabric registration events, including RLOC assignment via the fabric WLC. The fabric edge nodes use CDP to recognize APs as special wired hosts, applying special port configurations and assigning the APs to a unique overlay network within a common EID space across a fabric. The assignment allows management simplification by using a single subnet to cover the AP infrastructure at a fabric site.
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-sdg-2019oct.html

52. Which First Hop Redundancy Protocol maximizes uplink utilization and minimizes the amount of configuration that is necessary?

  • A. GLBP
  • B. HSRP v2
  • C. VRRP
  • D. HSRP v1

Correct Answer: A

53. Which standard access control entry permits traffic from odd-numbered hosts in the 10.0.0.0/24 subnet?

  • A. permit 10.0.0.0 0.0.0.1
  • B. permit 10.0.0.1 0.0.0.254
  • C. permit 10.0.0.1 0.0.0.0
  • D. permit 10.0.0.0 255.255.255.254

Correct Answer: B

Explanation: Remember, for the wildcard mask, 1s are I DON’T CARE, and 0s are I CARE. So now let’s analyze a simple ACL:
access-list 1 permit 172.23.16.0 0.0.15.255
Two first octets are all 0’s meaning that we care about the network .x.x. The third octet of the wildcard mask, 15 (0000 1111 in binary), means that we care about first 4 bits but don’t care about last 4 bits so we allow the third octet in the form of 0001xxxx (minimum:00010000 = 16; maximum: 0001111 = 31).

The fourth octet is 255 (all 1 bits) that means I don’t care.
Therefore network 172.23.16.0 0.0.15.255 ranges from 172.23.16.0 to 172.23.31.255.
Now let’s consider the wildcard mask of 0.0.0.254 (four octet: 254 = 1111 1110) which means we only care the last bit. Therefore if the last bit of the IP address is a “1” (0000 0001) then only odd numbers are allowed. If the last bit of the IP address is a “0” (0000 0000) then only even numbers are allowed.
Note: In binary, odd numbers are always end with a “1” while even numbers are always end with a “0”.
Therefore in this question, only the statement “permit 10.0.0.1 0.0.0.254” will allow all oddnumbered hosts in the 10.0.0.0/24 subnet.

54. Refer to the exhibit.Which configuration establishes EBGP connected neighborship between these two directly connected neighbors and exchanges the loopback network of the two routers through BGP?

A. R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.10.2 remote-as 2
R1(config-router)#network 10.1.1.0 mask 255.255.255.0
R2(config)#router bgp 2
R2(config-router)#neighbor 192.168.10.1 remote-as 1
R2(config-router)#network 10.2.2.0 mask 255.255.255.0

B. R1(config)#router bgp 1
R1(config-router)#neighbor 10.2.2.2 remote-as 2
R1(config-router)#network 10.1.1.0 mask 255.255.255.0
R2(config)#router bgp 2
R2(config-router)#neighbor 10.1.1.1 remote-as 1
R2(config-router)#network 10.2.2.0 mask 255.255.255.0

C. R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.10.2 remote-as 2
R1(config-router)#network 10.0.0.0 mask 255.0.0.0
R2(config)#router bgp 2
R2(config-router)#neighbor 192.168.10.1 remote-as 1
R2(config-router)#network 10.0.0.0 mask 255.0.0.0

D. R1(config)#router bgp 1
R1(config-router)#neighbor 10.2.2.2 remote-as 2
R1(config-router)#neighbor 10.2.2.2 update-source |o0
R1(config-router)#network 10.1.1.0 mask 255.255.255.0
R2(config)#router bgp 2R2(config-router)#neighbor 10.1.1.1 remote-as 1
R2(config-router)#neighbor 10.1.1.1 update-source |o0
R2(config-router)#network 10.2.2.0 mask 255.255.255.0

Correct Answer: A

Explanation: With BGP, we must advertise the correct network and subnet mask in the “network” command (in this case network 10.1.1.0/24 on R1 and network 10.2.2.0/24 on R2). BGP is very strict in the routing advertisements. In other words, BGP only advertises the network which exists exactly in the routing table. In this case, if you put the command “network x.x.0.0 mask 255.255.0.0” or “network x.0.0.0 mask 255.0.0.0” or “network x.x.x.x mask 255.255.255.255” then BGP will not advertise anything.
It is easy to establish eBGP neighborship via the direct link. But let’s see what are required when we want to establish eBGP neighborship via their loopback interfaces. We will need two commands:
+ the command “neighbor 10.1.1.1 ebgp-multihop 2” on R1 and “neighbor 10.2.2.2 ebgpmultihop 2” on R1. This command increases the TTL value to 2 so that BGP updates can reach the BGP neighbor which is two hops away.
+ Answer ‘R1 (config) #router bgp 1
R1 (config-router) #neighbor 192.168.10.2 remote-as 2
R1 (config-router) #network 10.1.1.0 mask 255.255.255.0
R2 (config) #router bgp 2
R2 (config-router) #neighbor 192.168.10.1 remote-as 1
R2 (config-router) #network 10.2.2.0 mask 255.255.255.0
Quick Wireless Summary
Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight
+ Autonomous: self-sufficient and standalone. Used for small wireless networks.
+ Lightweight: A Cisco lightweight AP (LAP) has to join a Wireless LAN Controller (WLC) to function.
LAP and WLC communicate with each other via a logical pair of CAPWAP tunnels.
– Control and Provisioning for Wireless Access Point (CAPWAP) is an IETF standard for control messaging for setup, authentication and operations between APs and WLCs. CAPWAP is similar to LWAPP except the following differences:
+CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between APs and controllers. LWAPP uses AES.
+ CAPWAP has a dynamic maximum transmission unit (MTU) discovery mechanism.
+ CAPWAP runs on UDP ports 5246 (control messages) and 5247 (data messages) An LAP operates in one of six different modes:
+ Local mode (default mode): measures noise floor and interference, and scans for intrusion detection (IDS) events every 180 seconds on unused channels
+ FlexConnect, formerly known as Hybrid Remote Edge AP (H-REAP), mode: allows data traffic to be switched locally and not go back to the controller. The FlexConnect AP can perform standalone client authentication and switch VLAN traffic locally even when it’s disconnected to the WLC (Local Switched). FlexConnect AP can also tunnel (via CAPWAP) both user wireless data and control traffic to a centralized WLC (Central Switched).
+ Monitor mode: does not handle data traffic between clients and the infrastructure. It acts like a sensor for location-based services (LBS), rogue AP detection, and IDS
+ Rogue detector mode: monitor for rogue APs. It does not handle data at all.
+ Sniffer mode: run as a sniffer and captures and forwards all the packets on a particular channel to a remote machine where you can use protocol analysis tool (Wireshark, Airopeek, etc) to review the packets and diagnose issues. Strictly used for troubleshooting purposes.
+ Bridge mode: bridge together the WLAN and the wired infrastructure together. Mobility Express is the ability to use an access point (AP) as a controller instead of a real WLAN controller. But this solution is only suitable for small to midsize, or multi-site branch locations where you might not want to invest in a dedicated WLC. A Mobility Express WLC can support up to 100 Aps.

55. Refer to the exhibit. Which type of antenna do the radiation patterns present?

  • A. Yagi
  • B. patch
  • C. omnidirectional
  • D. dipole

Correct Answer: B

56. Which method creates an EEM applet policy that is registered with EEM and runs on demand or manually?

  • A. event manager applet ondemand event none action 1.0 syslog priority critical msg ‘This is a message from ondemand’
  • B. event manager applet ondemand action 1.0 syslog priority critical msg ‘This is a message from ondemand’
  • C. event manager applet ondemand event register action 1.0 syslog priority critical msg ‘This is a message from ondemand’
  • D. event manager applet ondemand event manual action 1.0 syslog priority critical msg ‘This is a message from ondemand’

Correct Answer: A

Explanation: An EEM policy is an entity that defines an event and the actions to be taken when that event occurs. There are two types of EEM policies: an applet or a script. An applet is a simple form of policy that is defined within the CLI configuration. answer ‘event manager applet ondemand event register action 1.0 syslog priority critical msg ‘This is a message from ondemand’
<=”” p=”” style=”box-sizing: border-box;”>
There are two ways to manually run an EEM policy. EEM usually schedules and runs policies on the basis of an event specification that is contained within the policy itself. The event none command allows EEM to identify an EEM policy that can be manually triggered. To run the policy, use either the action policy command in applet configuration mode or the event manager run command in privileged EXEC mode.

57. An engineer is configuring local web authentication on a WLAN. The engineer chooses the Authentication radio button under the Layer 3 Security options for Web Policy. Which device presents the web authentication for the WLAN?

  • A. ISE server
  • B. RADIUS server
  • C. anchor WLC
  • D. local WLC

Correct Answer: D

58. Which controller is the single plane of management for Cisco SD-WAN?

  • A. vBond
  • B. vSmart
  • C. vManage
  • D. vEdge

Correct Answer: C

Explanation: The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).
+ vManage – This centralized network management system provides a GUI interface to easily monitor, configure, and maintain all Cisco SD-WAN devices and links in the underlay and overlay network.
+ vSmart controller – This software-based component is responsible for the centralized control plane of the SD-WAN network. It establishes a secure connection to each vEdge router and distributes routes and policy information via the Overlay Management Protocol (OMP), acting as a route reflector. It also orchestrates the secure data plane connectivity between the vEdge routers by distributing crypto key information, allowing for a very scalable, IKE-less architecture.
+ vBond orchestrator – This software-based component performs the initial authentication of vEdge devices and orchestrates vSmart and vEdge connectivity. It also has an important role in enabling the communication of devices that sit behind Network Address Translation (NAT).
+ vEdge router – This device, available as either a hardware appliance or software-based router, sits at a physical site or in the cloud and provides secure data plane connectivity among the sites over one or more WAN transports. It is responsible for traffic forwarding, security, encryption, Quality of Service (QoS), routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), and more.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Design-2018OCT.pdf

59. A network is being migrated from IPv4 to IPv6 using a dual-stack approach. Network management is already 100% IPv6 enabled.
In a dual-stack network with two dual-stack NetFlow collectors, how many flow exporters are needed per network device in the flexible NetFlow configuration?

  • A. 1
  • B. 2
  • C. 4
  • D. 8

Correct Answer: B

60. Which statement about TLS is true when using RESTCONF to write configurations on network devices?

  • A. It is used for HTTP and HTTPS requests.
  • B. It requires certificates for authentication.
  • C. It is provided using NGINX acting as a proxy web server.
  • D. It is not supported on Cisco devices.

Correct Answer: C

Explanation: When a device boots up with the startup configuration, the nginx process will be running. NGINX is an internal webserver that acts as a proxy webserver. It provides Transport Layer Security (TLS)-based HTTPS. RESTCONF request sent via HTTPS is first received by the NGINX proxy web server, and the request is transferred to the confd web server for further syntax/semantics check.

61. Which reason could cause an OSPF neighborship to be in the EXSTART/EXCHANGE state?

  • A. mismatched OSPF link costs
  • B. mismatched OSPF network type
  • C. mismatched areas
  • D. mismatched MTU size

Correct Answer: D

Explanation:

When OSPF adjacency is formed, a router goes through several state changes before it becomes fully adjacent with its neighbor. The states are Down -> Attempt (optional) -> Init -> 2-Way -> Exstart -> Exchange -> Loading -> Full. Short descriptions about these states are listed below:
Down: no information (hellos) has been received from this neighbor.
Attempt: only valid for manually configured neighbors in an NBMA environment. In Attempt state, the router sends unicast hello packets every poll interval to the neighbor, from which hellos have not been received within the dead interval.
Init: specifies that the router has received a hello packet from its neighbor, but the receiving router’s ID was not included in the hello packet
2-Way: indicates bi-directional communication has been established between two routers.
Exstart: Once the DR and BDR are elected, the actual process of exchanging link state information can start between the routers and their DR and BDR.
Exchange: OSPF routers exchange database descriptor (DBD) packets
Loading: In this state, the actual exchange of link state information occurs Full: routers are fully adjacent with each other (Reference:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f0e.s html)
Neighbors Stuck in Exstart/Exchange State the problem occurs most frequently when attempting to run OSPF between a Cisco router and another vendor’s router. The problem occurs when the maximum transmission unit (MTU) settings for neighboring router interfaces don’t match. If the router with the higher MTU sends a packet larger that the MTU set on the neighboring router, the neighboring router ignores the packet.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/166/b_166_programmability_cg/b_166_programmability_cg_chapter_01011.html

62. Which LISP device is responsible for publishing EID-to-RLOC mappings for a site?

  • A. ETR
  • B. MR
  • C. ITR
  • D. MS

Correct Answer: A

Explanation:

An Egress Tunnel Router (ETR) connects a site to the LISP-capable part of a core network (such as the Internet), publishes EID-to-RLOC mappings for the site, responds to Map-Request messages, and decapsulates and delivers LISP-encapsulated user data to end systems at the site.
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/locator-id-separation-protocol-lisp/white_paper_c11-652502.html

63. Which method does the enable secret password option use to encrypt device passwords?

  • A. MD5
  • B. PAP
  • C. CHAP
  • D. AES

Correct Answer: A

64. Which statement about agent-based versus agentless configuration management tools is true?

  • A. Agentless tools use proxy nodes to interface with slave nodes.
  • B. Agentless tools require no messaging systems between master and slaves.
  • C. Agent-based tools do not require a high-level language interpreter such as Python or Ruby on slave nodes.
  • D. Agent-based tools do not require installation of additional software packages on the slave nodes.

Correct Answer: B

65. Which statement about Cisco Express Forwarding is true?

  • A. The CPU of a router becomes directly involved with packet switching decisions.
  • B. It uses a fast cache that is maintained in a router data plane.
  • C. It maintains two tables in the data plane: the FIB and adjacency table.
  • D. It makes forwarding decisions by a process that is scheduled through the IOS scheduler.

Correct Answer: C

Explanation: Cisco Express Forwarding (CEF) provides the ability to switch packets through a device in a very quick and efficient way while also keeping the load on the router’s processor low. CEF is made up of two different main components: the Forwarding Information Base (FIB) and the Adjacency Table. These are automatically updated at the same time as the routing table.
The Forwarding Information Base (FIB) contains destination reachability information as well as next hop information. This information is then used by the router to make forwarding decisions.
The FIB allows for very efficient and easy lookups. Below is an example of the FIB table:

The adjacency table is tasked with maintaining the layer 2 next-hop information for the FIB. An example of the adjacency table is shown below:

It uses a fast cache that is maintained in a router data plane’ fast cache is only used when fast switching is enabled while CEF is disabled.

66. Refer to the exhibit. What are two effects of this configuration? (Choose two.)

  • A. It establishes a one-to-one NAT translation.
  • B. The 209.165.201.0/27 subnet is assigned as the outside local address range.
  • C. The 10.1.1.0/27 subnet is assigned as the inside local addresses.
  • D. Inside source addresses are translated to the 209.165.201.0/27 subnet.
  • E. The 10.1.1.0/27 subnet is assigned as the inside global address range.

Correct Answer: CD

67. When configuring WPA2 Enterprise on a WLAN, which additional security component configuration is required?

  • A. PKI server
  • B. NTP server
  • C. RADIUS server
  • D. TACACS server

Correct Answer: C

68. What is the structure of a JSON web token?

  • A. three parts separated by dots: header, payload, and signature
  • B. three parts separated by dots: version, header, and signature
  • C. header and payload
  • D. payload and signature

Correct Answer: A

Explanation: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
JSON Web Tokens are composed of three parts, separated by a dot (.): Header, Payload, Signature.
Therefore, a JWT typically looks like the following:
xxxxx.yyyyy.zzzzz
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data.
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
Reference: https://auth0.com/docs/tokens/references/jwt-structure

69. A response code of 404 is received while using the REST API on Cisco DNA Center to POST to this URI:
/dna/intent/api/v1/template-programmer/project

What does the code mean?

  • A. The POST/PUT request was fulfilled and a new resource was created. Information about the resource is in the response body.
  • B. The request was accepted for processing, but the processing was not completed.
  • C. The client made a request for a resource that does not exist.
  • D. The server has not implemented the functionality that is needed to fulfill the request.

Correct Answer: C

Explanation: The 404 (Not Found) error status code indicates that the REST API can’t map the client’s URI to a resource but may be available in the future. Subsequent requests by the client are permissible.

70. What is a benefit of deploying an on-premises infrastructure versus a cloud infrastructure deployment?

  • A. ability to quickly increase compute power without the need to install additional hardware
  • B. less power and coding resources needed to run infrastructure on-premises
  • C. faster deployment times because additional infrastructure does not need to be purchased
  • D. lower latency between systems that are physically located near each other

Correct Answer: D

Explanation: The difference between on-premise and cloud is essentially where this hardware and software resides. On-premise means that a company keeps all of this IT environment onsite either managed by themselves or a third-party. Cloud means that it is housed offsite with someone else responsible for monitoring and maintaining it.

71. A customer has several small branches and wants to deploy a Wi-Fi solution with local management using CAPWAP. Which deployment model meets this requirement?

  • A. local mode
  • B. autonomous
  • C. SD-Access wireless
  • D. Mobility Express

Correct Answer: A

72. Which two operations are valid for RESTCONF? (Choose two.)

  • A. PULL
  • B. PUSH
  • C. PATCH
  • D. REMOVE
  • E. ADD
  • F. HEAD

Correct Answer: CF

73. Refer to the exhibit. The WLC administrator sees that the controller to which a roaming client associates has Mobility Role Anchor configured under Clients > Detail.
Which type of roaming is supported?

  • A. indirect
  • B. Layer 3 intercontroller
  • C. intracontroller
  • D. Layer 2 intercontroller

Correct Answer: B

74. In which part of the HTTP message is the content type specified?

  • A. HTTP method
  • B. body
  • C. header
  • D. URI

Correct Answer: C

75. Which statement about VXLAN is true?

  • A. VXLAN encapsulates a Layer 2 frame in an IP-UDP header, which allows Layer 2 adjacency across router boundaries.
  • B. VXLAN uses the Spanning Tree Protocol for loop prevention.
  • C. VXLAN extends the Layer 2 Segment ID field to 24-bits, which allows up to 4094 unique Layer 2 segments over the same network.
  • D. VXLAN uses TCP as the transport protocol over the physical data center network.

Correct Answer: A

Explanation: 802.1Q VLAN identifier space is only 12 bits. The VXLAN identifier space is 24 bits. This doubling in size allows the VXLAN ID space to support 16 million Layer 2 segments -> Answer ‘VXLAN extends the Layer 2 Segment ID field to 24-bits, which allows up to 4094 unique Layer 2 segments over the same network’ is not correct.
VXLAN is a MAC-in-UDP encapsulation method that is used in order to extend a Layer 2 or Layer 3 overlay network over a Layer 3 infrastructure that already exists.

76. Which statement about Cisco EAP-FAST is true?

  • A. It requires a client certificate.
  • B. It is an IETF standard.
  • C. It does not require a RADIUS server certificate.
  • D. It operates in transparent mode.

Correct Answer: C

77. What do Cisco DNA southbound APIs provide?

  • A. interface between the controller and the consumer
  • B. RESTful API interface for orchestrator communication
  • C. interface between the controller and the network devices
  • D. NETCONF API interface for orchestrator communication

Correct Answer: C

Explanation: The Southbound API is used to communicate with network devices.

78. Which DNS lookup does an access point perform when attempting CAPWAP discovery?

  • A. CISCO-CONTROLLER.local
  • B. CAPWAP-CONTROLLER.local
  • C. CISCO-CAPWAP-CONTROLLER.local
  • D. CISCO-DNA-CONTROLLER.local

Correct Answer: C

79. Which TCP setting is tuned to minimize the risk of fragmentation on a GRE/IP tunnel?

  • A. MSS
  • B. MTU
  • C. MRU
  • D. window size

Correct Answer: A

Explanation: The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not handle the case where there is a smaller MTU link in the middle between these two endpoints. PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet’s source to its destination.

80. Which statement about an RSPAN session configuration is true?

  • A. Only one session can be configured at a time.
  • B. A special VLAN type must be used as the RSPAN destination.
  • C. A filter must be configured for RSPAN sessions.
  • D. Only incoming traffic can be monitored.

Correct Answer: B

Explanation: in all participating switches -> This VLAN can be considered a special VLAN type -> Answer ‘A special VLAN type must be used as the RSPAN destination’ is correct.

81. Refer to the exhibit.

An engineer must modify the access control list EGRESS to allow all IP traffic from subnet 10.1.10.0/24 to 10.1.2.0/24. The access control list is applied in the outbound direction on router interface GigabitEthernet 0/1.
Which configuration commands can the engineer use to allow this traffic without disrupting existing traffic flows?

A.

B.

C.

D.

Correct Answer: D

82. What is the role of a fusion router in an SD-Access solution?

  • A. acts as a DNS server
  • B. provides additional forwarding capacity to the fabric
  • C. performs route leaking between user-defined virtual networks and shared services
  • D. provides connectivity to external networks

Correct Answer: C

Explanation: Today the Dynamic Network Architecture Software Defined Access (DNA-SDA) solution requires a fusion router to perform VRF route leaking between user VRFs and Shared-Services, which may be in the Global routing table (GRT) or another VRF. Shared Services may consist of DHCP, Domain Name System (DNS), Network Time Protocol (NTP), Wireless LAN Controller (WLC), Identity Services Engine (ISE), DNAC components which must be made available to other virtual networks (VN’s) in the Campus.

Reference: https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/213525-sda-steps-to-configure-fusion-router.html#anc1

83. Refer to the exhibit.

A port channel is configured between SW2 and SW3. SW2 is not running a Cisco operating system. When all physical connections are made, the port channel does not establish. Based on the configuration except of SW3, what is the cause of the problem?

  • A. The port-channel mode should be set to auto.
  • B. The port channel on SW2 is using an incompatible protocol.
  • C. The port-channel trunk is not allowing the native VLAN.
  • D. The port-channel interface load balance should be set to src-mac.

Correct Answer: B

Explanation: The Cisco switch was configured with PAgP, which is a Cisco proprietary protocol so non-Cisco switch could not communicate.

84. What does this EEM applet event accomplish?
“event snmp oid 1.3.6.1.3.7.0.9.5.3.1.2.9 get-type next entry-op gt entry-val 75 poll-interval 5”

  • A. Upon the value reaching 75%, a SNMP event is generated and sent to the trap server.
  • B. It reads an SNMP variable, and when the value exceeds 75%, it triggers an action.
  • C. It issues email when the value is greater than 75% for five polling cycles.
  • D. It presents a SNMP variable that can be interrogated.

Correct Answer: B

Explanation: EEM offers the ability to monitor events and take informational or corrective action when the monitored events occur or reach a threshold. An EEM policy is an entity that defines an event and the actions to be taken when that event occurs. There are two types of EEM policies: an applet or a script. An applet is a simple form of policy that is defined within the CLI configuration.
To specify the event criteria for an Embedded Event Manager (EEM) applet that is run by sampling Simple Network Management Protocol (SNMP) object identifier values, use the event snmp command in applet configuration mode.
event snmp oid oid-value get-type {exact | next} entry-op operator entry-val entryvalue
[exit-comb {or | and}] [exit-op operator] [exit-val exit-value] [exit-time exit-timevalue] poll-interval poll-int-value
+ oid: Specifies the SNMP object identifier (object ID)
+ get-type: Specifies the type of SNMP get operation to be applied to the object ID specified by the oid-value argument.
– next – Retrieves the object ID that is the alphanumeric successor to the object ID specified by the oid-value argument.
+ entry-op: Compares the contents of the current object ID with the entry value using the specified operator. If there is a match, an event is triggered and event monitoring is disabled until the exit criteria are met.
+ entry-val: Specifies the value with which the contents of the current object ID are compared to decide if an SNMP event should be raised.
+ exit-op: Compares the contents of the current object ID with the exit value using the specified operator. If there is a match, an event is triggered and event monitoring is reenabled.
+ poll-interval: Specifies the time interval between consecutive polls (in seconds)

85. Which method displays text directly into the active console with a synchronous EEM applet policy?

  • A. event manager applet boom
    event syslog pattern ‘UP’
    action 1.0 syslog priority direct msg ‘logging directly to console’
  • B. event manager applet boom
    event syslog pattern ‘UP’
    action 1.0 gets ‘logging directly to console’
  • C. event manager applet boom
    event syslog pattern ‘UP’
    action 1.0 string ‘logging directly to console’
  • D. event manager applet boom
    event syslog pattern ‘UP’
    action 1.0 puts ‘logging directly to console’

Correct Answer: B

86. Which two GRE features are configured to prevent fragmentation? (Choose two.)

  • A. TCP window size
  • B. IP MTU
  • C. TCP MSS
  • D. DF bit clear
  • E. MTU ignore

Correct Answer: BC

87. Which action is the vSmart controller responsible for in an SD-WAN deployment?

  • A. onboard vEdge nodes into the SD-WAN fabric
  • B. gather telemetry data from vEdge routers
  • C. distribute security information for tunnel establishment between vEdge routers
  • D. manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric

Correct Answer: C

Explanation:

+ Orchestration plane (vBond) assists in securely onboarding the SD-WAN WAN Edge routers into the SD-WAN overlay (-> Therefore answer “onboard vEdge nodes into the SD-WAN fabric” mentioned about vBond). The vBond controller, or orchestrator, authenticates and authorizes the SD-WAN components onto the network. The vBond orchestrator takes an added responsibility to distribute the list of vSmart and vManage controller information to the WAN Edge routers. vBond is the only device in SD-WAN that requires a public IP address as it is the first point of contact and authentication for all SD-WAN components to join the SD-WAN fabric. All other components need to know the vBond IP or DNS information.
+ Management plane (vManage) is responsible for central configuration and monitoring. The vManage controller is the centralized network management system that provides a single pane of glass GUI interface to easily deploy, configure, monitor and troubleshoot all Cisco SD-WAN components in the network. (-> Answer “manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric” and answer “gather telemetry data from vEdge routers” are about vManage)
+ Control plane (vSmart) builds and maintains the network topology and make decisions on the traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies and distributes data plane policies to network devices for enforcement (-> Answer “distribute security information for tunnel establishment between vEdge routers” is about vSmart)

88. Which description of an SD-access wireless network infrastructure deployment is true?

  • A. The access point is part of the fabric overlay.
  • B. The wireless client is part of the fabric overlay.
  • C. The access point is part of the fabric underlay.
  • D. The WLC is part of the fabric underlay.

Correct Answer: A

Explanation: Access Points
+ AP is directly connected to FE (or to an extended node switch)
+ AP is part of Fabric overlay

89. Which feature is supported by EIGRP but is not supported by OSPF?

  • A. route filtering
  • B. unequal-cost load balancing
  • C. route summarization
  • D. equal-cost load balancing

Correct Answer: B

90. What is the correct EBGP path attribute list, ordered from most preferred to least preferred, that the BGP best-path algorithm uses?

  • A. local preference, weight, AS path, MED
  • B. weight, local preference, AS path, MED
  • C. weight, AS path, local preference, MED
  • D. local preference, weight, MED, AS path

Correct Answer: B

Explanation: Path Selection Attributes: Weight > Local Preference > Originate > AS Path > Origin > MED > External > IGP Cost > eBGP Peering > Router ID

91. At which layer does Cisco DNA Center support REST controls?

  • A. session layer
  • B. northbound APIs
  • C. EEM applets or scripts
  • D. YAML output from responses to API calls

Correct Answer: B

92. On which protocol or technology is the fabric data plane based in Cisco SD-Access fabric?

  • A. VXLAN
  • B. LISP
  • C. Cisco TrustSec
  • D. IS-IS

Correct Answer: A

Explanation: The tunneling technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN). VXLAN encapsulation is UDP based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric. Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not. Using VXLAN allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) and the ability to operate over any IP-based network with built-in network segmentation (VRF instance/VN) and built-in group-based policy.

93. What is the difference between the enable password and the enable secret password when service password encryption is enabled on an IOS device?

  • A. The enable secret password is protected via stronger cryptography mechanisms.
  • B. The enable password cannot be decrypted.
  • C. The enable password is encrypted with a stronger encryption method.
  • D. There is no difference and both passwords are encrypted identically.

Correct Answer: A

Explanation: The “enable secret” password is always encrypted (independent of the “service passwordencryption” command) using MD5 hash algorithm. The “enable password” does not encrypt the password and can be view in clear text in the running-config. In order to encrypt the “enable password”, use the “service password-encryption” command. This command will encrypt the passwords by using the Vigenere encryption algorithm. Unfortunately, the Vigenere encryption method is cryptographically weak and trivial to reverse.
The MD5 hash is a stronger algorithm than Vigenere so answer ‘The enable secret password is protected via stronger cryptography mechanisms’ is correct.

94. Which access controls list allows only TCP traffic with a destination port range of 22-443, excluding port 80?

  • A. deny tcp any any eq 80
    permit tcp any any gt 21 lt 444
  • B. permit tcp any any range 22 443
    deny tcp any any eq 80
  • C. permit tcp any any ne 80
  • D. deny tcp any any ne 80
    permit tcp any any range 22 443

Correct Answer: A

95. Which statement describes the IP and MAC allocation requirements for virtual machines on Type 1 hypervisors?

  • A. Virtual machines do not require a unique IP or unique MAC. They share the IP and MAC address of the physical server.
  • B. Each virtual machine requires a unique IP address but shares the MAC address with the physical server.
  • C. Each virtual machine requires a unique IP and MAC addresses to be able to reach to other nodes.
  • D. Each virtual machine requires a unique MAC address but shares the IP address with the physical server.

Correct Answer: C

Explanation: A virtual machine (VM) is a software emulation of a physical server with an operating system.
From an application’s point of view, the VM provides the look and feel of a real physical server, including all its components, such as CPU, memory, and network interface cards (NICs).
The virtualization software that creates VMs and performs the hardware abstraction that allows multiple VMs to run concurrently is known as a hypervisor.
There are two types of hypervisors: type 1 and type 2 hypervisor.
In type 1 hypervisor (or native hypervisor), the hypervisor is installed directly on the physical server.
Then instances of an operating system (OS) are installed on the hypervisor. Type 1 hypervisor has direct access to the hardware resources. Therefore they are more efficient than hosted architectures.
Some examples of type 1 hypervisor are VMware vSphere/ESXi, Oracle VM Server, KVM and
Microsoft Hyper-V.
In contrast to type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of an operating system and not the physical hardware directly. answer ‘Each virtual machine requires a unique IP and MAC addresses to be able to reach to other nodes’ big advantage of Type 2 hypervisors is that management console software is not required. Examples of type 2 hypervisor are VMware Workstation (which can run on Windows, Mac and Linux) or Microsoft Virtual PC (only runs on Windows).

96. A local router shows an EBGP neighbor in the Active state. Which statement is true about the local router?

  • A. The local router is attempting to open a TCP session with the neighboring router.
  • B. The local router is receiving prefixes from the neighboring router and adding them in RIB-IN.
  • C. The local router has active prefixes in the forwarding table from the neighboring router.
  • D. The local router has BGP passive mode configured for the neighboring router.

Correct Answer: A

Explanation: The BGP session may report in the following states
1 – Idle: the initial state of a BGP connection. In this state, the BGP speaker is waiting for a BGP start event, generally either the establishment of a TCP connection or the re-establishment of a previous connection. Once the connection is established, BGP moves to the next state.
2 – Connect: In this state, BGP is waiting for the TCP connection to be formed. If the TCP connection completes, BGP will move to the Open Sent stage; if the connection cannot complete, BGP goes to Active
3 – Active: In the Active state, the BGP speaker is attempting to initiate a TCP session with the BGP speaker it wants to peer with. If this can be done, the BGP state goes to Open Sent state.
4 – Open Sent: the BGP speaker is waiting to receive an OPEN message from the remote BGP speaker
5 – Open Confirm: Once the BGP speaker receives the OPEN message and no error is detected, the BGP speaker sends a KEEPALIVE message to the remote BGP speaker
6 – Established: All of the neighbor negotiations are complete. You will see a number, which tells us the number of prefixes the router has received from a neighbor or peer group.

97. Which feature must be configured to allow packet capture over Layer 3 infrastructure?

  • A. RSPAN
  • B. ERSPAN
  • C. VSPAN
  • D. IPSPAN

Correct Answer: B

Explanation:

Encapsulated remote SPAN (ERSPAN): encapsulated Remote SPAN (ERSPAN), as the name says, brings generic routing encapsulation (GRE) for all captured traffic and allows it to be extended across Layer 3 domains.
Reference: https://community.cisco.com/t5/networking-documents/understanding-span-rspan-and-erspan/ta-p/3144951

98. Witch two actions provide controlled Layer 2 network connectivity between virtual machines running on the same hypervisor? (Choose two.)

  • A. Use a single trunk link to an external Layer2 switch.
  • B. Use a virtual switch provided by the hypervisor.
  • C. Use a virtual switch running as a separate virtual machine.
  • D. Use a single routed link to an external router on stick.
  • E. Use VXLAN fabric after installing VXLAN tunneling drivers on the virtual machines.

Correct Answer: BD

99. What is calculated using the numerical values of the transmitter power level, cable loss, and antenna gain?

  • A. EIRP
  • B. dBi
  • C. RSSI
  • D. SNR

Correct Answer: A

Explanation: Once you know the complete combination of transmitter power level, the length of cable, and the antenna gain, you can figure out the actual power level that will be radiated from the antenna. This is known as the effective isotropic radiated power (EIRP), measured in dBm. EIRP is a very important parameter because it is regulated by governmental agencies in most countries. In those cases, a system cannot radiate signals higher than a maximum allowable EIRP. To find the EIRP of a system, simply add the transmitter power level to the antenna gain and subtract the cable loss.

EIRP = Tx Power – Tx Cable + Tx Antenna
Suppose a transmitter is configured for a power level of 10 dBm (10 mW). answer ‘SNR’ cable with 5-dB loss connects the transmitter to an antenna with an 8-dBi gain. The resulting EIRP of the system is 10 dBm – 5 dB + 8 dBi, or 13 dBm.

You might notice that the EIRP is made up of decibel-milliwatt (dBm), dB relative to an isotropic antenna (dBi), and decibel (dB) values. Even though the units appear to be differrent, you can safely combine them because they are all in the dB “domain”.

Reference: CCNA Wireless 640-722 Official Cert Guide

100. Which type of antenna does the radiation pattern represent?

  • A. Yagi
  • B. multidirectional
  • C. directional patch
  • D. omnidirectional

Correct Answer: A

Explanation:

A Yagi antenna is formed by driving a simple antenna, typically a dipole or dipolelike antenna, and shaping the beam using a well-chosen series of non-driven elements whose length and spacing are tightly controlled.

https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/prod_white_paper0900aecd806a1a3e.htm

101. Refer to the exhibit.

SwitchC connects HR and Sales to the Core switch However, business needs require that no traffic from the Finance VLAN traverse this switch. Which command meets this requirement?

Correct Answer: D

Explanation: From the “show vlan brief” we learn that Finance belongs to VLAN 110 and all VLANs (from 1 to 1005) are allowed to traverse the trunk (port-channel 1). Therefore we have to remove VLAN 110 from the allowed VLAN list with the “switchport trunk allowed vlan remove ” command. The pruning feature cannot do this job as Finance VLAN is active.

102. Refer to the exhibit.Which HTTP JSON response does the python code output give?

  • A. NameError: name ‘json’ is not defined
  • B. KeyError ‘kickstart_ver_str’
  • C. 7.61
  • D. 7.0(3)I7(4)

Correct Answer: B

103. When a wired client connects to an edge switch in an SDA fabric, which component decides whether the client has access to the network?

  • A. control-plane node
  • B. Identity Service Engine
  • C. RADIUS server
  • D. edge node

Correct Answer: B

104. Refer to the exhibit.

An engineer must ensure that all traffic leaving AS 200 will choose Link 2 as the exit point. Assuming that all BGP neighbor relationships have been formed and that the attributes have not been changed on any of the routers, which configuration accomplish task?

  • A. R4(config-router)#bgp default local-preference 200
  • B. R3(config-router)#neighbor 10.1.1.1 weight 200
  • C. R3(config-router)#bgp default local-preference 200
  • D. R4(config-router)#neighbor 10.2.2.2 weight 200

Correct Answer: A

Explanation: Local preference is an indication to the AS about which path has preference to exit the AS in order to reach a certain network. A path with a higher local preference is preferred. The default value for local preference is 100.

Unlike the weight attribute, which is only relevant to the local router, local preference is an attribute that routers exchange in the same AS. The local preference is set with the “bgp default local-preference value” command.

In this case, both R3 & R4 have exit links but R4 has higher local-preference so R4 will be chosen as the preferred exit point from AS 200.

105. Which protocol infers that a YANG data model is being used?

  • A. SNMP
  • B. REST
  • C. RESTCONF
  • D. NX-API

Correct Answer: C

Explanation: YANG (Yet another Next Generation) is a data modeling language for the definition of data sent over network management protocols such as the NETCONF and RESTCONF.

106. Which configuration restricts the amount of SSH that a router accepts 100 kbps?

A.
class-map match-all CoPP_SSH
match access-group name CoPP_SSH
!
Policy-map CoPP_SSH
class CoPP_SSHpolice cir 100000
exceed-action drop
! ! !
Interface GigabitEthernet0/1
ip address 209.165.200.225 255.255.255.0
ip access-group CoPP_SSH out
duplex auto
speed auto
media-type rj45
service-policy input CoPP_SSH
!
ip access-list extended CoPP_SSH
permit tcp any any eq 22
!

B.
class-map match-all CoPP_SSH
match access-group name CoPP_SSH
!
Policy-map CoPP_SSH
class CoPP_SSH
police cir CoPP_SSH
exceed-action drop
!
Interface GigabitEthernet0/1
ip address 209.165.200.225 255.255.255.0
ip access-group … out
duplex auto
speed auto
media-type rj45
service-policy input CoPP_SSH
!
Ip access-list extended CoPP_SSH
deny tcp any any eq 22
!

C.
class-map match-all CoPP_SSH

match access-group name CoPP_SSH
!
Policy-map CoPP_SSH
class CoPP_SSH
police cir 100000
exceed-action drop
!Control-plane
service-policy input CoPP_SSH
!
Ip access-list extended CoPP_SSH
deny tcp any any eq 22
!

D.
class-map match-all CoPP_SSH
match access-group name CoPP_SSH
!
Policy-map CoPP_SSH
class CoPP_SSH
police cir 100000 exceed-action drop
!
Control-plane transit
service-policy input CoPP_SSH
!
Ip access-list extended CoPP_SSH
permit tcp any any eq 22
!

Correct Answer: C

Explanation: CoPP protects the route processor on network devices by treating route processor resources as a separate entity with its own ingress interface (and in some implementations, egress also). CoPP is used to police traffic that is destined to the route processor of the router such as:
+ routing protocols like OSPF, EIGRP, or BGP.
+ Gateway redundancy protocols like HSRP, VRRP, or GLBP.
+ Network management protocols like telnet, SSH, SNMP, or RADIUS.

Therefore we must apply the CoPP to deal with SSH because it is in the management plane. CoPP must be put under “control-plane” command.

107. What NTP stratum level is a server that is connected directly to an authoritative time source?

  • A. Stratum 0
  • B. Stratum 1
  • C. Stratum 14
  • D. Stratum 15

Correct Answer: B

Explanation: The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).
NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an authoritative time source. A stratum 1 time server typically has an authoritative time source (such as a radio or atomic clock, or a Global Positioning System (GPS) time source) directly attached, a stratum 2 time server receives its time via NTP from a stratum 1 time server, and so on.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/bsm/16-6-1/b-bsm-xe-16-6-1-asr920/bsm-time-calendar-set.html

108. How does QoS traffic shaping alleviate network congestion?

  • A. It drops packets when traffic exceeds a certain bitrate.
  • B. It buffers and queue packets above the committed rate.
  • C. It fragments large packets and queues them for delivery.
  • D. It drops packets randomly from lower priority queues.

Correct Answer: B

Explanation: Traffic shaping retains excess packets in a queue and then schedules the excess for later transmission over increments of time. The result of traffic shaping is a smoothed packet output rate.

109. An engineer is describing QoS to a client. Which two facts apply to traffic policing? (Choose two)

  • A. Policing adapts to network congestion by queuing excess traffic
  • B. Policing should be performed as close to the destination as possible
  • C. Policing drops traffic that exceeds the defined rate
  • D. Policing typically delays the traffic, rather than drops it
  • E. Policing should be performed as close to the source as possible

Correct Answer: CE

Explanation: Traffic policing propagates bursts. When the traffic rate reaches the configured maximum rate (or committed information rate), excess traffic is dropped (or remarked). The result is an output rate that appears as a saw-tooth with crests and troughs.
Unlike traffic shaping, traffic policing does not cause delay.
Classification (which includes traffic policing, traffic shaping and queuing techniques) should take place at the network edge. It is recommended that classification occur as close to the source of the traffic as possible.
Also according to this Cisco link, “policing traffic as close to the source as possible”.

110. What mechanism does PIM use to forward multicast traffic?

  • A. PIM sparse mode uses a pull model to deliver multicast traffic
  • B. PIM dense mode uses a pull model to deliver multicast traffic
  • C. PIM sparse mode uses receivers to register with the RP
  • D. PIM sparse mode uses a flood and prune model to deliver multicast traffic

Correct Answer: A

Explanation: PIM dense mode (PIM-DM) uses a push model to flood multicast traffic to every corner of the network. This push model is a brute-force method of delivering data to the receivers. This method would be efficient in certain deployments in which there are active receivers on every subnet in the network. PIM-DM initially floods multicast traffic throughout the network. Routers that have no downstream neighbors prune the unwanted traffic. This process repeats every 3 minutes.
PIM Sparse Mode (PIM-SM) uses a pull model to deliver multicast traffic. Only network segments with active receivers that have explicitly requested the data receive the traffic. PIM-SM distributes information about active sources by forwarding data packets on the shared tree. Because PIM-SM uses shared trees (at least initially), it requires the use of an RP. The RP must be administratively configured in the network.
Answer C seems to be correct but it is not, PIM spare mode uses sources (not receivers) to register with the RP. Sources register with the RP, and then data is forwarded down the shared tree to the receivers.

111. Which two namespaces does the LISP network architecture and protocol use? (Choose two)

  • A. TLOC
  • B. RLOC
  • C. DNS
  • D. VTEP
  • E. EID

Correct Answer: BE

Explanation: Locator ID Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
+ Endpoint identifiers (EIDs)—assigned to end hosts.
+ Routing locators (RLOCs)—assigned to devices (primarily routers) that make up the global routing system.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-overview.html

112. Which First Hop Redundancy Protocol should be used to meet a design requirements for more efficient default bandwidth usage across multiple devices?

  • A. GLBP
  • B. LCAP
  • C. HSRP
  • D. VRRP

Correct Answer: A

Explanation: The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the active gateway and used to forward traffic whilst the rest are unused until the active one fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol and performs the similar function to HSRP and VRRP but it supports load balancing among members in a GLBP group.

113. Refer to the exhibit.

A network engineer is configuring OSPF between router R1 and router R2. The engineer must ensure that a DR/BDR election does not occur on the Gigabit Ethernet interfaces in area 0. Which configuration set accomplishes this goal?

A. R1 (config-if) #interface Gi0/0
R1 (config-if) #ip ospf network point-to-point
R2 (config-if) #interface Gi0/0
R2 (config-if) #ip ospf network point-to-point

B. R1 (config-if) #interface Gi0/0
R1 (config-if) #ip ospf network broadcast
R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf network broadcast

C. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf database-filter all out
R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf database-filter all out

D. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf priority 1
R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf priority 1

Correct Answer: A

Explanation: Broadcast and Non-Broadcast networks elect DR/BDR while Point-to-point/multipoint do not elect DR/BDR. Therefore we have to set the two Gi0/0 interfaces to point-to-point or point-to-multipoint network to ensure that a DR/BDR election does not occur.

114. What are two reasons why broadcast radiation is caused in the virtual machine environment? (Choose two)

  • A. vSwitch must interrupt the server CPU to process the broadcast packet
  • B. The Layer 2 domain can be large in virtual machine environments
  • C. Virtual machines communicate primarily through broadcast mode
  • D. Communication between vSwitch and network switch is broadcast based
  • E. Communication between vSwitch and network switch is multicast based

Correct Answer: BC

Explanation: Broadcast radiation is the accumulation of broadcast and multicast traffic on a computer network.
Extreme amounts of broadcast traffic constitute a broadcast storm.
The amount of broadcast traffic you should see within a broadcast domain is directly proportional to the size of the broadcast domain. Therefore if the layer 2 domain in virtual machine environment is too large, broadcast radiation may occur -> VLANs should be used to reduce broadcast radiation.
Also if virtual machines communicate via broadcast too much, broadcast radiation may occur.
Another reason for broadcast radiation is using a trunk (to extend VLANs) from the network switch to the physical server.
Note about the structure of virtualization in a hypervisor:
Hypervisors provide virtual switch (vSwitch) that Virtual Machines (VMs) use to communicate with other VMs on the same host. The vSwitch may also be connected to the host’s physical NIC to allow VMs to get layer 2 access to the outside world.
Each VM is provided with a virtual NIC (vNIC) that is connected to the virtual switch. Multiple vNICs can connect to a single vSwitch, allowing VMs on a physical host to communicate with one another at layer 2 without having to go out to a physical switch.

Although vSwitch does not run Spanning-tree protocol but vSwitch implements other loop prevention mechanisms. For example, a frame that enters from one VMNIC is not going to go out of the physical host from a different VMNIC card.

115. A company plans to implement intent-based networking in its campus infrastructure. Which design facilities a migrate from a traditional campus design to a programmer fabric designer?

  • A. Layer 2 access
  • B. three-tier
  • C. two-tier
  • D. routed access

Correct Answer: C

Explanation: Intent-based Networking (IBN) transforms a hardware centric, manual network into a controller-led network that captures business intent and translates it into policies that can be automated and applied consistently across the network. The goal is for the network to continuously monitor and adjust network performance to help assure desired business outcomes. IBN builds on software-defined networking (SDN). SDN usually uses spine-leaf architecture, which is typically deployed as two layers: spines (such as an aggregation layer), and leaves (such as an access layer).

116. When a wireless client roams between two different wireless controllers, a network connectivity outage is experience for a period of time. Which configuration issue would cause this problem?

  • A. Not all of the controllers in the mobility group are using the same mobility group name
  • B. Not all of the controllers within the mobility group are using the same virtual interface IP address
  • C. All of the controllers within the mobility group are using the same virtual interface IP address
  • D. All of the controllers in the mobility group are using the same mobility group name

Correct Answer: B

Explanation: A prerequisite for configuring Mobility Groups is “All controllers must be configured with the same virtual interface IP address”. If all the controllers within a mobilitygroup are not using the same virtual interface, inter controller roaming may appear to work, but the handoff does not complete, and the client loses connectivity for a period of time. -> Answer B is correct.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/mobility_groups.html

117. Which algorithms are used to secure REST API from brute attacks and minimize the impact?

  • A. SHA-512 and SHA-384
  • B. MD5 algorithm-128 and SHA-384
  • C. SHA-1, SHA-256, and SHA-512
  • D. PBKDF2, BCrypt, and SCrypt

Correct Answer: D

Explanation: One of the best practices to secure REST APIs is using password hash. Passwords must always be hashed to protect the system (or minimize the damage) even if it is compromised in some hacking attempts. There are many such hashing algorithms which can prove really effective for password security e.g. PBKDF2, bcrypt and scrypt algorithms.
Other ways to secure REST APIs are: Always use HTTPS, Never expose information on URLs (Usernames, passwords, session tokens, and API keys should not appear in the URL), Adding Timestamp in Request, Using OAuth, Input Parameter Validation.
Reference: https://restfulapi.net/security-essentials/
We should not use MD5 or any SHA (SHA-1, SHA-256, SHA-512…) algorithm to hash password as they are not totally secure.
Note: A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.

118. What is the role of the RP in PIM sparse mode?

  • A. The RP responds to the PIM join messages with the source of requested multicast group
  • B. The RP maintains default aging timeouts for all multicast streams requested by the receivers
  • C. The RP acts as a control-plane node and does not receive or forward multicast packets
  • D. The RP is the multicast that is the root of the PIM-SM shared multicast distribution tree

Correct Answer: A

119. A network administrator is preparing a Python script to configure a Cisco IOS XE based device on the network. The administrator is worried that colleagues will make changes to the device while the script is running. Which operation of the client manager in prevent colleague making changes to the device while the script is running?

  • A. m.lock (config=’running’)
  • B. m.lock (target=’running’)
  • C. m.freeze (target=’running’)
  • D. m.freeze(config=’running’)

Correct Answer: B

Explanation: The example below shows the usage of lock command:

def demo(host, user, names):
With manager. Connect(host=host, port=22, username=user) as m:
With m.locked(target='running'):
for n in names:
m.edit_config (target='running', config=template % n)

The command “m.locked (target=’running’)” causes a lock to be acquired on the running datastore.

120. What are two device roles in Cisco SD-Access fabric? (Choose two)

  • A. core switch
  • B. vBond controller
  • C. edge node
  • D. access switch
  • E. border node

Correct Answer: CE

Explanation: There are five basic device roles in the fabric overlay:

+ Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay.
+ Fabric border node: This fabric device (for example, core layer device) connects external Layer 3 networks to the SDA fabric.
+ Fabric edge node: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric.
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric.
+ Intermediate nodes: These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services.

121. Which action is a function of VTEP in VXLAN?

  • A. tunneling traffic from IPv6 to IPv4 VXLANs
  • B. allowing encrypted communication on the local VXLAN Ethernet segment
  • C. encapsulating and de-encapsulating VXLAN Ethernet frames
  • D. tunneling traffic from IPv4 to IPv6 VXLANs

Correct Answer: C

Explanation: VTEPs connect between Overlay and Underlay network and they are responsible for encapsulating frame into VXLAN packets to send across IP network (Underlay) then decapsulating when the packets leaves the VXLAN tunnel.

122. What does the Cisco DNA Center use to enable the delivery of applications through a network and to yield analytics for innovation?

  • A. process adapters
  • B. Command Runner
  • C. intent-based APIs
  • D. domain adapters

Correct Answer: C

Explanation:

The Cisco DNA Center open platform for intent-based networking provides 360- degree extensibility across multiple components, including:
+ Intent-based APIs leverage the controller to enable business and IT applications to deliver intent to the network and to reap network analytics and insights for IT and business innovation. These enable APIs that allow Cisco DNA Center to receive input from a variety of sources, both internal to IT and from line-of-business applications, related to application policy, provisioning, software image management, and assurance.

https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-cent-plat-sol-over-cte-en.html

123. Which component handles the orchestration plane of the Cisco SD-WAN?

  • A. vBond
  • B. vSmart
  • C. vManage
  • D. vEdge

Correct Answer: A

Explanation: + Orchestration plane (vBond) assists in securely onboarding the SD-WAN WAN Edge routers into the SD-WAN overlay. The vBond controller, or orchestrator, authenticates and authorizes the SD-WAN components onto the network. The vBond orchestrator takes an added responsibility to distribute the list of vSmart and vManage controller information to the WAN Edge routers. vBond is the only device in SD-WAN that requires a public IP address as it is the first point of contact and authentication for all SD-WAN components to join the SD-WAN fabric. All other components need to know the vBond IP or DNS information.

124. Which two entities are Type 1 hypervisors? (Choose two)

  • A. Oracle VM Virtual Box
  • B. Microsoft Hyper-V
  • C. VMware server
  • D. VMware ESX
  • E. Microsoft Virtual PC

Correct Answer: BD

Explanation: A bare-metal hypervisor (Type 1) is a layer of software we install directly on top of a physical server and its underlying hardware. There is no software or any operating system in between, hence the name bare-metal hypervisor. A Type 1 hypervisor is proven in providing excellent performance and stability since it does not run inside Windows or any other operating system. These are the most common type 1 hypervisors:
+ VMware vSphere with ESX/ESXi
+ KVM (Kernel-Based Virtual Machine)
+ Microsoft Hyper-V
+ Oracle VM
+ Citrix Hypervisor (formerly known as Xen Server)

125. Which access point mode allows a supported AP to function like a WLAN client would, associating and identifying client connectivity issues?

  • A. client mode
  • B. SE-connect mode
  • C. sensor mode
  • D. sniffer mode

Correct Answer: D

Explanation: An lightweight AP (LAP) operates in one of six different modes:
+ Local mode (default mode): measures noise floor and interference, and scans for intrusion detection (IDS) events every 180 seconds on unused channels
+ Flex Connect, formerly known as Hybrid Remote Edge AP (HREAP), mode: allows data traffic to be switched locally and not go back to the controller. The Flex Connect AP can perform standalone client authentication and switch VLAN traffic locally even when it’s disconnected to the WLC (Local Switched). Flex Connect AP can also tunnel (via CAPWAP) both user wireless data and control traffic to a centralized WLC (Central Switched).
+ Monitor mode: does not handle data traffic between clients and the infrastructure. It acts like a sensor for location-based services (LBS), rogue AP detection, and IDS
+ Rogue detector mode: monitor for rogue APs. It does not handle data at all.
+ Sniffer mode: run as a sniffer and captures and forwards all the packets on a particular channel to a remote machine where you can use protocol analysis tool (Wireshark, Airopeek, etc) to review the packets and diagnose issues. Strictly used for troubleshooting purposes.
+ Bridge mode: bridge together the WLAN and the wired infrastructure together.

126. Refer to the exhibit.

An engineer must deny Telnet traffic from the loopback interface of router R3 to the loopback interface of router R2 during the weekend hours. All other traffic between the loopback interfaces of routers R3 and R2 must be allowed at all times. Which command accomplish this task?

A. R3(config)#time-range WEEKEND
R3(config-time-range)#periodic Saturday Sunday 00:00 to 23:59
R3(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
R3(config)#access-list 150 permit ip any any time-range WEEKENDR3(config)#interface Gi0/1
R3(config-if)#ip access-group 150 out

B. R1(config)#time-range WEEKEND
R1(config-time-range)#periodic Friday Sunday 00:00 to 00:00
R1(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
R1(config)#access-list 150 permit ip any any
R1(config)#interface Gi0/1
R1(config-if)#ip access-group 150 in

C. R1(config)#time-range WEEKEND
R1(config-time-range)#periodic weekend 00:00 to 23:59
R1(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
R1(config)#access-list 150 permit ip any any
R1(config)#interface Gi0/1
R1(config-if)#ip access-group 150 in

D. R3(config)#time-range WEEKEND
R3(config-time-range)#periodic weekend 00:00 to 23:59
R3(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
R3(config)#access-list 150 permit ip any any time-range WEEKEND
R3(config)#interface Gi0/1
R3(config-if)#ip access-group 150 out

Correct Answer: C

Explanation: We cannot filter traffic that is originated from the local router (R3 in this case) so we can only configure the ACL on R1 or R2. “Weekend hours” means from Saturday morning through Sunday night so we have to configure: “periodic weekend 00:00 to 23:59”.
Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59.

127. Which tool is used in Cisco DNA Center to build generic configurations that are able to be applied on device with similar network settings?

  • A. Command Runner
  • B. Template Editor
  • C. Application Policies
  • D. Authentication Template

Correct Answer: B

Explanation: Cisco DNA Center provides an interactive editor called Template Editor to author CLI templates. Template Editor is a centralized CLI management tool to help design a set of device configurations that you need to build devices in a branch. When you have a site, office, or branch that uses a similar set of devices and configurations, you can use Template Editor to build generic configurations and apply the configurations to one or more devices in the branch.
Reference

128. A client device roams between access points located on different floors in an atrium. The access points joined to the same controller and configuration in local mode. The access points are in different IP addresses, but the client VLAN in the group same. What type of roam occurs?

  • A. inter-controller
  • B. inter-subnet
  • C. intra-VLAN
  • D. intra-controller

Correct Answer: B

Explanation:

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. Three popular types of client roaming are:

Intra-Controller Roaming: Each controller supports same-controller client roaming across access points managed by the same controller. This roaming is transparent to the client as the session is sustained, and the client continues using the same DHCP-assigned or client-assigned IP address.
Inter-Controller Roaming: Multiple-controller deployments support client roaming across access points managed by controllers in the same mobility group and on the same subnet. This roaming is also transparent to the client because the session is sustained and a tunnel between controllers allows the client to continue using the same DHCP- or client-assigned IP address as long as the session remains active.

Inter-Subnet Roaming: Multiple-controller deployments support client roaming across access points managed by controllers in the same mobility group on different subnets. This roaming is transparent to the client because the session is sustained and a tunnel between the controllers allows the client to continue using the same DHCP-assigned or client-assigned IP address as long as the session remains active.

Click Here

129. What does the LAP send when multiple WLCs respond to the CISCO_CAPWAP-CONTROLLER.localdomain hostname during the CAPWAP discovery and join process?

  • A. broadcast discover request
  • B. join request to all the WLCs
  • C. unicast discovery request to each WLC
  • D. Unicast discovery request to the first WLC that resolves the domain name

Correct Answer: D

130. Refer to the exhibit.

What is the result when a technician adds the monitor session 1 destination remote vlan 233 command?

  • A. The RSPAN VLAN is replaced by VLAN 223
  • B. RSPAN traffic is sent to VLANs 222 and 223
  • C. An error is flagged for configuring two destinations
  • D. RSPAN traffic is split between VLANs 222 and 223

Correct Answer: A

131. In an SD-Access solution what is the role of a fabric edge node?

  • A. to connect external Layer 3- network to the SD-Access fabric
  • B. to connect wired endpoint to the SD-Access fabric
  • C. to advertise fabric IP address space to external network
  • D. to connect the fusion router to the SD-Access fabric

Correct Answer: B

Explanation: + Fabric edge node: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric.

132. Refer to the exhibit.

access-list 1 permit 172.16.1.0 0.0.0.255
ip nat inside source list 1 interface gigabitethernet0/0 overload

The inside and outside interfaces in the NAT configuration of this device have been correctly identified. What is the effect of this configuration?

  • A. dynamic NAT
  • B. static NAT
  • C. PAT
  • D. NAT64

Correct Answer: C

Explanation: The command “ip nat inside source list 1 interface gigabitethernet0/0 overload” translates all source addresses that pass access list 1, which means 172.16.1.0/24 subnet, into an address assigned to gigabitethernet0/0 interface. Overload keyword allows to map multiple IP addresses to a single registered IP address (manyto-one) by using different ports so it is called Port Address Translation (PAT).

133. Which component of the Cisco Cyber Threat Defense solution provides user and flow context analysis?

  • A. Cisco Firepower and FireSIGHT
  • B. Cisco Stealth watch system
  • C. Advanced Malware Protection
  • D. Cisco Web Security Appliance

Correct Answer: B

Explanation: 

The goal of the Cyber Threat Defense solution is to introduce a design and architecture that can help facilitate the discovery, containment, and remediation of threats once they have penetrated into the network interior.
Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its objectives:
* NetFlow and the Lancope StealthWatch System
– Broad visibility
– User and flow context analysis
– Network behavior and anomaly detection
– Incident response and network forensics
* Cisco FirePOWER and FireSIGHT
– Real-time threat management
– Deeper contextual visibility for threats bypassing the perimeters
– URL control
* Advanced Malware Protection (AMP)
– Endpoint control with AMP for Endpoints
– Malware control with AMP for networks and content
* Content Security Appliances and Services
– Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS)
– Dynamic threat control for web traffic
– Outbound URL analysis and data transfer controls
– Detection of suspicious web activity
– Cisco Email Security Appliance (ESA)
– Dynamic threat control for email traffic
– Detection of suspicious email activity
* Cisco Identity Services Engine (ISE)
– User and device identity integration with Lancope StealthWatch
– Remediation policy actions using pxGrid
https://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd2-0/design_guides/ctd_2-0_cvd_guide_jul15.pdf

134. Which feature of EIGRP is not supported in OSPF?

  • A. load balancing of unequal-cost paths
  • B. load balance over four equal-costs paths
  • C. uses interface bandwidth to determine best path
  • D. per-packet load balancing over multiple paths

Correct Answer: A

135. An engineer must protect their company against ransom ware attacks. Which solution allows the engineer to block the execution stage and prevent file encryption?

  • A. Use Cisco AMP deployment with the Malicious Activity Protection engineer enabled
  • B. Use Cisco AMP deployment with the Exploit Prevention engine enabled
  • C. Use Cisco Firepower and block traffic to TOR networks
  • D. Use Cisco Firepower with Intrusion Policy and snort rules blocking SMB exploitation

Correct Answer: A

Explanation: Ransomware are malicious software that locks up critical resources of the users. Ransomware uses well-established public/private key cryptography which leaves the only way of recovering the files being the payment of the ransom, or restoring files from backups.

Cisco Advanced Malware Protection (AMP) for Endpoints Malicious Activity Protection (MAP) engine defends your endpoints by monitoring the system and identifying processes that exhibit malicious activities when they execute and stops them from running. Because the MAP engine detects threats by observing the behavior of the process at run time, it can generically determine if a system is under attack by a new variant of ransomware or malware that may have eluded other security products and detection technology, such as legacy signature-based malware detection. The first release of the MAP engine targets identification, blocking, and quarantine of ransomware attacks on the endpoint.

Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-for-endpoints/white-paper-c11-740980.pdf

136. Refer to the exhibit.

Assuming the WLC’s interfaces are not in the same subnet as the RADIUS server, which interface would the WLC use as the source for all RADIUS related traffic?

  • A. the interface specified on the WLAN configuration
  • B. any interface configured on the WLC
  • C. the controller management interface
  • D. the controller virtual interface

Correct Answer: A

137. Which benefit is offered by a cloud infrastructure deployment but is lacking in an on-premises deployment?

  • A. efficient scalability
  • B. virtualization
  • C. storage capacity
  • D. supported systems

Correct Answer: A

138. Wireless users report frequent disconnections from the wireless network. While troubleshooting a network engineer finds that after the user a disconnect, the connection reestablishes automatically without any input required. The engineer also notices these message logs.
Which action reduces the user impact?

  • A. increase the dynamic channel assignment interval
  • B. increase BandSelect
  • C. increase the AP heartbeat timeout
  • D. enable coverage hole detection

Correct Answer: A

Explanation: These message logs inform that the radio channel has been reset (and the AP must be down briefly). With dynamic channel assignment (DCA), the radios can frequently switch from one channel to another but it also makes disruption. The default DCA interval is 10 minutes, which is matched with the time of the message logs. By increasing the DCA interval, we can reduce the number of times our users are disconnected for changing radio channels.

139. Which DHCP option helps lightweight APs find the IP address of a wireless LAN controller?

  • A. Option 43
  • B. Option 60
  • C. Option 67
  • D. Option 150

Correct Answer: A

140. A network administrator applies the following configuration to an IOS device.

aaa new-model
aaa authentication login default local group tacacs+

What is the process of password checks when a login attempt is made to the device?

  • A. A TACACS+ server is checked first. If that check fail, a database is checked
  • B. A TACACS+ server is checked first. If that check fail, a RADIUS server is checked. If that check fail, a local database is checked
  • C. A local database is checked first. If that fails, a TACACS+server is checked, if that check fails, a RADIUS server is checked
  • D. A local database is checked first. If that check fails, a TACACS+server is checked

Correct Answer: D

Explanation: The “aaa authentication login default local group tacacs+” command is broken down as follows:

+ The ‘aaa authentication’ part is simply saying we want to configure authentication settings.
+ The ‘login’ is stating that we want to prompt for a username/ password when a connection is made to the device.
+ The ‘default’ means we want to apply for all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under tty, vty and aux lines. If we don’t use this keyword then we have to specify which line(s) we want to apply the authentication feature.
+ The ‘local group tacacs+” means all users are authenticated using router’s local database (the first method). If the credentials are not found on the local database, then the TACACS+ server is used (the second method).

141. What is the role of the vsmart controller in a Cisco SD-WAN environment?

  • A. IT performs authentication and authorization
  • B. It manages the control plane
  • C. It is the centralized network management system
  • D. It manages the data plane

Correct Answer: B

Explanation: Control plane (vSmart) builds and maintains the network topology and make decisions on the traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies and distributes data plane policies to network devices for enforcement.

142. Why is an AP joining a different WLC than the one specified through option 43?

  • A. The WLC is running a different software version
  • B. The API is joining a primed WLC
  • C. The AP multicast traffic unable to reach the WLC through Layer 3
  • D. The APs broadcast traffic is unable to reach the WLC through Layer 2

Correct Answer: B

143. Which devices does Cisco Center configure when deploying an IP-based access control policy?

  • A. All devices integrating with ISE
  • B. selected individual devices
  • C. all devices in selected sites
  • D. all wired devices

Correct Answer: A

Explanation: When you click Deploy, Cisco DNA Center requests the Cisco Identity Services Engine (Cisco ISE) to send notifications about the policy changes to the network devices.

Reference: Click here

144. Which method of account authentication does OAuth 2.0 within REST APIs?

  • A. username/role combination
  • B. access tokens
  • C. cookie authentication
  • D. basic signature workflow

Correct Answer: B

Explanation: The most common implementations of OAuth (OAuth 2.0) use one or both of these tokens:

+ access token: sent like an API key, it allows the application to access a user’s data; optionally, access tokens can expire.

+ refresh token: optionally part of an OAuth flow, refresh tokens retrieve a new access token if they have expired. OAuth2 combines Authentication and Authorization to allow more sophisticated scope and validity control.

145. Which outbound access list, applied to the WAN interface of a router, permits all traffic except for http traffic sourced from the workstation with IP address 10.10.10.1?

A.

B.

C.

D.

  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D

Correct Answer: A

146. A server running Linux is providing support for virtual machines along with DNS and DHCP services for a small business. Which technology does this represent?

  • A. container
  • B. Type 1 hypervisor
  • C. hardware pass-thru
  • D. Type 2 hypervisor

Correct Answer: D

Explanation: In contrast to type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of an operating system and not the physical hardware directly. A big advantage of Type 2 hypervisors is that management console software is not required. Examples of type 2 hypervisor are VMware Workstation (which can run on Windows, Mac and Linux) or Microsoft Virtual PC (only runs on Windows)

147. Refer to the exhibit. An engineer is using XML in an application to send information to a RESTCONFenabled device. After sending the request, the engineer gets this response message and a HTTP response code of 400. What do these responses tell the engineer?

  • A. The Accept header sent was application/xml
  • B. POST was used instead of PUT to update
  • C. The Content-Type header sent was application/xml.
  • D. JSON body was used

Correct Answer: C

Explanation:

148. Which statement about LISP encapsulation in an EIGRP OTP implementation is true?

  • A. LISP learns the next hop
  • B. OTP uses LISP encapsulation to obtain routes from neighbors
  • C. OTP uses LISP encapsulation for dynamic multipoint tunneling
  • D. OTP maintains the LISP control plane

Correct Answer: D

Explanation: The EIGRP Over the Top solution can be used to ensure connectivity between disparate EIGRP sites.

This feature uses EIGRP on the control plane and Locator ID Separation Protocol (LISP) encapsulation on the data plane to route traffic across the underlying WAN architecture. EIGRP is used to distribute routes between customer edge (CE) devices within the network, and the traffic forwarded across the WAN architecture is LISP encapsulated.

EIGRP OTP only uses LISP for the data plane, EIGRP is still used for the control plane. Therefore we cannot say OTP uses LISP encapsulation for dynamic multipoint tunneling as this requires encapsulating both data and control plane traffic -> Answer ‘OTP uses LISP encapsulation for dynamic multipoint tunneling’ is not correct.

In OTP, EIGRP serves as the replacement for LISP control plane protocols (therefore EIGRP will learn the next hop, not LISP -> Answer ‘LISP learns the next hop’ is not correct). Instead of doing dynamic EID-to-RLOC mappings in native LISP-mapping services, EIGRP routers running OTP over a service provider cloud create targeted sessions, use the IP addresses provided by the service provider as RLOCs, and exchange routes as EIDs. Let’s take an example:

If R1 and R2 ran OTP to each other, R1 would learn about the network 10.0.2.0/24 from R2 through EIGRP, treat the prefix 10.0.2.0/24 as an EID prefix, and take the advertising next hop 198.51.100.62 as the RLOC for this EID prefix. Similarly, R2 would learn from R1 about the network 10.0.1.0/24 through EIGRP, treat the prefix 10.0.1.0/24 as an EID prefix, and take the advertising next hop 192.0.2.31 as the RLOC for this EID prefix. On both routers, this information would be used to populate the LISP mapping tables. Whenever a packet from 10.0.1.0/24 to 10.0.2.0/24 would arrive at R1, it would use its LISP mapping tables just like in ordinary LISP to discover that the packet has to be LISP encapsulated and tunneled toward 198.51.100.62, and vice versa. The LISP data plane is reused in OTP and does not change; however, the native LISP mapping and resolving mechanisms are replaced by EIGRP.

149. Refer to the exhibit.Which command must be applied to R2 for an OSPF neighborship to form?

  • A. network 20.1.1.2.0.0.0.0 area 0
  • B. network 20.1.1.2 255.255.0.0. area 0
  • C. network 20.1.1.2.0.0.255.255 area 0
  • D. network 20.1.1.2 255.255.255 area 0

Correct Answer: A

Explanation: The network 20.0.0.0 0.0.0.255 area (” command on R2 did not cover the IP address of Fal/1 interface of R2 so OSPF did not run on this interface. Therefore we have to use the command “network 20.1.1.2 0.0.255.255 area 0” to turn on OSPF on this interface.
Note: The command “network 20.1.1.2 0.0.255.255 area 0” can be used too so this answer is also correct but answer C is the best answer here.
The network 0.0.0.0 255.255.255.255 area 0 command on R1 will run OSPF on all active interfaces of R1.

150. Which two statements about VRF-lite are true? (Choose two)

  • A. It can support multiple customers on a single switch
  • B. It supports most routing pr
  • C. It should be used when a customer’s router is connected to an ISP over OSPF
  • D. It can increase the packet switching rate
  • E. It supports MPLS-VRF label exchange and labeled packets

Correct Answer: AB

Explanation: In VRF-Lite, Route distinguisher (RD) identifies the customer routing table and allows customers to be assigned overlapping addresses. Therefore it can support multiple customers with overlapping addresses -> Answer ‘It can support multiple customers on a single switch’ is correct. VRFs are commonly used for MPLS deployments, when we use VRFs without MPLS then we call it VRF lite -> Answer ‘It supports MPLS-VRF label exchange and labeled packets’ is not correct. VRF-Lite supports most populr routing protocols: BGP, OSPF, EIGRP, RIP, and static routing -> Answer ‘It supports most routing protocols, including EIGRP, ISIS, and OSPF’ is correct.

151. How are the Cisco Express Forwarding table and the FIB related to each other?

  • A. Cisco Express Forwarding uses a FIB to make IP destination prefix-based switching decisions correct
  • B. The FIB is used to populate the Cisco Express Forwarding table
  • C. There can be only one FIB but multiple Cisco Express Forwarding tables on IOS devices
  • D. The Cisco Express Forwarding table allows route lookups to be forwarded to the route processor for processing before they are sent to the FIB

Correct Answer: A

Explanation: The Forwarding Information Base (FIB) table – CEF uses a FIB to make IP destination prefix basedswitching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and these changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table.

152. Refer to the exhibit.

An engineer configures monitoring on SW1 and enters the show command to verify operation. What does the output confirm?

  • A. SPAN session 1 monitors activity on VLAN 50 of a remote switch
  • B. SPAN session 2 only monitors egress traffic exiting port FastEthernet 0/14.
  • C. SPAN session 2 monitors all traffic entering and exiting port FastEthernet 0/15.
  • D. RSPAN session 1 is incompletely configured for monitoring

Correct Answer: C

153. Which EIGRP feature allows the use of leak maps?

  • A. neighbor
  • B. stub
  • C. offset-list
  • D. address-family

Correct Answer: B

Explanation: If we configured an EIGRP stub router so that it only advertises connected and summary routes.
But we also want to have an exception to this rule then we can configure a leak-map. For example:

R4(config-if)#router eigrp 1
R4(config-router)#eigrp stub
R4(config)#ip access-list standard R4_L0opback0
R4(config-std-nacl)#permit host 4.4.4.4
R4(config)#route-map R4_L0opback0_LEAKMAP
R4(config-route-map)#match ip address R4_L0opback0
R4(config)#router eigrp 1
R4(config-router)#eigrp stub leak-map

As we can see the leak-map feature goes long with ‘eigrp stub’ command.

154. Which two LISP infrastructure elements are needed to support LISP to non-LISP internetworking? (Choose two)

  • A. PETR
  • B. PITR
  • C. MR
  • D. MS
  • E. ALT

Correct Answer: AC

155. What is used to measure the total output energy of a Wi-Fi device?

  • A. dBi
  • B. EIRP
  • C. mW
  • D. dBm

Correct Answer: C

Explanation: Output power is measured in mW (milliwatts). answer ‘dBi’ milliwatt is equal to one thousandth (10-3) of a watt.

156. Refer to the exhibit.

An engineer reconfigures the pot-channel between SW1 and SW2 from an access port to a trunk and immediately notices this error in SW1’s log.

%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi0/0, putting Gi0/0 in errdisable state.

Which command set resolves this error?

A.
Sw1(config)# interface G0/0
Sw1(config-if)# spanning-tree bpduguard enable
Sw1(config-if)# shut
Sw1(config-if)# no shut

B.
Sw1(config)# interface G0/0
Sw1(config-if)# no spanning-tree bpduguard enable
Sw1(config-if)# shut
Sw1(config-if)# no shut

C.
Sw1(config)# interface G0/1
Sw1(config-if)# spanning-tree bpduguard enable
Sw1(config-if)# shut
Sw1(config-if)# no shut

D.
Sw1(config)# interface G0/0
Sw1(config-if)# no spanning-tree bpdufilter
Sw1(config-if)# shut
Sw1(config-if)# no shut

  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D

Correct Answer: B

157. Refer to the exhibit.

(YOUR CONNECTION IS NOT PRIVATE WARNING )
An engineer is designing a guest portal on Cisco ISE using the default configuration. During the testing phase, the engineer receives a warning when displaying the guest portal. Which issue is occurring?

  • A. The server that is providing the portal has an expired certificate
  • B. The server that is providing the portal has a self-signed certificate
  • C. The connection is using an unsupported protocol
  • D. The connection is using an unsupported browser

Correct Answer: B

158. Refer to the exhibit.

An engineer must create a configuration that executes the show run command and then terminates the session when user CCNP logs in. Which configuration change is required”

  • A. Add the access-class keyword to the username command
  • B. Add the access-class keyword to the aaa authentication command
  • C. Add the autocommand keyword to the username command
  • D. Add the autocommand keyword to the aaa authentication command

Correct Answer: C

Explanation: The “autocommand” causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line. In this specific question, we have to enter this line “username CCNP autocommand show running config”.


159. Refer to the exhibit. A network engineer configures a GRE tunnel and enters the show Interface tunnel command. What does the output confirm about the configuration?

  • A. The keepalive value is modified from the default value.
  • B. Interface tracking is configured.
  • C. The tunnel mode is set to the default.
  • D. The physical interface MTU is 1476 bytes.

Correct Answer: C

Explanation: From the “Tunnel protocol/transport GRE/IP” line, we can deduce this tunnel is using the default IPv4 Layer-3 tunnel mode. We can return to this default mode with the tunnel mode gre ip command.


160. What is the result of applying this access control list?

ip access-list extended STATEFUL
10 permit tcp any any established
20 deny ip any any
  • A. TCP traffic with the URG bit set is allowed
  • B. TCP traffic with the SYN bit set is allowed
  • C. TCP traffic with the ACK bit set is allowed
  • D. TCP traffic with the DF bit set is allowed

Correct Answer: C

Explanation: The established keyword is only applicable to TCP access list entries to match TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only. Let’s see an example below:

Suppose you only want to allow the hosts inside your company to telnet to an outside server but not vice versa, you can simply use an “established” access-list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

161. How does the RIB differ from the FIB?

  • A. The RIB is used to create network topologies and routing tables. The FIB is a list of routes to particular network destinations.
  • B. The FIB includes many routes a single destination. The RIB is the best route to a single destination.
  • C. The RIB includes many routes to the same destination prefix. The FIB contains only the best route
  • D. The FIB maintains network topologies and routing tables. The RIB is a Iist of routes to particular network destinations.

Correct Answer: A

Explanation: RIB is derived from the control plane, FIB is used for forwarding

162. Refer to the exhibit. Which IPv6 OSPF network type is applied to interface Fa0/0 of R2 by default?

  • A. multipoint
  • B. broadcast
  • C. Ethernet
  • D. point-to-point

Correct Answer: B

Explanation: The Broadcast network type is the default for an OSPF enabled ethernet interface (while Point-toPoint is the default OSPF network type for Serial interface with HDLC and PPP encapsulation).

163. Refer the exhibit. Which router is the designated router on the segment 192.168.0.0/24?


  • A. This segment has no designated router because it is a nonbroadcast network type.
  • B. This segment has no designated router because it is a p2p network type.
  • C. Router Chicago because it has a lower router ID
  • D. Router NewYork because it has a higher router ID

Correct Answer: A

164. Which two statements about Cisco Express Forwarding load balancing are true? (Choose two)

  • A. Each hash maps directly to a single entry in the RIB
  • B. It combines the source IP address subnet mask to create a hash for each destination
  • C. Cisco Express Forwarding can load-balance over a maximum of two destinations
  • D. It combines the source and destination IP addresses to create a hash for each destination
  • E. Each hash maps directly to a single entry in the adjacency table

Correct Answer: DE

Explanation: Cisco IOS software basically supports two modes of CEF load balancing: On per-destination or perpacket basis.
For per destination load balancing a hash is computed out of the source and destination IP address (- > Answer ‘It combines the source and destination IP addresses to create a hash for each destination’ is correct). This hash points to exactly one of the adjacency entries in the adjacency table (-> Answer ‘Each hash maps directly to a single entry in the adjacency table’ is correct), providing that the same path is used for all packets with this source/destination address pair. If per packet load balancing is used the packets are distributed round robin over the available paths. In either case the information in the FIB and adjacency tables provide all the necessary forwarding information, just like for nonload balancing operation.
The number of paths used is limited by the number of entries the routing protocol puts in the routing table, the default in IOS is 4 entries for most IP routing protocols with the exception of BGP, where it is one entry. The maximum number that can be configured is 6 different paths -> Answer ‘Cisco Express Forwarding can load-balance over a maximum of two destinations’ is not correct.

165. What is the main function of VRF-lite?

  • A. To connect different autonomous systems together to share routes
  • B. To allow devices to use labels to make Layer 2 Path decisions
  • C. To route IPv6 traffic across an IPv4 backbone
  • D. To segregate multiple routing tables on a single device

Correct Answer: D

166. Which statement about a Cisco APIC controller versus a more traditional SDN controller is true?

  • A. APIC does support a Southbound REST API
  • B. APIC supports OpFlex as a Northbound protocol
  • C. APIC uses a policy agent to translate policies into instructions
  • D. APIC uses an imperative model

Correct Answer: C

Explanation: The southbound protocol used by APIC is OpFlex that is pushed by Cisco as the protocol for policy enablement across physical and virtual switches.
Southbound interfaces are implemented with some called Service Abstraction Layer (SAL), which talks to the network elements via SNMP and CLI.
Note: Cisco OpFlex is a southbound protocol in a software-defined network (SDN).

167. An engineer reviews a router’s logs and discovers the following entry. What is the event’s logging severity level?

Router# *Feb 03 11:13:44 334: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
  • A. notification
  • B. error
  • C. informational
  • D. warning

Correct Answer: B

Explanation: Syslog levels are listed below:

Number 3 in %LINK-3-UPDOWN is the severity level of this message so in this case it is errors.

168. Which characteristic distinguishes Ansible from Chef?

  • A. Ansible lacs redundancy support for the master server. Chef runs two masters in an active/active mode.
  • B. Ansible uses Ruby to manage configurations. Chef uses YAML to manage configurations.
  • C. Ansible pushes the configuration to the client. Chef client pulls the configuration from the server.
  • D. The Ansible server can run on Linux, Unix or Windows. The Chef server must run on Linux or Unix.

Correct Answer: C

Explanation: Ansible works by connecting to your nodes and pushing out small programs, called “Ansible modules” to them. These programs are written to be resource models of the desired state of the system. Ansible then executes these modules (over SSH by default), and removes them when finished.
Chef is a much older, mature solution to configure management. Unlike Ansible, it does require an installation of an agent on each server, named chef-client. Also, unlike Ansible, it has a Chef server that each client pulls configuration from.

169. Refer to the exhibit. What is the effect of the configuration?

  • A. The device will allow users at 192.168.0.202 to connect to vty lines 0 through 4 using the password ciscotestkey
  • B. The device will allow only users at 192 168.0.202 to connect to vty lines 0 through 4
  • C. When users attempt to connect to vty lines 0 through 4. the device will authenticate them against TACACS* if local authentication fails
  • D. The device will authenticate all users connecting to vty lines 0 through 4 against TACACS+

Correct Answer:D

170. Which technology is used to provide Layer 2 and Layer 3 logical networks in the Cisco SD Access architecture?

  • A. underlay network
  • B. VPN routing/forwarding
  • C. easy virtual network
  • D. overlay network

Correct Answer: D

Explanation: An overlay network is created on top of the underlay network through virtualization (virtual network). The data plane traffic and control plane signaling are contained within each virtualized network, maintaining ioslation among the network and an indepence from the underlay.

171. Refer to the exhibit. A network architect has partially configured static NAT. which commands should be asked to complete the configuration?

R1(config)# ip nat inside source static 10.70.5.1 10.45.1.7

A.
R1(config)#interface GigabitEthernet0/0
R1(config)#ip pat outside
R1(config)#interface GigabitEthernet0/1
R1(config)#ip pat inside

B.
R1(config)#interface GigabitEthernet0/0
R1(config)#ip nat outside
R1(config)#interface GigabitEthernet0/1
R1(config)#ip nat inside

C.
R1(config)#interface GigabitEthernet0/0
R1(config)#ip nat inside
R1(config)#interface GigabitEthernet0/1
R1(config)#ip nat outside

D.
R1(config)#interface GigabitEthernet0/0
R1(config)#ip pat inside
R1(config)#interface GigabitEthernet0/1
R1(config)#ip pat outside

Correct Answer: B

172. Refer to the exhibit. An engineer configures CoPP and enters the show command to verify the implementation. What is the result of the configuration?

  • A. All traffic will be policed based on access-list 120.
  • B. If traffic exceeds the specified rate, it will be transmitted and remarked.
  • C. Class-default traffic will be dropped.
  • D. ICMP will be denied based on this configuration.

Correct Answer: A

173. Refer to the exhibit. An engineer is installing a new pair of routers in a redundant configuration. Which protocol ensures that traffic is not disrupted in the event of a hardware failure?

  • A. HSRPv1
  • B. GLBP
  • C. VRRP
  • D. HSRPv2

Correct Answer: A

Explanation: The “virtual MAC address” is 0000.0c07.acXX (XX is the hexadecimal group number) so it is using HSRPv1.
Note: HSRP Version 2 uses a new MAC address which ranges from 0000.0C9F.F000 to 0000.0C9F.FFFF.

174. Refer to the exhibit. PC-1 must access the web server on port 8080. To allow this traffic, which statement must be added to an access control list that is applied on SW2 port G0/0 in the inbound direction?

  • A. permit host 172.16.0.2 host 192.168.0.5 eq 8080
  • B. permit host 192.168.0.5 host 172.16.0.2 eq 8080
  • C. permit host 192.168.0.5 eq 8080 host 172.16.0.2
  • D. permit host 192.168.0.5 it 8080 host 172.16.0.2

Correct Answer: C

Explanation: The inbound direction of G0/0 of SW2 only filter traffic from Web Server to PC-1 so the source IP address and port is of the Web Server.

175. What would be the preferred way to implement a loopless switch network where there are 1500 defined VLANs and it is necessary to load the shared traffic through two main aggregation points based on the VLAN identifier?

  • A. 802.1D
  • B. 802.1s
  • C. 802.1W
  • D. 802.1AE

Correct Answer: B

Explanation: Where to Use MST
This diagram shows a common design that features access Switch A with 1000 VLANs redundantly connected to two distribution Switches, D1 and D2. In this setup, users connect to Switch A, and the network administrator typically seeks to achieve load balancing on the access switch Uplinks based on even or odd VLANs, or any other scheme deemed appropriate.

176. How is a data modeling language used?

  • A. To enable data to be easily structured, grouped validated, and replicated
  • B. To represent finite and well-defined network elements that cannot be changed.
  • C. To model the flows of unstructured data within the infrastructure.
  • D. To provide human readability to scripting languages

Correct Answer: D

Explanation: replacing the process of manual configuration. Data models are written in a standard, industry-defined language. Although configurations using CLIs are easier (more human-friendly), automating the configuration using data models results in scalability.

177. Which two statements about VRRP are true? (Choose two)

  • A. It supports both MD5 and SHA1 authentication.
  • B. It is assigned multicast address 224.0.0.9.
  • C. Three versions of the VRRP protocol have been defined.
  • D. It is assigned multicast address 224.0.0.8.
  • E. The TTL for VRRP packets must be 255.
  • F. Its IP address number is 115.

Correct Answer: CE

178. Refer to the exhibit.

A wireless client is connecting to FlexAP1 which is currently working standalone mode. The AAA authentication processis returning the following AVPs:

Tunnel-Private-Group-Id(81): 15
Tunnel-Medium-Type(65): IEEE-802(6)
Tunnel-Type(64): VLAN(13)

Which three behaviors will the client experience? (Choose three.)

  • A. While the AP is in standalone mode, the client will be placed in VLAN 15.
  • B. While the AP is in standalone mode, the client will be placed in VLAN 10.
  • C. When the AP transitions to connected mode, the client will be de-authenticated.
  • D. While the AP is in standalone mode, the client will be placed in VLAN 13.
  • E. When the AP is in connected mode, the client will be placed in VLAN 13.
  • F. When the AP transitions to connected mode, the client will remain associated.
  • G. When the AP is in connected mode, the client will be placed in VLAN 15.
  • H. When the AP is in connected mode, the client will be placed in VLAN 10.

Correct Answer: ADE

179. Refer to the exhibit. Which LISP component do routers in the public IP network use to forward traffic between the two networks?

  • A. RLOC
  • B. map resolver
  • C. EID
  • D. map server

Correct Answer: A

Explanation: Locator ID Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
+ Endpoint identifiers (EIDs) – assigned to end hosts.
+ Routing locators (RLOCs) – assigned to devices (primarily routers) that make up the global routing system.

180. Which variable in an EEM applet is set when you use the sync yes option?

  • A. $_cli_result
  • B. $_exit_status
  • C. $_string_result
  • D. $_result

Correct Answer: B

Explanation: With Synchronous ( sync yes), the CLI command in question is not executed until the policy exits.
Whether or not the command runs depends on the value for the variable _exit_status. If_exit_status is 1, the command runs, if it is 0, the command is skipped.

181. Refer to the exhibit. An engineer attempts to configure a router on a stick to route packets between Clients, Servers, and Printers; however, initial tests show that this configuration is not working. Which command set resolves this issue?

  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D

Correct Answer: C

Explanation: We must reconfigure the IP address after assigning or removing an interface to a VRF. Otherwise that interface does not have an IP address.

182. In a Cisco SD-WAN solution, how is the health of a data plane tunnel monitored?

  • A. with IP SLA
  • B. ARP probing
  • C. using BFD
  • D. with OMP

Correct Answer: C

Explanation: The BFD (Bidirectional Forwarding Detection) is a protocol that detects link failures as part of the Cisco SD-WAN (Viptela) high availability solution, is enabled by default on all vEdge routers, and you cannot disable it.

183. What does Call Admission Control require the client to send in order to reserve the bandwidth?

  • A. SIP flow information
  • B. Wi-Fi multimedia
  • C. traffic specification
  • D. VoIP media session awareness

Correct Answer: D

184. Which data modeling language is commonly used by NETCONF?

  • A. REST
  • B. YANG
  • C. HTML
  • D. XML

Correct Answer: B

Explanation: Cisco IOS XE supports the Yet Another Next Generation (YANG) data modeling language. YANG can be used with the Network Configuration Protocol (NETCONF) to provide the desired solution of automated and programmable network operations. NETCONF(RFC6241) is an XML-based protocol that client applications use to request information from and make configuration changes to the device. YANG is primarily used to model the configuration and state data used by NETCONF operations.

185. Refer to the exhibit. Which two commands ensure that DSW1 becomes root bridge for VLAN 10 and 20?

  • A. spanning-tree mst 1 priority 1
  • B. spanning-tree mst 1 root primary
  • C. spanning-tree mstp vlan 10,20 root primary
  • D. spanning-tree mst vlan 10,20 priority root
  • E. spanning-tree mst 1 priority 4096

Correct Answer: BE

Explanation: Priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected.

186. During deployment, a network engineer notices that voice traffic is not being tagged correctly as it traverses the network. Which COS to DSCP map must be modified to ensure that voice traffic is treated properly?

  • A. COS of 5 to DSCP 46
  • B. COS of 7 to DSCP 48
  • C. COS of 6 to DSCP 46
  • D. COS of 3 to DSCP of 26

Correct Answer: A

Explanation: CoS value 5 is commonly used for VOIP and CoS value 5 should be mapped to DSCP 46. DSCP 46 is defined as being for EF (Expedited Forwarding) traffic flows and is the value usually assigned to all interactive voice and video traffic. This is to keep the uniformity from end-to-end that DSCP EF (mostly for VOICE RTP) is mapped to COS 5.
Note:

+ CoS is a L2 marking contained within an 802.1q tag,. The values for CoS are 0 – 7

+ DSCP is a L3 marking and has values 0 – 63

+ The default DSCP-to-CoS mapping for CoS 5 is DSCP 40

187. Which two statements about IP SLA are true? (Choose two)

  • A. It uses NetFlow for passive traffic monitoring
  • B. It can measure MOS
  • C. The IP SLA responder is a component in the source Cisco device
  • D. It is Layer 2 transport-independent correct
  • E. It uses active traffic monitoring correct
  • F. SNMP access is not supported

Correct Answer: DE

Explanation: IP SLAs allows Cisco customers to analyze IP service levels for IP applications and services, to increase productivity, to lower operational costs, and to reduce the frequency of network outages. IP SLAs uses active traffic monitoring-the generation of traffic in a continuous, reliable, and predictable manner-for measuring network performance.
Being Layer-2 transport independent, IP SLAs can be configured end-to-end over disparate networks to best reflect the metrics that an end-user is likely to experience.

188. You are configuring a controller that runs Cisco IOS XE by using the CLI. Which three configuration options are used for 802.11w Protected Management Frames? (Choose three.)

  • A. mandatory
  • B. association-comeback
  • C. SA teardown protection
  • D. saquery-retry-time
  • E. enable
  • F. comeback-time

Correct Answer: ABD

189. Refer to the exhibit. Which two commands are needed to allow for full reachability between AS 1000 and AS 2000? (Choose two)

  • A. R1#network 19.168.0.0 mask 255.255.0.0
  • B. R2#no network 10.0.0.0 255.255.255.0
  • C. R2#network 192.168.0.0 mask 255.255.0.0
  • D. R2#network 209.165.201.0 mask 255.255.192.0
  • E. R1#no network 10.0.0.0 255.255.255.0

Correct Answer: BC

190. Refer to the exhibit. R1 is able to ping the R3 fa0/1 interface. Why do the extended pings fail?

  • A. The maximum packet size accepted by the command is 1476 bytes.
  • B. R3 is missing a return route to 10.99.69.0/30
  • C. R2 and R3 do not have an OSPF adjacency
  • D. The DF bit has been set

Correct Answer: D

Explanation: If the DF bit is set, routers cannot fragment packets. From the output below, we learn that the maximum MTU of R2 is 1492 bytes while we sent ping with 1500 bytes. Therefore these ICMP packets were dropped.
Note: Record option displays the address(es) of the hops (up to nine) the packet goes through.


191. An engineer must configure interface GigabitEthernet0/0 for VRRP group 10. When the router has the highest priority in the group, it must assume the master role. Which command set must be added to the initial configuration to accomplish this task?

  • A. vrrp 10 ip 172.16.13.254
    vrrp 10 preempt
  • B. standby 10 ip 172.16.13.254
    standby 10 priority 120
  • C. vrrp group 10 ip 172.16.13 254.255.255.255.0
    vrrp group 10 priority 120
  • D. standby 10 ip 172.16.13.254 255.255.255.0
    standby 10 preempt

Correct Answer: C

Explanation: By default, a preemptive scheme is enabled. A backup high-priority virtual router that becomes available takes over for the backup virtual router that was elected to become the virtual router master.

192. What is a Type 1 hypervisor?

  • A. runs directly on a physical server and depends on a previously installed operating system
  • B. runs directly on a physical server and includes its own operating system
  • C. runs on a virtual server and depends on an already installed operating system
  • D. run on a virtual server and includes its own operating system

Correct Answer: B

Explanation: There are two types of hypervisors: type 1 and type 2 hypervisor.
In type 1 hypervisor (or native hypervisor), the hypervisor is installed directly on the physical server. Then instances of an operating system (OS) are installed on the hypervisor. Type 1 hypervisor has direct access to the hardware resources. Therefore they are more efficient than hosted architectures. Some examples of type 1 hypervisor are VMware vSphere/ESXi, Oracle VM Server, KVM and Microsoft Hyper-V.
In contrast to type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of an operating system and not the physical hardware directly. A big advantage of Type 2 hypervisors is that management console software is not required. Examples of type 2 hypervisor are VMware Workstation (which can run on Windows, Mac and Linux) or Microsoft Virtual PC (only runs on Windows).

193. Refer to the exhibit. Which network script automation option or tool is used in the exhibit?

  • A. EEM
  • B. Bash script
  • C. REST correct
  • D. NETCONF
  • E. Python

Correct Answer: C

194. An engineer uses the Design workflow to create a new network infrastructure in Cisco DNA Center. How is the physical network device hierarchy structured?

  • A. by location
  • B. by role
  • C. by organization
  • D. by hostname naming convention

Correct Answer: A

Explanation: About Network Hierarchy

You can create a network hierarchy that represents your network’s geographical locations.

195. Refer to Exhibit. MTU has been configured on the underlying physical topology, and no MTU command has been configured on the tunnel interfaces. What happens when a 1500-byte IPv4 packet traverses the GRE tunnel from host X to host Y, assuming the DF bit is cleared?

  • A. The packet arrives on router C without fragmentation.
  • B. The packet is discarded on router A
  • C. The packet is discarded on router B
  • D. The packet arrives on router C fragmented.

Correct Answer: D

Explanation: Like any protocol, using GRE adds a few bytes to the size of data packets. This must be factored into the MSS and MTU settings for packets. If the MTU is 1,500 bytes and the MSS is 1,460 bytes (to account for the size of the necessary IP and TCP headers), the addition of GRE 24-byte headers will cause the packets to exceed the MTU:

1,460 bytes [payload] + 20 bytes [TCP header]+ 20 bytes [IP header] + 24 bytes [GRE header + IP header] = 1,524 bytes

As a result, the packets will be fragmented. Fragmentation slows down packet delivery times and increases how much compute power is used, because packets that exceed the MTU must be broken down and then reassembled.

196. Into which two pieces of information does the LISP protocol split the device identity? (Choose two)

  • A. Device ID
  • B. Enterprise Identifier
  • C. LISP ID
  • D. Routing Locator
  • E. Resource Location
  • F. Endpoint Identifier

Correct Answer: DF

Explanation: Locator ID Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
+ Endpoint identifiers (EIDs)-assigned to end hosts.
+ Routing locators (RLOCs)-assigned to devices (primarily routers) that make up the global routing system.

197. Company policy restricts VLAN 10 to be allowed only on SW1 and SW2. All other VLANs can be on all three switches. An administrator has noticed that VLAN 10 has propagated to SW3. Which configuration corrects the issue?

A.
SW2(config)#interface gi1/2
SW2(config)#switchport trunk allowed vlan 10

B.
SW1(config)#interface gi1/1
SW1(config)#switchport trunk allowed vlan 1-9,11-4094

C.
SW2(config)#interface gi1/2
SW2(config)#switchport trunk allowed vlan 1-9,11-4094

D.
SW2(config)#interface gi1/1
SW2(config)#switchport trunk allowed vlan 10

  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D

Correct Answer: C

198. Which two characteristics define the Intent API provided by Cisco DNA Center? (Choose two.)

  • A. northbound API
  • B. business outcome oriented
  • C. device-oriented
  • D. southbound API
  • E. procedural

Correct Answer: AB

Explanation: The Intent API is a Northbound REST API that exposes specific capabilities of the Cisco DNA Center platform. The Intent API provides policy-based abstraction of business intent, allowing focus on an outcome rather than struggling with individual mechanisms steps.

199. Refer to the exhibit. Which command allows hosts that are connected to FastEthernet0/2 to access the Internet?

  • A. ip nat inside source list 10 interface FastEthernet0/1 overload
  • B. ip nat inside source list 10 interface FastEthernet0/2 overload
  • C. ip nat outside source list 10 interface FastEthernet0/2 overload
  • D. ip nat outside source static 209.165.200.225 10.10.10.0 overload

Correct Answer: A

200. A GRE tunnel is down with the error message %TUN-5-RECUR DOWN:

Tunnel0 temporarily disabled due to recursive routing error.

Which two options describe possible causes of the error? (Choose two)

  • A. There is link flapping on the tunnel
  • B. Incorrect destination IP addresses are configured on the tunnel
  • C. The tunnel mode and tunnel IP address are misconfigured
  • D. There is instability in the network due to route flapping
  • E. The tunnel destination is being routed out of the tunnel interface

Correct Answer: DE

Explanation: The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the generic routing encapsulation (GRE) tunnel router has discovered a recursive routing problem. This condition is usually due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself (recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network

201. Which statement about the default QoS configuration on a Cisco switch is true?

  • A. The Cos value of each tagged packet is modified
  • B. Port trust is enabled
  • C. The Port Cos value is 0
  • D. All traffic is sent through four egress queues

Correct Answer: C

202. Refer to the exhibit.

You have just created a new VRF on PE3. You have enabled debug ip bgp vpnv4 unicast updates on PE1, and you can see the route in the debug, but not in the BGP VPNv4 table. Which two statements are true? (Choose two)

  • A. After you configure route-target import 999:999 for a VRF on PE1, the route will be accepted
  • B. VPNv4 is not configured between PE1 and PE3
  • C. address-family ipv4 vrf is not configured on PE3
  • D. PE1 will reject the route due to automatic route filtering
  • E. After you configure route-target import 999:999 for a VRF on PE3, the route will be accepted

Correct Answer: AD

Explanation: Because some PE routers might receive routing information they do not require, a basic requirement is to be able to filter the MP-iBGP updates at the ingress to the PE router so that the router does not need to keep this information in memory.
The Automatic Route Filtering feature fulfills this filtering requirement. This feature is available by default on all PE routers, and no additional configuration is necessary to enable it. Its function is to filter automatically VPN-IPv4 routes that contain a route target extended community that does not match any of the PE’s configured VRFs. This effectively discards any unwanted VPN-IPv4 routes silently, thus reducing the amount of information that the PE has to store in memory -> Answer ‘PE1 will reject the route due to automatic route filtering’ is correct.

203. Which two statements about HSRP are true? (Choose two)

  • A. It supports unique virtual MAC addresses
  • B. Its virtual MAC is 0000.0C07.ACxx
  • C. Its default configuration allows for pre-emption
  • D. It supports tracking
  • E. Its multicast virtual MAC is 0000.5E00.01xx

Correct Answer: BD

204. What function does vxlan perform in an SD-Access deployment?

  • A. policy plane forwarding
  • B. control plane forwarding
  • C. data plane forwarding
  • D. systems management and orchestration

Correct Answer: C

205. Which antenna type should be used for a site-to-site wireless connection?

  • A. Omnidirectional
  • B. dipole
  • C. patch
  • D. Yagi

Correct Answer: D

Explanation: Yagi Antenna

  • Used to communicate in one direction (unidirectional)
  • They have a longer range in comparison to Qmni Antennas
  • Typically only communicate with one other radio, however can talk to multiple
  • More common to see used in remote locations

206. Refer to the exhibit. Edge-01 is currently operational as the HSRP primary with priority 110. Which command on Edge-02 causes it to take over the forwarding role when Edge-01 is down?

  • A. standby 10 priority
  • B. standby 10 preempt
  • C. standby 10 track
  • D. standby 10 timers

Correct Answer: A

207. What is the purpose of an RP in PIM?

  • A. send join messages toward a multicast source SPT
  • B. ensure the shortest path from the multicast source to the receiver.
  • C. receive IGMP joins from multicast receivers.
  • D. secure the communication channel between the multicast sender and receiver.

Correct Answer: A

208. Which two statements about EIGRP load balancing are true? (Choose two)

  • A. Cisco Express Forwarding is required to load-balance across interfaces
  • B. A path can be used for load balancing only if it is a feasible successor
  • C. EIGRP supports unequal-cost paths by default
  • D. Any path in the EIGRP topology table can be used for unequal-cost load balancing
  • E. EIGRP supports 6 unequal-cost paths

Correct Answer: BE

Explanation: EIGRP provides a mechanism to load balance over unequal cost paths (or called unequal cost load balancing) through the “variance” command. In other words, EIGRP will install all paths with metric < variance * best metric into the local routing table, provided that it meets the feasibility condition to prevent routing loop. The path that meets this requirement is called a feasible successor. If a path is not a feasible successor, it is not used in load balancing.
Note: The feasibility condition states that, the Advertised Distance (AD) of a route must be lower than the feasible distance of the current successor route.

209. What is the difference between CEF and process switching?

  • A. CEF processes packets that are too complex for process switching to manage.
  • B. CEF is more CPU-intensive than process switching.
  • C. CEF uses the FIB and the adjacency table to make forwarding decisions, whereas process switching punts each packet.
  • D. Process switching is faster than CEF.

Correct Answer: C

Explanation: CEF uses a FIB to make IP destination prefix-based switching decisions.

210. Which QoS mechanism will prevent a decrease in TCP performance?

  • A. Shaper
  • B. Rate-Limit
  • C. Policer
  • D. Fair-Queue
  • E. WRED
  • F. LLQ

Correct Answer: E

Explanation: Weighted Random Early Detection (WRED) is just a congestion avoidance mechanism. WRED drops packets selectively based on IP precedence. Edge routers assign IP precedences to packets as they enter the network. When a packet arrives, the following events occur:
The average queue size is calculated.
2. If the average is less than the minimum queue threshold, the arriving packet is queued.
3. If the average is between the minimum queue threshold for that type of traffic and the maximum threshold for the interface, the packet is either dropped or queued, depending on the packet drop probability for that type of traffic.
4. If the average queue size is greater than the maximum threshold, the packet is dropped.
WRED reduces the chances of tail drop (when the queue is full, the packet is dropped) by selectively dropping packets when the output interface begins to show signs of congestion (thus it can mitigate congestion by preventing the queue from filling up). By dropping some packets early rather than waiting until the queue is full, WRED avoids dropping large numbers of packets at once and minimizes the chances of global synchronization. Thus, WRED allows the transmission line to be used fully at all times.
WRED generally drops packets selectively based on IP precedence. Packets with a higher IP precedence are less likely to be dropped than packets with a lower precedence. Thus, the higher the priority of a packet, the higher the probability that the packet will be delivered.

211. Which IPv6 migration method relies on dynamic tunnels that use the 2002::/16 reserved address space?

  • A. GRE
  • B. 6RD
  • C. 6to4
  • D. ISATAP

Correct Answer: C

Explanation: 6to4 tunnel is a technique which relies on reserved address space 2002::/16 (you must remember this range). These tunnels determine the appropriate destination address by combining the IPv6 prefix with the globally unique destination 6to4 border router’s IPv4 address, beginning with the 2002::/16 prefix, in this format:
2002:border-router-IPv4-address::/48
For example, if the border-router-IPv4-address is 64.101.64.1, the tunnel interface will have an IPv6 prefix of 2002:4065:4001:1::/64, where 4065:4001 is the hexadecimal equivalent of 64.101.64.1. This technique allows IPv6 sites to communicate with each other over the IPv4 network without explicit tunnel setup but we have to implement it on all routers on the path.

212. What are three valid HSRP states? (Choose three)

  • A. INIT
  • B. listen
  • C. full
  • D. learning
  • E. speak
  • F. established

Correct Answer: BDE

213. What are two reasons a company would choose a cloud deployment over an on-prem deployment? (Choose Two)

  • A. In a cloud environment, the company controls technical issues. On-prem environments rely on the service provider to resolve technical issue.
  • B. Cloud costs adjust up or down depending on the amount of resources consumed. On- Prem costs for hardware, power, and space are ongoing regardless of usage
  • C. Cloud deployments require long implementation times due to capital expenditure processes. OnPrem deployments can be accomplished quickly using operational expenditure processes.
  • D. Cloud resources scale automatically to an increase in demand. On-prem requires additional capital expenditure.
  • E. In a cloud environment, the company is in full control of access to their data. On-prem risks access to data due to service provider outages

Correct Answer: BD

Explanation: AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. Using AWS Auto Scaling, it’s easy to setup application scaling for

214. Which two security features are available when implementing NTP? (Choose two )

  • A. symmetric server passwords
  • B. dock offset authentication
  • C. broadcast association mode
  • D. encrypted authentication mechanism
  • E. access list-based restriction scheme

Correct Answer: DE

Explanation: The time kept on a machine is a critical resource and it is strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. The two security features available are an access list-based restriction scheme and an encrypted authentication mechanism.
Reference

215. How does SSO work with HSRP to minimize network disruptions?

  • A. It enables HSRP to elect another switch in the group as the active HSRP switch.
  • B. It ensures fast failover in the case of link failure.
  • C. It enables data forwarding along known routes following a switchover, white the routing protocol reconverges.
  • D. It enables HSRP to failover to the standby RP on the same device.

Correct Answer: A

Explanation: SSO enables the standby RP to tank over if the active RP fails.

216. Which three methods does Cisco DNA Centre use to discover devices? (Choose three)

  • A. CDP
  • B. SNMP
  • C. LLDP
  • D. ping
  • E. NETCONF
  • F. a specified range of IP addresses

Correct Answer: ACF

Explanation: There are three ways for you to discover devices:

  • Use Cisco Discovery Protocol (CDP) and provide a seed IP address.
  • Specify a range of IP addresses. (A maximum range of 4096 devices is supported.)
  • Use Link Layer Discovery Protocol (LLDP) and provide a seed IP address.

217. What is the primary effect of the spanning-tree portfast command?

  • A. It enables BPDU messages
  • B. It minimizes spanning-tree convergence time
  • C. It immediately puts the port into the forwarding state when the switch is reloaded
  • D. It immediately enables the port in the listening state

Correct Answer: C

Explanation: Portfast feature should only be used on edge ports (ports directly connected to end stations). Neither edge ports or PortFast enabled ports generate topology changes when the link toggles so we cannot say Portfast reduces the STP convergence time.
PortFast causes a switch or trunk port to enter the spanning tree forwarding state immediately, bypassing the listening and learning states so answer ‘It immediately puts the port into the forwarding state when the switch is reloaded ‘ is the best choice.

218. Refer to the exhibit. Which command when applied to the Atlanta router reduces type 3 LSA flooding into the backbone area and summarizes the inter-area routes on the Dallas router?

  • A. Atlanta(config-route)#area 0 range 192.168.0.0 255.255.248.0
  • B. Atlanta(config-route)#area 0 range 192.168.0.0 255.255.252.0
  • C. Atlanta(config-route)#area 1 range 192.168.0.0 255.255.252.0
  • D. Atlanta(config-route)#area 1 range 192.168.0.0 255.255.248.0

Correct Answer: C

219. Refer to the exhibit. Which two statements about the EEM applet configuration are true? (Choose two.)

  • A. The EEM applet runs after the CLI command is executed
  • B. The running configuration is displayed only if the letter Y is entered at the CLI
  • C. The EEM applet runs before the CLI command is executed
  • D. The EEM applet requires a case-insensitive response

Correct Answer: BC

Explanation: When you use the sync yes option in the event cli command, the EEM applet runs before the CLI command is executed. The EEM applet should set the _exit_status variable to indicate whether the CLI command should be executed (_exit_status set to one) or not (_exit_status set to zero).
With the sync no option, the EEM applet is executed in background in parallel with the CLI command.

220. Refer to the exhibit. What does the error message relay to the administrator who is trying to configure a Cisco IOS device?

  • A. A NETCONF request was made for a data model that does not exist.
  • B. The device received a valid NETCONF request and serviced it without error.
  • C. A NETCONF message with valid content based on the YANG data models was made, but the request failed.
  • D. The NETCONF running datastore is currently locked.

Correct Answer: A

Explanation: 

221. Refer to the exhibit.

An engineer must establish eBGP peering between router R3 and router R4. Both routers should use their loopback interfaces as the BGP router ID. Which configuration set accomplishes this task?

A.
R3(config)#router bgp 200
R3(config-router)#neighbor 10.24.24.4 remote-as 100
R3(config-router)#bgp router-id 10.3.3.3
R4(config)#router bgp 100
R4(config-router)#neighbor 10.24.24.3 remote-as 200
R4(config-router)#bgp router-id 10.4.4.4

B.
R3(config)#router bgp 200
R3(config-router)#neighbor 10.4.4.4 remote-as 100
R3(config-router)#neighbor 10.4.4.4 update-source loopback0R4(config)#router bgp 100
R4(config-router)#neighbor 10.3.3.3 remote-as 200
R4(config-router)#neighbor 10.3.3.3 update-source loopback0

C.
R3(config)#router bgp 200
R3(config-router)#neighbor 10.24.24.4 remote-as 100
R3(config-router)#neighbor 10.24.24.4 update-source loopback0
R4(config)#router bgp 100
R4(config-router)#neighbor 10.24.24.3 remote-as 200
R4(config-router)#neighbor 10.24.24.3 update-source loopback0

222. Which statement about dynamic GRE between a headend router and a remote router is true?

  • A. The headend router learns the IP address of the remote end router statically
  • B. A GRE tunnel without an IP address has a status of administratively down
  • C. GRE tunnels can be established when the remote router has a dynamic IP address
  • D. The remote router initiates the tunnel connection

Correct Answer: D

223. Which two statements about AAA authentication are true? (Choose two)

  • A. RADIUS authentication queries the router’s local username database
  • B. TACACS+ authentication uses an RSA server to authenticate users
  • C. Local user names are case-insensitive
  • D. Local authentication is maintained on the router
  • E. KRB5 authentication disables user access when an incorrect password is entered

Answer: DE

224. Which action is performed by Link Management Protocol in a Cisco stackwise virtual domain?

  • A. It discovers the stackwise domain and brings up SVL interfaces
  • B. It rejects any unidirectional link traffic forwarding
  • C. It determines if the hardware is compatible to form the stackwise virtual domain
  • D. It determines which switch becomes active or standby

Answer: B

Explanation: The Link Management Protocol (LMP) performs the following functions: + Verifies link integrity by establishing bidirectional traffic forwarding, and rejects any unidirectional links + Exchanges periodic hellos to monitor and maintain the health of the links + Negotiates the version of StackWise Virtual header between the switches StackWise Virtual link role resolution
Reference: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9000/nb-06-cat-9k-stack wp-cte-en.html

225. Which two actions provide controlled Layer 2 network connectivity between virtual machines running on the same hypervisor? (Choose two)

  • A. Use a single trunk link to an external Layer2 switch
  • B. Use a virtual switch provided by the hypervisor
  • C. Use VXLAN fabric after installing VXLAN tunnelling drivers on the virtual machines
  • D. Use a single routed link to an external router on stick
  • E. Use a virtual switch running as a separate virtual machine

Answer: BE

226. Refer to the exhibit. An engineer configures COPP and enters the show command to verify the implementation. What is the result of the configuration?

  • A. All traffic will be policed based on access-list 120
  • B. If traffic exceeds the specified rate, it will be transmitted and remarked
  • C. Class-default traffic will be dropped
  • D. ICMP will be denied based on this configuration

Answer: A

227. Which three methods does Cisco DNA Center use to discover devices? (Choose three)

  • A. CDP
  • B. LLDP
  • C. SNMP
  • D. ping
  • E. NETCONF
  • F. a specified range of IP addresses

Answer: A B F

228. In an SD-WAN deployment, which action in the vSmart controller responsible for?

  • A. handle, maintain, and gather configuration and status for nodes within the SD-WAN fabric
  • B. onboard vEdge nodes into the SD-WAN fabric
  • C. gather telemetry data from yEdge routers
  • D. distribute policies that govern data forwarding performed within the SD-WAN fabric

Answer: D

Explanation: Control plane (vSmart) builds and maintains the network topology and make decisions on the traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies and distributes data plane policies to network devices for enforcement.

Drag & Drop Questions

1. Drag and drop the descriptions from the left onto the correct QoS components on the right.

Answer

2. Drag and drop the characteristics from the left onto the correct infrastructure deployment types on the right.

Answer

3. Drag and drop the characteristics from the left onto the correct routing protocol types on the right.

Answer

4. Drag and drop the LISP components from the left onto the function they perform on the right. Not all options are used.

Answer

+ accepts LISP encapsulated map requests: LISP map resolver
+ learns of EID prefix mapping entries from an ETR: LISP map server
+ receives traffic from LISP sites and sends it to non-LISP sites: LISP proxy ETR
+ receives packets from site-facing interfaces: LISP ITR

Explanation: ITR is the function that maps the destination EID to a destination RLOC and then encapsulates the original packet with an additional header that has the source IP address of the ITR RLOC and the destination IP address of the RLOC of an Egress Tunnel Router (ETR).
After the encapsulation, the original packet become a LISP packet.
ETR is the function that receives LISP encapsulated packets, decapsulates them and forwards to its local EIDs. This function also requires EID-to-RLOC mappings so we need to point out an “map server” IP address and the key (password) for authentication.
A LISP proxy ETR (PETR) implements ETR functions on behalf of non-LISP sites. A PETR is typically used when a LISP site needs to send traffic to non-LISP sites but the LISP site is connected through a service provider that does not accept no routable EIDs as packet sources. PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP sites.
Map Server (MS) processes the registration of authentication keys and EID-to-RLOC mappings. ETRs sends periodic Map-Register messages to all its configured Map Servers.
Map Resolver (MR): a LISP component which accepts LISP Encapsulated Map Requests, typically from an ITR, quickly determines whether or not the destination IP address is part of the EID namespace.

5. Drag and drop the descriptions from the left onto the routing protocol they describe on the right.

Answer

Explanation: Unlike OSPF where we can summarize only on ABR or ASBR, in EIGRP we can summarize anywhere. Manual summarization can be applied anywhere in EIGRP domain, on every router, on every interface via the ip summary-address eigrp asnumber address mask [administrative-distance summary-address eigrp 1 192.168.16.0 255.255.248.0). Summary route will exist in routing table as long as at least one more specific route will exist. If the last specific route will disappear, summary route also will fade out. The metric used by EIGRP manual summary route is the minimum metric of the specific routes.

6. Drag and drop the threat defense solutions from the left onto their descriptions on the right.

Answer

Answer:
+ StealWatch: performs security analytics by collecting network flows
+ ESA: protects against email threat vector
+ AMP4E: provides malware protection on endpoints
+ Umbrella: provides DNS protection
+ FTD: provides IPS/IDS capabilities

7. Drag and drop the characteristics from the left onto the routing protocols they describe on the right.

Answer

OSPF:
– Link State Protocol
– supports only equal multipath load balancing
– quickly computers new path upon link failure

EIGRP:
– maintains alternative loop-free backup path if available
– selects routes using the DUAL algorithm
– Advanced Distance Vector Protocol

8. Drag and drop the characteristics from the left onto the infrastructure types on the right.

Answer

9. Drag and drop the REST API authentication method from the left to the description on the right.

Answer

HTTP basic authentication : username and password in an encoded string
token-based authentication : authorization through identity provider
secure vault : public API resource
OAuth : API-dependent secret

Explanation: When Secure Vault is not in use, all information stored in its container is encrypted.
When a user wants to use the files and notes stored within the app, they have to first decrypt the database. This happens by filling in a previously determined Security Lock – which could be a PIN or a password of the user’s choosing.When a user leaves the app, it automatically encrypts everything again. This way all data stored in Secure Vault is decrypted only while a user is actively using the app. In all other instances, it remains locked to any attacker, malware or spyware trying to access the data.
How token-based authentication works: Users log in to a system and – once authenticated – are provided with a token to access other services without having to enter their username and password multiple times. In short, token-based authentication adds a second layer of security to application, network, or service access.
OAuth is an open standard for authorization used by many APIs and modern applications. The simplest example of OAuth is when you go to log onto a website and it offers one or more opportunities to log on using another website’s/service’s logon. You then click on the button linked to the other website, the other website authenticates you, and the website you were originally connecting to logs you on itself afterward using permission gained from the second website.

10. Drag and drop the DHCP messages that are exchanged between a client and an AP into the order they are exchanged on the right.

Answer

11. Drag and drop the Qos mechanisms from the left to the correct descriptions on the right.

Answer

service policy – bandwidth management technique which delays datagrams
shaping – mechanism to create a scheduler for packets prior to forwarding
DSCP – portion of the IP header used to classify packets
policy map – mechanism to apply a Qos policy to an interface
policing – tool to enforce rate limiting on ingress/egress
Cos – portion of the 802.1Q header used to classify packets

Explanation:
To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or a VC that will be used as the service policy for the interface or VC, use the servicepolicy command in the appropriate configuration mode.

Class of Service (CoS) is a 3 bit field within an Ethernet frame header when we use 802.1q which supports virtual LANs on an Ethernet network. This field specifies a priority value which is between 0 and 63 inclusive which can be used in the Quality of Service (QoS) to differentiate traffic.

The Differentiated Services Code Point (DSCP) is a 6-bit field in the IP header for the classification of packets. Differentiated Services is a technique which is used to classify and manage network traffic and it helps to provide QoS for modern Internet networks. It can provide services to all kinds of networks.

Traffic policing is also known as rate limiting as it propagates bursts. When the traffic rate reaches the configured maximum rate (or committed information rate), excess traffic is dropped (or remarked). The result is an output rate that appears as a saw-tooth with crests and troughs.

Traffic shaping retains excess packets in a queue and then schedules the excess for later transmission over increments of time -> It causes delay.

12. Drag and drop the Qos mechanisms from the left to the correct descriptions on the right.

Answer

On-premises:
– significant initial investment but lower reoccurring costs
– company has control over the physical security of equipment

Cloud:
– pay-as-you-go model
– physical location of data can be defined in contract with provider
– very scalable and fast delivery of changes in scale

13. Drag and drop the characteristics from the left onto the routing protocols they describe on the right.

Answer
OSPF
+ Link State Protocol
+ supports only equal multipath load balancing
+ quickly computes new path upon link failure
EIGRP
+ selects routes using the DUAL algorithm
+ maintains alternative loop-free backup path if available
+ Advanced Distance Vector Protocol

Explanation: EIGRP maintains alternative loop-free backup via the feasible successors. To qualify as a feasible successor, a router must have an Advertised Distance (AD) less than the Feasible distance (FD) of the current successor route.

Advertised distance (AD): the cost from the neighbor to the destination.

Feasible distance (FD): The sum of the AD plus the cost between the local router and the next-hop router

Update logs:

18 Oct 2020: v2.0
6 Oct 2020: v1.0

Download VCE & PDF:

4.3 6 votes
Article Rating

Related Articles

guest
36 Comments
Inline Feedbacks
View all comments
ricardo
ricardo
1 day ago

team good day, one question. Does the certification exam have practices (laboratories) 350-401 encore?

Reddit
Reddit
3 days ago

i want to online test

Rwon
Rwon
3 days ago

Hi do you have the vce of this dump? Thanks

Dat Le
Dat Le
3 days ago

Admin please provide dump CCNP ENARSI ? Please.Reply…

web
web
4 days ago

Passed the exam with another paid dump. I can confirm that all the questions are valid. trust me

Debashish Saha
Debashish Saha
4 days ago

Hi admin, This dump is valid ? Pls. Reply…

Zakky
Zakky
6 days ago

Admin Please confirm if this is valid

Tester
Tester
6 days ago
you would have the answers of the V8 exams ?

Thanks for help us.
RAHMA
RAHMA
7 days ago

this is valid dump ? or not yet!! anybody toke the exam by studied this dump ?

Kitty
Kitty
7 days ago

I have some corrections that I would like to share:
6.D & E
20.D
21.B & E
31.B & E
64.C
71.D
85.D
1 Sim. Switch delay and jitter

John
John
10 days ago

Thanks a lot 🙂
When can we get VCE File.

ricardo
ricardo
10 days ago

wow, great admin. After passing the donare exam on your website, you deserve it for the great work. thank you very much. We wait for the vce. have nice day

cayayo
cayayo
14 days ago

Will be waiting for the VCE file. Thank you admin great work.

Bamse
Bamse
16 days ago

WOW. Great job. Thank You.

NAAB
NAAB
17 days ago

Will there be a curriculum, like ccna curriculum?

PARIKSHATH SAI THALLURI
PARIKSHATH SAI THALLURI
20 days ago

Dear admin, from when questions will be available

ukr
ukr
23 days ago

please also start for CCNP security

Ahd
Ahd
24 days ago

Great job … we are waiting…

PARIKSHATH SAI THALLURI
PARIKSHATH SAI THALLURI
25 days ago

From when questions will be available