CCNP ENCOR v8 Certification Practice Test Online

Hint

Network Time Protocol (NTP) is used to synchronize the time across all devices on the network to make sure accurate timestamping on devices for managing, securing and troubleshooting. NTP networks use a hierarchical system of time sources. Each level in this hierarchical system is called a stratum. The stratum 1 devices are directly connected to the authoritative time sources.

Hint

The ntp server ip-address global configuration command configures the NTP server for IOS devices.

Hint

The Routed access design has a number of advantages over the STP-based design: No FHRP required – no need for FHRP protocols such as HSRP and VRRP. No STP required – since there are no L2 links to block, this design removes the need for STP. Easier troubleshooting – It offers common end-to-end troubleshooting tools (such as ping and traceroute). The Routed access is an excellent design for many environments, but it has the same limitation as the STP-based design, in which it does not support spanning VLANs across multiple access switches. Additionally, it might not be the most cost-effective solution because access layer switches with Layer 3 routing capability might cost more than Layer 2 switches do.

Hint

The primary function of the distribution layer is to aggregate access layer switches in a given building or campus. The distribution layer provides a boundary between the Layer 2 domain of the access layer and the Layer 3 domain of the core. On the Layer 2 side, it creates a boundary for Spanning Tree Protocol (STP), limiting propagation of Layer 2 faults. On the Layer 3 side, it provides a logical point to summarize IP routing information when it enters the core Layer. The summarization reduces IP route tables for easier troubleshooting and reduces protocol overhead for faster recovery from failures.

Hint

Through the use of telemetry, the network assurance and analytics feature of SD-Access improves the performance of the network through proactive prediction of network-related and security-related risks.

Hint

The management layer of the Cisco SD-Access Architecture abstracts all the complexities and dependencies of the other layers and provides the user with GUI tools and workflows to manage and operate the Cisco DNA network.

Hint

The Cisco SD-WAN solution has four main components: The vManage Network Management System (NMS) is the single pane of glass for managing the SD-WAN solution. The vSmart controller acts as the brains of the solution. The SD-WAN routers serve vEdge and cEdge routers. The vBond orchestrator authenticates and orchestrates connectivity between SD-WAN routers and vSmart controllers.

Hint

In order to deliver end-to-end QoS, DiffServ architecture has two major components, packet marking using the IPv4 ToS byte and PHBs. The Differentiated Services (DS) field uses 6 bits to classify packets. DSCP uses the leftmost six bits from the ToS byte in the IPv4 header to specify class of service for each IP packet to form the DiffServ (DS) field. With 6 bits, DSCP has up to 64 DSCP values (0 to 63) that are assigned to various classes of traffic. These selective values are called per-hop behaviors (PHB) and determine how packets are treated at each hop along the path from the source to the destination.

Hint

VoIP traffic is extremely sensitive to delay, and the QoS category to be set for this type of traffic on a Cisco WLC is platinum.

Hint

The forwarding information base (FIB) and adjacency tables are the main components of CEF. The FIB is similar to a routing table, but neither the routing table, nor the ARP table, nor the MAC-address table is part of CEF.

Hint

CEF uses the FIB and adjacency table to make fast forwarding decisions without control plane processing. The adjacency table is pre-populated by the ARP table and the FIB is pre-populated by the routing table.​

Hint

Cisco DNA Center is a main component of the Cisco NFV solution that provides centralized consistent policies across enterprise branch offices.

Hint

SR-IOV is an enhancement to PCI passthrough that allows multiple VNFs to share the same pNIC.

Hint

Locator/Identifier Separation Protocol (LISP) is used by Internet providers, data centers, branch networks, and campus networks to address routing scalability problems and provide an overlay tunneling technology. LIST separates IP addresses into endpoint identifiers (EID) and routing locators (RLOCs) so endpoints can roam from site to site with only the RLOC changing. An egress tunnel router (ETR), ingress tunnel router (ITR), proxy ETR, proxy ITR, or xTR, a device that is both an ETR and an ITR, are used to connect LISP and non-LISP sites in a variety of ways.

Hint

• Virtual Network Function (VNF) is a software version of a network function that runs on the hypervisor as a VM.
• Virtualized Infrastructure Manager (VIM) is responsible for controlling NFVI hardware resources and virtualized resources.
• Element Managers (EMs) are responsible for the functional management of the VMs.
• NFV orchestrator is responsible for creating, maintaining and tearing down VNF services.
• Business Support System (BSS) works in tandem with OSS (platform typically operated by service providers) to improve overall customer experience.

Hint

In a virtualized server the vSwitch is connected to external networks through physical NICs (pNICs) and to VMs through virtual NICs (vNICs).

Hint

A virtual switch (vSwitch) is a software-based Layer 2 switch that operates like a physical Ethernet switch. A vSwitch enables VMs to communicate with each other within a virtualized server and with external physical networks through the physical network interface cards (pNICs.) Multiple vSwitches can be created under a virtualized server, but network traffic cannot flow directly from one vSwitch to another vSwitch within the same host, and the vSwitches cannot share the same pNIC.

Hint

Virtual routing and forwarding (VRF) is a Layer 3 technology used to create separate virtual routers on a physical router. Each VRF instance has associated router interface(s) or subinterface(s), routing table, and forwarding table. Overlapping and even duplicate IP addresses can be used when using VRF because VRF creates segmentation between the interfaces, IP addresses, and routing tables.

Hint

A virtual machine (VM) is a software emulation of a physical server with an operating system. A container is an isolated environment where containerized applications run. Containers all share the same OS while remaining isolated from each other. They all use virtualized memory managed by the hypervisor. Because a container does not have a guest OS, it relies on the host operating system to provide underlying services. It typically takes a few seconds to start.

Hint

Each VM on a server has an dedicated OS and all containers on a server share the host OS while remaining isolated from each other. A VM contains a guest OS. Containers do not contain one, so they are lightweight (small in size). When a VM starts, the guest OS needs to load first, and once it is operational, the application in the VM can then start and run. This whole process may take minutes. When a container starts, it leverages the kernel of the host OS, which is already running, and it typically takes a few seconds to start.

Hint

The priority value 24576 is a predefined value that is implemented by the command spanning-tree vlan 10 root primary . This command configures Switch_2 to become the root switch. A root switch will have all forwarding interfaces and no root ports.

Hint

A virtual machine is a software emulation of a physical server including a CPU, memory, network interface, and operating system. The hypervisor is virtualization software that performs hardware abstraction. It allows multiple VMs to run concurrently in the virtual environment.

Hint

One of the major benefits of the STP PortFast feature is that the access ports bypass the earlier 802.1D STP states (learning and listening) and forward traffic immediately. PortFast can be enabled on trunk links, but only with ports that are connecting to a single host, such as a server with only one NIC that is running a hypervisor with VMs on different VLANs.

Hint

STP is the 802.1D standard. RSTP is the 802.1W standard. MSTP is the 802.1S standard. MST, PVST+, and Rapid PVST+ are Cisco proprietary.

Hint

By default, all VLANs are assigned to IST before VLANs are assigned to other instances. In the configuration shown, IST contains all VLANs except for the 32 VLANs assigned to instances 1 and 2, which is 4062 VLANs.

Hint

Based on the output, three conclusions can be drawn: The interface gigbitEthernet 1/0/1 port is not an Edge port. It is inside the region. The cost value on the interface gigbitEthernet 1/0/1 port is adjusted to 20 from 20000 for instance 0. The priority value on the interface gigbitEthernet 1/0/1 port is adjusted to 64 from 128 for instance 2.

Hint

Spanning tree should never be disabled. Without it, the MAC address table becomes unstable, broadcast storms can render network clients and the switches unusable, and multiple copies of unicast frames can be delivered to the end devices.

Hint

High CPU consumption and low free memory space are common symptoms of a Layer 2 forwarding loop. In Layer 2 forwarding loops, besides constantly consuming switch bandwidth, the CPU spikes as well. As the packet is received on a different interface, the switch must move the MAC address from one interface to the next. The network throughput is impacted drastically, users will probably notice a slow-down on their network applications, and the switches might crash because of an exhausted CPU and low memory resources.

Hint

Root guard is an STP feature that is enabled on a port-by-port basis. It prevents a configured port from becoming a root port. Root guard prevents a downstream switch from becoming a root bridge in a topology. Root guard is placed on designated ports toward other switches that should never become root bridges. In order to prevent SW4 and SW5 from becoming root bridges, root guard has to be placed on SW2 Gi0/4 port toward SW4 and on SW3 Gi0/5 port toward SW5.

Hint

Cisco switches support two protocols for negotiating a channel between two switches: LACP and PAgP. PAgP is Cisco-proprietary. In the topology shown, the switches are connected to each other using redundant links. By default, STP is enabled on switch devices. STP will block redundant links to prevent loops.

Hint

Before the switch is put in the correct VTP domain and in client mode, the switch must be connected to any other switch in the VTP domain through a trunk in order to receive/transmit VTP information.

Hint

In the exchange OSPF neighbor state, two routers exchange link states using DBD packets that summarize their link-state databases.

Hint

OSPFv3 DR/BDR routers send link-state updates and link acknowledgments to the AllSPFRouter IPv6 multicast address of FF02::5.

Hint

In MST operation, the instance priority is a value between 0 and 61,440, in increments of 4096.

Hint

In MST configuration, an MST instance priority can be defined in one of two methods: spanning-tree mst instance-number priority priority , where the priority is a value between 0 and 61,440, in increments of 4096 spanning-tree mst instance-number root { primary | secondary }[ diameter diameter ], where the primary keyword sets the priority to 24,576, and the secondary keyword sets the priority to 28,672

Hint

The multiple-exit discriminator (MED) is a nontransitive BGP attribute for best-path determination. MED uses a 32-bit value (0 to 4,294,967,295) called a metric. The purpose of MED is to influence traffic flows inbound from a different AS. A lower MED is preferred over a higher MED.

Hint

Channels 1, 6, and 11 are selected because they are 5 channels apart. thus minimizing the interference with adjacent channels. A channel frequency can interfere with channels on either side of the main frequency. All wireless devices need to be used on nonadjacent channels.

Hint

If one trunk port is in auto DTP negotiation mode, a trunk will be formed if the adjacent switch port is placed in trunk or dynamic desirable mode.

Hint

IGMP snooping reduces multicast flooding on a LAN segment by learning and maintaining multicast group memberships at the Layer 2 level.

Hint

After hello packets are exchanged, an OSPF router sends a database description packet summarizing its link-state database to its neighbors.

Hint

WPA3-Personal uses the Simultaneous Authentication of Equals (SAE) method to strengthen the key exchange between the clients and AP.

Hint

The broadcast network type is the default for OSPF Ethernet links and includes the DR/BDR field in hellp packets and uses a 10 seconds hello and 40 seconds dead interval.

Hint

There are several key advantages to using multiarea vs single area OSPF:

• Shortest path first (SPF) tree calculations are contained within an area when a link flaps.
• The LSDB is more manageable.
• Summarization of route information can occur.

Hint

An OSPF DR advertises attached multiaccess network segments with the type 2 network LSA.

Hint

Type 3 LSAs are originated by ABRs to advertise networks learned from other areas.

Hint

Both Layer 2 and Layer 3 roams are intercontroller roaming. In intercontroller roaming, a client roams from one AP to another AP that is bound to a different WLC. If both APs are configured with the same VLAN and IP address subnet, the client has made a Layer 2 intercontroller roam and it stays on the same VLAN and subnet. The process of Layer 2 roaming is faster than Layer 3 roaming (usually less than 20 ms). Both Layer 2 roaming and Layer 3 roaming allow the client to keep the same IP address.

Hint

Catalyst switches provide the Switched Port Analyzer (SPAN), which makes it possible to capture packets by using the following techniques:

• Local Switched Port Analyzer. Local network traffic is captured on a switch and a copy of it is sent to a local port attached to a traffic analyzer.
• Remote Switched Port Analyzer (RSPAN). Network traffic is captured on a remote switch and a copy of it is sent to the local switch through Layer 2 (switching) toward a local port attached to a traffic analyzer.
• Encapsulated Remote Switched Port Analyzer (ERSPAN). Network traffic is captured on a remote device and it is sent to the local system through Layer 3 (routing) toward a local port attached to a traffic analyzer.

Hint

To complete the ZBFW configuration the zone-member security OUTSIDE command must be issued to GigabitEthernet 0/2.

Hint

PACLs have some limitations and restrictions. PACLs do not support filtering of outbound traffic on an interface, and they do not support ACLs to filter IPv6 traffic.

Hint

When an organization deploys network access control, MAB and WebAuth can be used as a fallback authentication mechanism for 802.1x. If both MAB and WebAuth are configured as fallbacks for 802.1x, when 802.1x times out, a switch first attempts to authenticate through MAB, and if it fails, the switch attempts to authenticate with WebAuth.

Hint

The BGP best-path algorithm uses attributes for the best-path selection. The top 5 attributes, ranked in order of consideration, are the following:

• 1. Weight.
• 2. Local preference.
• 3. Local originated (network statement, redistribution, or aggregation).
• 4. AIGP.
• 5. Shortest AS_Path.

BGP weight is a Cisco-defined attribute and is a 16-bit value assigned locally on the router; it is not advertised to other routers. Thus, the weight attributes as specified in RTD and RTE have no effect in RTA for determining the best outbound path. Assuming that the attributes in ranks 2 to 4 are not specified, the shortest AS_Path attribute is used to choose the outbound path when two paths are available.

Hint

RESTful APIs are software interfaces into an application or a controller. For security considerations, access to APIs should require authentication such that an API is considered just like any other device to which a user needs to authenticate to gain access to utilize the APIs. A developer who is authenticated has access to making changes using the API, changes that can affect that application. It is best practice to use a dedicated development instance of the application to test change codes to avoid accidental impact to a production environment.

Hint

Spectrum analyzers are designed to detect and measure RF energy that is present in those frequency ranges at 2.4 GHz and 5 GHz. A spectrum analyzer takes RF radio information, whether it is from wireless access points or other equipment using the free ISM band, and puts it into a visible display format.

Hint

A JavaScript Object Notation (JSON) object is a key-value data format that is typically rendered in curly braces { }.

Hint

Because Pim dense mode uses more bandwidth during its periodic flood and prune behavior, it is not recommended for production environments.

Hint

Ansible is an agentless automation tool that uses playbooks to deploy configuration changes or retrieve information from hosts. The Ansible playbook is a structured set of instructions used to enforce configuration and deployment steps or to retrieve information from hosts.

Hint

In MST operation, the instance priority is a value between 0 and 61,440, in increments of 4096.

Hint

To enable a trunking EtherChannel successfully, the range of VLANs allowed on all the interfaces must match; otherwise, the EtherChannel cannot be formed. The interfaces involved in an EtherChannel do not have to be physically contiguous, or on the same module. Because the EtherChannel is a trunking one, participating interfaces are configured as trunk mode, not access mode.

Hint

There are five EIGRP packet types exchanged between EIGRP routers:

• Hello
• Request
• Update
• Query
• Reply

Hint

System messages of levels 0 (emergencies) through 4 (warnings) are sent to the syslog server at 192.168.10.10.

Hint

NetFlow flows are unidirectional. One user connection exists as two flows. The flow in each direction must be captured. This is done by using both the ip flow ingress and ip flow egress command on the interface.

Hint

The show monitor session command is used to verify how SPAN is configured (what ports are involved in the traffic mirroring).

Hint

NetFlow consumes additional memory to accommodate the data stored in cache. The collector must have adequate RAM and hard disk space to support NetFlow. Two individual flows exist for each user connection. All devices are not required to support NetFlow. Data can be collected from devices that do support it.

Hint

The Switched Port Analyzer (SPAN) feature on Cisco switches is a type of port mirroring that sends copies of the frame entering a source port (or VLAN), out another port on the same switch. Typically the destination port is attached with a packet sniffer or IPS device. Remote SPAN (RSPAN) allows source and destination ports to be in different switches.

Hint

The basic BGP configuration steps include the following: Initialize the BGP routing process with the global command router bgp as-number . Identify the IP address and autonomous system number associated with a BGP neighbor by the BGP router configuration command neighbor ip-address remote-as as-number . Identify the specific network prefixes to be installed into the BGP table with the network statements.

Hint

Both Layer 2 and Layer 3 roams are intercontroller roaming. In intercontroller roaming, a client roams from one AP to another AP that is bound to a different WLC. An AP communicates to the bounding WLC through a CAPWAP tunnel. If the two APs involved in an intercontroller roaming are configured with the same VLAN and IP subnet, Layer 2 roaming occurs. If they are configured with different VLANs and IP subnets, a Layer 3 roaming occurs.

Hint

IP SLA is a tool that allows for the continuous monitoring of various aspects of the network. Different types of probes can be configured to monitor traffic within a network environment:

• Delay
• Jitter (directional)
• Packet loss (directional)
• Packet sequencing (packet ordering)
• Path (per hop)
• Connectivity (directional)
• Server or website download time
• Voice quality scores

Hint

The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. DH (Diffie-Hellman) is an algorithm used for key exchange. DH is a public key exchange method that allows two IPsec peers to establish a shared secret key over an insecure channel.

Hint

The IP address that is assigned to the tunnel interface on the local router is 172.16.1.1 with a prefix mask of /30. The only other address, 172.16.1.2, would be the destination tunnel interface IP address. Although 209.165.200.226 is listed as a destination address in the output, this is the address of the physical interface at the destination, not the tunnel interface.

Hint

The GRE tunneling protocol is Cisco proprietary and does not include any flow-control mechanisms by default. GRE does not support encryption and is used to manage the transportation of IP multicast and multiprotocol traffic.

Hint

The acronym CIA provides three critical functions of the IPsec service: confidentiality, integrity, and authentication. Speed, accounting, and authorization are possible factors within the IPsec service but are not critical.

Hint

Syslog operations include gathering information, selecting which type of information to capture, and directing the captured information to a storage location. The logging service stores messages in a logging buffer that is time-limited, and cannot retain the information when a router is rebooted. Syslog does not authenticate or encrypt messages.

Hint

The default zone is a system-level zone. If an interface is not configured as part of another security zone, it is placed in the default zone automatically.

Hint

Type 7 passwords are considered insecure. They are encrypted with a weak Vigenere cypher that is easily deciphered in seconds.

Hint

Email is a top attack vector for security breaches. Cisco ESA includes many threat protection capabilities for email such as spam protection, forged email detection, and Cisco advanced phishing protection.

Hint

802.1x is an industry standard for providing port-based network access control. It provides a mechanism to authenticate devices onto local-area networks and WLANs.

Hint

The authentication for Telnet connections is defined by AAA method list AUTHEN. The AUTHEN list defines that the first authentication method is through an ACS server using the RADIUS protocol (or RADIUS server). If the RADIUS server cannot be contacted, the second authentication method is to use the local user database. In this scenario, the local user database is used with a username of ADMIN and a password of Pa$$w0rD.

Hint

Local AAA authentication works very similar to the login local command, except that it allows you to specify backup authentication methods as well. Both methods require that local usernames and passwords be manually configured on the router.

Hint

The extended access list in the exhibit is permitting SSH (TCP port 22) traffic that is sourced from the 192.168.1.0/24 network and traveling to the 192.168.2.0/24 network. The packets meeting this criteria are logged to the local logging buffer (the default), a syslog server, or both depending on how the router is configured for syslog settings. All other traffic is denied because of the implicit deny at the end of every ACL.

Hint

The access list stops Telnet traffic from the 10.1.1.2 device to the 10.1.1.1 device. It also stops Telnet traffic from 10.1.2.2 device to 10.1.2.1. All other TCP/IP-based transmissions are allowed. The access list is working because there have been 15 matches on the last ACE.

Hint

The ACL configuration guidelines recommend placing extended access control lists as close to the source of network traffic as possible and placing standard access control lists as close to the destination of network traffic as possible.

Hint

The common data formats that are used in many applications including network automation and programmability are as follows: JavaScript Object Notation (JSON) – In JSON, the data known as an object is one or more key/value pairs enclosed in braces { }. Keys must be strings within double quotation marks ” “. Keys and values are separated by a colon. eXtensible Markup Language (XML) – In XML, the data is enclosed within a related set of tags data. YAML Ain’t Markup Language (YAML) – In YAML, the data known as an object is one or more key value pairs. Key value pairs are separated by a colon without the use of quotation marks. YAML uses indentation to define its structure, without the use of brackets or commas.

Hint

The print command is used for console output. The command for is used for repetition logic , from is used for module importing, and return is a function definition.

Hint

A compiled computer language is a computer language that compiles its programs into a set of machine-language instructions, whereas an interpreted programming language allows for an interpretation of the instructions directly without first compiling them into machine language.

Hint

A module is a file containing Python definitions and statements.

Hint

Chef and Puppet have several similarities, to include:

• Both have free open source versions available.
• Both have paid enterprise versions available.
• Both manage code that needs to be updated and stored.
• Both manage devices or nodes to be configured.
• Both leverage a pull model.
• Both function as a client/server model.

Hint

The Cisco DNA Center controller expects all incoming data from the REST API to be in JSON format.

Hint

There are several available agent based configuration and automation tools, including Puppet, Chef, and SaltStack. Ansible, Puppet Bolt, and EEM are agentless tools.

Hint

Puppet is a configuration management and automation tool that uses modules to support the configuration of most devices that can be configured manually. Puppet modules contain three components: Manifests, templates, and files.

Hint

BPDU guard can be enabled globally on all PortFast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. If PortFast is not configured, then BPDU guard is not activated.

Hint

There are two types of hypervisors:

• Type 1 – This type of hypervisor runs directly on the system hardware.
• Type 2 – This type of hypervisor requires a host OS to run.

Both types of hypervisors can run on regular computer systems and support multiple OS virtualizations.

Hint

The BGP session summary report includes information as follows:

• Neighbor – the IP address of the BGP peer
• V – the BGP version spoken by the BGP peer
• AS – the autonomous system number of the BGP peer
• MsgRcvd – the count of messages received from the BGP peer
• MsgSent – the count of messages sent to the BGP peer
• TblVer – the last version of the BGP database sent to the peer
• InQ – the number of messages queued to be processed by the peer
• OutQ – the number of messages queued to be sent to the peer
• Up/Down – the length of time the BGP session is established or the current status if the session is not in an established state
• State/PfxRcd – the current state of the BGP peer or the number of prefixes received from the peer

Hint

The origin is a well-known mandatory BGP path attribute used in the BGP best-path algorithm. A value of i represents an IGP, e indicates EGP, and ? indicates a route that was redistributed into BGP.