Incercare Flashcards

Question

How is STP path cost calculated?

Answer 1

Received path cost (included in BPDU received by the switch) + the locally calculated cost of the ingress interface (the interface BPDUs are received on). The cost in BDPUs sent downstream does not include the cost of the egress interface.

Answer 2

Highest OSPF interface priority wins, second highest becomes the BDR. In case of a tie, the highest RID wins. A router with interface priority set to 0 will never become a DR or BDR.

Answer 3

0000.0C07.ACxx, where xx is the HSRP group ID

Answer 4

0000.0C9F.Fxxx, where xxx is the HSRP group ID.

Answer 5

0005.73A0.0xxx, where xxx is the HSRP group ID.

Answer 6

HSRPv2 when used with IPv4

Answer 7

HSRPv2 with IPv6

Answer 8

224.0.0.2 (all routers)

Answer 9

224.0.0.102

Answer 10

Device that encapsulates and de-encapsulates VXLAN

Answer 11

Logical interface that encapsulates and de-encapsulates VXLAN

Answer 12

VXLAN Network Identifier. VNIs are used for VXLAN network segmentation and are mapped to VLANs on VTEPs.

Answer 13

Over 16 million:

2²⁴= 16777216

Answer 14

Link-state advertisements. They are used to advertise the router's link-local IPv6 addresses, prefixes and options. These LSA are not flooded outside local links.

Answer 15

Intra-area prefix LSA. It carries IPv6 prefix information that is carried by type 1 and type 2 LSA in OSPFv2

Answer 16

disable

enable

exit

help

logout

Answer 17

IS-IS. Other protocols can be used, but it is not recommended by Cisco and have to be configured manually.

Answer 18

Only transit traffic. Host-originating traffic will not be filtered by an outbound ACL.

Answer 19

vBond orchestrator

Answer 20

An Intent API is a business-outcome-oriented northbound REST API. It is used to facilitate DNA Center policy workflow that is used to define business intent, that is then translated into policy-based access control, routing and QoS.

Answer 21

Integration APIs are westbound APIs used to integrate third party sysetms, such as IT Service Management (ITSM) and IP Address Management (IPAM).

Answer 22

1. MM_NO_STATES - Peers have not yet agreed on IKE SA parameters

2. MM_SA_SETUP - SA parameters agreed upon, Diffie-Helman exchange pending

3. MM_KEY_EXCH - Diffie-Helman exchange done, IKE SA not yet successful

4. MM_KEY_AUTH - IKE SA authentication complete

5. QM_IDLE - quick mode negotiation now possible

Answer 23

Type 1 hypervisor - bare metal, running directly on hardware

Type 2 hypervisor - runs on top of a host OS.

Answer 24

STP Dispute is a condition when a switch receives a BPDU inferior to its own. This is an indication of either:

Uni-directional link - the other switch is not receiving superior BDPUs and thus is still sending its own, inferior BPDU

Software issue on the other switch.

Answer 25

10 minutes

Answer 26

A tunnel key is a 4-byte pre-shared cleartext password that needs to match for a GRE packet to be accepted.

Answer 27

Cisco-proprietary southbound API. It uses Java, C, or Python to configure network devices. It can use either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data in transit.

Answer 28

Southbound API using an Imperative SDN model, sending detailed instructions to network devices.

Answer 29

Southbound API using a Declarative SDN model, sending instructions but leaving the implementations to the devices.

Answer 30

IEEE 802.1AE

Answer 31

1. Weight - highest is best (local, Cisco-specific)

2. Local preference - highest is best (this is set by the router in our AS)

3. Originated locally (added by network statement or redistributed from IGP on this router) are preferred to routes received from other routers. Locally originated routes will have a weight of 32768.

4. AS path - Shortest is best

5. Origin - Origin “i” (IGP, added via network statement) beats “?” (incomplete, meaning redistributed). “e” is no longer used.

6. Multiple Exit Discriminator - if there are multiple routes from the same AS, the lowest MED (set by the router in foreign AS)

7. Path - External (eBGP) paths are preferred over internal (iBGP)

8. if iBGP, smallest iBGP metric

9. if iBGP and Route Reflection is used, shortest Cluster-List length

10. Router ID - Lowest Router ID

11. Lowest Peer Address

Answer 32

1. Configuration name

2. Configuration revision

3. A digest (i.e. the output of a hash function) of the VLAN-MSTI mapping.

Answer 33

IST is an instance of MST that is always present and has an ID of 0. It runs on all ports and also carries information about other instances, so there’s only one set of BDPUs sent.

Answer 34

Hello: 30s

Answer 35

LACP slow - Hello 30s, Dead 90s

LACP fast - Hellos 1s, Dead 3s

Answer 36

(config-if)# lacp rate fast

Answer 37

Hello - 5s

Hold - 15s

Answer 38

Network Layer Reachability Information (NLRI)

Answer 39

TTL of packets containing eBGP messages is set to 1.

Answer 40

1. No route towards peer

2. BGP peer is administratively down

3. Timeout after an unsuccessful peering attempt. After the first attempt, the ConnectRetryTimer is set to 60 and is doubled after each subsequent unsuccessful attempt. When the ConnectRetryTimer counts down to 0, the condition is cleared and another connection attempt is made.

Answer 41

BGP community is an optional transitive BGP attribute that is used to “tag” an NLRI as it traverses different routers and AS. Each router can act upon a community using route-maps or a similar mechanism.

A community is a 32-bit number (possibly larger with new RFCs) presented as either a single 32-bit value or two 16-bit values side-by-side (xxxxxx:yyyyyy).

Answer 42

1. Hello - sent at regular intervals, includes priority value and information about the device (physical IP, virtual IP)

2. Coup - Sent by a router preempting another router

3. Resign - Sent when router ceases to be active, either due to preemption or due to being shut down

4. Advertise - Sent periodically (30 seconds in my lab) by passive devices.

Answer 43

1. Priority - higher is better

2. IP address - higher is better, if priorities are equal

Answer 44

224.0.0.10

Answer 45

1. Configure IKE policy (Optional).

2. Add a pre-shared key to a keyring and associate it with a particular peer.

3. Configure an IPSec transform set.

4. Configure an IKE profile.

5. Configure an IPsec profile.

6. Apply IPSec to traffic.

Answer 46

1. Create and apply a crypto map to a physical interface. This will punt all traffic hitting the interface and matching the crypto map into an IPSec tunnel (no GRE)

2. Create and apply a crypto map to a GRE tunnel interface. This will encapsulate egressing GRE packets in IPSec.

3. Apply an IPSec profile to a GRE tunnel interface

4. Create a Virtual Tunnel Interface (VTI) and configure it with an IPSec profile

Answer 47

Higher values are preferred

Answer 48

Lower values are preferred

Answer 49

1. i - IGP
2. e - EGP
3.? - incomplete

Answer 50

Prefixes added using network BGP command

Answer 51

Prefixes for Exterior Gateway Protocol.

This protocol and the origin code are no longer used.

Answer 52

Prefixes redistibuted from other routing protocols.

Answer 53

0 when originating locally, equal to IGP metric when redistributed.

Answer 54

Only when comparing paths from the same AS (unless bgp always-compare-med is configured)

Answer 55

1. Bandwidth

2. Delay

3. Reliability

4. Load

Answer 56

Bandwidth and delay

Answer 57

Metric = 256*(10^7/BW+delay/10)

Answer 58

Slowest link on the path, measured in bps.

Answer 59

Cumulative delay from all hops on the path.

Answer 60

1. Neighbour table

2. Topology table

3. Routing table

Answer 61

Distance to destination route reported by the next-hop router.

Answer 62

Computed distance – distance to the destination subnet, used as metric. Reported distance + distance to next hop.

Answer 63

Next-hop for the successor (i.e. best) route.

Answer 64

EIGRP route with the lowest metric for the destination

Answer 65

Fallback routes with the second-lowest metric that satisfy the feasability condition.

Answer 66

Feasible successor must have a reported distance lower than the feasible distance.

Answer 67

Shortest computed distance for a destination. In other words, the computed distance of successor route.

Answer 68

1. Network prefix

2. EIGRP neighbours that advertised this prefix

3. Metric advertised by each neighbour

4. Attributes used to calculate each metric.

5. Originating routers

6. Hop counts

Answer 69

Set variance parameter to value higher than 1. All paths whose computed distance is shorter than feasible distance times variance and which satisfy the feasibility condition will be be eligible for loadbalancing.

(config-router)# variance <1-255>

Answer 70

Automatically and manually

Answer 71

To the classful network (e.g. 172.16.1.0/24 to 172.16.0.0/16).

Answer 72

Only when at least one of the subnets summarised is directly connected.

Answer 73

(config-router)# auto-summary

Answer 74

On the advertising interface:

(config-if)# ip summary-address eigrp ASN summary-prefix netmask

Answer 75

Create a keychain:

(config)# key chain chain-name
(config-keychain)# key n
(config-keychain-key)# key-string string

And then apply it to an interface:

(config-if)# ip authentication mode eigrp as-number md5
(config-if)# ip authentication key-chain eigrp as-number chain-name

Answer 76

(config-router)# distance int_distance ext_distance

Answer 77

Full-mesh of peer relatioships or use of a route reflector

Answer 78

This is the starting state. In Idle state, routers do not attempt to initiate a TCP connection to their peers.

Answer 79

A router has sent a SYN TCP segment to its configured peer’s port 179 and awaits a reply. It also listens at its own port 179 for SYN TCP segments incoming from its configured peer.

Answer 80

The router has (again) tried to initiate a TCP connection. It also listens at its own port 179 for SYN TCP segments incoming from its configured peer.

Answer 81

The originating router has already sent an Open message (which mean a TCP handshake was successful) and is awaiting one in return. The parameters in the messages have to match to progress to next state.

Answer 82

Matching BGP versions
Source IP for Open message matches the configured peer IP
AS in the Open message matches the configure peer AS
BGP Router ID (RID) must be present and unique.
Security parameters (password, TTL) must be correct

Answer 83

A Notification message is sent and the state is changed to Idle.

Answer 84

After sending a Keepalive message, the router waits for a reply. If it receives a Keepalive message, it moves to Established state. If it receives a Notification, it moves to Idle.

Answer 85

This is the final stable state for BGP peer relationship. NLRIs are exchanged using Update message - in a burst at first and then only in incremental updates - and Keepalive is used to maintain the peering.

Answer 86

180 seconds

Answer 87

The smaller hold timer value is used by both peers.

Answer 88

To establish BGP adjacency and negotiate session capabilities.

Answer 89

To keep the session alive in absence of updates. Exchanged every one-third of the hold time (so every 60 seconds, by default).

Answer 90

To advertise routes or withdraw previously advertised routes.

Answer 91

To signal an error in the BGP session and to close the session.

Answer 92

(config-router)# aggregate-address network subnet-mask [summary-only] [as-set]

Answer 93

It suppressed more specific prefixes within the range of summary prefix. Without it, both are advertised.

Answer 94

It preserves the AS_Path of aggregated routes in a separate AS_Set attribute.

Answer 95

It counts as a single AS in AS_Path length calculation, but its components are used for loop detection.

Answer 96

Create a static null route and advertise it via BGP network statement:

(config)# ip route prefix netmask null0

(config-router)# network prefix mask netmask

Answer 97

The highest IP from among loopback interfaces in an UP state. If no loopbacks are up, the highest IP from among physical interfaces in an UP state.

Answer 98

IPv4 Unicast

Answer 99

(config-router)# bgp router-id router-id

Answer 100

(config-router)# address-family afi safi - for IP traffic AFI is either ipv4 or ipv6, SAFI is either unicast or multicast. IPv4+unicast by default.
(config-router-af)# neighbor ip-address activate

Answer 101

Distribution lists
Prefix lists
AS path ACL
Route maps

Answer 102

The source part of an extended ACL matches network (as with standard ACL) and the destination part matches the subnet mask.

Example:

permit 172.16.0.0 0.0.255.255 255.255.128.0 0.0.127.0

This will match all networks in 172.16.0.0/16 range that have subnet masks between 255.255.128.0 and 255.255.255.0, i.e. prefix length /17 to /24.

Answer 103

(config-router-af)# neighbor neighbour-ip distribute-list {name | id} {in | out}

Answer 104

Use both ge and le operators in the same entry

Answer 105

(config-router-af)# neighbor neighbour-ip prefix-list name {in | out}

Answer 106

(config)# ip prefix-list list-name seq seq-no {permit | deny} prefix/prefix-len [ge prefix-len] [le prefix-len] [eq prefix-len]

Answer 107

It matches the network exactly, i.e. just this single network and none within it.

Answer 108

It matches all networks within the specified one that have a prefix length exactly the same as the value.

Answer 109

(config)# ip as-path access-list acl-number {deny | permit} regex

Answer 110

clear ip bgp ip-address [soft]

clear bgp afi safi ip-address [soft] [in | out]

Answer 111

Tears down the BGP session, forcing it to be re-established from scratch.

Answer 112

Triggers a full BGP advertisment to rebuild the BGP cache.

Answer 113

The router receiving such a route should not advertise it any further.

Answer 114

The router receiving such route should advertise it into iBGP, but not into eBGP. Other routers in the receiving AS should honour this community, which means that the route should not be advertised beyond that AS.

Answer 115

The route should not be advertised outside the local AS or, in confederation, outside the local sub-AS.

Answer 116

No, they need to be explicitly enabled on a per neighbour basis:

(config-router)# neighbor ip-address send-community [standard | extended | both]

Answer 117

24 bytes (20 bytes IP header + 4 bytes GRE header).

Answer 118

When the next hop for tunnel destination points at the tunnel. This causes the tunnel to fail.

Answer 119

There is no route to the tunnel destination address
The source interface is down
Router has detected recursive routing
Keepalive is configured and has expired
Tunnel interface is administratively disabled
Tunnel is configured with IPSec and the associated IPSec SA is down.

Answer 120

Peer authentication, data authentication and replay detection, but no encryption

Answer 121

Peer authentication, data encryption, data authentication and replay detection

Answer 122

IP header remains intact, IPSec header is added after the IP header and only the payload is encrypted.

Answer 123

The whole IP packet is encapsulated. A new IP header + IPSec header are added before the encrypted original packet.

Answer 124

Transport mode does not add a new IP header, so if either source or destination for the traffic is a non-publicly routable (e.g. RFC 1918) address, packets will go out into the internet with a non-routable destination or source address and promptly get lost.

Answer 125

The original packet + GRE header is encrypted by transport mode and then a new IP header is added in the beginning. This allows transport mode to work for a site-to-site tunnel.

Answer 126

The original packet is encapsulated in GRE and then again encapsulated by IPSec.

Answer 127

maim mode - 6 messages
aggressive mode - 3 messages at the cost of reduced encryption security and leaking the identities of both IKE peers.

Answer 128

Boolean OR logic applies. Only one has to match for the statement to take effect.

Answer 129

Boolean AND logic applies, all need to match for the route map entry to be applied.

Answer 130

224.0.0.0/4 (224.0.0.0-239.255.255.255)

Answer 131

It's an eastbound API used by appplications to establish a notification handler for Cisco DNA to notify them of events.

Answer 132

Best effort - No QoS.
Integrated Services (IntServ) - Applications reserver bandwidth using RSVP and CAC.
Differentiated Services (DiffServ) - Packets are classified for shaping and policing purposes.

Answer 133

On both ingress and egress.

Answer 134

On egress only

Answer 135

Class of Service (CoS) for Ethernet and WiFi Multimedia (WMM)

Answer 136

IP Precedence (IPP) - deprecated
Differentiated Service Code Point (DSCP)

Answer 137

6 bits + 2 bit Explicit Congestion Notification (ECN).

Answer 138

3 bits in the Type of Service (ToS) byte for 8 classes, out of which 6 are usable.

Answer 139

3 bits Priority Code Point + 1 bit Drop Eligible Identifier. Of the 8 values available (0-7), 6 and 7 are reserved. Of the available, 5 is best (used e.g. for voice traffic by Cisco IP phones), 0 is the worst.

Answer 140

voice (AC_VO)
video (AC_VI)
best effort (AC_BE)
background (AC_BK)

Answer 141

WMM class determines how long a client should wait, when a collision occurs, before retransmitting. The shorter the wait, the higher probability the client will start transmitting first, forcing others to wait.

Answer 142

CIR is the rate (in bps) at which tokens are added to a bucket.

Answer 143

The size of bucket used for policing.

Answer 144

This is the time (in ms) over which a committed burst is sent.

Answer 145

Data is sent in bursts, i.e. data is sent at full line rate up to the value of Bc and then stops until the end of Tc interval.

Answer 146

Single-rate, two-colour
Single-rate, three-colour (srTCM)
Two-rate, three-colour (trTCM)

Answer 147

It's the simplest type of policier: uses a single bucket and performs the configured action on all excess traffic

Answer 148

Uses two buckets, one for committed burst (Bc bucket), the other for excess burst (Be bucket). Tokens are added to the regular Bc bucket, and, when Bc bucket is full, they overflow to the Be bucket. Similarly, they are taken from the Bc bucket first and, when it is emptied, they are taken from Be bucket. This means that the Be bucket fills when traffic is below the CIR and represents “savings” that can be used when traffic exceeds CIR. When Be bucket runs out, traffic is capped at CIR.

Answer 149

Uses two buckets, Bc and Be, and two rates: CIR and Peak Information Rate (PIR), which needs to be higher than CIR. Bc is filled at CIR, Be independently at PIR. Traffic up to CIR is accepted, traffic exceeding CIR and up to PIR is marked down, the rest is dropped.

Answer 150

CBWFQ is a queuing algorithm used for trafic shaping. It assigns traffic to classes (up to 256) depending on priority, with each class having a minimum guaranteed bandwidth. Each class is given weight to determine the allocation of bandwidth.

Answer 151

Special queue for real-time traffic. Traffic assigned to LLQ is given priority and transmitted first. LLQ is configured with maximum share of bandwidth to make sure it doesn't crowd out other traffic.

Answer 152

During congestion, it drops packets depending on how much of the queue has filled, thus signalling to senders to slow down transmission. DSCP drop probability or IPP class determine the relative likelihood of a packet being dropped.

Answer 153

When a router senses congestion, it sets both ECN bits in ToS byte in IP header to 1. Then, the receiver will notify the sender of congestion by setting an ECN-Echo TCP flag. The sender then acknowledges this with Congestion Window Reduced (CWR) TCP flag.

Answer 154

Define class-maps to categorise traffic into classes
Define policies for classes using policy-maps
Apply policy maps to interfaces

Answer 155

IP address of an endpoint in a LISP site

Answer 156

IP address of a LISP router

Answer 157

1. A packet arrives at an ITR.

2. ITR sends a Map Request to an MR.

3. MR looks up the destination EID it forwards the Map Request to the Egress Tunnel Router (ETR) that is associated with the destination EID.

4. The ETR responds to the ITR with the ETR’s RLOC.

5. The ITR caches the response.

Answer 158

Power relative to 1 milliwatt

Answer 159

Power gain relative to ideal-type isotropic antenna that radiates signal equally in all directions.

Answer 160

+2 to +5 dB

Answer 161

+6 to +10 dBi

Answer 162

+10 to +14 dBi

Answer 163

+20 to +30 dBi

Answer 164

Transmit power (dBm, Tx) + antenna gain (dBi, Rx+Tx) - cable loss (Rx+Tx) - free space loss

Answer 165

Normalised received signal strength, taking into account the receiver's sensitivity threshold

Answer 166

Relative strength of signal to noise measured in dB

Answer 167

Tx✕Rx:streams

Where Tx is the number of radios on the transmitter, Rx is the number of radios on the receiver, and streams is the number of spatial streams in use.

Answer 168

Adaptation of the data rate and modulation scheme to changes in signal quality

Answer 169

Multi-user Multiple-Input Multiple-Output

Answer 170

Multiple-Input Multiple-Output, i.e. usage of multiple radios on the transmitter and receiver.

Answer 171

Creation of multiple spatial streams on the same channel, multiplying throughput in a process called spatial multiplexing. Multiple signal processing techniques are used to make sure that these transmissions are distinguishable from each other.

Answer 172

TxBF allows transmission to different devices on the same channel simultaneously. Since multiple signals travel along slightly different paths, beamforming is able to shift the phase of each signal so that they arrive in phase at a specific receiver (improving signal quality and SNR) and out of phase at other receivers.

Answer 173

1. Boot

2. WLC discovery

3. WLC selection

4. Establishment of CAPWAP tunnel

5. WLC Join

6. Check firmware image offered by WLC. If different from own, download it, install and reboot

7. Config download

8. Run state

Answer 174

1. Broadcast with CAPWAP Discovery Request packets to UDP 5246

2. Prior knowledge - configured WLCs + 8 of last WLCs the AP joined

3. DHCP Option 43

4. DNS query for CISCO-CAPWAP-CONTROLLER.local-domain, where local-domain is learned from DHCP.

Answer 175

1. Primary configured WLC

2. Secondary configured WLC

3. Tertiary configured WLC

4. WLCs determined by other means, based on reported load

Answer 176

An AP sends keepalive messages to the WLC every 30 seconds by default. If no response is received, the AP sends four more keepalives in 3 second intervals. If it receives no response to these, it starts failover:
1. To the secondary or tertiary configured WLC
2. To other discovered WLCs

Answer 177

Group of WLCs in hot-standby mode. All share a single Mobility MAC and runtime information. If the active fails, a standby seamlessly takes over in Stateful Switchover (SSO)

Answer 178

It's an old name for FlexConnect

Answer 179

WLC maintains a database of clients and cryptographic keys and provides the keys to APs (and possibly other WLCs during an inter-controller roam) so that a new key doesn’t have to be negotiated.

Answer 180

A client maintains a list of keys (up to 8) it used for different APs. If it associates with an AP it saw previously, it can use a cached key instead of negotiating a new one.

Answer 181

The client performs an FT handshake with the new AP before roaming, in which it quickly negotiates new cryptographic keys while avoiding a full 802.11i/EAP handshake. Additionally, QoS parameters can be transferred in the same way. A client can also initiate the handshake via the original AP to reduce the delay even further.

Answer 182

When a client roams between APs associated to two different WLCs

Answer 183

When a client roams between two APs associated with the same WLC

Answer 184

Roaming between two WLCs that have the WLAN mapped to the same VLAN.

Answer 185

Roaming between WLCs that have the WLAN used by client mapped to different VLANs

Answer 186

Both WLCs have to be in the same mobility group

Answer 187

VXLAN with customised header

Answer 188

Cisco TrustSec

Answer 189

The packet format a number of additional fields, primarily the Group Policy ID field, that are used to identify the policy that has been applied to the packet.

Answer 190

A node the registers and resolves EID to RLOC mappings. Basically a LISP MS/MR.

Answer 191

A node that connects external Layer 3 networks to the SDA fabric and acts as PxTR.

Answer 192

Node connecting wired devices (both end devices and APs) to the SDA fabric. Acts as LISP xTR.

Answer 193

WLC that connects APs and wireless endpoints to SDA fabric. Not part of the fabric, but fabric-aware (fabric-enabled).

Answer 194

Nodes that provide only underlay services with no overlay role.

Answer 195

Devices use VRF to create multiple routing tables
Control plane uses LISP Instance IDs to separate the VRFs.
Data plane uses VXLAN VNID field to carry VN information.

Answer 196

Cisco ISE and Cisco DNA Center appliances

Answer 197

vManage NMS
vSmart Controller
vBond Orchestrator
SD-WAN routers
vAnalytics

Answer 198

Network Management System, allows monitoring and configuration of SD-WAN.

Answer 199

Establishes tunnels with SD-WAN routers, exchanges routes using Overlay Management Protocol (OMP), distributes policies to SD-WAN routers.

Answer 200

WAN edge at a site, talks to vSmart controller and establishes tunnels with it.

Answer 201

vEdge - Dedicated router running Viptela software.
cEdge - Cisco router running a specialised IOS XE with SD-WAN functionality. Offers additional security features compared to vEdge.

Answer 202

Authenticates SD-WAN routers and facilitates their connection to vSmart controllers (e.g. using NAT traversal), manages load-balancing between multiple vSmart controllers.

Answer 203

Optional service for data collection and analysis

Answer 204

A feature of Cisco SD-WAN that continuously monitors connection to cloud services and selects the best path.

Answer 205

A filter to only show debug messages related to a particular condition (e.g. an interface)

Answer 206

Source IP
Destination IP
Source port
Destination port
Layer 4 protocol type (TCP, UDP etc.), i.e. the IP protocol field
ToS byte
Input logical interface

Answer 207

1, 5 and 9

Answer 208

Allows customisation of key fields used to identify a flow
Allows traffic sampling to reduce the CPU and memory load
Allows configuration of different receivers for different flows

Answer 209

Flow exporters - destinations where NetFlow data should be sent
Flow records - defines key fields used to identify flows and non-key fields which should be collected
Flow monitors - combines records with exporters, i.e. “this data should be sent to this receiver”. Monitors are then applied to interfaces to effect the configuration and start collecting data. Monitor caches data structured per the record attached and sends it to the exporters at moments determined by cache configuration (see configuration below)
Flow samplers - Enable sampling. Flow samplers are applied to flow records.

Answer 210

Traffic is mirrored to a different interface on the same switch where an analyser is connected.

Answer 211

Mirrored traffic is forwarded to all ports assigned to a special VLAN. Another switch that has this VLAN trunked to can then mirror this traffic to one of its ports, where an analyser is connected.

Answer 212

Mirrored traffic is encapsulated in L3 packets and can be routed to a remote analyser.

Answer 213

(config)# monitor session session-id filter vlan vlan-id

Answer 214

(config-vlan)# remote-span

Answer 215

(config)# monitor session session-id source {interface {ifname|ifrange} | vlan vlan-id} [rx|tx|both] - add a source interface/vlan. An interface range can be specified, and multiple sources can be configured for the same session if the command is repeated. By default, both ingress and egress traffic is captured, this can be overridden with tx (egress only) or rx (ingress only) keywords.
(config)# monitor session session-id destination interface ifname - mirror traffic from source(s) to the specified interface.

Answer 216

(config)# monitor session session-id source {interface {ifname|ifrange} | vlan vlan-id} [rx|tx|both] - add a source interface/vlan. An interface range can be specified, and multiple sources can be configured for the same session if the command is repeated.
(config)# monitor session session-id destination remote vlan vlan-id

Answer 217

(config)# monitor session session-id source remote vlan vlan-id
(config)# monitor session session-id destination interface ifname

Answer 218

(config)# monitor session session-id erspan-source - Enter ERSPAN configuration mode
(config-mon-erspan-src)# source interface if-name
(config-mon-erspan-src)# filter vlan-id (optional)
(config-mon-erspan-src)# destination - enter destination configuration mode
(config-mon-erspan-src-dst)# ip address ipaddress - configure destination IP
(config-mon-erspan-src-dst)# erspan-id id - (optional) configure ERSPAN ID, used to differentiate different sessions from same source at the destination
(config-mon-erspan-src-dst)# origin ip address ipaddress - (optional) configure source IP for this traffic

Answer 219

Branch - Remote, more difficult to secure
Campus - Numerous users
Data centre - Highly critical
Edge
Cloud
WAN

Answer 220

Management - management of devices and systems
Security intelligence - detection of emerging security threats
Compliance - compliance with security and privacy regulations.
Segmentation
Threat defense
Secure services

Answer 221

A threat intelligence tool compiling data on malware from a wide range of sources.

Answer 222

Static (comparison with malware samples) and dynamic (behavioural analysis) file analysis

Answer 223

A service for malware analysis and detection

Answer 224

A VPN solution. Also assesses endpoint’s compliance before allowing connection.

Answer 225

DNS resolver that block malicious domains. Formerly known as OpenDNS

Answer 226

Collector and aggregator of telemetry data. Monitors and analyses network security to identify threats. Collects NetFlow/IPFix data.

Answer 227

A Network Access Control (NAC) solution. It provides, among others, a 802.1x Authentication Server and can be integrated into DNA Centre to provide intent-based access policy.

Answer 228

An end device attempting to access the network

Answer 229

This is the network device (AP, switch or WLC) that the supplicant communicates with and that forwards this communication to an authentication server.

Answer 230

This is the server that the supplicant authenticates against.

Answer 231

Either the supplicant with an EAPoL-Start message or the authenticator with an EAPoL-Request-Identity message.

Answer 232

Using EAP over LAN (EAPoL)

Answer 233

Mac Address Bypass (MAB) or WebAuth

Answer 234

When the authenticator prompts the end device with EAP Request-Identity message and the supplicant doesn’t respond, after a timeout, the authenticator forwards the MAC address of the end device to the authentication server. The authentication server then checks the MAC address against its MAB list and either grant or deny access.

Answer 235

The end device is allowed access to a web server and redirected there. The user can then input their credentials on a web page to authenticate and receive network access.

Answer 236

Local Web Authentication (LWA) - the switch hosts the web server and redirects HTTP/HTTPS traffic to it. Credentials input via WebAuth are sent to the Radius server, which then either grants or denies access. Little customisation is possible. No VLAN assignment possible. dACL is possible.
Central Web Authentication (CWA) - Uses Cisco ISE. Switch initiates MAB, Cisco ISE responds with an URL hosted on itself. HTTP/HTTPS traffic is redirected to this URL where the end user can authenticate via a web browser. VLAN assignment and dACL are possible.

Answer 237

An enhancement to NAC using MAB or WebAuth that eliminates the wait before 802.1X authentication times out and alternative methods are tried. It allows setting MAB as the first method, with 802.1X configured as either a fallback or the priority method.

Answer 238

It's an integrated NAC solution using the following components:

Cisco ISE
Common Classification Policy Language (C3PL)
Enhanced FlexAuth

In some contexts, it's a synonym of Common Classification Policy Language (C3PL) new-style 802.1X configuration.

Answer 239

It's a new style of 802.1X configuration. If any IBNS 2.0/C3PL command is used, the configuration mode will be permanently switched - the only option to go back is to boot with a startup-config with legacy configuration (either by reloading before writing changes or by copying an appropriate startup-config and then reloading).

Answer 240

It's a policy plane solution using Scalable Group Tags (SGT) to assign devices to groups that then determine the access policies applied to them.

Answer 241

16 bits = 65536 values

Answer 242

Dynamically - Cisco ISE assigns a tag depending on the outcome of the authentication process.
Statically - SGT mapped statically to IPs, subnets, VLANs, interfaces etc.

Answer 243

SGT is embedded in custom Cisco Meta Data (CMD) field in Ethernet header. This requires hardware support from each forwarding device, otherwise the frame will be dropped.

Answer 244

Devices exchange IP-to-SGT mappings using SXP. An SXP-Speaker sends updates to SXP-Listeners (which in turn can act as speakers for other listeners if the connection is multi-hop). SXP can work together with inline tagging, bridging gap where there is no support for the inline tags.

Answer 245

On the egress of a TrustSec network, where they decide whether traffic should be allowed or dropped.

Answer 246

Using either of the two:

Security Group ACL (SGACL) - Distributed by Cisco ISE and installed on routers and switches
Security Groupd Firewall (SGFW) - FW rules referencing SGTs and defined locally on the FW.

Answer 247

MACsec is a protocol for Layer 2 data enryption and authentication. Ethernet frames are encrypted on the wire and decrypted at each hop, so that relevant header fields can be read, and their values used for forwarding decisions.

Answer 248

MACsec adds a 16-byte 802.1AE header after the source MAC field, and a 16-byte Integrity Check Value at the end, before CRC, which provides authentication. Only destination MAC, source MAC and CRC remain unencrypted. The whole frame is authenticated.

Answer 249

Authentication using Galois Method Authentication Code (GMAC)
Encryption+authentication using Galois/Counter Mode AES (GCM-AES)

Answer 250

Security Association Protocol (SAP) - Cisco proprietary, used only between switches (uplink MACsec)
MACsec Key Agreement (MKA) - Open standard, used both between switches (uplink MACsec) and between the edge switch and end device (downlink MACsec)

Answer 251

As Port ACLs (PACL)

Answer 252

Either layer 2 or layer 3

Answer 253

(config)# mac access-list {standard | extended} acl-name
(config-ext-macl)# {deny | permit} source destination
(config-if)# mac access-group acl-name {in | out}

Answer 254

Define an ACL to match IP or Ethernet traffic
Create a VLAN access map to match ACL with an action (forward or drop)
Apply the VLAN access map to a VLAN

Answer 255

(config)# vlan access-map name seq
(config-access-map)# match {ip address {acl-number | acl-name} | mac address acl-name}
(config-access-map)# action {forward | drop} [log]
(config)# vlan filter access-map-name vlan-list list - the list can be a single number, a range, or several comma-separated numbers and ranges

Answer 256

Inbound PACL
Inbound VACL
Outbound VACL

Answer 257

Inbound PACL
Inbound VACL
Inbound RACL
Outbound RACL
Outbound VACL

Answer 258

(config-line)# exec-timeout 0 0

or

(config-line)# no exec-timeout

Answer 259

Passwords configured directly on lines - not recommended
Local usernames and passwords - recommended as fallback
AAA - recommended as the primary method

Answer 260

(config-line)# login - enable password checking for the specified line
(config-line)# password {[0] password | 7 encrypted-string} - specify password. It will be stored in cleartext unless (badly) encrypted if service password-encryption is enabled.

Answer 261

Self-zone - contains the device’s own IPs. Any host-inbound or host-outbound traffic will cross this zone’s boundary.
Default zone - all interfaces that are not explicitly assigned to another zone. Default zone needs to be explicitly enabled, otherwise all traffic to and from interfaces not assigned to a zone is dropped.

Answer 262

Create zones
Assign interfaces to zones
Create inspection class-maps to classify traffic
Create inspection policy-maps to define actions for each traffic class

Answer 263

drop [log]
pass [log]
inspect

Answer 264

It allows traffic unidirectionally, without creating an FW session. A separate rule is required for return traffic.

Answer 265

It forwards the packet and creates an FW session, so that return traffic is allowed

Answer 266

CoPP is a mechanism used to rate-limit host-inbound traffic that is punted to the control plane in order to avoid overloading CPU. CoPP uses class-maps to classify inbound traffic and a single policy-map called POLICY-CoPP to define thresholds and actions in response to threshold violation.

Answer 267

It's a mechanism that restricts the interfaces and protocols over which remote administration can be performed.

Answer 268

Yes, transit traffic is unaffected. MPP only filters host-inbound management traffic.

Answer 269

(config)# management-interace ifname allow protocol [protocol…]

Answer 270

All host-inbound management traffic that is not explicitly allowed is rejected.

Answer 271

Docker
LXD
rkt
Linux-VServer
Windows Containers

Answer 272

An architectural framework and set of standards to systematise network virtualisation maintained by European Telecommunications Standards Institute (ETSI).

Answer 273

Virtualised devices performing layer 3 (routing), layer 4 (FW, loadbalancing) and layer 7 (NGFW, loadbalancing).

Answer 274

The whole environment in which VNFs are deployed.

Answer 275

Open vSwitch Data Plane Development Kit (OVS-DPDK)
PCI passthrough
Single-root I/O virtualisation (SR-IOV)

Answer 276

A special DPDK Poll Mode Driver polls for data incoming on a pNIC and punts it directly to user space, eliminating the need for an interrupt and a context switch.

Answer 277

VMs access PCI devices, including pNICs directly. This creates a one-to-one mapping between a VM/VNF and a pNIC, which means the pNIC is dedicated to the VNF and cannot be accessed by either the host OS or other VMs

Answer 278

Multiple virtual NICs (called virtual functions, VF) are emulated on top of a pNIC (called a physical function, PF) and are assigned to VMs/VNFs which access them as in PCI passthrough. Traffic between VFs has to be switched either internally or by an external switch.

Answer 279

Switching solution for SR-IOV in which switching is performed by the pNIC itself.

Answer 280

Switching solution for SR-IOV in which switching is performed by an external switch.

Answer 281

Cisco ENFV is a virtualisation solution that simplifies management and maintenance of virtualised network.

Answer 282

Hardware layer - x86-based physical hardware that runs other components. Cisco offers tailor-made hardware packages:
Network Functions Virtualization Infrastructure Software (NFVIS) - Linux-based OS that provides virtualisation and works with orchestration, management and monitoring software.
VNF - Both Cisco (vISR, ASAv, NGFWv, vEdge, cEdge, vWAAS, vWLC) and third party
Management and Orchestration (MANO) - provided by Cisco DNA Center

Answer 283

Enterprise Network Compute System (ENCS)
Cisco 4000 Series ISR + UCS E-Series
UCS C-Series
Cisco Cloud Services Platforms

Answer 284

SSH or TLS with X.509 authentication

Answer 285

- request running configuration and device’s state
- request all or part of configuration from a datastore
- Edit configuration on a datastore
- Copy configuration to another data store
- Deletes configuration from a datastore

Answer 286

YANG (Yet Another Next Generation) is a modelling language. It is used to create hierarchical data models that describe elements of a device’s configuration, objects that can be modified, actions that can be performed etc.

Answer 287

If authorisation is enabled, one need to specify the user to execute CLI commands in an EEM script, otherwise they will fail:
(config)# event manager session cli username username

Answer 288

Ansible
Salt SSH
Puppet Bolt

Answer 289

Puppet
Salt
Chef

Answer 290

Custom Ruby-based domain-specific language

Answer 291

536 bytes for remote destinations, 1460 bytes for local LAN.

Answer 292

(config)# ip tcp mss bytes

Answer 293

(config-if)# ip tcp mss-adjust bytes

Answer 294

Lower is better

Answer 295

(config)# spanning-tree mode mst - enable MSTP
(config)# spanning-tree mst configuration - enter MSTP configuration mode
(config-mst)# name region-name - configuration name for the MST region
(config-mst)# revision no - Configuration revision for the MST region
(config-mst)# instance msti vlan vlan-list - associate VLANs with MSTI

Answer 296

(config)# spanning-tree mst msti root {primary | secondary} - set priority to make switch primary or secondary root

or

(config)# spanning-tree mst msti priority value - set priority

Answer 297

(config)# spanning-tree bpduguard default

Answer 298

(config)# spanning-tree bpduguard {enable | disable}

Answer 299

(config-if)# ip nat inside – declare the interface to be on the internal network
(config-if)# ip nat outside – declare the interface to be on the outside
(config)# ip nat inside source static inside_local inside_global – create a static mapping. This command needs to be issued separately for each mapping.

Answer 300

(config-if)# ip nat inside – declare the interface to be on the internal network>
(config-if)# ip nat outside – declare the interface to be on the outside
(config)# ip access-list {acl_number | acl_name} rule – create/populate an ACL to specify which inside local addresses can use NAT
(config)# ip nat pool pool-name first-address last-address netmask subnet-mask – define a range of inside global addresses to use. Netmask is used only for verification: if the address range does not fit the subnet as determined by netmask, the command is rejected.
(config)# ip nat inside source list {acl_number | acl_name} pool pool-name – enable dynamic NAT and allow mappings between inside local addresses permitted by the specified ACL and inside global addresses in the pool

Answer 301

(config-if)# ip nat inside – declare the interface to be on the internal network
(config-if)# ip nat outside – declare the interface to be on the outside
(config)# ip access-list {acl_number | acl_name} rule – create/populate an ACL to specify which inside local addresses can use NAT
(config)# ip nat inside source list {acl_number | acl_name} interface ifname overload – allow dynamic mappings between inside local addresses, permitted by the specified ACL, and ports and the inside global interface ifname and its ports.

Answer 302

WiFi power-saving standard

Answer 303

Fast Transition roaming standard

Answer 304

Wireless management frame protection standard

Answer 305

Assisted wireless roaming standard

Answer 306

1. Solicit

2. Advertise

3. Request

4. Reply

Answer 307

1-99, 1300-1999

Answer 308

100-199, 2000-2699

Answer 309

Non-broadcast and point-to-multipoint non-broadcast

Answer 310

Broadcast and non-broadcast

Answer 311

Hello - 10s

Dead - 40s

Answer 312

Hello - 10s

Dead - 40s

Answer 313

Hello - 40s

Dead - 120s

Answer 314

Hello - 40s

Dead - 120s

Answer 315

Hello - 40s

Dead - 120s

Answer 316

The host queries the NTP server for time and also acts as a server for other clients.

Answer 317

(config)# ntp server {address | hostname}

Answer 318

Host passively listens to NTP broadcasts from NTP servers to adjust its own clock. Less accurate than querying the server.

Answer 319

On an interface:

(config-if)# ntp broadcast client

Answer 320

(config)# ntp master [stratum] – default stratum 8

Answer 321

Two or more devices synchronise their clocks with each other.

Answer 322

(config)# ntp peer {address | hostname}

Answer 323

(config)# ntp access group [ipv4 | ipv6] {peer | query-only | serve | serve-only} access-list [kod]

Answer 324

(config-if)# switchport mode dynamic desirable

Answer 325

(config-if)# switchport mode dynamic auto

Answer 326

Trunk on one end, access on the other

Answer 327

(config-router)# passive-interface ifname

Answer 328

(config-router)# eigrp stub [receive-only] [leak-map map-name] [connected] [summary] [static] [redistributed]

Answer 329

Performance

Protocol-independent neighbour relationships

Can carry routing information for multiple protocols

Can form neighbour relationships using loopback addresses