Part_10 Flashcards

1
Q

Question 1
Which option must be used to support a WLC with an IPv6 management address and 100 Cisco Aironet 2800 Series access points that will use DHCP to register?

A. 43

B. 52

C. 60

D. 82

A

Answer:B

Explanation

The CAPWAP discovery process lets a lightweight access point (AP) use DHCP to learn the address of the wireless controller it should join. Cisco lightweight APs running release 8.0 and later support DHCP-based discovery on both IPv4 and IPv6 networks:
+ IPv4: Cisco lightweight APs use DHCP option 43 (vendor-specific information) to receive the IPv4 management interface addresses of the primary, secondary, and tertiary wireless controllers (see the guide).
+ IPv6: Cisco lightweight APs use DHCPv6 option 52 (OPTION_CAPWAP_AC_V6, RFC 5417) to receive the IPv6 management interface addresses of the primary, secondary, and tertiary wireless controllers.
Reference:https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/IPV6_DG.html
The question asks about an IPv6 management address, so DHCPv6 is involved and option 52 is the best answer. Options 60 (vendor class identifier) and 82 (relay agent information) are DHCPv4 options that do not carry controller addresses.
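As an added illustration (not from the flashcard or from Cisco's documentation), the following Python encodes and decodes the two options the explanation names. Suboption 241 (0xf1) inside DHCPv4 option 43 is the Cisco AP controller-list suboption, and the hex string it produces is what an IOS DHCP pool carries as `option 43 hex ...`; RFC 5417 option 52 is a 2-byte code and 2-byte length followed by one or more 16-byte IPv6 controller addresses. The controller addresses used are constructed sample values.

```python
import ipaddress

CISCO_AP_SUBOPTION = 241  # 0xf1: Cisco lightweight AP controller-list suboption inside DHCPv4 option 43
OPTION_CAPWAP_AC_V6 = 52  # RFC 5417 DHCPv6 option carrying CAPWAP AC IPv6 addresses


def option43_hex(controllers):
    """Hex string for 'option 43 hex ...': suboption 241, length, then the WLC IPv4 addresses in order."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("suboption value cannot exceed 255 bytes")
    return (bytes([CISCO_AP_SUBOPTION, len(packed)]) + packed).hex()


def parse_option43(hex_value):
    """Walk the TLV suboptions of an option 43 value and return the controller list from suboption 241."""
    data = bytes.fromhex(hex_value)
    controllers = []
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:            # end-of-options marker
            break
        if code == 0:              # pad byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated suboption header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated suboption value")
        if code == CISCO_AP_SUBOPTION:
            if length % 4:
                raise ValueError("suboption 241 length must be a multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
        i += 2 + length            # other vendor suboptions are skipped
    return controllers


def option52_bytes(controllers):
    """RFC 5417 option 52 as it appears on the wire: 2-byte code, 2-byte length, 16-byte addresses."""
    packed = b"".join(ipaddress.IPv6Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    return OPTION_CAPWAP_AC_V6.to_bytes(2, "big") + len(packed).to_bytes(2, "big") + packed


def parse_option52(data):
    """Decode an option 52 TLV back into a list of IPv6 controller addresses."""
    if len(data) < 4 or int.from_bytes(data[:2], "big") != OPTION_CAPWAP_AC_V6:
        raise ValueError("not a DHCPv6 option 52")
    length = int.from_bytes(data[2:4], "big")
    body = data[4:4 + length]
    if len(body) != length or length == 0 or length % 16:
        raise ValueError("option 52 body must be a non-empty multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(body[j:j + 16])) for j in range(0, length, 16)]


if __name__ == "__main__":
    # Constructed sample controller addresses (not from the flashcard).
    v4 = option43_hex(["192.168.10.5", "192.168.10.6"])
    print("ip dhcp pool AP-POOL")
    print(" option 43 hex " + v4)      # the line an IOS DHCP pool would carry
    print("decoded:", parse_option43(v4))
    v6 = option52_bytes(["2001:db8:1::5", "2001:db8:1::6"])
    print("option 52 TLV:", v6.hex())
    print("decoded:", parse_option52(v6))
```

An AP will try to join whatever controller list DHCP hands it, so a rogue DHCP server on the AP VLAN can steer APs toward an address of its choosing; the join itself is still protected by the CAPWAP DTLS handshake and the controller's certificate, which is why DHCP snooping on AP-facing ports is the practical mitigation rather than trusting the option contents.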

2
Q

Question 5
In which two ways does the routing protocol OSPF differ from EIGRP? (Choose two)

A. OSPF supports only equal-cost load balancing. EIGRP supports unequal-cost load balancing

B. OSPF supports an unlimited number of hops. EIGRP supports a maximum of 255 hops

C. OSPF is distance vector protocol. EIGRP is a link-state protocol

D. OSPF provides shorter convergence time than EIGRP

E. OSPF supports unequal-cost load balancing. EIGRP supports only equal-cost load balancing

A

Answer:A B

Explanation

EIGRP supports unequal-cost load balancing through the “variance” command, while OSPF only balances across equal-cost paths -> Answer A is correct while answer E is not correct.
Answer C reverses the two protocols: OSPF is a link-state protocol and EIGRP is an advanced distance-vector protocol, so it is not correct.
The maximum number of hops that EIGRP will accept is 100 by default, and the maximum can be raised to 255 with the “metric maximum-hops” command; OSPF has no hop-count limit -> Answer B is correct.
Reference:https://www.oreilly.com/library/view/cisco-ios-in/0596008694/re597.html
EIGRP networks generally converge faster than OSPF networks because EIGRP can learn topology information and process updates more rapidly -> Answer D is not correct.
Reference:https://scialert.net/fulltext/?doi=aujcs.2014.1.8

3
Q

Question 6
A customer wants to connect a device to an autonomous Cisco AP configured as a WGB. The WGB is configured properly; however, it fails to associate to a CAPWAP-enabled AP. Which change must be applied in the advanced WLAN settings to resolve this issue?

A. Disable FlexConnect local switching

B. Enable Aironet IE

C. Disable AAA override

D. Enable passive client

A

Answer:B

Explanation

Step 6. Ensure that the WLAN has Aironet IE enabled; otherwise the WGB will not be able to associate.
Reference:https://www.cisco.com/c/en/us/support/docs/wireless-mobility/service-set-identifier-ssid/211293-Configure-Work-Group-Bridge-WGB-Multip.html

4
Q

Question 7
A customer deploys a new wireless network to perform location-based services using Cisco DNA Spaces. The customer has a single WLC located on-premises in a secure data center. The security team does not want to expose the WLC to the public Internet. Which solution allows the customer to securely send RSSI updates to Cisco DNA Spaces?

A. Replace the WLC with a cloud-based controller

B. Deploy a Cisco DNA Spaces connector as a VM

C. Implement Cisco Mobility Services Engine

D. Perform tethering with Cisco DNA Center

A

Answer:B

Explanation

Deploying the Cisco DNA Spaces: Connector OVA
This deployment is recommended when most of the devices that are managed by the Connector are on private or internal networks. The Connector runs on the internal network, receives the RSSI updates from the WLC, and opens an outbound HTTPS connection to the Cisco DNA Spaces cloud, so the WLC itself never has to be reachable from the public Internet.
Reference:https://www.cisco.com/c/en/us/td/docs/wireless/cisco-dna-spaces/connector/config/b_connector/m_ova.html
Note:
Cisco DNA Spaces: Detect and Locate maintains a device eviction time of 10 minutes. As long as you receive updates (RSSI, AOA, Info, Stats) from the controller, the device is kept active and is displayed on the dashboard. If updates (RSSI, AOA, Info, Stats) are not received for a particular device within this eviction time, the device is removed from the system.

5
Q

Question 9
By default, which virtual MAC address does HSRP group 32 use?

A. 05:5e:5c:ac:0c:32

B. 00:00:0c:07:ac:20

C. 00:5e:0c:07:ac:20

D. 04:19:20:96:7e:32

A

Answer:B

Explanation

HSRP version 1 builds the virtual MAC address from the well-known prefix 0000.0c07.ac followed by the group number in hexadecimal. Group 32 is 0x20, which gives 00:00:0c:07:ac:20. (HSRP version 2 uses a different range, 0000.0c9f.fXXX, where XXX is the group number in hexadecimal.)

6
Q

Question 11
In Cisco DNA Center, what is the integration API?

A. southbound consumer-facing RESTful API, which enables network discovery and configuration management

B. westbound interface, which allows the exchange of data to be used by ITSM, IPAM and reporting

C. an interface between the controller and the network devices, which enables network discovery and configuration management

D. northbound consumer-facing RESTful API, which enables network discovery and configuration management

A

Answer:B

Explanation

+ Westbound (Integration) APIs: provide the capability to publish the network data, events and notifications to the external systems and consume information in Cisco DNA Center from the connected systems. Through integration APIs, Cisco DNA Center platform can power end-to-end IT processes across the value chain by integrating various domains such as IT Service Management (ITSM), IP address management (IPAM), and reporting. By leveraging the REST-based Integration Adapter APIs, bi-directional interfaces can be built to allow the exchange of contextual information between Cisco DNA Center and the external, third-party IT systems.

7
Q

Question 12
Which function does a Cisco SD-Access extended node perform?

A. provides fabric extension to nonfabric devices through remote registration and configuration

B. performs tunneling between fabric and nonfabric devices to route traffic over unknown networks

C. used to extend the fabric connecting to downstream nonfabric enabled Layer 2 switches

D. in charge of establishing Layer 3 adjacencies with nonfabric unmanaged node

A

Answer:C

Explanation

SD-Access Extended nodes – Switch operating in Layer2 mode connected to a Fabric Edge device

Reference:https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKCRS-2817.pdf

8
Q

Question 13
An engineer is configuring Local WebAuth on a Cisco Wireless LAN Controller. According to RFC 5737, which virtual IP address must be used in this configuration?

A. 1.1.1.1

B. 192.168.0.1

C. 192.0.2.1

D. 172.20.10.1

A

Answer:C

Explanation

RFC 5737 reserves three IPv4 blocks for documentation that are never routed on the public Internet: 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24. The WLC virtual interface address is used only between the wireless client and the controller (for example for web authentication redirection), so it must be an address that is not reachable anywhere else; of the choices, only 192.0.2.1 comes from an RFC 5737 block. The historical default 1.1.1.1 is a real, publicly routed address and should not be used, and 192.168.0.1 and 172.20.10.1 are RFC 1918 addresses that are likely to collide with internal networks. Controllers in the same mobility group must share the same virtual IP address.

9
Q

Question 15
An engineer must configure an EXEC authorization list that first checks a AAA server then a local username. If both methods fail, the user is denied. Which configuration should be applied?

A. aaa authorization exec default local group tacacs+

B. aaa authorization exec default local group radius none

C. aaa authorization exec default group radius local none

D. aaa authorization exec default group radius local

A

Answer:D

Explanation

The AAA server can be a RADIUS or a TACACS+ server, so either method keyword satisfies the first step; only answer D checks the server first, then the local username, and stops there.
Note: “none” as the last method means that, when every earlier method returns an error (for example the RADIUS server is unreachable and no local username exists), authorization succeeds without any check. That is a fail-open fallback, so answers B and C do not meet the requirement that the user is denied when both methods fail. Remember also that a method list moves on to the next method only when a method returns an error (no response), not when it returns a reject.

10
Q

Question 17
What is one characteristic of VXLAN?

A. It supports a maximum of 4096 VLANs.

B. It supports multitenant segments.

C. It uses STP to prevent loops in the underlay network.

D. It uses the Layer 2 header to transfer packets through the network underlay.

A

Answer:B

Explanation

VXLAN has a 24-bit VXLAN network identifier (VNI), which allows up to 16 million (2^24) VXLAN segments to coexist within the same infrastructure -> Answer A is not correct.
VXLAN does not use STP to prevent loops. It relies on the routed underlay and uses Equal-Cost Multi-Path (ECMP) links for load sharing and near-instant failure recovery -> Answer C is not correct.
VXLAN offers the following benefit:
VLAN flexibility in multitenant segments: it provides a solution to extend Layer 2 segments over the underlying network infrastructure so that tenant workloads can be placed across physical pods in the data center -> Answer B is correct.
VXLAN uses a Layer 3 (IP/UDP) header, not the Layer 2 header, to transfer packets through the underlay -> Answer D is not correct.
Reference:https://www.ciscopress.com/articles/article.asp?p=2999385&seqNum=3

11
Q

Question 18
What is one benefit of adopting a data modeling language?

A. augmenting management process using vendor centric actions around models

B. refactoring vendor and platform specific configurations with widely compatible configurations

C. augmenting the use of management protocols like SNMP for status subscriptions

D. deploying machine-friendly codes to manage a high number of devices

A

Answer:B

12
Q

Question 23
An engineer must configure a new WLAN that allows a user to enter a passphrase and provides forward secrecy as a security measure. Which Layer 2 WLAN configuration is required on the Cisco WLC?

A. WPA2 Personal

B. WPA3 Enterprise

C. WPA3 Personal

D. WPA2 Enterprise

A

Answer:C

Explanation

WPA3 Personal replaces the WPA2 pre-shared key handshake with Simultaneous Authentication of Equals (SAE). The user still enters a passphrase, but SAE runs a Diffie-Hellman style exchange that derives a fresh pairwise master key for every association, so an attacker who later learns the passphrase cannot decrypt traffic that was recorded earlier (forward secrecy). WPA2 Personal derives its keys directly from the passphrase and has no forward secrecy, and the Enterprise variants authenticate with 802.1X credentials rather than a passphrase.

13
Q

Question 26
A customer has a wireless network deployed within a multi-tenant building. The network provides client access, location-based services, and is monitored using Cisco DNA Center. The security department wants to locate and track malicious devices based on threat signatures. Which feature is required for this solution?

A. Cisco aWIPS policies on Cisco DNA Center

B. Cisco aWIPS policies on the WLC

C. malicious rogue rules on Cisco DNA Center

D. malicious rogue rules on the WLC

A

Answer:A

Explanation

The Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism. The aWIPS uses an advanced approach to wireless threat detection and performance management. The AP detects threats and generates alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention.
Because the aWIPS functionality is integrated into Cisco DNA Center, the aWIPS can configure and monitor WIPS policies and alarms and report threats.
Reference:https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-1/config-guide/b_wl_17_11_cg/b_wl_17_11_cg_chapter_010001100.html

14
Q

Question 28
In a Cisco SD-Access wireless environment, which device is responsible for hosting the anycast gateway?

A. fabric border node

B. fusion router

C. fabric edge node

D. control plane node

A

Answer:C

Explanation

Edge Node provides first-hop services for Users / Devices connected to a Fabric
…
+ Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
Reference:https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKCRS-2810.pdf

15
Q

Question 37
Where in Cisco DNA Center is documentation of each API call, organized by its functional area?

A. Developer Toolkit

B. platform management

C. platform bundles

D. Runtime Dashboard

A

Answer:A

Explanation

About Developer Toolkit
The Cisco DNA Center platform provides you with the following software developer tools to access and program with Cisco DNA Center, as well as to integrate Cisco DNA Center with other applications:
APIs: Available APIs organized within categories by functionality (for example, Operational Tasks or Site Management APIs).

The Cisco DNA Center GUI displays documentation about each API call, including the request method and URL, query parameters, request header parameters, responses, and schema, and ways to preview or test the request.
Reference:https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center-platform/2-1-2-0/user_guide/b_dnac_platform_ug_2_1_2/b_dnac_platform_ug_2_1_1_chapter_0111.html

16
Q

Question 39
What does a YANG model provide?

A. standardized data structure independent of the transport protocols

B. creation of transport protocols and their interaction with the OS

C. user access to interact directly with the CLI of the device to receive or modify
network configurations

D. standardized data structure that can be used only with NETCONF or RESTCONF transport protocol

A

Answer:A

Explanation

YANG (Yet Another Next Generation) is protocol independent, and YANG data models can be used independent of the transport or RPC protocol and can be converted into any encoding format supported by the network configuration protocol.
Reference:https://www.juniper.net/documentation/us/en/software/junos/netconf/topics/concept/netconf-yang-overview.html
Currently YANG models can be used over NETCONF, RESTCONF and gRPC.

17
Q

Question 40
A network engineer must configure a switch to allow remote access for all feasible protocols. Only a password must be requested for device authentication and all idle sessions must be terminated in 30 minutes. Which configuration must be applied?

A. line vty 0 15
password cisco
transport input all
exec-timeout 0 30

B. line console 0
password cisco
exec-timeout 30 0

C. line vty 0 15
password cisco
transport input telnet ssh
exec-timeout 30 0

D. username cisco privilege 15 cisco
line vty 0 15
transport input telnet ssh
login local
exec-timeout 0 30

A

Answer:C

Explanation

The “exec-timeout” command configures the inactivity timeout on the console port or the virtual terminal lines. The syntax of this command is:
exec-timeout minutes [seconds]
Therefore we need the “exec-timeout 30 0” command to set the user inactivity timer to 30 minutes. Answer A configures “exec-timeout 0 30”, which is 30 seconds; answer D requires a username through “login local” rather than only a password; answer B applies to the console line, not to remote access.

18
Q

Question 42
What is the recommended minimum SNR for voice applications on wireless networks?

A. 10

B. 25

C. 15

D. 20

A

Answer:B

19
Q

Question 44
Which free application has the ability to make REST calls against Cisco DNA Center?

A. API Explorer

B. REST Explorer

C. Postman

D. Mozilla

A

Answer:C

20
Q

Question 45
If AP power level is increased from 25 mW to 100 mW, what is the power difference in dBm?

A. 6 dBm

B. 14 dBm

C. 17 dBm

D. 20 dBm

A

Answer:A

Explanation

Every doubling of power adds about 3 dB: with base power P, 10*log10(P/P) = 0 dB and 10*log10(2P/P) = 10*log10(2) ≈ 3 dB. Going from 25 mW to 100 mW is two doublings (25 -> 50 -> 100 mW), so the difference is 10*log10(100/25) = 10*log10(4) ≈ 6 dB. Strictly, a difference between two power levels is a ratio expressed in dB, not dBm: 25 mW is about 14 dBm and 100 mW is 20 dBm, and 20 - 14 = 6.

21
Q

Question 46
When does a Cisco StackWise primary switch lose its role?

A. when the priority value of a stack member is changed to a higher value

B. when a switch with a higher priority is added to the stack

C. when the stack primary is reset

D. when a stack member fails

A

Answer:C

Explanation

The new priority value takes effect immediately but does not affect the current active switch. The new priority value helps determine which stack member is elected as the new active switch when the current active switch or the switch stack resets -> Answer A is not correct while answer C is correct.
Reference:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-5/configuration_guide/stck_mgr_ha/b_165_stck_mgr_ha_9300_cg/managing_switch_stacks.html

22
Q

Question 47
Which activity requires access to Cisco DNA Center CLI?

A. provisioning a wireless LAN controller

B. creating a configuration template

C. upgrading the Cisco DNA Center software

D. graceful shutdown of Cisco DNA Center

A

Answer:D

Explanation

The Cisco DNA Center GUI can create a configuration template (click the menu icon and choose Tools > Template Editor) -> Answer B is not correct.
The Cisco DNA Center GUI can also upgrade the Cisco DNA Center software (click the menu icon and choose System > Software Updates) -> Answer C is not correct.
Provisioning a wireless LAN controller is also done from the GUI, so between the two answers left, answer D is the best choice: a graceful shutdown requires logging in to the appliance CLI and issuing the “sudo shutdown -h now” command.

23
Q

Question 48
Which record type should be configured for access points to resolve the IP address of a wireless LAN controller using DNS?

A. CISCO.CONTROLLER.localdomain

B. CISCO.CAPWAP.CONTROLLER.localdomain

C. CISCO-CONTROLLER.localdomain

D. CISCO-CAPWAP-CONTROLLER.localdomain

A

Answer:D

Explanation

The AP will attempt to resolve the DNS name CISCO-CAPWAP-CONTROLLER.localdomain. When the AP is able to resolve this name to one or more IP addresses, the AP sends a unicast CAPWAP Discovery Message to the resolved IP address(es). Each WLC that receives the CAPWAP Discovery Request Message replies with a unicast CAPWAP Discovery Response to the AP.
Reference:https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107606-dns-wlc-config.html

24
Q

Question 49
Which NTP mode must be activated when using a Cisco router as an NTP authoritative server?

A. primary

B. server

C. broadcast client

D. peer

A

Answer:B

Explanation

Cisco routers and switches can use three different NTP modes:
NTP client mode.
NTP server mode.
NTP symmetric active (peer) mode.
Symmetric active mode is used between NTP devices that synchronize with each other; it acts as a backup mechanism when they are unable to reach the (external) NTP server.
A device in NTP server mode can additionally be configured as an authoritative master (“ntp master”), in which case it serves time from its local clock even when it has lost synchronization with an upstream source.

25
Q

Question 51
Which signal strength and noise values meet the minimum SNR for voice networks?

A. signal strength -67 dBm, noise 91 dBm

B. signal strength -69 dBm, noise 94 dBm

C. signal strength -68 dBm, noise 89 dBm

D. signal strength -66 dBm, noise 90 dBm

A

Answer:B

Explanation

The recommended minimum SNR for voice applications on wireless networks is 25 dB. Noise floors are negative numbers in dBm, so when an answer says “noise 91 dBm” we should read it as N = -91 dBm.
Because the measurements are already in decibel form, the SNR is simply the noise subtracted from the signal: SNR = S - N (subtracting logarithms is the equivalent of dividing the underlying powers). In this question only “signal strength -69 dBm, noise 94 dBm” gives SNR = -69 - (-94) = 25 dB, which meets the recommended minimum for voice. The other options give 24 dB, 21 dB and 24 dB respectively.

26
Q

Question 52
An engineer is connected to a Cisco router through a Telnet session. Which command must be issued to view the logging messages from the current session as soon as they are generated by the router?

A. logging buffer

B. service timestamps log uptime

C. logging host

D. terminal monitor

A

Answer:D

Explanation

The “terminal monitor” command makes logging messages appear on the current terminal (VTY) session as soon as they are generated. A console session receives them by default (“logging console”), but a Telnet or SSH session does not until “terminal monitor” is entered, and the setting lasts only for that session. “logging buffered” stores messages in memory for a later “show logging”, and “logging host” sends them to a syslog server.

27
Q

Question 53
An engineer is configuring RADIUS-Based Authentication with EAP. MS-CHAPv2 is configured on a client device. Which outer method protocol must be configured on the ISE to support this authentication type?

A. EAP-TLS

B. EAP-FAST

C. LDAP

D. PEAP

A

Answer:D

Explanation

You can use PEAP with EAP-MSCHAPv2 as the inner method, which uses a certificate on the authentication server (NPS or ISE) to build the TLS tunnel and a password for the client. You can also use PEAP with EAP-TLS as the inner method, which uses a certificate on the authentication server and a certificate on the client. Because MS-CHAPv2 must only run inside the protected tunnel, the outer method configured on ISE is PEAP. Clients should be configured to validate the server certificate; otherwise a rogue access point with its own RADIUS server can collect the MS-CHAPv2 exchange and attack the password offline.
Reference:https://social.technet.microsoft.com/Forums/Lync/en-US/7962d24d-7aa2-4413-97da-4f03793f2405/very-confused-on-authenciation-concepts-eap-peap-eapmschapv2-?forum=winserversecurity

28
Q

Question 58
Which technology reduces the implementation of STP and leverages both unicast and multicast?

A. VPC

B. VXLAN

C. VSS

D. VLAN

A

Answer:C

Explanation

A VSS combines a pair of switches into a single logical network element, so downstream switches connect to it with a multichassis EtherChannel instead of redundant links that STP would have to block -> it reduces the reliance on STP.
For Layer 3 multicast in the VSS, learned multicast routes are stored in hardware in the standby supervisor engine. After a switchover, multicast forwarding continues using the existing hardware entries.
Reference:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-4SY/config_guide/sup6T/15_3_sy_swcg_6T/virtual_switching_systems.pdf
VXLAN also solves the Layer 2 STP limitations. VXLAN packets are transferred through the underlying network based on the Layer 3 header and can take full advantage of Layer 3 routing, equal-cost multipath (ECMP) routing, and link aggregation protocols to use all available paths.
Because VXLAN rides on a routed underlay it supports multicast as well. Therefore, in fact, this question has two defensible answers.

29
Q

Question 59
Which application has the ability to make REST calls against Cisco DNA Center?

A. API Explorer

B. Postman

C. REST Explorer

D. Mozilla

A

Answer:B

30
Q

Question 61
A company recently decided to use RESTCONF instead of NETCONF, and many of their NETCONF scripts contain the operation <edit-config> (operation="create"). Which RESTCONF operation must be used to replace these statements?

A. CREATE

B. GET

C. PUT

D. POST

A

Answer:D

Explanation

POST: This method creates a data resource or invokes an operations resource.
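As an added worked example (not from the flashcard or from any Cisco tool), the following Python parses a NETCONF <edit-config> payload, finds each nc:operation attribute and emits the RESTCONF request that replaces it, following the mapping in RFC 8040: create becomes POST on the parent resource, replace becomes PUT, merge becomes PATCH and delete becomes DELETE. The sample payload, the namespace-to-module table and the list-key table are constructed for the example; a real migration tool would derive the latter two from the YANG modules.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
OP_ATTR = "{%s}operation" % NC_NS

# NETCONF <edit-config> operation -> RESTCONF method (RFC 8040, section 4).
OP_TO_METHOD = {
    "create": "POST",    # target URI is the PARENT; the server answers 409 Conflict if the resource exists
    "replace": "PUT",    # target URI is the resource; created if absent, replaced in full otherwise
    "merge": "PATCH",    # plain patch: merge into the existing resource
    "delete": "DELETE",  # 404 if the resource is absent (NETCONF "remove" would be silent instead)
}

# Assumed for this example: YANG namespace -> module name, and the key leaves of each YANG list.
NS_TO_MODULE = {"urn:ietf:params:xml:ns:yang:ietf-interfaces": "ietf-interfaces"}
LIST_KEYS = {"interface": ["name"]}

# Constructed sample payload (not from the flashcard): create one loopback, delete another.
EDIT_CONFIG = """<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
        xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
    <interface nc:operation="create">
      <name>Loopback100</name>
      <description>created via API</description>
      <type>iana-if-type:softwareLoopback</type>
      <enabled>true</enabled>
    </interface>
    <interface nc:operation="delete">
      <name>Loopback99</name>
    </interface>
  </interfaces>
</config>"""


def _split(tag):
    """'{namespace}local' -> (namespace, local); unnamespaced tags get an empty namespace."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _qualified(elem, parent_ns):
    """Node name, prefixed with the module name whenever the module changes (RFC 8040 3.5.3 / RFC 7951)."""
    ns, local = _split(elem.tag)
    return local if ns == parent_ns else "%s:%s" % (NS_TO_MODULE[ns], local)


def _segment(elem, parent_ns):
    """One URI path segment; list entries carry their percent-encoded key values after '='."""
    ns, local = _split(elem.tag)
    seg = _qualified(elem, parent_ns)
    keys = LIST_KEYS.get(local)
    if keys:
        seg += "=" + ",".join(quote(elem.findtext("{%s}%s" % (ns, k)), safe="") for k in keys)
    return seg


def _to_json(elem):
    """XML subtree -> JSON value (one list entry per subtree; booleans become real booleans)."""
    ns, _ = _split(elem.tag)
    if len(elem) == 0:
        text = (elem.text or "").strip()
        return {"true": True, "false": False}.get(text, text)
    return {_qualified(child, ns): _to_json(child) for child in elem}


def netconf_to_restconf(xml_text, base="/restconf/data"):
    """Translate every nc:operation in an <edit-config> payload into an equivalent RESTCONF request."""
    root = ET.fromstring(xml_text)
    requests = []

    def walk(elem, path, parent_ns):
        op = elem.attrib.get(OP_ATTR)
        ns, local = _split(elem.tag)
        if op is None:
            for child in elem:
                walk(child, path + [_segment(elem, parent_ns)], ns)
            return
        method = OP_TO_METHOD[op]
        target = path if method == "POST" else path + [_segment(elem, parent_ns)]
        body = None
        if method != "DELETE":
            value = _to_json(elem)
            if local in LIST_KEYS:
                value = [value]                        # a list entry is encoded as a one-element JSON array
            body = {_qualified(elem, ""): value}      # the top-level member is always module-qualified
        requests.append({"method": method, "url": base + "/" + "/".join(target), "body": body})

    for child in root:                                 # <config> itself is not part of the path
        walk(child, [], NC_NS)
    return requests


def render_http(req, host="dnac.example.net"):
    """Render one request as HTTP/1.1 text with the YANG-data media types RESTCONF expects."""
    lines = ["%s %s HTTP/1.1" % (req["method"], req["url"]), "Host: " + host, "Accept: application/yang-data+json"]
    if req["body"] is not None:
        lines += ["Content-Type: application/yang-data+json", "", json.dumps(req["body"])]
    return "\n".join(lines)


if __name__ == "__main__":
    for request in netconf_to_restconf(EDIT_CONFIG):
        print(render_http(request))
        print()
```

The detail that matters during a migration is the failure mode: NETCONF create and RESTCONF POST both refuse to overwrite an existing resource (409 Conflict in RESTCONF), whereas PUT silently replaces whatever is there, so a script that substitutes PUT for create loses the protection against clobbering configuration that another process already put in place.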

31
Q

Question 62
An engineer must protect the password for the VTY lines against over-the-shoulder attacks. Which configuration should be applied?

A. service password-encryption

B. username netadmin secret 9 $9$vFpMf8elb4RVV8$seZ/bDA

C. username netadmin secret 7$1$42J36k33008Pyh4QzwXyZ4

D. line vty 0 15 p3ssword XD822j

A

Answer:A

Explanation

An over-the-shoulder attack is a social engineering technique for obtaining information such as personal identification numbers (PINs), passwords and other confidential data by watching the victim’s screen or keyboard. With “service password-encryption”, the VTY line password is no longer shown in clear text in “show running-config” or “show startup-config”, so a bystander cannot read it off the screen. Note that this is the reversible Type 7 obfuscation, not encryption in any cryptographic sense: anyone who obtains a copy of the configuration can recover the password in seconds. Where the platform supports it, authenticating with “username ... secret” (Type 8 or 9 hashes, as in answer B) is stronger, but the question specifically asks about the VTY line password, so answer A is correct.
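As an added illustration (not from the flashcard), the following Python shows what “service password-encryption” actually does. Type 7 is a fixed-key XOR against a well-known translation table with a two-digit seed in front; the encoder produces exactly the string IOS writes into the configuration, and the decoder recovers the plaintext from it without any secret. The configuration excerpt scanned at the end is constructed for the example.

```python
import re

# Fixed translation key of the IOS Type 7 scheme; it is public knowledge, which is the whole problem.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext, seed=8):
    """Produce the string IOS stores after 'password 7': two-digit seed, then XOR bytes as uppercase hex."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    data = plaintext.encode()
    out = ["%02d" % seed]
    for i, b in enumerate(data):
        out.append("%02X" % (b ^ XLAT[(seed + i) % len(XLAT)]))
    return "".join(out)


def type7_decode(encoded):
    """Recover the plaintext from a Type 7 string; the only 'key' is the table above."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed Type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


# Lines that carry a Type 7 value in an IOS configuration dump.
TYPE7_LINE = re.compile(r"^\s*(?P<keyword>password|key|key-string)\s+7\s+(?P<value>[0-9A-Fa-f]{4,})\s*$")


def recover_type7_secrets(config_text):
    """Scan a configuration dump and return (keyword, plaintext) for every Type 7 value found."""
    found = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            found.append((m.group("keyword"), type7_decode(m.group("value"))))
    return found


# Constructed configuration excerpt for the example (not from the flashcard).
SAMPLE_CONFIG = """\
service password-encryption
!
line vty 0 15
 password 7 0822455D0A16
 transport input ssh
 exec-timeout 30 0
"""

if __name__ == "__main__":
    print(type7_encode("cisco"))            # the value IOS would write for 'password cisco'
    for keyword, secret in recover_type7_secrets(SAMPLE_CONFIG):
        print(keyword, "->", secret)
```

This is why Type 7 only defends against someone glancing at the screen: any copy of the configuration (a backup, a TFTP transfer, a ticket attachment) gives the password away. Use Type 8 or 9 hashes for username and enable secrets, and prefer “login local” or AAA over a shared line password.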

32
Q

Question 63
Which QoS feature uses the IP Precedence bits in the ToS field of the IP packet header to partition traffic into different priority levels?

A. marking

B. shaping

C. policing

D. classification

A

Answer:D

33
Q

Question 70
What is a benefit of using segmentation with TrustSec?

A. Integrity checks prevent data from being modified in transit.

B. Packets sent between endpoints on a LAN are encrypted using symmetric key cryptography.

C. Security group tags enable network segmentation.

D. Firewall rules are streamlined by using business-level profiles.

A

Answer:C

Explanation

TrustSec segmentation is performed at the Ethernet frame level: traffic is classified at ingress when a user logs in, it is associated with a Security Group Tag (SGT) that is added to the Layer 2 frame, and this SGT is propagated and enforced across the TrustSec domain. It is topology independent and pervasive, regardless of factors such as client mobility. The correct access is enforced whether the user is in the data centre, HQ, branch office, or working at home.
Reference:https://www.mbne.net/tech-notes/trustsec

34
Q

Question 73
What are two best practices when designing a campus Layer 3 infrastructure? (Choose two)

A. Configure passive-interface on nontransit links.

B. Implement security features at the core.

C. Summarize routes from the aggregation layer toward the core layer.

D. Tune Cisco Express Forwarding load balancing hash for ECMP routing.

E. Summarize from the access layer toward the aggregation layer.

A

Answer:C D

Explanation

We should not implement security features at the core, because they would slow down a layer whose only job is fast transit -> Answer B is not correct.
It is a recommended practice to configure summarization in a large network from the distribution layers toward the core. Implementing summarization at the distribution layer optimizes the convergence process -> Answer C is correct while answer E is not correct.
Reference:https://www.ccexpert.us/network-design/route-summarization.html
Also in the above link, it is recommended to configure “Passive Interfaces for IGP at the Access Layer”, not on “nontransit links”, which makes answer A not correct.
“As a best practice for ECMP-based Layer 3 networks, Cisco recommends fine-tuning Cisco Express Forwarding load balancing to include Layer 3 and Layer 4 tuple inclusion to compute and derive the first phase of the optimal forwarding decision process between two upstream Layer 3 MEC interfaces.” -> Answer D is correct.
Reference:https://www.cisco.com/c/dam/global/shared/assets/pdf/cisco_enterprise_campus_infrastructure_design_guide.pdf

35
Q

Question 75

Refer to the exhibit.

How should the programmer access the list of VLANs that were received via the API call?

A. VlanNames['response']

B. VlanNames[0]

C. VlanNames['Vlan1']

D. list(VlanNames)

A

Answer:A

36
Q

Question 76
An EEM applet contains this command:

event snmp oid 1.3.6.1.4.3.8.0.5.8.7.1.3 get-type next entry-op gt entry-val 80 poll-interval 8

What is the result of the command?

A. An SNMP event is generated when the value equals 80% for eight polling cycles.

B. An SNMP event is generated when the value is greater than 80% for eight polling cycles.

C. An SNMP event is generated when the value reaches 80%.

D. An SNMP variable is monitored and an action is triggered when the value exceeds 80%.

A

Answer:D

Explanation

To specify the event criteria for an Embedded Event Manager (EEM) applet that is run by sampling Simple Network Management Protocol (SNMP) object identifier values, use the event snmp command in applet configuration mode.
event snmp oid oid-value get-type {exact | next} entry-op operator entry-val entry-value [exit-comb {or | and}] [exit-op operator] [exit-val exit-value] [exit-time exit-time-value] poll-interval poll-int-value
Here is a breakdown of the components of the EEM command:
+ oid: Specifies the SNMP object identifier (object ID).
+ get-type: Specifies the type of SNMP get operation to be applied to the object ID specified by the oid-value argument.
-- next: Retrieves the object ID that is the lexicographic successor of the object ID specified by the oid-value argument.
+ entry-op: Compares the contents of the current object ID with the entry value using the specified operator. If there is a match, an event is triggered and event monitoring is disabled until the exit criteria are met.
+ entry-val: Specifies the value with which the contents of the current object ID are compared to decide if an SNMP event should be raised.
+ exit-op: Compares the contents of the current object ID with the exit value using the specified operator. If there is a match, an event is triggered and event monitoring is re-enabled.
+ poll-interval: Specifies the time interval between consecutive polls (in seconds).
Reference:https://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtioseem.html
In particular, the applet in this question polls the object ID that follows the given OID every 8 seconds and triggers its actions when the returned value is greater than (gt, not greater than or equal to) 80.

37
Q

Question 78

Refer to the exhibit.

for x in range(6):
    print(x)

What is output by this code?

A. 0 5

B. 0 1 2 3 4 5

C. 0 1 2 3 4

D. (0,5)

A

Answer:B

Explanation

The range() function returns a sequence of numbers, starting from 0 by default, and increments by 1 (by default), and stops before a specified number.

38
Q

Question 79
What is the purpose of the weight attribute in an EID-to-RLOC mapping?

A. It determines the administrative distance of LISP generated routes in the RIB.

B. It indicates the load-balancing ratio between ETRs of the same priority.

C. It indicates the preference for using LISP over native IP connectivity.

D. It identifies the preferred RLOC address family.

A

Answer:B

Explanation

In the LISP context, for each RLOC mapped to an EID, the mapping system provides a priority and a weight. When several RLOCs have the same priority, the LISP traffic is split among the different RLOCs in proportion to their weight.
Reference:https://www.cs.rice.edu/~eugeneng/inm08/papers/12.pdf

39
Q

Question 80
A network engineer is designing a QoS policy for voice and video applications. Which software queuing feature provides strict-priority servicing?

A. Class-Based Weighted Fair Queuing

B. Low Latency Queuing

C. Link Fragmentation

D. Automatic QoS

A

Answer:B

Explanation

Low-latency queuing (LLQ) is a feature developed by Cisco to bring strict priority queuing (PQ) to class-based weighted fair queuing (CBWFQ).

40
Q

Question 81
Which characteristic applies to a traditional WAN solution but not to a Cisco SD-WAN solution?

A. lengthy installation times

B. centralized reachability, security, and application policies

C. low complexity and increased overall solution scale

D. operates over DTLS/TLS authenticated and secured tunnels

A

Answer:A

41
Q

Question 82
Which of the following are features typically only found in a Next Generation (NextGen) firewall? (Choose two)

A. Network Address Translation (NAT)

B. Secure remote access VPN (RA VPN)

C. Deep packet inspection

D. reputation based malware detection

E. IPSec site-to-site VPN

A

Answer:C D

Explanation

Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.
Reference:https://www.gartner.com/en/information-technology/glossary/next-generation-firewalls-ngfws

42
Q

Question 83
JSON web tokens (JWT) are used to secure JSON based communications. Which of the following fields make up a JWT? (Choose three)

A. Header

B. Trailer

C. Payload

D. Sequence number

E. Signature

A

Answer:A C E

Explanation

An example of a JWT before being encoded is shown below:
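As an added illustration, not part of the original flashcard, here is a minimal HS256 JWT implementation in Python that shows the three fields (header, payload, signature) and the checks a verifier must make. The key and claims are constructed sample values; the pinned algorithm and the constant-time comparison are the two details that separate a safe verifier from one that accepts an "alg": "none" token.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data):
    """Base64url without '=' padding, as RFC 7515 requires for each JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload, key):
    """Build header.payload.signature with HS256: HMAC-SHA256 over the two encoded segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)]
    signing_input = ".".join(segments)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def split_jwt(token):
    """Return the three fields: header dict, payload dict, raw signature bytes (nothing is verified here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS-style JWT has exactly three dot-separated segments")
    header, payload, signature = parts
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)), b64url_decode(signature)


def verify_jwt(token, key):
    """Verify an HS256 token and return its payload; anything else, including alg 'none', is rejected."""
    header, payload, signature = split_jwt(token)
    if header.get("alg") != "HS256":          # pin the algorithm: the token must not choose how it is checked
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        raise ValueError("signature mismatch")
    return payload


def is_valid(token, key):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_jwt(token, key)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample key and claims (not from the flashcard).
    key = b"correct horse battery staple"
    token = sign_jwt({"sub": "netadmin", "role": "admin"}, key)
    print(token)
    print(split_jwt(token))
    print(verify_jwt(token, key))
```

The payload is only base64url-encoded, not encrypted: anyone holding the token can read the claims, so the signature is what makes them trustworthy, and only after the verifier has checked it with a key the token itself did not choose.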

43
Q

Question 84
Ansible is being used in a network for configuration and management automation. Which of the following are true statements regarding Ansible? (Choose two)

A. Requires an agent on the end device.

B. Utilizes the concept of playbooks to execute the configuration.

C. Uses a pull model, where the end devices pull configuration files from the Ansible server.

D. Utilizes SSH.

A

Answer:B D

Explanation

Ansible uses an agentless architecture to manage network devices. Agentless means that the managed device does not need any code (agent) installed on it -> Answer A is not correct.
Ansible connects to managed devices over SSH (for network devices usually through a CLI connection plugin such as network_cli, or NETCONF over SSH) to “push” changes and extract information -> Ansible uses a push model -> Answer C is not correct.
Once Ansible is installed, it works with several kinds of text files:
+ Playbooks: These files provide the actions and logic about what Ansible should do. Ansible playbooks contain tasks to configure hosts and are written in YAML format.
+ Inventory: a file that contains a list of the hosts (usually their IP addresses and ports) which you want to configure or manage. Hosts in an inventory can be divided into smaller groups for easier management and configuration. Each group can run different tasks. An example of a task is to ping all hosts in group [routers].
+ Templates: Using the Jinja2 language, the templates represent a device’s configuration but with variables.
+ Variables: Using YAML, a file can list variables that Ansible will substitute into templates.

44
Q

Question 85
In a Cisco Software Defined Networking (SDN) architecture, what is used to describe the API communication between the SDN controller and the network elements (routers and switches) that it manages?

A. Southbound API

B. Northbound API

C. Westbound API

D. Eastbound API

A

Answer:A

Explanation

The southbound API is used for communication between the SDN controller and the network elements it manages.

45
Q

Question 86
In a Cisco VXLAN based network, which of the following best describes the main function of a VXLAN Tunnel Endpoint (VTEP)?

A. A device that performs VXLAN encapsulation and decapsulation.

B. It is a 24 bit segment ID that defines the broadcast domain.

C. It is the Logical interface where the encapsulation and de-encapsulation occurs.

D. It is a device that performs tunneling using GRE.

A

Answer:A

Explanation

VTEPs connect the overlay and underlay networks; they are responsible for encapsulating frames into VXLAN packets to send across the IP network (underlay) and for decapsulating them when the packets leave the VXLAN tunnel.

Note: VXLAN has a 24-bit VXLAN network identifier (VNI), not VTEP.

46
Q

Question 87
What does the Cisco DNA Center Authentication API provide?

A. list of global issues that are logged in Cisco DNA Center

B. access token to make calls to Cisco DNA Center

C. list of VLAN names

D. dent health status

A

Answer:B

Explanation

Cisco DNA Center has a REST API that an authenticated and authorized user can leverage to do operations over an HTTPS connection.
When the user authenticates, they receive a token that must be sent in subsequent requests in order to be authorized to execute calls to the API.
Reference:https://developer.cisco.com/docs/dna-center/#!authentication-and-authorization/authentication-and-authorization-guide

47
Q

Question 88
What is a client who is running 802.1x for authentication referred to as?

A. supplicant

B. NAC device

C. authenticator

D. policy enforcement point

A

Answer:A

Explanation

To understand 802.1x, you need to understand three terms:
+ Supplicant: The user or client that wants to be authenticated
+ Authentication server: The actual server doing the authentication, typically a RADIUS server
+ Authenticator: The device in between the supplicant and the authentication server, such as a wireless access point
Reference:https://www.networkworld.com/article/2216499/wireless-what-is-802-1x.html

48
Q

Question 90
What does the statement print(format(0.8, '.0%')) display?

A. 80%

B. 8%

C. .08%

D. 8.8%

A

Answer:A

Explanation

Let’s break down the code:
The format() function is being used to convert the number 0.8 into a formatted string.
The first argument to format() is the number to be formatted, which is 0.8 in this case.
The second argument is the format specifier, which is '.0%' in this case. The '%' character is a special character that indicates that the number should be formatted as a percentage. The '.0' specifies that the number should be rounded to zero decimal places.
Therefore, the output of the format() function will be the string '80%', which will be printed to the console by the print() function.
We also tested it and this is the result:

49
Q

Question 91
Refer to the exhibit.

Router#show running-config | include aaa
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa session-id common

Which configuration enables fallback to local authentication and authorization when no TACACS+ server is available?

A. Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local

B. Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local

C. Router(config)# aaa fallback local

D. Router(config)# aaa authentication login FALLBACK local
Router(config)# aaa authorization exec FALLBACK local

A

Answer:B

50
Q

Question 92
Which collection contains the resources to obtain a list of fabric nodes through the vManage API?

A. device management

B. administration

C. device inventory

D. monitoring

A

Answer:C

Explanation

Display all devices in the overlay network that are connected to the vManage instance.
GET https://{vmanage-ip-address}/dataservice/device
(Also in the below reference we see this command is under “Device Inventory” menu)
Reference:https://developer.cisco.com/docs/sdwan/#!device-inventory/connect-devices
The Viptela REST API resources are grouped into the following collections:
+ Monitoring: This collection views status, statistics, and other information about operational devices in the overlay network. Viptela devices collect monitoring information about themselves every 10 minutes. After collecting these statistics, each Viptela device places them in a zip file. The vManage server retrieves these zip files every 10 minutes or, if the vManage server cannot log in to the device, it retrieves them whenever it is next able to log in.
+ Real-Time Monitoring: This collection retrieves, views, and manages real-time statistics and traffic information. Real-time monitoring information is gathered in real time, approximately once per second.
+ Configuration: This collection creates feature and device configuration templates, retrieves the configurations in existing templates, and creates and configures vManage clusters.
+ Administration: This collection manages users and user groups, views audit logs, and manages the local vManage server.
+Device Inventory: This collection collects device inventory information including serial numbers and system status.
+ Certificate Management: This collection manages certificates and security keys.
+ Troubleshooting Tools: This collection provides tools to help troubleshoot devices, determine the effect of policy, update software, and retrieve software version information.

51
Q

Question 93
Which security measure mitigates a man-in-the-middle attack of a REST API?

A. SSL certificates

B. biometric authentication

C. password hash

D. non-repudiation feature

A

Answer:A

Explanation

Thanks to asymmetric cryptography, also known as public key cryptography, web and electronic communications are protected from man-in-the-middle (MitM) attacks. A message can be encrypted by anyone via a public key, but it can only be decrypted by the holder of the matching private key.
In this way, a hacker won’t be able to decrypt and read any messages sent through an encrypted protocol because the key pair is negotiated only between the two existing parties.
How do SSL certificates help you defend against these attacks? By upgrading to the HTTPS protocol.
Reference:https://medium.com/@munteanu210/ssl-certificates-vs-man-in-the-middle-attacks-3fb7846fa5db

52
Q

Question 95
Which solution supports end to end line-rate encryption between two sites?

A. IPsec

B. TrustSec

C. MACsec

D. GRE

A

Answer:C

Explanation

Unlike IPsec, which is typically performed on a centralized application-specific integrated circuit (ASIC) optimized for accelerating encryption, MACsec is enabled on a per-port basis with no performance impact.
For a router capable of forwarding terabits of traffic, IPsec encryption will be the bottleneck and limiting factor of maximum throughput of the device. For example, if a router has multiterabit forwarding capabilities, and ten 100-GE ports require encryption at line-rate, the MACsec solution offers 1 Tbps of AES-256 encryption on each port, regardless of the packet size, so the overall encryption throughput utilizing MACsec can leverage the full forwarding capability of the router, while also offering encryption of each bit on the Ethernet wire.
Reference:https://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/MACsec/WP-High-Speed-WAN-Encrypt-MACsec.pdf
Note: Line-rate encryption refers to the practice of encrypting data at the maximum speed or data rate allowed by the communication channel or network infrastructure, without compromising security or performance. In other words, it is a type of encryption that can encrypt and decrypt data as fast as the data can be transmitted over the communication channel or network.

53
Q

Question 97
Which access control feature does MAB provide?

A. user access based on IP address

B. allows devices to bypass authentication

C. network access based on the physical address of a device

D. simultaneous user and device authentication

A

Answer:C

Explanation

Standalone MAC Authentication Bypass (MAB) is an authentication method that grants network access to specific MAC addresses regardless of 802.1X capability or credentials. As a result, devices such as cash registers, fax machines, and printers can be readily authenticated, and network features that are based on authorization policies can be made available.
Reference:https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html

54
Q

Question 98
Which authorization framework gives third-party applications limited access to HTTP services?

A. IPsec

B. Basic Auth

C. GRE

D. OAuth 2.0

A

Answer:D

Explanation

OAuth 2.0 is the industry-standard protocol for authorization. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Reference:https://docs.oracle.com/cd/B31315_01/191000/Universal%20Service%20Mapper%20User%20Guide/Output/oath.htm

55
Q

Question 99
In the Cisco DNA Center Image Repository, what is a golden image?

A. The latest software image that is available for a specific device type

B. The Cisco recommended software image for a specific device type.

C. A software image that is compatible with multiple device types.

D. A software image that meets the compliance requirements of the organization.

A

Answer:B

Explanation

Cisco DNA Center allows you to designate software images and SMUs as golden. A golden software image or SMU is a validated image that meets the compliance requirements for the particular device type. Designating a software image or SMU as golden saves you time by eliminating the need to make repetitive configuration changes and ensures consistency across your devices.
-> In this question, answer B is better than answer D as golden image is surely the Cisco recommended software image.

56
Q

Question 101
Which two methods are used to assign security group tags to the user in a Cisco TrustSec architecture? (Choose two)

A. modular QoS

B. policy routing

C. web authentication

D. DHCP

E. IEEE 802.1x

A

Answer:C E

Explanation

Cisco ISE assigns the SGT tags to users or devices that are successfully authenticated and authorized through 802.1x, MAB, or WebAuth.
Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide

57
Q

Question 102

Refer to the exhibit.

count = 8
while count > 4:
    print(count)
    count -= 1

What is output by this code?

A. 8 7 6 5

B. -4 -5 -6 -7

C. -1 -2 -3 -4

D. 4 5 6 7

A

Answer:A

Explanation

This code will print out the count variable while it is still greater than 4, then decrease it by 1.

Note: count -= 1 means “count = count - 1”.

58
Q

Question 103
When a DNS host record is configured for a new Cisco AireOS WLC, which hostname must be added to allow APs to successfully discover the WLC?

A. CONTROLLER-CAPWAP-CISCO

B. CISCO-CONTROLLER-CAPWAP

C. CAPWAP-CISCO-CONTROLLER

D. CISCO-CAPWAP-CONTROLLER

A

Answer:D

59
Q

Question 110
What is a benefit of Cisco TrustSec in a multilayered LAN network design?

A. Policy or ACLs are not required.

B. There are no requirements to run IEEE 802.1X when TrustSec is enabled on a switch port.

C. Application flows between hosts on the LAN to remote destinations can be encrypted.

D. Policy can be applied on a hop-by-hop basis.

A

Answer:D

Explanation

Cisco TrustSec can be used to implement policies that define who can access resources at each layer of the network. This can help to prevent unauthorized access and ensure that users only have access to the resources they need to do their jobs. For example, a policy could be implemented that only allows HR personnel to access HR data stored on servers located in the data center, while preventing other users from accessing that data -> Answer A is not correct.
TrustSec uses SGT tags to perform ingress tagging and egress filtering to enforce access control policy. Cisco ISE assigns the SGT tags to users or devices that are successfully authenticated and authorized through 802.1x, MAB, or WebAuth. -> Therefore we still need 802.1X -> Answer B is not correct.

Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide
We could not find any document mentioning encrypted traffic with TrustSec, while TrustSec is designed for hop-to-hop integrity and confidentiality, so answer D is the best choice.

60
Q

Question 111
Refer to the exhibit.

no aaa new-model
username admin privilege 15 secret cisco123
ip http secure-port 445

Which command must be applied to complete the configuration and enable RESTCONF?

A. ip http secure-server

B. ip http server

C. ip http secure-port 443

D. ip http client username restconf

A

Answer:A

61
Q

Question 112
Which two features are available only in next-generation firewalls? (Choose two)

A. virtual private network

B. deep packet inspection

C. stateful inspection

D. application awareness

E. packet filtering

A

Answer:B D

Explanation

NGFWs combine many of the capabilities of traditional firewalls — including packet filtering, network address translation (NAT) and port address translation (PAT), URL blocking, and virtual private networks (VPNs) — with quality of service (QoS) functionality and other features not found in traditional firewalls. These include intrusion prevention, SSL and SSH inspection, deep-packet inspection, and reputation-based malware detection, as well as application awareness.
Reference:https://www.techtarget.com/searchsecurity/definition/next-generation-firewall-NGFW

62
Q

Question 114
Which configuration enables password checking on the console line, using only a password?

A. router(config)#line con 0
router(config-line)#exec-timeout 0 0

B. router(config)#line con 0
router(config-line)#login

C. router(config)#line con 0
router(config-line)#login local

D. router(config)#line vty 0 4
router(config-line)#login

A

Answer:B

Explanation

We need to enable password checking on console line -> we must set in “line con 0”.
We only need a password without a username -> use the keyword “login”, not “login local”. The latter asks for a local username and password.

63
Q

Question 115
Which language defines the structure or modelling of data for NETCONF and RESTCONF?

A. YAM

B. YANG

C. JSON

D. XML

A

Answer:B

64
Q

Question 118
How do cloud deployments compare to on-premises deployments?

A. Cloud deployments provide a better user experience across world regions, whereas on-premises deployments depend upon region-specific conditions

B. Cloud deployments are inherently unsecure, whereas a secure architecture is mandatory for on-premises deployments.

C. Cloud deployments mandate a secure architecture, whereas on-premises deployments are inherently unsecure.

D. Cloud deployments must include automation infrastructure, whereas on-premises deployments often lack the ability for automation.

A

Answer:A

Explanation

Answer B is not totally correct as encryption can be difficult for companies to implement across the entire environment, but cloud providers usually offer encryption right out of the box. Encryption helps prevent data exposure, because the big cloud providers use military-grade AES 256 encryption so attackers won’t be able to read any data they might steal.
Answer C is not correct for the part “whereas on-premises deployments are inherently unsecure”. On-premises deployments’ security depends on the budget of that company. If the company is big enough, they can have dedicated firewall, dedicated and secured server rooms…
Answer D seems to be not correct for the part “whereas on-premises deployments often lack the ability for automation” too.
Answer A is the best choice, as on-premises deployments usually provide a better user experience only for connections from the same country as the on-premises deployment.

65
Q

Question 119
A firewall address of 192.168.1.101 can be pinged from a router but, when running a traceroute to it, this output is received.

1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *

What is the cause of this issue?

A. The firewall blocks ICMP traceroute traffic

B. The firewall rule that allows ICMP traffic does not function correctly

C. The firewall blocks ICMP traffic

D. The firewall blocks UDP traffic

A

Answer:D

Explanation

Ping uses ICMP packets, while Cisco devices actually use UDP for traceroute. So if we can ping but not traceroute, then maybe the firewall blocked UDP traffic.

66
Q

Question 120
Which configuration filters out DOT1X messages in the format shown below from being sent toward Syslog server 10.15.20.33?

Nov 11 10:59:47 MEZ: %AUTHMGR-5-START: Starting ‘dot1x’ for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3D2D05EE68
Nov 11 10:59:49 MEZ: %AUTHMGR-5-START: Starting ‘dot1x’ for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3E2D05F655

A. logging discriminator DOT1X facility drops DOT1X
logging host 10.15.20.33 discriminator DOT1X

B. logging discriminator DOT1X msg-body drops DOTX
logging host 10.15.20.33 discriminator DOTX

C. logging discriminator DOT1X mnemonics includes DOTX
logging host 10.15.20.33 discriminator DOT1X

D. logging discriminator DOT1X mnemonics includes DOT1X
logging host 10.15.20.33 discriminator DOTX

A

Answer:A

Explanation

The “logging discriminator DOT1X facility drops DOT1X” command creates a logging message filter that drops log messages with a specific facility of “DOT1X”.
Here’s a breakdown of the command:
+ logging discriminator DOT1X: This command creates a logging message discriminator named “DOT1X” which can be used to filter specific types of log messages.
+ facility drops DOT1X: This option tells the discriminator to drop log messages that have a facility of “DOT1X”. Facilities are used to group log messages based on the type of device or process that generated them.
Overall, this command creates a logging message filter that drops log messages with a facility of “DOT1X”. Any log messages that have this facility will not be saved to the router’s log buffer.
This command could be useful in situations where a large number of log messages are generated by the 802.1X authentication process and these messages are not required for troubleshooting or auditing purposes. By dropping these messages, the router’s log buffer can be conserved and the visibility of other log messages can be improved.
Reference:https://community.cisco.com/t5/network-management/filtering-of-logging-messages-to-a-syslog-server-on-a-catalyst/td-p/2585566

67
Q

Question 121
Which device, in a LISP routing architecture, receives and de-encapsulates LISP traffic for endpoints within a LISP-capable site?

A. MR

B. ETR

C. OMS

D. ITR

A

Answer:B

Explanation

Egress Tunnel Router (ETR) is the device (or function) that connects a site to the LISP-capable part of a core network (such as the Internet), publishes EID-to-RLOC mappings for the site, responds to Map-Request messages, and decapsulates and delivers LISP-encapsulated user data to end systems at the site. During operation, an ETR sends periodic Map-Register messages to all its configured map servers.

68
Q

Question 122
Which action limits the total amount of memory and CPU that is used by a collection of VMs?

A. Place the collection of VMs in a resource pool.

B. Place the collection of VMs in a vApp.

C. Limit the amount of memory and CPU that is available to the cluster.

D. Limit the amount of memory and CPU that is available to the individual VMs.

A

Answer:A

69
Q

Question 124
What is one benefit of implementing a data modeling language?

A. use XML style of data formatting

B. interoperability to allow unlimited implementations

C. machine-oriented logic and language-facilitated processing

D. conceptual representation makes interpretation simple

A

Answer:D

Explanation

The data modeling process is often compared to the way an architect creates a blueprint before building a house.
Data modeling gives stakeholders across your organization a high-level view of the types of data you collect, how it should be managed, and what you want to achieve with it.
Modeling allows everyone to come to a mutual understanding of the needs of the business and how end users will use information to make data-driven decisions whenever they need to.
Reference:https://powerbi.microsoft.com/en-us/what-are-the-advantages-of-data-modeling-tools/

70
Q

Question 126
What is a characteristic of a traditional WAN?

A. low complexity and high overall solution scale

B. centralized reachability, security, and application policies

C. operates over DTLS and TLS authenticated and secured tunnels

D. united data plane and control plane

A

Answer:D

71
Q

Question 127
Which Python library is used to work with YANG data models via NETCONF?

A. Postman

B. requests

C. ncclient

D. cURL

A

Answer:C

Explanation

In order to work with NETCONF, we have a library called ncclient. It’s a Python library that facilitates client-side scripting and application development around the NETCONF protocol.
Reference:https://blog.wimwauters.com/networkprogrammability/2020-03-30-netconf_python_part1/

72
Q

Question 129
Which mobility role is assigned to a client in the client table of the new controller after a Layer 3 roam?

A. anchor

B. foreign

C. mobility

D. transparent

A

Answer:B

Explanation

“A Layer 3 intercontroller roam consists of an extra tunnel that is built between the client’s original controller and the controller it has roamed to. The tunnel carries data to and from the client as if it is still associated with the original controller and IP subnet.”

The client begins with a connection to AP B on WLC 1. This creates an ANCHOR entry in the WLC client database. As the client moves away from AP B and makes an association with AP C, WLC 2 sends a mobility announcement to peers in the mobility group looking for the WLC with the client MAC address. WLC 1 responds to the announcement, handshakes, and ACKs. Next the client database entry for the roaming client is copied to WLC 2, and marked as FOREIGN.
Reference:https://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/TechArch.html

73
Q

Question 132
Which device is responsible for finding EID-to-RLOC mappings when traffic is sent to a LISP-capable site?

A. map server

B. map resolver

C. ingress tunnel router

D. egress tunnel router

A

Answer:C

Explanation

Ingress Tunnel Router (ITR) is the device (or function) that is responsible for finding EID-to-RLOC mappings for all traffic destined for LISP-capable sites. After the encapsulation, the original packet becomes a LISP packet.

74
Q

Question 133
In a Cisco SD-Access environment, which function is performed by the border node?

A. Connect devices to the fabric domain.

B. Group endpoints into IP pools.

C. Provide reachability information to fabric endpoints.

D. Provide connectivity to traditional layer 3 networks.

A

Answer:D

Explanation

+ Fabric border node: This fabric device (for example, core layer device) connects external Layer 3 networks to the SDA fabric.

75
Q

Question 134
Why would a customer implement an on-premises solution instead of a cloud solution?

A. On-premises offers greater compliance for government regulations than cloud

B. On-premises offers greater scalability than cloud

C. On-premises offers shorter deployment time than cloud

D. On-premises is more secure than cloud

A

Answer:A

Explanation

On the other hand, the on-prem security technology wins in compliance with government regulations. This technology is well suited for organizations that are required to follow the government’s strict security requirements like big tech companies, academic institutions, and insurance providers, as it is easier to customize an in-house system to meet these requirements -> Answer A is correct.
Reference:https://www.openpath.com/blog-post/cloud-and-on-premise-security
Note:
We don’t choose answer B because it is not totally correct according to this paragraph:
“A huge security advantage the cloud has over on-premises servers and infrastructure is segmentation from user workstations. The most common way attackers get into networks is through phishing and email-borne threats. The attacks almost always enter through user workstations. They rarely come directly through the server environment.
When you’re hosted in the cloud, all of your workstations are completely segmented. In the cloud, users aren’t sitting on the corporate network where the data lives.”
Reference:https://techbeacon.com/security/why-your-data-safer-cloud-premises

76
Q

Question 137
Which two new security capabilities are introduced by using a next-generation firewall at the Internet edge? (Choose two)

A. DVPN

B. NAT

C. stateful packet inspection

D. application-level inspection

E. integrated intrusion prevention

A

Answer:D E

Explanation

Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.
Reference:https://www.gartner.com/en/information-technology/glossary/next-generation-firewalls-ngfws

77
Q

Question 139
Which technology enables a redundant supervisor engine to take over when the primary supervisor engine fails?

A. NSF

B. graceful restart

C. SSO

D. FHRP

A

Answer:C

Explanation

Stateful switchover (SSO) establishes one of the supervisor engines as active while the other supervisor engine is designated as standby, and then SSO synchronizes information between them. A switchover from the active to the redundant supervisor engine occurs when the active supervisor engine fails, or is removed from the switch, or is manually shut down for maintenance.
Reference:https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/nsfsso.html

78
Q

Question 140
An engineer must implement a configuration to allow a network administrator to connect to the console port of a router and authenticate over the network. Which command set should the engineer use?

A. aaa new-model
aaa authentication login default enable

B. aaa new-model
aaa authentication login console local

C. aaa new-model
aaa authentication login console group radius

D. aaa new-model
aaa authentication enable default

A

Answer:C

Explanation

The statement “authenticate over the network” means it is not authenticated via local database.