Part_5 Flashcards

1
Q

Question 2
What are two characteristics of Cisco SD-Access elements? (Choose two)

A. Fabric endpoints are connected directly to the border node

B. The border node is required for communication between fabric and nonfabric devices

C. The control plane node has the full RLOC-to-EID mapping database

D. Traffic within the fabric always goes through the control plane node

E. The border node has the full RLOC-to-EID mapping database

A

Answer:B C

Explanation

There are five basic device roles in the fabric overlay:
+ Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay.
+ Fabric border node: This fabric device (for example, core layer device) connects external Layer 3 networks to the SDA fabric.
+ Fabric edge node: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric.
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric.
+ Intermediate nodes: These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services.

2
Q

Question 3
Refer to the exhibit.

Current configuration: 142 bytes
vrf definition STAFF
!
!
interface GigabitEthernet1
vrf forwarding STAFF
no ip address
negotiation auto
no mop enabled
no mop sysid
end

An engineer must assign an IP address of 192.168.1.1/24 to the GigabitEthernet1 interface. Which two commands must be added to the existing configuration to accomplish this task? (Choose two)

A. Router(config-vrf)#address-family ipv6

B. Router(config-if)#ip address 192.168.1.1 255.255.255.0

C. Router(config-vrf)#ip address 192.168.1.1 255.255.255.0

D. Router(config-if)#address-family ipv4

E. Router(config-vrf)#address-family ipv4

A

Answer:B E

Explanation

Both commands are required. With the multiprotocol `vrf definition` syntax used here, a VRF carries no IPv4 routing context until `address-family ipv4` has been configured under it, and IOS/IOS-XE will not accept an IPv4 address on an interface bound to that VRF until then. The existing configuration has an empty `vrf definition STAFF`, so the engineer must first add the address family and then assign the address on the interface:
Router(config)#vrf definition STAFF
Router(config-vrf)#address-family ipv4
Router(config-vrf-af)#exit-address-family
Router(config-vrf)#interface GigabitEthernet1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Option C is wrong because `ip address` is an interface command, not a VRF command; option D is wrong because `address-family` is configured under the VRF, not the interface; option A enables IPv6, which this task does not need.

3
Q

Question 4
What is the data policy in a Cisco SD-WAN deployment?

A. list of ordered statements that define node configurations and authentication used within the SD-WAN overlay

B. Set of statements that defines how data is forwarded based on IP packet information and specific VPNs

C. detailed database mapping several kinds of addresses with their corresponding location

D. group of services tested to guarantee devices and links liveliness within the SD-WAN overlay

A

Answer:B

Explanation

Data policy operates on the data plane in the Cisco SD-WAN overlay network and affects how data traffic is sent among Cisco SD-WAN devices in the network. The Cisco SD-WAN architecture defines two types of data policy, centralized data policy, which controls the flow of data traffic based on the IP header fields in the data packets and based on network segmentation, and localized data policy, which controls the flow of data traffic into and out of interfaces and interface queues on the devices.

4
Q

Question 9
Which encryption hashing algorithm does NTP use for authentication?

A. SSL

B. AES256

C. AES128

D. MD5

A

Answer:D

Explanation

An example of configuring NTP authentication is shown below. The key number (2) and the key string must match on the NTP peer, `ntp authenticate` turns authentication on, and `ntp trusted-key` marks which key IDs this router will accept; a client also references the key on its `ntp server` line. The exam answer is MD5, which is the classic algorithm used to compute the NTP message digest (RFC 5905). Recent IOS-XE releases also accept hmac-sha1, hmac-sha2-256 and cmac-aes-128 keys, and those should be preferred where both ends support them.
Router1(config)#ntp authentication-key 2 md5 9tut
Router1(config)#ntp authenticate
Router1(config)#ntp trusted-key 2
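To make concrete what the MD5 key actually protects, here is an added example (not from the original page or from Cisco) that builds a minimal NTPv4 client packet, appends the authenticator exactly as RFC 5905 Appendix A specifies (4-byte key ID followed by MD5 over the key concatenated with the message), and verifies it the way a server configured with `ntp trusted-key` would. The key ID 2 and key string "9tut" are taken from the configuration above; the packet fields and the trusted-key table are constructed for the example. Note that this is a keyed prefix hash, not HMAC, which is one reason the SHA/CMAC options are preferable on newer releases.

```python
import hashlib
import hmac
import struct

# Key ID and key string mirror the IOS example above; everything else is constructed.
KEY_ID = 2
KEY = b"9tut"
TRUSTED_KEYS = {KEY_ID: KEY}   # the 'ntp trusted-key 2' equivalent on the receiver


def ntp_client_header() -> bytes:
    """Minimal 48-byte NTPv4 client request.

    Byte 0 = 0x23: LI=0, VN=4, Mode=3 (client). Stratum 0, poll 6,
    precision -20; root delay/dispersion, reference ID and all four
    timestamps are left zero because only the authenticator matters here.
    """
    return struct.pack("!BBbb", 0x23, 0, 6, -20) + bytes(44)


def ntp_md5_mac(key: bytes, message: bytes, key_id: int) -> bytes:
    """RFC 5905 Appendix A authenticator: key ID (4 bytes) || MD5(key || message)."""
    digest = hashlib.md5(key + message).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(message: bytes, key: bytes, key_id: int) -> bytes:
    """Return the packet with the 20-byte MAC field appended."""
    return message + ntp_md5_mac(key, message, key_id)


def verify(packet: bytes, trusted_keys: dict) -> bool:
    """Receiver side: split off the MAC, look up the key ID among the trusted
    keys, recompute the digest and compare in constant time. Packets that are
    too short, reference an untrusted key ID, or fail the digest are rejected."""
    if len(packet) < 48 + 20:
        return False
    message, mac = packet[:-20], packet[-20:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = ntp_md5_mac(key, message, key_id)
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    pkt = authenticate(ntp_client_header(), KEY, KEY_ID)
    print(len(pkt), "bytes, valid:", verify(pkt, TRUSTED_KEYS))
```

Flipping any bit of the header, or presenting a key ID that is not in the trusted table, makes `verify` return False, which is the behaviour `ntp authenticate` plus `ntp trusted-key` gives you on the router.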

5
Q

What is a VPN in a Cisco SD-WAN deployment?

A. virtual channel used to carry control plane information

B. attribute to identify a set of services offered in specific places in the SD-WAN fabric

C. common exchange point between two different services

D. virtualized environment that provides traffic isolation and segmentation in the SD-WAN fabric

A

Answer:D

6
Q

Question 13
What is an emulated machine that has dedicated compute, memory, and storage resources and a fully installed operating system?

A. host

B. virtual machine

C. container

D. mainframe

A

Answer:B

7
Q

Question 14
Which two methods are used to reduce the AP coverage area? (Choose two)

A. Reduce AP transmit power

B. Increase minimum mandatory data rate

C. Reduce channel width from 40 MHz to 20 MHz

D. Enable Fastlane

E. Disable 2.4 GHz and use only 5 GHz

A

Answer:A B

Explanation

The transmit power of an AP affects the wireless coverage area and the maximum achievable signal-to-noise ratio. Proper configuration of transmit power is important for ensuring a wireless network is operating at its highest capacity.
Reference:https://documentation.meraki.com/MR/Radio_Settings/Transmit_Power_and_Antenna_Configuration
According to Cisco, there are two ways to reduce the AP coverage area (or the cell size):
+ Tuning Cell Size with Transmit Power
+ Tuning Cell Size with Data Rates
Setting the transmit power level is a simplistic approach to defining the cell size, but that is not the only variable involved. The cell size of an AP is actually a compromise between its transmit power and the data rates that it offers: a client that cannot sustain the lowest mandatory rate cannot stay associated, so raising that rate shrinks the effective cell.
To design a wireless LAN for best performance, you would most likely need to disable some of the lower data rates. For example, you could disable the 1, 2, and 5.5 Mbps rates to force clients to use higher rates and better modulation and coding schemes. That would improve throughput for individual clients and would also benefit the BSS as a whole by eliminating the slower rates that use more time on a channel. Narrowing the channel width (C), enabling Fastlane (D) or disabling the 2.4 GHz band (E) change capacity or band use, not the cell size.

8
Q

Question 18
In a three-tier hierarchical campus network design, which action is a design best-practice for the core layer?

A. provide QoS prioritization services such as marking, queueing, and classification for critical network traffic

B. provide advanced network security features such as 802.1X, DHCP snooping, VACLs, and port security

C. provide redundant Layer 3 point-to-point links between the core devices for more predictable and faster convergence

D. provide redundant aggregation for access layer devices and first-hop redundancy protocols such as VRRP

A

Answer:C

Explanation

The core should be highly available and redundant. The core aggregates the traffic from all the distribution layer devices, so it must be capable of forwarding large amounts of data quickly.
Considerations at the core layer include
– Providing high-speed switching (i.e., fast transport)
– Providing reliability and fault tolerance
– Scaling by using faster, and not more, equipment
– Avoiding CPU-intensive packet manipulation caused by security, inspection, quality of service (QoS) classification, or other processes

9
Q

Question 19
Which two network problems indicate a need to implement QoS in a campus network? (Choose two)

A. port flapping

B. misrouted network packets

C. excess jitter

D. bandwidth-related packet loss

E. duplicate IP addresses

A

Answer:C D

10
Q

Question 20
In a Cisco SD-Access solution, what is the role of the Identity Services Engine?

A. It provides GUI management and abstraction via apps that share context.

B. It is leveraged for dynamic endpoint to group mapping and policy definition.

C. It is used to analyze endpoint to app flows and monitor fabric status.

D. It manages the LISP EID database.

A

Answer:B

Explanation

DNA Controller – Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context
Identity Services – External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition
Analytics Engine – External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status
Reference:https://www.cisco.com/c/dam/global/da_dk/assets/training/seminaria-materials/Software_Defined_Access_2017.pdf

11
Q

Question 21
A customer has completed the installation of a Wi-Fi 6 greenfield deployment at their new campus. They want to leverage Wi-Fi 6 enhanced speeds on the trusted employee WLAN. To configure the employee WLAN, which two Layer 2 security policies should be used? (Choose two)

A. WPA (AES)

B. WPA2 (AES) + WEP

C. 802.1X

D. OPEN

A

Answer:C D

Explanation

Wi-Fi 6 (IEEE 802.11ax)
The high-efficiency (HE) data rates of 802.11ax are only negotiated on a WLAN whose Layer 2 security is either open or AES-based (CCMP/GCMP, that is WPA2 or WPA3). WEP and the original WPA are deprecated legacy policies; a client associating with them is limited to legacy rates, so options A and B cannot deliver Wi-Fi 6 speeds. That leaves 802.1X (an AES-protected WLAN with per-user authentication, the normal choice for a trusted employee WLAN) and OPEN.
Caveat: the common explanation that encryption should be skipped to "save time" is wrong. AES-CCMP/GCMP is hardware-accelerated and has no meaningful throughput cost, and an unencrypted WLAN exposes every employee session to anyone in range. OPEN is listed here only because, as a Layer 2 policy, it does not prevent HE rates; in a real deployment the employee WLAN should be 802.1X with WPA2- or WPA3-Enterprise.

12
Q

Question 22
Which outcome is achieved with this Python code?

client.connect (ip, port=22,username=usr,password=pswd)
stdin,stdout,stderr = client.exec_command(‘show ip bgp 192.168.10.100 bestpath\n’)
print(stdout)

A. displays the output of the show command in a formatted way

B. connects to a Cisco device using SSH and exports the routing table information

C. connects to a Cisco device using Telnet and exports the routing table information

D. connects to a Cisco device using SSH and exports the BGP table for the prefix

A

Answer:D

Explanation

The snippet follows the paramiko SSHClient API: `client.connect(..., port=22, ...)` opens an SSH session to the device (TCP port 22, so this is SSH, not Telnet) and `exec_command` runs the show command remotely. `show ip bgp 192.168.10.100 bestpath` returns the BGP best path for that prefix only, not the whole routing table, which rules out B and C. Note that `print(stdout)` prints the paramiko channel-file object rather than the command text; to display the output you would use `stdout.read().decode()`, so option A does not describe what this code actually shows.

13
Q

Question 23
What is YANG used for?

A. scraping data via CLI

B. providing a transport for network configuration data between client and server

C. processing SNMP read-only polls

D. describing data models

A

Answer:D

Explanation

YANG is a data modeling language used to describe the configuration and state data of a device or protocol. YANG 1.0 is defined in RFC 6020 and YANG 1.1 in RFC 7950. YANG only describes the model; the transport of that data between client and server (option B) is provided by protocols such as NETCONF and RESTCONF.

14
Q

Question 29
Which two actions, when applied in the LAN network segment, will facilitate Layer 3 CAPWAP discovery for lightweight AP? (Choose two)

A. Utilize DHCP option 17

B. Utilize DHCP option 43

C. Configure WLC IP address on LAN switch

D. Enable port security on the switch port

E. Configure an ip helper-address on the router interface

A

Answer:B E

Explanation

In a Cisco Unified Wireless network, the LAPs must first discover and join a WLC before they can service wireless clients.
However, this presents a question: how does an LAP find the management IP address of the controller when the controller is on a different subnet? Layer 2 broadcast discovery only works on the local subnet.
If you do not tell the LAP where the controller is via DHCP option 43, DNS resolution of "CISCO-CAPWAP-CONTROLLER.localdomain", or a static configuration, the LAP does not know where in the network to find the management interface of the controller. The `ip helper-address` on the AP's default gateway is what relays the AP's broadcast DHCP request to a DHCP server on another subnet, so the AP receives its address and the option 43 payload in the first place; it also forwards the AP's CAPWAP discovery broadcast to the configured address. Option 17 (root path) carries nothing useful for CAPWAP, and port security on the access port does not help discovery.

15
Q

Question 31
The following system log message is presented after a network administrator configures a GRE tunnel:

%TUN-RECURDOWN: Interface Tunnel 0 temporarily disabled due to recursive routing.

Why is Tunnel 0 disabled?

A. Because the tunnel cannot reach its tunnel destination

B. Because the best path to the tunnel destination is through the tunnel itself

C. Because dynamic routing is not enabled

D. Because the router cannot recursively identify its egress forwarding interface

A

Answer:B
Explanation
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the generic routing encapsulation (GRE) tunnel router has discovered a recursive routing problem. This condition is usually due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself (recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network
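The check the router is performing is simple to reproduce. The following added example (not from the original page or from Cisco) performs a longest-prefix lookup for the tunnel destination against a constructed routing table and flags the tunnel as recursive when the best path to its own endpoint exits through the tunnel. The tables, interface names and the endpoint address 203.0.113.2 are assumptions for the illustration. It also shows the usual remedy: a more specific route to the tunnel endpoint via the physical interface wins over a default route learned across the tunnel.

```python
import ipaddress

# Constructed routing tables: (prefix, outgoing interface). Not from the page.
# Healthy case: the tunnel endpoint subnet is reachable over a physical link.
ROUTES_OK = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),
    ("203.0.113.0/24", "GigabitEthernet0/0"),
]
# Broken case: a routing protocol running over the tunnel advertised a default
# route, and the specific route to the endpoint was lost. Traffic to the tunnel
# endpoint would now be encapsulated into the tunnel that needs it: recursion.
ROUTES_RECURSIVE = [
    ("0.0.0.0/0", "Tunnel0"),
]
TUNNEL_IFACE = "Tunnel0"
TUNNEL_DEST = "203.0.113.2"   # assumed 'tunnel destination' address


def best_route(routes, destination):
    """Longest-prefix match. Returns (network, interface) or None if unroutable."""
    addr = ipaddress.ip_address(destination)
    matches = [
        (ipaddress.ip_network(prefix), iface)
        for prefix, iface in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def tunnel_is_recursive(routes, tunnel_iface, tunnel_destination):
    """True when the best path to the tunnel destination leaves via the tunnel
    itself, the condition that triggers %TUN-5-RECURDOWN. An unroutable
    destination is a different failure (the tunnel simply cannot reach its peer)."""
    route = best_route(routes, tunnel_destination)
    return route is not None and route[1] == tunnel_iface


def fix_with_specific_route(routes, endpoint_prefix, physical_iface):
    """The usual remedy: add a more specific (static) route to the endpoint via
    the physical interface so it beats the default route through the tunnel."""
    return list(routes) + [(endpoint_prefix, physical_iface)]


if __name__ == "__main__":
    print("ok table recursive?", tunnel_is_recursive(ROUTES_OK, TUNNEL_IFACE, TUNNEL_DEST))
    print("broken table recursive?", tunnel_is_recursive(ROUTES_RECURSIVE, TUNNEL_IFACE, TUNNEL_DEST))
```

The same reasoning explains why the problem often clears on its own after a route flap: as soon as a non-tunnel path to the endpoint is longest-match again, the lookup no longer resolves through Tunnel0 and IOS re-enables the interface.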

16
Q

Question 32
What is provided by the Stealthwatch component of the Cisco Cyber Threat Defense solution?

A. real-time threat management to stop DDoS attacks to the core and access networks

B. real-time awareness of users, devices and traffic on the network

C. malware control

D. dynamic threat control for web traffic

A

Answer:B

Explanation

Cisco Stealthwatch is a comprehensive, network telemetry-based security monitoring and analytics solution that streamlines incident response through behavioral analysis, detecting denial of service attacks, anomalous behaviour, malicious activity and insider threats. Based on a scalable enterprise architecture, Stealthwatch provides near real-time situational awareness of all users and devices on the network.
Reference:https://www.endace.com/cisco-stealthwatch-solution-brief.pdf
Note: Although answer A looks plausible, Stealthwatch does not provide real-time protection against DDoS attacks; it only detects them from flow telemetry (NetFlow/IPFIX), and mitigation has to come from another control.
"Stealthwatch aggregates observed network activity and performs behavioral and policy driven analytics against what it sees in order to surface problematic activities. While we don't position ourselves as a DDoS solution, we're going to leverage our analytical capabilities to identify a DDoS attack against an internal host using the WebUI."
Reference:https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2016/pdf/LTRSEC-8421-LG.pdf

17
Q

Question 33
How does Protocol Independent Multicast function?

A. It uses unicast routing information to perform the multicast forwarding function.

B. It uses the multicast routing table to perform the multicast forwarding function.

C. In sparse mode it establishes neighbor adjacencies and sends hello messages at 5-second intervals.

D. It uses broadcast routing information to perform the multicast forwarding function.

A

Answer:A

Explanation

Although PIM is called a multicast routing protocol, it actually uses the unicast routing table to perform the reverse path forwarding (RPF) check function instead of building up a completely independent multicast routing table. Unlike other routing protocols, PIM does not send and receive routing updates between routers.

18
Q

Question 34
Under which network conditions is an outbound QoS policy that is applied on a router WAN interface most beneficial?

A. under all network conditions

B. under network convergence conditions

C. under interface saturation conditions

D. under traffic classification and marking conditions

A

Answer:C

Explanation

Traffic classification and marking should be done as close to the sources as possible, with an inbound policy at the trust boundary before traffic enters the network core. An outbound policy on the WAN interface (toward the ISP) matters when the interface is congested: queuing and shaping only take effect when offered load exceeds link capacity, so that is when the policy decides which packets are delayed or dropped. Under light load there is no contention and the policy has nothing to arbitrate.

19
Q

Question 35
Which technology does VXLAN use to provide segmentation for Layer 2 and Layer 3 traffic?

A. bridge domain

B. VLAN

C. VRF

D. VNI

A

Answer:D

Explanation

VXLAN has a 24-bit VXLAN network identifier (VNI), which allows for up to 16 million (2^24 = 16,777,216) VXLAN segments to coexist within the same infrastructure, compared with 4094 usable IDs in the 12-bit 802.1Q VLAN tag. For Layer 2 segmentation a VNI is mapped to a VLAN or bridge domain; for Layer 3 segmentation a VNI is mapped to a VRF (the Layer 3 VNI), which is how SD-Access carries its virtual networks across the fabric.
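The 8-byte VXLAN header (RFC 7348) is small enough to encode and decode by hand, which makes the 24-bit limit tangible. The following added example (not from the original page or from Cisco) builds a header for a given VNI with the I flag set, parses it back, refuses VNIs that do not fit in 24 bits, and rejects headers whose I flag is clear. The inner frame bytes are constructed placeholders.

```python
import struct

VXLAN_FLAG_I = 0x08            # RFC 7348: I bit set means the VNI field is valid
VXLAN_MAX_VNI = (1 << 24) - 1  # 16,777,215: largest value a 24-bit field can hold
VLAN_MAX_ID = 4094             # 12-bit 802.1Q tag; IDs 0 and 4095 are reserved
VXLAN_HEADER_LEN = 8


def vni_fits(vni: int) -> bool:
    """True when the VNI fits the 24-bit field."""
    return 0 <= vni <= VXLAN_MAX_VNI


def build_vxlan_header(vni: int) -> bytes:
    """8-byte header: flags(1) | reserved(3) | VNI(3) | reserved(1).

    The VNI occupies the upper 24 bits of the final 32-bit word, hence the
    shift by 8; the low byte of that word is reserved and sent as zero.
    """
    if not vni_fits(vni):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)


def parse_vxlan_header(frame: bytes) -> int:
    """Return the VNI carried at the front of an encapsulated frame.

    Headers shorter than 8 bytes or with the I flag clear are rejected, as a
    VTEP should do, rather than guessed at.
    """
    if len(frame) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_word = struct.unpack("!B3sI", frame[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI not valid (I flag clear)")
    return vni_word >> 8


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the VXLAN header to an inner Ethernet frame (UDP/IP outer headers omitted)."""
    return build_vxlan_header(vni) + inner_frame


if __name__ == "__main__":
    # Constructed inner frame: 14-byte Ethernet header placeholder plus payload.
    inner = b"\xff" * 14 + b"payload"
    pkt = encapsulate(5000, inner)   # 5000 is above the VLAN range but a valid VNI
    print(build_vxlan_header(1).hex(), parse_vxlan_header(pkt))
```

A VNI such as 5000 has no 802.1Q equivalent, which is exactly the point of the 24-bit field: segment identifiers are no longer limited by the VLAN tag, only by what the VTEPs are configured to map to VLANs or VRFs.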

20
Q

Question 36
A company has an existing Cisco 5520 HA cluster using SSO. An engineer deploys a new single Cisco Catalyst 9800 WLC to test new features. The engineer successfully configures a mobility tunnel between the 5520 cluster and 9800 WLC. Clients connected to the corporate WLAN roam seamlessly between access points on the 5520 and 9800 WLC. After a failure on the primary 5520 WLC, all WLAN services remain functional; however clients cannot roam between the 5520 and 9800 controllers without dropping their connection. Which feature must be configured to remedy the issue?

A. mobility MAC on the 5520 cluster

B. mobility MAC on the 9800 WLC

C. new mobility on the 5520 cluster

D. new mobility on the 9800 WLC

A

Answer:B

21
Q

Question 37
What are two methods of ensuring that the multicast RPF check passes without changing the unicast routing table? (Choose two)

A. disabling BGP routing protocol

B. implementing static mroutes

C. disabling the interface of the router back to the multicast source

D. implementing MBGP

E. implementing OSPF routing protocol

A

Answer:B D

Explanation

The RPF check compares the interface on which multicast from a source arrives with the interface the router would use to reach that source. Two mechanisms supply RPF information without touching the unicast RIB: a static mroute (`ip mroute`) gives PIM an explicit reverse path for a prefix, and MBGP (BGP with the IPv4 multicast address family) carries routes that are used only for RPF. Disabling BGP or an interface, or adding OSPF, would all change the unicast routing table.
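Questions 33 and 37 both turn on how the RPF interface is resolved, so here is one added example (not from the original page or from Cisco) that models the lookup. The unicast RIB and the static mroutes are constructed tables. The resolution rule is assumed here to follow the IOS behaviour: longest prefix match across unicast routes and static mroutes, and on an equal-length tie the lowest administrative distance wins, with static mroutes defaulting to AD 0. The unicast table is never modified, which is the point of Question 37.

```python
import ipaddress

# Constructed unicast RIB: (prefix, interface, administrative distance).
# The unicast path back toward 10.0.0.0/8 is via Gi0/0 (learned by OSPF, AD 110),
# but multicast from source 10.1.1.1 actually arrives on Gi0/1.
UNICAST_RIB = [("10.0.0.0/8", "GigabitEthernet0/0", 110)]

# Equivalent of 'ip mroute 10.1.1.0 255.255.255.0 GigabitEthernet0/1': (prefix, interface).
STATIC_MROUTES = [("10.1.1.0/24", "GigabitEthernet0/1")]
STATIC_MROUTE_AD = 0   # assumed default AD for static mroutes


def rpf_lookup(source, unicast_rib, mroutes=()):
    """Return the RPF interface for `source`, or None if it is unroutable.

    Static mroutes are merged with the unicast routes as candidates; the
    longest prefix wins, and equal-length candidates are tie-broken by the
    lowest administrative distance (so a static mroute beats a unicast route
    of the same length). The unicast table itself is left untouched.
    """
    addr = ipaddress.ip_address(source)
    candidates = list(unicast_rib) + [(p, iface, STATIC_MROUTE_AD) for p, iface in mroutes]
    matches = [
        (ipaddress.ip_network(prefix), iface, ad)
        for prefix, iface, ad in candidates
        if addr in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    best = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return best[1]


def rpf_check(source, arrival_iface, unicast_rib, mroutes=()):
    """PIM accepts a multicast packet only if it arrived on the RPF interface."""
    return rpf_lookup(source, unicast_rib, mroutes) == arrival_iface


if __name__ == "__main__":
    src, arrived_on = "10.1.1.1", "GigabitEthernet0/1"
    print("without mroute:", rpf_check(src, arrived_on, UNICAST_RIB))
    print("with mroute:   ", rpf_check(src, arrived_on, UNICAST_RIB, STATIC_MROUTES))
```

Running it shows the failure the question describes (packets from 10.1.1.1 dropped because the unicast path points at Gi0/0) and then the pass once the static mroute supplies a reverse path for 10.1.1.0/24, while the unicast table still routes 10.0.0.0/8 via Gi0/0. MBGP would feed the same lookup with routes learned from a neighbor instead of configured statically.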

22
Q

Question 38
What is the result when an active route processor fails in a design that combines NSF with SSO?

A. An NSF-aware device immediately updates the standby route processor RIB without churning the network

B. The standby route processor temporarily forwards packets until route convergence is complete

C. An NSF-capable device immediately updates the standby route processor RIB without churning the network

D. The standby route processor immediately takes control and forwards packets along known routes

A

Answer:D

Explanation

The forwarding can continue despite the loss of routing protocols peering sessions with other peering routers. The now active route processor (which was the standby) will initially have no active routing session(s) with any peers (no neighbors, link-state database, BGP table …), however it has an identical FIB and Adjacency information synced from the former Active route processor. Routing information is recovered dynamically, in the background, while packet forwarding proceeds uninterrupted using the FIB and Adjacency information synced from the former Active router processor.

23
Q

Question 39
What is a benefit of a virtual machine when compared with a physical server?

A. Deploying a virtual machine is technically less complex than deploying a physical server.

B. Virtual machines increase server processing performance.

C. The CPU and RAM resources on a virtual machine cannot be affected by other virtual machines.

D. Multiple virtual servers can be deployed on the same physical server without having to buy additional hardware.

A

Answer:D

24
Q

Question 40
What is the wireless received signal strength indicator?

A. The value of how strong the wireless signal is leaving the antenna using transmit power, cable loss, and antenna gain

B. The value given to the strength of the wireless signal received compared to the noise level

C. The value of how much wireless signal is lost over a defined amount of distance

D. The value of how strong a wireless signal is received, measured in dBm

A

Answer:D

Explanation

RSSI, or "Received Signal Strength Indicator," is a measurement of how strongly a device receives the signal from an access point or router. It is useful for determining whether you have enough signal to get a good wireless connection; it says nothing by itself about noise, which is what SNR (option B) adds.
This value is measured in dBm from 0 to about -120. The closer to 0 the stronger the signal; typically voice networks require -65 dBm or better, while a data network needs -80 dBm or better.

25
Q

Question 41
Which controller is capable of acting as a STUN server during the onboarding process of Edge devices?

A. vManage

B. vSmart

C. vBond

D. PNP server

A

Answer:C

Explanation

An additional vBond is deployed on the Internet and acts as a STUN server for WAN Edge devices with Internet access and redirects them to the private controller IP addresses.

26
Q

Question 42
What is the process for moving a virtual machine from one host machine to another with no downtime?

A. live migration

B. disaster recovery

C. high availability

D. multisite replication

A

Answer:A
Explanation
Live migration refers to the process of moving a running virtual machine or application between different physical machines without disconnecting the client or application. Memory, storage, and network connectivity of the virtual machine are transferred from the source host to the destination host while the guest keeps running. An example of a live migration tool is VMware vSphere vMotion.

27
Q

Question 43
What are two features of NetFlow flow monitoring? (Choose two)

A. Can track ingress and egress information

B. Include the flow record and the flow importer

C. Copies all ingress flow information to an interface

D. Does not require packet sampling on interfaces

E. Can be used to track multicast, MPLS, or bridged traffic

A

Answer:A E

Explanation

The following are restrictions for Flexible NetFlow:
+ Traditional NetFlow (TNF) accounting is not supported.
+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is supported.
+ Both ingress and egress NetFlow accounting is supported.
+ Microflow policing feature shares the NetFlow hardware resource with FNF.
+ Only one flow monitor per interface and per direction is supported.

28
Q

Question 44
Which method should an engineer use to deal with a long-standing contention issue between any two VMs on the same host?

A. Adjust the resource reservation limits

B. Reset the host

C. Reset the VM

D. Live migrate the VM to another host

A

Answer:A

29
Q

Question 45
What is the recommended MTU size for a Cisco SD-Access Fabric?

A. 4464

B. 9100

C. 1500

D. 17914

A

Answer:B

30
Q

Question 46
What does the number in an NTP stratum level represent?

A. The number of hops it takes to reach the master time server.

B. The amount of drift between the device clock and true time.

C. The amount of offset between the device clock and true time.

D. The number of hops it takes to reach the authoritative time source.

A

Answer:D

Explanation

NTP uses the concept of a stratum to describe how many NTP hops (time servers, not routers) a machine is from an authoritative time source, usually a reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 sources are not used directly on the network; they are attached to computers which then operate as stratum 1 servers. A stratum 1 time server acts as a primary network time standard, a server synchronized to it is stratum 2, and so on. The stratum is a distance measure, not an accuracy measure: drift and offset (options B and C) are separate quantities.

31
Q

Question 51
Which protocol is implemented to establish secure control plane adjacencies between Cisco SD-WAN nodes?

A. IKE

B. DTLS

C. IPsec

D. ESP

A

Answer:B

Explanation

The Cisco SD-WAN control plane has been designed with network and device security in mind. The foundation of the control plane is one of two security protocols derived from SSL (Secure Sockets Layer)— the Datagram Transport Layer Security (DTLS) protocol and the Transport Layer Security (TLS) protocol.

32
Q

Question 53
When does a stack master lose its role?

A. When the priority value of a stack member is changed to a higher value

B. When a switch with a higher priority is added to the stack

C. When the stack master is reset

D. When a stack member fails

A

Answer:C

Explanation

A stack master retains its role unless one of these events occurs:
+ The switch stack is reset.
+ The stack master is removed from the switch stack.
+ The stack master is reset or powered off -> Answer C is correct.
+ The stack master fails.
+ The switch stack membership is increased by adding powered-on standalone switches or switch stacks.
In the last case the current stack master might be re-elected based on the standard election factors (priority, then other tie-breakers). Simply changing a member's priority value (A) or adding a single higher-priority switch (B) does not by itself force a re-election, and a member failing (D) does not affect the master.

33
Q

Question 54
What is the calculation that is used to measure the radiated power of a signal after it has gone through the radio, antenna cable, and antenna?

A. dBi

B. mW

C. dBm

D. EIRP

A

Answer:D

Explanation

Once you know the complete combination of transmitter power level, the length of cable, and the antenna gain, you can figure out the actual power level that will be radiated from the antenna. This is known as the effective isotropic radiated power (EIRP), measured in dBm.
EIRP is a very important parameter because it is regulated by governmental agencies in most countries. In those cases, a system cannot radiate signals higher than a maximum allowable EIRP. To find the EIRP of a system, simply add the transmitter power level to the antenna gain and subtract the cable loss.

EIRP = Tx Power – Tx Cable + Tx Antenna
Suppose a transmitter is configured for a power level of 10 dBm (10 mW). A cable with 5-dB loss connects the transmitter to an antenna with an 8-dBi gain. The resulting EIRP of the system is 10 dBm – 5 dB + 8 dBi, or 13 dBm.
You might notice that the EIRP is made up of decibel-milliwatt (dBm), dB relative to an isotropic antenna (dBi), and decibel (dB) values. Even though the units appear to be different, you can safely combine them because they are all in the dB “domain”.