Part_8 Flashcards
Question 1
Which protocol is used to encrypt control plane traffic between SD-WAN controllers and SD-WAN endpoints?
A. DTLS
B. IPsec
C. PGP
D. HTTPS
Answer: A
Explanation
DTLS protocol is used to encrypt control plane traffic between vSmart (controllers) and other SD-WAN endpoints.
Question 2
Which network devices secure API platform?
A. next-generation intrusion detection systems
B. Layer 3 transit network devices
C. content switches
D. web application firewalls
Answer: D
Explanation
Cisco Secure Web Application Firewall (WAF) and bot protection defends your online presence and ensures that websites, mobile applications, and APIs are secure, protected, and "always on."
Reference: https://www.cisco.com/c/en/us/products/collateral/security/advanced-waf-bot-aag.pdf
Question 3
An engineer must configure the strongest password authentication to locally authenticate on a router. Which configuration must be used?
A. username netadmin secret 5 $1$bfjk$kdiSiDKKdkXksufZ2
B. username netadmin secret $1$bfjk$kdiSiDKKdkXksufZ2
C. line console 0
password $1$bfjk$k
D. username netadmin secret 9 $9$vFpMf83kdDJ9kdjDdjdu/dkfhZiz
Answer: D
Explanation
Best Practices
+ The enable password command should no longer be used. Use enable secret instead.
+ The username joeblow password mypass command should no longer be used. Use username joeblow secret mypass instead.
+ Type 4 passwords should never be used!
+ Use Type 6, Type 8 and Type 9 wherever possible.
+ Type 0, Type 5 and Type 7 should be migrated to other stronger methods.
Reference: https://community.cisco.com/t5/networking-documents/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238
Question 4
Refer to the exhibit.
Device#configure terminal
Device(config)#netconf ssh acl 1
Device(config)#netconf lock-time 100
Device(config)#netconf max-sessions 1
Device(config)#netconf max-message 10
A network engineer must configure NETCONF. After creating the configuration, the engineer gets output from the command show line, but not from show running-config. Which command completes the configuration?
A. Device(config)# no netconf ssh acl 1
B. Device(config)# netconf max-sessions 100
C. Device(config)# netconf lock-time 500
D. Device(config)# netconf max-message 1000
Answer: D
Explanation
If we use "no netconf ssh acl 1", the whole NETCONF function is disabled, so the best answer is "netconf max-message 1000", which increases the maximum size of messages received in a NETCONF session to 1000 KB (~1 MB).
Note:
+ The valid range for netconf lock-time seconds is 1 to 300, so 500 is not a valid value.
+ The valid range for netconf max-sessions number is 4 to 16, so 100 is not a valid value.
Question 5
An engineer is configuring a new SSID to present users with a splash page for authentication. Which WLAN Layer 3 setting must be configured to provide this functionality?
A. CCKM
B. WPA2 Policy
C. Local Policy
D. Web Policy
Answer: D
Explanation
In the figure below, we have to tick "Web Policy" to enable "Splash Page Web Redirect".
Question 9
An engineer is implementing a route map to support redistribution within BGP. The route map must be configured to permit all unmatched routes. Which action must the engineer perform to complete this task?
A. Include a permit statement as the first entry
B. Include at least one explicit deny statement
C. Remove the implicit deny entry
D. Include a permit statement as the last entry
Answer: D
Question 12
Which threat defense mechanism, when deployed at the network perimeter, protects against zero-day attacks?
A. intrusion prevention
B. stateful inspection
C. sandbox
D. SSL decryption
Answer: A
Explanation
A zero-day (or 0-day) vulnerability is a software vulnerability that is discovered by attackers before the vendor has become aware of it. By definition, no patch exists for zero-day vulnerabilities and user systems have no defenses in place, making attacks highly likely to succeed. The name "zero-day" is designed to imply how long it has been since the vulnerability was discovered. The term also indicates that system developers have had zero days to fix it.
Intrusion Protection
While the precise methods of a zero-day exploit can't be known in advance, a network intrusion protection system (NIPS) can monitor the firm's network for unusual activity.
The advantage of NIPS over a traditional antivirus-only system is that it does not rely on checking software against a known database of threats. This means it does not need updates or patches to learn about the latest attacks. NIPS works by monitoring the day-to-day patterns of network activity across the network.
When traffic or events far out of the ordinary are detected, action can be taken to alert system administrators and lock down the firewall. Devices such as USB drives and mobile devices can all introduce threats to the network. They can often make it past the firewall because they are physically introduced to the system.
NIPS protects against threats introduced to the network from both external and internal sources.
Reference: https://cybriant.com/how-to-prevent-zero-day-attacks-in-5-steps/
Question 13
What is a Type 2 hypervisor?
A. also referred to as a “bare metal hypervisor” because it sits directly on the physical server
B. runs directly on a physical server and includes its own operating system
C. supports over-allocation of physical resources
D. installed as an application on an already installed operating system
Answer: D
Explanation
There are two types of hypervisors: type 1 and type 2.
In a type 1 hypervisor (or native hypervisor), the hypervisor is installed directly on the physical server. Instances of an operating system (OS) are then installed on the hypervisor. A type 1 hypervisor has direct access to the hardware resources, so it is more efficient than a hosted architecture. Some examples of type 1 hypervisors are VMware vSphere/ESXi, Oracle VM Server, KVM and Microsoft Hyper-V.
In contrast to a type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of an operating system and not on the physical hardware directly. A big advantage of type 2 hypervisors is that management console software is not required. Examples of type 2 hypervisors are VMware Workstation (which can run on Windows, Mac and Linux) and Microsoft Virtual PC (which only runs on Windows).
Question 14
Which two items are found in YANG data models? (Choose two)
A. HTTP return codes
B. rpc statements
C. JSON schema
D. container statements
E. XML schema
Answer: B, D
Explanation
The following YANG example uses a container statement to define a timeout mechanism for a request to a server. The timeout has two components: access-timeout, which represents the maximum time without server response, and retries, which represents the number of request attempts before giving up.
container timeout {
  leaf access-timeout {
    type uint32;
  }
  leaf retries {
    type uint8;
  }
}
Reference: https://www.tail-f.com/wordpress/wp-content/uploads/2014/02/Tail-f-Instant-YANG.pdf
IOS XR actions are RPC statements that trigger an operation or execute a command on the router. These actions are defined as YANG models using RPC statements. An action is executed when the router receives the corresponding NETCONF RPC request. Once the router executes an action, it replies with a NETCONF RPC response.
Reference: https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5000/DataModels/b-data-models-config-guide-ncs5000/b-data-models-config-guide-ncs5000_chapter_010.html
Note: A data model is simply a well-understood and agreed-upon method to describe "something". As an example, consider this simple "data model" for a person.
Person
+ Gender: male, female, other
+ Height: feet/inches or meters
+ Weight: pounds or kilos
+ Hair Color: brown, blond, black, red, other
+ Eye Color: brown, blue, green, hazel, other
Question 15
What is a characteristic of Cisco DNA Northbound APIs?
A. They utilize RESTCONF
B. They enable automation of network infrastructure based on intent
C. They simplify the management of network infrastructure devices
D. They utilize multivendor support APIs
Answer: B
Explanation
Software-Defined Access (SDA) uses the software-defined architectural model, with a controller and various APIs. At the center sits the Digital Network Architecture (DNA) Center controller. DNA Center is the controller for SDA networks.
Question 16
What is required for intercontroller Layer 3 roaming?
A. Mobility groups are established between wireless controllers.
B. WLCs have the same IP addresses configured on their interfaces.
C. WLCs use separate DHCP servers.
D. The management VLAN is present as a dynamic VLAN on the second WLC.
Answer: A
Explanation
If the management VLAN of one controller is present as a dynamic VLAN on another controller, the mobility feature is not supported -> Answer D is not correct.
Cisco Wireless Controllers (that are mobility peers) must use the same DHCP server to have an updated client mobility move count on intra-VLAN -> Answer C is not correct.
The figure below shows intercontroller Layer 3 roaming, which occurs when the wireless LAN interfaces of the controllers are on different IP subnets… -> Answer B is not correct.
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/overview.html
Therefore answer A is the only answer left.
Question 17
What is required for a virtual machine to run?
A. a hypervisor and physical server hardware
B. a Type 1 hypervisor and a host operating system
C. only a Type 1 hypervisor
D. only a Type 2 hypervisor
Answer: A
Explanation
In order to run a VM, we need a physical server and a hypervisor.
Question 18
Which technology uses network traffic telemetry, contextual information, and file reputation to provide insight into cyber threats?
A. threat defense
B. security services
C. security intelligence
D. segmentation
Answer: A
Explanation
According to the CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide, in Chapter 25: Secure Network
Access Control:
Threat defense: It is important to have visibility into the most dangerous cyber threats. Threat defense provides this visibility through network traffic telemetry, file reputation, and contextual information (such as device types, locations, users, identities, roles, privilege levels, login status, posture status, and so on). It enables assessment of the nature and the potential risk of suspicious activity so that the correct next steps for cyber threats can be taken.
Note:
Security intelligence: Security intelligence provides detection of emerging malware and cyber threats. It enables an infrastructure to enforce policy dynamically, as reputations are augmented by the context of new threats. This enables accurate and timely security protection.
Question 19
An engineer must configure AAA on a Cisco 9800 WLC for central web authentication. Which two commands are needed to accomplish this task? (Choose two)
A. (Cisco Controller)> config radius acct add 10.10.10.12 1812 SECRET
B. (Cisco Controller)> config wlan aaa-override enable <wlan-id>
C. (Cisco Controller)> config wlan aaa-override disable <wlan-id>
D. Device(config-locsvr-da-radius)#client 10.10.10.12 server-key 0 SECRET
E. Device(config)# aaa server radius dynamic-author
Answer: D, E
Explanation
Answers B and C are used to enable/disable the AAA Override option, but that option is optional, so they are not the correct answers. AAA Override enables you to apply VLAN tagging, Quality of Service, and Access Control Lists to individual clients based on the RADIUS attributes returned from the AAA server.
According to this Cisco link (under the "AAA Configuration on 9800 WLCs" section), we need the following commands:
# aaa new-model
# radius server <radius-server-name>
# address ipv4 <radius-server-ip> auth-port 1812 acct-port 1813
# timeout 300
# retransmit 3
# key <shared-key>
# exit
# aaa group server radius <radius-grp-name>
# server name <radius-server-name>
# exit
# aaa server radius dynamic-author
# client <radius-server-ip> server-key <shared-key>
# aaa authentication dot1x <dot1x-list-name> group <radius-grp-name>
Therefore answers D and E are correct.
Question 21
What is a benefit of Type 1 hypervisors?
A. Network engineers are able to create virtual networks of interconnected virtual machines in Layer 2 topologies
B. Storage engineers are able to leverage VMDK files to provide storage to virtual machine.
C. Operators are able to leverage orchestrators to manage workloads that run on multiple Type 1 hypervisors
D. Administrators are able to load portable virtual machine packages in OVA or QCOW2 formats.
Answer: A
Question 23
What are two benefits of implementing a Cisco SD-WAN architecture? (Choose two)
A. It provides resilient and effective traffic flow using MPLS
B. It improves endpoint protection by integrating embedded and cloud security features
C. It allows configuration of application-aware policies with real time enforcement
D. It simplifies endpoint provisioning through standalone router management
E. It enforces a single, scalable, hub-and-spoke topology
Answer: B, C
Explanation
The top SD-WAN benefits are:
+ Increased bandwidth at a lower cost
+ Centralized management across branch networks
+ Full visibility into the network
+ Providing organizations with more connection type options and vendor selection when building a network.
Reference: https://www.sdxcentral.com/networking/sd-wan/definitions/sd-wan-technology/
-> We can provision endpoints (vEdges) centrally through vManage, not through standalone router management -> Answer D is not correct.
Answer A is not correct, as we can use different kinds of connections in SD-WAN: MPLS, LTE, 4G, xDSL, Internet connections…
Application-Aware Routing policy is configured in vManage as a centralized data policy that maps the service-side application(s) to specific SLA requirements. The centralized policies provisioned in the vSmart controller are pushed to the relevant WAN Edge devices for enforcement. The defined policy consists of match-action pairs, where the match statement defines the application-list or the type of traffic to match, and the action statement defines the SLA action the WAN Edge devices must enforce for the specified traffic.
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-application-aware-routing-deploy-guide.html
-> Therefore answer C is correct.
Answer E is not correct, as it is not a benefit of SD-WAN.
Cisco SD-WAN is fully integrated with cloud-delivered Cisco Umbrella, which offers protection against security blind spots and cyberthreats. Powered by the Umbrella global network and Cisco Talos threat intelligence, it's the easiest way to deliver protection to users anywhere they access the internet and cloud apps -> Answer B is correct.
Question 25
Which component does Cisco Threat Defense use to measure bandwidth, application performance, and utilization?
A. NetFlow
B. Cisco Umbrella
C. TrustSec
D. Advanced Malware Protection for Endpoints
Answer: A
Explanation
NetFlow was initially created to measure network traffic characteristics such as bandwidth, application performance, and utilization.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd2-0/design_guides/ctd_2-0_cvd_guide_jul15.pdf
Question 26
A customer has two Cisco WLCs that manage separate APs throughout a building. Each WLC advertises the same SSID but terminates on different interfaces. Users report that they drop their connections and change IP addresses when roaming. Which action resolves this issue?
A. Configure high availability.
B. Enable test roaming.
C. Enable client load balancing.
D. Configure mobility groups.
Answer: D
Question 28
A script contains the statement “while loop != 999:”. Which value terminates the loop?
A. A value less than or equal to 999
B. A value greater than or equal to 999
C. A value not equal to 999
D. A value equal to 999
Answer: D
Explanation
The "while {expression}" loop exits when the expression is false. Of the choices, only the expression "999 != 999" evaluates to false, so a value equal to 999 is the correct answer.
Note: “!=” means “is not equal to”.