Part_9 Flashcards

1
Q

Question 1
Which IPv4 packet field carries the QoS IP classification marking?

A. ID

B. TTL

C. FCS

D. ToS

A

Answer:D

2
Q

Question 4
A customer transitions a wired environment to a Cisco SD-Access solution. The customer does not want to integrate the wireless network with the fabric. Which wireless deployment approach enables the two systems to coexist and meets the customer requirement?

A. Deploy a separate network for the wireless environment.

B. Implement a Cisco DNA Center to manage the two networks.

C. Deploy the wireless network over the top of the fabric.

D. Deploy the APs in autonomous mode.

A

Answer:C

Explanation

Customers with a wired network based on SD-Access fabric have two options for integrating wireless access:
+ SD-Access Wireless Architecture
+ Cisco Unified Wireless Network Wireless Over the Top (OTT)
OTT basically involves running traditional wireless on top of a fabric wired network.
Why would you deploy Cisco Unified Wireless Network wireless OTT? There are two primary reasons:
…
2. Another reason for deploying wireless OTT could be that customer doesn’t want or cannot migrate to fabric for wireless.
Reference:https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/deploy-guide/cisco-dna-center-sd-access-wl-dg.pdf

3
Q

Question 5
Which two solutions are used for backing up a Cisco DNA Center Assurance database? (Choose two)

A. NFS share

B. local server

C. non-linux server

D. remote server

E. bare metal server

A

Answer:A D

Explanation

Cisco DNA Center creates the backup files and posts them to a remote server. Each backup is uniquely stored using the UUID as the directory name.
To support Assurance data backups, the server must be a Linux-based NFS server that meets the following requirements:
Support NFS v4 and NFS v3.
Cisco DNA Center stores backup copies of Assurance data on an external NFS device and automation data on an external remote sync (rsync) target location.
The remote share for backing up an Assurance database (NDP) must be an NFS share.
Reference:https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/admin_guide/b_cisco_dna_center_admin_guide_2_1_2/b_cisco_dna_center_admin_guide_2_1_1_chapter_0110.html

4
Q

Question 7
A customer wants to provide wireless access to contractors using a guest portal on Cisco ISE. The portal is also used by employees. A solution is implemented, but contractors receive a certificate error when they attempt to access the portal. Employees can access the portal without any errors. Which change must be implemented to allow the contractors and employees to access the portal?

A. Install a trusted third-party certificate on the Cisco ISE.

B. Install an internal CA signed certificate on the Cisco ISE.

C. Install a trusted third-party certificate on the contractor devices.

D. Install an internal CA signed certificate on the contractor devices.

A

Answer:A

Explanation

It is recommended to use the company internal CA for Admin and EAP certificates, and a publicly signed certificate for the Guest/Sponsor/Hotspot and other portals. If the ISE guest portal uses a privately signed certificate, users whose devices do not trust that private CA (here, the contractors, whose devices are not domain-joined and so never received the internal root) get certificate errors or may have their browser block the portal page; employees do not see the error because their managed devices already trust the internal CA. Using a publicly signed certificate for portal use avoids this and gives a better user experience. Additionally, each deployment node's IP address should be added to the SAN field to avoid a certificate warning when the server is accessed via its IP address.
Reference:https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

5
Q

Question 9
What is the API keys option for REST API authentication?

A. a predetermined string that is passed from client to server

B. a one-time encrypted token

C. a username that is stored in the local router database

D. a credential that is transmitted unencrypted

A

Answer:A

Explanation

API keys are widely used for REST API authentication and have become a de facto standard; on their own, however, they are a weak security measure: an API key is a static bearer secret, so anyone who captures it can replay it.
API keys were created as a partial fix for the early authentication issues of HTTP Basic Authentication and similar schemes. A unique generated value is assigned to each first-time user, signifying that the user is known. When the user re-enters the system, that unique key (sometimes derived from hardware and IP data, sometimes randomly generated by the server that knows them) is used to prove that they are the same user as before.
Reference:https://blog.restcase.com/4-most-used-rest-api-authentication-methods/

6
Q

Question 16
Which definition describes JWT in regard to REST API security?

A. an encrypted JSON token that is used for authentication

B. an encrypted JSON token that is used for authorization

C. an encoded JSON token that is used to securely exchange information

D. an encoded JSON token that is used for authentication

A

Answer:C
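To make concrete why answer C says "encoded" rather than "encrypted", here is an added Python example (not from the original flashcards) that mints and verifies an HS256 JWT with only the standard library. The key and claims are constructed for the demonstration. It shows that anyone can read the claims without the key, and that a verifier must pin the algorithm and check the signature so that tampered or alg=none tokens are rejected.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key (assumption for this example); real keys come from a secret store.
DEMO_KEY = b"example-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWS: header.payload.signature, signed with HMAC-SHA256."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def peek_claims(token: str) -> dict:
    """Read the payload without any key: a JWT is encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature checks out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token header choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    return json.loads(_b64url_decode(p64))


def tamper(token: str, **new_claims) -> str:
    """Rewrite the payload without re-signing, as an attacker without the key would."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims.update(new_claims)
    return h64 + "." + _segment(claims) + "." + s64


def none_alg_token(claims: dict) -> str:
    """Unsigned token with alg=none; a correct verifier must reject it."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."
```

`peek_claims` works on any token because the payload is only base64url-encoded JSON; confidentiality would require JWE, which is a separate format. The integrity guarantee comes entirely from `verify_jwt` re-computing the HMAC over the first two segments and comparing in constant time.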

7
Q

Question 18
What happens when a FlexConnect AP changes to standalone mode?

A. All controller-dependent activities stop working except DFS

B. Only clients on central switching WLANs stay connected

C. All clients roaming continues to work

D. All clients on all WLANs are disconnected

A

Answer:A

Explanation

When a FlexConnect access point enters standalone mode, it disassociates all clients that are on centrally switched WLANs. Controller-dependent activities, such as network access control (NAC) and web authentication (guest access), are disabled.
However, a FlexConnect access point supports dynamic frequency selection (DFS) in standalone mode.
Reference:https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html

8
Q

Question 19
Which two Cisco SD-Access components provide communication between traditional network elements and controller layer? (Choose two)

A. network data platform

B. network underlay

C. fabric overlay

D. network control platform

E. partner ecosystem

A

Answer:B C

9
Q

Question 20
What is one difference between EIGRP and OSPF?

A. OSPF is a Cisco proprietary protocol, and EIGRP is an IETF open standard protocol.

B. EIGRP uses the DUAL distance vector algorithm, and OSPF uses the Dijkstra link-state algorithm

C. EIGRP uses the variance command for unequal cost load balancing, and OSPF supports unequal cost balancing by default.

D. OSPF uses the DUAL distance vector algorithm, and EIGRP uses the Dijkstra link-state algorithm

A

Answer:B

10
Q

Question 21
Which function does a fabric wireless LAN controller perform in a Cisco SD-Access deployment?

A. performs the assurance engine role for both wired and wireless clients

B. coordinates configuration of autonomous nonfabric access points within the fabric

C. manages fabric-enabled APs and forwards client registration and roaming information to the Control Plane Node

D. is dedicated to onboard clients in fabric-enabled and nonfabric-enabled APs within the fabric

A

Answer:C

Explanation
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric.

11
Q

Question 24
How must network management traffic be treated when defining QoS policies?

A. as delay-sensitive traffic in a low latency queue

B. using minimal bandwidth guarantee

C. using the same marking as IP routing

D. as best effort

A

Answer:A

12
Q

Question 26
What are the main components of Cisco TrustSec?
A. Cisco ISE and Enterprise Directory Services
B. Cisco ISE, network switches, firewalls, and routers
C. Cisco ISE and TACACS+
D. Cisco ASA and Cisco Firepower Threat Defense

A

Answer:B

Explanation

The key component of Cisco TrustSec is the Cisco Identity Services Engine. It is typical for the Cisco ISE to provision switches with TrustSec identities and Security Group ACLs (SGACLs), though these may be configured manually.
Reference:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/trustsec.pdf

13
Q

Question 28
What is a TLOC in a Cisco SD-WAN deployment?

A. value that identifies a specific tunnel within the Cisco SD-WAN overlay

B. identifier that represents a specific service offered by nodes within the Cisco SD-WAN overlay

C. attribute that acts as a next hop for network prefixes

D. component set by the administrator to differentiate similar nodes that offer a common service

A

Answer:C

Explanation

TLOCs serve another important function besides data plane connectivity. In OMP terms (the routing protocol used over the SD-WAN Fabric), the TLOC serves as a next-hop for route advertisements. OMP is very similar to BGP in many ways, and just as the next-hop must be resolvable for BGP to install a route, the same is true of OMP.
Reference:https://carpe-dmvpn.com/2019/12/14/tlocs-cisco-sd-wan/

14
Q

Question 29
Which Cisco FlexConnect state allows wireless users that are connected to the network to continue working after the connection to the WLC has been lost?

A. Authentication Down/Switching Down

B. Authentication-Central/Switch-Local

C. Authentication-Down/Switch-Local

D. Authentication-Central/Switch-Central

A

Answer:C

Explanation

A FlexConnect WLAN, depending on its configuration and network connectivity, is classified as being in one of the following defined states.
+ Authentication-Central/Switch-Central: This state represents a WLAN that uses a centralized authentication method such as 802.1X, VPN, or web. User traffic is sent to the WLC via CAPWAP (central switching). This state is supported only when FlexConnect is in connected mode.
+ Authentication Down/Switching Down: Central switched WLANs no longer beacon or respond to probe requests when the FlexConnect AP is in standalone mode. Existing clients are disassociated.
+ Authentication-Central/Switch-Local: This state represents a WLAN that uses centralized authentication, but user traffic is switched locally. This state is supported only when the FlexConnect AP is in connected mode.
+ Authentication-Down/Switch-Local: A WLAN that requires central authentication rejects new users. Existing authenticated users continue to be switched locally until session time-out, if configured. The WLAN continues to beacon and respond to probes until there are no more existing users associated to the WLAN. This state occurs as a result of the AP going into standalone mode.
+ Authentication-Local/Switch-Local: This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a FlexConnect AP goes into standalone mode. The WLAN continues to beacon and respond to probes. Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.

15
Q

Question 32
How do EIGRP metrics compare to OSPF metrics?

A. The EIGRP administrative distance for external routes is 170, and the OSPF administrative distance for external routes is 110

B. EIGRP uses the Dijkstra algorithm, and OSPF uses The DUAL algorithm

C. The EIGRP administrative distance for external routes is 170, and the OSPF administrative distance for external routes is undefined

D. EIGRP metrics are based on a combination of bandwidth and packet loss, and OSPF metrics are based on interface bandwidth

A

Answer:A

16
Q

Question 33
A network engineer is configuring OSPF on a router. The engineer wants to prevent having a route to 172.16.0.0/16 learned via OSPF in the routing table and configures a prefix list using the command
ip prefix-list OFFICE seq 5 deny 172.16.0.0/16.
Which two additional configuration commands must be applied to accomplish the goal? (Choose two)

A. distribute-list prefix OFFICE in under the OSPF process

B. ip prefix-list OFFICE seq 10 permit 0.0.0.0/0 le 32

C. ip prefix-list OFFICE seq 10 permit 0.0.0.0/0 ge 32

D. distribute-list OFFICE out under the OSPF process

E. distribute-list OFFICE in under the OSPF process

A

Answer:A B
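Why option B rather than C, as an added Python example that is not part of the original flashcard: a small evaluator of IOS prefix-list semantics (an entry with no ge/le matches that exact prefix length only, `ge X` alone implies `le 32`, first match wins, and an unmatched route hits the implicit deny). The configuration lines and candidate routes are constructed for the demonstration. Note also that `distribute-list prefix OFFICE in` under the OSPF process filters what is installed in the routing table; it does not remove the LSA from the link-state database.

```python
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[int, str, ipaddress.IPv4Network, int, int]  # seq, action, prefix, ge, le

# Constructed configuration snippets: option B and option C from the question.
EXAMPLE_CONFIG_B = [
    "ip prefix-list OFFICE seq 5 deny 172.16.0.0/16",
    "ip prefix-list OFFICE seq 10 permit 0.0.0.0/0 le 32",
]
EXAMPLE_CONFIG_C = [
    "ip prefix-list OFFICE seq 5 deny 172.16.0.0/16",
    "ip prefix-list OFFICE seq 10 permit 0.0.0.0/0 ge 32",
]
EXAMPLE_ROUTES = ["172.16.0.0/16", "172.16.1.0/24", "10.0.0.0/8", "10.1.1.1/32"]


def parse_prefix_list(config_lines: List[str], name: str) -> List[Entry]:
    """Collect the entries of prefix-list `name` from IOS-style config lines, in seq order."""
    entries: List[Entry] = []
    for line in config_lines:
        tokens = line.split()
        if tokens[:2] != ["ip", "prefix-list"] or tokens[2] != name:
            continue
        if tokens[3] != "seq" or tokens[5] not in ("permit", "deny"):
            raise ValueError(f"unsupported prefix-list syntax: {line!r}")
        net = ipaddress.ip_network(tokens[6], strict=False)
        opts = dict(zip(tokens[7::2], map(int, tokens[8::2])))
        # IOS semantics: no ge/le -> exact length only; 'ge X' alone implies 'le 32'.
        ge = opts.get("ge", net.prefixlen)
        le = opts.get("le", 32 if "ge" in opts else net.prefixlen)
        if not net.prefixlen <= ge <= le <= 32:
            raise ValueError(f"invalid ge/le range in {line!r}")
        entries.append((int(tokens[4]), tokens[5], net, ge, le))
    return sorted(entries, key=lambda e: e[0])


def match(entries: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """First matching sequence wins; an unmatched route falls to the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for seq, action, net, ge, le in entries:
        # The route's first net.prefixlen bits must equal the entry prefix ...
        same_block = ipaddress.ip_network(f"{r.network_address}/{net.prefixlen}", strict=False) == net
        # ... and the route's own length must lie within [ge, le].
        if same_block and ge <= r.prefixlen <= le:
            return action, seq
    return "deny", None


def permitted(entries: List[Entry], routes: List[str]) -> List[str]:
    """Return the routes the prefix list lets through, preserving input order."""
    return [rt for rt in routes if match(entries, rt)[0] == "permit"]
```

With option B, only the exact 172.16.0.0/16 route is denied and everything else (including the more specific 172.16.1.0/24) is permitted. With option C, `permit 0.0.0.0/0 ge 32` matches host routes only, so every non-/32 route is silently dropped by the implicit deny, which is far more than the engineer intended.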

17
Q

Question 34
Which two features does the Cisco SD-Access architecture add to a traditional campus network? (Choose two)

A. private VLANs

B. software-defined segmentation

C. SD-WAN

D. identity services

E. modular QoS

A

Answer:B D

Explanation

SD-Access uses logical blocks called fabrics which leverage virtual network overlays that are driven through programmability and automation to create mobility, segmentation, and visibility. Network virtualization becomes easy to deploy through software-defined segmentation and policy for wired and wireless campus networks.
Reference:https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/SD-Access-Distributed-Campus-Deployment-Guide-2019JUL.html

18
Q

Question 35
Which feature is used to propagate ARP broadcast, and link-local frames across a Cisco SD-Access fabric to address connectivity needs for silent hosts that require reception of traffic to start communicating?

A. Native Fabric Multicast

B. Layer 2 Flooding

C. SOA Transit

D. Multisite Fabric

A

Answer:B

Explanation

Cisco SD-Access fabric provides many optimizations to improve unicast traffic flow, and to reduce the unnecessary flooding of data such as broadcasts. But, for some traffic and applications, it may be desirable to enable broadcast forwarding within the fabric.
By default, this is disabled in the Cisco SD-Access architecture. If broadcast, link-local multicast, and ARP flooding are required, they must be specifically enabled on a per-subnet basis using the Layer 2 flooding feature.
Layer 2 flooding can be used to forward broadcasts for certain traffic and application types which may require leveraging of Layer 2 connectivity, such as silent hosts, card readers, door locks, etc.

19
Q

Question 36
An engineer must configure a new loopback interface on a router and advertise the interface as a /24 in OSPF. Which command set accomplishes this task?

A. R2(config)#interface Loopback0
R2(config-if)#ip address 172.22.2.1 255.255.255.0
R2(config-if)#ip ospf 100 area 0

B. R2(config)#interface Loopback0
R2(config-if)#ip address 172.22.2.1 255.255.255.0
R2(config-if)#ip ospf network broadcast
R2(config-if)#ip ospf 100 area 0

C. R2(config)#interface Loopback0
R2(config-if)#ip address 172.22.2.1 255.255.255.0
R2(config-if)#ip ospf network point-to-multipoint
R2(config-if)#router ospf 100
R2(config-router)#network 172.22.2.0 0.0.0.255 area 0

D. R2(config)#interface Loopback0
R2(config-if)#ip address 172.22.2.1 255.255.255.0
R2(config-if)#ip ospf network point-to-point
R2(config-if)#ip ospf 100 area 0

A

Answer:D

Explanation

Although the configured loopback address is 172.22.2.1/24, OSPF by default treats a loopback as the "loopback" network type and advertises it as a host route, 172.22.2.1/32 (the most specific route to that loopback). To override this, change the network type to point-to-point; OSPF then advertises the loopback as 172.22.2.0/24.

20
Q

Question 37
What is one characteristic of the Cisco SD-Access control plane?

A. It stores remote routes in a centralized database server

B. Each router processes every possible destination and route

C. It allows host mobility only in the wireless network

D. It is based on VXLAN technology

A

Answer:A

Explanation
Control plane: based on the Locator/ID Separation Protocol (LISP). LISP simplifies routing by removing endpoint (destination) information from the routing tables of the fabric devices and moving it to a centralized mapping system hosted on the control plane node.

21
Q

Question 39
Refer to the exhibit.

restconf
!
ip http server
ip http authentication local
ip http secure-server
!

Which command must be configured for RESTCONF to operate on port 8888?

A. ip http port 8888

B. restconf port 8888

C. ip http restconf port 8888

D. restconf http port 8888

A

Answer:A

22
Q

Question 40
If the maximum power level assignment for global TPC 802.11a/n/ac is configured to 10 dBm, which power level effectively doubles the transmit power?

A. 13dBm

B. 14dBm

C. 17dBm

D. 20dBm

A

Answer:A

Explanation
A gain of +3 dB doubles the power. With base power P, 10·log10(P/P) = 10·log10(1) = 0 dB, and 10·log10(2P/P) = 10·log10(2) ≈ 3 dB. Starting from 10 dBm, 13 dBm is therefore twice the transmit power (20 dBm would be ten times).

23
Q

Question 41
Which benefit is realized by implementing SSO?

A. IP first-hop redundancy

B. communication between different nodes for cluster setup

C. physical link redundancy

D. minimal network downtime following an RP switchover

A

Answer:D

24
Q

Question 42
What is a characteristic of a type 2 hypervisor?

A. ideal for client/end-user system

B. complicated deployment

C. ideal for data center

D. referred to as bare-metal

A

Answer:A

Explanation
There are two types of hypervisors: type 1 and type 2.
With a type 1 (native, or bare-metal) hypervisor, the hypervisor is installed directly on the physical server and the operating system instances are installed on top of it. A type 1 hypervisor has direct access to the hardware resources and is therefore more efficient than a hosted architecture. Examples of type 1 hypervisors are VMware vSphere/ESXi, Oracle VM Server, KVM and Microsoft Hyper-V.
In contrast, a type 2 (hosted) hypervisor runs on top of a host operating system rather than directly on the hardware. It is simple to install on an existing client or end-user machine, and no separate management console software is required. Examples of type 2 hypervisors are VMware Workstation (which runs on Windows, Mac and Linux) and Microsoft Virtual PC (Windows only).

25
Q

Question 44
Refer to the exhibit.

An engineer must allow R1 to advertise the 192.168.1.0/24 network to R2. R1 must perform this action without sending OSPF packets to SW1. Which command set should be applied?

A. R1(config)#router ospf 1
R1(config-router)#no passive-interface gig0/0

B. R1(config)#interface gig0/0
R1(config-if)#ip ospf hello-interval 0

C. R1(config)#router ospf 1
R1(config-router)#passive-interface gig0/0

D. R1(config)#interface gig0/0
R1(config-if)#ip ospf hello-interval 65535

A

Answer:C

26
Q

Question 45
What is an OVF?

A. a package of files that is used to describe a virtual machine or virtual appliance

B. an alternative form of an ISO that is used to install the base operating system of a virtual machine

C. the third step in a P2V migration

D. a package that is similar to an IMG and that contains an OVA file used to build a virtual machine

A

Answer:A

Explanation
Open Virtualization Format (OVF) is an open standard, published by the DMTF, for packaging and distributing software applications to be run in virtual machines (VMs). An OVF package contains multiple files in a single directory (a descriptor, disk images, manifest and optional certificate); an OVA is the same package archived as a single TAR file.

27
Q

Question 46

How do stratum levels relate to the distance from a time source?

A. Stratum 1 devices are connected directly to an authoritative time source

B. Stratum 15 devices are an authoritative time source

C. Stratum 0 devices are connected directly to an authoritative time source

D. Stratum 15 devices are connected directly to an authoritative time source

A

Answer:A

Explanation
NTP uses the concept of a stratum to describe how many NTP server hops away a machine is from an authoritative time source, usually a reference clock. A reference clock (for example a GPS receiver or an atomic clock) is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 devices are not queried over the network; they are directly connected to computers that then operate as stratum 1 servers. A stratum 1 time server acts as a primary network time standard; stratum 16 marks a clock that is unsynchronized.

28
Q

Question 47
What is one main REST security design principle?

A. confidential algorithms

B. separation of privilege

C. OAuth

D. password hashing

A

Answer:B

Explanation

REST Security Design Principles
…
Separation of Privilege: Granting permissions to an entity should not be purely based on a single condition, a combination of conditions based on the type of resource is a better idea.
Reference:https://restfulapi.net/security-essentials/

29
Q

Question 48
Refer to the exhibit.
DELETE https://192.168.43.103/restconf/data/ietf-interfaces:interfaces/interface=Loopback100
What does the response “204 No Content” mean for the REST API request?

A. Interface loopback 100 is removed from the configuration.

B. Interface loopback 100 is not removed from the configuration.

C. The DELETE method is not supported.

D. Interface loopback 100 is not found in the configuration.

A

Answer:A

Explanation
The 204 status code means that the request was received and understood, but that there is no need to send any data back. The server has fulfilled the request but does not need to return an entity-body, and might want to return updated meta information.
Note: HTTP status code of 2xx means “Success”, which indicates that the client’s request was accepted successfully.

30
Q

Question 49
Which LISP component decapsulates messages and forwards them to the map server responsible for the egress tunnel routers?

A. Map Resolver

B. Router Locator

C. Proxy ETR

D. Ingress Tunnel Router

A

Answer:A

Explanation
The function of the LISP Map Resolver (MR) is to accept encapsulated Map-Request messages from ingress tunnel routers (ITRs), decapsulate those messages, and then forward the messages to the MS responsible for the egress tunnel routers (ETRs) that are authoritative for the requested EIDs.
Reference:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/15-mt/irl-15-mt-book/irl-overview.pdf
In the example below, R3 works as a Map-Resolver (MR) to receive and process the EID-to-RLOC mapping lookup queries and provide the mappings to the requester.

MS and MR functions are often included in a single device, which is referred to as an MS/MR device. If MS and MR are two separate devices, the MR is responsible for forwarding the Map-Request messages to the correct MS.

31
Q

Question 50
Which character formatting is required for DHCP Option 43 to function with current AP models?

A. MD5

B. ASCII

C. Hex

D. Base64

A

Answer:C
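What the hex value actually contains, as an added Python example (not part of the original flashcard): the TLV that Cisco lightweight APs expect in DHCP option 43 is sub-option 241 (0xf1), a one-byte length that is 4 times the number of controllers, then each WLC management IPv4 address as four raw bytes. The controller addresses below are constructed for the demonstration; the encoder produces the string used on an IOS DHCP pool as `option 43 hex <value>`, and the decoder walks the TLVs the other way so a captured offer can be checked.

```python
import ipaddress
from typing import List

# Cisco lightweight APs look for sub-option 241 (0xf1) carrying WLC management IPv4 addresses.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers: List[str]) -> str:
    """Return the value for 'option 43 hex <value>': f1, length, then the controller IPs."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("sub-option value exceeds the one-byte length field")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]).hex() + payload.hex()


def decode_option43(hex_value: str) -> List[str]:
    """Walk the TLVs of an option 43 value and return the WLC addresses it advertises."""
    data = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    addrs: List[str] = []
    i = 0
    while i < len(data):
        tag = data[i]
        if tag == 0xFF:      # end-of-options marker, when a server includes one
            break
        if tag == 0x00:      # pad byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        if tag == CISCO_WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("WLC sub-option length must be a non-zero multiple of 4")
            addrs.extend(str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4))
        i += 2 + length
    return addrs
```

For a single controller at 192.168.10.5 the pool line is `option 43 hex f104c0a80a05`; a second controller simply extends the length byte to 08 and appends four more bytes. Because the AP parses this as binary TLVs, an ASCII string such as "192.168.10.5" in the same option is not recognised.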

32
Q

Question 51
Where are operations related to software images located in the Cisco DNA Center GUI?

A. Provisioning

B. Services

C. Design

D. Assurance

A

Answer:C

Explanation
Cisco DNA Center stores all of the software images, software maintenance updates (SMUs), subpackages, ROMMON images, and so on for the devices in your network. Image Repository provides the following functions:
Image Repository: Cisco DNA Center stores all the unique software images according to image type and version.You can view, import, and delete software images.
In the Cisco DNA Center GUI, click the Menu icon () and chooseDesign> Image Repository.
Reference:https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_0100.html

33
Q

Question 52
Which benefit is provided by the Cisco DNA Center telemetry feature?

A. aids in the deployment network configurations

B. inventories network devices

C. improves the user experience

D. provides improved network security

A

Answer:B

Explanation
The categories of data collected in the product usage telemetry are the Cisco.com ID, system telemetry, feature usage telemetry and network device (for example, switch or router) inventory, and license entitlement.
Reference:https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-data-sheet-cte-en.html#Productusagetelemetry

34
Q

Question 53
What is one requirement when mobility tunnels are used between WLCs?

A. There must not be a firewall between the WLCs.

B. The WLCs must use the same DHCP server.

C. WLC IP ranges must be on the same subnet.

D. Mobility tunnels must be created over Layer 3 networks.

A

Answer:D

35
Q

Question 54
Which two Cisco SD-WAN components exchange OMP information? (Choose two)

A. WAN Edge

B. vsmart

C. vBond

D. vAnalytics

E. vManage

A

Answer:A B

36
Q

Question 55
Which two prerequisites must be met before Cisco DNA Center can provision a device? (Choose two)

A. Cisco DNA Center must have the software image for the provisioned device in its image repository.

B. The provisioned device must be put into bootloader mode.

C. The provisioned device must be configured with CLI and SNMP credentials that are known to Cisco DNA Center.

D. Cisco DNA Center must have IP connectivity to the provisioned device.

E. The provisioned device must recognize Cisco DNA Center as its LLDP neighbor.

A

Answer:C D

Explanation
Before using Plug and Play provisioning, do the following:
…
Ensure that Cisco network devices to be provisioned have a supported software release and are in a factory default state -> Answer A is not correct: Cisco DNA Center does not need to hold the device's software image in its repository; the device only needs to run a supported release.
Planned Provisioning
…
Define the device credentials (CLI and SNMP) for the devices you are deploying -> Answer C is correct.
Reference:https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_01101.html
Cisco DNA Center must also have IP connectivity to the provisioned device in order to manage it -> Answer D is correct.

37
Q

Question 56
What are two benefits of implementing a traditional WAN instead of an SD-WAN solution? (Choose two)

A. simplified troubleshooting

B. comprehensive configuration standardization

C. faster fault detection

D. lower control plane abstraction

E. lower data plane overhead

A

Answer:D E

38
Q

Question 60
What is the recommended minimum SNR for data applications on wireless networks?

A. 10

B. 25

C. 15

D. 20

A

Answer:D

Explanation
Generally, a signal with an SNR value of 20 dB or more is recommended for data networks where as an SNR value of 25 dB or more is recommended for networks that use voice applications.

39
Q

Question 61
What does the destination MAC on the outer MAC header identify in a VXLAN packet?

A. the next hop

B. the remote spine

C. the remote switch

D. the leaf switch

A

Answer:A
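To see which header carries which identity, here is an added Python example (not from the original flashcards) that builds a VXLAN-encapsulated frame the way a VTEP would and parses it back. All MAC addresses, VTEP IPs and the VNI are constructed for the demonstration. The outer destination MAC is only the next hop toward the remote VTEP and is rewritten at every Layer 3 hop; the outer IP addresses identify the VTEPs, the VNI identifies the segment, and the inner Ethernet header identifies the real end hosts.

```python
import ipaddress
import struct
from typing import Any, Dict

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08  # "I" bit: the VNI field is valid


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_vxlan_frame(next_hop_mac: str, local_mac: str, src_vtep: str, dst_vtep: str,
                      vni: int, inner_frame: bytes, src_port: int = 49152) -> bytes:
    """Encapsulate an Ethernet frame as a VTEP does (IPv4 outer header, UDP checksum 0)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)   # flags, 3 reserved, VNI<<8
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                         ipaddress.IPv4Address(src_vtep).packed,
                         ipaddress.IPv4Address(dst_vtep).packed)
    outer_eth = _mac_bytes(next_hop_mac) + _mac_bytes(local_mac) + b"\x08\x00"
    return outer_eth + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def parse_vxlan_frame(frame: bytes) -> Dict[str, Any]:
    """Decode outer Ethernet/IPv4/UDP/VXLAN headers and the inner Ethernet header."""
    if len(frame) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("frame too short for a VXLAN-encapsulated Ethernet frame")
    o_dst, o_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("outer EtherType is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    o_sip, o_dip = frame[14 + 12:14 + 16], frame[14 + 16:14 + 20]
    udp = 14 + ihl
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", frame[udp:udp + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    vx = udp + 8
    flags, vni_field = struct.unpack("!B3xI", frame[vx:vx + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    inner = vx + 8
    i_dst, i_src, i_type = struct.unpack("!6s6sH", frame[inner:inner + 14])
    return {
        "outer_dst_mac": _mac_str(o_dst),      # next hop toward the remote VTEP
        "outer_src_mac": _mac_str(o_src),
        "outer_src_ip": str(ipaddress.IPv4Address(o_sip)),   # local VTEP
        "outer_dst_ip": str(ipaddress.IPv4Address(o_dip)),   # remote VTEP
        "udp_src_port": sport,                 # usually a hash of the inner flow
        "vni": vni_field >> 8,
        "inner_dst_mac": _mac_str(i_dst),      # the real end host
        "inner_src_mac": _mac_str(i_src),
        "inner_ethertype": i_type,
        "payload": frame[inner + 14:],
    }


# Constructed sample: a host frame carried between two VTEPs through a first-hop router.
INNER = (_mac_bytes("00:50:56:aa:bb:cc") + _mac_bytes("00:50:56:11:22:33")
         + b"\x08\x00" + b"inner-ip-packet")
SAMPLE = build_vxlan_frame("00:1c:73:00:00:01", "00:1c:73:00:00:02",
                           "10.0.0.1", "10.0.0.2", 10001, INNER)
```

Nothing in the VXLAN header authenticates the VNI or the inner frame; any host that can reach UDP/4789 on a VTEP can inject frames into a segment unless the underlay filters that port, which is why the transport network between VTEPs must be treated as trusted or wrapped in IPsec.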

40
Q

Question 62
What is one method for achieving REST API security?

A. using HTTPS and TLS encryption

B. using a MD5 hash to verify the integrity

C. using built-in protocols known as Web Services Security

D. using a combination of XML encryption and XML signatures

A

Answer:A

41
Q

Question 63
Which action occurs during a Layer 3 roam?

A. Client receives a new ip address after getting authenticated

B. The client is marked as “Foreign” on the original controller

C. Client database entry is moved from the old controller to the new controller

D. Client traffic is tunneled back to the original controller after a Layer 3 roam occurs

A

Answer:D

Explanation

When a client roams between APs that are joined to different WLCs and the WLAN is mapped to a different subnet on each WLC, a Layer 3 roam is performed, and the mobility databases of the new WLC (foreign WLC) and the old WLC (anchor WLC) are updated.
In that case, return traffic to the client still goes through its originating anchor WLC. The anchor WLC uses Ethernet over IP (EoIP) to forward the client traffic to the foreign WLC, where the client has roamed. Traffic from the roaming client is forwarded out the foreign WLC interface on which it resides; it is not tunneled back (-> Answer D is not correct). This contradicts what the Official Cert Guide says:
"A Layer 3 intercontroller roam consists of an extra tunnel that is built between the client's original controller and the controller it has roamed to. The tunnel carries data to and from the client as if it is still associated with the original controller and IP subnet."
The Cisco excerpt describes asymmetric mobility tunneling; with symmetric mobility tunneling, the default on later WLC releases, client traffic in both directions is carried through the anchor, which is the behaviour answer D describes.

42
Q

Question 64
What is a characteristic of the overlay network in the Cisco SD-Access architecture?

A. It uses a traditional routed access design to provide performance and high availability to the network

B. It provides multicast support to enable Layer 2 flooding capability in the Underlay

C. It consists of a group of physical routers and switches that are used to maintain the network

D. It provides isolation among the virtual networks and independence from the physical network

A

Answer:D

43
Q

Question 65
What is one characteristic of Cisco DNA Center and vManage northbound APIs?

A. They push configuration changes down to devices.

B. They implement the RESTCONF protocol.

C. They exchange XML-formatted content.

D. They implement the NETCONF protocol.

A

Answer:C

Explanation

Answers A, B and D are not correct: pushing configuration to devices and speaking RESTCONF or NETCONF are characteristics of the southbound APIs, not the northbound ones.

Answer C is the best choice: both Cisco DNA Center and vManage expose REST northbound APIs, which carry XML- or JSON-formatted content between the client and the server.

44
Q

Question 66
A company requires a wireless solution to support its main office and multiple branch locations. All sites have local Internet connections and a link to the main office for corporate connectivity. The branch offices are managed centrally. Which solution should the company choose?

A. Cisco DNA Spaces

B. Cisco Mobility Express

C. Cisco Unified Wireless Network

D. Cisco Catalyst switch with embedded controller

A

Answer:C

45
Q

Question 67
A system must validate access rights to all its resources and must not rely on a cached permission matrix. If the access level to a given resource is revoked but is not reflected in the permission matrix, the security is violated. Which term refers to this REST security design principle?

A. least common mechanism

B. separation of privilege

C. Economy mechanism

D. Complete mediation

A

Answer:D

Explanation

The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed.
Whenever a subject attempts to read an object, the operating system should mediate the action. First, it determines if the subject is allowed to read the object. If so, it provides the resources for the read to occur. If the subject tries to read the object again, the system should check that the subject is still allowed to read the object. Most systems would not make the second check. They would cache the results of the first check and base the second access on the cached results.
Reference:https://www.informit.com/articles/article.aspx?p=30487&seqNum=2
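The difference the explanation describes, shown in code. This is an added example, not part of the flashcard set: the authority store, the three checkers and the subject/resource names are assumptions made for illustration. The cached checker reproduces the violation in the question (a revocation that never reaches the permission matrix), the mediating checker consults the authority on every access, and the third keeps a cache only as long as every revocation is guaranteed to invalidate it.

```python
# Added example (not from the flashcard set): complete mediation versus a
# cached permission matrix. Subjects, actions and resource names are assumed.


class AuthorityStore:
    """The authoritative access-control state. Revocation happens here."""

    def __init__(self):
        self._grants = set()      # (subject, action, resource)
        self._listeners = []      # callbacks notified on revoke

    def subscribe(self, callback):
        self._listeners.append(callback)

    def grant(self, subject, action, resource):
        self._grants.add((subject, action, resource))

    def revoke(self, subject, action, resource):
        key = (subject, action, resource)
        self._grants.discard(key)
        for notify in self._listeners:
            notify(key)

    def is_allowed(self, subject, action, resource):
        return (subject, action, resource) in self._grants


class CachedChecker:
    """Violates complete mediation: the first decision is memoised, so a
    revocation made afterwards in the authority store is never seen."""

    def __init__(self, store):
        self._store = store
        self._cache = {}

    def check(self, subject, action, resource):
        key = (subject, action, resource)
        if key not in self._cache:
            self._cache[key] = self._store.is_allowed(*key)
        return self._cache[key]


class MediatingChecker:
    """Complete mediation: every access is decided against the authority."""

    def __init__(self, store):
        self._store = store

    def check(self, subject, action, resource):
        return self._store.is_allowed(subject, action, resource)


class InvalidatingChecker:
    """Keeps a cache for speed but drops an entry the moment the store
    revokes it. Only as good as the revocation notifications: one missed
    event reopens exactly the hole CachedChecker has."""

    def __init__(self, store):
        self._store = store
        self._cache = {}
        store.subscribe(lambda key: self._cache.pop(key, None))

    def check(self, subject, action, resource):
        key = (subject, action, resource)
        if key not in self._cache:
            self._cache[key] = self._store.is_allowed(*key)
        return self._cache[key]


def revocation_scenario():
    """Grant alice read access, check once, revoke, check again.
    Returns each checker's decision before and after the revocation."""
    store = AuthorityStore()
    checkers = {
        "cached": CachedChecker(store),
        "mediating": MediatingChecker(store),
        "invalidating": InvalidatingChecker(store),
    }
    access = ("alice", "GET", "/api/reports/42")   # assumed subject/resource
    store.grant(*access)
    before = {name: c.check(*access) for name, c in checkers.items()}
    store.revoke(*access)
    after = {name: c.check(*access) for name, c in checkers.items()}
    return before, after


if __name__ == "__main__":
    before, after = revocation_scenario()
    for name in before:
        print(f"{name:12s} before revoke: {before[name]!s:5}  after revoke: {after[name]}")
```

Run stand-alone it prints one line per checker; only the cached one still answers True after the revocation. Whether the invalidating variant is acceptable depends on the deployment: if revocations can be lost (a down message bus, a replica that lags), the cache has to be treated as advisory and backed by a short TTL, otherwise the principle is being violated with extra steps.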

46
Q

Question 69

Which configuration enables a Cisco router to send information to a TACACS+ server for individual EXEC commands associated with privilege level 15?

A. Router(config)# aaa accounting exec default start-stop group tacacs+

B. Router(config)# aaa authorization exec default group tacacs+

C. Router(config)# aaa accounting commands 15 default start-stop group tacacs+

D. Router(config)# aaa authorization commands 15 default group tacacs+

A

Answer:C

Explanation

Authorization – Provides fine-grained control over user capabilities for the duration of the user’s session, including but not limited to setting autocommands, access control, session duration, or protocol support. You can also enforce restrictions on what commands a user may execute with the TACACS+ authorization feature.
Accounting – Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. Accounting records include user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
The question asks for information about individual EXEC commands, so the accounting type must be "commands 15", which records each privilege-15 command as it is issued; "accounting exec" (answer A) only records the start and stop of the EXEC session itself, and the "authorization" forms (B and D) decide whether a command may run rather than reporting that it did.
Reference:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-16/sec-usr-tacacs-xe-16-book/sec-cfg-tacacs.html

47
Q

Question 70
An engineer must configure the wireless endpoints to authenticate using Active Directory credentials in an encrypted tunnel in addition to using a hashed password. Which action is required?

A. Configure PEAP with GTC

B. Configure EAP-TLS with MSCHAP v2

C. Configure PEAP with MSCHAP v2

D. Configure EAP-TLS with GTC

A

Answer:C

Explanation

EAP-Transport Layer Security (EAP-TLS) requires an exchange of proof of identities through public key cryptography (such as digital certificates). EAP-TLS secures this exchange with an encrypted TLS tunnel, which helps to resist dictionary or other attacks.
EAP-PEAP is a protocol that creates an encrypted (and more secure) channel before the password-based authentication occurs. The PEAP authentication creates an encrypted SSL/TLS tunnel between client and authentication server.
-> Therefore both PEAP and EAP-TLS create an encrypted tunnel, so both satisfy that part of the requirement.
Generic Token Card (GTC) enables the exchange of clear-text authentication credentials across the network -> Answers with “GTC” are not correct.
Reference:https://www.arubanetworks.com/techdocs/ClearPass/6.9/PolicyManager/Content/CPPM_UserGuide/Auth/AuthMethod_eap-gtc.htm
If you use EAP-MSCHAPv2, your clients don’t need to have a certificate, but your authentication server (NPS) has a certificate. Passwords from the clients are sent to the authentication server as hashes (the MSCHAPv2 challenge/response), which is what the question means by a hashed password.
You can use PEAP-EAP-MSCHAPv2, which uses a certificate on the authentication server (NPS) and a password for clients (-> therefore answer C is correct). You can use PEAP-EAP-TLS, which uses a certificate on the authentication server and a certificate on the client.
Caveat: the protection PEAP gives the MSCHAPv2 exchange depends entirely on the supplicant validating the server certificate and its issuing CA before completing the outer TLS handshake. A client configured to accept any server certificate will hand its MSCHAPv2 challenge/response to a rogue access point, and MSCHAPv2 on its own is weak enough for that exchange to be cracked offline.
Reference:https://social.technet.microsoft.com/Forums/Lync/en-US/7962d24d-7aa2-4413-97da-4f03793f2405/very-confused-on-authenciation-concepts-eap-peap-eapmschapv2-?forum=winserversecurity

48
Q

Question 78
An engineer must design a wireless network to primarily support 5-GHz clients. The clients do not support the UNII-2c portion of the 5-GHz band. Due to application bandwidth requirements, the engineer uses 40-MHz channels. Which design consideration must be made in this scenario?

A. There are 12 overlapping channels available.

B. There are four non overlapping channel available.

C. There are 25 overlapping channels available.

D. There are six non-overlapping channels available.

A

Answer:B

Explanation

5 GHz offers significantly more bandwidth than 2.4 GHz. All of the 5 GHz channels support at least a 20 MHz channel width without overlap.
When using 5 GHz, it is recommended to use at least a 40 MHz channel width, as some client devices may not prefer 5 GHz unless it offers a greater channel width than 2.4 GHz.
With a 40 MHz channel width, two adjacent 20 MHz channels are bonded. Outside the UNII-2c range (channels 100 – 144) the bonded pairs are:
36 – 40
44 – 48
149 – 153
157 – 161
Note: counting UNII-2 (52 – 56 and 60 – 64) there are six non-overlapping 40 MHz channels, but those two pairs sit in DFS spectrum and must vacate the channel when radar is detected, which leaves the four above that can be relied on (channel 165 has no partner to bond with).
“However, due to the coexistence of both radar and Wi-Fi networks in the same area of spectrum, the Wi-Fi standard (IEEE 802.11) was designed to incorporate a spectrum sharing mechanism on 5GHz to ensure that Wi-Fi networks do not operate on frequencies (hence causing interference) that are used by nearby radar stations. This mechanism is known as Dynamic Frequency Selection (DFS) and is designed to mitigate interference to 5GHz radar by WLANs.”

49
Q

Question 80
What is a characteristic of a Type 1 hypervisor?

A. It is installed on an operating system and supports other operating systems above it.

B. It is completely independent of the operating system.

C. Problems in the base operating system can affect the entire system.

D. It is referred to as a hosted hypervisor.

A

Answer:B

50
Q

Question 87
What is a characteristics of a vSwitch?

A. enables VMs to communicate with each other within a virtualized server

B. supports advanced Layer 3 routing protocols that are not offered by a hardware switch

C. has higher performance than a hardware switch

D. operates as a hub and broadcasts the traffic toward all the vPorts

A

Answer:A

Explanation

Hypervisors provide a virtual switch (vSwitch) that Virtual Machines (VMs) use to communicate with other VMs on the same host. The vSwitch may also be connected to the host’s physical NIC to allow VMs to get layer 2 access to the outside world.
Each VM is provided with a virtual NIC (vNIC) that is connected to the virtual switch. Multiple vNICs can connect to a single vSwitch, allowing VMs on a physical host to communicate with one another at layer 2 without having to go out to a physical switch.

Although a vSwitch does not run Spanning Tree Protocol, it implements other loop-prevention mechanisms. For example, a frame that enters from one vmnic is never forwarded out of the physical host through a different vmnic.

51
Q

Question 88
Refer to the exhibit.

event manager applet config-alert
event cli pattern “conf t.*” sync yes

A network engineer must be notified when a user switches to configuration mode. Which script should be applied to receive an SNMP trap and a critical-level log message?

A. action 1.0 snmp-trap strdata “Configuration change alarm”
action 2.0 syslog msg “Configuration change alarm”

B. action 1.0 snmp-trap strdata “Configuration change critical alarm”

C. action 1.0 snmp-trap strdata “Configuration change alarm”
action 1.0 syslog priority critical msg “Configuration change alarm”

D. action 1.0 snmp-trap strdata “Configuration change alarm”
action 1.1 syslog priority critical msg “Configuration change alarm”

A

Answer:D

Explanation

We need a critical-level log message, so the syslog action must include “priority critical” (without it, answer A logs the message at the default, lower severity). Each action in an applet also needs its own unique label, which is why the two actions are numbered 1.0 and 1.1; answer C uses the label 1.0 for both, so only one action with that label can exist. Answer B sends only the SNMP trap.
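Once the applet is in place, the alert it raises has to be caught somewhere. The following is an added example, not part of the flashcard set: detection logic run over the kind of syslog lines the applet above produces (an EEM syslog action is logged under the HA_EM facility) together with the built-in %SYS-5-CONFIG_I message IOS logs whenever configuration mode is entered. The log lines and the trusted-source list are constructed for the example.

```python
# Added example (not from the flashcard set): parse IOS-style syslog lines and
# raise alerts for critical messages and for every configuration-mode entry.
# SAMPLE_LOG and TRUSTED_SOURCES are constructed for this example.
import re

SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# e.g. "Configured from console by admin on vty0 (192.0.2.10)"
CONFIG_I_RE = re.compile(
    r"by (?P<user>\S+)(?: on (?P<line>\S+))?(?: \((?P<source>[^)]+)\))?"
)

SAMPLE_LOG = """\
Mar  1 10:15:02.113: %HA_EM-2-LOG: config-alert: Configuration change alarm
Mar  1 10:15:02.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Mar  1 10:16:40.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Mar  1 10:17:00.500: %SYS-5-CONFIG_I: Configured from console by console
Mar  1 10:18:11.042: %SYS-5-CONFIG_I: Configured from console by svc_backup on vty1 (198.51.100.7)
"""

TRUSTED_SOURCES = {"192.0.2.10"}   # assumed jump-host address


def parse_syslog(line):
    """Return facility/severity/mnemonic/text for an IOS-style line, else None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def detect_config_changes(log_text, trusted_sources=TRUSTED_SOURCES):
    """Flag critical-or-worse messages and every configuration-mode entry.

    A CONFIG_I entry is marked trusted only when it carries a source address
    that is on the allow-list; local console sessions carry no address and
    are therefore flagged for review."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_syslog(line)
        if rec is None:
            continue
        if rec["severity"] <= 2:        # emergency (0), alert (1), critical (2)
            alerts.append({"reason": "critical-severity",
                           "severity": rec["severity"],
                           "mnemonic": rec["mnemonic"], "text": rec["text"]})
        if rec["mnemonic"] == "CONFIG_I":
            who = CONFIG_I_RE.search(rec["text"])
            user = who.group("user") if who else None
            line_name = who.group("line") if who else None
            source = who.group("source") if who else None
            alerts.append({"reason": "config-mode-entry",
                           "severity": rec["severity"],
                           "user": user, "line": line_name, "source": source,
                           "trusted": source is not None and source in trusted_sources})
    return alerts


if __name__ == "__main__":
    for alert in detect_config_changes(SAMPLE_LOG):
        print(alert)
```

The severity threshold is what makes the "priority critical" in the answer matter: a collector keyed on severity 2 or lower sees the applet's message, while the informational default would be buried with routine link-state noise. Pairing it with CONFIG_I gives the user and source address the EEM message does not carry.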

52
Q

Question 92
Which component transports data plane traffic across a Cisco SD-WAN network?

A. vSmart

B. vManage

C. cEdge

D. vBond

A

Answer:C

53
Q

Question 93
Which type of tunnel is required between two WLCs to enable intercontroller roaming?

A. mobility

B. LWAPP

C. iPsec

D. CAPWAP

A

Answer:A

Explanation

There are two types of intercontroller roaming: intercontroller Layer 2 roaming and intercontroller Layer 3 roaming. The first does not require a tunnel between the two WLCs; the second requires a mobility tunnel between the anchor and foreign controllers.

54
Q

Question 95
Refer to the exhibit.

ip sla 100
udp-echo 10.10.10.15 6336
frequency 30

An engineer has configured an IP SLA for UDP echoes. Which command is needed to start the IP SLA to test every 30 seconds and continue until stopped?

A. ip sla schedule 100 life forever

B. ip sla schedule 30 start-time now life forever

C. ip sla schedule 100 start-time now life 30

D. ip sla schedule 100 start-time now life forever

A

Answer:D

55
Q

Question 96
Which two characteristics apply to the endpoint security aspect of the Cisco Threat Defense architecture? (Choose two)

A. outbound URL analysis and data transfer controls

B. detect and block ransomware in email attachments

C. cloud-based analysis of threats

D. blocking of fileless malware in real time

E. user context analysis

A

Answer:A D

Explanation

The goal of the Cyber Threat Defense solution is to introduce a design and architecture that can help facilitate the discovery, containment, and remediation of threats once they have penetrated into the network interior.
Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its objectives:
..
* Content Security Appliances and Services
– Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS)
– Dynamic threat control for web traffic
– Outbound URL analysis and data transfer controls
– Detection of suspicious web activity
– Cisco Email Security Appliance (ESA)
– Dynamic threat control for email traffic
– Detection of suspicious email activity
* Cisco Identity Services Engine (ISE)
– User and device identity integration with Lancope StealthWatch
– Remediation policy actions using pxGrid
Reference:https://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd2-0/design_guides/ctd_2-0_cvd_guide_jul15.pdf

56
Q

Question 97
What is a characteristics of traffic policing?

A. lacks support for marking or remarking

B. can be applied in both traffic directions

C. must be applied only to outgoing traffic

D. queues out-of-profile packets until the buffer is full

A

Answer:B

Explanation

Policing is used to control the rate of traffic flowing across an interface. When traffic exceeds the maximum configured rate, the excess is generally dropped or remarked. The result of traffic policing is an output rate that appears as a saw-tooth with crests and troughs. Traffic policing can be applied to inbound and outbound interfaces. Unlike traffic shaping, policing avoids delays due to queuing: out-of-profile packets are dropped or remarked immediately rather than buffered. The committed rate (CIR) is configured in bits per second and the burst (Bc) in bytes.
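The saw-tooth and the "no queuing delay" property both fall out of the token-bucket mechanism behind a policer. The following is an added example, not part of the flashcard set: a single-rate two-colour policer next to a shaper built on the same bucket, so the difference (drop now versus wait for tokens) is visible on one packet sequence. The rate, burst and packet arrivals are constructed for the example.

```python
# Added example (not from the flashcard set): token-bucket policer versus
# shaper. Times are integer milliseconds so the arithmetic stays exact.


class Policer:
    """Single-rate, two-colour policer: a bucket of at most bc bytes refilled
    at cir bits per second. A packet either fits the bucket (conform) or is
    declared out of profile on the spot (exceed). Nothing is queued."""

    def __init__(self, cir_bps, bc_bytes):
        self.rate_bytes_per_s = cir_bps / 8
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)      # bucket starts full
        self.last_ms = 0

    def police(self, arrival_ms, size_bytes):
        elapsed_ms = arrival_ms - self.last_ms
        if elapsed_ms < 0:
            raise ValueError("packets must be offered in arrival order")
        self.last_ms = arrival_ms
        self.tokens = min(self.bc, self.tokens + elapsed_ms * self.rate_bytes_per_s / 1000)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"       # drop or remark immediately; bucket is untouched


class Shaper:
    """Same bucket, but an out-of-profile packet waits in a FIFO until enough
    tokens have accrued: the rate is smoothed at the price of delay."""

    def __init__(self, cir_bps, bc_bytes):
        self.rate_bytes_per_s = cir_bps / 8
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)
        self.last_ms = 0            # departure time of the previous packet

    def send(self, arrival_ms, size_bytes):
        """Return the departure time in ms (arrival plus queuing delay)."""
        start_ms = max(arrival_ms, self.last_ms)   # FIFO: wait behind earlier packets
        self.tokens = min(self.bc, self.tokens
                          + (start_ms - self.last_ms) * self.rate_bytes_per_s / 1000)
        wait_ms = 0.0
        if size_bytes > self.tokens:
            wait_ms = (size_bytes - self.tokens) * 1000 / self.rate_bytes_per_s
            self.tokens = float(size_bytes)
        self.tokens -= size_bytes
        self.last_ms = start_ms + wait_ms
        return self.last_ms


# Constructed arrivals: (time_ms, size_bytes). The burst at t=0 and the
# oversized packet at t=2000 are the interesting cases.
SAMPLE_PACKETS = [(0, 1000), (0, 1000), (500, 1000), (600, 100),
                  (600, 1), (2000, 1500), (3000, 1500)]


def run_policer(packets, cir_bps=8000, bc_bytes=1500):
    p = Policer(cir_bps, bc_bytes)
    return [p.police(t, n) for t, n in packets]


def run_shaper(packets, cir_bps=8000, bc_bytes=1500):
    s = Shaper(cir_bps, bc_bytes)
    return [s.send(t, n) for t, n in packets]


if __name__ == "__main__":
    verdicts = run_policer(SAMPLE_PACKETS)
    departures = run_shaper(SAMPLE_PACKETS)
    for (t, n), v, d in zip(SAMPLE_PACKETS, verdicts, departures):
        print(f"t={t:5d}ms size={n:5d}  policer={v:8s} shaper departs at {d:7.0f}ms")
```

With CIR 8000 bit/s (1000 bytes/s) and Bc 1500 bytes, the policer drops three of the seven packets and never holds one; the shaper delivers all seven but the last one leaves 1.6 s after it arrived. That is the trade-off the question is probing: a policer is the right tool when bounding a rate at an untrusted edge matters more than delivering every packet.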

57
Q

Question 98
How does NETCONF YANG represent data structures?

A. in an XML tree format

B. as strict data structures defined by RFC 6020

C. in an HTML format

D. as modules within a tree

A

Answer:A

58
Q

Question 100
Which VXLAN component is used to encapsulate and decapsulate Ethernet frames?

A. VTEP

B. GRE

C. EVPN

D. VNI

A

Answer:A

Explanation

VTEPs sit at the boundary between the overlay and the underlay. They are responsible for encapsulating Ethernet frames into VXLAN packets to send across the IP underlay, and for decapsulating them when the packets leave the VXLAN tunnel.
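The two VTEP operations in code, as an added example that is not part of the flashcard set: the 8-byte VXLAN header (flags, reserved bits, 24-bit VNI) is built and parsed with `struct`, and a minimal VTEP applies the checks a receiver should make before handing a frame to the overlay. The frame contents, VNIs and the VTEP's allow-list are constructed for the example.

```python
# Added example (not from the flashcard set): VXLAN encapsulation and
# decapsulation as performed by a VTEP. Frames and VNIs are constructed.
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08                  # "valid VNI" bit; other flag bits are reserved
VXLAN_HDR = struct.Struct("!B3xI")   # flags, 3 reserved bytes, (VNI << 8) | reserved


def vxlan_encapsulate(frame, vni):
    """Prefix an Ethernet frame with a VXLAN header for the given VNI."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    return VXLAN_HDR.pack(VXLAN_FLAG_I, vni << 8) + frame


def vxlan_decapsulate(payload):
    """Return (vni, inner_frame); reject malformed or flag-less headers."""
    if len(payload) < VXLAN_HDR.size:
        raise ValueError("payload shorter than VXLAN header")
    flags, vni_field = VXLAN_HDR.unpack_from(payload)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    return vni_field >> 8, payload[VXLAN_HDR.size:]


class Vtep:
    """Minimal VTEP: only VNIs provisioned on this VTEP are accepted from the
    underlay. Anything else is dropped and recorded, never forwarded."""

    def __init__(self, local_vnis):
        self.local_vnis = set(local_vnis)
        self.dropped = []

    def send(self, frame, vni):
        if vni not in self.local_vnis:
            raise ValueError(f"VNI {vni} is not configured on this VTEP")
        return vxlan_encapsulate(frame, vni)

    def receive(self, payload):
        try:
            vni, frame = vxlan_decapsulate(payload)
        except ValueError as err:
            self.dropped.append(str(err))
            return None
        if vni not in self.local_vnis:
            self.dropped.append(f"unknown VNI {vni}")
            return None
        return vni, frame


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Assemble a bare Ethernet II frame (no FCS) for the example."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    frame = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        0x0800, bytes.fromhex("45") + bytes(19))   # constructed
    packet = vxlan_encapsulate(frame, 5000)
    print("VXLAN header:", packet[:8].hex())
    print("decapsulated:", vxlan_decapsulate(packet))
```

Because VXLAN itself carries no authentication, the VNI check in `receive` and underlay filtering of UDP/4789 from anything that is not a known VTEP are what stop a host on the underlay from injecting frames into an arbitrary segment.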

59
Q

Question 101
A Cisco DNA Center REST API sends a PUT to the /dna/intent/api/v1/network-device endpoint. A response code of 504 is received. What does the code indicate?

A. The response timed out based on a configured interval

B. The user does not have authorization to access this endpoint

C. The username and password are not correct

D. The web server is not available

A

Answer:A

Explanation
A 504 (Gateway Timeout) is returned when the server is acting as a gateway or proxy and does not receive a timely response from the upstream service it needed to reach. The other options map to different codes: 401 for credentials that are not accepted, 403 for an authenticated user without authorization for the endpoint, and 503 for a server that is unavailable.
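How a client should react to those codes, as an added example that is not part of the flashcard set and not DNA Center's own SDK (this also illustrates the REST northbound API from the first card above). The endpoint paths are the ones quoted in the question; the `Response` type and the scripted transport are assumptions so the example runs offline. A 504 is retried with backoff, but only for idempotent methods, while 401 and 403 are not retried at all because repeating the same request cannot fix them.

```python
# Added example (not from the flashcard set): classify DNA Center REST status
# codes and retry only the ones a retry can fix. Offline: the transport is a
# scripted list of statuses rather than a real HTTP call.
import time
from dataclasses import dataclass

TOKEN_PATH = "/dna/system/api/v1/auth/token"      # DNA Center token endpoint
DEVICE_PATH = "/dna/intent/api/v1/network-device" # endpoint from the question

RETRYABLE = {502, 503, 504}               # gateway/upstream trouble, may clear
IDEMPOTENT = {"GET", "HEAD", "PUT", "DELETE"}   # safe to repeat; POST is not


@dataclass
class Response:
    status: int
    body: str = ""


def explain(status):
    """What each code in the question's options actually tells the client."""
    if status == 401:
        return "credentials rejected (username/password or X-Auth-Token invalid)"
    if status == 403:
        return "authenticated, but not authorized for this endpoint"
    if status == 503:
        return "server unavailable; retry later"
    if status == 504:
        return "gateway did not get a timely response from the upstream service"
    return f"HTTP {status}"


def call_with_retry(send, method, max_attempts=3, base_backoff_s=0.5, sleep=time.sleep):
    """Invoke send() until it returns a non-retryable status or attempts run out.

    Returns (last_response, list_of_statuses_seen). Exponential backoff keeps a
    struggling gateway from being hammered; non-idempotent methods get one try."""
    history = []
    response = None
    for attempt in range(max_attempts):
        response = send()
        history.append(response.status)
        if response.status not in RETRYABLE or method not in IDEMPOTENT:
            break
        if attempt < max_attempts - 1:
            sleep(base_backoff_s * 2 ** attempt)
    return response, history


def scripted_transport(statuses):
    """Stand-in for an HTTP client: returns the scripted statuses in order."""
    it = iter(statuses)
    return lambda: Response(next(it))


if __name__ == "__main__":
    for method, script in (("PUT", [504, 504, 200]), ("PUT", [401, 200]), ("POST", [504, 200])):
        resp, seen = call_with_retry(scripted_transport(script), method, sleep=lambda s: None)
        print(f"{method} {DEVICE_PATH}: saw {seen}, final {resp.status}: {explain(resp.status)}")
```

In practice the `send` callable would perform the real request with the `X-Auth-Token` obtained from the token endpoint; the retry policy is the part worth getting right, since blindly re-sending a POST on a 504 can create a duplicate task on the controller even though the first attempt actually went through upstream.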

60
Q

Question 103
A large campus network has deployed two wireless LAN controllers to manage the wireless network. WLC1 and WLC2 have been configured as mobility peers. A client device roams from AP1 on WLC1 to AP2 on WLC2, but the controller’s client interfaces are on different VLANs. How do the wireless LAN controllers handle the inter-subnet roaming?

A. WLC2 marks the client with a foreign entry in its own database. The database entry is copied to the new controller and marked with an anchor entry on WLC1

B. WLC2 marks the client with an anchor entry in its own database. The database entry is copied to the new controller and marked with a foreign entry on WLC1

C. WLC1 marks the client with a foreign entry in its own database. The database entry is copied to the new controller and marked with an anchor entry on WLC2

D. WLC1 marks the client with an anchor entry in its own database. The database entry is copied to the new controller and marked with a foreign entry on WLC2

A

Answer:D

Explanation
In instances where the client roams between APs that are connected to different WLCs and the WLC WLAN is connected to a different subnet, a Layer 3 roam is performed, and there is an update between the new WLC (foreign WLC) and the old WLC (anchor WLC) mobility databases.
If this is the case, return traffic to the client still goes through its originating anchor WLC. The anchor WLC uses Ethernet over IP (EoIP) to forward the client traffic to the foreign WLC, to where the client has roamed. Traffic from the roaming client is forwarded out the foreign WLC interface on which it resides; it is not tunneled back.

The client begins with a connection to AP B on WLC 1. This creates an ANCHOR entry in the WLC client database. As the client moves away from AP B and makes an association with AP C, WLC 2 sends a mobility announcement to peers in the mobility group looking for the WLC with the client MAC address. WLC 1 responds to the announcement, handshakes, and ACKs. Next the client database entry for the roaming client is copied to WLC 2, and marked as FOREIGN. Included PMK data (master key data from the RADIUS server) is also copied to WLC 2. This provides fast roam times for WPA2/802.11i clients because there is no need to re-authenticate to the RADIUS server.
After a simple key exchange between the client and AP, the client is added to the WLC 2 database with an entry like the one on WLC 1, except that it is marked as FOREIGN.
Reference:https://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/TechArch.html

61
Q

Question 108
The Gig0/0 interface of two routers is directly connected with a 1G Ethernet link. Which configuration must be applied to the interface of both routers to establish an OSPF adjacency without maintaining a DR/BDR relationship?

A. interface Gig0/0
ip ospf network point-to-multipoint

B. interface Gig0/0
ip ospf network non-broadcast

C. interface Gig0/0
ip ospf network broadcast

D. interface Gig0/0
ip ospf network point-to-point

A

Answer:D

62
Q

Which option works with a DHCP server to return at least one WLAN management interface IP address during the discovery phase and is dependent upon the VCI of the AP?
A. Option 43
B. Option 42
C. Option 125
D. Option 15

A

Answer:A