New ENCOR Questions Part 1
New ENCOR Questions Part 1
New ENCOR Questions Part 1
• A. two-tier
• B. Layer 2 access
• C. three-tier
• D. routed access
Explanation
Question 2
When a wired client connects to an edge switch in an SDA fabric, which component
decides whether the client has access to the network?
Question 3
Which algorithms are used to secure REST API from brute attacks and minimize the
impact?
Explanation
One of the best practices to secure REST APIs is using password hash. Passwords must
always be hashed to protect the system (or minimize the damage) even if it is
compromised in some hacking attempts. There are many such hashing algorithms which
can prove really effective for password security e.g. PBKDF2, bcrypt and scrypt
algorithms.
Other ways to secure REST APIs are: Always use HTTPS, Never expose information on
URLs (Usernames, passwords, session tokens, and API keys should not appear in the
URL), Adding Timestamp in Request, Using OAuth, Input Parameter Validation.
Reference: https://restfulapi.net/security-essentials/
We should not use MD5 or any SHA (SHA-1, SHA-256, SHA-512…) algorithm to hash
password as they are not totally secure.
Question 4
An engineer is describing QoS to a client. Which two facts apply to traffic policing?
(Choose two)
Explanation
Traffic policing propagates bursts. When the traffic rate reaches the configured maximum
rate (or committed information rate), excess traffic is dropped (or remarked). The result is
an output rate that appears as a saw-tooth with crests and troughs.
Classification (which includes traffic policing, traffic shaping and queuing techniques)
should take place at the network edge. It is recommended that classification occur as
close to the source of the traffic as possible.
Also according to this Cisco link, “policing traffic as close to the source as possible”.
Question 5
Drag and drop the LISP components from the left onto the function they perform on the
right. Not all options are used.
Note: For the unused option, please match it with "None" on the right to get point for this
question.
ITR is the function that maps the destination EID to a destination RLOC and then
encapsulates the original packet with an additional header that has the source IP address
of the ITR RLOC and the destination IP address of the RLOC of an Egress Tunnel Router
(ETR). After the encapsulation, the original packet become a LISP packet.
ETR is the function that receives LISP encapsulated packets, decapsulates them and
forwards to its local EIDs. This function also requires EID-to-RLOC mappings so we
need to point out an “map-server” IP address and the key (password) for authentication.
A LISP proxy ETR (PETR) implements ETR functions on behalf of non-LISP sites.
answer '' PETR is typically used when a LISP site needs to send traffic to non-LISP sites
but the LISP site is connected through a service provider that does not accept nonroutable
EIDs as packet sources. PETRs act just like ETRs but for EIDs that send traffic to
destinations at non-LISP sites.
Map Server (MS) processes the registration of authentication keys and EID-to-RLOC
mappings. ETRs sends periodic Map-Register messages to all its configured Map
Servers.
Map Resolver (MR): a LISP component which accepts LISP Encapsulated Map
Requests, typically from an ITR, quickly determines whether or not the destination IP
address is part of the EID namespace
Question 6
• A. SNMP
• B. RESTCONF
• C. REST
• D. NX-API
Explanation
YANG (Yet Another Next Generation) is a data modeling language for the definition of
data sent over network management protocols such as the NETCONF and RESTCONF.
Question 7
What are two reasons why broadcast radiation is caused in the virtual machine
environment? (Choose two)
• A. vSwitch must interrupt the server CPU to process the broadcast packet
• B. Virtual machines communicate primarily through broadcast mode
• C. Communication between vSwitch and network switch is multicast based
• D. The Layer 2 domain can be large in virtual machine environments
• E. Communication between vSwitch and network switch is broadcast based
Explanation
Broadcast radiation refers to the processing that is required every time a broadcast is
received on a host. Although IP is very efficient from a broadcast perspective when
compared to traditional protocols such as Novell Internetwork Packet Exchange (IPX)
Service Advertising Protocol (SAP), virtual machines and the vswitch implementation
require special consideration. Because the vswitch is software based, as broadcasts are
received the vswitch must interrupt the server CPU to change contexts to enable the
vswitch to process the packet. After the vswitch has determined that the packet is a
broadcast, it copies the packet to all the VMNICs, which then pass the broadcast packet
up the stack to process. This processing overhead can have a tangible effect on overall
server performance if a single domain is hosting a large number of virtual machines.
Note: This overhead effect is not a limitation of the vswitch implementation. It is a result
of the software-based nature of the vswitch embedded in the ESX hypervisor.
Reference: https://www.cisco.com/c/en/us/solutions/collateral/data-center-
virtualization/net_implementation_white_paper0900aecd806a9c05.html
----------------------------------------------------------------
Hypervisors provide virtual switch (vSwitch) that Virtual Machines (VMs) use to
communicate with other VMs on the same host. The vSwitch may also be connected to
the host's physical NIC to allow VMs to get layer 2 access to the outside world.
Each VM is provided with a virtual NIC (vNIC) that is connected to the virtual switch.
Multiple vNICs can connect to a single vSwitch, allowing VMs on a physical host to
communicate with one another at layer 2 without having to go out to a physical switch.
Although vSwitch does not run Spanning-tree protocol but vSwitch implements other
loop prevention mechanisms. For example, a frame that enters from one VMNIC is not
going to go out of the physical host from a different VMNIC card.
Question 8
When a wireless client roams between two different wireless controllers, a network
connectivity outage is experience for a period of time. Which configuration issue would
cause this problem?
• A. All of the controllers in the mobility group are using the same mobility group
name
• B. Not all of the controllers in the mobility group are using the same mobility
group name
• C. Not all of the controllers within the mobility group are using the same virtual
interface IP address
• D. All of the controllers within the mobility group are using the same virtual
interface IP address
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-
guide/b_cg85/mobility_groups.html
Answer 'Not all of the controllers in the mobility group are using the same mobility group
name' is not correct because when the client moves to a different mobility group (with
different mobility group name), that client would be connected (provided that the new
connected controller had information about this client in its mobility list already) or drop
(if the new connected controller have not had information about this client in its mobility
list). For more information please read the note below.
Note:
A mobility group is a set of controllers, identified by the same mobility group name, that
defines the realm of seamless roaming for wireless clients. By creating a mobility group,
you can enable multiple controllers in a network to dynamically share information and
forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers in
the same mobility group can share the context and state of client devices as well as their
list of access points so that they do not consider each other’s access points as rogue
devices.
Let’s take an example:
The controllers in the ABC mobility group share access point and client information with
each other. The controllers in the ABC mobility group do not share the access point or
client information with the XYZ controllers, which are in a different mobility group.
Therefore if a client from ABC mobility group moves to XYZ mobility group, and the
new connected controller does not have information about this client in its mobility
list, that client will be dropped.
Note: Clients may roam between access points in different mobility groups if the
controllers are included in each other’s mobility lists.
Question 9
Which configuration restricts the amount of SSH that a router accepts 100 kbps?
Option A Option B
class-map match-all CoPP_SSH class-map match-all CoPP_SSH
match access-group name CoPP_SSH match access-group name CoPP_SSH
! !
policy-map CoPP_SSH policy-map CoPP_SSH
class CoPP_SSH class CoPP_SSH
police cir 100000 police cir CoPP_SSH
exceed-action drop exceed-action drop
! !
! !
! !
interface GigabitEthernet0/1 interface GigabitEthernet0/1
ip address 209.165.200.225 255.255.255.0 ip address 209.165.200.225 255.255.255.0
ip access-group CoPP_SSH out ip access-group CoPP_SSH out
duplex auto duplex auto
speed auto speed auto
media-type rj45 media-type rj45
service-policy input CoPP_SSH service-policy input CoPP_SSH
! !
ip access-list extended CoPP_SSH ip access-list extended CoPP_SSH
permit tcp any any eq 22 deny tcp any any eq 22
! !
Option C Option D
class-map match-all CoPP_SSH class-map match-all CoPP_SSH
match access-group name CoPP_SSH match access-group name CoPP_SSH
! !
policy-map CoPP_SSH policy-map CoPP_SSH
class CoPP_SSH class CoPP_SSH
police cir 100000 police cir 100000
exceed-action drop exceed-action drop
! !
! !
! !
control-plane control-plane transit
service-policy input CoPP_SSH service-policy input CoPP_SSH
! !
ip access-list extended CoPP_SSH ip access-list extended CoPP_SSH
permit tcp any any eq 22 permit tcp any any eq 22
! !
• A. Option A
• B. Option B
• C. Option
• D. Option D
Explanation
CoPP protects the route processor on network devices by treating route processor
resources as a separate entity with its own ingress interface (and in some
implementations, egress also). CoPP is used to police traffic that is destined to the route
processor of the router such as:
+ Routing protocols like OSPF, EIGRP, or BGP.
+ Gateway redundancy protocols like HSRP, VRRP, or GLBP.
+ Network management protocols like telnet, SSH, SNMP, or RADIUS.
Therefore we must apply the CoPP to deal with SSH because it is in the management
plane. CoPP must be put under “control-plane” command. But we cannot name the
control-plane (like "transit").
Question 10
Drag and Drop the descriptions from the left onto the routing protocol they describe on
the right.
Please type the corresponding numbers of each item on the left to the blank below and
arrange them ascendingly. For example: 1324 (which means 13 for first group, 24 for
second group)
Unlike OSPF where we can summarize only on ABR or ASBR, in EIGRP we can
summarize anywhere.
Question 11
Which two namespaces does the LISP network architecture and protocol use? (Choose
two)
• A. TLOC
• B. EID
• C. DNS
• D. VTEP
• E. RLOC
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-overview.html
Question 12
• A. The RP acts as a control-plane node and does not receive or forward multicast
packets
• B. The RP is the multicast that is the root of the PIM-SM shared multicast
distribution tree
• C. The RP responds to the PIM join messages with the source of requested
multicast group
• D. The RP maintains default aging timeouts for all multicast streams requested by
the receivers
Question 13
What are two device roles in Cisco SD-Access fabric? (Choose two)
• A. access switch
• B. border node
• C. edge node
• D. core switch
• E. vBond controller
Explanation
Question 14
• A. m.freeze(target=’running’)
• B. m.lock(config=’running’)
• C. m.freeze(config=’running’)
• D. m.lock(target=’running’)correct
Explanation
Question 15
An engineer must ensure that all traffic leaving AS 200 will choose Link 2 as the exit
point. Assuming that all BGP neighbor relationships have been formed and that the
attributes have not been changed on any of the routers, which configuration accomplish
task?
Explanation
Local preference is an indication to the AS about which path has preference to exit the
AS in order to reach a certain network. answer 'R4(config-router)#bgp default local-
preference 200' path with a higher local preference is preferred. The default value for
local preference is 100.
Unlike the weight attribute, which is only relevant to the local router, local preference is
an attribute that routers exchange in the same AS. The local preference is set with the
“bgp default local-preference value” command.
In this case, both R3 & R4 have exit links but R4 has higher local-preference so R4 will
be chosen as the preferred exit point from AS 200.
(Reference:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtm
l#localpref)
Question 16
Which First Hop Redundancy Protocol should be used to meet a design requirements for
more efficient default bandwidth usage across multiple devices?
• A. LCAP
• B. GLBP
• C. HSRP
• D. VRRP
Explanation
The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the
active gateway and used to forward traffic whilst the rest are unused until the active one
fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol and
performs the similar function to HSRP and VRRP but it supports load balancing among
members in a GLBP group.
Question 17
Explanation
Traffic shaping retains excess packets in a queue and then schedules the excess for
later transmission over increments of time. The result of traffic shaping is a smoothed
packet output rate.
Question 18
Explanation
PIM dense mode (PIM-DM) uses a push model to flood multicast traffic to every corner
of the network. This push model is a brute-force method of delivering data to the
receivers. This method would be efficient in certain deployments in which there are
active receivers on every subnet in the network. PIM-DM initially floods multicast traffic
throughout the network. Routers that have no downstream neighbors prune the unwanted
traffic. This process repeats every 3 minutes.
PIM Sparse Mode (PIM-SM) uses a pull model to deliver multicast traffic. Only network
segments with active receivers that have explicitly requested the data receive the traffic.
PIM-SM distributes information about active sources by forwarding data packets on the
shared tree. Because PIM-SM uses shared trees (at least initially), it requires the use of an
RP. The RP must be administratively configured in the network.
Answer 'PIM sparse mode uses receivers to register with the RP' seems to be correct but
it is not, PIM spare mode uses sources (not receivers) to register with the RP. Sources
register with the RP, and then data is forwarded down the shared tree to the receivers.
What NTP stratum level is a server that is connected directly to an authoritative time
source?
• A. Stratum 14
• B. Stratum 1
• C. Stratum 0
• D. Stratum 15
Explanation
The stratum levels define the distance from the reference clock. answer 'Stratum 0'
reference clock is a stratum 0 device that is assumed to be accurate and has little or no
delay associated with it. Stratum 0 servers cannot be used on the network but they are
directly connected to computers which then operate as stratum-1 servers. answer 'Stratum
0' stratum 1 time server acts as a primary network time standard.
NTP uses the concept of a stratum to describe how many NTP hops away a machine is
from an authoritative time source. A stratum 1 time server typically has an
authoritative time source (such as a radio or atomic clock, or a Global Positioning
System (GPS) time source) directly attached, a stratum 2 time server receives its time via
NTP from a stratum 1 time server, and so on.
Reference:
https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/bsm/16-6-1/b-
bsm-xe-16-6-1-asr920/bsm-time-calendar-set.html
Question 20
A network engineer is configuring OSPF between router R1 and router R2. The engineer
must ensure that a DR/BDR election does not occur on the Gigabit Ethernet interfaces in
area 0. Which configuration set accomplishes this goal?
• A. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf database-filter all out
R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf database-filter all out
• B. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf priority 1
R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf priority 1
• C. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf network point-to-point
R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf network point-to-point
• D. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf network broadcast
R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf network broadcast
Explanation
Broadcast and Non-Broadcast networks elect DR/BDR while Point-to-point/multipoint
do not elect DR/BDR. Therefore we have to set the two Gi0/0 interfaces to point-to-point
or point-to-multipoint network to ensure that a DR/BDR election does not occur.
Question 1
Why is an AP joining a different WLC than the one specified through option 43?
Question 2
• A. Ansible pushes the configuration to the client. Chef client pulls the
configuration from the server
• B. Ansible lacks redundancy support for the master server. Chef runs two masters
in an active/active mode
• C. The Ansible server can run on Linux, Unix or Windows. The Chef server must
run on Linux or Unix
• D. Ansible uses Ruby to manage configurations. Chef uses YAML to manage
configurations
Explanation
Ansible works by connecting to your nodes and pushing out small programs, called
“Ansible modules” to them. These programs are written to be resource models of the
desired state of the system. Ansible then executes these modules (over SSH by default),
and removes them when finished.
Chef is a much older, mature solution to configure management. Unlike Ansible, it does
require an installation of an agent on each server, named chef-client. Also, unlike
Ansible, it has a Chef server that each client pulls configuration from.
Question 3
What does the LAP send when multiple WLCs respond to the CISCO_CAPWAP-
CONTROLLER.localdomain hostname during the CAPWAP discovery and join process?
Which devices does Cisco Center configure when deploying an IP-based access control
policy?
Explanation
When you click Deploy, Cisco DNA Center requests the Cisco Identity Services Engine
(Cisco ISE) to send notifications about the policy changes to the network devices.
Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-
automation-and-management/dna-center/1-3-1-
0/user_guide/b_cisco_dna_center_ug_1_3_1_0/b_cisco_dna_center_ug_1_3_1_0_chapte
r_01011.html
Question 5
• A. directional patch
• B. multidirectional
• C. omnidirectional
• D. Yagi
Explanation
A Yagi antenna is formed by driving a simple antenna, typically a dipole or dipole-like
antenna, and shaping the beam using a well-chosen series of non-driven elements whose
length and spacing are tightly controlled.
Reference: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-
accessories/prod_white_paper0900aecd806a1a3e.html
Question 6
In a Cisco SD-WAN solution, how is the health of a data plane tunnel monitored?
• A. using BFD
• B. with IP SLA
• C. with OMP
• D. ARP probing
Explanation
The BFD (Bidirectional Forwarding Detection) is a protocol that detects link failures as
part of the Cisco SD-WAN (Viptela) high availability solution, is enabled by default on
all vEdge routers, and you cannot disable it.
Question 7
Which access point mode allows a supported AP to function like a WLAN client would,
associating and identifying client connectivity issues?
• A. SE-connect mode
• B. client mode
• C. sensor mode
• D. sniffer mode
Explanation
An lightweight AP (LAP) operates in one of six different modes:
+ Local mode (default mode): measures noise floor and interference, and scans for
intrusion detection (IDS) events every 180 seconds on unused channels
+ FlexConnect, formerly known as Hybrid Remote Edge AP (H-REAP), mode: allows
data traffic to be switched locally and not go back to the controller. The FlexConnect AP
can perform standalone client authentication and switch VLAN traffic locally even when
it’s disconnected to the WLC (Local Switched). FlexConnect AP can also tunnel (via
CAPWAP) both user wireless data and control traffic to a centralized WLC (Central
Switched).
+ Monitor mode: does not handle data traffic between clients and the infrastructure. It
acts like a sensor for location-based services (LBS), rogue AP detection, and IDS
+ Rogue detector mode: monitor for rogue APs. It does not handle data at all.
+ Sniffer mode: run as a sniffer and captures and forwards all the packets on a particular
channel to a remote machine where you can use protocol analysis tool (Wireshark,
Airopeek, etc) to review the packets and diagnose issues. Strictly used for
troubleshooting purposes.
+ Bridge mode: bridge together the WLAN and the wired infrastructure together.
Question 8
aaa new-model
aaa authentication login default local group tacacs+
What is the process of password checks when a login attempt is made to the device?
Explanation
The “aaa authentication login default local group tacacs+” command is broken down as
follows:
Question 9
Which tool is used in Cisco DNA Center to build generic configurations that are able to
be applied on device with similar network settings?
• A. Template Editor
• B. Authentication Template
• C. Application Policies
• D. Command Runner
Explanation
Cisco DNA Center provides an interactive editor called Template Editor to author CLI
templates. Template Editor is a centralized CLI management tool to help design a set of
device configurations that you need to build devices in a branch. When you have a site,
office, or branch that uses a similar set of devices and configurations, you can use
Template Editor to build generic configurations and apply the configurations to one or
more devices in the branch.
Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-
automation-and-management/dna-center/1-
3/user_guide/b_cisco_dna_center_ug_1_3/b_cisco_dna_center_ug_1_3_chapter_0111.ht
ml
Question 10
Drag and drop the REST API authentication method from the left to the description on
the right.
When Secure Vault is not in use, all information stored in its container is encrypted.
When a user wants to use the files and notes stored within the app, they have to first
decrypt the database. This happens by filling in a previously determined Security Lock –
which could be a PIN or a password of the user’s choosing.
When a user leaves the app, it automatically encrypts everything again. This way all data
stored in Secure Vault is decrypted only while a user is actively using the app. In all other
instances, it remains locked to any attacker, malware or spyware trying to access the data.
OAuth is an open standard for authorization used by many APIs and modern
applications. The simplest example of OAuth is when you go to log onto a website and it
offers one or more opportunities to log on using another website’s/service’s logon. You
then click on the button linked to the other website, the other website authenticates you,
and the website you were originally connecting to logs you on itself afterward using
permission gained from the second website.
Question 11
The inside and outside interfaces in the NAT configuration of this device have been
correctly identified. What is the effect of this configuration?
• A. dynamic NAT
• B. NAT64
• C. PATcorrect
• D. static NAT
Explanation
The command “ip nat inside source list 1 interface gigabitethernet0/0 overload” translates
all source addresses that pass access list 1, which means 172.16.1.0/24 subnet, into an
address assigned to gigabitethernet0/0 interface. Overload keyword allows to map
multiple IP addresses to a single registered IP address (many-to-one) by using different
ports so it is called Port Address Translation (PAT).
Question 12
A client device roams between access points located on different floors in an atrium. The
access points joined to the same controller and configuration in local mode. The access
points are in different IP addresses, but the client VLAN in the group same. What type of
roam occurs?
• A. intra-controller
• B. inter-subnet
• C. intra-VLAN
• D. inter-controller
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-
4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDAT
ED_chapter_01100.html
Question 13
Question 14
• A. vEdge
• B. vSmart
• C. vBond
• D. vManage
Explanation
+ Orchestration plane (vBond) assists in securely onboarding the SD-WAN WAN Edge
routers into the SD-WAN overlay. The vBond controller, or orchestrator, authenticates
and authorizes the SD-WAN components onto the network. The vBond orchestrator takes
an added responsibility to distribute the list of vSmart and vManage controller
information to the WAN Edge routers. vBond is the only device in SD-WAN that
requires a public IP address as it is the first point of contact and authentication for all SD-
WAN components to join the SD-WAN fabric. All other components need to know the
vBond IP or DNS information.
Question 15
Which method of account authentication does OAuth 2.0 within REST APIs?
Explanation
The most common implementations of OAuth (OAuth 2.0) use one or both of these
tokens:
+ access token: sent like an API key, it allows the application to access a user’s data;
optionally, access tokens can expire.
+ refresh token: optionally part of an OAuth flow, refresh tokens retrieve a new access
token if they have expired. OAuth2 combines Authentication and Authorization to allow
more sophisticated scope and validity control.
Question 16
Which DHCP option helps lightweight APs find the IP address of a wireless LAN
controller?
• A. Option 43
• B. Option 60
• C. Option 150
• D. Option 67
Question 17
vlan 222
remote-span
!
vlan 223
remote-span
!
monitor session 1 source interface FastEthernet0/1 tx
monitor session 1 source interface FastEthernet0/2 rx
monitor session 1 source interface port-channel 5
monitor session 1 destination remote vlan 222
!
What is the result when a technician adds the monitor session 1 destination remote vlan
233 command?
Question 18
Explanation
VTEPs connect between Overlay and Underlay network and they are responsible for
encapsulating frame into VXLAN packets to send across IP network (Underlay) then
decapsulating when the packets leaves the VXLAN tunnel.
Question 19
Drag and drop the QoS mechanisms from the left to the correct descriptions on the right.
shaping bandwidth management technique which delays datagrams
mechanism to create a scheduler for packets prior to forwarding
policy map
To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or
a VC that will be used as the service policy for the interface or VC, use the service-
policy command in the appropriate configuration mode.
Class of Service (CoS) is a 3 bit field within an Ethernet frame header when we use
802.1q which supports virtual LANs on an Ethernet network. This field specifies a
priority value which is between 0 and 63 inclusive which can be used in the Quality of
Service (QoS) to differentiate traffic.
The Differentiated Services Code Point (DSCP) is a 6-bit field in the IP header for the
classification of packets. Differentiated Services is a technique which is used to classify
and manage network traffic and it helps to provide QoS for modern Internet networks. It
can provide services to all kinds of networks.
Traffic policing is also known as rate limiting as it propagates bursts. When the traffic
rate reaches the configured maximum rate (or committed information rate), excess traffic
is dropped (or remarked). The result is an output rate that appears as a saw-tooth with
crests and troughs.
Traffic shaping retains excess packets in a queue and then schedules the excess for later
transmission over increments of time -> It causes delay.
Question 20
Question 21
Explanation
Question 22
An engineer must protect their company against ransom ware attacks. Which solution
allows the engineer to block the execution stage and prevent file encryption?
• A. Use Cisco AMP deployment with the Exploit Prevention engine enabled
• B. Use Cisco Firepower with Intrusion Policy and snort rules blocking SMB
exploitation
• C. Use Cisco AMP deployment with the Malicious Activity Protection engineer
enabled
• D. Use Cisco Firepower and block traffic to TOR networks
Explanation
Ransomware are malicious software that locks up critical resources of the users.
Ransomware uses well-established public/private key cryptography which leaves the only
way of recovering the files being the payment of the ransom, or restoring files from
backups.
Cisco Advanced Malware Protection (AMP) for Endpoints Malicious Activity Protection
(MAP) engine defends your endpoints by monitoring the system and identifying
processes that exhibit malicious activities when they execute and stops them from
running. Because the MAP engine detects threats by observing the behavior of the
process at run time, it can generically determine if a system is under attack by a new
variant of ransomware or malware that may have eluded other security products and
detection technology, such as legacy signature-based malware detection. The first release
of the MAP engine targets identification, blocking, and quarantine of ransomware attacks
on the endpoint.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-for-
endpoints/white-paper-c11-740980.pdf
Question 23
Which component of the Cisco Cyber Threat Defense solution provides user and flow
context analysis?
Explanation
The goal of the Cyber Threat Defense solution is to introduce a design and architecture
that can help facilitate the discovery, containment, and remediation of threats once they
have penetrated into the network interior.
Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its
objectives:
Reference:
https://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd2-
0/design_guides/ctd_2-0_cvd_guide_jul15.pdf
Question 24
Explanation
+ Control plane (vSmart) builds and maintains the network topology and make
decisions on the traffic flows. The vSmart controller disseminates control plane
information between WAN Edge devices, implements control plane policies and
distributes data plane policies to network devices for enforcement.
Question 25
What does the Cisco DNA Center use to enable the delivery of applications through a
network and to yield analytics for innovation?
• A. process adapters
• B. intent-based APIs
• C. domain adapters
• D. Command Runner
Explanation
The Cisco DNA Center open platform for intent-based networking provides 360-degree
extensibility across multiple components, including:
+ Intent-based APIs leverage the controller to enable business and IT applications to
deliver intent to the network and to reap network analytics and insights for IT and
business innovation. These enable APIs that allow Cisco DNA Center to receive input
from a variety of sources, both internal to IT and from line-of-business applications,
related to application policy, provisioning, software image management, and assurance.
…
Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-
management/dna-center/nb-06-dna-cent-plat-sol-over-cte-en.html
Question 26
• A. supported systems
• B. storage capacity
• C. efficient scalability
• D. virtualization
Question 27
Explanation
+ Fabric edge node: This fabric device (for example, access or distribution layer device)
connects wired endpoints to the SDA fabric.
Question 28
A server running Linux is providing support for virtual machines along with DNS and
DHCP services for a small business. Which technology does this represent?
• A. Type 2 hypervisor
• B. container
• C. Type 1 hypervisor
• D. hardware pass-through
Explanation
In contrast to type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of
an operating system and not the physical hardware directly. A big advantage of Type 2
hypervisors is that management console software is not required. Examples of type 2
hypervisor are VMware Workstation (which can run on Windows, Mac and Linux) or
Microsoft Virtual PC (only runs on Windows).
Question 29
An engineer must deny Telnet traffic from the loopback interface of router R3 to the
loopback interface of router R2 during the weekend hours. All other traffic between the
loopback interfaces of routers R3 and R2 must be allowed at all times. Which command
accomplish this task?
• A. R1(config)#time-range WEEKEND
R1(config-time-range)#periodic Friday Sunday 00:00 to 00:00
R1(config)#interface Gi0/1
R1(config-if)#ip access-group 150 in
• B. R3(config)#time-range WEEKEND
R3(config-time-range)#periodic weekend 00:00 to 23:59
R3(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range
WEEKEND
R3(config)#access-list 150 permit ip any any time-range WEEKEND
R3(config)#interface Gi0/1
R3(config-if)#ip access-group 150 out
• C. R1(config)#time-range WEEKEND
R1(config-time-range)#periodic weekend 00:00 to 23:59
R1(config)#interface Gi0/1
R1(config-if)#ip access-group 150 in
• D. R3(config)#time-range WEEKEND
R3(config-time-range)#periodic Saturday Sunday 00:00 to 23:59
R3(config)#interface Gi0/1
R3(config-if)#ip access-group 150 out
Explanation
We cannot filter traffic that is originated from the local router (R3 in this case) so we can
only configure the ACL on R1 or R2. “Weekend hours” means from Saturday morning
through Sunday night so we have to configure: “periodic weekend 00:00 to 23:59”.
Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23
and the minutes range from 0 to 59.
Question 30
Wireless users report frequent disconnections from the wireless network. While
troubleshooting a network engineer finds that after the user a disconnect, the connection
reestablishes automatically without any input required. The engineer also notices these
message logs.
• A. increase BandSelect
• B. enable coverage hole detection
• C. increase the AP heartbeat timeout
• D. increase the dynamic channel assignment interval
Explanation
These message logs inform that the radio channel has been reset (and the AP must be
down briefly). With dynamic channel assignment (DCA), the radios can frequently
switch from one channel to another but it also makes disruption. The default DCA
interval is 10 minutes, which is matched with the time of the message logs. By increasing
the DCA interval, we can reduce the number of times our users are disconnected for
changing radio channels.
Question 1
Explanation
Portfast feature should only be used on edge ports (ports directly connected to end
stations). Neither edge ports or PortFast enabled ports generate topology changes when
the link toggles so we cannot say Portfast reduces the STP convergence time.
PortFast causes a switch or trunk port to enter the spanning tree forwarding state
immediately, bypassing the listening and learning states so answer 'It immediately puts
the port into the forwarding state when the switch is reloaded ' is the best choice.
Question 2
What is calculated using the numerical values of the transmitter power level, cable loss
and antenna gain?
• A. SNR
• B. RSSI
• C. dBi
• D. EIRP
Explanation
Once you know the complete combination of transmitter power level, the length of cable,
and the antenna gain, you can figure out the actual power level that will be radiated from
the antenna. This is known as the effective isotropic radiated power (EIRP), measured in
dBm.
Suppose a transmitter is configured for a power level of 10 dBm (10 mW). answer 'SNR'
cable with 5-dB loss connects the transmitter to an antenna with an 8-dBi gain. The
resulting EIRP of the system is 10 dBm – 5 dB + 8 dBi, or 13 dBm.
You might notice that the EIRP is made up of decibel-milliwatt (dBm), dB relative to an
isotropic antenna (dBi), and decibel (dB) values. Even though the units appear to be
differrent, you can safely combine them because they are all in the dB “domain”.
Question 3
Which two security features are available when implementing NTP? (Choose two)
Explanation
The time kept on a machine is a critical resource and it is strongly recommend that you
use the security features of NTP to avoid the accidental or malicious setting of incorrect
time. The two security features available are an access list-based restriction scheme
and an encrypted authentication mechanism.
Reference: https://www.cisco.com/c/en/us/support/docs/availability/high-
availability/19643-ntpm.html
Question 4
An engineer reconfigures the port-channel between SW1 and SW2 from an access port to
a trunk and immediately notices this error in SW1’s log.
Company policy restricts VLAN 10 to be allowed only on SW1 and SW2. All other
VLANs can be on all three switches. An administrator has noticed that VLAN 10 has
propagated to SW3. Which configuration corrects the issue?
• A. SW2(config)#interface gi1/2
SW2(config)#switchport trunk allowed vlan 10
• B. SW1(config)#interface gi1/1
SW1(config)#switchport trunk allowed vlan 1-9,11-4094
• C. SW2(config)#interface gi1/1
SW2(config)#switchport trunk allowed vlan 10
• D. SW2(config)#interface gi1/2
SW2(config)#switchport trunk allowed vlan 1-9,11-4094
Question 6
An engineer must establish eBGP peering between router R3 and router R4. Both routers
should use their loopback interfaces as the BGP router ID. Which configuration set
accomplishes this task?
Question 7
A network architect has partially configured static NAT. which commands should be
asked to complete the configuration?
• A. R1(config)#interface GigabitEthernet0/0
R1(config)#ip pat outside
R1(config)#interface GigabitEthernet0/1
R1(config)#ip pat inside
• B. R1(config)#interface GigabitEthernet0/0
R1(config)#ip nat outside
R1(config)#interface GigabitEthernet0/1
R1(config)#ip nat inside
• C. R1(config)#interface GigabitEthernet0/0
R1(config)#ip nat inside
R1(config)#interface GigabitEthernet0/1
R1(config)#ip nat outside
• D. R1(config)#interface GigabitEthernet0/0
R1(config)#ip pat inside
R1(config)#interface GigabitEthernet0/1
R1(config)#ip pat outside
Question 8
Explanation
The established keyword is only applicable to TCP access list entries to match TCP
segments that have the ACK and/or RST control bit set (regardless of the source and
destination ports), which assumes that a TCP connection has already been established in
one direction only. Let’s see an example below:
Note:
Suppose hostA wants to start communicating with hostB using TCP. Before they can
send real data, a three-way handshake must be established first. Let’s see how this
process takes place:
1. First hostA will send a SYN message (a TCP segment with SYN flag set to 1, SYN is
short for SYNchronize) to indicate it wants to setup a connection with hostB. This
message includes a sequence (SEQ) number for tracking purpose. This sequence number
can be any 32-bit number (range from 0 to 232) so we use “x” to represent it.
2. After receiving SYN message from hostA, hostB replies with SYN-ACK message
(some books may call it “SYN/ACK” or “SYN, ACK” message. ACK is short for
ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ SYN sequence number (let’s called it “y”) is a random number and does not have any
relationship with Host A’s SYN SEQ number.
+ ACK number is the next number of Host A’s SYN sequence number it received, so we
represent it with “x+1”. It means “I received your part. Now send me the next part (x +
1)”.
The SYN-ACK message indicates hostB accepts to talk to hostA (via ACK part). And
ask if hostA still wants to talk to it as well (via SYN part).
3. After Host answer 'TCP traffic with the DF bit set is allowed' received the SYN-ACK
message from hostB, it sends an ACK message with ACK number “y+1” to hostB. This
confirms hostA still wants to talk to hostB.
Question 9
Refer to exhibit.
MTU has been configured on the underlying physical topology, and no MTU command
has been configured on the tunnel interfaces. What happens when a 1500-byte IPv4
packet traverses the GRE tunnel from host X to host Y, assuming the DF bit is cleared?
Explanation
If the DF bit is set to clear (not set), routers can fragment packets regardless of the
original DF bit setting.
1. The sender sends a 1500-byte packet (20 byte IPv4 header + 1480 bytes of TCP
payload).
2. Since the MTU of the GRE tunnel is 1476, the 1500-byte packet is broken into two
IPv4 fragments of 1476 and 44 bytes, each in anticipation of the additional 24 byes of
GRE header.
3. The 24 bytes of GRE header is added to each IPv4 fragment. Now the fragments are
1500 (1476 + 24) and 68 (44 + 24) bytes each.
4. The GRE + IPv4 packets that contain the two IPv4 fragments are forwarded to the
GRE tunnel peer router.
5. The GRE tunnel peer router removes the GRE headers from the two packets.
6. This router forwards the two packets to the destination host.
7. The destination host reassembles the IPv4 fragments back into the original IPv4
datagram.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/25885-pmtud-ipfrag.html (Scenario 5)
Question 10
• A. dBi
• B. EIRP
• C. mW
• D. dBm
Explanation
Question 11
Drag and drop the characteristics from the left onto the correct infrastructure deployment
types on the right.
Please type the corresponding numbers of each item on the left to the blank below and
arrange them ascendingly. For example: 13524 (which means 135 for first group, 24 for
second group)