Question 1

A company plans to implement intent-based networking in its campus infrastructure.

Which design facilities a migrate from a traditional campus design to a programmer
fabric designer?

• A. two-tier
• B. Layer 2 access
• C. three-tier
• D. routed access

Explanation

Intent-based Networking (IBN) transforms a hardware-centric, manual network into a

controller-led network that captures business intent and translates it into policies that can
be automated and applied consistently across the network. The goal is for the network to
continuously monitor and adjust network performance to help assure desired business
outcomes. IBN builds on software-defined networking (SDN). SDN usually uses spine-
leaf architecture, which is typically deployed as two layers: spines (such as an
aggregation layer), and leaves (such as an access layer).

Question 2

When a wired client connects to an edge switch in an SDA fabric, which component
decides whether the client has access to the network?

• A. Identity Service Engine

• B. edge node
 • C. RADIUS server
• D. control-plane node

Question 3

Which algorithms are used to secure REST API from brute attacks and minimize the
impact?

• A. SHA-1, SHA-256, and SHA-512

• B. PBKDF2, BCrypt, and SCrypt
• C. SHA-512 and SHA-384
• D. MD5 algorithm-128 and SHA-384

Explanation

One of the best practices to secure REST APIs is using password hash. Passwords must
always be hashed to protect the system (or minimize the damage) even if it is
compromised in some hacking attempts. There are many such hashing algorithms which
can prove really effective for password security e.g. PBKDF2, bcrypt and scrypt
algorithms.

Other ways to secure REST APIs are: Always use HTTPS, Never expose information on
URLs (Usernames, passwords, session tokens, and API keys should not appear in the
URL), Adding Timestamp in Request, Using OAuth, Input Parameter Validation.

Reference: https://restfulapi.net/security-essentials/

We should not use MD5 or any SHA (SHA-1, SHA-256, SHA-512…) algorithm to hash
password as they are not totally secure.

Note: answer 'SHA-512 and SHA-384' brute-force attack is an attempt to discover a

password by systematically trying every possible combination of letters, numbers, and
symbols until you discover the one correct combination that works.

Question 4

An engineer is describing QoS to a client. Which two facts apply to traffic policing?
(Choose two)

• A. Policing adapts to network congestion by queuing excess traffic

• B. Policing should be performed as close to the destination as possible
• C. Policing typically delays the traffic, rather than drops it
• D. Policing drops traffic that exceeds the defined rate
• E. Policing should be performed as close to the source as possible

Explanation
Traffic policing propagates bursts. When the traffic rate reaches the configured maximum
rate (or committed information rate), excess traffic is dropped (or remarked). The result is
an output rate that appears as a saw-tooth with crests and troughs.

Unlike traffic shaping, traffic policing does not cause delay.

Classification (which includes traffic policing, traffic shaping and queuing techniques)
should take place at the network edge. It is recommended that classification occur as
close to the source of the traffic as possible.

Also according to this Cisco link, “policing traffic as close to the source as possible”.

Question 5

Drag and drop the LISP components from the left onto the function they perform on the
right. Not all options are used.

Note: For the unused option, please match it with "None" on the right to get point for this
question.

LISP map resolver accepts LISP encapsulated map requests

LISP route
none (please match with unused option on the left)
reflector
receives traffic from LISP sites and sends it to non-LISP
LISP proxy ETR
sites
LISP ITR receives packets from site-facing interfaces
LISP map server learns of EID prefix mapping entries from an ETR
Explanation

ITR is the function that maps the destination EID to a destination RLOC and then
encapsulates the original packet with an additional header that has the source IP address
of the ITR RLOC and the destination IP address of the RLOC of an Egress Tunnel Router
(ETR). After the encapsulation, the original packet become a LISP packet.

ETR is the function that receives LISP encapsulated packets, decapsulates them and
forwards to its local EIDs. This function also requires EID-to-RLOC mappings so we
need to point out an “map-server” IP address and the key (password) for authentication.

A LISP proxy ETR (PETR) implements ETR functions on behalf of non-LISP sites.
answer '' PETR is typically used when a LISP site needs to send traffic to non-LISP sites
but the LISP site is connected through a service provider that does not accept nonroutable
EIDs as packet sources. PETRs act just like ETRs but for EIDs that send traffic to
destinations at non-LISP sites.

Map Server (MS) processes the registration of authentication keys and EID-to-RLOC
mappings. ETRs sends periodic Map-Register messages to all its configured Map
Servers.

Map Resolver (MR): a LISP component which accepts LISP Encapsulated Map
Requests, typically from an ITR, quickly determines whether or not the destination IP
address is part of the EID namespace

Question 6

Which protocol infers that a YANG data model is being used?

• A. SNMP
• B. RESTCONF
• C. REST
• D. NX-API

Explanation

YANG (Yet Another Next Generation) is a data modeling language for the definition of
data sent over network management protocols such as the NETCONF and RESTCONF.

Question 7

What are two reasons why broadcast radiation is caused in the virtual machine
environment? (Choose two)

• A. vSwitch must interrupt the server CPU to process the broadcast packet
• B. Virtual machines communicate primarily through broadcast mode
• C. Communication between vSwitch and network switch is multicast based
• D. The Layer 2 domain can be large in virtual machine environments
• E. Communication between vSwitch and network switch is broadcast based

Explanation

Broadcast radiation refers to the processing that is required every time a broadcast is
received on a host. Although IP is very efficient from a broadcast perspective when
compared to traditional protocols such as Novell Internetwork Packet Exchange (IPX)
Service Advertising Protocol (SAP), virtual machines and the vswitch implementation
require special consideration. Because the vswitch is software based, as broadcasts are
received the vswitch must interrupt the server CPU to change contexts to enable the
vswitch to process the packet. After the vswitch has determined that the packet is a
broadcast, it copies the packet to all the VMNICs, which then pass the broadcast packet
up the stack to process. This processing overhead can have a tangible effect on overall
server performance if a single domain is hosting a large number of virtual machines.

Note: This overhead effect is not a limitation of the vswitch implementation. It is a result
of the software-based nature of the vswitch embedded in the ESX hypervisor.

Reference: https://www.cisco.com/c/en/us/solutions/collateral/data-center-
virtualization/net_implementation_white_paper0900aecd806a9c05.html

----------------------------------------------------------------

Note about the structure of virtualization in a hypervisor:

Hypervisors provide virtual switch (vSwitch) that Virtual Machines (VMs) use to
communicate with other VMs on the same host. The vSwitch may also be connected to
the host's physical NIC to allow VMs to get layer 2 access to the outside world.

Each VM is provided with a virtual NIC (vNIC) that is connected to the virtual switch.
Multiple vNICs can connect to a single vSwitch, allowing VMs on a physical host to
communicate with one another at layer 2 without having to go out to a physical switch.

Although vSwitch does not run Spanning-tree protocol but vSwitch implements other
loop prevention mechanisms. For example, a frame that enters from one VMNIC is not
going to go out of the physical host from a different VMNIC card.

Question 8

When a wireless client roams between two different wireless controllers, a network
connectivity outage is experience for a period of time. Which configuration issue would
cause this problem?
 • A. All of the controllers in the mobility group are using the same mobility group
name
• B. Not all of the controllers in the mobility group are using the same mobility
group name
• C. Not all of the controllers within the mobility group are using the same virtual
interface IP address
• D. All of the controllers within the mobility group are using the same virtual
interface IP address

Explanation

A prerequisite for configuring Mobility Groups is “All controllers must be configured

with the same virtual interface IP address”. If all the controllers within a mobility group
are not using the same virtual interface, inter-controller roaming may appear to work, but
the handoff does not complete, and the client loses connectivity for a period of time. ->
Answer 'Not all of the controllers within the mobility group are using the same virtual
interface IP address' is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-
guide/b_cg85/mobility_groups.html

Answer 'Not all of the controllers in the mobility group are using the same mobility group
name' is not correct because when the client moves to a different mobility group (with
different mobility group name), that client would be connected (provided that the new
connected controller had information about this client in its mobility list already) or drop
(if the new connected controller have not had information about this client in its mobility
list). For more information please read the note below.

Note:

A mobility group is a set of controllers, identified by the same mobility group name, that
defines the realm of seamless roaming for wireless clients. By creating a mobility group,
you can enable multiple controllers in a network to dynamically share information and
forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers in
the same mobility group can share the context and state of client devices as well as their
list of access points so that they do not consider each other’s access points as rogue
devices.
Let’s take an example:

The controllers in the ABC mobility group share access point and client information with
each other. The controllers in the ABC mobility group do not share the access point or
client information with the XYZ controllers, which are in a different mobility group.
Therefore if a client from ABC mobility group moves to XYZ mobility group, and the
new connected controller does not have information about this client in its mobility
list, that client will be dropped.

Note: Clients may roam between access points in different mobility groups if the
controllers are included in each other’s mobility lists.

Question 9

Which configuration restricts the amount of SSH that a router accepts 100 kbps?

Option A Option B
class-map match-all CoPP_SSH class-map match-all CoPP_SSH
match access-group name CoPP_SSH match access-group name CoPP_SSH
! !
policy-map CoPP_SSH policy-map CoPP_SSH
class CoPP_SSH class CoPP_SSH
police cir 100000 police cir CoPP_SSH
exceed-action drop exceed-action drop
! !
! !
! !
interface GigabitEthernet0/1 interface GigabitEthernet0/1
ip address 209.165.200.225 255.255.255.0 ip address 209.165.200.225 255.255.255.0
ip access-group CoPP_SSH out ip access-group CoPP_SSH out
duplex auto duplex auto
speed auto speed auto
media-type rj45 media-type rj45
service-policy input CoPP_SSH service-policy input CoPP_SSH
! !
ip access-list extended CoPP_SSH ip access-list extended CoPP_SSH
permit tcp any any eq 22 deny tcp any any eq 22
! !
Option C Option D
class-map match-all CoPP_SSH class-map match-all CoPP_SSH
match access-group name CoPP_SSH match access-group name CoPP_SSH
! !
policy-map CoPP_SSH policy-map CoPP_SSH
class CoPP_SSH class CoPP_SSH
police cir 100000 police cir 100000
exceed-action drop exceed-action drop
! !
! !
! !
control-plane control-plane transit
service-policy input CoPP_SSH service-policy input CoPP_SSH
! !
ip access-list extended CoPP_SSH ip access-list extended CoPP_SSH
permit tcp any any eq 22 permit tcp any any eq 22
! !

• A. Option A
• B. Option B
• C. Option
• D. Option D

Explanation

CoPP protects the route processor on network devices by treating route processor
resources as a separate entity with its own ingress interface (and in some
implementations, egress also). CoPP is used to police traffic that is destined to the route
processor of the router such as:
+ Routing protocols like OSPF, EIGRP, or BGP.
+ Gateway redundancy protocols like HSRP, VRRP, or GLBP.
+ Network management protocols like telnet, SSH, SNMP, or RADIUS.
Therefore we must apply the CoPP to deal with SSH because it is in the management
plane. CoPP must be put under “control-plane” command. But we cannot name the
control-plane (like "transit").

Question 10

Drag and Drop the descriptions from the left onto the routing protocol they describe on
the right.

Please type the corresponding numbers of each item on the left to the blank below and
arrange them ascendingly. For example: 1324 (which means 13 for first group, 24 for
second group)

Please type your answer here: 2413

Explanation

Unlike OSPF where we can summarize only on ABR or ASBR, in EIGRP we can
summarize anywhere.

Manual summarization can be applied anywhere in EIGRP domain, on every router, on

every interface via the ip summary-address eigrp as-number address mask
[administrative-distance ] command (for example: ip summary-address eigrp 1
192.168.16.0 255.255.248.0). Summary route will exist in routing table as long as at least
one more specific route will exist. If the last specific route will disappear, summary route
also will fade out. The metric used by EIGRP manual summary route is the minimum
metric of the specific routes.

Question 11

Which two namespaces does the LISP network architecture and protocol use? (Choose
two)

• A. TLOC
• B. EID
• C. DNS
• D. VTEP
• E. RLOC

Explanation

Locator ID Separation Protocol (LISP) is a network architecture and protocol that

implements the use of two namespaces instead of a single IP address:
+ Endpoint identifiers (EIDs)—assigned to end hosts.
+ Routing locators (RLOCs)—assigned to devices (primarily routers) that make up the
global routing system.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-overview.html

Question 12

What is the role of the RP in PIM sparse mode?

• A. The RP acts as a control-plane node and does not receive or forward multicast
packets
• B. The RP is the multicast that is the root of the PIM-SM shared multicast
distribution tree
 • C. The RP responds to the PIM join messages with the source of requested
multicast group
• D. The RP maintains default aging timeouts for all multicast streams requested by
the receivers

Question 13

What are two device roles in Cisco SD-Access fabric? (Choose two)

• A. access switch
• B. border node
• C. edge node
• D. core switch
• E. vBond controller

Explanation

There are five basic device roles in the fabric overlay:

+ Control plane node: This node contains the settings, protocols, and mapping tables to
provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay.
+ Fabric border node: This fabric device (for example, core layer device) connects
external Layer 3 networks to the SDA fabric.
+ Fabric edge node: This fabric device (for example, access or distribution layer device)
connects wired endpoints to the SDA fabric.
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless
endpoints to the SDA fabric.
+ Intermediate nodes: These are intermediate routers or extended switches that do not
provide any sort of SD-Access fabric role other than underlay services.
Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide

Question 14

A network administrator is preparing a Python script to configure a Cisco IOS XE-based

device on the network. The administrator is worried that colleagues will make changes to
the device while the script is running. Which operation of the client manager in prevent
colleague making changes to the device while the script is running?

• A. m.freeze(target=’running’)
• B. m.lock(config=’running’)
• C. m.freeze(config=’running’)
• D. m.lock(target=’running’)correct

Explanation

The example below shows the usage of lock command:

def demo(host, user, names):

with manager.connect(host=host, port=22, username=user) as m:
 with m.locked(target=’running’):
for n in names:
m.edit_config(target=’running’, config=template % n)

the command “m.locked(target=’running’)” causes a lock to be acquired on the running

datastore.

Question 15

Refer to the exhibit.

An engineer must ensure that all traffic leaving AS 200 will choose Link 2 as the exit
point. Assuming that all BGP neighbor relationships have been formed and that the
attributes have not been changed on any of the routers, which configuration accomplish
task?

• A. R3(config-router)#neighbor 10.1.1.1 weight 200

• B. R4(config-router)#bgp default local-preference 200
• C. R4(config-router)#neighbor 10.2.2.2 weight 200
• D. R3(config-router)#bgp default local-preference 200

Explanation

Local preference is an indication to the AS about which path has preference to exit the
AS in order to reach a certain network. answer 'R4(config-router)#bgp default local-
preference 200' path with a higher local preference is preferred. The default value for
local preference is 100.
Unlike the weight attribute, which is only relevant to the local router, local preference is
an attribute that routers exchange in the same AS. The local preference is set with the
“bgp default local-preference value” command.

In this case, both R3 & R4 have exit links but R4 has higher local-preference so R4 will
be chosen as the preferred exit point from AS 200.

(Reference:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtm
l#localpref)

Question 16

Which First Hop Redundancy Protocol should be used to meet a design requirements for
more efficient default bandwidth usage across multiple devices?

• A. LCAP
• B. GLBP
• C. HSRP
• D. VRRP

Explanation

The main disadvantage of HSRP and VRRP is that only one gateway is elected to be the
active gateway and used to forward traffic whilst the rest are unused until the active one
fails. Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol and
performs the similar function to HSRP and VRRP but it supports load balancing among
members in a GLBP group.

Question 17

How does QoS traffic shaping alleviate network congestion?

• A. It drops packets randomly from lower priority queues.

• B. It fragments large packets and queues them for delivery.
• C. It buffers and queue packets above the committed rate.
• D. It drops packets when traffic exceeds a certain bitrate.

Explanation

Traffic shaping retains excess packets in a queue and then schedules the excess for
later transmission over increments of time. The result of traffic shaping is a smoothed
packet output rate.
Question 18

What mechanism does PIM use to forward multicast traffic?

• A. PIM dense mode uses a pull model to deliver multicast traffic

• B. PIM sparse mode uses receivers to register with the RP
• C. PIM sparse mode uses a flood and prune model to deliver multicast traffic
• D. PIM sparse mode uses a pull model to deliver multicast traffic

Explanation

PIM dense mode (PIM-DM) uses a push model to flood multicast traffic to every corner
of the network. This push model is a brute-force method of delivering data to the
receivers. This method would be efficient in certain deployments in which there are
active receivers on every subnet in the network. PIM-DM initially floods multicast traffic
throughout the network. Routers that have no downstream neighbors prune the unwanted
traffic. This process repeats every 3 minutes.

PIM Sparse Mode (PIM-SM) uses a pull model to deliver multicast traffic. Only network
segments with active receivers that have explicitly requested the data receive the traffic.
PIM-SM distributes information about active sources by forwarding data packets on the
shared tree. Because PIM-SM uses shared trees (at least initially), it requires the use of an
RP. The RP must be administratively configured in the network.

Answer 'PIM sparse mode uses receivers to register with the RP' seems to be correct but
it is not, PIM spare mode uses sources (not receivers) to register with the RP. Sources
register with the RP, and then data is forwarded down the shared tree to the receivers.

Reference: Selecting MPLS VPN Services Book, page 193

Question 19

What NTP stratum level is a server that is connected directly to an authoritative time
source?

• A. Stratum 14
• B. Stratum 1
• C. Stratum 0
• D. Stratum 15

Explanation

The stratum levels define the distance from the reference clock. answer 'Stratum 0'
reference clock is a stratum 0 device that is assumed to be accurate and has little or no
delay associated with it. Stratum 0 servers cannot be used on the network but they are
directly connected to computers which then operate as stratum-1 servers. answer 'Stratum
0' stratum 1 time server acts as a primary network time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is

connected to the stratum 2 server and so on. answer 'Stratum 0' stratum 2 server gets its
time via NTP packet requests from a stratum 1 server. answer 'Stratum 0' stratum 3 server
gets its time via NTP packet requests from a stratum-2 server… answer 'Stratum 0'
stratum server may also peer with other stratum servers at the same level to provide more
stable and robust time for all devices in the peer group (for example a stratum 2 server
can peer with other stratum 2 servers).

NTP uses the concept of a stratum to describe how many NTP hops away a machine is
from an authoritative time source. A stratum 1 time server typically has an
authoritative time source (such as a radio or atomic clock, or a Global Positioning
System (GPS) time source) directly attached, a stratum 2 time server receives its time via
NTP from a stratum 1 time server, and so on.

Reference:
https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/bsm/16-6-1/b-
bsm-xe-16-6-1-asr920/bsm-time-calendar-set.html
Question 20

Refer to the exhibit.

A network engineer is configuring OSPF between router R1 and router R2. The engineer
must ensure that a DR/BDR election does not occur on the Gigabit Ethernet interfaces in
area 0. Which configuration set accomplishes this goal?

• A. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf database-filter all out

R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf database-filter all out

• B. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf priority 1

R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf priority 1

• C. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf network point-to-point

R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf network point-to-point

• D. R1(config-if)#interface Gi0/0
R1(config-if)#ip ospf network broadcast

R2(config-if)#interface Gi0/0
R2(config-if)#ip ospf network broadcast

Explanation
Broadcast and Non-Broadcast networks elect DR/BDR while Point-to-point/multipoint
do not elect DR/BDR. Therefore we have to set the two Gi0/0 interfaces to point-to-point
or point-to-multipoint network to ensure that a DR/BDR election does not occur.

Question 1

Why is an AP joining a different WLC than the one specified through option 43?

• A. The WLC is running a different software version

• B. The AP multicast traffic unable to reach the WLC through Layer 3
• C. The APs broadcast traffic is unable to reach the WLC through Layer 2
• D. The API is joining a primed WLC

Question 2

Which characteristic distinguishes Ansible from Chef?

• A. Ansible pushes the configuration to the client. Chef client pulls the
configuration from the server
• B. Ansible lacks redundancy support for the master server. Chef runs two masters
in an active/active mode
• C. The Ansible server can run on Linux, Unix or Windows. The Chef server must
run on Linux or Unix
• D. Ansible uses Ruby to manage configurations. Chef uses YAML to manage
configurations

Explanation

Ansible works by connecting to your nodes and pushing out small programs, called
“Ansible modules” to them. These programs are written to be resource models of the
desired state of the system. Ansible then executes these modules (over SSH by default),
and removes them when finished.

Chef is a much older, mature solution to configure management. Unlike Ansible, it does
require an installation of an agent on each server, named chef-client. Also, unlike
Ansible, it has a Chef server that each client pulls configuration from.

Question 3

What does the LAP send when multiple WLCs respond to the CISCO_CAPWAP-
CONTROLLER.localdomain hostname during the CAPWAP discovery and join process?

• A. unicast discovery request to each WLC

• B. Unicast discovery request to the first WLC that resolves the domain name
• C. broadcast discover request
• D. join request to all the WLCs
Question 4

Which devices does Cisco Center configure when deploying an IP-based access control
policy?

• A. all wired devices

• B. All devices integrating with ISE
• C. selected individual devices
• D. all devices in selected sites

Explanation

When you click Deploy, Cisco DNA Center requests the Cisco Identity Services Engine
(Cisco ISE) to send notifications about the policy changes to the network devices.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-
automation-and-management/dna-center/1-3-1-
0/user_guide/b_cisco_dna_center_ug_1_3_1_0/b_cisco_dna_center_ug_1_3_1_0_chapte
r_01011.html

Question 5

Which type of antenna does the radiation pattern represent?

• A. directional patch
• B. multidirectional
• C. omnidirectional
• D. Yagi

Explanation
A Yagi antenna is formed by driving a simple antenna, typically a dipole or dipole-like
antenna, and shaping the beam using a well-chosen series of non-driven elements whose
length and spacing are tightly controlled.

Reference: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-
accessories/prod_white_paper0900aecd806a1a3e.html

=================== This is the end of the update =================

Question 6

In a Cisco SD-WAN solution, how is the health of a data plane tunnel monitored?

• A. using BFD
• B. with IP SLA
• C. with OMP
• D. ARP probing

Explanation

The BFD (Bidirectional Forwarding Detection) is a protocol that detects link failures as
part of the Cisco SD-WAN (Viptela) high availability solution, is enabled by default on
all vEdge routers, and you cannot disable it.

Question 7

Which access point mode allows a supported AP to function like a WLAN client would,
associating and identifying client connectivity issues?

• A. SE-connect mode
• B. client mode
• C. sensor mode
• D. sniffer mode

Explanation
An lightweight AP (LAP) operates in one of six different modes:
+ Local mode (default mode): measures noise floor and interference, and scans for
intrusion detection (IDS) events every 180 seconds on unused channels
+ FlexConnect, formerly known as Hybrid Remote Edge AP (H-REAP), mode: allows
data traffic to be switched locally and not go back to the controller. The FlexConnect AP
can perform standalone client authentication and switch VLAN traffic locally even when
it’s disconnected to the WLC (Local Switched). FlexConnect AP can also tunnel (via
CAPWAP) both user wireless data and control traffic to a centralized WLC (Central
Switched).
+ Monitor mode: does not handle data traffic between clients and the infrastructure. It
acts like a sensor for location-based services (LBS), rogue AP detection, and IDS
+ Rogue detector mode: monitor for rogue APs. It does not handle data at all.
+ Sniffer mode: run as a sniffer and captures and forwards all the packets on a particular
channel to a remote machine where you can use protocol analysis tool (Wireshark,
Airopeek, etc) to review the packets and diagnose issues. Strictly used for
troubleshooting purposes.
+ Bridge mode: bridge together the WLAN and the wired infrastructure together.

Question 8

A network administrator applies the following configuration to an IOS device.

aaa new-model
aaa authentication login default local group tacacs+

What is the process of password checks when a login attempt is made to the device?

• A. A local database is checked first. If that check fails, a TACACS+server is

checked
• B. A TACACS+ server is checked first. If that check fail, a database is checked
• C. A local database is checked first. If that fails, a TACACS+server is checked, if
that check fails, a RADIUS server is checked
• D. A TACACS+ server is checked first. If that check fail, a RADIUS server is
checked. If that check fail, a local database is checked

Explanation

The “aaa authentication login default local group tacacs+” command is broken down as
follows:

+ The ‘aaa authentication’ part is simply saying we want to configure authentication

settings.
+ The ‘login’ is stating that we want to prompt for a username/password when a
connection is made to the device.
+ The ‘default’ means we want to apply for all login connections (such as tty, vty,
console and aux). If we use this keyword, we don’t need to configure anything else under
tty, vty and aux lines. If we don’t use this keyword then we have to specify which line(s)
we want to apply the authentication feature.
+ The ‘local group tacacs+” means all users are authenticated using router’s local
database (the first method). If the credentials are not found on the local database, then the
TACACS+ server is used (the second method).

Question 9

Which tool is used in Cisco DNA Center to build generic configurations that are able to
be applied on device with similar network settings?

• A. Template Editor
• B. Authentication Template
• C. Application Policies
• D. Command Runner

Explanation

Cisco DNA Center provides an interactive editor called Template Editor to author CLI
templates. Template Editor is a centralized CLI management tool to help design a set of
device configurations that you need to build devices in a branch. When you have a site,
office, or branch that uses a similar set of devices and configurations, you can use
Template Editor to build generic configurations and apply the configurations to one or
more devices in the branch.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-
automation-and-management/dna-center/1-
3/user_guide/b_cisco_dna_center_ug_1_3/b_cisco_dna_center_ug_1_3_chapter_0111.ht
ml

Question 10

Drag and drop the REST API authentication method from the left to the description on
the right.

secure vault public API resource

HTTP basic authentication username and password in an encoded string
OAuth API-dependent secret
token-based authentication authorization through identity provider
Explanation

When Secure Vault is not in use, all information stored in its container is encrypted.
When a user wants to use the files and notes stored within the app, they have to first
decrypt the database. This happens by filling in a previously determined Security Lock –
which could be a PIN or a password of the user’s choosing.
When a user leaves the app, it automatically encrypts everything again. This way all data
stored in Secure Vault is decrypted only while a user is actively using the app. In all other
instances, it remains locked to any attacker, malware or spyware trying to access the data.

How token-based authentication works: Users log in to a system and – once

authenticated – are provided with a token to access other services without having to enter
their username and password multiple times. In short, token-based authentication adds a
second layer of security to application, network, or service access.

OAuth is an open standard for authorization used by many APIs and modern
applications. The simplest example of OAuth is when you go to log onto a website and it
offers one or more opportunities to log on using another website’s/service’s logon. You
then click on the button linked to the other website, the other website authenticates you,
and the website you were originally connecting to logs you on itself afterward using
permission gained from the second website.

Question 11

Refer to the exhibit.

access-list 1 permit 172.16.1.0 0.0.0.255

ip nat inside source list 1 interface gigabitethernet0/0 overload

The inside and outside interfaces in the NAT configuration of this device have been
correctly identified. What is the effect of this configuration?

• A. dynamic NAT
• B. NAT64

• C. PATcorrect
• D. static NAT

Explanation

The command “ip nat inside source list 1 interface gigabitethernet0/0 overload” translates
all source addresses that pass access list 1, which means 172.16.1.0/24 subnet, into an
address assigned to gigabitethernet0/0 interface. Overload keyword allows to map
multiple IP addresses to a single registered IP address (many-to-one) by using different
ports so it is called Port Address Translation (PAT).

Question 12

A client device roams between access points located on different floors in an atrium. The
access points joined to the same controller and configuration in local mode. The access
points are in different IP addresses, but the client VLAN in the group same. What type of
roam occurs?

• A. intra-controller
• B. inter-subnet
• C. intra-VLAN
• D. inter-controller

Explanation

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association

seamlessly from one access point to another securely and with as little latency as
possible. Three popular types of client roaming are:

Intra-Controller Roaming: Each controller supports same-controller client roaming

across access points managed by the same controller. This roaming is transparent to the
client as the session is sustained, and the client continues using the same DHCP-assigned
or client-assigned IP address.

Inter-Controller Roaming: Multiple-controller deployments support client roaming

across access points managed by controllers in the same mobility group and on the same
subnet. This roaming is also transparent to the client because the session is sustained and
a tunnel between controllers allows the client to continue using the same DHCP- or
client-assigned IP address as long as the session remains active.

Inter-Subnet Roaming: Multiple-controller deployments support client roaming across

access points managed by controllers in the same mobility group on different subnets.
This roaming is transparent to the client because the session is sustained and a tunnel
between the controllers allows the client to continue using the same DHCP-assigned or
client-assigned IP address as long as the session remains active.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-
4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDAT
ED_chapter_01100.html

Question 13

Refer to the exhibit.

Assuming the WLC’s interfaces are not in the same subnet as the RADIUS server, which
interface would the WLC use as the source for all RADIUS-related traffic?

• A. the controller virtual interface

• B. any interface configured on the WLC
• C. the controller management interface
• D. the interface specified on the WLAN configuration

Question 14

Which component handles the orchestration plane of the Cisco SD-WAN?

• A. vEdge
• B. vSmart
• C. vBond
• D. vManage

Explanation

+ Orchestration plane (vBond) assists in securely onboarding the SD-WAN WAN Edge
routers into the SD-WAN overlay. The vBond controller, or orchestrator, authenticates
and authorizes the SD-WAN components onto the network. The vBond orchestrator takes
an added responsibility to distribute the list of vSmart and vManage controller
information to the WAN Edge routers. vBond is the only device in SD-WAN that
requires a public IP address as it is the first point of contact and authentication for all SD-
WAN components to join the SD-WAN fabric. All other components need to know the
vBond IP or DNS information.

Question 15

Which method of account authentication does OAuth 2.0 within REST APIs?

• A. basic signature workflow

• B. access tokens
• C. cookie authentication
• D. username/role combination

Explanation

The most common implementations of OAuth (OAuth 2.0) use one or both of these
tokens:
+ access token: sent like an API key, it allows the application to access a user’s data;
optionally, access tokens can expire.
+ refresh token: optionally part of an OAuth flow, refresh tokens retrieve a new access
token if they have expired. OAuth2 combines Authentication and Authorization to allow
more sophisticated scope and validity control.

Question 16

Which DHCP option helps lightweight APs find the IP address of a wireless LAN
controller?

• A. Option 43
• B. Option 60
• C. Option 150
• D. Option 67

Question 17

Refer to the exhibit.

vlan 222
remote-span
!
vlan 223
remote-span
!
monitor session 1 source interface FastEthernet0/1 tx
monitor session 1 source interface FastEthernet0/2 rx
monitor session 1 source interface port-channel 5
monitor session 1 destination remote vlan 222
!

What is the result when a technician adds the monitor session 1 destination remote vlan
233 command?

• A. An error is flagged for configuring two destinations

• B. The RSPAN VLAN is replaced by VLAN 223
• C. RSPAN traffic is split between VLANs 222 and 223
• D. RSPAN traffic is sent to VLANs 222 and 223

Question 18

Which action is a function of VTEP in VXLAN?

• A. allowing encrypted communication on the local VXLAN Ethernet segment

• B. encapsulating and de-encapsulating VXLAN Ethernet frames
• C. tunneling traffic from IPv4 to IPv6 VXLANs
• D. tunneling traffic from IPv6 to IPv4 VXLANs

Explanation

VTEPs connect between Overlay and Underlay network and they are responsible for
encapsulating frame into VXLAN packets to send across IP network (Underlay) then
decapsulating when the packets leaves the VXLAN tunnel.

Question 19

Drag and drop the QoS mechanisms from the left to the correct descriptions on the right.
 shaping bandwidth management technique which delays datagrams
mechanism to create a scheduler for packets prior to forwarding
policy map

DSCP portion of the IP header used to classify packets

service
mechanism to apply a QoS policy to an interface
policy
policing tool to enforce rate-limiting on ingress/egress
CoS portion of the 802.1Q header used to classify packets
Explanation

To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or
a VC that will be used as the service policy for the interface or VC, use the service-
policy command in the appropriate configuration mode.

Class of Service (CoS) is a 3 bit field within an Ethernet frame header when we use
802.1q which supports virtual LANs on an Ethernet network. This field specifies a
priority value which is between 0 and 63 inclusive which can be used in the Quality of
Service (QoS) to differentiate traffic.

The Differentiated Services Code Point (DSCP) is a 6-bit field in the IP header for the
classification of packets. Differentiated Services is a technique which is used to classify
and manage network traffic and it helps to provide QoS for modern Internet networks. It
can provide services to all kinds of networks.

Traffic policing is also known as rate limiting as it propagates bursts. When the traffic
rate reaches the configured maximum rate (or committed information rate), excess traffic
is dropped (or remarked). The result is an output rate that appears as a saw-tooth with
crests and troughs.

Traffic shaping retains excess packets in a queue and then schedules the excess for later
transmission over increments of time -> It causes delay.

Question 20

What function does VXLAN perform in an SD-Access deployment?

• A. systems management and orchestration

• B. control plane forwarding
• C. policy plane forwarding
• D. data plane forwarding

Question 21

Which two entities are Type 1 hypervisors? (Choose two)

 • A. Microsoft Virtual PC
• B. VMware server
• C. Microsoft Hyper-V
• D. Oracle VM VirtualBox
• E. VMware ESX

Explanation

A bare-metal hypervisor (Type 1) is a layer of software we install directly on top of a

physical server and its underlying hardware. There is no software or any operating system
in between, hence the name bare-metal hypervisor. answer 'Oracle VM VirtualBox' Type
1 hypervisor is proven in providing excellent performance and stability since it does not
run inside Windows or any other operating system. These are the most common type 1
hypervisors:

+ VMware vSphere with ESX/ESXi

+ KVM (Kernel-Based Virtual Machine)
+ Microsoft Hyper-V
+ Oracle VM
+ Citrix Hypervisor (formerly known as Xen Server)

Question 22

An engineer must protect their company against ransom ware attacks. Which solution
allows the engineer to block the execution stage and prevent file encryption?

• A. Use Cisco AMP deployment with the Exploit Prevention engine enabled
• B. Use Cisco Firepower with Intrusion Policy and snort rules blocking SMB
exploitation
• C. Use Cisco AMP deployment with the Malicious Activity Protection engineer
enabled
• D. Use Cisco Firepower and block traffic to TOR networks

Explanation

Ransomware are malicious software that locks up critical resources of the users.
Ransomware uses well-established public/private key cryptography which leaves the only
way of recovering the files being the payment of the ransom, or restoring files from
backups.

Cisco Advanced Malware Protection (AMP) for Endpoints Malicious Activity Protection
(MAP) engine defends your endpoints by monitoring the system and identifying
processes that exhibit malicious activities when they execute and stops them from
running. Because the MAP engine detects threats by observing the behavior of the
process at run time, it can generically determine if a system is under attack by a new
variant of ransomware or malware that may have eluded other security products and
detection technology, such as legacy signature-based malware detection. The first release
of the MAP engine targets identification, blocking, and quarantine of ransomware attacks
on the endpoint.

Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-for-
endpoints/white-paper-c11-740980.pdf

Question 23

Which component of the Cisco Cyber Threat Defense solution provides user and flow
context analysis?

• A. Cisco Firepower and FireSIGHT

• B. Cisco Web Security Appliance
• C. Advanced Malware Protection
• D. Cisco Stealthwatch system

Explanation

The goal of the Cyber Threat Defense solution is to introduce a design and architecture
that can help facilitate the discovery, containment, and remediation of threats once they
have penetrated into the network interior.

Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its
objectives:

* NetFlow and the Lancope StealthWatch System

– Broad visibility
– User and flow context analysis
– Network behavior and anomaly detection
– Incident response and network forensics

* Cisco FirePOWER and FireSIGHT

– Real-time threat management
– Deeper contextual visibility for threats bypassing the perimeters
– URL control

* Advanced Malware Protection (AMP)

– Endpoint control with AMP for Endpoints
– Malware control with AMP for networks and content

* Content Security Appliances and Services

– Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS)
– Dynamic threat control for web traffic
– Outbound URL analysis and data transfer controls
– Detection of suspicious web activity
– Cisco Email Security Appliance (ESA)
– Dynamic threat control for email traffic
– Detection of suspicious email activity

* Cisco Identity Services Engine (ISE)

– User and device identity integration with Lancope StealthWatch
– Remediation policy actions using pxGrid

Reference:
https://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd2-
0/design_guides/ctd_2-0_cvd_guide_jul15.pdf

Question 24

What is the role of the vsmart controller in a Cisco SD-WAN environment?

• A. It is the centralized network management system.

• B. It manages the control plane.
• C. IT performs authentication and authorization
• D. It manages the data plane.

Explanation

+ Control plane (vSmart) builds and maintains the network topology and make
decisions on the traffic flows. The vSmart controller disseminates control plane
information between WAN Edge devices, implements control plane policies and
distributes data plane policies to network devices for enforcement.

Question 25

What does the Cisco DNA Center use to enable the delivery of applications through a
network and to yield analytics for innovation?

• A. process adapters
• B. intent-based APIs
• C. domain adapters
• D. Command Runner

Explanation

The Cisco DNA Center open platform for intent-based networking provides 360-degree
extensibility across multiple components, including:
+ Intent-based APIs leverage the controller to enable business and IT applications to
deliver intent to the network and to reap network analytics and insights for IT and
business innovation. These enable APIs that allow Cisco DNA Center to receive input
from a variety of sources, both internal to IT and from line-of-business applications,
related to application policy, provisioning, software image management, and assurance.
…

Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-
management/dna-center/nb-06-dna-cent-plat-sol-over-cte-en.html

Question 26

Which benefit is offered by a cloud infrastructure deployment but is lacking in an on-

premises deployment?

• A. supported systems
• B. storage capacity
• C. efficient scalability
• D. virtualization

Question 27

In an SD-Access solution what is the role of a fabric edge node?

• A. to advertise fabric IP address space to external network

• B. to connect wired endpoint to the SD-Access fabric
• C. to connect the fusion router to the SD-Access fabric
• D. to connect external Layer 3- network to the SD-Access fabric

Explanation

+ Fabric edge node: This fabric device (for example, access or distribution layer device)
connects wired endpoints to the SDA fabric.
Question 28

A server running Linux is providing support for virtual machines along with DNS and
DHCP services for a small business. Which technology does this represent?

• A. Type 2 hypervisor
• B. container
• C. Type 1 hypervisor
• D. hardware pass-through

Explanation

In contrast to type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of
an operating system and not the physical hardware directly. A big advantage of Type 2
hypervisors is that management console software is not required. Examples of type 2
hypervisor are VMware Workstation (which can run on Windows, Mac and Linux) or
Microsoft Virtual PC (only runs on Windows).
Question 29

Refer to the exhibit.

An engineer must deny Telnet traffic from the loopback interface of router R3 to the
loopback interface of router R2 during the weekend hours. All other traffic between the
loopback interfaces of routers R3 and R2 must be allowed at all times. Which command
accomplish this task?

• A. R1(config)#time-range WEEKEND
R1(config-time-range)#periodic Friday Sunday 00:00 to 00:00

R1(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range

WEEKEND
R1(config)#access-list 150 permit ip any any

R1(config)#interface Gi0/1
R1(config-if)#ip access-group 150 in

• B. R3(config)#time-range WEEKEND
R3(config-time-range)#periodic weekend 00:00 to 23:59
 R3(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range
WEEKEND
R3(config)#access-list 150 permit ip any any time-range WEEKEND

R3(config)#interface Gi0/1
R3(config-if)#ip access-group 150 out

• C. R1(config)#time-range WEEKEND
R1(config-time-range)#periodic weekend 00:00 to 23:59

R1(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range

WEEKEND
R1(config)#access-list 150 permit ip any any

R1(config)#interface Gi0/1
R1(config-if)#ip access-group 150 in

• D. R3(config)#time-range WEEKEND
R3(config-time-range)#periodic Saturday Sunday 00:00 to 23:59

R3(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range

WEEKEND
R3(config)#access-list 150 permit ip any any time-range WEEKEND

R3(config)#interface Gi0/1
R3(config-if)#ip access-group 150 out

Explanation

We cannot filter traffic that is originated from the local router (R3 in this case) so we can
only configure the ACL on R1 or R2. “Weekend hours” means from Saturday morning
through Sunday night so we have to configure: “periodic weekend 00:00 to 23:59”.

Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23
and the minutes range from 0 to 59.

Question 30

Wireless users report frequent disconnections from the wireless network. While
troubleshooting a network engineer finds that after the user a disconnect, the connection
reestablishes automatically without any input required. The engineer also notices these
message logs.

AP ‘AP2’ is down Reason: Radio channel set. 6:54:04 PM

AP ‘AP4’ is down Reason: Radio channel set. 6:44:49 PM
AP ‘AP7’ is down Reason: Radio channel set. 6:34:32 PM
Which action reduces the user impact?

• A. increase BandSelect
• B. enable coverage hole detection
• C. increase the AP heartbeat timeout
• D. increase the dynamic channel assignment interval

Explanation

These message logs inform that the radio channel has been reset (and the AP must be
down briefly). With dynamic channel assignment (DCA), the radios can frequently
switch from one channel to another but it also makes disruption. The default DCA
interval is 10 minutes, which is matched with the time of the message logs. By increasing
the DCA interval, we can reduce the number of times our users are disconnected for
changing radio channels.

Question 1

What is the primary effect of the spanning-tree portfast command?

• A. It enables BPDU messages

• B. It minimizes spanning-tree convergence time
• C. It immediately puts the port into the forwarding state when the switch is
reloaded
• D. It immediately enables the port in the listening state

Explanation

Portfast feature should only be used on edge ports (ports directly connected to end
stations). Neither edge ports or PortFast enabled ports generate topology changes when
the link toggles so we cannot say Portfast reduces the STP convergence time.

PortFast causes a switch or trunk port to enter the spanning tree forwarding state
immediately, bypassing the listening and learning states so answer 'It immediately puts
the port into the forwarding state when the switch is reloaded ' is the best choice.

=================== New Questions (added on 5th-July-2020)

=================

Question 2

What is calculated using the numerical values of the transmitter power level, cable loss
and antenna gain?

• A. SNR
• B. RSSI
 • C. dBi
• D. EIRP

Explanation

Once you know the complete combination of transmitter power level, the length of cable,
and the antenna gain, you can figure out the actual power level that will be radiated from
the antenna. This is known as the effective isotropic radiated power (EIRP), measured in
dBm.

EIRP is a very important parameter because it is regulated by governmental agencies in

most countries. In those cases, a system cannot radiate signals higher than a maximum
allowable EIRP. To find the EIRP of a system, simply add the transmitter power level to
the antenna gain and subtract the cable loss.

EIRP = Tx Power – Tx Cable + Tx Antenna

Suppose a transmitter is configured for a power level of 10 dBm (10 mW). answer 'SNR'
cable with 5-dB loss connects the transmitter to an antenna with an 8-dBi gain. The
resulting EIRP of the system is 10 dBm – 5 dB + 8 dBi, or 13 dBm.

You might notice that the EIRP is made up of decibel-milliwatt (dBm), dB relative to an
isotropic antenna (dBi), and decibel (dB) values. Even though the units appear to be
differrent, you can safely combine them because they are all in the dB “domain”.

Reference: CCNA Wireless 640-722 Official Cert Guide

Question 3

Which two security features are available when implementing NTP? (Choose two)

• A. encrypted authentication mechanism

• B. dock offset authentication
 • C. broadcast association mode
• D. access list based restriction scheme
• E. symmetric server passwords

Explanation

The time kept on a machine is a critical resource and it is strongly recommend that you
use the security features of NTP to avoid the accidental or malicious setting of incorrect
time. The two security features available are an access list-based restriction scheme
and an encrypted authentication mechanism.

Reference: https://www.cisco.com/c/en/us/support/docs/availability/high-
availability/19643-ntpm.html

Question 4

Refer to the exhibit.

An engineer reconfigures the port-channel between SW1 and SW2 from an access port to
a trunk and immediately notices this error in SW1’s log.

%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi0/0, putting Gi0/0 in err-

disable state.

Which command set resolves this error?

• A. Sw1(config)# interface G0/0

Sw1(config-if)# no spanning-tree bpduguard enable
Sw1(config-if)# shut
Sw1(config-if)# no shut
• B. Sw1(config)# interface G0/0
Sw1(config-if)# spanning-tree bpduguard enable
Sw1(config-if)# shut
Sw1(config-if)# no shut
• C. Sw1(config)# interface G0/1
Sw1(config-if)# spanning-tree bpduguard enable
Sw1(config-if)# shut
Sw1(config-if)# no shut
• D. Sw1(config)# interface G0/0
Sw1(config-if)# no spanning-tree bpdufilter
Sw1(config-if)# shut
Sw1(config-if)# no shut
Question 5

Company policy restricts VLAN 10 to be allowed only on SW1 and SW2. All other
VLANs can be on all three switches. An administrator has noticed that VLAN 10 has
propagated to SW3. Which configuration corrects the issue?

• A. SW2(config)#interface gi1/2
SW2(config)#switchport trunk allowed vlan 10
• B. SW1(config)#interface gi1/1
SW1(config)#switchport trunk allowed vlan 1-9,11-4094
• C. SW2(config)#interface gi1/1
SW2(config)#switchport trunk allowed vlan 10
• D. SW2(config)#interface gi1/2
SW2(config)#switchport trunk allowed vlan 1-9,11-4094

Question 6

Refer to the exhibit.

An engineer must establish eBGP peering between router R3 and router R4. Both routers
should use their loopback interfaces as the BGP router ID. Which configuration set
accomplishes this task?

• A. R3(config)#router bgp 200

R3(config-router)#neighbor 10.24.24.4 remote-as 100
R3(config-router)#bgp router-id 10.3.3.3

R4(config)#router bgp 100

R4(config-router)#neighbor 10.24.24.3 remote-as 200
R4(config-router)#bgp router-id 10.4.4.4

• B. R3(config)#router bgp 200

R3(config-router)#neighbor 10.4.4.4 remote-as 100
R3(config-router)#neighbor 10.4.4.4 update-source loopback0
 R4(config)#router bgp 100
R4(config-router)#neighbor 10.3.3.3 remote-as 200
R4(config-router)#neighbor 10.3.3.3 update-source loopback0

• C. R3(config)#router bgp 200

R3(config-router)#neighbor 10.24.24.4 remote-as 100
R3(config-router)#neighbor 10.24.24.4 update-source loopback0

R4(config)#router bgp 100

R4(config-router)#neighbor 10.24.24.3 remote-as 200
R4(config-router)#neighbor 10.24.24.3 update-source loopback0

Question 7

Refer to the exhibit.

R1(config)# ip nat inside source static 10.70.5.1 10.45.1.7

A network architect has partially configured static NAT. which commands should be
asked to complete the configuration?

• A. R1(config)#interface GigabitEthernet0/0
R1(config)#ip pat outside

R1(config)#interface GigabitEthernet0/1
R1(config)#ip pat inside

• B. R1(config)#interface GigabitEthernet0/0
R1(config)#ip nat outside

R1(config)#interface GigabitEthernet0/1
R1(config)#ip nat inside

• C. R1(config)#interface GigabitEthernet0/0
R1(config)#ip nat inside

R1(config)#interface GigabitEthernet0/1
R1(config)#ip nat outside
 • D. R1(config)#interface GigabitEthernet0/0
R1(config)#ip pat inside

R1(config)#interface GigabitEthernet0/1
R1(config)#ip pat outside

Question 8

What is the result of applying this access control list?

ip access-list extended STATEFUL

10 permit tcp any any established
20 deny ip any any

• A. TCP traffic with the DF bit set is allowed

• B. TCP traffic with the SYN bit set is allowed
• C. TCP traffic with the ACK bit set is allowed
• D. TCP traffic with the URG bit set is allowed

Explanation

The established keyword is only applicable to TCP access list entries to match TCP
segments that have the ACK and/or RST control bit set (regardless of the source and
destination ports), which assumes that a TCP connection has already been established in
one direction only. Let’s see an example below:

Suppose you only want to

allow the hosts inside your company to telnet to an outside server but not vice versa, you
can simply use an “established” access-list like this:

access-list 100 permit tcp any any established

access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note:
Suppose hostA wants to start communicating with hostB using TCP. Before they can
send real data, a three-way handshake must be established first. Let’s see how this
process takes place:

1. First hostA will send a SYN message (a TCP segment with SYN flag set to 1, SYN is
short for SYNchronize) to indicate it wants to setup a connection with hostB. This
message includes a sequence (SEQ) number for tracking purpose. This sequence number
can be any 32-bit number (range from 0 to 232) so we use “x” to represent it.

2. After receiving SYN message from hostA, hostB replies with SYN-ACK message
(some books may call it “SYN/ACK” or “SYN, ACK” message. ACK is short for
ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ SYN sequence number (let’s called it “y”) is a random number and does not have any
relationship with Host A’s SYN SEQ number.
+ ACK number is the next number of Host A’s SYN sequence number it received, so we
represent it with “x+1”. It means “I received your part. Now send me the next part (x +
1)”.

The SYN-ACK message indicates hostB accepts to talk to hostA (via ACK part). And
ask if hostA still wants to talk to it as well (via SYN part).

3. After Host answer 'TCP traffic with the DF bit set is allowed' received the SYN-ACK
message from hostB, it sends an ACK message with ACK number “y+1” to hostB. This
confirms hostA still wants to talk to hostB.

Question 9

Refer to exhibit.
MTU has been configured on the underlying physical topology, and no MTU command
has been configured on the tunnel interfaces. What happens when a 1500-byte IPv4
packet traverses the GRE tunnel from host X to host Y, assuming the DF bit is cleared?

• A. The packet arrives on router C without fragmentation.

• B. The packet is discarded on router A
• C. The packet is discarded on router B
• D. The packet arrives on router C fragmented.

Explanation

If the DF bit is set to clear (not set), routers can fragment packets regardless of the
original DF bit setting.

Whenever we create tunnel interfaces, the GRE IP MTU is automatically configured 24

bytes less than the outbound physical interface MTU. Ethernet interfaces have an MTU
value of 1500 bytes so tunnel interfaces by default will have 1476 bytes MTU, which is
24 bytes less the physical interface. The process of sending a 1500-byte IPv4 packet
(with DF bit set to clear) is shown below:

1. The sender sends a 1500-byte packet (20 byte IPv4 header + 1480 bytes of TCP
payload).
2. Since the MTU of the GRE tunnel is 1476, the 1500-byte packet is broken into two
IPv4 fragments of 1476 and 44 bytes, each in anticipation of the additional 24 byes of
GRE header.
3. The 24 bytes of GRE header is added to each IPv4 fragment. Now the fragments are
1500 (1476 + 24) and 68 (44 + 24) bytes each.
4. The GRE + IPv4 packets that contain the two IPv4 fragments are forwarded to the
GRE tunnel peer router.
5. The GRE tunnel peer router removes the GRE headers from the two packets.
6. This router forwards the two packets to the destination host.
7. The destination host reassembles the IPv4 fragments back into the original IPv4
datagram.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/25885-pmtud-ipfrag.html (Scenario 5)
Question 10

What is used to measure the total output energy of a Wi-Fi device?

• A. dBi
• B. EIRP
• C. mW
• D. dBm

Explanation

Output power is measured in mW (milliwatts). answer 'dBi' milliwatt is equal to one

thousandth (10−3) of a watt.

Question 11

Drag and drop the characteristics from the left onto the correct infrastructure deployment
types on the right.

Please type the corresponding numbers of each item on the left to the blank below and
arrange them ascendingly. For example: 13524 (which means 135 for first group, 24 for
second group)

Please type your answer here: 15(on premises) 234 (cloud)