Ccnpnuevo


Question 1

Which two security mechanisms are used by Cisco Threat Defense to gain visibility into the most
dangerous cyber threats? (Choose two)

A. dynamic enforce policy
B. file reputation
C. virtual private networks
D. Traffic Telemetry
E. VLAN segmentation

Answer: B D

Explanation

Threat defense: It is important to have visibility into the most dangerous cyber threats. Threat
defense provides this visibility through network traffic telemetry, file reputation, and contextual
information (such as device types, locations, users, identities, roles, privilege levels, login
status, posture status, and so on). It enables assessment of the nature and the potential risk of
suspicious activity so that the correct next steps for cyber threats can be taken.

Question 2

Drag and drop the code snippets from the bottom onto the blanks in the code to construct a
request that configures a deny rule on an access list.

Answer:

1. access-list-seq-rule
2. deny
3. ip
4. dst-any

Explanation

We can find a similar solution here, but written in XML:
https://github.com/CiscoDevNet/clus2017_iosxe_demo_booth/blob/master/demo_StreamingTelemetry/ietf_client_ncc.py

Question 3

Which is a fact about Cisco EAP-FAST?

A. It does not require a RADIUS server certificate
B. It requires a client certificate
C. It is an IETF standard.
D. It operates in transparent mode

Answer: A

Explanation

The EAP-FAST protocol is a publicly accessible IEEE 802.1X EAP type that Cisco developed to
support customers that cannot enforce a strong password policy and want to deploy an 802.1X
EAP type that does not require digital certificates.

EAP-FAST is also designed for simplicity of deployment since it does not require a certificate on
the wireless LAN client or on the RADIUS infrastructure yet incorporates a built-in provisioning
mechanism.

Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-fixed/72788-CSSC-Deployment-Guide.html

Question 4

Which two operations are valid for RESTCONF? (Choose two)

A. HEAD
B. REMOVE
C. PULL
D. GET
E. ADD
F. PUSH

Answer: A D

Explanation

RESTCONF operations include OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE.

RESTCONF operation: Description

OPTIONS: Determine which methods are supported by the server.
GET: Retrieve data and metadata about a resource.
HEAD: The same as GET, but only the response headers are returned.
POST: Create a resource or invoke an RPC operation.
PUT: Create or replace a resource.
PATCH: Create or update (but not delete) various resources.
DELETE: Sent by a client to delete a target resource.

Question 5

Refer to the exhibit.


A network administrator must configure router B to allow traffic only from network 10.100.2.0 to
networks outside of router B. Which configuration must be applied?

Option A

RouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any
RouterB(config)# access-list 101 deny any
!
RouterB(config)# int g0/0/0
RouterB(config-if)# ip access-group 101 out
!
RouterB(config)# int g0/0/1
RouterB(config-if)# ip access-group 101 out

Option B

RouterB(config)# access-list 101 permit ip 10.100.3.0 0.0.0.255 any
RouterB(config)# access-list 101 deny any
!
RouterB(config)# int g0/0/0
RouterB(config-if)# ip access-group 101 out

Option C

RouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any
RouterB(config)# access-list 101 deny any
!
RouterB(config)# int g0/0/2
RouterB(config-if)# ip access-group 101 in

Option D

RouterB(config)# access-list 101 permit ip 10.100.2.0 0.0.0.255 any
RouterB(config)# int g0/0/0
RouterB(config-if)# ip access-group 101 out
!
RouterB(config)# int g0/0/1
RouterB(config-if)# ip access-group 101 out

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

There are two interfaces that are connected to networks “outside” of router B, which are Gi0/0/0
& Gi0/0/1 so we have to apply the ACL to both interfaces with outbound direction.

Question 6

Drag and drop the Cisco SD-Access solution areas from the left onto the protocols they use on
the right.

Answer:

CTS: Fabric security policy
LISP: Fabric control plane
VXLAN: Fabric data plane
BGP: External connectivity from fabric

Explanation

Note: CTS is short for Cisco TrustSec.

Question 7

Drag and drop the code snippets from the bottom onto the blanks in the script to convert a
Python object into a compact JSON object by removing space characters. Not all options are
used.

Answer:

1. “dumps”
2. data
3. separators=(‘,’, ‘:’)

Explanation

By default, json.dumps() inserts a space after each separator in the JSON object. For example:

{"key1": "default", "key2": "none"}

We can create a compact JSON object by calling “dumps” with separators=(‘,’, ‘:’), which removes
those spaces. It helps save some bytes when sending over the wire.
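The following Python is an added example (not the question's exhibit or any Cisco code) that shows the default and compact forms side by side, and goes one step further than the question by also producing a canonical form with sorted keys, which is the form to use when the JSON will be hashed, signed or compared rather than just transmitted. The sample payload is constructed for the example.

```python
import json

# Constructed sample payload for this example (not from the original exhibit).
DATA = {"key1": "default", "key2": "none", "ports": [22, 443]}


def pretty(obj):
    """Default json.dumps(): a space follows every ',' and ':' separator."""
    return json.dumps(obj)


def compact(obj):
    """Same object with the separator whitespace removed, as in the question's answer."""
    return json.dumps(obj, separators=(",", ":"))


def canonical(obj):
    """Compact *and* key-sorted, so equal objects always serialize to identical bytes.
    Use this form when the JSON is hashed, signed or compared, not just sent."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True)


def bytes_saved(obj):
    """Bytes the compact form saves over the default form for a UTF-8 payload."""
    return len(pretty(obj).encode("utf-8")) - len(compact(obj).encode("utf-8"))


def roundtrip_ok(obj):
    """Removing whitespace changes nothing semantically: the receiver decodes the same object."""
    return json.loads(compact(obj)) == obj


if __name__ == "__main__":
    print(pretty(DATA))
    print(compact(DATA))
    print(canonical({"b": 1, "a": 2}))
    print("bytes saved:", bytes_saved(DATA))
```

Note that the default separators are (', ', ': '), so the saving is exactly one byte per separator; dict key order is preserved by dumps unless sort_keys=True is passed, which is why two equal payloads can otherwise produce different bytes and different signatures.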

Question 8

Which configuration restricts the amount of SSH that a router accepts to 100 kbps?

Option A

class-map match-all CoPP_SSH
 match access-group name CoPP_SSH
!
policy-map CoPP_SSH
 class CoPP_SSH
  police cir 100000
   exceed-action drop
!
!
!
interface GigabitEthernet0/1
 ip address 209.165.200.225 255.255.255.0
 ip access-group CoPP_SSH out
 duplex auto
 speed auto
 media-type rj45
 service-policy input CoPP_SSH
!
ip access-list extended CoPP_SSH
 permit tcp any any eq 22
!

Option B

class-map match-all CoPP_SSH
 match access-group name CoPP_SSH
!
policy-map CoPP_SSH
 class CoPP_SSH
  police cir CoPP_SSH
   exceed-action drop
!
!
!
interface GigabitEthernet0/1
 ip address 209.165.200.225 255.255.255.0
 ip access-group CoPP_SSH out
 duplex auto
 speed auto
 media-type rj45
 service-policy input CoPP_SSH
!
ip access-list extended CoPP_SSH
 deny tcp any any eq 22
!

Option C

class-map match-all CoPP_SSH
 match access-group name CoPP_SSH
!
policy-map CoPP_SSH
 class CoPP_SSH
  police cir 100000
   exceed-action drop
!
!
!
control-plane
 service-policy input CoPP_SSH
!
ip access-list extended CoPP_SSH
 permit tcp any any eq 22
!

Option D

class-map match-all CoPP_SSH
 match access-group name CoPP_SSH
!
policy-map CoPP_SSH
 class CoPP_SSH
  police cir 100000
   exceed-action drop
!
!
!
control-plane transit
 service-policy input CoPP_SSH
!
ip access-list extended CoPP_SSH
 permit tcp any any eq 22
!

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

CoPP protects the route processor on network devices by treating route processor resources as a
separate entity with its own ingress interface (and in some implementations, egress also). CoPP
is used to police traffic that is destined to the route processor of the router such as:
+ Routing protocols like OSPF, EIGRP, or BGP.
+ Gateway redundancy protocols like HSRP, VRRP, or GLBP.
+ Network management protocols like telnet, SSH, SNMP, or RADIUS.
Therefore we must apply CoPP to deal with SSH because it is in the management plane.
CoPP must be applied under the “control-plane” command. But we cannot name the control-plane
(like “transit”) -> Only Option C is correct.

Question 9

Refer to the exhibit.


A company has an internal wireless network with a hidden SSID and RADIUS-based client
authentication for increased security. An employee attempts to manually add the company
network to a laptop, but the laptop does not attempt to connect to the network. The regulatory
domains of the access points and the laptop are identical. Which action resolves this issue?

A. Ensure that the “Connect even if this network is not broadcasting” option is selected.
B. Limit the enabled wireless channels on the laptop to the maximum channel range that is
supported by the access points.
C. Change the security type to WPA2-Personal AES.
D. Use the empty string as the hidden SSID network name.

Answer: A

Question 10

Refer to the exhibit.

restconf
!
ip http server
ip http authentication local
ip http secure-server
!

Which command must be configured for RESTCONF to operate on port 8888?

A. ip http port 8888
B. restconf port 8888
C. ip http restconf port 8888
D. restconf http port 8888

Answer: A

Question 11

What is one primary REST security design principle?

A. password hash
B. fail-safe defaults
C. adding a timestamp in requests
D. OAuth

Answer: B

Explanation

The paper “The Protection of Information in Computer Systems” by Jerome Saltzer and Michael
Schroeder put forth eight design principles for securing information in computer systems:

+ Least Privilege: An entity should have only the set of permissions required to perform the
actions for which it is authorized, and no more. Permissions can be added as needed and
should be revoked when no longer in use.

+ Fail-Safe Defaults: A user’s default access level to any resource in the system should be
“denied” unless a “permit” has been granted explicitly.

+ Economy of Mechanism: The design should be as simple as possible. All the component
interfaces and the interactions between them should be simple enough to understand.

+ Complete Mediation: A system should validate access rights to all its resources on every
access and should not rely on a cached permission matrix. If access to a given resource is
revoked but the revocation is not reflected in the cached matrix, security is violated.

+ Open Design: This principle highlights the importance of building a system in an open manner,
with no secret, confidential algorithms.

+ Separation of Privilege: Granting permissions to an entity should not be based purely on a
single condition; a combination of conditions based on the type of resource is a better idea.

+ Least Common Mechanism: This concerns the risk of sharing state among different components.
If one component can corrupt the shared state, it can then corrupt all the other components that
depend on it.

+ Psychological Acceptability: Security mechanisms should not make a resource more difficult to
access than it would be if the mechanisms were not present. In short, security should not
degrade the user experience.

Reference: https://restfulapi.net/security-essentials/
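The following Python is an added example (not from the question, the referenced page, or any Cisco code) showing what fail-safe defaults and complete mediation look like in a REST-style authorization check: a request is allowed only when an explicit (principal, resource, method) grant exists, every request consults the live grant set rather than a cached answer, and a fail-open check is included only to contrast the anti-pattern. The principals, paths and methods are constructed for the example.

```python
class Policy:
    """Fail-safe default: access is denied unless an explicit grant exists."""

    def __init__(self):
        self._grants = set()          # {(principal, resource, method), ...}

    def allow(self, principal, resource, method):
        self._grants.add((principal, resource, method))

    def revoke(self, principal, resource=None, method=None):
        """Withdraw grants for a principal; None acts as a wildcard for resource or method."""
        self._grants = {
            g for g in self._grants
            if not (g[0] == principal
                    and resource in (None, g[1])
                    and method in (None, g[2]))
        }

    def check(self, principal, resource, method):
        """Complete mediation: consult the live grant set on every request, never a cached
        decision, so a revocation takes effect immediately. Unknown principals get False."""
        return (principal, resource, method) in self._grants


def check_fail_open(deny_list, principal, resource, method):
    """Anti-pattern shown for contrast: anything not explicitly denied is allowed, so a
    principal or endpoint the policy author never considered is granted access by default."""
    return (principal, resource, method) not in deny_list


def demo():
    """Walk through grant, deny-by-default and revocation; returns the observed decisions."""
    policy = Policy()
    policy.allow("alice", "/api/devices", "GET")
    policy.allow("alice", "/api/devices", "POST")
    results = {
        "alice GET": policy.check("alice", "/api/devices", "GET"),
        "alice DELETE": policy.check("alice", "/api/devices", "DELETE"),  # no grant -> denied
        "unknown GET": policy.check("mallory", "/api/devices", "GET"),    # unknown -> denied
    }
    policy.revoke("alice")                                               # wildcard revoke
    results["alice GET after revoke"] = policy.check("alice", "/api/devices", "GET")
    # Fail-open with an empty deny list lets an unknown principal delete: the weakness.
    results["fail-open unknown DELETE"] = check_fail_open(set(), "mallory", "/api/devices", "DELETE")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} -> {'allow' if decision else 'deny'}")
```

The practical consequence of the fail-safe version is that adding a new endpoint or a new user requires an explicit grant before anything works, which is an inconvenience; the fail-open version needs no such step, which is exactly why it silently exposes every endpoint nobody remembered to deny.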

Question 12

What is the responsibility of a secondary WLC?

A. It shares the traffic load of the LAPs with the primary controller.
B. It avoids congestion on the primary controller by sharing the registration load on the LAPs.
C. It registers the LAPs if the primary controller fails.
D. It enables Layer 2 and Layer 3 roaming between itself and the primary controller.

Answer: C

Explanation

When the primary controller (WLC-1) goes down, the APs automatically get registered with the
secondary controller (WLC-2). The APs register back to the primary controller when the primary
controller comes back on line.

Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69639-wlc-failover.html

Question 13

Which action is a LISP ITR responsible for?

A. responding to map-request messages
B. finding EID-to-RLOC mappings
C. accepting registration requests from ETRs
D. forwarding user data traffic

Answer: B

Explanation

Ingress Tunnel Router (ITR) is the device (or function) that is responsible for finding EID-to-
RLOC mappings for all traffic destined for LISP-capable sites. After the encapsulation, the
original packet becomes a LISP packet.

Question 14

An engineer modifies the existing ISE guest portal URL to use a static FQDN. Users immediately
report that they receive certificate errors when they are redirected to the new page. Which two
additional configuration steps are needed to implement the change? (Choose two)

A. Create and sign a new CSR that contains the static FQDN entry
B. Add the FQDN entry under the WLC virtual interface
C. Manually configure the hosts file on each user device
D. Disable HTTPS on the WLC under the Management menu
E. Add a new DNS record to resolve the FQDN to the PSN IP address

Answer: B E

Question 15

In a Cisco Catalyst switch equipped with two supervisor modules, an administrator must
temporarily remove the active supervisor from the chassis to perform hardware maintenance on
it. Which mechanism ensures that the active supervisor removal is not disruptive to the network
operation?

A. NSF/NSR
B. SSO
C. HSRP
D. VRRP

Answer: B

Explanation

Stateful Switchover (SSO) provides protection for network edge devices with dual Route
Processors (RPs) that represent a single point of failure in the network design, and where an
outage might result in loss of service for customers.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/stateful_switchover.html

Question 16

Which JSON script is properly formatted?

Option A

{
  "car":[
    {
      "type":"Ford",
      "color":"red",
      "year":"1998"
    }
  ]
}

Option B

"truck":[
  {
    "type":"Dodge",
    "color":"blue",
    "year":"2015"
  }
]

Option C

[
  "book":{
    "title":"Engineering",
    "grade":"11",
    "edition":"4".
  }
]

Option D

{ "device":
  {[
    "type":"switch,
    "model":"Catalyst",
    "mac":"00:46:10:06:93:55",
  ]}
}

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

A JSON script should start with “{” -> Only Option A and Option D are candidates. But Option D is
surely not correct, as the string “switch is written without its closing quote. Another error in
Option D is that a square bracket [ can only hold a group of values or objects, separated by
commas. For example:

"sports": ["volley-ball","badminton"] -> This [] holds a group of values

or

"book": [
  {
    "id": "01",
    "language": "Java",
    "edition": "third"
  },
  {
    "id": "02",
    "language": "C++",
    "edition": "second"
  }
] -> This [] holds a group of objects

But in Option D we see square bracket holds key/value pair which is not correct. Therefore only
Option A is correct.
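Rather than eyeballing the brackets, a parser settles the question. The following Python is an added example (not part of the original question) that re-types the four options as constructed strings and runs each through json.loads, reporting the first error and its column for the ones that fail; this is also the check to apply before trusting JSON received on an API, since a strict parser rejects the malformed input instead of guessing at it.

```python
import json

# The four JSON candidates from the question, re-typed here as constructed strings
# (this is an added example, not code from the original page).
OPTIONS = {
    "A": '{"car":[{"type":"Ford","color":"red","year":"1998"}]}',
    "B": '"truck":[{"type":"Dodge","color":"blue","year":"2015"}]',
    "C": '["book":{"title":"Engineering","grade":"11","edition":"4".}]',
    "D": '{"device":{["type":"switch,"model":"Catalyst","mac":"00:46:10:06:93:55",]}}',
}


def parse_error(text):
    """Return None when text is well-formed JSON, otherwise the parser's first complaint
    with its 1-based column, which is the detail worth logging when rejecting input."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as exc:
        return f"{exc.msg} (column {exc.colno})"


def valid_options(options=OPTIONS):
    """Names of the options that parse as JSON."""
    return [name for name, text in options.items() if parse_error(text) is None]


if __name__ == "__main__":
    for name, text in OPTIONS.items():
        print(name, "->", parse_error(text) or "well-formed")
```

Option B fails with "Extra data" because the parser consumes the bare string "truck" as a complete document and then finds more text; Option C fails at the colon after "book" because an array may hold values, not key/value pairs, which is the point the explanation makes about Option D as well.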

Question 17

Which encryption hashing algorithm does NTP use for authentication?

A. SSL
B. AES256
C. AES128
D. MD5

Answer: D

Explanation

An example of configuring NTP authentication is shown below:

Router1(config)#ntp authentication-key 2 md5 digitaltut
Router1(config)#ntp authenticate
Router1(config)#ntp trusted-key 2

Question 18

Refer to the exhibit.

An engineer configures the trunk and proceeds to configure an ERSPAN session to monitor VLANs
10, 20, and 30. Which command must be added to complete this configuration?

A. Device(config-mon-erspan-src-dst)# mtu 1460
B. Device(config-mon-erspan-src-dst)# no vrf 1
C. Device(config-mon-erspan-src-dst)# erspan id 6
D. Device(config-mon-erspan-src)# no filter vlan 30

Answer: D

Explanation

The command “filter vlan 30” limits to monitor only VLAN 30 so we will not see any traffic for
VLAN 10 and 20. Therefore we must remove this command.

Question 19

An engineer must provide wireless coverage in a square office. The engineer has only one AP
and believes that it should be placed in the middle of the room. Which antenna type should the
engineer use?

A. directional
B. polarized
C. Yagi
D. omnidirectional

Answer: D

Explanation

Types of external antennas:

+ Omnidirectional: Provide 360-degree coverage. Ideal in houses and office areas
+ Directional: Focus the radio signal in a specific direction. Examples are the Yagi and parabolic
dish
+ Multiple Input Multiple Output (MIMO) – Uses multiple antennas (up to eight) to increase
bandwidth

An omnidirectional antenna is designed to provide a 360-degree radiation pattern. This type of
antenna is used when coverage in all directions from the antenna is required.

(Figure: Omnidirectional Antenna Radiation Pattern)


Question 20

Drag and drop the snippets onto the blanks within the code to create an EEM script that adds an
entry to a locally stored text file with a timestamp when a configuration change is made. Not all
options are used.

Answer:

1. event syslog pattern
2. “enable”
3. | append flash

Explanation

The command “show clock | append flash:ConfSave.txt” means that we want to write the output
of the “show clock” command to a file on the flash memory.

Question 21

A customer requires their wireless data traffic to egress at the switch port of the access point.
Which access point mode supports this?

A. FlexConnect
B. Sniffer
C. Bridge
D. Monitor

Answer: A

Explanation

FlexConnect AP mode enables switching traffic between an SSID and a VLAN locally if the
CAPWAP to the WLC is down, even when the AP is at a remote site. It can also be configured to
egress at the access point’s LAN port.

Reference: https://study-ccnp.com/cisco-wireless-access-point-ap-modes-explained/

Question 22

Refer to the exhibit.

Which command when applied to the Atlanta router reduces type 3 LSA flooding into the
backbone area and summarizes the inter-area routes on the Dallas router?

A. Atlanta(config-route)#area 0 range 192.168.0.0 255.255.252.0
B. Atlanta(config-route)#area 1 range 192.168.0.0 255.255.252.0
C. Atlanta(config-route)#area 0 range 192.168.0.0 255.255.248.0
D. Atlanta(config-route)#area 1 range 192.168.0.0 255.255.248.0

Answer: B

Question 23

Refer to the exhibit.

for x in range(5):
    print(x)

What is output by this code?

A. 0 5
B. 0 1 2 3 4 5
C. 0 1 2 3 4
D. (0,5)

Answer: C

Explanation

The range() function returns a sequence of numbers, starting from 0 by default, and increments
by 1 (by default), and stops before a specified number.

Question 24

Which type of antenna does the radiation pattern represent?

A. Yagi
B. multidirectional
C. directional patch
D. omnidirectional

Answer: A

Explanation

A Yagi antenna is formed by driving a simple antenna, typically a dipole or dipole-like antenna,
and shaping the beam using a well-chosen series of non-driven elements whose length and
spacing are tightly controlled.

Reference: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/prod_white_paper0900aecd806a1a3e.html

Question 25

What is a benefit of YANG modules?

A. tightly coupled models with encoding to improve performance
B. easier multivendor interoperability provided by common or industry models
C. avoidance of ecosystem fragmentation by having fixed modules that cannot be changed
D. single protocol and model coupling to simplify maintenance and support

Answer: B

Question 26

Refer to the exhibit.

Which configuration change ensures that R1 is the active gateway whenever it is in a functional
state for the 172.30.110.0/24 network?

Option A

R1
standby 1 preempt
R2
standby 1 priority 90

Option B

R1
standby 1 preempt
R2
standby 1 priority 100

Option C

R2
standby 1 priority 100
standby 1 preempt

Option D

R2
standby 1 priority 110
standby 1 preempt

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

By default, HSRP does not have preemption enabled, so we have to enable it on R1 so that R1
can take over the active role from R2. We also need to lower the priority of R2 (to 90) below that
of R1 (the default HSRP priority is 100) so that R1 can take the active role.

Question 27

What is contained in the VXLAN header?

A. VXLAN network identifier
B. source and destination RLOC ID
C. endpoint ID
D. original Layer 2 VLAN ID

Answer: A

Explanation

The key fields for the VXLAN packet in each of the protocol headers are:

+ Outer MAC header (14 bytes with 4 bytes optional) – Contains the MAC address of the
source VTEP and the MAC address of the next-hop router. Each router along the packet’s path
rewrites this header so that the source address is the router’s MAC address and the destination
address is the next-hop router’s MAC address.

+ Outer IP header (20 bytes)- Contains the IP addresses of the source and destination VTEPs.
+ (Outer) UDP header (8 bytes)- Contains source and destination UDP ports:
– Source UDP port: The VXLAN protocol repurposes this standard field in a UDP packet header.
Instead of using this field for the source UDP port, the protocol uses it as a numeric identifier for
the particular flow between VTEPs. The VXLAN standard does not define how this number is
derived, but the source VTEP usually calculates it from a hash of some combination of fields from
the inner Layer 2 packet and the Layer 3 or Layer 4 headers of the original frame.
– Destination UDP port: The VXLAN UDP port. The Internet Assigned Numbers Authority (IANA)
allocates port 4789 to VXLAN.

+ VXLAN header (8 bytes)- Contains the 24-bit VXLAN Network Identifiers (VNI).
+ Original Ethernet/L2 Frame – Contains the original Layer 2 Ethernet frame.
Note: In fact this question has two correct answers, which are: VXLAN network
identifier and original Layer 2 VLAN ID. But we believe the first answer is better.

Question 28

Refer to the exhibit. What is displayed when the code is run?

A. The answer is 25
B. The answer is 70
C. The answer is 5
D. The answer is 100

Answer: A

Explanation

The “magic” function receives a number, which is 5 from main() in this question. This function
returns a result of 5 + 2*10 = 25 and the str() function converts it into a string (“25”) before
printing to the terminal.

Question 29

Which two steps are required for a complete Cisco DNA Center upgrade? (Choose two)

A. golden image selection
B. automation backup
C. proxy configuration
D. application updates
E. system update

Answer: D E

Explanation

A complete Cisco DNA Center upgrade includes “System Update” and “Application Updates”.

Question 30

Which function is performed by vSmart in the Cisco SD-WAN architecture?

A. redistribution between OMP and other routing protocols
B. facilitation of NAT detection and traversal
C. distribution of centralized policies
D. execution of localized policies

Answer: C

Explanation

Answer A is not correct as this is the role of vEdges. By default, however, vEdges do not
automatically redistribute OMP routes into any legacy routing protocol; the redistribution must
be explicitly enabled for each local protocol on each vEdge router.

Answer B describes the role of vBond, while answer D describes the role of vEdge.

Question 31

Refer to the exhibit.


Why does the OSPF neighborship fail between the two interfaces?

A. The IP subnet mask is not the same.
B. There is a mismatch in the OSPF interface network type.
C. The OSPF timers are different.
D. The MTU is not the same.

Answer: A

Explanation

OSPF forms neighbor relationships with other OSPF routers on the same segment by exchanging
hello packets. The hello packets contain various parameters, some of which must match
between neighboring routers. These include:

+ Hello and Dead intervals
+ Area ID
+ Authentication type and password
+ Stub Area flag
+ Subnet ID and Subnet mask

In this question we see that the subnet masks of the two neighbors do not match (/30 & /29),
so the OSPF neighborship fails.

Question 32

Refer to the exhibit.

Clients are reporting an issue with the voice traffic from the branch site to the central site. What
is the cause of this issue?

A. The voice traffic is using the link with less available bandwidth
B. There is a high delay on the WAN links
C. There is a routing loop on the network
D. Traffic is load-balancing over both links, causing packets to arrive out of order

Answer: D

Explanation

From the traceroute output, we learn the second link (172.16.250.5) has greater latency than
the first link (172.16.250.1) so the packets will arrive out of order when traffic is load-balancing
over both links.

Note: Latency (also known as delay) refers to the time it takes a voice packet to reach its
destination. Latency is measured in milliseconds (ms) (or thousandths of a second). Latency of
150ms or less (one-way) is generally acceptable. Latency greater than 150ms (again, one way)
adversely affects the call quality experience.

Question 33

Refer to the exhibit.

An engineer must deny HTTP traffic from host A to host B while allowing all other communication
between the hosts. Which command set accomplishes this task?

Option A

SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www
SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any
SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward
SW1(config)# vlan filter HOST-A-B vlan 10

Option B

SW1(config)# mac access-list extended HOST-A-B
SW1(config-ext-macl)# permit host aaaa.bbbb.cccc aaaa.bbbb.dddd
SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www
SW1(config)# vlan access-map DROP-MAC 10
SW1(config-access-map)# match mac address HOST-A-B
SW1(config-access-map)# action forward
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan filter HOST-A-B vlan 10

Option C

SW1(config)# mac access-list extended HOST-A-B
SW1(config-ext-macl)# permit host aaaa.bbbb.cccc aaaa.bbbb.dddd
SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www
SW1(config)# vlan access-map DROP-MAC 10
SW1(config-access-map)# match mac address HOST-A-B
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan filter HOST-A-B vlan 10

Option D

SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www
SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any
SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward
SW1(config)# vlan filter HOST-A-B vlan 10

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

In this case we need to configure a VLAN access-map to deny HTTP traffic and apply it to VLAN
10. To do it, first create an access-list, by which interesting traffic will be matched. The principle
of VLAN access-map config is similar to the route-map principle.

After this we’ll create a vlan access-map, which has two main parameters: action and match.
Match: by this parameter the interesting traffic is matched and here RACL or MAC ACL can be
applied as well.
Action: what to do with matched traffic. Two main parameters exist: Drop and Forward. In case
of Drop, matched traffic will be dropped, and in case of forward, matched traffic will be allowed.

A good reference and example can be found at
https://www.networkstraining.com/vlan-access-map-example-configuration/

In this question, both ACLs must use permit statements, because what happens to the matched
traffic (forward or drop) is decided by the action in the VLAN access-map, not by the ACL.

Question 34

Which virtualization component creates VMs and performs hardware abstraction that allows
multiple VMs to run at the same time?

A. rkt
B. Docker
C. container
D. hypervisor

Answer: D

Explanation

Hypervisors support the creation and management of virtual machines (VMs) by abstracting a
computer’s software from its hardware.

Question 35

Refer to the exhibit.


A network engineer must log in to the router via the console, but the RADIUS servers are not
reachable. Which credentials allow console access?

A. the username “cisco” and the password “cisco123”
B. no username and only the password “test123”
C. no username and only the password “cisco123”
D. the username “cisco” and the password “cisco”

Answer: C

Explanation

We tested with GNS3 and the router only requires password “cisco123” configured under line
console to authenticate. So we can deduce the “password” command under line interface is
preferred over “login authentication” command.

Question 36

Drag and drop the LISP components from the left onto the function they perform on the right.
Not all options are used.

Answer:

+ accepts LISP encapsulated map requests: LISP map resolver
+ learns of EID prefix mapping entries from an ETR: LISP map server
+ receives traffic from LISP sites and sends it to non-LISP sites: LISP proxy ETR
+ receives packets from site-facing interfaces: LISP ITR

Explanation

ITR is the function that maps the destination EID to a destination RLOC and then encapsulates
the original packet with an additional header that has the source IP address of the ITR RLOC and
the destination IP address of the RLOC of an Egress Tunnel Router (ETR). After the
encapsulation, the original packet becomes a LISP packet.

ETR is the function that receives LISP encapsulated packets, decapsulates them and forwards
them to its local EIDs. This function also requires EID-to-RLOC mappings, so we need to specify a
“map-server” IP address and the key (password) used for authentication.

A LISP proxy ETR (PETR) implements ETR functions on behalf of non-LISP sites. A PETR is
typically used when a LISP site needs to send traffic to non-LISP sites but the LISP site is
connected through a service provider that does not accept nonroutable EIDs as packet sources.
PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP sites.

Map Server (MS) processes the registration of authentication keys and EID-to-RLOC mappings.
ETRs send periodic Map-Register messages to all their configured Map Servers.

Map Resolver (MR): a LISP component which accepts LISP Encapsulated Map Requests,
typically from an ITR, and quickly determines whether or not the destination IP address is part
of the EID namespace.

Question 37

Drag and drop the characteristics from the left onto the correct places on the right.

Answer:

MAC Address table
+ used to make Layer 2 forwarding decisions
+ records MAC address, port of arrival, VLAN and timestamps

TCAM table
+ used to build IP routing tables
+ stores ACL, QoS and other upper-layer information

Question 38

Which technology is used to provide Layer 2 and Layer 3 logical networks in the Cisco SD-Access
architecture?

A. underlay network
B. overlay network
C. VPN routing/forwarding
D. easy virtual network

Answer: B

Explanation

An overlay network creates a logical topology used to virtually connect devices that are built
over an arbitrary physical underlay topology.

An overlay network is created on top of the underlay network through virtualization (virtual
networks). The data plane traffic and control plane signaling are contained within each
virtualized network, maintaining isolation among the networks and an independence from the
underlay network.

SD-Access allows for the extension of Layer 2 and Layer 3 connectivity across the overlay
through the services provided by LISP.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html

Question 39

Drag and drop the snippets onto the blanks within the code to construct a script that advertises
the network prefix 192.168.5.0/24 into a BGP session. Not all options are used.

Answer: 1-A; 2-C; 3-B

Question 40

Refer to the exhibit.


An SSID is configured and both clients can reach their gateways on the Layer 3 switch, but they
cannot communicate with each other. Which action resolves this issue?

A. Set the P2P Blocking Action to Forward-UpStream.
B. Set the P2P Blocking Action to Disabled.
C. Set the WMM Policy to Required.
D. Set the WMM Policy to Allowed.

Answer: B

Explanation

Wi-Fi Multimedia (WMM) is used to prioritize different types of traffic -> It cannot block traffic, so
it is not the cause of the problem in this question.

Peer to peer (P2P) blocking is applied to individual WLANs. You can have traffic bridged locally
within the controller, dropped by the controller, or forwarded to the upstream VLAN.

Choose one of the following options from the P2P Blocking drop-down list:

+ Disabled – Disables peer-to-peer blocking and bridges traffic locally within the controller
whenever possible. This is the default value.
Note: Traffic is never bridged across VLANs in the controller.
+ Drop – Causes the controller to discard the packets.
+ Forward-UpStream – Causes the packets to be forwarded on the upstream VLAN. The
device above the controller decides what action to take regarding the packets.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-
guide/b_cg75/b_cg75_chapter_01001011.pdf

-> In this question two laptops are in the same VLAN so answer A is not correct. Only answer B
is correct.

Question 41

What does Call Admission Control require the client to send in order to reserve the bandwidth?

A. SIP flow information
B. Wi-Fi multimedia
C. traffic specification
D. VoIP media session awareness

Answer: C

Explanation

The application residing on Device 1 originates an RSVP message called Path, which is sent to
the same destination IP address as the data flow for which a reservation is requested (that is,
10.60.60.60) and is sent with the “router alert” option turned on in the IP header. The Path
message contains, among other things, the following objects:

–The “sender T-Spec” (traffic specification) object, which characterizes the data flow for which
a reservation will be requested. The T-Spec basically defines the maximum IP bandwidth
required for a call flow using a specific codec. The T-Spec is typically defined using values for the
data flow’s average bit rate, peak rate, and burst size.

Reference: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/9x/uc9x/
cac.html

Question 42

Which network devices secure the API platform?

A. next-generation intrusion detection systems
B. Layer 3 transit network devices
C. content switches
D. web application firewalls

Answer: D

Explanation

Cisco Secure Web Application Firewall (WAF) and bot protection defends your online presence
and ensures that website, mobile applications, and APIs are secure, protected, and “always on.”

Reference: https://www.cisco.com/c/en/us/products/collateral/security/advanced-waf-bot-
aag.pdf

Question 43

Where is the wireless LAN controller located in a mobility express deployment?

A. There is no wireless LAN controller in the network.
B. The wireless LAN controller is embedded into the access point.
C. The wireless LAN controller exists in the cloud.
D. The wireless LAN controller exists in a server that is dedicated for this purpose.

Answer: B

Explanation

Mobility Express is the ability to use an access point (AP) as a controller instead of a real WLAN
controller. But this solution is only suitable for small to midsize, or multi-site branch locations
where you might not want to invest in a dedicated WLC. A Mobility Express WLC can support up
to 100 APs.

Question 44

What is a characteristic of VXLAN?

A. It uses TCP for transport.
B. It has a 12-byte packet header.
C. It extends Layer 2 and Layer 3 overlay networks over a Layer 2 underlay.
D. It is a multi-tenant solution.

Answer: D

Explanation

VXLAN header consists of 8 bytes and contains the 24-bit VNI -> Answer B is not correct.

VXLAN uses UDP, not TCP -> Answer A is not correct.

VXLAN is often described as an overlay technology because it allows Layer 2 connections to be
stretched over an intervening Layer 3 network -> Answer C is not correct.

Therefore only answer D is left.
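As an added illustration (not code from the page or from Cisco), the following Python builds and parses the 8-byte VXLAN header described above together with the UDP header that carries it. The IP header is omitted, and the MAC addresses, VNIs and payload are constructed sample values. It also shows what makes VXLAN a multi-tenant solution: the lookup key a VTEP uses includes the VNI, so two tenants can reuse the same MAC addresses without colliding.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN UDP destination port (RFC 7348)
VXLAN_HEADER_LEN = 8         # flags (1) + reserved (3) + VNI (3) + reserved (1)
FLAG_VNI_VALID = 0x08        # the "I" flag: the VNI field carries a valid value


def build_vxlan_header(vni: int) -> bytes:
    """Return the 8-byte VXLAN header for a 24-bit VNI."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(data: bytes) -> tuple:
    """Return (vni, inner_ethernet_frame) from a VXLAN header plus payload."""
    if len(data) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags = data[0]
    if not flags & FLAG_VNI_VALID:
        raise ValueError("I flag clear: VNI not valid, packet must be dropped")
    vni = int.from_bytes(data[4:7], "big")
    return vni, data[VXLAN_HEADER_LEN:]


def encapsulate(vni: int, inner_frame: bytes, src_port: int = 49152) -> bytes:
    """Wrap an Ethernet frame in UDP + VXLAN (the outer IP header is omitted)."""
    udp_len = 8 + VXLAN_HEADER_LEN + len(inner_frame)
    udp_header = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    return udp_header + build_vxlan_header(vni) + inner_frame


def decapsulate(segment: bytes) -> tuple:
    """Strip UDP + VXLAN and return (vni, inner_frame); non-VXLAN UDP is rejected."""
    _src, dst, length, _csum = struct.unpack("!HHHH", segment[:8])
    if dst != VXLAN_UDP_PORT:
        raise ValueError(f"UDP port {dst} is not VXLAN")
    if length != len(segment):
        raise ValueError("UDP length field does not match segment")
    return parse_vxlan_header(segment[8:])


def tenant_key(segment: bytes) -> tuple:
    """(VNI, inner destination MAC): the per-tenant key a VTEP looks up."""
    vni, frame = decapsulate(segment)
    return vni, frame[:6].hex(":")


# Constructed sample: one Ethernet frame (dst MAC, src MAC, EtherType, payload)
# sent by two different tenants.  Identical MACs stay separate because the
# VNI is part of the key.
SAMPLE_FRAME = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
                + b"\x08\x00" + b"constructed payload")
TENANT_A = encapsulate(5000, SAMPLE_FRAME)
TENANT_B = encapsulate(5001, SAMPLE_FRAME)

if __name__ == "__main__":
    print(len(build_vxlan_header(5000)), "byte header")
    print(tenant_key(TENANT_A), tenant_key(TENANT_B))
```

The header carries no integrity or authentication field, so the VNI is only as trustworthy as the underlay that delivered the packet; a VTEP should accept VXLAN only from known peer addresses.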

Question 45

An engineer is configuring Local WebAuth on a Cisco Wireless LAN Controller. According to RFC
5737, which virtual IP address must be used in this configuration?

A. 1.1.1.1
B. 192.168.0.1
C. 192.0.2.1
D. 172.20.10.1

Answer: C

Question 46

A large campus network has deployed two wireless LAN controllers to manage the wireless
network. WLC1 and WLC2 have been configured as mobility peers. A client device roams from
AP1 on WLC1 to AP2 on WLC2, but the controller’s client interfaces are on different VLANs. How
do the wireless LAN controllers handle the inter-subnet roaming?

A. WLC2 marks the client with a foreign entry in its own database. The database entry is copied
to the new controller and marked with an anchor entry on WLC1
B. WLC2 marks the client with an anchor entry in its own database. The database entry is copied
to the new controller and marked with a foreign entry on WLC1
C. WLC1 marks the client with a foreign entry in its own database. The database entry is copied
to the new controller and marked with an anchor entry on WLC2
D. WLC1 marks the client with an anchor entry in its own database. The database entry is copied
to the new controller and marked with a foreign entry on WLC2

Answer: D

Explanation

In instances where the client roams between APs that are connected to different WLCs and the
WLC WLAN is connected to a different subnet, a Layer 3 roam is performed, and there is an
update between the new WLC (foreign WLC) and the old WLC (anchor WLC) mobility databases.

If this is the case, return traffic to the client still goes through its originating anchor WLC. The
anchor WLC uses Ethernet over IP (EoIP) to forward the client traffic to the foreign WLC, to
where the client has roamed. Traffic from the roaming client is forwarded out the foreign WLC
interface on which it resides; it is not tunneled back.
The client begins with a connection to AP B on WLC 1. This creates an ANCHOR entry in the
WLC client database. As the client moves away from AP B and makes an association with AP C,
WLC 2 sends a mobility announcement to peers in the mobility group looking for the WLC with
the client MAC address. WLC 1 responds to the announcement, handshakes, and ACKs. Next the
client database entry for the roaming client is copied to WLC 2, and marked as FOREIGN.
Included PMK data (master key data from the RADIUS server) is also copied to WLC 2. This
provides fast roam times for WPA2/802.11i clients because there is no need to re-authenticate
to the RADIUS server.

After a simple key exchange between the client and AP, the client is added to the WLC 2
database and is similar, except that it is marked as FOREIGN.

Reference: https://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/
TechArch.html

Question 47

What is the function of the fabric control plane node in a Cisco SD-Access deployment?

A. It is responsible for policy application and network segmentation in the fabric.
B. It performs traffic encapsulation and security profiles enforcement in the fabric.
C. It holds a comprehensive database that tracks endpoints and networks in the fabric.
D. It provides integration with legacy nonfabric-enabled environments.

Answer: C

Explanation

Fabric control plane node (C): One or more network elements that implement the LISP Map-
Server (MS) and Map-Resolver (MR) functionality. The control plane node’s host tracking
database keeps track of all endpoints in a fabric site and associates the endpoints to fabric nodes
in what is known as an EID-to-RLOC binding in LISP.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-macro-
segmentation-deploy-guide.html

Question 48

Which capability does a distributed virtual switch have?

A. use floating static routes
B. provide configuration consistency across the hosts
C. run dynamic routing protocols
D. use advanced IPsec encryption algorithms

Answer: B

Explanation

Virtual switches are used to connect virtual network controllers of VMs to networks on the
second layer of the OSI model.

Standard vSwitches are configured on each ESXi host manually. However, in large virtual
environments, virtual switches usually have the same vSwitch configuration, including for port
groups, VLANs, connected networks, etc. If you need to add a new port group associated with
VLAN to connect VMs on ESXi hosts to that VLAN, you have to configure vSwitch on each ESXi
host the same way manually. This is a time-consuming process.

To address this, VMware allows you to use the distributed virtual switch, a logical switch that can
be configured on vCenter Server once for several hosts. This means that you don’t have to
configure standard virtual switches on each ESXi host manually.

Reference: https://www.nakivo.com/blog/vmware-distributed-switch-configuration/

Question 49

Refer to the exhibit.

#! /usr/bin/env python3
from env_lab import dnac
import json
import requests
import urllib3
from requests.auth import HTTPBasicAuth
from prettytable import PrettyTable

dnac_devices = PrettyTable(['Hostname', 'Platform Id', 'Software Type', 'Software Version', 'Up Time'])
dnac_devices.padding_width = 1
headers = {
    'content-type': "application/json",
    'x-auth-token': ""
}

def dnac_login(host, username, password):
    url = "https://{}/api/system/v1/auth/token".format(host)
    response = requests.request("POST", url, auth=HTTPBasicAuth(username, password),
                                headers=headers, verify=False)
    return response.json()["Token"]

def network_device_list(dnac, token):
    url = "https://{}/api/v1/network-device".format(dnac['host'])
    headers["x-auth-token"] = token
    response = requests.get(url, headers=headers, verify=False)
    data = response.json()
    for item in data['response']:
        dnac_devices.add_row([item["hostname"], item["platformId"], item["softwareType"],
                              item["softwareVersion"], item["upTime"]])

Option A

Option B

Option C

Option D
Which code results in the working Python script displaying a list of network devices from the
Cisco DNA center?

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

This code is used in the “CCNP and CCIE Enterprise Core” book (page 1537) and we post the full
script here for your reference:

#! /usr/bin/env python3
from env_lab import dnac          # lab settings: dnac['host'], dnac['username'], dnac['password']
import json
import requests
import urllib3
from requests.auth import HTTPBasicAuth
from prettytable import PrettyTable

dnac_devices = PrettyTable(['Hostname', 'Platform Id', 'Software Type', 'Software Version', 'Up Time'])
dnac_devices.padding_width = 1

# Silence the insecure warning due to SSL Certificate
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

headers = {
    'content-type': "application/json",
    'x-auth-token': ""
}

def dnac_login(host, username, password):
    # POST with HTTP Basic credentials; the controller answers with a JSON token
    url = "https://{}/api/system/v1/auth/token".format(host)
    response = requests.request("POST", url, auth=HTTPBasicAuth(username, password),
                                headers=headers, verify=False)
    return response.json()["Token"]

def network_device_list(dnac, token):
    # Every later API call carries the token in the x-auth-token header
    url = "https://{}/api/v1/network-device".format(dnac['host'])
    headers["x-auth-token"] = token
    response = requests.get(url, headers=headers, verify=False)
    data = response.json()
    for item in data['response']:
        dnac_devices.add_row([item["hostname"], item["platformId"], item["softwareType"],
                              item["softwareVersion"], item["upTime"]])

login = dnac_login(dnac["host"], dnac["username"], dnac["password"])
network_device_list(dnac, login)
print(dnac_devices)

Note: We broke some long lines so the Python format is not correct.

Question 50

Which two methods are used to assign security group tags to the user in a Cisco Trust Sec
architecture? (Choose two)

A. modular QoS
B. policy routing
C. web authentication
D. DHCP
E. IEEE 802.1x

Answer: C E

Explanation

Cisco ISE assigns the SGT tags to users or devices that are successfully authenticated and
authorized through 802.1x, MAB, or WebAuth.

Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide

Question 51

Refer to the exhibit.

interface GigabitEthernet1
ip address 10.10.10.1 255.255.255.0
!
access-list 10 permit 10.10.10.1
!
monitor session 10 type erspan-source
source interface Gi1
destination
erspan-id 10
ip address 192.168.1.1

Which command filters the ERSPAN session packets only to interface GigabitEthernet1?

A. source ip 10.10.10.1
B. source interface gigabitethernet1 ip 10.10.10.1
C. filter access-group 10
D. destination ip 10.10.10.1

Answer: C

Question 52
A network engineer configures a WLAN controller with increased security for web access. There
is IP connectivity with the WLAN controller, but the engineer cannot start a management session
from a web browser. Which action resolves the issue?

A. Use a private or incognito session.
B. Disable Adobe Flash Player
C. Disable JavaScript on the web browser
D. Use a browser that supports 128-bit or larger ciphers.

Answer: D

Explanation

Enable or disable secure web mode with increased security by entering this command:
config network secureweb cipher-option high {enable | disable}
This command allows users to access the controller GUI using “https://ip-address” but only from
browsers that support 128-bit (or larger) ciphers. With Release 8.10, this command is, by
default, in enabled state.
When high ciphers is enabled, SHA1, SHA256, SHA384 keys continue to be listed and TLSv1.0 is
disabled. This is applicable to webauth and webadmin but not for NMSP.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/
b_cg85/administration_of_cisco_wlc.html

Question 53

A customer has recently implemented a new wireless infrastructure using WLC-5520S at a site
directly next to a large commercial airport Users report that they intermittently lose Wi-Fi
connectivity, and troubleshooting reveals it is due to frequent channel changes. Which two
actions fix this issue? (Choose two)

A. Remove UNII-2 and Extended UNII-2 channels from the 5 GHz channel list
B. Restore the DCA default settings because this automatically avoids channel interference
C. Disable DFS channels to prevent interference with Doppler radar
D. Enable DFS channels because they are immune to radar interference
E. Configure channels on the UNII-2 and the Extended UNII-2 sub-bands of the 5 GHz band only

Answer: A C

Explanation

In the 5 GHz spectrum, some of the channels used by 802.11 are subject to Dynamic Frequency
Selection (DFS) requirements. This is due to our clients’ coexistence with other RF technologies
such as maritime, aviation and weather radar.

Dynamic Frequency Selection (DFS) is the process of detecting radar signals that must be
protected against interference from 5.0 GHz (802.11a/h) radios, and upon detection switching
the operating frequency of the 5.0 GHz (802.11a/h) radio to one that is not interfering with the
radar systems.

Reference: https://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/
RadioChannelDFS.pdf

Although DFS helps reduce interference with radar systems, “DFS channels” refers to the
5 GHz channels that require the DFS check. In other words, DFS channels are the channels that may
interfere with radar signals. Therefore we should disable these DFS channels -> Answer C is
correct.

UNII-2 (5.250-5.350 GHz and 5.470-5.725 GHz) which contains channels 52, 56, 60, 64, 100,
104, 108, 112, 116, 120, 124, 128, 132, 136, and 140 are permitted in the United States, but
shared with radar systems. Therefore, APs operating on UNII-2 channels are required to use
Dynamic Frequency Selection (DFS) to avoid interfering with radar signals. If an AP detects a
radar signal, it must immediately stop using that channel and randomly pick a new channel.

Reference: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/
Channel_Planning_Best_Practices

-> Therefore we should remove UNII-2 channels from 5GHz channel list.

Question 54

Refer to the exhibit.

R1
interface GigabitEthernet0/0
ip address 192.168.250.2 255.255.255.0
standby 20 ip 192.168.250.1
standby 20 priority 120

R2
interface GigabitEthernet0/0
ip address 192.168.250.3 255.255.255.0
standby 20 ip 192.168.250.1
standby 20 priority 110

What are two effects of this configuration? (Choose two)

A. R1 becomes the active router
B. R1 becomes the standby router
C. If R2 goes down, R1 becomes active but reverts to standby when R2 comes back online
D. If R1 goes down, R2 becomes active but reverts to standby when R1 comes back online
E. If R1 goes down, R2 becomes active and remains the active device when R1 comes back
online

Answer: A E

Question 55

Drag and drop the automation characteristics from the left onto the corresponding tools on the
right.
Answer:

Ansible
+ all functions are performed over SSH
+ YAML configuration language
+ based on Python

Chef
+ Ruby syntax in configuration files

Explanation

We made a comparison list of Ansible, Puppet and Chef automation tool here:

Question 56

Which two features does the Cisco SD-Access architecture add to a traditional campus network?
(Choose two)

A. private VLANs
B. software-defined segmentation
C. SD-WAN
D. identity services
E. modular QoS

Answer: B D

Explanation

SD-Access uses logic blocks called fabrics which leverage virtual network overlays that are
driven through programmability and automation to create mobility, segmentation, and visibility.
Network virtualization becomes easy to deploy through software-defined segmentation and
policy for wired and wireless campus networks.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/SD-Access-
Distributed-Campus-Deployment-Guide-2019JUL.html

Question 57

What is a benefit of using segmentation with TrustSec?

A. Integrity checks prevent data from being modified in transit.
B. Packets sent between endpoints on a LAN are encrypted using symmetric key cryptography.
C. Security group tags enable network segmentation.
D. Firewall rules are streamlined by using business-level profiles.

Answer: C

Explanation

Benefits of Segmentation with TrustSec

Security Group Tagging transforms segmentation by simplifying administration:

+ Security group tags allow organizations to segment their networks without having to redesign
to accommodate more VLANs and subnets.
+ Firewall rules are dramatically streamlined by using an intuitive business-level profile method.
+ Policy enforcement is automated, assisting compliance and increasing security efficacy.
+ Security auditing becomes much easier, as Qualified Security Assessors can more easily
validate that rules are being enforced to meet compliance.

Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/
trustsec/trustsec_pci_validation.pdf

In fact this question has two correct answers.

Question 58

The login method is configured on the VTY lines of a router with these parameters.
– The first method for authentication is TACACS
– If TACACS is unavailable, login is allowed without any provided credentials

Which configuration accomplishes this task?

A. R1#sh run | include aaa
aaa new-model
aaa authentication login VTY group tacacs+ none
aaa session-id common
R1#sh run | section vty
line vty 0 4
password 7 0202039485748
R1#sh run | include username
R1#

B. R1#sh run | include aaa
aaa new-model
aaa authentication login default group tacacs+
aaa session-id common
R1#sh run | section vty
line vty 0 4
transport input none
R1#

C. R1#sh run | include aaa
aaa new-model
aaa authentication login default group tacacs+ none
aaa session-id common
R1#sh run | section vty
line vty 0 4
password 7 0202039485748

D. R1#sh run | include aaa
aaa new-model
aaa authentication login telnet group tacacs+ none
aaa session-id common
R1#sh run | section vty
line vty 0 4
R1#sh run | include username
R1#

Answer: C

Explanation

According to the requirements (first use TACACS+, then allow login with no authentication), we
have to use “aaa authentication login … group tacacs+ none” for AAA command.

The next thing to check is whether “aaa authentication login default” or “aaa authentication
login list-name” is used. The ‘default’ keyword means the method list applies to all login connections
(such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything
else under the tty, vty and aux lines. If we don’t use this keyword, we have to specify on which
line(s) the named authentication list applies.

From above information, we can find out answer C is correct. Although the “password 7
0202039485748” line under “line vty 0 4” is not necessary.

If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS
Tutorial – Part 2.

For your information, answer D would be correct if we add the following command under vty line
(“line vty 0 4”): “login authentication telnet” (“telnet” is the name of the AAA list above)

Question 59

Which resource must a hypervisor make available to the virtual machines?

A. bandwidth
B. IP address
C. processor
D. secure access

Answer: C

Question 60

An engineer is working with the Cisco DNA Center API. Drag and drop the methods from the left
onto the actions that they are used for on the right.
Answer:

+ remove an element using the API: DELETE
+ extract information from the API: GET
+ update an element: PUT
+ create an element: POST

Explanation

A RESTful API uses existing HTTP methodologies defined by the RFC 2616 protocol, such as:

+ GET to retrieve a resource;
+ PUT to change the state of or update a resource, which can be an object, file or block
+ POST to create that resource
+ DELETE to remove it.

Question 61

What is the difference between TCAM and the MAC address table?

A. Router prefix lookups happens in CAM. MAC address table lookups happen in TCAM
B. The MAC address table supports partial matches. TCAM requires an exact match
C. The MAC address table is contained in CAM. ACL and QoS information is stored in TCAM
D. TCAM is used to make Layer 2 forwarding decisions. CAM is used to build routing tables

Answer: C

Explanation

Ternary Content Addressable Memory (TCAM) inside routers is used for faster address lookup,
which enables fast routing.

In switches, Content Addressable Memory (CAM) is used to build and look up the MAC address
table, which enables Layer 2 forwarding decisions.

Besides longest-prefix matching, the TCAM in today’s routers and multilayer switches is used
to store ACL, QoS and other information from upper-layer processing.
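An added example (not from the page) in Python that models the two lookup styles side by side: a CAM-style table that needs an exact key, and a TCAM-style value/mask table whose "don't care" bits let it answer both an ACL's first-match question and a routing table's longest-prefix question. The MAC address, prefixes and actions are constructed sample values.

```python
import ipaddress


class CamTable:
    """Exact-match table, like the MAC address table held in CAM."""

    def __init__(self):
        self._entries = {}

    def learn(self, mac: str, port: str) -> None:
        self._entries[mac.lower()] = port

    def lookup(self, mac: str):
        # A CAM lookup is all-or-nothing: every bit of the key must match.
        return self._entries.get(mac.lower())


class TcamTable:
    """Ternary table: each entry is (value, mask).  A 0 bit in the mask is a
    'don't care', which is exactly what ACL wildcards and route prefixes need."""

    def __init__(self):
        self._entries = []

    def add(self, cidr: str, action: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        self._entries.append((int(net.network_address), int(net.netmask),
                              net.prefixlen, action))

    def _matches(self, addr: int):
        return [(plen, action) for value, mask, plen, action in self._entries
                if addr & mask == value]

    def first_match(self, ip: str):
        """ACL semantics: entries are evaluated in order, first hit wins."""
        hits = self._matches(int(ipaddress.ip_address(ip)))
        return hits[0][1] if hits else None

    def longest_prefix(self, ip: str):
        """Routing semantics: the most specific (longest) prefix wins."""
        hits = self._matches(int(ipaddress.ip_address(ip)))
        return max(hits, key=lambda h: h[0])[1] if hits else None


def demo():
    """Constructed tables: one CAM MAC entry, a two-line ACL, two routes."""
    cam = CamTable()
    cam.learn("00:11:22:33:44:55", "Gi1/0/1")

    acl = TcamTable()                 # deny 10/8, permit everything else
    acl.add("10.0.0.0/8", "deny")
    acl.add("0.0.0.0/0", "permit")

    rib = TcamTable()                 # a summary route and a more specific one
    rib.add("10.0.0.0/8", "Gi0/0")
    rib.add("10.1.0.0/16", "Gi0/1")
    return cam, acl, rib


if __name__ == "__main__":
    cam, acl, rib = demo()
    print(cam.lookup("00:11:22:33:44:55"), acl.first_match("10.1.2.3"),
          rib.longest_prefix("10.1.2.3"))
```

Note that the same TCAM entries give different answers under the two lookup rules: `first_match` on the routing table returns the summary route for 10.1.2.3 because it was installed first, while `longest_prefix` returns the /16, which is why forwarding uses longest-prefix matching and ACL processing uses ordered first match.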

Question 62

Drag and drop the characteristic from the left onto the orchestration tools that they describe on
the right.
Answer:

Ansible:
+ uses playbooks
+ procedural

Puppet:
+ uses a pull model
+ declarative

Explanation

In Ansible, Playbooks are files that provide actions and logic about what Ansible should do.
Ansible playbooks are files that contain tasks to configure hosts. Ansible playbooks are written in
YAML format.

Puppet is based on a Pull deployment model, where the nodes check in regularly after every
1800 seconds with the Master to see if anything needs to be updated in the agent. If anything
needs to be updated the agent pulls the necessary Puppet codes from the Master and performs
required actions.
Chef and Ansible encourage a procedural style where you write code that specifies, step-by-step,
how to achieve some desired end state. Terraform, SaltStack, and Puppet all encourage a
more declarative style where you write code that specifies your desired end state, and the IAC
tool itself is responsible for figuring out how to achieve that state.

Question 63

Refer to the exhibit.


An engineer must configure a Cisco WLC with WPA2 Enterprise mode and avoid global server
lists. Which action is required?

A. Select a RADIUS authentication server
B. Disable the RADIUS server accounting interim update
C. Enable EAP parameters
D. Apply CISCO ISE default settings

Answer: A

Explanation

The “interim update” option is intended to periodically send the accounting data to the RADIUS
server (e.g. every 60 seconds) -> Answer B is not correct.

If we scroll up a bit in the “AAA Servers” tab, we will see the message “Select AAA servers below
to override use of default servers on this WLAN” so we can choose the AAA server in the boxes
to avoid default/global server lists -> Answer A is correct.

Question 64

Which IPv4 packet field carries the QoS IP classification marking?

A. ID
B. TTL
C. FCS
D. ToS

Answer: D

Question 65

Refer to the exhibit.

flow record v4Talkers
match ipv4 source address
match ipv4 destination address
collect counter bytes long
!
flow record v6Talkers
match ipv6 source address
match ipv6 destination address
collect counter bytes long
!
flow monitor v4Talkers
record v4Talkers
!
flow monitor v6Talkers
record v6Talkers

An administrator must collect basic statistics about the approximate amount of IPv4 and IPv6
flows entering Gi0/0 using NetFlow. However, the administrator is concerned that NetFlow
processing during periods of high utilization on Gi0/0 will overwhelm the router CPU. Which
configuration minimizes CPU impact and keeps the data flows across Gi0/0 intact?

Option A

interface Gi0/0
load-interval 600
ip flow monitor v4Talkers
ipv6 flow monitor v6Talkers

Option B

policy-map Talkers
class class-default
police cir percent 50
conform-action transmit
exceed-action drop
!
interface Gi0/0
service-policy input Talkers
ip flow monitor v4Talkers
ipv6 flow monitor v6Talkers

Option C

sampler R-1-1024
mode random 1 out-of 1024
!
interface Gi0/0
ip flow monitor v4Talkers sampler R-1-1024 input
ipv6 flow monitor v6Talkers sampler R-1-1024 input

Option D

interface Gi0/0
no ip route-cache
ip flow monitor v4Talkers
ipv6 flow monitor v6Talkers

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

Flow samplers are created as separate components in a router’s configuration. Flow samplers
are used to reduce the load on the device that is running Flexible NetFlow by limiting the number
of packets that are selected for analysis.

Question 66

Refer to the exhibit.

Device#configure terminal
Device(config)#netconf ssh acl 1
Device(config)#netconf lock-time 100
Device(config)#netconf max-sessions 1
Device(config)#netconf max-message 10

A network engineer must configure NETCONF. After creating the configuration, the engineer gets
output from the command show line, but not from show running-config. Which command
completes the configuration?

A. Device(config)# no netconf ssh acl 1
B. Device(config)# netconf max-sessions 100
C. Device(config)# netconf lock-time 500
D. Device(config)# netconf max-message 1000

Answer: D

Explanation

If we use the “no netconf ssh acl 1” then the whole NETCONF function will be disabled so the
best answer should be “netconf max-message 1000” as it will increase the maximum size of
messages received in a NETCONF session to 1000KB (~1MB).

Note:
+ The valid range for the netconf lock-time seconds is 1 to 300 so 500 is not a valid value.
+ The valid range for the netconf max-sessions number is 4 to 16 so 100 is not a valid value.

Question 67

An engineer must configure a multicast UDP jitter operation. Which configuration should be
applied?

A. Router(config)#ip sla 1
Router(config)#udp jitter 10.0.0.1 source-ip 192.168.1.1
B. Router(config)#ip sla 1
Router(config)#udp-jitter 192.0.2.115 65051 num-packets 20

C. Router(config)#ip sla 1
Router(config)#udp-jitter 192.0.2.115 65051

D. Router(config)#ip sla 1
Router(config)#udp jitter 239.1.1.1 65051 end-point list List source-ip 192.168.1.1

Answer: D

Explanation

The command “udp jitter 239.1.1.1 65051 end-point list List source-ip 192.168.1.1” configures
the IP SLAs operation as a multicast UDP jitter operation and enters multicast UDP jitter
configuration mode.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-
15-mt-book/sla_mcast_suppt.html

Note: In fact the correct command should be “Router(config-ip-sla)# udp-jitter 239.1.1.1 65051
endpoint-list List source-ip 192.168.1.1”. Maybe they are unintended typos of this question.

Question 68

Which two mechanisms are used with OAuth 2.0 for enhanced validation? (Choose two)

A. authorization
B. custom headers
C. request management
D. authentication
E. accounting

Answer: A D

Question 69

Refer to the exhibit.


How does the router handle traffic after the CoPP policy is configured on the router?

A. Traffic coming to R1 that does not match access list SNMP is dropped.
B. Traffic generated by R1 that matches access list SNMP is policed.
C. Traffic passing through R1 that matches access list SNMP is policed.
D. Traffic coming to R1 that matches access list SNMP is policed.

Answer: D

Question 70

Which two characteristics apply to the endpoint security aspect of the Cisco Threat Defense
architecture? (Choose two)

A. outbound URL analysis and data transfer controls
B. detect and block ransomware in email attachments
C. cloud-based analysis of threats
D. blocking of fileless malware in real time
E. user context analysis

Answer: A D

Explanation

The goal of the Cyber Threat Defense solution is to introduce a design and architecture that can
help facilitate the discovery, containment, and remediation of threats once they have penetrated
into the network interior.

Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its
objectives:

..
* Content Security Appliances and Services
– Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS)
– Dynamic threat control for web traffic
– Outbound URL analysis and data transfer controls
– Detection of suspicious web activity
– Cisco Email Security Appliance (ESA)
– Dynamic threat control for email traffic
– Detection of suspicious email activity

* Cisco Identity Services Engine (ISE)
– User and device identity integration with Lancope StealthWatch
– Remediation policy actions using pxGrid

Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd2-0/
design_guides/ctd_2-0_cvd_guide_jul15.pdf

Question 71

Drag and drop the characteristics from the left onto the routing protocols they describe on the
right.

Answer:

EIGRP
+ It is an Advanced Distance Vector routing protocol
+ It relies on the Diffused Update Algorithm to calculate the shortest path to a destination
+ It requires an Autonomous System number to create a routing instance for exchanging routing
information

OSPF
+ The default Administrative Distance is equal to 110
+ It requires a process ID that is local to the router
+ It uses virtual links to connect two parts of a partitioned backbone through a non-backbone
area

Question 72

Which activity requires access to Cisco DNA Center CLI?

A. provisioning a wireless LAN controller
B. creating a configuration template
C. upgrading the Cisco DNA Center software
D. graceful shutdown of Cisco DNA Center

Answer: D

Explanation

The Cisco DNA Center GUI can create a configuration template by clicking the menu icon and
choosing Tools > Template Editor -> Answer B is not correct.

The Cisco DNA Center GUI can also upgrade the Cisco DNA Center software by clicking the menu
icon and choosing System > Software Updates -> Answer C is not correct.

Between the two answers left, answer D is the best choice. We can shutdown the DNA Center
with the “sudo shutdown -h now” command.

Question 73

How does EIGRP differ from OSPF?

A. EIGRP is more prone to routing loops than OSPF
B. EIGRP supports equal or unequal path cost, and OSPF supports only equal path cost.
C. EIGRP has a full map of the topology, and OSPF only knows directly connected neighbors
D. EIGRP uses more CPU and memory than OSPF

Answer: B

Explanation

Neither EIGRP nor OSPF is susceptible to routing loops, and EIGRP is not more prone to routing
loops than OSPF -> Answer A is not correct.

Both EIGRP and OSPF have a full map of the topology -> Answer C is not correct.

OSPF maintains information about all the networks and running routers in its area. Each time
there is a change within the area, all routers need to re-sync their database and then run SPF
again. This process makes it more CPU intensive. EIGRP, on the other hand, has triggered and
incremental updates. Therefore EIGRP is more efficient in terms of CPU usage and memory.

Question 74

What is the function of vBond in a Cisco SDWAN deployment?

A. onboarding of SDWAN routers into the SD-WAN overlay
B. pushing of configuration toward SD-WAN routers
C. initiating connections with SD-WAN routers automatically
D. gathering telemetry data from SD-WAN routers

Answer: A

Explanation

Orchestration plane (vBond) assists in securely onboarding the SD-WAN WAN Edge routers
into the SD-WAN overlay. The vBond controller, or orchestrator, authenticates and authorizes
the SD-WAN components onto the network. The vBond orchestrator takes an added
responsibility to distribute the list of vSmart and vManage controller information to the WAN
Edge routers. vBond is the only device in SD-WAN that requires a public IP address as it is the
first point of contact and authentication for all SD-WAN components to join the SD-WAN fabric.
All other components need to know the vBond IP or DNS information.

Question 75

Refer to the exhibit.

#!/usr/bin/python3

import sys
import requests

# Suppress the InsecureRequestWarning that verify=False would otherwise print
requests.urllib3.disable_warnings()

AuthURL = "https://dna-center/dna/system/api/v1/auth/token"
USER = "admin"
PASSWORD = "SomePassword"

# DNA Center returns a token in exchange for HTTP Basic credentials.
# verify=False disables TLS certificate validation for this request.
Response = requests.post(AuthURL, auth=(USER, PASSWORD), verify=False)

if Response.status_code < 200 or Response.status_code > 299:
    print(f"Aborting; received status code {Response.status_code}")
    sys.exit(1)

<...removed...>

admin@linux:~$ ./fetch.py
Aborting; received status code 401

An administrator writes a script to fetch the list of devices that are registered with Cisco DNA
Center. Why does the execution abort?

A. The “dna-center” hostname cannot be resolved to an IP address
B. The username or the password is incorrect
C. The TLS certificate of DNA Center is invalid
D. The authentication URL is incorrect

Answer: B

Explanation

From the last line, we see the returned code was 401.

401 Unauthorized is the HTTP status code a server returns when the request reached it but did not carry valid authentication credentials; here the username/password pair sent in the HTTP Basic header was rejected -> Answer B is correct.

The other options cannot produce this output with this script: a hostname that does not resolve raises a requests ConnectionError before any status code exists (answer A), verify=False disables certificate validation so an invalid TLS certificate is silently accepted (answer C), and a wrong URL on a web server normally returns 404, not 401 (answer D).
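As an added example (not code from the original page), the function below turns the script’s error handling into a diagnosis that separates the four causes offered as answers: name resolution and connection failures surface as a requests ConnectionError before any status code exists, certificate problems as an SSLError (only while verify=True), a wrong URL typically as 404, and rejected credentials as 401. The CannedAdapter, the offline session and the credentials used at the bottom are constructed here so the example runs without a DNA Center appliance.

```python
"""Added example, not part of the original page: classify the outcome of the
DNA Center token request so a script can tell DNS, TLS, URL and credential
problems apart instead of aborting on any non-2xx status.

CannedAdapter, offline_session and the credentials used in __main__ are
constructed for this example so it runs without a DNA Center appliance.
"""
import requests
from requests.adapters import BaseAdapter


def classify_auth_result(session, auth_url, user, password, verify=True):
    """POST to the token endpoint and return a short reason string.

    verify=True is the secure default. The exhibit's verify=False disables
    certificate validation, so with that setting an invalid DNA Center
    certificate is silently accepted and never causes an abort.
    """
    try:
        resp = session.post(auth_url, auth=(user, password), verify=verify, timeout=10)
    except requests.exceptions.SSLError:
        # SSLError is a subclass of ConnectionError, so it must be caught first.
        return "tls-certificate-invalid"
    except requests.exceptions.ConnectionError:
        # Name resolution failures and refused connections land here,
        # before any HTTP status code exists.
        return "host-unreachable-or-unresolvable"
    if resp.status_code == 401:
        return "bad-credentials"
    if resp.status_code == 404:
        return "wrong-auth-url"
    if 200 <= resp.status_code <= 299:
        return "ok"
    return f"http-{resp.status_code}"


class CannedAdapter(BaseAdapter):
    """Offline transport that answers every request with a fixed status code."""

    def __init__(self, status_code):
        super().__init__()
        self.status_code = status_code

    def send(self, request, **kwargs):
        resp = requests.Response()
        resp.status_code = self.status_code
        resp.request = request
        resp.url = request.url
        resp._content = b'{"response":"canned"}'
        return resp

    def close(self):
        pass


def offline_session(status_code):
    """A requests.Session whose https:// traffic is served by CannedAdapter."""
    session = requests.Session()
    session.mount("https://", CannedAdapter(status_code))
    return session


if __name__ == "__main__":
    auth_url = "https://dna-center/dna/system/api/v1/auth/token"   # URL from the exhibit
    # Replays the exhibit: a 401 means the credentials were rejected.
    print(classify_auth_result(offline_session(401), auth_url, "admin", "SomePassword"))
```

Keep verify=True (or point verify at the appliance’s CA bundle) in production scripts; the exhibit’s verify=False silences certificate validation, which is exactly why an invalid certificate could never have been the reason that script aborted.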

Question 76

When is GLBP preferred over HSRP?

A. When encrypted hellos are required between gateways in a single group
B. When the traffic load needs to be shared between multiple gateways using a single virtual IP
C. When the gateway routers are a mix of Cisco and non-Cisco routers
D. When clients need the gateway MAC address to be the same between multiple gateways

Answer: B

Explanation

The advantage of GLBP over HSRP and VRRP is that GLBP load-balances traffic within one group: the active virtual gateway answers ARP for the single virtual IP with the virtual MAC addresses of several active virtual forwarders, so different clients use different physical gateways. With HSRP or VRRP, load sharing requires multiple groups (and multiple virtual IPs) with clients split between them.

Question 77

A network engineer wants to configure console access to a router without using AAA so that
privileged EXEC mode is entered directly after a user provides the correct login credentials. Which
action achieves this goal?

A. Configure login authentication privileged on line con 0
B. Configure a local username with privilege level 15
C. Configure privilege level 15 on line con 0
D. Configure a RADIUS or TACACS+ server and use it to send the privilege level

Answer: C

Explanation

Setting privilege level 15 on the console line is one way to achieve this, and it works as long as you accept that everyone who logs in on the console is placed directly into privileged EXEC mode. Physical access to the console port then becomes the only control, so keep it in a locked rack.

Reference: https://community.cisco.com/t5/network-access-control/privileged-exec-at-line-con-0/td-p/1705892

We also tested both “login authentication privileged” and “privilege level 15”. Only the latter is accepted without AAA; “login authentication <list>” on a line requires aaa new-model and a method list, which the question rules out.

Question 78

Which TLV value must be added to Option 43 when DHCP is used to ensure that APs join the
WLC?

A. 642
B. 0x77
C. 0xf1
D. AAA

Answer: C

Explanation

“TLV values for the Option 43 suboption: Type + Length + Value. Type is always the suboption code 0xf1. Length is the number of controller management IP addresses times 4, in hex, and Value is the list of those IP addresses in hex.”

Question 79
An engineer must create an EEM applet that sends a syslog message in the event a change
happens in the network due to trouble with an OSPF process. Which action should the engineer
use?

A. action 1 syslog msg “OSPF ROUTING ERROR”
B. action 1 syslog send “OSPF ROUTING ERROR”
C. action 1 syslog pattern “OSPF ROUTING ERROR”
D. action 1 syslog write “OSPF ROUTING ERROR”

Answer: A

Explanation

The EEM applet action that generates a syslog message is action <label> syslog [priority <level>] msg “<text>”. “syslog pattern” belongs to the event side of an applet (event syslog pattern “...”), which is what triggers it, not what it does in response.

Question 80

Which method does Cisco DNA Center use to allow management of non-Cisco devices through
southbound protocols?

A. It creates device packs through the use of an SDK
B. It obtains MIBs from each vendor that details the APIs available.
C. It uses an API call to interrogate the devices and register the returned data.
D. It imports available APIs for the non-Cisco device in a CSV format.

Answer: A

Explanation

Cisco DNA Center allows customers to manage their non-Cisco devices through the use of a
Software Development Kit (SDK) that can be used to create Device Packages for third-party
devices.

Reference: https://developer.cisco.com/docs/dna-center/#!cisco-dna-center-platform-
overview/multivendor-support-southbound

Question 81

What does a YANG model provide?

A. standardized data structure independent of the transport protocols
B. creation of transport protocols and their interaction with the OS
C. user access to interact directly with the CLI of the device to receive or modify network configurations
D. standardized data structure that can be used only with NETCONF or RESTCONF transport protocols

Answer: A

Explanation

YANG (Yet Another Next Generation) is protocol independent, and YANG data models can be
used independent of the transport or RPC protocol and can be converted into any encoding
format supported by the network configuration protocol.

Reference: https://www.juniper.net/documentation/us/en/software/junos/netconf/topics/
concept/netconf-yang-overview.html

Currently YANG can be used by NETCONF, RESTCONF and gRPC.

Question 82

Refer to the exhibit.


Which commands are required to allow SSH connection to the router?

Option A

Router(config)#access-list 10 permit tcp any eq 22 any
Router(config)#class-map class-ssh
Router(config-cmap)#match access-group 10
Router(config)#policy-map CoPP
Router(config-pmap)#class class-ssh
Router(config-pmap-c)#police 100000 conform-action transmit

Option B

Router(config)#access-list 100 permit udp any any eq 22
Router(config)#access-list 101 permit tcp any any eq 22
Router(config)#class-map class-ssh
Router(config-cmap)#match access-group 101
Router(config)#policy-map CoPP
Router(config-pmap)#police 100000 conform-action transmit

Option C

Router(config)#access-list 100 permit tcp any eq 22 any
Router(config)#class-map class-ssh
Router(config-cmap)#match access-group 10
Router(config)#policy-map CoPP
Router(config-pmap)#class class-ssh
Router(config-pmap-c)#police 100000 conform-action transmit

Option D

Router(config)#access-list 100 permit tcp any any eq 22
Router(config)#access-list 101 permit tcp any any eq 22
Router(config)#class-map class-ssh
Router(config-cmap)#match access-group 101
Router(config)#policy-map CoPP
Router(config-pmap)#class class-ssh
Router(config-pmap-c)#police 100000 conform-action transmit

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

Option A uses a standard ACL (10), which can only match a source address, so the tcp/port syntax is invalid. Option B applies police directly under the policy-map instead of under a class, and its only SSH match is in a UDP entry. Option C references access-group 10, which was never created, and its ACL 100 matches source port 22 rather than the destination port. Option D matches TCP to destination port 22 with an extended ACL, references that ACL from the class-map, and polices the class inside the CoPP policy-map. Note that CoPP only takes effect once the policy is attached with service-policy input CoPP under control-plane.

Question 83

Refer to the exhibit.

R1
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 209.165.201.1 255.255.255.224
ip nat outside
!
ip nat pool Busi 209.165.201.1 209.165.201.2 netmask 255.255.255.252
ip nat inside source list 1 pool Busi
!
access-list 1 permit 10.1.1.0 0.0.0.255
!

R1#show ip nat statistics


Total active translations: 1 (0 static, 1 dynamic, 0 extended)
Outside Interfaces:
Inside Interfaces:
Ethernet0/0
Hits: 119 Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool Busi refcount 1
pool Busi: netmask 255.255.255.252
start 209.165.201.1 end 209.165.201.2
type generic, total addresses 2, allocated 1 (50%), misses 0

A network engineer configures NAT on R1 and enters the show command to verify the
configuration. What does the output confirm?

A. R1 is configured with NAT overload parameters
B. The first packet triggered NAT to add an entry to the NAT table
C. A Telnet from 160.1.1.1 to 10.1.1.10 has been initiated
D. R1 is configured with PAT overload parameters

Answer: B

Explanation

The NAT statement carries no overload keyword, so neither NAT nor PAT overload is configured -> answers A and D are not correct. A miss is counted when a packet arrives for which no translation exists yet, so “Hits: 119 Misses: 1” together with one dynamic translation means the first packet created the entry and the following 119 packets matched it -> answer B is correct. Nothing in this output shows a Telnet session; that would need show ip nat translations -> answer C is not correct.

Question 84

Refer to the exhibit.

Router#show run | b vty


line vty 0 4
session-timeout 30
exec-timeout 120 0
session-limit 30
login local
line vty 5 15
session-timeout 30
exec-timeout 30 0
session-limit 30
login local

Only administrators from the subnet 10.10.10.0/24 are permitted to have access to the router.
A secure protocol must be used for the remote access and management of the router instead of
clear-text protocols. Which configuration achieves this goal?

Option A

access-list 23 permit 10.10.10.0 0.0.0.255
line vty 0 4
access-class 23 in
transport input ssh

Option B

access-list 23 permit 10.10.10.0 0.0.0.255
line vty 0 15
access-class 23 in
transport input ssh

Option C

access-list 23 permit 10.10.10.0 0.0.0.255
line vty 0 15
access-class 23 out
transport input all

Option D

access-list 23 permit 10.10.10.0 255.0.0.0
line vty 0 15
access-class 23 in
transport input ssh

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

The exhibit shows sixteen VTY lines (0 to 4 and 5 to 15), so the restriction must be applied to line vty 0 15; Option A leaves lines 5 to 15 open to any source and any protocol. Option C filters sessions originated from the router (access-class 23 out) and still allows Telnet with transport input all. Option D uses the wildcard 255.0.0.0, which matches any address whose first octet is 10, not just 10.10.10.0/24. Option B restricts inbound access on every VTY line to the administrators’ subnet and allows SSH only.

Question 85

Which two operational modes enable an AP to scan one or more wireless channels for rogue
access points and at the same time provide wireless services to clients? (Choose two)

A. Sniffer
B. Rogue detector
C. Local
D. FlexConnect
E. Monitor

Answer: C D

Explanation

A lightweight AP (LAP) operates in one of several modes:

+ Local mode (default mode): serves clients, measures noise floor and interference, and scans the unused channels for intrusion detection (IDS) events and rogue APs every 180 seconds
+ FlexConnect mode, formerly known as Hybrid Remote Edge AP (H-REAP): allows data traffic to be switched locally instead of going back to the controller. A FlexConnect AP can perform standalone client authentication and switch VLAN traffic locally even when it is disconnected from the WLC (locally switched), or tunnel both user data and control traffic to a centralized WLC via CAPWAP (centrally switched)
+ Monitor mode: does not handle data traffic between clients and the infrastructure. It acts as a dedicated sensor for location-based services (LBS), rogue AP detection and IDS
+ Rogue detector mode: monitors for rogue APs. It does not handle client data at all
+ Sniffer mode: captures and forwards all packets on a particular channel to a remote machine, where a protocol analyzer (Wireshark, AiroPeek, etc.) is used to review the packets and diagnose issues. Strictly used for troubleshooting
+ Bridge mode: bridges the WLAN and the wired infrastructure together
+ Sensor mode: a special mode not listed in the books but worth knowing. In this mode the device behaves much like a WLAN client, associating to the network and identifying client connectivity issues in real time without an engineer being on site

Although Monitor and Rogue detector mode can detect rogue APs, they do not serve clients, so they are not correct.

Rogue Detection
A rogue is essentially any device that shares your spectrum, but is not in your control. This
includes rogue Access Points, wireless router, rogue clients, and rogue ad-hoc networks. The
Cisco UWN uses a number of methods to detect Wi-Fi-based rogue devices such as off-channel
scanning and dedicated monitor mode capabilities. Cisco Spectrum Expert can also be used to
identify rogue devices not based on the 802.11 protocol, such as Bluetooth bridges.

Off-Channel Scanning

This operation is performed by Local and Flex-Connect (in connected mode) mode APs and
utilizes a time-slicing technique which allows client service and channel scanning with the usage
of the same radio.
Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-
controllers/112045-handling-rogue-cuwn-00.html

Question 86

What are two benefits of implementing a Cisco SD-WAN architecture? (Choose two)

A. It provides resilient and effective traffic flow using MPLS
B. It improves endpoint protection by integrating embedded and cloud security features
C. It allows configuration of application-aware policies with real time enforcement
D. It simplifies endpoint provisioning through standalone router management
E. It enforces a single, scalable, hub-and-spoke topology

Answer: B C

Explanation

The top SD-WAN benefits are:


+ Increased bandwidth at a lower cost
+ Centralized management across branch networks
+ Full visibility into the network
+ Providing organizations with more connection type options and vendor selection when building
a network.

Reference: https://www.sdxcentral.com/networking/sd-wan/definitions/sd-wan-technology/

-> Endpoints (WAN Edges) are provisioned centrally through vManage, not through standalone router management -> Answer D is not correct.

Answer A is not correct because SD-WAN is transport independent: MPLS, LTE/4G, xDSL and plain Internet connections can all carry the overlay.

Application-Aware Routing policy is configured in vManage as a centralized data policy that maps the service-side application(s) to specific SLA requirements. The centralized policy provisioned in the vSmart controller is pushed to the relevant WAN Edge devices for enforcement. The defined policy consists of match-action pairs, where the match statement defines the application list or the type of traffic to match, and the action statement defines the SLA action the WAN Edge devices must enforce for the specified traffic.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-
application-aware-routing-deploy-guide.html

-> Therefore answer C is correct.

Answer E is not correct as it is not a benefit of SD-WAN.

Cisco SD-WAN is fully integrated with cloud-delivered Cisco Umbrella, which offers protection
against security blind spots and cyberthreats. Powered by the Umbrella global network and Cisco
Talos threat intelligence, it’s the easiest way to deliver protection to users anywhere they access
the internet and cloud apps -> Answer B is correct.

Question 87

Refer to the exhibit.


Which two facts does the device output confirm? (Choose two)

A. The device is using the default HSRP hello timer
B. The standby device is configured with the default HSRP priority
C. The device’s HSRP group uses the virtual IP address 10.0.3.242
D. The device is configured with the default HSRP priority
E. The device sends unicast messages to its peers

Answer: A B

Explanation

From the output above, we see the local router is the active HSRP router with priority 110 while
the default priority is 100 -> Answer D is not correct.

From the line “Standby router is 10.0.3.242, priority 100”, we learn that standby router is
configured with default priority -> Answer B is correct.

HSRP default hello and hold timers are 3 seconds and 10 seconds, respectively so answer A is
correct.

==================== New Questions (added on 20th-Oct-2023) ====================

Question 88

Refer to the exhibit.

R1(config)# ip nat inside source static 10.70.5.1 10.45.1.7

A network architect has partially configured static NAT. Which commands must be issued to
complete the configuration?
A.
R1(config)#interface GigabitEthernet0/0
R1(config)#ip pat outside

R1(config)#interface GigabitEthernet0/1
R1(config)#ip pat inside

B.
R1(config)#interface GigabitEthernet0/0
R1(config)#ip nat outside

R1(config)#interface GigabitEthernet0/1
R1(config)#ip nat inside

C.
R1(config)#interface GigabitEthernet0/0
R1(config)#ip nat inside

R1(config)#interface GigabitEthernet0/1
R1(config)#ip nat outside

D.
R1(config)#interface GigabitEthernet0/0
R1(config)#ip pat inside

R1(config)#interface GigabitEthernet0/1
R1(config)#ip pat outside

Answer: B

Explanation

The syntax of NAT command is ip nat inside source static local-ip global-ip so we can deduce
the first IP address is the local IP address where we apply “ip nat inside” command and the
second IP address is the global IP address where we apply “ip nat outside” command.

Question 89

Which Python library is used to work with YANG data models via NETCONF?

A. Postman
B. requests
C. ncclient
D. cURL

Answer: C

Explanation

In order to work with NETCONF, we have a library called ncclient. It’s a Python library that
facilitates client-side scripting and application development around the NETCONF protocol.

Reference: https://blog.wimwauters.com/networkprogrammability/2020-03-30-
netconf_python_part1/

Question 90

Refer to the exhibit.


Which two configurations enable R1 and R2 to advertise routes into OSPF? (Choose two)

A. R2
router ospf 0
network 172.16.1.0 255.255.255.0 area 0
network 172.16.2.0 255.255.255.0 area 0

B. R2
router ospf 0
network 172.16.1.0 0.0.0.255 area 0
network 172.16.2.0 255.255.255.0 area 0

C. R1
router ospf 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0

D. R2
router ospf 0
network 172.16.1.0 0.0.0.255 area 0
network 172.16.2.0 0.0.0.255 area 0

E. R1
router ospf 0
network 192.168.1.0 255.255.255.0 area 0
network 192.168.2.0 255.255.255.0 area 0

Answer: C D

Explanation

The OSPF network command takes a wildcard (inverse) mask, so the /24 networks are written with 0.0.0.255; answers A, B and E put a subnet mask (255.255.255.0) in that position. Answers C and D each enable OSPF on both LAN networks of their router with the correct wildcard.

Question 91

Which two functions is an edge node responsible for? (Choose two)

A. provides multiple entry and exit points for fabric traffic
B. provides the default exit point for fabric traffic
C. provides the default entry point for fabric traffic
D. provides a host database that maps endpoint IDs to a current location
E. authenticates endpoints

Answer: A E

Explanation

From the reference below we learn that answer D is not correct: it is the Control Plane node, not the Edge node, that keeps the host database mapping Endpoint IDs to their current location, along with other attributes.

The same reference (page 34) lists the functions of the Edge node, which provides first-hop services for users and devices connected to the fabric:

+ Identifying and authenticating endpoints (e.g. static, 802.1X, Active Directory) -> Answer E is correct
+ Registering specific Endpoint ID information (e.g. /32 or /128) with the Control Plane node(s)
+ Providing an anycast Layer 3 gateway for the connected endpoints (same IP address on all Edge nodes)
+ Encapsulating and de-encapsulating data traffic to and from all connected endpoints

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKCRS-2818.pdf

The same reference also states that the Border node is the “default” exit used when no entry is available in the Control Plane (the “gateway of last resort” for unknown destinations) -> Answers B and C are not correct.

That leaves answer A: every Edge node encapsulates and de-encapsulates fabric traffic for its endpoints, so the fabric has multiple entry and exit points.

Question 92

Refer to the exhibit.

A network engineer is troubleshooting an issue with the file server based on reports of slow file
transmissions. Which two commands or command sets are required in switch SW1 to analyze
the traffic from the file server with a packet analyzer? (Choose two)

A. SW1#show monitor

B. SW1(config)#monitor session 1 source interface gigabitethernet0/3
SW1(config)#monitor session 1 destination interface gigabitethernet0/1 encapsulation replicate

C. SW1#show ip route

D. SW1#show vlan

Answer: A B

Explanation

The two monitor session commands create a local SPAN session that copies the file server’s traffic from Gi0/3 to the port where the packet analyzer is connected (Gi0/1); encapsulation replicate preserves the original VLAN tagging on the copied frames. show monitor verifies that the session is configured as intended. show ip route and show vlan play no part in mirroring traffic.

Question 93

Which configuration filters out DOT1X messages in the format shown below from being sent
toward Syslog server 10.15.20.33?
Nov 20 13:47:32.553: %DOT1X-5-FAIL: Authentication failed for client (e04f.438e.de4f) on
Interface Gi1/0/1 AuditSessionID OAQB50A5000004543910739E

A. logging discriminator DOT1X facility drops DOT1X
logging host 10.15.20.33 discriminator DOT1X

B. logging discriminator DOT1X msg-body drops DOTX
logging host 10.15.20.33 discriminator DOTX

C. logging discriminator DOT1X mnemonics includes DOTX
logging host 10.15.20.33 discriminator DOT1X

D. logging discriminator DOT1X mnemonics includes DOT1X
logging host 10.15.20.33 discriminator DOTX

Answer: A

Explanation

In the message %DOT1X-5-FAIL, DOT1X is the facility, 5 the severity and FAIL the mnemonic. The command “logging discriminator DOT1X facility drops DOT1X” therefore creates a logging message filter that drops every message whose facility matches the regular expression “DOT1X”.

Here’s a breakdown of the configuration:

+ logging discriminator DOT1X: creates a discriminator named “DOT1X” which can be used to filter specific types of log messages.
+ facility drops DOT1X: tells the discriminator to drop log messages whose facility matches “DOT1X”. The facility groups messages by the subsystem or process that generated them.
+ logging host 10.15.20.33 discriminator DOT1X: attaches the discriminator to that syslog host, so the filter is applied only to messages sent to 10.15.20.33. Messages in the local buffer are not affected unless the discriminator is also referenced in logging buffered.

Options B and D attach a discriminator named DOTX to the host, which was never defined. Option C would forward only messages whose mnemonic matches “DOTX”, which none do, so it would drop everything rather than just the DOT1X messages.

Dropping these messages can be useful when a large volume of 802.1X messages is not needed for troubleshooting or auditing at that collector, but keep in mind that authentication failures are also security evidence: dropping them at the device removes them from the SIEM as well.

Reference: https://community.cisco.com/t5/network-management/filtering-of-logging-
messages-to-a-syslog-server-on-a-catalyst/td-p/2585566
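As an added example (not code from the original page), the script below parses Cisco IOS syslog lines into facility, severity and mnemonic and applies discriminator-style filters to them, so the effect of each answer option can be checked against real-looking messages. The sample log lines are constructed for this example; the first one is the message from the question.

```python
"""Added example, not part of the original page: parse Cisco IOS syslog lines into
facility / severity / mnemonic and apply "logging discriminator"-style filters, so
the effect of each answer option can be checked against real-looking messages.

SAMPLE_LOG is constructed for this example; its first line is the message from
the question.
"""
import re

# %FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by "Mon dd hh:mm:ss.mmm:"
IOS_MSG = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$"
)

SAMPLE_LOG = [
    "Nov 20 13:47:32.553: %DOT1X-5-FAIL: Authentication failed for client (e04f.438e.de4f) "
    "on Interface Gi1/0/1 AuditSessionID OAQB50A5000004543910739E",
    "Nov 20 13:47:40.101: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, "
    "changed state to down",
    "Nov 20 13:47:41.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 10.15.20.40] [localport: 22] [Reason: Login Authentication Failed]",
    "Nov 20 13:47:45.000: %DOT1X-5-SUCCESS: Authentication successful for client (e04f.438e.de4f) "
    "on Interface Gi1/0/2 AuditSessionID OAQB50A500000455391073A0",
]


def parse_ios_syslog(line):
    """Return a dict with ts, facility, severity (int), mnemonic and body, or None."""
    m = IOS_MSG.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def discriminator(field, action, pattern):
    """Mirror 'logging discriminator NAME <field> {drops|includes} <regex>'.

    field is one of facility, mnemonics, severity or msg-body. The returned
    predicate is True when the message is still forwarded, False when filtered.
    """
    if action not in ("drops", "includes"):
        raise ValueError("action must be 'drops' or 'includes'")
    key = {"mnemonics": "mnemonic", "msg-body": "body"}.get(field, field)
    rx = re.compile(pattern)

    def forwarded(msg):
        matched = rx.search(str(msg[key])) is not None
        return (not matched) if action == "drops" else matched

    return forwarded


def forward_to_host(lines, forwarded):
    """Apply a discriminator the way 'logging host ... discriminator NAME' would."""
    kept = []
    for line in lines:
        msg = parse_ios_syslog(line)
        # Lines that are not %FACILITY-SEV-MNEMONIC messages pass through unchanged.
        if msg is None or forwarded(msg):
            kept.append(line)
    return kept


if __name__ == "__main__":
    option_a = discriminator("facility", "drops", "DOT1X")      # answer A
    option_c = discriminator("mnemonics", "includes", "DOTX")   # answer C
    print(len(forward_to_host(SAMPLE_LOG, option_a)), "messages forwarded with option A")
    print(len(forward_to_host(SAMPLE_LOG, option_c)), "messages forwarded with option C")
```

Option A forwards the LINEPROTO and SEC_LOGIN messages and drops both DOT1X messages (the failure and the success); option C forwards nothing, because no mnemonic matches DOTX. Before deploying such a filter, decide whether %DOT1X-5-FAIL is noise or evidence for your collector: it is often exactly the event a SIEM rule for failed endpoint authentication keys on, and rate-limiting at the collector may be the better choice.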

Question 94

A customer has a pair of Cisco 5520 WLCs set up in an SSO cluster to manage all APs. Guest
traffic is anchored to a Cisco 3504 WLC located in a DMZ. Which action is needed to ensure that
the EoIP tunnel remains in an UP state in the event of failover on the SSO cluster?

A. Configure back-to-back connectivity on the RP ports
B. Use the mobility MAC when the mobility peer is configured
C. Enable default gateway reachability check
D. Use the same mobility domain on all WLCs

Answer: B

Explanation

In order to keep the mobility network stable without any manual intervention and in the event of
failure or switchover, the back-and-forth concept of Mobility MAC has been introduced.
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/
High_Availability_DG.html

Question 95

What is one difference between Saltstack and Ansible?

A. SaltStack uses an API proxy agent to program Cisco boxes on agent mode, whereas Ansible
uses a Telnet connection
B. SaltStack uses the Ansible agent on the box, whereas Ansible uses a Telnet server on the box
C. SaltStack is constructed with minion, whereas Ansible is constructed with YAML
D. SaltStack uses SSH to interact with Cisco devices, whereas Ansible uses an event bus

Answer: C

Explanation

– SaltStack states are written in YAML (rendered through Jinja and Python), just as Ansible playbooks are, so YAML is not what sets them apart.
– SaltStack’s default transport is a ZeroMQ message bus between the master and its minions (agents); an agentless salt-ssh mode and proxy minions for network devices also exist.
– Ansible is agentless and connects over SSH (or a device API), never Telnet.

In the SaltStack architecture, the core component is the Salt minion, an agent on the system being controlled by a Salt master; Ansible has no such agent.

Question 96

Which protocol is used to encrypt control plane traffic between SD-WAN controllers and SD-WAN
endpoints?

A. DTLS
B. IPsec
C. PGP
D. HTTPS

Answer: A

Explanation

DTLS is the default protocol for the control connections between WAN Edge routers and the vSmart, vManage and vBond controllers (TLS can be configured instead for the vSmart and vManage connections). Data plane traffic between WAN Edges is protected with IPsec, which is why answer B is not correct here.

Question 97
Refer to the exhibit.

BR(config)#interface tunnel1
BR(config-if)#keepalive 5 3

HQ(config)#interface tunnel1
HQ(config-if)#keepalive 5 3

What is the effect of these commands on the BR and HQ tunnel interfaces?

A. The tunnel line protocol goes down when the keepalive counter reaches 6
B. The keepalives are sent every 5 seconds and 3 retries
C. The keepalives are sent every 3 seconds and 5 retries.
D. The tunnel line protocol goes down when the keepalive counter reaches 5

Answer: B

Explanation

The syntax is keepalive [seconds [retries]], so each of BR and HQ sends a keepalive every 5 seconds and tolerates 3 missed replies. When 3 consecutive keepalives go unanswered (about 15 seconds), the router concludes the tunnel is broken and brings the tunnel line protocol down.

Question 98

Refer to the exhibit.


An engineer is troubleshooting an issue with client devices triggering excessive power changes
on APs in the 2.4 GHz band. Which action resolves this issue?

A. Disable Coverage Hole Detection
B. Disable Aironet IE
C. Set the 802.11 b/g/n DTIM interval to 0
D. Enable MFP Client Protection

Answer: A

Explanation

Coverage Hole Detection is a feature that detects areas with poor wireless coverage and may
trigger power changes on APs to improve coverage. Disabling it would prevent the APs from
making these adjustments, which could stabilize the power levels.

MFP Client Protection is used to protect against clients connecting to a rogue access point only -
> Answer D is not correct.

From the exhibit, we see that DTIM Period ranges from 1 to 255 so we cannot set it to 0 ->
Answer C is not correct.

“Aironet IE” means “Aironet Information Element Extensions”. This extension helps Cisco-compatible clients choose the best access point, but it does not relate to the power changes in this question.

Question 99
Drag and drop the solutions that comprise Cisco Cyber Threat Defense from the left onto the
objectives they accomplish on the right.

Answer:

+ detects suspicious web activity: Web Security Appliance
+ analyzes network behavior and detects anomalies: StealthWatch
+ uses pxGrid to remediate security threats: Identity Services Engine

Explanation

Cisco ISE collects dynamic contextual data from throughout the network and uses Cisco pxGrid
technology, a robust context-sharing platform, to share that deeper level of contextual data
about connected users and devices with external and internal ecosystem partner solutions.
Through the use of a single API, Cisco ISE network and security partners use this data in order
to improve their own network access capabilities and accelerate their solutions’ capabilities to
identify, mitigate, and remediate network threats.

StealthWatch: performs security analytics by collecting network flows via NetFlow

Question 100

Refer to the exhibit.

ip access-list extended 101


10 deny ip any any
!
event manager applet Block_Users
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "interface GigabitEthernet1"
action 4.0 cli command "ip access-group 101 in"
action 5.0 cli command "ip access-group 101 out"

An engineer builds an EEM script to apply an access list. Which statement must be added to
complete the script?

A. event none
B. action 2.1 cli command “ip action 3.1 cli command 101”
C. action 6.0 cli command ”ip access-list extended 101”
D. action 6.0 cli command ”ip access-list extended 101″

Answer: A

Explanation
“event none” means the applet has no automatic trigger and is run manually with the event manager run Block_Users command. Note that even if “event none” is entered last, IOS places it at the top of the applet in the running configuration.

Question 101

Which two new security capabilities are introduced by using a next-generation firewall at the
Internet edge? (Choose two)

A. DVPN
B. NAT
C. stateful packet inspection
D. application-level inspection
E. integrated intrusion prevention

Answer: D E

Explanation

Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and intelligence brought in from outside the firewall. Stateful packet inspection and NAT are capabilities a traditional firewall already provides, so they are not new with an NGFW.

Reference: https://www.gartner.com/en/information-technology/glossary/next-generation-
firewalls-ngfws

Question 102

Why would a small or mid-size business choose a cloud solution over an on-premises solution?

A. Cloud provides lower upfront cost than on-premises.
B. Cloud provides more control over the implementation process than on-premises.
C. Cloud provides greater ability for customization than on-premises.
D. Cloud provides higher data security than on-premises.

Answer: A

Question 103

Why does the vBond orchestrator have a public IP?


A. to allow for global reachability from all WAN Edges in the Cisco SD-WAN and to facilitate NAT
traversal
B. to provide access to Cisco Smart Licensing servers for license enablement
C. to enable vBond to learn the public IP of WAN Edge devices that are behind NAT gateways or
in private address space
D. to facilitate downloading and distribution of operational and security patches

Answer: A

Explanation

SD-WAN Validator – This software-based component performs the initial authentication of WAN
Edge devices and orchestrates SD-WAN Controller, Manager, and WAN Edge connectivity. It also
has an important role in enabling the communication between devices that sit behind Network
Address Translation (NAT).

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-
guide.html

The major components of the Cisco SD-WAN Validator are:

NAT traversal: The Cisco SD-WAN Validator facilitates the initial orchestration between edge
routers and Cisco SD-WAN Controllers when one or both of them are behind NAT devices.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-
book/system-overview.html

Note: Cisco SD-WAN has been rebranded to Cisco Catalyst SD-WAN. As part of this rebranding,
the vManage name has been changed to SD-WAN Manager, the vSmart name has been changed
to SD-WAN Controller, and the vBond name has been changed to SD-WAN Validator.

Question 104

An engineer must export the contents of the Devices object in JSON format. Which statement must be used?

A. json.print(Devices)
B. json.loads(Devices)
C. json.dumps(Devices)
D. json.repr(Devices)

Answer: C

Explanation

json.loads() takes a JSON string and returns the equivalent Python object (dict, list, etc.), while json.dumps() takes a Python object and returns a JSON string. In this question, “Devices” is a list, not a string, so json.dumps() is what converts it into JSON text that can be printed or written to a file. Passing a list to json.loads() raises a TypeError because it accepts only str, bytes or bytearray.

Note: the json module has no print() or repr() functions, so answers A and D are not valid.
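As an added example (not code from the original page), the functions below perform the export the question asks for on a constructed list of device records, read the result back, and reproduce the failure of calling json.loads() on the list itself.

```python
"""Added example, not part of the original page: export a Python list of device
records (shaped like the Devices object in the question) as JSON text, read it
back, and show why json.loads() cannot be used on the list itself.

DEVICES is a constructed sample, not DNA Center output.
"""
import json

DEVICES = [
    {"hostname": "edge-1", "managementIpAddress": "10.1.1.1", "reachabilityStatus": "Reachable"},
    {"hostname": "core-1", "managementIpAddress": "10.1.1.2", "reachabilityStatus": "Unreachable"},
]


def export_devices(devices):
    """Python object -> JSON string (what the question asks for).

    sort_keys gives a stable key order, which keeps exports diffable when they
    are stored as inventory snapshots.
    """
    return json.dumps(devices, indent=2, sort_keys=True)


def import_devices(text):
    """JSON string -> Python object; the inverse of export_devices."""
    return json.loads(text)


def loads_rejects_object(obj):
    """json.loads() accepts only str, bytes or bytearray; anything else raises TypeError."""
    try:
        json.loads(obj)
    except TypeError:
        return True
    return False


def write_devices(devices, path):
    """Write the export to a file and return the number of characters written."""
    text = export_devices(devices)
    with open(path, "w", encoding="utf-8") as fh:
        return fh.write(text)


if __name__ == "__main__":
    print(export_devices(DEVICES))
    print("json.loads(Devices) raises TypeError:", loads_rejects_object(DEVICES))
```

The round trip export_devices -> import_devices returns an equal list, which is the quick check to run before trusting an exported inventory file.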
