Question 1

Drag and drop the solutions that comprise Cisco Cyber Threat Defense from the left onto the
objectives they accomplish on the right.

Answer:

+ detects suspicious web activity: Web Security Appliance

+ analyzes network behavior and detects anomalies: StealthWatch
+ uses pxGrid to remediate security threats: Identity Services Engine

Explanation

Cisco ISE collects dynamic contextual data from throughout the network and uses Cisco pxGrid
technology, a robust context-sharing platform, to share that deeper level of contextual data
about connected users and devices with external and internal ecosystem partner solutions.
Through the use of a single API, Cisco ISE network and security partners use this data in order
to improve their own network access capabilities and accelerate their solutions’ capabilities to
identify, mitigate, and remediate network threats.

StealthWatch: performs security analytics by collecting network flows via NetFlow

Question 2

What are two characteristics of Cisco SD-Access elements? (Choose two)

A. Fabric endpoints are connected directly to the border node

B. The border node is required for communication between fabric and nonfabric devices
C. The control plane node has the full RLOC-to-EID mapping database
D. Traffic within the fabric always goes through the control plane node
E. The border node has the full RLOC-to-EID mapping database

Answer: B C

Explanation

There are five basic device roles in the fabric overlay:

+ Control plane node: This node contains the settings, protocols, and mapping tables to provide
the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay.
+ Fabric border node: This fabric device (for example, core layer device) connects external Layer
3 networks to the SDA fabric.
+ Fabric edge node: This fabric device (for example, access or distribution layer device)
connects wired endpoints to the SDA fabric.
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the
SDA fabric.
+ Intermediate nodes: These are intermediate routers or extended switches that do not provide
any sort of SD-Access fabric role other than underlay services.
Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide

Question 3

Refer to the exhibit.

Current configuration: 142 bytes

vrf definition STAFF
!
!
interface GigabitEthernet1
vrf forwarding STAFF
no ip address
negotiation auto
no mop enabled
no mop sysid
end

An engineer must assign an IP address of 192.168.1.1/24 to the GigabitEthemet1 interface.

Which two commands must be added to the existing configuration to accomplish this task?
(Choose two)

A. Router(config-vrf)#address-family ipv6
B. Router(config-if)#ip address 192.168.1.1 255.255.255.0
C. Router(config-vrf)#ip address 192.168.1.1 255.255.255.0
D. Router(config-if)#address-family ipv4
E. Router(config-vrf)#address-family ipv4

Answer: B E

Explanation

In fact we only need to assign IP address to Gi1 with the command “Router(config-if)#ip address
192.168.1.1 255.255.255.0”. The command “Router(config-vrf)#address-family ipv4” is
unnecessary unless we have other configurations.

Question 4

What is the data policy in a Cisco SD-WAN deployment?

A. list of ordered statements that define node configurations and authentication used within the
SD-WAN overlay
B. Set of statements that defines how data is forwarded based on IP packet information and
specific VPNs
C. detailed database mapping several kinds of addresses with their corresponding location
D. group of services tested to guarantee devices and links liveliness within the SD-WAN overlay

Answer: B

Explanation

Data policy operates on the data plane in the Cisco SD-WAN overlay network and affects how
data traffic is sent among Cisco SD-WAN devices in the network. The Cisco SD-WAN architecture
defines two types of data policy, centralized data policy, which controls the flow of data traffic
based on the IP header fields in the data packets and based on network segmentation, and
localized data policy, which controls the flow of data traffic into and out of interfaces and
interface queues on the devices.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-
automation-and-management/dna-center/tech_notes/sda_fabric_troubleshooting/
b_cisco_sda_fabric_troubleshooting_guide.html

Question 5

Refer to the exhibit.

Which action resolves the EtherChannel issue between SW2 and SW3?

A. Configure switchport mode trunk on SW2

B. Configure switchport nonegotiate on SW3
C. Configure channel-group 1 mode desirable on both interfaces
D. Configure channel-group 5 mode active on both interfaces

Answer: C

Explanation

From the output we learn that SW2 is running PAgP while Sw3 is running LACP so they cannot
form Etherchannel. Therefore we need to configure only LACP (active mode) or PAgP (desirable
mode) on both switches. But we have to configure on the existing “channel-group 1”, not group
5.
Question 6

Refer to the exhibit.

A network engineer configures OSPF and reviews the router configuration. Which interface or
interfaces are able to establish OSPF adjacency?

A. GigabitEthemet0/1 and GigabitEthernet0/1.40

B. Gigabit Ethernet0/0 and GigabitEthemet0/1
C. only GigabitEthernet0/0
D. only GigabitEthernet0/1

Answer: C

Explanation

This is the output of command “show ip ospf interface”. From the line “No hellos (Passive
interface)”, we learn that interface Gi0/1 was configured passive interface -> It cannot establish
OSPF adjacency. Only Gi0/0 established OSPF adjacency.

Note: DROTHER is just a sign of FULL state in OSPF but this router is not a DR or BDR. Therefore
DROTHER means interface was established adjacency successfully with the neighbor interface.

Question 7

Refer to the exhibit.

What step resolves the authentication issue?

A. restart the vsmart host

B. target 192.168.100.82 in the URI
C. change the port to 12446
D. use basic authentication

Answer: B

Explanation

The first figure is the output of the “show control connections” command. From this figure we
learned that the vManage IP address is 192.168.100.82 so we need to connect to this IP address
(not 192.168.100.80).

Question 8

Refer to the exhibit.

A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using
IPsec profiles. Which two configuration changes accomplish this? (Choose two)

A. Apply the crypto map to the tunnel interface and change the tunnel mode to tunnel mode
ipsec ipv4
B. Remove all configuration related to crypto map from R1 and R2 and eliminate the ACL 100
C. Remove the crypto map and modify the ACL to allow traffic between 10.10.0.0/24 to
10.20.0.0/24
D. Create an IPsec profile, associate the transform-set, and apply the profile to the tunnel
interface

Answer: B D
Explanation

In this question, we have to grasp the difference between the old configuration of GRE over
IPSec with crypto map versus the new configuration of Tunnel Protection (or IPsec Profile).

In the old method, an extended ACL must be defined to match which traffic will be encrypted,
since we configure GRE as the encapsulation protocol for all IP packet, traditionally we used an
ACL (100, in our case) to match the GRE packet sourced from 209.165.201.1 and destined to
209.165.201.6 because all traffic that goes through the tunnel will encapsulated with the Public
IP header defined in the tunnel source and tunnel destination command under the tunnel
interface.

Then after setting this ACL, we need the crypto map for phase 2 IPsec. Under the crypto map,
we put in the peer address, transform-set and the above ACL. Finally we apply the crypto map
on the physical interface. There are many duplicated configuration in this old method! For
example, we need to define the same source and destination addresses in the ACL and the
interface tunnel. Or use the same destination address in “set peer” command under crypto map
and “tunnel destination” command under interface tunnel.

In the new IPSec Profile configuration, we only need to create an IPsec Profile, associate the
transform-set and apply the IPsec Profile on the Tunnel interface and that’s all! There are is no
need of ACL or crypto map. All the information (including source and destination IP addresses)
are already there in the tunnel interface.

An example of configuring IPSec over GRE Tunnel with IPSec Profile is shown below:

crypto isakmp policy 2

encrypt aes 256
authentication pre-share
group 2
!
crypto isakmp key ****** address 200.16.1.5
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-
hmac
!
crypto ipsec profile VTI
set transform-set ESP-AES-256-SHA
set pfs group2
!
interface tunnel 1
ip address 2.2.2.1 255.255.255.254
tunnel mode ipsec ipv4
tunnel destination 200.16.1.5
tunnel protection ipsec profile VTI

Reference: https://ipdemystify.com/2020/11/16/ipsec-crypto-map-vs-tunnel-protection-
demystified/

Question 9

Which encryption hashing algorithm does NTP use for authentication?

A. SSL
B. AES256
C. AES128
D. MD5

Answer: D
Explanation

An example of configuring NTP authentication is shown below:

Router1(config)#ntp authentication-key 2 md5 9tut

Router1(config)#ntp authenticate
Router1(config)#ntp trusted-key 2

Question 10

What is a VPN in a Cisco SD-WAN deployment?

A. virtual channel used to carry control plane information

B. attribute to identify a set of services offered in specific places in the SD-WAN fabric
C. common exchange point between two different services
D. virtualized environment that provides traffic isolation and segmentation in the SD-WAN fabric

Answer: D

Question 11

Drag and drop the characteristic from the left onto the orchestration tools that they describe on
the right.

Answer:

Ansible:
+ uses playbooks
+ prodedural

Puppet:
+ uses a pull model
+ declarative

Explanation

In Ansible, Playbooks are files that provide actions and logic about what Ansible should do.
Ansible playbooks are files that contain tasks to configure hosts. Ansible playbooks are written in
YAML format.
Puppet is based on a Pull deployment model, where the nodes check in regularly after every
1800 seconds with the Master to see if anything needs to be updated in the agent. If anything
needs to be updated the agent pulls the necessary Puppet codes from the Master and performs
required actions.

Chef and Ansible encourage a procedural style where you write code that specifies, step-by-step,
how to to achieve some desired end state. Terraform, SaltStack, and Puppet all encourage a
more declarative style where you write code that specifies your desired end state, and the IAC
tool itself is responsible for figuring out how to achieve that state.

Question 12

Refer to the exhibit.

Communication between London and New York is down. Which command set must be applied to
resolve this issue?

Option A Option B
NewYork(config)#int f0/1 NewYork(config)#int f0/1
NewYork(config)#switchport nonegotiate NewYork(config)#switchport trunk encap
NewYork(config)#end dot1q
NewYork# NewYork(config)#end
NewYork#

Option C Option D
NewYork(config)#int f0/1 NewYork(config)#int f0/1
NewYork(config)#switchport mode dynamic NewYork(config)#switchport mode trunk
desirable NewYork(config)#end
NewYork(config)#end NewYork#
NewYork#

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

From the output line “TOT/TAT/TNT: NATIVE/ISL/NATIVE”, we see interface f0/1 of NewYork
router is hard coded ISL which is mismatched with 802.1Q so we have to change trunking
encapsulation on NewYork router to 802.1Q.

Note: The TOS/TAS/TNS of “ACCESS/AUTO/ACCESS” shows it is currently operating as an

Access Port, in Dynamic Auto mode, and its negotiated to be an Access Port (but it can be
negotiated to become a trunk port).

Good reference: https://loopedback.com/2017/08/26/dtp-dynamic-trunking-protocol-the-exam-

information-and-a-lot-of-live-cli-output-to-demonstrate-behaviors-of-dtp/
Note:

TOS = Trunk Operational Status

TAS = Trunk Administrative Status
TNS = Trunk Negotiation Status
TOT = Trunk Operational Type
TAT = Trunk Administrative Type
TNT = Trunk Negotiation Type

Question 13

What is an emulated machine that has dedicated compute, memory, and storage resources and
a fully installed operating system?

A. host
B. virtual machine
C. container
D. mainframe

Answer: B

Question 14

Which two methods are used to reduce the AP coverage area? (Choose two)

A. Reduce AP transmit power

B. Increase minimum mandatory data rate
C. Reduce channel width from 40 MHz to 20 MHz
D. Enable Fastlane
E. Disable 2.4 GHz and use only 5 GHz

Answer: A B

Explanation

The transmit power of an AP affects the wireless coverage area and the maximum
achievable signal-to-noise ratio. Proper configuration of transmit power is important for ensuring
a wireless network is operating at its highest capacity.

Reference: https://documentation.meraki.com/MR/Radio_Settings/
Transmit_Power_and_Antenna_Configuration

According to this Cisco link, there are two ways to reduce the AP coverage area (or the cell
size):
+ Tuning Cell Size with Transmit Power
+ Tuning Cell Size with Data Rates

Setting the transmit power level is a simplistic approach to defining the cell size, but that is not
the only variable involved. The cell size of an AP is actually a compromise between its transmit
power and the data rates that it offers.

To design a wireless LAN for best performance, you would most likely need to disable some of
the lower data rates. For example, you could disable the 1, 2, and 5.5 Mbps rates to force
clients to use higher rates and better modulation and coding schemes. That would improve
throughput for individual clients and would also benefit the BSS as a whole by eliminating the
slower rates that use more time on a channel.
-> Therefore increasing minimum mandatory data rate would reduce coverage area but enhance
performance.

Note: Disable 2.4 GHz band is not a good action as this band is very popular. Moreover, many
dual-band modems are capable of receiving and transmitting on both 2.4 GHz and 5 GHz
frequencies at the same time. This provides two independent and dedicated networks which
allows more flexibility and bandwidth.

Question 15

Which data is properly formatted with JSON?

Option A Option B

Option C Option D
A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

Option A is missing commas.

Option B is missing one comma behind “age”:25 and the trailing comma needs to be removed.
Option C needs to remove the trailing comma.

Question 16

Drag and drop the descriptions of the VSS technology from the left to the right. Not all options
are used.

Answer:

VSS:
+ supported on the Cisco 4500 and 6500 series
+ combines exactly two devices
+ supports devices that are geographically separated

Explanation

The following characteristics are correct for StackWise (but not VSS):
+ can be connected in up to 9 devices
+ is supported only on line 3750 and (2960/3650/3850/3750+)
+ uses proprietary cable for connection

Question 17

Refer to the exhibit.

All switches are configured with the default port priority value. Which two commands ensure that
traffic from PC1 is forwarded over Gi1/3 trunk port between DWS1 and DSW2? (Choose two)

A. DWS1(config-if)#spanning-tree port-priority 0
B. DSW2(config-if)#spanning-tree port-priority 16
C. DSW1(config-if)#interface gi1/3
D. DSW2(config-if)#interface gi1/3
E. DSW2(config-if)#spanning-tree port-priority 128

Answer: B D

Explanation

In this topology, DSW2 is the root bridge because of lowest Bridge Priority (24576) so all of its
ports are in forwarding state. DSW1 needs to block one of its ports to DSW2 to avoid a bridging
loop between the two switches. Unfortunately, DSW blocked port Gi1/3. But how does DSW1
select its blocked port? Well, the answer is based on the BPDUs it receives from DSW2. A BPDU
is superior than another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

These four parameters are examined in order. In this specific case, all the BPDUs sent by DSW2
have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID.
The only parameter left to select the best one is the Sending Port ID (Port ID = port priority +
port index). And the port index of Gi1/2 is lower than the port index of Gi1/3 so the link between
two Gi1/2 interfaces has been chosen as the primary link.

Therefore we must change the port priority to change the primary link. The lower numerical
value of port priority, the higher priority that port has. In other words, we must change the port-
priority on Gi1/3 of DSW2 (not on Gi1/3 of DSW1) to a lower value than that of Gi1/2 (the
default port-priority value is 128).

Question 18
In a three-tier hierarchical campus network design, which action is a design best-practice for the
core layer?

A. provide QoS prioritization services such as marking, queueing, and classification for critical
network traffic
B. provide advanced network security features such as 802. IX, DHCP snooping, VACLs, and port
security
C. provide redundant Layer 3 point-to-point links between the core devices for more predictable
and faster convergence
D. provide redundant aggregation for access layer devices and first-hop redundancy protocols
such as VRRP

Answer: C

Explanation

The core should be highly available and redundant. The core aggregates the traffic from all the
distribution layer devices, so it must be capable of forwarding large amounts of data quickly.

Considerations at the core layer include

– Providing high-speed switching (i.e., fast transport)
– Providing reliability and fault tolerance
– Scaling by using faster, and not more, equipment
– Avoiding CPU-intensive packet manipulation caused by security, inspection, quality of service
(QoS) classification, or other processes

Reference: https://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4

Question 19

Which two network problems indicate a need to implement QoS in a campus network? (Choose
two)

A. port flapping
B. misrouted network packets
C. excess jitter
D. bandwidth-related packet loss
E. duplicate IP addresses

Answer: C D

Question 20

In a Cisco SD-Access solution, what is the role of the Identity Services Engine?

A. It provides GUI management and abstraction via apps that share context.
B. It is leveraged for dynamic endpoint to group mapping and policy definition.
C. It is used to analyze endpoint to app flows and monitor fabric status.
D. It manages the LISP EID database.

Answer: B

Explanation

DNA Controller – Enterprise SDN Controller (e.g. DNA Center) provides GUI management and
abstraction via Apps that share context
Identity Services – External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to
Group mapping and Policy definition
Analytics Engine – External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to
App flows and monitor fabric status

Reference: https://www.cisco.com/c/dam/global/da_dk/assets/training/seminaria-materials/
Software_Defined_Access_2017.pdf

Question 21

A customer has completed the installation of a Wi-Fi 6 greenfield deployment at their new
campus. They want to leverage Wi-Fi 6 enhanced speeds on the trusted employee WLAN. To
configure the employee WLAN, which two Layer 2 security policies should be used? (Choose two)

A. WPA (AES)
B. WPA2 (AES) + WEP
C. 802.1X
D. OPEN

Answer: C D

Explanation

Wi-Fi 6 (IEEE 802.11ax)

In greenfield we don’t need to use any security policy to reduce the wasting time of
encryption/decryption.

Wi-Fi 6 does not support WPA with AES while WPA2 (AES) would slow down the connection ->
Only 802.1X is the best choice left.

Question 22

Which outcome is achieved with this Python code?

client.connect (ip, port=22,username=usr,password=pswd)

stdin,stdout,stderr = client.exec_command('show ip bgp 192.168.10.100 bestpath\
n')
print(stdout)

A. displays the output of the show command in a formatted way

B. connects to a Cisco device using SSH and exports the routing table information
C. connects to a Cisco device using Telnet and exports the routing table information
D. connects to a Cisco device using SSH and exports the BGP table for the prefix

Answer: D

Question 23

What is YANG used for?

A. scraping data via CLI

B. providing a transport for network configuration data between client and server
C. processing SNMP read-only polls
D. describing data models

Answer: D

Explanation

YANG is used to model each protocol based on RFC 6020.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/datamodels/configuration/xe-
16/data-models-xe-16-book/yang-netconf.html

Question 24

Refer to the exhibit.

Which configuration change ensures that R1 is the active gateway whenever it is in a functional
state for the 172.30.110.0/24 network?

Option A Option B
R1 R1
standby 1 preempt standby 1 preempt
R2 R2
standby 1 priority 90 standby 1 priority 100

Option C Option D
R2 R2
standby 1 priority 100 standby 1 priority 110
standby 1 preempt standby 1 preempt
A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

By default, HSRP does not have preemption enabled so we have to enable it on R1 so that R1
can take the active role of R2. We also need to lower the priority of R2 (to 90) than that of R1
(the default HSRP priority is 100) so that R1 can take the active role.

Question 25

Refer to the exhibit.

 Person#1:
First Name is Johnny
Last Name is Table
Hobbies are:
• Running
• Video games

Person#2
First Name is Billy
Last Name is Smith
Hobbies are:
• Napping
• Reading

Which JSON syntax is derived from this data?

Option A Option B
{‘Person’: [{‘First Name’: ‘Johnny’, ‘Last {[{‘First Name’: ‘Johnny’, ‘Last Name’: ‘Table’,
Name’: ‘Table’, ‘Hobbies’: [‘Running’, ‘Hobbies’: ‘Running’,’Hobbies’: ‘Video games’},
‘Video games’]}, {‘First Name’: ‘Billy’, {‘First Name’: ‘Billy’, ‘Last Name’: ‘Smith’,
‘Last Name’: ‘Smith’, ‘Hobbies’: ‘Hobbies’: ‘Napping’, ‘Hobbies’: Reading’}]}
[‘Napping’, ‘Reading’]}]}

Option C Option D
{‘Person’: [{‘First Name’:’Johnny’, ‘Last {[{‘First Name’: ‘Johnny’, ‘Last Name’: ‘Table’,
Name’: ‘Table’, ‘Hobbies’: ‘Running’, ‘Hobbies’: [‘Running’, ‘Video games’]}, {‘First
‘Video games’}, {‘First Name’: ‘Billy’, Name’: ‘Billy’, ‘Last Name’: ‘Smith’, ‘Hobbies’:
‘Last Name’: ‘Smith’, ‘Hobbies’: [‘Napping’,’Reading’]}]}
‘Napping’, ‘Reading’}]}
A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

Option B and Option D are not correct because the first square bracket in “{[{” should not be
there.

Option C “Hobbies” should be an array, not “‘Hobbies’: ‘Running’, ‘Video games'”

Option A is correct and we also format it in a more comprehensive way below:

{
"Person":[
{
"First Name":"Johnny",
"Last Name":"Table",
"Hobbies":[
"Running",
"Video games"
]
 },
{
"First Name":"Billy",
"Last Name":"Smith",
"Hobbies":[
"Napping",
"Reading"
]
}
]
}

Question 26

An engineer creates the configuration below. Drag and drop the authentication methods from the
left into the order of priority on the right. Not all options are used.

R1#sh run | i aaa

aaa new-model
aaa authentication login default group ACE group AAA_RADIUS local-case
aaa session-id common
R1#

Answer:

Step 1: AAA servers of ACE group

Step 2: AAA servers of AAA_RADIUS group
Step 3: local configured username in case-sensitive format
Step 4: If no method works, then deny login

Explanation

The “aaa authentication login default group ACE group AAA_RADIUS local-case” command is
broken down as follows:

+ The ‘aaa authentication’ part is simply saying we want to configure authentication settings.
+ The ‘login’ is stating that we want to prompt for a username/password when a connection is
made to the device.
+ The ‘default’ means we want to apply for all login connections (such as tty, vty, console and
aux). If we use this keyword, we don’t need to configure anything else under tty, vty and aux
lines. If we don’t use this keyword then we have to specify which line(s) we want to apply the
authentication feature.
+ The ‘group ACE group AAA_RADIUS” means all users are authenticated using group ACE
(the first method). If the credentials are not found on this group, then the group AAA_RADIUS is
used (the second method).
+ The ‘local-case‘ option uses case-sensitive local usernames.

Question 27

Refer to the exhibit.

Which two facts does the device output confirm? (Choose two)

A. The device is using the default HSRP hello timer

B. The standby device is configured with the default HSRP priority
C. The device’s HSRP group uses the virtual IP address 10.0.3.242
D. The device is configured with the default HSRP priority
E. The device sends unicast messages to its peers

Answer: A B

Explanation

From the output above, we see the local router is the active HSRP router with priority 110 while
the default priority is 100 -> Answer D is not correct.

From the line “Standby router is 10.0.3.242, priority 100”, we learn that standby router is
configured with default priority -> Answer B is correct.

HSRP default hello and hold timers are 3 seconds and 10 seconds, respectively so answer A is
correct.

Question 28

Based on the output below, which Python code shows the value of the “upTime” key?

{
“response”: [{
“family”: “Routers”,
“type”: “Cisco ASR 1001-X Router”,
 “errorCode”: null,
“location”: null,
“macAddress”: “00:c8:8b:80:bb:00”,
“hostname”: “asr1001-x.abc.inc”,
“role”: “BORDER ROUTER”,
“lastUpdateTime”: 1577391299537,
“serialNumber”: “FXS1932Q1SE”,
“softwareVersion”: “16.3.2”,
“locationName”: null,
“upTime”: “49 days, 13:43:44:13”,
“lastUpdated”: “2019-12-22
16:35:21”
}]
}

Option A Option B
json_data = response.json() json_data = response_json()
print(json_data[response][0][upTime]) print(json_data[‘response’][‘family’][‘upTime’])

Option C Option D
json_data = response.json() json_data = json.loads(response.text)
print(json_data[‘response’][0][‘upTime’]) print(json_data[‘response’][‘family’][‘upTime’])
A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

You can test this question in Python and see the output below:
Note: We need to call the first element “[0]” in “json_data[‘response’][0][‘upTime’])” command
because “response” is an array with only one element.

Question 29

Which two actions, when applied in the LAN network segment, will facilitate Layer 3 CAPWAP
discovery for lightweight AP? (Choose two)

A. Utilize DHCP option 17

B. Utilize DHCP option 43
C. Configure WLC IP address on LAN switch
D. Enable port security on the switch port
E. Configure an ip helper-address on the router interface

Answer: B E

Explanation

In a Cisco Unified Wireless network, the LAPs must first discover and join a WLC before they can
service wireless clients.
However, this presents a question: how did the LAPs find the management IP address of the
controller when it is on a different subnet?
If you do not tell the LAP where the controller is via DHCP option 43, DNS resolution of “Cisco-
capwap-controller.local_domain”, or statically configure it, the LAP does not know where in the
network to find the management interface of the controller.

Reference: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-
controllers/119286-lap-notjoin-wlc-tshoot.html

Question 30

Refer to the exhibit.

R2:
vrf definition hotel
address-family ipv4
exit-address-family

vrf definition bank

address-family ipv4
exit-address-family

interface Ethernet0/0
vrf forwarding bank
ip address 172.16.0.4 255.255.0.0

interface Ethernet0/1
vrf forwarding hotel
ip address 172.1.0.5 255.255.0.0

router ospf 42 vrf bank

router-id 1.1.1.1
network 172.16.0.0 0.0.255.255 area 0

router ospf 43 vrf hotel

router-id 3.3.3.3
network 172.16.0.0 0.0.255.255 area 0

R1:
vrf definition bank
!
 address-family ipv4
exit-address-family

Which configuration must be applied to R1 to enable R1 to reach the server at 172.16.0.1?

Option A Option B
interface Ethernet0/0 interface Ethernet0/0
ip address 172.16.0.7 255.255.0.0 vrf forwarding bank
! ip address 172.16.0.7 255.255.0.0
router ospf 44 vrf hotel !
network 172.16.0.0 0.0.255.255 router ospf 44 vrf bank
network 172.16.0.0 0.0.255.255 area
0

Option C Option D
interface Ethernet0/0 interface Ethernet0/0
vrf forwarding hotel ip address 172.16.0.7 255.255.0.0
ip address 172.16.0.7 255.255.0.0 !
! router ospf 44 vrf bank
router ospf 44 vrf hotel network 172.16.0.0 255.255.0.0
network 172.16.0.0 0.0.255.255 area
0
A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Question 31

The following system log message is presented after a network administrator configures a GRE
tunnel:

%TUN-RECURDOWN: Interface Tunnel 0 temporarily disabled due to recursive routing.

Why is Tunnel 0 disabled?

A. Because the tunnel cannot reach its tunnel destination

B. Because the best path to the tunnel destination is through the tunnel itself
C. Because dynamic routing is not enabled
D. Because the router cannot recursively identify its egress forwarding interface

Answer: B

Explanation

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

error message means that the generic routing encapsulation (GRE) tunnel router has discovered
a recursive routing problem. This condition is usually due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address
using the tunnel interface itself (recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-
protocol-eigrp/22327-gre-flap.html
 ======================= New Questions (added on 9th-Mar-2020)
=======================

Question 32

What is provided by the Stealthwatch component of the Cisco Cyber Threat Defense solution?

A. real-time threat management to stop DDoS attacks to the core and access networks
B. real-time awareness of users, devices and traffic on the network
C. malware control
D. dynamic threat control for web traffic

Answer: B

Explanation

Cisco Stealthwatch is a comprehensive, network telemetry-based, security monitoring and

analytics solution that streamlines incident response through behavioral analysis; detecting
denial of service attacks, anomalous behaviour, malicious activity and insider threats. Based on
a scalable enterprise architecture, Stealthwatch provides near real-time situational awareness of
all users and devices on the network.

Reference: https://www.endace.com/cisco-stealthwatch-solution-brief.pdf

Note: Although answer A seems to be correct but in fact, Stealthwatch does not provide real-
time protection for DDoS attack. It just helps detect DDoS attack only.

Stealthwatch aggregates observed network activity and performs behavioral and policy driven
analytics against what it sees in order to surface problematic activities. While we don’t position
our self as a DDOS solution, we’re going to leverage our analytical capabilities to identify a DDoS
attack against an internal host using the WebUI.

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2016/pdf/LTRSEC-8421-LG.pdf

Question 33

How does Protocol Independent Multicast function?

A. It uses unicast routing information to perform the multicast forwarding function.

B. It uses the multicast routing table to perform the multicast forwarding function.
C. In sparse mode it establishes neighbor adjacencies and sends hello messages at 5-second
intervals.
D. It uses broadcast routing information to perform the multicast forwarding function.

Answer: A

Explanation

Although PIM is called a multicast routing protocol, it actually uses the unicast routing
table to perform the reverse path forwarding (RPF) check function instead of building up a
completely independent multicast routing table. Unlike other routing protocols, PIM does not
send and receive routing updates between routers.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/xe-
16/imc-pim-xe-16-book/imc-tech-oview.html

Question 34

Under which network conditions is an outbound QoS policy that is applied on a router WAN
interface most beneficial?
A. under all network conditions
B. under network convergence conditions
C. under interface saturation conditions
D. under traffic classification and marking conditions

Answer: C

Explanation

Traffic classification and marking should only be done near the sources with an inbound QoS
policy before entering our networks. When the packets are sent to a WAN interface (to ISP), we
should make sure the ISP does not drop our packets, especially in saturation conditions.

Question 35

Which technology does VXLAN use to provide segmentation for Layer 2 and Layer 3 traffic?

A. bridge domain
B. VLAN
C. VRF
D. VNI

Answer: D

Explanation

VXLAN has a 24-bit VXLAN network identifier (VNI), which allows for up to 16 million (= 2 24)
VXLAN segments to coexist within the same infrastructure. This surely solve the small number of
traditional VLANs.

Question 36

A company has an existing Cisco 5520 HA cluster using SSO. An engineer deploys a new single
Cisco Catalyst 9800 WLC to test new features. The engineer successfully configures a mobility
tunnel between the 5520 cluster and 9800 WLC. Clients connected to the corporate WLAN roam
seamlessly between access points on the 5520 and 9800 WLC. After a failure on the primary
5520 WLC, all WLAN services remain functional; however clients cannot roam between the 5520
and 9800 controllers without dropping their connection. Which feature must be configured to
remedy the issue?

A. mobility MAC on the 5520 cluster

B. mobility MAC on the 9800 WLC
C. new mobility on the 5520 cluster
D. new mobility on the 9800 WLC

Answer: B

Question 37

What are two methods of ensuring that the multicast RPF check passes without changing the
unicast routing table? (Choose two)

A. disabling BGP routing protocol

B. implementing static mroutes
C. disabling the interface of the router back to the multicast source
D. implementing MBGP
E. implementing OSPF routing protocol
Answer: B D

Question 38

What is the result when an active route processor fails in a design that combines NSF with SSO?

A. An NSF-aware device immediately updates the standby route processor RIB without churning
the network
B. The standby route processor temporarily forwards packets until route convergence is
complete
C. An NSF-capable device immediately updates the standby route processor RIB without
churning the network
D. The standby route processor immediately takes control and forwards packets along known
routes

Answer: D

Explanation

The forwarding can continue despite the loss of routing protocols peering sessions with other
peering routers. The now active route processor (which was the standby) will initially have no
active routing session(s) with any peers (no neighbors, link-state database, BGP table …),
however it has an identical FIB and Adjacency information synced from the former Active route
processor. Routing information is recovered dynamically, in the background, while packet
forwarding proceeds uninterrupted using the FIB and Adjacency information synced from the
former Active router processor.

Reference: https://www.networkers-online.com/blog/2008/11/cisco-and-nonstop-forwarding/

=========================== New Questions (added on 28th-Mar-2021)

===========================

Question 39

What is a benefit of a virtual machine when compared with a physical server?

A. Deploying a virtual machine is technically less complex than deploying a physical server.
B. Virtual machines increase server processing performance.
C. The CPU and RAM resources on a virtual machine cannot be affected by other virtual
machines.
D. Multiple virtual servers can be deployed on the same physical server without having to buy
additional hardware.

Answer: D

Question 40

What is the wireless received signal strength indicator?

A. The value of how strong the wireless signal is leaving the antenna using transmit power, cable
loss, and antenna gain
B. The value given to the strength of the wireless signal received compared to the noise level
C. The value of how much wireless signal is lost over a defined amount of distance
D. The value of how strong a wireless signal is received, measured in dBm

Answer: D

Explanation
RSSI, or “Received Signal Strength Indicator,” is a measurement of how well your device can
hear a signal from an access point or router. It’s a value that is useful for determining if you
have enough signal to get a good wireless connection.

This value is measured in decibels (dBm) from 0 (zero) to -120 (minus 120). The closer to 0
(zero) the stronger the signal is which means it’s better, typically voice networks require a -65db
or better signal level while a data network needs -80db or better.

Question 41

Which controller is capable of acting as a STUN server during the onboarding process of Edge
devices?

A. vManage
B. vSmart
C. vBond
D. PNP server

Answer: C

Explanation

An additional vBond is deployed on the Internet and acts as a STUN server for WAN Edge
devices with Internet access and redirects them to the private controller IP addresses.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-
guide.html

Note: Session Traversal Utilities for NAT (STUN) is a standardized set of methods, including a
network protocol, for traversal of network address translator (NAT) gateways in applications of
real-time voice, video, messaging, and other interactive communications.

Question 42

What is the process for moving a virtual machine from one host machine to another with no
downtime?

A. live migration
B. disaster recovery
C. high availability
D. multisite replication

Answer: A

Explanation

Live migration refers to the process of moving a running virtual machine or application between
different physical machines without disconnecting the client or application. Memory, storage, and
network connectivity of the virtual machine are transferred from the original guest machine to
the destination. An example of live migration tool is VMware vSphere vMotion.

Question 43

What are two features of NetFlow flow monitoring? (Choose two)

A. Can track ingress and egress information

B. Include the flow record and the flow importer
C. Copies all ingress flow information to an interface
D. Does not required packet sampling on interfaces
E. Can be used to track multicast, MPLS, or bridged traffic
Answer: A E

Explanation

The following are restrictions for Flexible NetFlow:

+ Traditional NetFlow (TNF) accounting is not supported.
+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is
supported.
+ Both ingress and egress NetFlow accounting is supported.
+ Microflow policing feature shares the NetFlow hardware resource with FNF.
+ Only one flow monitor per interface and per direction is supported.

Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/
3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_011010.html

When configuring NetFlow, follow these guidelines and restrictions:

+ Except in PFC3A mode, NetFlow supports bridged IP traffic. PFC3A mode does not support
NetFlow bridged IP traffic.
+ NetFlow supports multicast IP traffic.

Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/netflow.html

The Flexible NetFlow – MPLS Egress NetFlow feature allows you to capture IP flow information
for packets that arrive on a router as Multiprotocol Label Switching (MPLS) packets and are
transmitted as IP packets. This feature allows you to capture the MPLS VPN IP flows that are
traveling through the service provider backbone from one site of a VPN to another site of the
same VPN

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-
15-mt-book/cfg-mpls-netflow.html

Question 44

Which method should an engineer use to deal with a long-standing contention issue between any
two VMs on the same host?

A. Adjust the resource reservation limits

B. Reset the host
C. Reset the VM
D. Live migrate the VM to another host

Answer: A

Question 45

What is the recommended MTU size for a Cisco SD-Access Fabric?

A. 4464
B. 9100
C. 1500
D. 17914

Answer: B

Question 46

What does the number in an NTP stratum level represent?

A. The number of hops it takes to reach the master time server.

B. The amount of drift between the device clock and true time.
C. The amount of offset between the device clock and true time.
D. The number of hops it takes to reach the authoritative time source.

Answer: D

Explanation

NTP uses the concept of a stratum to describe how many hops (routers) away a machine is from
an authoritative time source, usually a reference clock. A reference clock is a stratum 0 device
that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers
cannot be used on the network but they are directly connected to computers which then operate
as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

Question 47

Refer to the exhibit.

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet1/0
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#threshold 500
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2

After implementing the configuration 172.20.20.2 stops replaying to ICMP echoes, but the
default route fails to be removed. What is the reason for this behavior?

A. The source-interface is configured incorrectly.

B. The destination must be 172.30.30.2 for icmp-echo
C. The default route is missing the track feature
D. The threshold value is wrong
Answer: C

Explanation

The last command should be “R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10”.

Question 48

Refer to the exhibit.

Which type of antenna is show on the radiation patterns?

A. Dipole
B. Yagi
C. Patch
D. Omnidirectional

Answer: A

Explanation

A dipole antenna most commonly refers to a half-wavelength (λ/2) dipole. The physical antenna
(not the package that it is in) is constructed of conductive elements whose combined length is
about half of a wavelength at its intended frequency of operation. This is a simple antenna that
radiates its energy out toward the horizon (perpendicular to the antenna). The patterns shown
are those resulting from a perfect dipole formed with two thin wires oriented vertically along the
z-axis.
Reference: https://www.industrialnetworking.com/pdf/Antenna-Patterns.pdf

Question 49

Drag and drop characteristics of PIM dense mode from the left to the right.

Answer:

PIM Dense Mode:

+ builds source-based distribution trees
+ uses a push model to distribute multicast traffic
+ uses prune mechanisms to stop unwanted multicast traffic

Explanation

PIM-DM supports only source trees – that is, (S,G) entries–and cannot be used to build a shared
distribution tree.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/xe-
16-5/imc-pim-xe-16-5-book/imc-tech-oview.html

PIM dense mode (PIM-DM) uses a push model to flood multicast traffic to every corner of the
network. This push model is a brute-force method of delivering data to the receivers. This
method would be efficient in certain deployments in which there are active receivers on every
subnet in the network. PIM-DM initially floods multicast traffic throughout the network. Routers
that have no downstream neighbors prune the unwanted traffic. This process repeats every 3
minutes.

A rendezvous point (RP) is required only in networks running Protocol Independent Multicast
sparse mode (PIM-SM).

In PIM dense mode (PIM-DM), multicast traffic is initially flooded to all segments of the network.
Routers that have no downstream neighbors or directly connected receivers prune back the
unwanted traffic.

Question 50

Refer to the exhibit.

Edge-01 Edge-02

track 10 interface GigabitEthernet0/0 line- interface GigabitEthernet0/1

protocol ip address 10.104.110.3
! 255.255.255.0
interface GigabitEthernet0/1 vrrp 10 ip 10.104.110.100
ip address 10.104.110.2 255.255.255.0
vrrp 10 ip 10.104.110.100
vrrp 10 priority 120

Object tracking has been configured for VRRP enabled routers Edge-01 and Edge-02. Which
commands cause Edge-02 to preempt Edge-01 in the event that interface G0/0 goes down on
Edge-01?

Option A Option B

Edge-01(config)#interface G0/1 Edge-02(config)#interface G0/1

Edge-01(config-if)#vrrp 10 track 10 Edge-02(config-if)#vrrp 10 track 10
decrement 10 decrement 30
 Option C Option D

Edge-02(config)#interface G0/1 Edge-01(config)#interface G0/1

Edge-02(config-if)#vrrp 10 track 10 Edge-01(config-if)#vrrp 10 track 10
decrement 10 decrement 30

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Question 51

Which protocol is implemented to establish secure control plane adjacencies between Cisco SD-
WAN nodes?

A. IKE
B. DTLS
C. IPsec
D. ESP

Answer: B

Explanation

The Cisco SD-WAN control plane has been designed with network and device security in mind.
The foundation of the control plane is one of two security protocols derived from SSL (Secure
Sockets Layer)—the Datagram Transport Layer Security (DTLS) protocol and the Transport Layer
Security (TLS) protocol.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/
vedge/security-book/security-overview.html

Question 52

Refer to the exhibit.

flow monitor FLOW-MONITOR-1

 record netflow ipv6 original-input
exit
!
sampler SAMPLER-1
mode deterministic 1 out-of 2
exit
!
ip cef
ipv6 cef
!
interface GigabitEthernet0/0/0
ipv6 address 2001:DB8:2:ABCD::2/48
ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input

What is the effect of introducing the sampler feature into the Flexible NetFlow configuration on
the router?

A. NetFlow updates to the collector are sent 50% less frequently.

B. Every second IPv4 packet is forwarded to the collector for inspection.
C. CPU and memory utilization are reduced when compared with what is required for full
NetFlow.
D. The resolution of sampling data increases, but it requires more performance from the router.

Answer: C

Explanation

According to ” CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide” book:

“There are trade-offs in using sampled NetFlow data. The biggest one is that there is a reduced
load on the device in terms of memory and CPU. However, by sampling NetFlow data only at
specific intervals, something could be missed as the accuracy goes down with sampling
compared to when gathering all data” -> Answer C is correct.

The NetFlow sampler does not specify the frequency of NetFlow updates sent to the collector (->
Therefore answer A is not correct). We can define the rate of flow records sent to the collector in
the flow exporter. For example:

Router(config)#ip flow-cache timeout active 1 //export flow records every minute.

The example above shows how to configure and enable deterministic sampling for IPv6 input
traffic. Also NetFlow exporter sends flow records to the collector every 30 minutes, not every
second -> Answer B is not correct.

Answer D is not correct because “1 out-of 2” mode will only sample 1 out of 2 packets, thus the
resolution of sampling data will decrease (not increase)

Note:

There is three sampling modes:

– deterministic: select each N-th observed flow
– random: select randomly one out of N flows.
– hash: select hash-randomly one out of N flows.

Question 53

When does a stack master lose its role?

A. When the priority value of a stack member is changed to a higher value
B. When a switch with a higher priority is added to the stack
C. When the stack master is reset
D. When a stack member fails

Answer: C

Explanation

A stack master retains its role unless one of these events occurs:
+ The switch stack is reset.*
+ The stack master is removed from the switch stack.
+ The stack master is reset or powered off -> Answer C is correct.
+ The stack master fails.
+ The switch stack membership is increased by adding powered-on standalone switches or
switch stacks.*

In the events marked by an asterisk (*), the current stack master might be reelected based on
the listed factors.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/
release/3e/ha_stack_manager/configuration_guide/b_stack_ha_3e_3650_cg/
b_hastck_3se_3650_cg_chapter_010.html

Question 54

What is the calculation that is used to measure the radiated power of a signal after it has gone
through the radio, antenna cable, and antenna?

A. dBi
B. mW
C. dBm
D. EIRP

Answer: D

Explanation

Once you know the complete combination of transmitter power level, the length of cable, and
the antenna gain, you can figure out the actual power level that will be radiated from the
antenna. This is known as the effective isotropic radiated power (EIRP), measured in dBm.

EIRP is a very important parameter because it is regulated by governmental agencies in most

countries. In those cases, a system cannot radiate signals higher than a maximum allowable
EIRP. To find the EIRP of a system, simply add the transmitter power level to the antenna gain
and subtract the cable loss.
EIRP = Tx Power – Tx Cable + Tx Antenna

Suppose a transmitter is configured for a power level of 10 dBm (10 mW). A cable with 5-dB loss
connects the transmitter to an antenna with an 8-dBi gain. The resulting EIRP of the system is
10 dBm – 5 dB + 8 dBi, or 13 dBm.

You might notice that the EIRP is made up of decibel-milliwatt (dBm), dB relative to an isotropic
antenna (dBi), and decibel (dB) values. Even though the units appear to be different, you can
safely combine them because they are all in the dB “domain”.

Reference: CCNA Wireless 640-722 Official Cert Guide