Cisco 200-301 Implementing and Administering Cisco Solutions (CCNA)
Version: 1.0
Cisco 200-301 Exam
"Pass Any Exam. Any Time." - www.actualtests.com

QUESTION NO: 1 DRAG DROP
Drag the Cisco SDA term on the left to its description on the right. Use all terms. Each term can be used only once.

Answer:

Explanation:
A Software-Defined Networking (SDN) controller uses two different sets of Application Programming Interfaces (APIs): one set to communicate with applications and another set to communicate with devices in the data plane. Northbound APIs enable an SDN controller to communicate with applications in the application plane. Applications use northbound APIs to send requests or instructions to the SDN controller, which uses that information to modify and manage network flow. Southbound APIs enable an SDN controller to communicate with devices in the data plane. In both Software-Defined Access (SDA) and SDN deployments, the controller communicates with devices by using a southbound API. Communication with applications and user interfaces is accomplished by using a northbound API.

Cisco SDA is a Cisco-developed SDN for building local area networks (LANs) by using policies and automation. The Cisco Digital Network Architecture (DNA) controller, which is similar to an SDN controller, is the central component of a Cisco SDA network. Cisco DNA is a software-centric network architecture that uses a combination of APIs and a graphical user interface (GUI) to simplify network operations.

The overlay network creates Virtual Extensible LAN (VXLAN) tunnels between Cisco SDA switches. The tunnels send and receive traffic between fabric endpoints. The underlay network, on the other hand, is a more traditional network configuration of switches. It is a collection of devices, interfaces, and media that comprises the Internet Protocol (IP) network that connects each fabric node.
The underlay network is part of a dynamic discovery process that is involved in creating the overlay network's VXLAN tunnels. When an endpoint in a Cisco SDA network sends traffic to another endpoint, the traffic flows from the endpoint through the overlay network's VXLAN tunnels. The fabric is the entirety of the overlay network and the underlay network in a Cisco SDA network.

QUESTION NO: 2
Which of the following DTP modes actively negotiates a trunk connection with a neighboring interface?
A. desirable
B. off
C. auto
D. on

Answer: A

Explanation:
Dynamic Trunking Protocol (DTP) desirable mode actively negotiates a trunk connection with a neighboring interface. There are two dynamic modes of operation for a switch port:
auto – operates in access mode unless the neighboring interface actively negotiates to operate as a trunk
desirable – operates in access mode unless it can actively negotiate a trunk connection with a neighboring interface

The default dynamic mode is dependent on the hardware platform. In general, departmental-level or wiring closet-level switches default to auto mode, whereas backbone-level switches default to desirable mode. Because a switch port in auto mode does not actively negotiate to operate in trunk mode, it will form a trunk link only if negotiations are initiated by the neighboring interface. A neighboring interface will initiate negotiations only if it is configured to operate in trunk mode or desirable mode. By contrast, a switch port in desirable mode will actively negotiate to operate in trunk mode and will form a trunk link with a neighboring port that is configured to operate in trunk, desirable, or auto mode.

Off and on are not DTP modes. They are static operating modes. The Mode column in the output of the show interfaces interface slot/number trunk command indicates the switchport mode configured for a particular interface.
The possible values of the Mode column are the following:
off – indicates that the port has been statically configured to operate in access mode
on – indicates that the port has been statically configured to operate in trunk mode
auto – indicates that the port will dynamically determine its operating mode; the port operates in access mode unless the neighboring interface actively negotiates to operate as a trunk
desirable – indicates that the port will dynamically determine its operating mode; the port operates in access mode unless it can actively negotiate a trunk connection with a neighboring interface

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swvlan.html#pgfId-1096213
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 8: Implementing Ethernet Virtual LANs, VLAN Trunking Configuration

QUESTION NO: 3
You want to create a user account named oson with the password eX$1mM@x on a router. The password should be converted to an MD5 hash and stored on the router. Which of the following commands should you issue on the router?
A. username oson secret 5 eX$1mM@x
B. username oson secret eX$1mM@x
C. username oson eX$1mM@x
D. username oson password eX$1mM@x

Answer: B

Explanation:
To create a user account named oson with a Message Digest 5 (MD5)-hashed password of eX$1mM@x, you should issue the username oson secret eX$1mM@x command on the router. The username command creates a new user and adds the user to the local user database on a router. The local user database on a router contains a list of users that have been added to the router; these users can access the router. When using the username command to create a new user on a router, you can configure the user's password to be stored as plain text or as an MD5 hash.
To configure a user name with a plain-text password, you should use the username user-name password password command. Using the secret keyword instead of the password keyword ensures that the password is stored as an MD5 hash. Thus the command username oson secret eX$1mM@x creates a user named oson and stores the password as an MD5 hash value. In the output of the show running-config command, the hash value of the password rather than the actual password would be displayed, similar to the following:
username oson secret 5 $%A*mNXYz0@1976gtr
The 5 indicates that the password was encrypted with MD5.

Issuing the username oson password eX$1mM@x command creates the oson user account and adds the user account to the local user database. However, the password is stored as plain text instead of an MD5 hash because the password keyword is used instead of the secret keyword.

If you know the hash value of the password, you can use the MD5 hash value of a password manually instead of assigning a plain-text password to be converted into a hash by the IOS. This is accomplished by issuing the username user-name secret 5 hash-value command. The 5 parameter indicates that the assigned value is already in MD5 hash form. The scenario indicates that the password should be converted to an MD5 hash, so you should not issue the username oson secret 5 eX$1mM@x command.

The username oson eX$1mM@x command is an invalid Cisco command because it does not contain the password keyword. Either password or secret is required when the username command is issued.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-cfg-sec-4cli.html#GUID-F9DC0F7A-84B0-45A5-BED7-9740E5A1D886

QUESTION NO: 4 DRAG DROP
Select the 802.11 MAC frame components, and drag them to their appropriate position within the 802.11 MAC frame format. Use all descriptors.

Answer:
Explanation:
An Institute of Electrical and Electronics Engineers (IEEE) 802.11 Media Access Control (MAC) frame is generally comprised of nine fields, as shown in the following diagram:

The Frame Control (FC) field is used to identify the type of 802.11 frame, and its 2 bytes of data are subdivided into 11 related fields of information, such as wireless protocol, frame type, and frame subtype.

The Duration (DUR) field is a 2-byte field that is used mainly by control frames to indicate transmission timers. However, this field is also used by the Power Save (PS) Poll control frame to indicate the association identity (AID) of a client.

The address fields, Address 1 (ADD1), Address 2 (ADD2), Address 3 (ADD3), and Address 4 (ADD4), are 6-byte fields used to convey MAC address and Basic Service Set Identifier (BSSID) information. What information resides in which address field is entirely dependent on the type of frame. However, ADD1, ADD2, and ADD3 typically contain a source MAC address, destination MAC address, and BSSID, with the order being dependent on whether the frame is entering the distribution system (DS), leaving the DS, or passing directly between ad hoc wireless devices. The ADD4 field is only present for frames passing between devices in the DS, such as from one access point (AP) to another AP.

The Sequence (SEQ) field is a 2-byte field that is subdivided to store two related pieces of information: the fragment number and sequence number of each frame.

The DATA portion of a frame varies in size and contains the frame's payload. For data frames, the payload is user data. However, for other frames, such as management frames, this portion of the frame might contain information such as supported data rates and cipher suites.
Finally, the Frame Check Sequence (FCS) field contains a 4-byte cyclic redundancy check (CRC) value calculated from all the 802.11 header fields, including the data portion of the frame. This value is used by the receiving station to determine whether the frame was corrupted during transit.

Reference:
https://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf (PDF)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc757419(v=ws.10)

QUESTION NO: 5
Which of the following combinations represents a single-factor authentication method?
A. a password and a PIN
B. a smart card, a password, and a PIN
C. a password, a fingerprint, and a smart card
D. a fingerprint, a retina scan, and a password

Answer: A

Explanation:
Of the available options, the combination of a password and a personal identification number (PIN) represents a single-factor authentication method. A single-factor authentication method refers to the use of only one of the three common methods to verify a user's identity. The three authentication factors are something you know, something you have, and something you are. A password and a PIN are knowledge factor access control methods, which are pieces of information that you know. Because a password and a PIN are both something you know, when the two are used in combination with each other they represent a single-factor authentication method.

Two-factor, or dual-factor, authentication refers to the use of two different factors to authenticate a user. For example, a password and a code that is automatically generated at the time of authentication by a device or token is two-factor authentication because it requires both knowledge of the password and possession of the device. The combination of a fingerprint, a retina scan, and a password is also an example of a two-factor authentication method.
The fingerprint and retina scanners are both biometric, which are inherent factor access control methods, and the password is something the user knows. An inherent factor is an attribute that is part of the user, such as fingerprints, retinal patterns, and voice patterns. Biometric scanners are used to obtain a scan of a user's physical attributes and are considered the most effective method of securing physical access to network infrastructure. An authentication system compares the scan to a previously stored scan; if the scans match, the user will be authenticated.

The combination of a smart card, a password, and a PIN is also a two-factor authentication method. A smart card is a physical item a user possesses, which is an ownership factor access control method, and a password and a PIN are both something the user knows. A smart card contains a memory chip that is encoded with a unique digital identifier. The digital code stored on a smart card is read by a smart card reader and compared to the list of authorized users. If the digital signature matches a user on the list, the user will be authenticated.

Multifactor authentication refers to the use of two or three factors to authenticate a user. Therefore, dual-factor authentication is also sometimes known as multifactor authentication.

QUESTION NO: 6
Which of the following APIs are typically used to enable communication between an SDN controller and the application plane? (Choose two.)
A. OpenFlow
B. OnePK
C. OpFlex
D. OSGi
E. NETCONF
F. REST

Answer: D,F

Explanation:
Of the available choices, only Representational State Transfer (REST) and Java Open Services Gateway initiative (OSGi) are the Application Programming Interfaces (APIs) typically used to enable communication between a Software-Defined Networking (SDN) controller and the application plane. SDN is an intelligent network architecture in which a software controller assumes the control plane functionality for all network devices. A northbound API, which is sometimes called a northbound interface (NBI), enables an SDN controller to communicate with applications in the application plane.

REST is a northbound API architecture that uses Hypertext Transfer Protocol (HTTP) or HTTP Secure (HTTPS) to enable external resources to access and make use of programmatic methods that are exposed by the API. REST APIs typically return data in either Extensible Markup Language (XML) or JavaScript Object Notation (JSON) format.

OSGi is a Java-based northbound API framework that is intended to enable the development of modular programs. OSGi also allows the use of the Python programming language as a means of extending controller functions. For transport, OSGi deployments often rely on HTTP.

A southbound API, which is sometimes called a southbound interface (SBI), enables an SDN controller to communicate with devices on the network data plane. NETCONF, OnePK, OpenFlow, and OpFlex are all examples of southbound APIs. NETCONF uses XML and Remote Procedure Calls (RPCs) to configure network devices. XML is used for both data encoding and protocol messages. NETCONF typically relies on Secure Shell (SSH) for transport. OpFlex uses a declarative SDN model in which the instructions that are sent to the controller are not so detailed. The controller allows the devices in the data plane to make more network decisions about how to implement the policy. OpenFlow uses an imperative SDN model in which detailed instructions are sent to the SDN controller when a new policy is to be configured. The SDN controller manages both the network and the policies applied to the devices. The OnePK API is a Cisco-proprietary API. It uses Java, C, or Python to configure network devices. It can use either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data in transit.
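Returning to the nine-field frame layout from Question 4: the following Python is an added example, not from the exam guide or any Cisco document, that splits a constructed 802.11 data frame into its FC, DUR, ADD1 to ADD4, SEQ, DATA and FCS fields and verifies the CRC-32 FCS the receiving station checks. The address-role table for each DS direction is standard 802.11 semantics that goes slightly beyond the text above; every MAC address and payload byte is constructed.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


@dataclass
class Dot11Frame:
    frame_type: str
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool
    duration: int
    addr1: str
    addr2: str
    addr3: str
    addr4: Optional[str]
    seq_num: int
    frag_num: int
    payload: bytes
    fcs_ok: bool


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def address_roles(to_ds: bool, from_ds: bool) -> Dict[str, str]:
    """Which MAC each address field carries for each DS direction (standard 802.11
    semantics; DA/SA = destination/source, RA/TA = receiver/transmitter)."""
    if not to_ds and not from_ds:     # management frames, or ad hoc station to station
        return {"addr1": "DA", "addr2": "SA", "addr3": "BSSID"}
    if to_ds and not from_ds:         # station entering the DS through its AP
        return {"addr1": "BSSID", "addr2": "SA", "addr3": "DA"}
    if not to_ds and from_ds:         # leaving the DS, AP to station
        return {"addr1": "DA", "addr2": "BSSID", "addr3": "SA"}
    return {"addr1": "RA", "addr2": "TA", "addr3": "DA", "addr4": "SA"}  # AP to AP inside the DS


def parse_dot11(frame: bytes) -> Dot11Frame:
    """Split a management or data frame into FC, DUR, ADD1-3, SEQ, optional ADD4, DATA
    and FCS, and verify the FCS (CRC-32 over every byte that precedes it)."""
    if len(frame) < 24 + 4:
        raise ValueError("shorter than a 24-byte header plus 4-byte FCS")
    body, fcs = frame[:-4], frame[-4:]
    fcs_ok = struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)
    fc0, fc1 = body[0], body[1]           # Frame Control: least significant byte first
    ftype = (fc0 >> 2) & 0x3              # bits 0-1 version, 2-3 type, 4-7 subtype
    if ftype == 1:
        raise ValueError("control frames use shorter headers than the nine-field layout")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    duration = struct.unpack_from("<H", body, 2)[0]
    addr1, addr2, addr3 = (_mac_str(body[o:o + 6]) for o in (4, 10, 16))
    seq_ctrl = struct.unpack_from("<H", body, 22)[0]   # bits 0-3 fragment, 4-15 sequence
    offset, addr4 = 24, None
    if to_ds and from_ds:                 # ADD4 exists only for frames passing within the DS
        if len(body) < 30:
            raise ValueError("ToDS+FromDS frame too short to carry ADD4")
        addr4, offset = _mac_str(body[24:30]), 30
    return Dot11Frame(TYPE_NAMES[ftype], (fc0 >> 4) & 0xF, to_ds, from_ds,
                      bool(fc1 & 0x40), duration, addr1, addr2, addr3, addr4,
                      seq_ctrl >> 4, seq_ctrl & 0xF, body[offset:], fcs_ok)


def build_dot11_data(to_ds: bool, from_ds: bool, addr1: str, addr2: str, addr3: str,
                     payload: bytes, seq_num: int = 0, addr4: Optional[str] = None,
                     duration: int = 44) -> bytes:
    """Assemble a data frame (type 2, subtype 0) with a correct FCS; used only to
    create constructed sample input for the parser."""
    fc0 = 2 << 2                                   # version 0, type data, subtype 0
    fc1 = (1 if to_ds else 0) | ((1 if from_ds else 0) << 1)
    hdr = (bytes([fc0, fc1]) + struct.pack("<H", duration)
           + _mac_bytes(addr1) + _mac_bytes(addr2) + _mac_bytes(addr3)
           + struct.pack("<H", (seq_num << 4) & 0xFFFF))
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("ToDS+FromDS frames need addr4")
        hdr += _mac_bytes(addr4)
    body = hdr + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


# Constructed sample (all addresses and bytes invented): a station sending an
# LLC/SNAP-encapsulated payload toward its AP, i.e. ToDS = 1, FromDS = 0.
STATION, AP_BSSID, SERVER = "de:ad:be:ef:00:02", "aa:bb:cc:00:00:01", "00:11:22:33:44:55"
SAMPLE_FRAME = build_dot11_data(True, False, AP_BSSID, STATION, SERVER,
                                b"\xaa\xaa\x03\x00\x00\x00\x08\x00hello", seq_num=42)


def corrupted(frame: bytes) -> bytes:
    """Flip one payload bit so the receiver's FCS check fails (transit corruption)."""
    b = bytearray(frame)
    b[-5] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    f = parse_dot11(SAMPLE_FRAME)
    roles = address_roles(f.to_ds, f.from_ds)
    for field in ("addr1", "addr2", "addr3"):
        print(f"{field} ({roles[field]}): {getattr(f, field)}")
    print("type:", f.frame_type, "seq:", f.seq_num, "FCS ok:", f.fcs_ok)
    print("corrupted copy FCS ok:", parse_dot11(corrupted(SAMPLE_FRAME)).fcs_ok)
```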
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1611/b_1611_programmability_cg/configuring_yang_datamodel.pdf (PDF)
https://www.cisco.com/c/en/us/support/cloud-systems-management/application-policy-infrastructure-controller-apic/tsd-products-support-series-home.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1611/b_1611_programmability_cg/OpenFlow.html#id_91847
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-1/sysman/configuration/guide/b-sysman-cg51xasr9k/b-sysman-cg51xasr9k_chapter_01101.html#concept_5F71C8F6159F44639D5441E91298EC84
https://www.cisco.com/c/dam/assets/events/i/interop-ny-Cisco-XNC.pdf#page=2 (PDF)

QUESTION NO: 7
You are configuring security on a new WLAN by using the WLC GUI. Which of the following security settings are you most likely to configure by using the Layer 3 Security drop-down list box on the Layer 3 tab?
A. VPN Pass-Through
B. Web Passthrough
C. WPA+WPA2
D. Web Authentication

Answer: A

Explanation:
When you are configuring a new wireless local area network (WLAN), you are most likely to configure the VPN Pass-Through setting by using the Layer 3 Security drop-down list box on the Layer 3 tab of the Cisco Wireless LAN Controller (WLC) graphical user interface (GUI). There are two types of WLANs that you can configure by using the WLC GUI: a WLAN and a Guest LAN. The VPN Pass-Through setting is only available when you are configuring a WLAN. When you configure a new WLAN by using the WLC GUI, you can configure security settings by clicking the new WLAN's Security tab. By default, the Layer 2 tab is selected when you click the Security tab. However, it is not possible to configure Layer 2 security on a Guest LAN.
On the Layer 2 tab of the Security tab, you can select one of the following Layer 2 wireless security features from the Layer 2 Security drop-down list box:
None, which disables Layer 2 security and allows open authentication to the WLAN
WPA+WPA2, which enables Layer 2 security by using Wi-Fi Protected Access (WPA) or the more secure WPA2
802.1X, which enables Layer 2 security by using Extensible Authentication Protocol (EAP) authentication combined with a dynamic Wired Equivalent Privacy (WEP) key
Static WEP, which enables Layer 2 security by using a static shared WEP key
Static WEP + 802.1X, which enables Layer 2 security by using either a static shared WEP key or EAP authentication
CKIP, which enables Layer 2 security by using the Cisco Key Integrity Protocol (CKIP)
None + EAP Passthrough, which enables Layer 2 security by using open authentication combined with remote EAP authentication

There are two different sets of Layer 3 security features that you can configure on a Cisco WLC: one set for a WLAN and one set for a Guest LAN.
Depending on which type of WLAN you create and which Layer 2 security options you have selected, you can select one of the following Layer 3 wireless security features from the Layer 3 Security drop-down list box on the Layer 3 tab of the Security tab in the WLC GUI:
None, which disables Layer 3 security no matter which Layer 2 security option is configured and regardless of whether you are configuring
IPSec, which enables Layer 3 security for WLANs by using Internet Protocol Security (IPSec)
VPN Pass-Through, which enables Layer 3 security for WLANs by allowing a client to establish a connection with a specific virtual private
Web Authentication, which enables Layer 3 security for Guest LANs by prompting for a user name and password when a client connects
Web Passthrough, which enables direct access to the network for Guest LANs without prompting for a user name and password

Not every Layer 3 security mechanism is compatible with every Layer 2 security mechanism. It is therefore important to first configure Layer 2 security options before you attempt to configure Layer 3 security options.

Reference:
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/106082-wlc-compatibility-matrix.html#matrix
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/olh/wlc-olh-81/wlansc.html
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 29: Building a Wireless LAN, Configuring WLAN Security

QUESTION NO: 8
You issue the ip ospf network non-broadcast command on an interface. Which of the following statements is correct regarding how OSPF operates on the interface?
A. Multicast updates are sent.
B. DR and BDR elections are not performed.
C. The Hello timer is set to 10 seconds, and the dead timer is set to 40 seconds.
D. The neighbor command is required to establish adjacencies.
Answer: D

Explanation:
The neighbor command is required to establish adjacencies on Open Shortest Path First (OSPF) nonbroadcast networks. There are five OSPF network types:
Broadcast
Nonbroadcast
Point-to-point
Point-to-multipoint broadcast
Point-to-multipoint nonbroadcast

Nonbroadcast and point-to-multipoint nonbroadcast networks do not allow multicast packets. To configure OSPF to send unicast updates, you must configure neighbor routers with the neighbor command. Broadcast, point-to-point, and point-to-multipoint broadcast networks allow multicast packets, so manual configuration of neighbor routers with the neighbor command is not required.

On broadcast networks, designated router (DR) and backup designated router (BDR) elections are performed. By default, the Hello timer is set to 10 seconds and the dead timer is set to 40 seconds. To configure an OSPF broadcast network, you should issue the ip ospf network broadcast command. The OSPF broadcast network type is enabled by default on Fiber Distributed Data Interface (FDDI) and Ethernet interfaces, including Fast Ethernet and Gigabit Ethernet interfaces.

On nonbroadcast networks, DR and BDR elections are performed. By default, the Hello timer is set to 30 seconds and the dead timer is set to 120 seconds. To configure an OSPF nonbroadcast network, which is also called a nonbroadcast multiaccess (NBMA) network, you should issue the ip ospf network non-broadcast command.

On point-to-point networks, DR and BDR elections are not performed. By default, the Hello timer is set to 10 seconds and the dead timer is set to 40 seconds. To configure an OSPF point-to-point network, you should issue the ip ospf network point-to-point command. The OSPF point-to-point network type is enabled by default on High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP) serial interfaces.
OSPF point-to-multipoint broadcast networks operate just like OSPF point-to-point networks except that the Hello timer is set to 30 seconds and the dead timer is set to 120 seconds by default. To configure an OSPF point-to-multipoint broadcast network, you should issue the ip ospf network point-to-multipoint command.

OSPF point-to-multipoint nonbroadcast networks operate just like OSPF point-to-multipoint broadcast networks except that multicasts cannot be sent; therefore, manual configuration of neighbor routers with the neighbor command is required so that OSPF sends unicast updates. To configure an OSPF point-to-multipoint nonbroadcast network, you should issue the ip ospf network point-to-multipoint non-broadcast command.

Reference:
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13687-15.html
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/7039-1.html#t24
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/command/iro-cr-book/ospf-i1.html#wp3564440872
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16/iro-xe-16-book/iro-cfg.html

QUESTION NO: 9
Refer to the exhibit. Which of the following commands should you issue in interface configuration mode on the Catalyst 2950 switch to make the IP phone trust the CoS priority of incoming data packets generated by the attached host?
A. mls qos trust cos
B. switchport priority extend trust
C. switchport priority extend cos
D. mls qos trust extend

Answer: B

Explanation:
You should issue the switchport priority extend trust command in interface configuration mode to cause the switch to instruct the Internet Protocol (IP) phone to trust the Class of Service (CoS) priority of incoming data packets.
Because voice traffic is vulnerable to degradation and deterioration if the traffic is sent unevenly, IP phones support Quality of Service (QoS) that is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.1p CoS standard. QoS uses the CoS priority value to prioritize the forwarding of voice and data packets in a predictable fashion. Because data packets from the host computer and voice packets from the IP phone share a physical link to the switch, a method to prioritize the transmission of the voice packets over the data packets is required. A problem occurs when the data packets that are transmitted by the host have a higher CoS priority value than the voice packets that are generated by the IP phone. If this happens, the data packets could take precedence over the voice packets and cause unacceptable degradation of the voice call.

By default, an IP phone is configured to override the CoS priority value assigned by the host and reassign the lowest CoS priority value of 0 to the data packets. Under certain circumstances, such as when the data that is transmitted by the host is mission-critical, you might want the IP phone to trust the host-generated CoS priority value that is assigned to the data packets. If you issue the switchport priority extend trust command, the IP phone will not override the CoS values from the host but will accept the existing CoS value as valid and will forward unchanged data packets to the switch.

You can also configure the switch to instruct the IP phone to reclassify the CoS priority value that the host assigns to its data packets. To do this, you should issue the switchport priority extend cos value command. The CoS value ranges from 0 through 7, with 7 being the highest priority.
If you issue the switchport priority extend cos value command, the value overrides the CoS priority value assigned by the host and tags the data packet with a CoS of 0, which is the default value and is lower than the CoS value of 5 that the IP phone tags its voice packets with. Overriding the CoS priority value ensures that voice packets will have a higher priority than the data packets and the voice packets will be given preference over the data packets as they are processed by the switch.

The mls qos trust cos command moves the trust boundary from the switch to the IP phone, which lets the switch accept the IP phone voice traffic as having come from a trusted source. The mls qos trust cos command does not instruct the IP phone to trust or override the CoS priority value of the data packets received from the attached host. The mls qos trust extend command does not cause the switch to instruct the IP phone to trust the CoS priority of incoming data packets, because it is a valid command for Catalyst 6500 series switches only.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvoip.html#wp1033848
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 8: Implementing Ethernet Virtual LANs, Implementing Interfaces Connected to Phones

QUESTION NO: 10
An administrator has generated the following MD5 hash from a plain-text password: $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. The administrator wants to configure the password so that it will be used to access enable mode on a Cisco router. The no service password-encryption command has been issued on the router. Which of the following commands should the administrator issue?
A. password 0 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt.
B. password 7 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt.
C. enable secret 0 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt.
D. enable secret 5 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt.
E. enable password 5 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt.

Answer: D

Explanation:
The administrator should issue the enable secret 5 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. command to configure the Message Digest 5 (MD5) hash generated from a plain-text password so that it will be used to access enable mode on a Cisco router in this scenario. The no service password-encryption command has been issued in this scenario. This command disables the automatic encryption of new passwords when they are created by an administrator. If the service password-encryption command had been issued in this scenario, all current and future passwords in the running configuration would be encrypted automatically. Thus, of the available choices, the enable secret 5 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. command is the only option in this scenario that enables the administrator to store a previously encrypted password that allows access to enable mode on a Cisco router.

In some Cisco IOS versions prior to 15.3(3), the enable secret command by default stores an encrypted password in the device's configuration file by using a Secure Hash Algorithm (SHA) 256-bit hash. As of Cisco IOS 15.3(3), Type 4 passwords have been deprecated because of a security flaw in their implementation. The syntax for the enable secret command is enable secret [level level] {password | [encryption-type] encrypted-password}, where password is a string of characters that represents the clear-text password. Instead of supplying a clear-text password, you can specify an encryption-type value of 0, 4, or 5 and an encrypted-password value of either a clear-text password, a SHA-256 hash, or an MD5 hash, respectively. Supplying a hash value requires that you have previously encrypted the value by using a hashing algorithm in the same fashion that IOS uses the algorithm. This command configures a password that is required in order to place the device into enable mode, which is also known as privileged EXEC mode.
The device must, at a minimum, be placed into enable mode for the user to be able to display the running configuration.

The administrator should not issue the enable secret 0 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. command in this scenario. Specifying an encryption-type value of 0 when you issue the enable secret command indicates that the string following the command is in clear-text format, not encrypted format. Because the router assumes the string is a clear-text password and the length of the hash is greater than 25 characters, issuing the enable secret 0 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. command would cause the router to generate an error similar to the following:
% Invalid Password length - must contain 1 to 25 characters. Password configuration failed
If the already encrypted $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. string was shorter than 25 characters, the command would encrypt that string and require anyone who is attempting to access enable mode to issue $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. as the password instead of the original unencrypted value that the MD5 hash $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. represents.

The administrator should not issue the enable password 5 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. command in this scenario. You can issue the enable password command to create a password that must be used to gain access to enable mode. The syntax of the enable password command is enable password [level level] {password | [encryption-type] encrypted-password}. The enable password command supports the encryption-type values of 0 and 7, not 5. The encryption-type value of 0 indicates that a clear-text password of 1 to 25 characters will follow. The MD5 hash in this scenario is longer than 25 characters. An encryption-type value of 7 indicates that a hidden password consisting of a Cisco-proprietary form of encryption will follow. Issuing the enable password 5 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. command would result in the following error:
Invalid encryption type: 5

In this scenario, the administrator should not issue the password 7 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. command or the password 0 $1$cf6N$Ugo.y0CXMLffTfQtyO/Xt. command. The line console 0 command followed by the password command configures a password for accessing the router by using the console. Typically, the console is accessed by physically connecting a console cable between the router and a device that is running terminal software. Issuing the password for the console places the device into user EXEC mode. Both password commands in this scenario contain invalid syntax. The encryption-type value of 0 indicates that a clear-text password of 1 to 25 characters will follow. The MD5 hash in this scenario is longer than 25 characters. An encryption-type value of 7 indicates that a hidden password consisting of a Cisco-proprietary form of encryption will follow.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-cfg-sec-4cli.html#GUID-828B299A-35B1-4C7D-B50D-7E2907D8A2DF
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-cfg-sec-4cli.html#GUID-3731A307-367C-42A3-ACA3-09D69B3BA120
CCNA 200-301 Official Cert Guide, Volume 2, Chapter 5: Securing Network Devices, Encoding the Enable Passwords with Hashes

QUESTION NO: 11
You issue the following commands on SwitchA:

SwitchA(config)#interface port-channel 1
SwitchA(config-if)#interface range fastethernet 0/5 - 6
SwitchA(config-if-range)#channel-protocol lacp
SwitchA(config-if-range)#channel-group 1 mode on

You then issue the following commands on SwitchB:

SwitchB(config)#interface port-channel 1
SwitchB(config-if)#interface range fastethernet 0/5 - 6
SwitchB(config-if-range)#channel-protocol pagp
SwitchB(config-if-range)#channel-group 1 mode on

Which of the following statements is true about the resulting EtherChannel link between SwitchA and SwitchB?

A. No link is formed.
B. A link is formed using LACP because it was configured first and has priority.
C. A link is formed without an aggregation protocol.
D. A link is formed using PAgP because it was configured last and has priority.

Answer: A

Explanation:
An EtherChannel link is not formed in this scenario. EtherChannel is used to bundle two or more identical, physical interfaces into a single logical link between switches. An EtherChannel can be permanently established between switches, or it can be negotiated by using one of two aggregation protocols: the Cisco-proprietary Port Aggregation Protocol (PAgP) or the open-standard Institute of Electrical and Electronics Engineers (IEEE) 802.3ad protocol, which is also known as Link Aggregation Control Protocol (LACP). An EtherChannel can have up to eight active switch ports in the bundle that forms the logical link between switches.
Every switch port in the bundle, which is also referred to as a channel group, must be configured with the same speed and duplex settings. To configure a switch port to use an aggregation protocol, you should use the channel-protocol {lacp | pagp} command. The EtherChannel aggregation protocol must match on each switch, or they will be unable to dynamically establish an EtherChannel link between them. In addition, if a channel protocol is explicitly configured, each local switch port in the EtherChannel bundle must be configured to operate in a mode that is compatible with the channel protocol, or the switch will display an error message and refuse to bundle the offending interface.

In this scenario, the channel-protocol command on SwitchA specifies that LACP should be used to dynamically establish an EtherChannel; however, the channel-group command attempts to configure an incompatible operating mode. Because the channel-group command cannot override the configuration specified by the channel-protocol command, the channel-group command issued on SwitchA will produce an error message similar to the following sample output:

Command rejected (Channel protocol mismatch for interface Fa0/5 in group 1): the interface can not be added to the channel group
% Range command terminated because it failed on FastEthernet0/5

To configure a switch port to be a member of a particular channel group, you should issue the channel-group number mode {on | active | passive | {auto | desirable} [non-silent]} command. This command uses a number parameter to specify a particular channel group; the number value should correspond to the PortChannel interface being configured. The supported values for the number parameter vary depending on hardware platform and IOS revision. The following table displays the channel-group configurations that will establish an EtherChannel:
The on keyword configures the channel group to unconditionally create the channel with no LACP or PAgP negotiation. In the on mode, a functional EtherChannel exists only if a channel group that is in the on mode is connected to another channel group that is also in the on mode. If either side of the link is not in on mode, packet loss can occur. You can issue the show etherchannel summary command to verify the status of an EtherChannel link and to determine which aggregation protocol, if any, was used to establish the link. The following sample output indicates that no aggregation protocol was used:

The auto, desirable, and non-silent keywords can be used only with PAgP. The desirable keyword configures the channel group to actively negotiate PAgP, and the auto keyword configures the channel group to listen for PAgP negotiation to be offered. Either or both sides of the link must be set to desirable to establish an EtherChannel over PAgP; setting both sides to auto will not establish an EtherChannel over PAgP. The optional non-silent keyword requires that a port receive PAgP packets before the port is added to the channel.

The active and passive keywords can be used only with LACP. The active keyword configures the channel group to actively negotiate LACP, and the passive keyword configures the channel group to listen for LACP negotiation to be offered. Either or both sides of the link must be set to active to establish an EtherChannel over LACP; setting both sides to passive will not establish an EtherChannel over LACP.
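The mode rules in this explanation can be checked mechanically. The function below is an added example, not Cisco code and not part of the exam guide: each side is described by its channel-protocol setting (or None) and its channel-group mode, and the result is "rejected" when a side's mode contradicts its explicit channel-protocol (the error shown above), "none" when both commands are accepted but no bundle forms, or the name of the mechanism that forms the bundle. The rule that the channel-protocol must agree with the mode is taken from this explanation and is the only assumption beyond the mode table.

```python
LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}


def protocol_for_mode(mode):
    """Map a channel-group mode to the protocol it negotiates (None for 'on')."""
    if mode == "on":
        return None
    if mode in LACP_MODES:
        return "lacp"
    if mode in PAGP_MODES:
        return "pagp"
    raise ValueError(f"unknown channel-group mode: {mode}")


def port_accepted(channel_protocol, mode):
    """Mirror the 'Channel protocol mismatch' rejection: an explicit
    channel-protocol must agree with the protocol implied by the mode."""
    return channel_protocol is None or protocol_for_mode(mode) == channel_protocol


def etherchannel_result(side_a, side_b):
    """side_x = (channel_protocol or None, mode).

    Returns 'rejected', 'none', 'on', 'lacp' or 'pagp'.
    """
    for proto, mode in (side_a, side_b):
        if not port_accepted(proto, mode):
            return "rejected"
    mode_a, mode_b = side_a[1], side_b[1]
    if mode_a == "on" and mode_b == "on":
        return "on"                       # unconditional bundle, no negotiation
    proto_a, proto_b = protocol_for_mode(mode_a), protocol_for_mode(mode_b)
    if proto_a is None or proto_a != proto_b:
        return "none"                     # on vs negotiated, or LACP vs PAgP
    if proto_a == "lacp":
        # At least one side must actively negotiate; passive/passive fails.
        return "lacp" if "active" in (mode_a, mode_b) else "none"
    # PAgP: at least one side must be desirable; auto/auto fails.
    return "pagp" if "desirable" in (mode_a, mode_b) else "none"


if __name__ == "__main__":
    # The scenario in this question: both channel-group commands are rejected.
    print(etherchannel_result(("lacp", "on"), ("pagp", "on")))
```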
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/command/reference/3750cr/cli1.html#pgfId-11890010
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/command/reference/3750cr/cli1.html#pgfId-11890203

QUESTION NO: 12
You issue the show ip ospf interface fastethernet 0/1 command on Router1 and receive the following output:

Which of the following statements is correct?

A. Router1 is the DR for the segment.
B. The BDR has a priority higher than 50.
C. Router1 can establish adjacencies with only two routers on this interface.
D. Router1 is connected to a point-to-multipoint network.
E. Router1 is configured with incorrect timer settings.

Answer: C

Explanation:
Router1 can establish adjacencies with only two routers on this interface. The output of the show ip ospf interface fastethernet 0/1 command shows that Router1 is in the DROTHER state. A router in the DROTHER state can only establish adjacencies with the designated router (DR) and the backup designated router (BDR). Therefore, Router1 is neither the DR nor the BDR. The DR has a router ID of 10.0.0.7 and an IP address of 10.2.16.1, and the BDR has a router ID of 10.0.0.11 and an IP address of 10.2.16.17.

Router1 is not connected to a point-to-multipoint network, because the network segment contains a DR and a BDR. A DR and a BDR are not elected on point-to-multipoint or point-to-point networks; they are elected only on multiaccess networks.

The BDR might or might not have a priority higher than 50. If Router1 were started after the DR and BDR were elected, Router1 would not be eligible to become the DR or the BDR, regardless of the priority value of Router1, until the existing DR and BDR failed or were powered off.
If Router1 were started at the same time as the existing DR and BDR, the BDR would have a priority of at least 50 because Router1 has a priority of 50. If the BDR and Router1 have the same priority, the BDR will be elected before Router1 because it has a higher router ID than Router1.

Router1 is not configured with incorrect timer settings. The Hello timers and dead timers between two routers must match for the routers to establish a neighbor adjacency. Therefore, if Router1 were configured with incorrect timer settings, Router1 would not be able to establish adjacencies with the DR and the BDR. By default, the Hello timer is set to 10 seconds and the dead timer is set to 40 seconds on point-to-point and broadcast links.

Reference:
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13689-17.html

QUESTION NO: 13
You are connecting two Catalyst 6500 switches with fiber-optic cable. When you boot SwitchA, you receive a SYS-3-TRANSCEIVER_NOTAPPROVED error. Which of the following is most likely the cause of the problem?

A. There is a physical problem with the fiber cable.
B. You have installed the SFP module upside down.
C. You have connected a cable to an incorrect port.
D. You have installed a third-party SFP module.

Answer: D

Explanation:
You have most likely installed a third-party Small Form-Factor Pluggable (SFP) transceiver module in SwitchA if you receive a SYS-3-TRANSCEIVER_NOTAPPROVED error when you boot SwitchA. An SFP module is a hot-pluggable device that enables a switch, router, or other device to accept connections from Fibre Channel (FC) or Gigabit Ethernet cables. Cisco devices do not support the use of third-party SFP modules. An SFP module that is installed in a Cisco device stores identifying information, such as the module serial number, vendor name, and security code.
When a switch detects the insertion of an SFP module, the switch software attempts to read the identifying information stored on the SFP module. If the information is not valid or not present, the switch software will report the SYS-3-TRANSCEIVER_NOTAPPROVED error.

The switch would not report a SYS-3-TRANSCEIVER_NOTAPPROVED error if you had connected a cable to an incorrect port. If you connected a cable to the wrong SFP module port, you would most likely notice that the ports on the switches are up, but the line protocol is down.

The switch would not report a SYS-3-TRANSCEIVER_NOTAPPROVED error if there were a physical problem with the fiber cable. If the fiber cable were broken, you would notice that the port status light-emitting diodes (LEDs) on the SFP modules are not lit.

The switch would not report a SYS-3-TRANSCEIVER_NOTAPPROVED error if you had installed the SFP module upside down. Instead, the switch would not recognize the SFP module, and the output from show commands would contain no information about the module.

Reference:
https://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/system/messages/errbook.pdf (PDF)

QUESTION NO: 14
Which of the following best describes an AP deployment that connects APs to a WLC that is housed within a switch stack?

A. embedded AP deployment
B. autonomous AP deployment
C. cloud-based AP deployment
D. lightweight AP deployment

Answer: A

Explanation:
Of the available choices, an embedded access point (AP) deployment typically connects APs to a Cisco wireless LAN controller (WLC) that is housed within a switch stack. An AP is a device that connects a wireless client to a wired network. The primary difference between this deployment and others is that the WLC is embedded within a stack of switching hardware instead of existing as a separate entity.
APs can connect to the WLC by connecting to switches that are directly hosting the WLC or switch ports that are operating on the same virtual local area network (VLAN) as the WLC.

A lightweight AP deployment can be an embedded AP deployment. However, a lightweight AP deployment does not always connect APs to a WLC that is housed within a switch stack. A lightweight AP deployment requires a separate wireless controller. Wireless clients connect to lightweight APs, which are capable of performing real-time wireless network functions but rely on a WLC for management functions. The connection between a lightweight AP and a WLC is created by using two tunnels established by the Control and Provisioning of Wireless Access Points (CAPWAP) tunneling protocol. Information sent between lightweight APs and the WLC is encapsulated in Internet Protocol (IP) packets. This process enables a lightweight AP and WLC to manage connectivity to the same wireless local area network (WLAN) yet be separated by both physical and logical means. This type of deployment is also known as a split-MAC architecture because the lightweight AP handles the frames while the WLC handles the management functions.

An autonomous AP deployment does not connect APs to a WLC that is housed within a switch stack. An autonomous AP contains network interfaces for both wireless and wired networks; it is typically deployed as part of an autonomous AP architecture in which APs are connected directly to the access layer of the three-tier hierarchical network model.

A cloud-based AP deployment does not connect APs to a WLC that is housed within a switch stack. Instead, cloud-based APs connect to and are automatically configured by a WLC that is housed in a cloud-based system. For example, a Cisco Meraki AP provides wireless access by connecting to a centralized management system known as the Cisco Meraki Cloud.
APs deployed at the access layer of the three-tier hierarchical network model contact the cloud in order to automatically configure themselves. APs are managed through a cloud-based dashboard.

QUESTION NO: 15
You are implementing common Layer 2 security measures on a Cisco switch. You create a new VLAN with an ID of 4. No devices operate on VLAN 4. Next, you issue the following commands on a switch interface:

switchport access vlan 4
switchport nonegotiate

Which of the following Layer 2 security measures are you implementing? (Choose two.)

A. configuring the port mode manually
B. disabling DTP on a port
C. enabling port security on an access port
D. moving the port to an unused VLAN
E. disabling an unused port

Answer: B,D

Explanation:
You are disabling Dynamic Trunking Protocol (DTP) on a port when you issue the switchport nonegotiate command while you are implementing common Layer 2 security measures on a Cisco switch. In addition, you are moving the port to an unused virtual local area network (VLAN) by issuing the switchport access vlan 4 command.

By default, every network interface on a Cisco switch is an active port. Before you deploy a switch on a network, you should take steps to ensure that every trunk port and access port on the switch is secured and that every unused port on the switch is disabled. By default, all interfaces on a Cisco switch will use DTP to automatically negotiate whether an interface should be a trunk port or an access port. The transmission of DTP packets over an interface can be exploited by a malicious user to obtain information about the network or to convert an interface that should be an access port into a trunked port. You should issue the switchport nonegotiate command on a manually configured port to prevent any attempts by the switch to negotiate by using DTP.
Moving an unused port to an unused VLAN creates a logical barrier that prevents rogue devices from communicating on the network should such a device connect to the port. To move an access port to an unused VLAN, you should issue the switchport access vlan vlan-id command on the port, where vlan-id is the ID of the unused VLAN. When you move an unused port to an unused VLAN, you should also manually configure the port as an access port by issuing the switchport mode access command and shut down the port by issuing the shutdown command.

You are not configuring the port mode manually by issuing the commands in this scenario. To manually configure a trunk port, you should first issue the switchport trunk encapsulation protocol command in interface configuration mode, where protocol is the trunk encapsulation protocol you want to use, and then issue the switchport mode trunk command in interface configuration mode. To manually configure an access port, you should issue the switchport mode access command in interface configuration mode. Manually configuring interfaces to use either trunk mode or access mode effectively disables DTP and ensures that the traffic on those ports is restricted to the intended purpose. Even so, you should issue the switchport nonegotiate command on a manually configured trunk port to prevent any attempts by the switch to negotiate by using DTP, because a manually configured trunk port will continue to send DTP frames.

You are not disabling an unused port by issuing the commands in this scenario. Disabling an unused port creates a barrier that prevents rogue devices from communicating on the network should such a device connect to the port. To disable an unused port on a switch, you should issue the shutdown command on that port. To verify that a port is in the shutdown state, you should issue the show interfaces type number command, where type and number specify the interface you want to show.
A port that has been shut down will be reported as administratively down by the show interfaces type number command.

You are not enabling port security on an access port by issuing the commands in this scenario. To protect switch interfaces against Media Access Control (MAC) flooding attacks, you should enable port security on all access mode interfaces on the switch. Issuing the switchport port-security command in interface configuration mode enables port security with default settings. You can modify port security settings before you enable port security by issuing the switchport port-security mac-address mac-address command, the switchport port-security maximum maximum-number-of-mac-addresses command, and the switchport port-security violation {protect | restrict | shutdown} command. When enabled with its default settings, port security will shut down a port on which a violation occurs. In addition, port security will allow only the first MAC address to connect to the port to access the port.

Reference:
https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/EttF/EttFDIG/ch5_EttF.html#wp1009094

QUESTION NO: 16
You have enabled LAG on a WLC that contains eight distribution system ports. How many ports will be included in the LAG bundle by default?

A. eight
B. one
C. four
D. none

Answer: A

Explanation:
By default, all eight ports will be included in the link aggregation (LAG) bundle if you have enabled LAG on a Cisco wireless LAN controller (WLC) that contains eight distribution system ports. A distribution system port is a data port that typically connects to a switch in Institute of Electrical and Electronics Engineers (IEEE) 802.1Q trunk mode. Similar to EtherChannel on switches, LAG enables multiple physical ports on a WLC to operate as one logical group. Thus, LAG enables load balancing across links between devices and redundancy.
If one link fails, the other links in the LAG bundle will continue to function. LAG will bundle all eight ports in this scenario. However, LAG requires only one functional physical port in order to pass client traffic. Similar to EtherChannel, LAG enables redundancy. If one physical port fails in a LAG bundle, the other ports are capable of passing client traffic in that port's place. If all but one port in a LAG bundle fails, that port will pass client traffic for all of the failed ports.

Distribution system ports can be configured to work in pairs or independently of each other if LAG is disabled. By default, a Cisco WLC's distribution system ports operate in 802.1Q trunk mode, forming a trunk link between each WLC distribution system port and the switch to which it is connected. When enabled, LAG modifies this configuration so that the ports are bundled and no longer operate as independent trunk links.

Reference:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010100001.html#ID1363
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 29: Building a Wireless LAN, Using WLC Ports

QUESTION NO: 17
Which of the following tables is used by a switch to discover the relationship between the Layer 2 address of a device and the physical port used to reach the device?

A. the adjacency table
B. the ARP table
C. the VLAN table
D. the FIB table
E. the CAM table

Answer: E

Explanation:
The Content Addressable Memory (CAM) table is used by a switch to discover the relationship between the Open Systems Interconnection (OSI) Layer 2 address of a device and the physical port used to reach the device. Switches make forwarding decisions based on the destination MAC address contained in a frame's header. The switch first searches the CAM table for an entry that matches the frame's destination MAC address.
If the frame's destination MAC address is not found in the table, the switch forwards the frame to all its ports, except the port from which it received the frame. If the destination MAC address is found in the table, the switch forwards the frame to the appropriate port. The source MAC address is also recorded if it did not previously exist in the CAM table.

The Forwarding Information Base (FIB) is a table that contains all the prefixes from the Internet Protocol (IP) routing table and is structured in a way that is optimized for forwarding. The FIB and the adjacency table are the two main components of Cisco Express Forwarding (CEF), which is a hardware-based switching method that is implemented in all OSI Layer 3-capable Catalyst switches. The FIB is synchronized with the IP routing table and therefore contains an entry for every IP prefix in the routing table. The IP prefixes are ordered so that when a Layer 3 address is compared against the FIB, the longest, most specific match will be found first; therefore, prefix lookup times are minimized.

The adjacency table maintains the Layer 2 addressing information for the FIB. Each network prefix in the FIB is associated with a next-hop address and an outbound interface. The adjacency table contains the Layer 2 addressing information for each next-hop address listed in the FIB and is used to rewrite the Layer 2 header of each forwarded IP packet. You can issue the show adjacency command to display the contents of the adjacency table.

The Address Resolution Protocol (ARP) table contains Layer 3 to Layer 2 address translations. Whenever the switch encounters a packet destined for a Layer 3 address that does not have an entry in the ARP table, the switch broadcasts an ARP request to query the network for the Layer 2 address. When the ARP reply is received, the switch enters the address pair into the ARP table for future reference.
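The CAM learning and forwarding behaviour described in Question 17, and the reason Question 15 recommends port security against MAC flooding, can both be seen in a toy switch model. The class below is an added example (not Cisco code and not from the exam guide): it learns each frame's source MAC against its ingress port, forwards known unicast to one port, floods unknown unicast and broadcast, and enforces a per-port MAC limit that stands in for switchport port-security maximum with the default shutdown violation mode. Port names and MAC addresses in the test are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy Layer 2 switch with a CAM table and an optional per-port MAC limit."""

    def __init__(self, ports, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = {}                     # CAM table: mac -> port
        self.max_macs = max_macs_per_port  # None = no port security
        self.err_disabled = set()         # ports shut down by a violation

    def macs_on(self, port):
        """All MAC addresses currently learned on a port."""
        return {mac for mac, p in self.cam.items() if p == port}

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; returns the set of egress ports (empty = dropped)."""
        if in_port in self.err_disabled:
            return set()

        # Learning: record (or move) the source MAC on the ingress port.
        if self.cam.get(src_mac) != in_port:
            already_here = self.macs_on(in_port) - {src_mac}
            if self.max_macs is not None and len(already_here) >= self.max_macs:
                # Violation with default 'shutdown' mode: err-disable the port.
                self.err_disabled.add(in_port)
                return set()
            self.cam[src_mac] = in_port

        # Forwarding: known unicast goes to one port, unknown/broadcast floods.
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            return self.ports - {in_port}
        out_port = self.cam[dst_mac]
        # Destination hangs off the ingress port: the switch filters the frame.
        return set() if out_port == in_port else {out_port}


def fill_from_one_port(switch, port, count):
    """Send frames with `count` different constructed source MACs into one port
    and return how many entries the CAM table holds afterwards."""
    for i in range(count):
        switch.receive(port, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", BROADCAST)
    return len(switch.cam)
```

Without a limit, fill_from_one_port shows the table absorbing every fabricated source address, which is the condition under which a full CAM table degrades the switch into flooding; with a limit of one address, the first extra source address err-disables the port and nothing further is learned from it.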
You can issue the show ip arp command to display the contents of the ARP table.

The virtual local area network (VLAN) table contains a record of the VLAN definitions on the switch and a list of the interfaces associated with each VLAN. The VLAN table does not contain any Layer 3 information. You can issue the show vlan command to display the contents of the VLAN table.

Reference:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/71079-arp-cam-tableissues.html#backinfo
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 5: Analyzing Ethernet LAN Switching, Learning MAC Addresses

QUESTION NO: 18
Which of the following statements is true regarding a floating static route?

A. A floating static route is used to provide link redundancy.
B. A floating static route is used to provide link load balancing.
C. A router always prefers a floating static route to a dynamically learned route.
D. A floating static route has a lower AD than a normal static route.

Answer: A

Explanation:
A floating static route is used to provide link redundancy. When multiple routes to a network exist and a more specific route is not available, a router will choose the route with the lowest administrative distance (AD). Because a normal static route has a default AD of 1, a router will always prefer a normal static route over any other type of route. You can manually assign a static route a higher AD than 1 to prevent a router from always choosing the normal static route as the best path to a destination network. By assigning a floating static route a higher AD than another route, you are able to create a static route that will be used only when routes with a lower AD are no longer available.
For example, if a router's primary path to a remote office is a dynamically learned route and a floating static route with a higher AD is configured to use a specified exit interface as a backup path, the router will use only the primary route to reach the remote office. The dynamically learned route is preferred over the floating static route because the floating static route has a higher AD than the dynamically learned route. However, if the dynamically learned route becomes unavailable, the router will search its routing table for an available path with the lowest AD. In this example, the router will use the floating static route to forward packets destined to the remote office to the exit interface specified in the floating static route when the dynamically learned route becomes unavailable.

A router will not always prefer a floating static route to a dynamically learned route. Because an administrator can arbitrarily assign an AD to a floating static route, a router will prefer a floating static route only if it has a lower AD than a dynamically learned route to the same destination network. Likewise, a router will not always prefer a dynamically learned route to a floating static route unless the dynamically learned route has an AD lower than a floating static route to the same destination network.

A floating static route is not used for link load balancing. Load balancing is possible if multiple paths to a destination network exist with equal ADs and equal cost values. Because a floating static route has a higher AD than the primary path to a destination network, a router will not use a floating static route unless the primary path becomes unavailable.
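The selection order this explanation describes (most specific prefix first, then lowest AD, then lowest metric) is short enough to model directly. The code below is an added example, not from the exam guide or Cisco: a Route carries a prefix, a source with its default AD (the defaults listed are the common IOS values for connected, static, EIGRP, OSPF and RIP), an optional override AD for a floating static route, a metric, and an availability flag that stands in for the primary link going down. Addresses in the test come from the 192.0.2.0/24 documentation range and are constructed.

```python
from ipaddress import ip_address, ip_network

# Default administrative distances for the route sources used here.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


class Route:
    def __init__(self, prefix, source, next_hop, ad=None, metric=0, available=True):
        self.prefix = ip_network(prefix)
        self.source = source
        self.next_hop = next_hop          # next-hop address or exit interface
        self.ad = DEFAULT_AD[source] if ad is None else ad  # override = floating static
        self.metric = metric
        self.available = available        # False once the path has failed

    def __repr__(self):
        return f"{self.source} {self.prefix} via {self.next_hop} [{self.ad}/{self.metric}]"


def _candidates(routes, destination):
    dst = ip_address(destination)
    return [r for r in routes if r.available and dst in r.prefix]


def best_route(routes, destination):
    """Pick the route a router would install for a destination:
    longest prefix, then lowest AD, then lowest metric."""
    cands = _candidates(routes, destination)
    if not cands:
        return None
    return min(cands, key=lambda r: (-r.prefix.prefixlen, r.ad, r.metric))


def equal_cost_paths(routes, destination):
    """Routes that tie with the best one on prefix length, AD and metric,
    i.e. the set a router could load-balance across."""
    best = best_route(routes, destination)
    if best is None:
        return []
    key = (best.prefix.prefixlen, best.ad, best.metric)
    return [r for r in _candidates(routes, destination)
            if (r.prefix.prefixlen, r.ad, r.metric) == key]


if __name__ == "__main__":
    primary = Route("10.20.0.0/16", "ospf", "192.0.2.1", metric=20)
    backup = Route("10.20.0.0/16", "static", "Serial0/0", ad=200)  # floating static
    print(best_route([primary, backup], "10.20.5.9"))   # the OSPF route
    primary.available = False
    print(best_route([primary, backup], "10.20.5.9"))   # now the floating static
```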
Reference:
https://www.cisco.com/c/en/us/support/docs/dial-access/dial-on-demand-routing-ddr/10213-backup-main.html#floating_static_routes
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3s/iri-xe-3s-book/ip6-route-static-xe.html#GUID-5B0C0DDF-5925-42DE-83CC-C3FEAC1A9595

QUESTION NO: 19
You want to decrease the amount of time that it takes for switch ports on SwitchA to begin forwarding. PortFast is not configured on any of the switch ports on SwitchA. You issue the spanning-tree portfast default command from global configuration mode. Which of the ports on SwitchA will use PortFast?

A. all access ports
B. all ports
C. no ports, because PortFast cannot be enabled globally
D. all trunk ports

Answer: A

Explanation:
All access ports on SwitchA will use PortFast. PortFast enables faster connectivity for hosts connected to an access-layer switch port. If PortFast is not enabled, a switch port transitions through the Spanning Tree Protocol (STP) listening and learning states before it enters the forwarding state. This process can take as long as 30 seconds if the default STP timers are used. In addition, port initialization could take as long as 50 seconds if Port Aggregation Protocol (PAgP) is enabled. PortFast transitions the port into the STP forwarding state without going through the STP listening and learning states.

PortFast is a feature that should be used only on switch ports that are connected to end devices, such as user workstations or print devices. Because PortFast immediately transitions a port to the STP forwarding state, skipping over the listening and learning states, steps should be taken to ensure that a switch that is inadvertently or intentionally connected to the port cannot influence the STP topology or cause switching loops.
Cisco recommends that switches should not be connected to access ports that are configured with PortFast; switches should always be connected by trunk ports. You can enable PortFast for specific ports by issuing the spanning-tree portfast command in interface configuration mode. However, you can also enable PortFast for all access ports on the switch by issuing the spanning-tree portfast default command in global configuration mode; trunk ports are not affected by the spanning-tree portfast default command.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swstpopt.html#wp1031380
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/command/lsw-cr-book/lsw-s2.html#wp4011168249
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 9: Spanning Tree Protocol Concepts, Optional STP Features

QUESTION NO: 20
You issue the show vlan brief command on Switch1 and receive the following partial output:

You issue the following commands on Switch1:

Which of the following statements is true?

A. Only GigabitEthernet 0/1 and GigabitEthernet 0/2 are trusted ports.
B. DAI is not configured on GigabitEthernet 0/1 and GigabitEthernet 0/2.
C. DAI is configured on only GigabitEthernet 0/1 and GigabitEthernet 0/2.
D. Only GigabitEthernet 0/1 and GigabitEthernet 0/2 ports are untrusted ports.

Answer: B

Explanation:
Dynamic ARP Inspection (DAI) is not configured on GigabitEthernet 0/1 and GigabitEthernet 0/2 in this scenario. The ip arp inspection vlan 11-12,14 command does not include virtual local area network (VLAN) 1. In addition, neither the ip arp inspection command nor the ip arp inspection trust command has been issued on the GigabitEthernet interfaces. Therefore, DAI is not enabled on VLAN 1.
The switchport access vlan 1 command that has been issued on both the GigabitEthernet 0/1 interface and the GigabitEthernet 0/2 interface in this scenario configures those ports to reside in VLAN 1 if the ports are operating in access mode. The switchport mode access command configures the ports to operate in access mode.

DAI can be enabled on a single VLAN or on multiple VLANs. To enable DAI, you should use the ip arp inspection vlan global configuration command. The syntax of the ip arp inspection vlan command is ip arp inspection vlan {vlan-ID | vlan-range}. A range of VLANs can be entered by using a comma-separated list and/or a dash-separated pair of VLAN numbers indicating the range of VLANs to include. For example, each of the following commands enables DAI on VLANs 2 through 4: ip arp inspection vlan 2,3,4 and ip arp inspection vlan 2-4. Configuring DAI on each VLAN ensures that traffic sent from each host is inspected.

In addition, each port is by default an untrusted port. By default, a port is configured as an untrusted port when DAI is enabled on that port. Therefore, configuring VLANs 11, 12, and 14 with DAI by issuing the ip arp inspection vlan 11-12,14 command ensures that any port operating in those VLANs is automatically an untrusted port. When DAI is configured for an entire VLAN, you can override the default configuration for a given port by issuing the ip arp inspection trust command in interface configuration mode. In this scenario, however, VLAN 1 has not been globally configured to use DAI.

QUESTION NO: 21

Which of the following VLANs is used by DTP to negotiate a trunk link when 802.1Q encapsulation is configured on the interface?

A. the native VLAN
B. 1
C. 0
D. 4094

Answer: A

Explanation:
Dynamic Trunking Protocol (DTP) uses the native virtual local area network (VLAN) to negotiate a trunk link when Institute of Electrical and Electronics Engineers (IEEE) 802.1Q encapsulation is configured on the interface. Because DTP frames are always transmitted on the native VLAN, changing the native VLAN can have unexpected consequences. For example, if the native VLAN is not configured identically on both ends of a link, a trunk will not dynamically form.

By default, all interfaces on a Cisco switch use DTP to automatically negotiate whether an interface should be an IEEE 802.1Q trunk port or an access port. There are two dynamic modes of operation for a switch port:

auto – operates in access mode unless the neighboring interface actively negotiates to operate as a trunk
desirable – operates in access mode unless it can actively negotiate a trunk connection with a neighboring interface

The default dynamic mode depends on the hardware platform. In general, departmental-level or wiring closet-level switches default to auto mode, whereas backbone-level switches default to desirable mode. Because a switch port in auto mode does not actively negotiate to operate in trunk mode, it will form a trunk link only if negotiations are initiated by the neighboring interface. A neighboring interface will initiate negotiations only if it is configured to operate in trunk mode or desirable mode. By contrast, a switch port in desirable mode will actively negotiate to operate in trunk mode and will form a trunk link with a neighboring port that is configured to operate in trunk, desirable, or auto mode.

Although VLAN 1 is the default native VLAN on a Cisco switch, the native VLAN can be changed by issuing the switchport trunk native vlan vlan-id command from interface configuration mode. Because the configuration of the native VLAN in this scenario is not specified, you cannot be certain that VLAN 1 is still configured as the native VLAN.
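The DTP negotiation rules above (auto listens, desirable and trunk initiate, access never trunks, a native-VLAN mismatch blocks dynamic negotiation), as an added Python model that also enumerates every mode combination; this is not code from the exam guide or from Cisco, and the mode names and native-VLAN values are constructed inputs.

```python
"""Added example, not from the exam guide: decide whether two directly connected
switch ports come up as an 802.1Q trunk under the DTP rules in the explanation.
The administrative mode strings mirror 'switchport mode ...' keywords."""
from itertools import product
from typing import Dict, Tuple

ACCESS, TRUNK, AUTO, DESIRABLE = "access", "trunk", "dynamic auto", "dynamic desirable"
ALL_MODES = (ACCESS, TRUNK, AUTO, DESIRABLE)


def initiates(mode: str) -> bool:
    """trunk and desirable ports send DTP negotiation requests; auto only listens."""
    return mode in (TRUNK, DESIRABLE)


def accepts(mode: str) -> bool:
    """Any port that is not hard-coded as access will answer a DTP request."""
    return mode in (TRUNK, DESIRABLE, AUTO)


def trunk_forms(mode_a: str, native_a: int, mode_b: str, native_b: int) -> bool:
    """True when the link operates as a trunk.
    Rules modeled, in order:
      - an access port on either side never trunks;
      - trunk/trunk is statically configured and needs no negotiation;
      - DTP frames travel in the native VLAN, so a native-VLAN mismatch prevents a
        dynamically negotiated trunk from forming;
      - otherwise a trunk forms only if at least one side initiates negotiation."""
    if ACCESS in (mode_a, mode_b):
        return False
    if mode_a == TRUNK and mode_b == TRUNK:
        return True
    if native_a != native_b:
        return False
    return (initiates(mode_a) and accepts(mode_b)) or (initiates(mode_b) and accepts(mode_a))


def negotiation_matrix(native_a: int = 1, native_b: int = 1) -> Dict[Tuple[str, str], bool]:
    """Outcome for every pair of administrative modes, generalizing the auto and
    desirable cases the explanation walks through."""
    return {(a, b): trunk_forms(a, native_a, b, native_b)
            for a, b in product(ALL_MODES, repeat=2)}
```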
VLAN 0 is a special VLAN used by Internet Protocol (IP) phones to indicate to an upstream switch that the phone is sending frames that carry a configured 802.1p priority but that should reside in the native VLAN. This VLAN is used if voice traffic and data traffic should be separated but a unique voice VLAN is not required. VLAN 4094 is an extended VLAN and is not used for DTP frames unless it has been configured as the native VLAN. VLAN IDs in the range from 1006 through 4094 are available only on extended IOS images. A VLAN ID can be a value from 1 through 1005 or from 1 through 4094, depending on the IOS image and switch model. VLANs 1002 through 1005 are reserved for Token Ring and Fiber Distributed Data Interface (FDDI) VLANs. VLANs in this reserved range, as well as the switch's native VLAN, can be modified but not deleted.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvlan.html#wp1200245
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1qtnl.html#wp1006495
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 8: Implementing Ethernet Virtual LANs, VLAN Trunking Configuration

QUESTION NO: 22 DRAG DROP

Select the following routes from the left, and drag them to the right, placing them in the order preferred by a router.

Answer:

Explanation:
Route preference is based on the administrative distance (AD) of the connectivity method or the routing protocol used. When multiple routes to a network exist, a router prefers the route learned from the source with the lowest AD. The following list contains the most commonly used ADs:
A directly connected route, which has an AD of 0, is preferred over any other route to the same network. If a link to a directly connected network goes down, the route with the next lowest AD will be used. Static routes, which have an AD of 1, are preferred after directly connected routes. You can create a static route to a network by issuing the ip route command. The basic syntax of the ip route command is ip route prefix mask {ip-address | interface}, where prefix is the network address, mask is the subnet mask of the destination network, ip-address is the Internet Protocol (IP) address of the next-hop router, and interface is the local interface out of which the packets should be sent.

Of the available choices, an internal Enhanced Interior Gateway Routing Protocol (EIGRP) route is the next most preferred route. Internal EIGRP routes have an AD of 90. Of the remaining choices, an Open Shortest Path First (OSPF) route is the next most preferred route. OSPF routes have an AD of 110. Of the remaining choices, an Intermediate System-to-Intermediate System (IS-IS) route is the next most preferred route. IS-IS routes have an AD of 115. Of the available choices, a Routing Information Protocol (RIP) route is the least preferred route. RIP routes have an AD of 120.

You can configure the AD of a routing protocol by issuing the distance command in router configuration mode. For example, to change the AD of OSPF from 110 to 80, you should issue the following commands:

RouterA(config)#router ospf 1
RouterA(config-router)#distance 80

You can view the AD of the best route to a network by issuing the show ip route command. The AD is the first number inside the brackets in the output.
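Route selection by AD, including the effect of a distance override, together with a parser for the [AD/metric] notation of show ip route entries, as an added Python example; this is not code from the exam guide or from Cisco, the default AD values are the ones listed in this explanation, and the sample routing-table lines are constructed.

```python
"""Added example, not from the exam guide: rank candidate routes to one destination
by administrative distance and read AD/metric pairs out of show ip route entries.
Routes, output lines and the 'distance 80' override are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default ADs as listed in the explanation (Cisco IOS defaults).
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "isis": 115, "rip": 120}

# Route-source codes printed in the first column of show ip route (subset).
SOURCE_CODES = {"C": "connected", "S": "static", "D": "eigrp", "O": "ospf", "i": "isis", "R": "rip"}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str       # key into DEFAULT_AD
    metric: int = 0   # only compared between routes from the same source


def preference_order(routes: Iterable[Route], ad_override: Optional[Dict[str, int]] = None) -> List[str]:
    """Sources of the candidate routes, most preferred first: lowest AD wins, and
    among equal ADs the lower metric wins. ad_override models the 'distance <n>'
    router-configuration command, e.g. {'ospf': 80}."""
    ad = dict(DEFAULT_AD)
    ad.update(ad_override or {})
    return [r.source for r in sorted(routes, key=lambda r: (ad[r.source], r.metric))]


def preferred_route(routes: Iterable[Route], ad_override: Optional[Dict[str, int]] = None) -> Route:
    """The single route a router would install for the destination."""
    ad = dict(DEFAULT_AD)
    ad.update(ad_override or {})
    return min(routes, key=lambda r: (ad[r.source], r.metric))


# Matches lines such as 'O E2 172.150.0.0 [110/5] via 10.19.54.6, 0:01:00, Ethernet2'.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Za-z])\*?\s*(?:E1|E2|IA|N1|N2|L1|L2)?\s+"
    r"(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[^,\s]+)"
)


def parse_route_line(line: str) -> Optional[Tuple[str, str, int, int, str]]:
    """Return (source, prefix, AD, metric, next_hop) for one routing-table entry,
    or None for lines without a bracketed [AD/metric] pair (headers, connected routes)."""
    m = ROUTE_LINE.match(line.strip())
    if not m:
        return None
    return (SOURCE_CODES.get(m["code"], m["code"]), m["prefix"],
            int(m["ad"]), int(m["metric"]), m["nh"])
```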
For example, the following router output shows an OSPF route with an AD of 110:

Router#show ip route
Gateway of last resort is 10.19.54.20 to network 10.140.0.0
O E2 172.150.0.0 [110/5] via 10.19.54.6, 0:01:00, Ethernet2

The 5 in brackets in the output above indicates the OSPF metric. OSPF uses cost as its metric and calculates cost from the bandwidth of an interface: the higher the bandwidth, the lower the cost. When two OSPF paths exist to the same destination, the router chooses the OSPF path with the lowest cost.

Reference:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/15986-admin-distance.html

QUESTION NO: 23

Which of the following statements best describe why WRED is useful for networks where the majority of traffic uses TCP? (Choose two.)

A. TCP sources reduce traffic flow when congestion occurs.
B. TCP packets that are dropped must be retransmitted.
C. TCP packets cannot arrive out of sequence.
D. TCP packets have large header sizes.
E. TCP packets must have priority over UDP packets.

Answer: A,B

Explanation:
Weighted random early detection (WRED) is useful for networks where the majority of traffic uses Transmission Control Protocol (TCP) because TCP packets that are dropped must be retransmitted. Additionally, TCP sources reduce traffic flow when congestion occurs, thereby further slowing down the network. WRED is a congestion avoidance mechanism that addresses packet loss caused by tail drop, which occurs when new incoming packets are dropped because a router's queues are too full to accept them. Tail drop causes a problem called global TCP synchronization, whereby all of the TCP sources on a network reduce traffic flow during periods of congestion and then increase traffic flow when the congestion is reduced, which again causes congestion and dropped packets.
When WRED is implemented, you can configure different tail drop thresholds for each IP precedence or Differentiated Services Code Point (DSCP) value so that lower-priority traffic is more likely to be dropped than higher-priority traffic, thereby avoiding global TCP synchronization.

WRED does not address header size. To compress the header of TCP packets, you should implement TCP header compression. Because TCP header compression compresses only the header, not the entire packet, TCP header compression works best for packets with small payloads, such as those carrying interactive data.

WRED does not address the order in which TCP packets arrive. TCP packets can arrive in any order because each packet is numbered with a sequence number. When the TCP packets arrive at their destination, TCP rearranges the packets into the correct order.

Although it is possible for TCP packets to require a higher priority than User Datagram Protocol (UDP) packets, it is also possible for UDP packets to require a higher priority than TCP packets. UDP traffic that requires a high priority includes Voice over IP (VoIP) traffic and real-time multimedia traffic. You should avoid placing TCP and UDP traffic in the same traffic class, because doing so can cause TCP starvation. UDP traffic is not aware of packet loss due to congestion control mechanisms, so devices sending UDP traffic might not reduce their transmission rates. This behavior causes the UDP traffic to dominate the queue and prevent TCP traffic from resuming a normal flow.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/qos/configuration/guide/12_2sr/qos_12_2sr_book/congestion_avoidance.html

QUESTION NO: 24

A REST API query returns the following output:

Which of the following statements is true?

A. The value of the lname key is a text value.
B. The value of the fname key is equal to the lname key and its value.
C. The value of the group key is an array.
D. The value of the role key is an object.
E. The value of the id key is an array.
F. The value of the read-only key is a text value.

Answer: A

Explanation:
Of the available choices, it is true that the value of the lname key in the Representational State Transfer (REST) Application Programming Interface (API) output above is a text value. REST is an API architecture that uses Hypertext Transfer Protocol (HTTP) or HTTP Secure (HTTPS) to enable external resources to access and make use of programmatic methods that are exposed by the API. The REST API that is being queried in this scenario has returned output in JavaScript Object Notation (JSON) format. JSON is a data modeling language that is commonly used by REST APIs.

The JSON data modeling language returns data in the form of an object that contains key and value pairs. A single JSON object can contain multiple key and value pairs. Each key and value pair inside a JSON object is separated from the others by a comma (,). Furthermore, each pair's key is separated from its value by a colon (:). The element in quotation marks on the left side of each colon is the key. The element on the right side of each colon is the value, which might or might not be enclosed in quotation marks. There are several data value types that can be returned in JSON output: text, numeric, array, object, Boolean, and null.

The value of the lname key, the value of the fname key, and the value of the role key are all text values in the JSON object in this scenario. JSON keys and JSON text values are always enclosed in quotation marks. Text values typically contain alphanumeric or Unicode characters.

The value of the id key is numeric in the JSON object in this scenario. Numeric data is defined by digits that are not enclosed in quotation marks. If a string of digits is enclosed in quotation marks, it will be treated as text even if it contains only numeric characters.
The numeric value of the id key in this scenario is 12345.

The value of the group key in this scenario is another JSON object. A JSON object can be identified by the curly brackets that mark the beginning and the end of the object. A left curly bracket ({) marks the beginning of a JSON object. A right curly bracket (}) marks the end of a JSON object. JSON objects can be nested as values inside other JSON objects. In this scenario, the value of the group key in the primary JSON object is shown in the following JSON object:

As previously mentioned, a JSON object is a group of key and value pairs. The JSON object above contains two key and value pairs. The role key contains a text value of Receivables. The read-only key, on the other hand, contains an array.

The value of the read-only key in this scenario is an array that contains two text values: Accounting Folder and Sales Folder. Unlike JSON objects, arrays contain values only. They do not contain key and value pairs. Arrays are contained within square brackets. A left square bracket ([) indicates the beginning of the array. A right square bracket (]) indicates the end of the array. Each value inside an array is separated from the others by a comma (,). Although the array in this scenario contains two text values enclosed in quotation marks, an array can contain any of the other JSON data types. For example, an array can include JSON objects or other arrays as values. In addition, a given array need not contain only a single data type.

There are no Boolean or null values in the JSON output in this scenario. A given JSON key can be assigned a Boolean value of either true or false. Because these are Boolean values, not text values, they are not placed inside quotation marks.
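Classifying every key of a document like the one in this question into the six JSON value types the explanation lists, descending into the nested group object and its array, as an added Python example; this is not code from the exam guide, the document is reconstructed from the explanation's description because the original figure is not reproduced here, and the fname/lname values are placeholders.

```python
"""Added example, not from the exam guide: parse REST API output of the shape this
question describes and report the JSON data type of every key, including nested
object members and array elements. Field values are constructed placeholders."""
import json
from typing import Any, Dict

# Reconstructed from the explanation: lname/fname are text, id is numeric, group is
# an object holding a text role and a read-only array of two text values.
SAMPLE_OUTPUT = """{
  "fname": "Alice",
  "lname": "Example",
  "id": 12345,
  "group": {
    "role": "Receivables",
    "read-only": ["Accounting Folder", "Sales Folder"]
  }
}"""


def json_type(value: Any) -> str:
    """Name a parsed value's type with the six categories the explanation lists."""
    if value is None:
        return "null"
    if isinstance(value, bool):        # bool is a subclass of int: test it first
        return "Boolean"
    if isinstance(value, (int, float)):
        return "numeric"
    if isinstance(value, str):         # includes "12345": quoted digits are text
        return "text"
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "object"
    raise TypeError(f"not a JSON value: {type(value).__name__}")


def key_types(document: Any) -> Dict[str, str]:
    """Flatten a parsed JSON document to {path: type}. Members of nested objects get
    dotted paths (group.role); array elements are indexed (group.read-only[0])."""
    types: Dict[str, str] = {}

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                types[child] = json_type(value)
                walk(value, child)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                child = f"{path}[{index}]"
                types[child] = json_type(value)
                walk(value, child)

    walk(document, "")
    return types


def analyze(text: str) -> Dict[str, str]:
    """Parse raw API output and classify every key; json.loads rejects malformed input."""
    return key_types(json.loads(text))
```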
Null values technically have no value at all, although a null value is not the same as a numeric value of 0. A given JSON key can be assigned a null value by specifying null without quotation marks.

QUESTION NO: 25

You are attempting to configure OSPF between RouterA and RouterB on your network. However, the routers are unable to form an OSPF adjacency. You issue the show ip ospf interface fastethernet 0/0 command on each router and receive the following output:

Why are the routers unable to form an adjacency? (Choose two.)

A. The cost must be higher than 1.
B. The OSPF areas must match.
C. The dead timer value must match the Hello timer value.
D. The OSPF process IDs must match.
E. The router IDs must not match.
F. The IP addresses are configured with the wrong subnet mask.

Answer: B,E

Explanation:
The routers are unable to form an adjacency for two reasons: the Open Shortest Path First (OSPF) areas must match, and the router IDs must not match. Only OSPF routers in the same hierarchical area form adjacencies. To configure an OSPF area, you should issue the network address wildcard-mask area area-id command in OSPF router configuration mode. Although you can configure a multiarea OSPF topology, the OSPF areas on neighboring interfaces must match in order for two OSPF routers to form an adjacency. In this scenario, RouterB's FastEthernet 0/0 interface is operating in Area 1 and is directly connected to RouterA's FastEthernet 0/0 interface, which is operating in Area 0. Area 0 is also known as the backbone area. If you are not using virtual links, any nonbackbone OSPF areas you configure must border Area 0. On smaller networks, single-area OSPF configurations also offer the benefit of generating fewer link-state advertisements (LSAs).

Router IDs must be unique; a router will ignore Hello packets that are marked with its own router ID.
To manually configure the router ID, you should issue the router-id ip-address command in router configuration mode, where ip-address is a 32-bit value in dotted decimal notation. If the router ID is not manually configured, the router ID will be the highest loopback Internet Protocol (IP) address configured on the router. If no loopback IP address is configured, the router ID will be the highest IP address among the configured interfaces on the router.

Whereas Enhanced Interior Gateway Routing Protocol (EIGRP) process IDs must match when EIGRP is used, OSPF process IDs do not have to match when OSPF is used. The OSPF process ID is locally significant to the router and can be any positive integer in the range from 1 through 65535. You can specify the OSPF process ID by issuing the router ospf process-id command when you configure a router for OSPF.

The cost does not have to be higher than 1. By default, OSPF uses the bandwidth of a link to determine the cost. The higher the bandwidth, the lower the cost. To calculate the cost, divide 100,000,000 by the bandwidth in bits per second (bps). The FastEthernet 100-megabit per second (Mbps) link between RouterA and RouterB would have a default cost of 1, because 100,000,000 / 100,000,000 = 1. To manually configure the OSPF cost of a link, you should issue the ip ospf cost cost command in interface configuration mode.

The IP addresses for RouterA and RouterB are within the same subnet. Therefore, the subnet mask is correct, and the two routers should be able to communicate. A /30 subnet mask allows for two hosts per subnet. In this example, 10.1.1.12/30 is the network address, 10.1.1.13/30 and 10.1.1.14/30 are valid host addresses, and 10.1.1.15/30 is the broadcast address.

The dead timer value should not match the Hello timer value.
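The adjacency requirements this explanation checks (same subnet, matching area, unique router IDs, matching Hello and dead timers, process IDs not compared) together with the default cost calculation and the /30 address roles, as an added Python example; this is not code from the exam guide or from Cisco, the interface values are constructed to mirror the scenario, and the router IDs are placeholders.

```python
"""Added example, not from the exam guide: check two OSPF interfaces against the
adjacency requirements discussed in the explanation and compute the default
interface cost. Addresses mirror the scenario's 10.1.1.12/30; router IDs are
placeholder values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

REFERENCE_BANDWIDTH_BPS = 100_000_000   # default: cost = 100,000,000 / bandwidth


@dataclass
class OspfInterface:
    router: str
    address: str             # interface address with prefix length, e.g. "10.1.1.13/30"
    area: int
    router_id: str
    process_id: int          # locally significant; need not match the neighbor's
    hello: int = 10          # ip ospf hello-interval (seconds)
    dead: int = 40           # ip ospf dead-interval (seconds), default 4 x Hello
    bandwidth_bps: int = 100_000_000   # FastEthernet


def ospf_cost(bandwidth_bps: int, reference_bps: int = REFERENCE_BANDWIDTH_BPS) -> int:
    """Reference bandwidth divided by link bandwidth, truncated, never below 1
    (so FastEthernet and any faster link both default to a cost of 1)."""
    return max(1, reference_bps // bandwidth_bps)


def adjacency_problems(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Reasons a and b cannot form an adjacency; an empty list means they can."""
    problems: List[str] = []
    net_a = ipaddress.ip_interface(a.address).network
    net_b = ipaddress.ip_interface(b.address).network
    if net_a != net_b:
        problems.append(f"subnet mismatch: {net_a} vs {net_b}")
    if a.area != b.area:
        problems.append(f"area mismatch: {a.area} vs {b.area}")
    if a.router_id == b.router_id:
        problems.append(f"duplicate router ID {a.router_id}")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append(f"timer mismatch: {a.hello}/{a.dead} vs {b.hello}/{b.dead}")
    # process_id is deliberately not compared: OSPF process IDs need not match.
    return problems


def subnet_roles(cidr: str) -> Tuple[str, List[str], str]:
    """Network address, usable host addresses and broadcast address of a subnet,
    e.g. 10.1.1.12/30 -> 10.1.1.12, [10.1.1.13, 10.1.1.14], 10.1.1.15."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), [str(h) for h in net.hosts()], str(net.broadcast_address)


def scenario() -> List[str]:
    """Constructed reproduction of the question: same /30, areas 0 and 1, and the
    same (placeholder) router ID on both routers; process IDs differ harmlessly."""
    router_a = OspfInterface("RouterA", "10.1.1.13/30", area=0, router_id="192.0.2.1", process_id=1)
    router_b = OspfInterface("RouterB", "10.1.1.14/30", area=1, router_id="192.0.2.1", process_id=2)
    return adjacency_problems(router_a, router_b)
```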
In order for OSPF routers to establish an adjacency, the dead timer on one router should match the dead timer on the other router, and the Hello timer on one router should match the Hello timer on the other router. Both RouterA and RouterB are set to a Hello interval of 10 seconds and a dead interval of 40 seconds, so the OSPF timers are configured correctly. The Hello timer specifies the amount of time between sending Hello packets, and the dead timer specifies the amount of time to wait for Hello packets before declaring a neighbor to be down. By default, the Hello timer is set to 10 seconds on point-to-point and broadcast links and 30 seconds on nonbroadcast multiaccess (NBMA) links. The dead timer is set to four times the Hello timer value by default. To manually configure the Hello timer interval, you should issue the ip ospf hello-interval seconds command in interface configuration mode. To manually configure the dead timer interval, you should issue the ip ospf dead-interval seconds command in interface configuration mode.

Reference:
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13699-29.html
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/7039-1.html
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13688-16.html

QUESTION NO: 26

You want to establish an EtherChannel between SwitchA and SwitchB by using a Cisco-proprietary protocol. After you configure the ports on SwitchA with the correct channel protocol, you issue the channel-group 1 mode auto command on those ports. Which of the following commands should you issue on SwitchB? (Choose two.)

A. channel-group 1 mode passive
B. channel-protocol pagp
C. channel-group 1 mode active
D. channel-protocol lacp
E. channel-group 1 mode auto
F. channel-group 1 mode desirable

Answer: B,F

Explanation:
You should issue the channel-protocol pagp command and the channel-group 1 mode desirable command on SwitchB. EtherChannel is used to bundle two or more identical physical interfaces into a single logical link between switches. An EtherChannel can be permanently established between switches, or it can be negotiated by using one of two aggregation protocols: the Cisco-proprietary Port Aggregation Protocol (PAgP) or the open-standard Institute of Electrical and Electronics Engineers (IEEE) 802.3ad protocol, which is also known as Link Aggregation Control Protocol (LACP). To configure a switch port to use a particular aggregation protocol, you should use the channel-protocol {lacp | pagp} command. You can issue the show etherchannel summary command to verify the status of an EtherChannel link and to determine which aggregation protocol, if any, was used to establish the link. The following sample output indicates that PAgP was used to successfully establish an EtherChannel link:

An EtherChannel can have up to eight active switch ports in the bundle that forms the logical link between switches. Every switch port in the bundle, which is also referred to as a channel group, must be configured with the same speed and duplex settings. To configure a switch port to be a member of a particular channel group, you should issue the channel-group number mode {on | active | passive | {auto | desirable} [non-silent]} command. This command uses number to specify a particular channel group. The supported values for number vary depending on hardware platform and IOS revision.

The following table displays the channel-group configurations that will establish an EtherChannel:

The on keyword configures the channel group to unconditionally create the channel with no LACP or PAgP negotiation.
In the on mode, an EtherChannel exists only if a channel group that is in the on mode is connected to another channel group that is also in the on mode.

The auto, desirable, and non-silent keywords can be used only with PAgP. The desirable keyword configures the channel group to actively negotiate PAgP, and the auto keyword configures the channel group to listen for PAgP negotiation to be offered. Either or both sides of the link must be set to desirable to establish an EtherChannel over PAgP; setting both sides to auto will not establish an EtherChannel over PAgP. The optional non-silent keyword requires that a port receive PAgP packets before the port is added to the channel.

The active and passive keywords can be used only with LACP. The active keyword configures the channel group to actively negotiate LACP, and the passive keyword configures the channel group to listen for LACP negotiation to be offered. Either or both sides of the link must be set to active to establish an EtherChannel over LACP; setting both sides to passive will not establish an EtherChannel over LACP.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/command/reference/3750cr/cli1.html#pgfId-11890010
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/command/reference/3750cr/cli1.html#pgfId-11890203
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 10: RSTP and EtherChannel Configuration, Configuring Layer 2 EtherChannel

QUESTION NO: 27

Which of the following devices cannot be connected to leaf nodes in the Cisco ACI architecture?

A. leaf nodes
B. spine nodes
C. EPGs
D. application servers
E. APICs

Answer: A

Explanation:
In the Cisco Application Centric Infrastructure (ACI), leaf nodes cannot connect to each other.
Cisco ACI is a data center technology that uses switches, categorized as spine and leaf nodes, to dynamically implement network application policies in response to application-level requirements. Network application policies are defined on a Cisco Application Policy Infrastructure Controller (APIC) and are implemented by the spine and leaf nodes. The spine and leaf nodes create a scalable network fabric that is optimized for east-west data transfer, which in a data center is typically traffic between an application server and its supporting data services, such as database or file servers. Each spine node requires a connection to each leaf node; however, spine nodes do not interconnect nor do leaf nodes interconnect. Despite its lack of fully meshed connections between spine nodes or between leaf nodes, this physical topology enables nonlocal traffic to pass from any ingress leaf interface to any egress leaf interface through a single, dynamically selected spine node. By contrast, local traffic is passed directly from an ingress interface on a leaf node to the appropriate egress interface on the same leaf node. Because a spine node has a connection to every leaf node, the scalability of the fabric is limited by the number of ports on the spine node, not by the number of ports on the leaf node. For example, if additional access ports are needed, a new leaf node can be added to the infrastructure as long as there is a sufficient number of ports remaining on the existing spine nodes to support the new leaf node. In addition, redundant connections between a spine and leaf pair are unnecessary because the nature of the topology ensures that each leaf has multiple connections to the network fabric. Therefore, each spine node requires only a single connection to each leaf node. Redundancy is also provided by the presence of multiple APICs, which are typically deployed as a cluster of three controllers. 
APICs are not directly involved in forwarding traffic and are therefore not required to connect to every spine or leaf node. Instead, the APIC cluster is connected to one or more leaf nodes in much the same manner that other endpoint groups (EPGs), such as application servers, are connected. Because APICs are not directly involved in forwarding traffic, the failure of an APIC does not affect the ability of the fabric to forward traffic.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010000.html#concept_4365C485B1C8403ABE9A0960ECA703DE
CCNA 200-301 Official Cert Guide, Volume 2, Chapter 16: Introduction to Controller-Based Networking, ACI Physical Design: Spine and Leaf

QUESTION NO: 28 DRAG DROP

Select the Application layer protocols on the left, and drag them to the corresponding Transport layer protocol. All Application layer protocols will be used.

Answer:

Explanation:
Transmission Control Protocol (TCP) is a Transport layer protocol that is used for reliable, connection-oriented transfer of data. Data sent by TCP is ordered and checked for errors, and any lost packets are retransmitted. File Transfer Protocol (FTP), which is used to transfer files over a network, uses TCP ports 20 and 21. Hypertext Transfer Protocol (HTTP), which is used to transfer webpages over the Internet, uses TCP port 80. Simple Mail Transfer Protocol (SMTP), which is used to send email messages, uses TCP port 25. Other Application layer protocols that use TCP include Post Office Protocol 3 (POP3), which uses TCP port 110, and Telnet, which uses TCP port 23.

User Datagram Protocol (UDP) is a Transport layer protocol that is used for unreliable, connectionless datagram transfer.
Transmitted datagrams can appear out of sequence or can be dropped without notice. Dynamic Host Configuration Protocol (DHCP), which is used to assign Internet Protocol (IP) addressing information to clients, uses UDP ports 67 and 68. Simple Network Management Protocol (SNMP), which is used to monitor and manage network devices, uses UDP ports 161 and 162. Trivial File Transfer Protocol (TFTP), which is used to transfer files over a network, uses UDP port 69. Other Application layer protocols that use UDP include Network Time Protocol (NTP), which uses UDP port 123, and Remote Authentication Dial-In User Service (RADIUS), which uses UDP ports 1812 and 1813.

Domain Name System (DNS) uses both TCP and UDP for Transport layer communication over port 53. DNS is used to translate host names to IP addresses.

Reference:
https://www.iana.org/protocols
CCNA 200-301 Official Cert Guide, Volume 2, Chapter 1: Introduction to TCP/IP Transport and Applications, Connection Establishment and Termination

QUESTION NO: 29

What percentage of wireless coverage overlap is considered appropriate to ensure that wireless clients do not lose connectivity when roaming from one AP to another?

A. 10 to 15 percent
B. 40 to 50 percent
C. 0 to 5 percent
D. more than 50 percent
E. 20 to 35 percent

Answer: A

Explanation:
A wireless coverage overlap area of 10 to 15 percent is considered appropriate to ensure that wireless clients do not lose connectivity when roaming from one access point (AP) to another. Too little wireless coverage overlap often causes gaps in wireless coverage, which prevents roaming clients from being able to seamlessly transition from one AP to another. Providing more than 10 to 15 percent wireless coverage overlap would require you to purchase more APs than are necessary for adequate wireless coverage. In addition, too much wireless coverage overlap could introduce radio interference from neighboring APs.
You should ensure that the APs on the network use nonoverlapping channels to avoid radio interference from neighboring APs. For example, although 802.11b can be configured to use 11 different channels in the United States and Canada, only three nonoverlapping channels can be used: 1, 6, and 11. Using two or more APs with overlapping wireless coverage areas creates an Extended Service Set (ESS) topology. A single AP creates a Basic Service Set (BSS) topology. A wireless network created by wireless clients communicating without the use of an AP is called an Independent Basic Service Set (IBSS) topology.

Reference:
https://www.cisco.com/c/en/us/td/docs/wireless/technology/ap1000/deployment/guide/hah_apdg/dg10ic.html
CCNA 200-301 Official Cert Guide, Volume 1, Chapter 26: Fundamentals of Wireless Networks, Wireless