Cisco.350-401.vMar-2024.by_.Lian_.365q.pdf
Document Details
Uploaded by EnchantedVorticism
2024
Cisco
Full Transcript
Cisco.350-401.vMar-2024.by.Lian.365q
Number: 350-401
Passing Score: 800
Time Limit: 120
Website: www.VCEplus.io
File Version: 31.3
Twitter: https://twitter.com/VCE_Plus
Exam Code: 350-401
Exam Name: Implementing Cisco Enterprise Network Core Technologies (ENCOR)
IT Certification Exams - Questions & Answers | VCEplus.io

Exam A

QUESTION 1
What is a benefit of Type 1 hypervisors?
A. Administrators are able to load portable virtual machine packages in OVA or QCOW2 formats.
B. Network engineers are able to create virtual networks to interconnect virtual machines in Layer 2 topologies.
C. Operators are able to leverage orchestrators to manage workloads that run on multiple Type 1 hypervisors.
D. Storage engineers are able to leverage VMDK files to provide storage to virtual machine.
Correct Answer: B

QUESTION 2
What is the wireless received signal strength indicator?
A. The value given to the strength of the wireless signal received compared to the noise level
B. The value of how strong the wireless signal is leaving the antenna using transmit power, cable loss, and antenna gain
C. The value of how much wireless signal is lost over a defined amount of distance
D. The value of how strong a wireless signal is received, measured in dBm
Correct Answer: D
Explanation:
RSSI, or "Received Signal Strength Indicator," is a measurement of how well your device can hear a signal from an access point or router. It's a value that is useful for determining if you have enough signal to get a good wireless connection. This value is measured in decibels (dBm) from 0 (zero) to -120 (minus 120). The closer to 0 (zero), the stronger the signal, which means it's better. Typically, voice networks require a -65db or better signal level while a data network needs -80db or better.

QUESTION 3
Which technology is used as the basis for the Cisco SD-Access data plane?
A. IPsec
B. LISP
C. VXLAN
D. 802.1Q
Correct Answer: C
Explanation:
A virtual network identifier (VNI) is a value that identifies a specific virtual network in the data plane.

QUESTION 4
What is YANG used for?
A. scraping data via CLI
B. processing SNMP read-only polls
C. describing data models
D. providing a transport for network configuration data between client and server
Correct Answer: C

QUESTION 5
Which method does Cisco DNA Center use to allow management of non-Cisco devices through southbound protocols?
A. It creates device packs through the use of an SDK.
B. It uses an API call to interrogate the devices and register the returned data.
C. It obtains MIBs from each vendor that details the APIs available.
D. It imports available APIs for the non-Cisco device in a CSV format.
Correct Answer: A
Explanation:
Cisco DNA Center allows customers to manage their non-Cisco devices through the use of a Software Development Kit (SDK) that can be used to create Device Packages for third-party devices.
Reference: https://developer.cisco.com/docs/dna-center/#!cisco-dna-center-platformoverview/multivendor-support-southbound

QUESTION 6
A network is being migrated from IPv4 to IPv6 using a dual-stack approach. Network management is already 100% IPv6 enabled. In a dual-stack network with two dual-stack NetFlow collectors, how many flow exporters are needed per network device in the flexible NetFlow configuration?
A. 1
B. 2
C. 4
D. 8
Correct Answer: B

QUESTION 7
What are two considerations when using SSO as a network redundancy feature? (Choose two)
A. both supervisors must be configured separately
B. the multicast state is preserved during switchover
C. must be combined with NSF to support uninterrupted Layer 2 operations
D. must be combined with NSF to support uninterrupted Layer 3 operations
E. requires synchronization between supervisors in order to guarantee continuous connectivity
Correct Answer: D, E
Explanation:
Cisco IOS Nonstop Forwarding (NSF) always runs with stateful switchover (SSO) and provides redundancy for Layer 3 traffic.
Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_01101110.pdf

QUESTION 8
Refer to the exhibit. Which command is required to verify NETCONF capability reply messages?
A. show netconf | section rpc-reply
B. show netconf rpc-reply
C. show netconf xml rpc-reply
D. show netconf schema | section rpc-reply
Correct Answer: D

QUESTION 9
Refer to the exhibit. Which type of antenna does the radiation pattern represent?
A. Yagi
B. multidirectional
C. directional patch
D. omnidirectional
Correct Answer: A

QUESTION 10
Which new enhancement was implemented in Wi-Fi 6?
A. Wi-Fi Protected Access 3
B. 4096 Quadrature Amplitude Modulation Mode
C. Channel bonding
D. Uplink and Downlink Orthogonal Frequency Division Multiple Access
Correct Answer: D

QUESTION 11
Which Cisco DNA Center application is responsible for group-based access control permissions?
A. Design
B. Provision
C. Assurance
D. Policy
Correct Answer: D

QUESTION 12
Refer to the exhibit. Which JSON syntax is derived from this data?
A.
B.
C.
D.
Correct Answer: D

QUESTION 13
Refer to the exhibit. Which command when applied to the Atlanta router reduces type 3 LSA flooding into the backbone area and summarizes the inter-area routes on the Dallas router?
A. Atlanta(config-route)#area 0 range 192.168.0.0 255.255.248.0
B. Atlanta(config-route)#area 0 range 192.168.0.0 255.255.252.0
C. Atlanta(config-route)#area 1 range 192.168.0.0 255.255.252.0
D. Atlanta(config-route)#area 1 range 192.168.0.0 255.255.248.0
Correct Answer: C

QUESTION 14
Refer to the exhibit. An engineer is installing a new pair of routers in a redundant configuration. Which protocol ensures that traffic is not disrupted in the event of a hardware failure?
A. HSRPv1
B. GLBP
C. VRRP
D. HSRPv2
Correct Answer: A
Explanation:
The "virtual MAC address" is 0000.0c07.acXX (XX is the hexadecimal group number) so it is using HSRPv1.
Note: HSRP Version 2 uses a new MAC address which ranges from 0000.0C9F.F000 to 0000.0C9F.FFFF.

QUESTION 15
Refer to the exhibit. Which router is the designated router on the segment 192.168.0.0/24?
A. This segment has no designated router because it is a nonbroadcast network type.
B. This segment has no designated router because it is a p2p network type.
C. Router Chicago because it has a lower router ID
D. Router NewYork because it has a higher router ID
Correct Answer: B

QUESTION 16
Which Python code snippet must be added to the script to store the changed interface configuration to a local JSON-formatted file?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: B

QUESTION 17
Refer to the exhibit. Which configuration set implements Control Plane Policing for SSH and Telnet?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: D

QUESTION 18
Refer to the exhibit. Running the script causes the output in the exhibit. What should be the first line of the script?
A. from ncclient import manager
B. import manager
C. from ncclient import *
D. ncclient manager import
Correct Answer: C

QUESTION 19
DRAG DROP
Drag and drop the descriptions from the left onto the correct QoS components on the right.
Select and Place:
Correct Answer:

QUESTION 20
The login method is configured on the VTY lines of a router with these parameters:
The first method for authentication is TACACS.
If TACACS is unavailable, login is allowed without any provided credentials.
Which configuration accomplishes this task?
A.
    R1#sh run | include aaa
    aaa new-model
    aaa authentication login VTY group tacacs+ none
    aaa session-id common
    R1#sh run | section vty
    line vty 0 4
    password 7 0202039485748
    R1#sh run | include username
    R1#
B.
    R1#sh run | include aaa
    aaa new-model
    aaa authentication login telnet group tacacs+ none
    aaa session-id common
    R1#sh run | section vty
    line vty 0 4
    R1#sh run | include username
    R1#
C.
    R1#sh run | include aaa
    aaa new-model
    aaa authentication login default group tacacs+ none
    aaa session-id common
    R1#sh run | section vty
    line vty 0 4
    password 7 0202039485748
D.
    R1#sh run | include aaa
    aaa new-model
    aaa authentication login default group tacacs+
    aaa session-id common
    R1#sh run | section vty
    line vty 0 4
    transport input none
    R1#
Correct Answer: C
Explanation:
According to the requirements (first use TACACS+, then allow login with no authentication), we have to use "aaa authentication login … group tacacs+ none" for the AAA command. The next thing to check is whether "aaa authentication login default" or "aaa authentication login list-name" is used. The 'default' keyword means we want to apply it to all login connections (such as tty, vty, console and aux). If we use this keyword, we don't need to configure anything else under tty, vty and aux lines.
If we don't use this keyword then we have to specify which line(s) we want to apply the authentication feature to.
From the above information, we can find the answer:
    R1#sh run | include aaa
    aaa new-model
    aaa authentication login default group tacacs+ none
    aaa session-id common
    R1#sh run | section vty
    line vty 0 4
    password 7 0202039485748
If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS Tutorial – Part 2.
For your information, the answer
    R1#sh run | include aaa
    aaa new-model
    aaa authentication login telnet group tacacs+ none
    aaa session-id common
    R1#sh run | section vty
    line vty 0 4
    R1#sh run | include username
    R1#
would be correct if we add the following command under the vty line ("line vty 0 4"): "login authentication telnet" ("telnet" is the name of the AAA list above).

QUESTION 21
An engineer must create an EEM script to enable OSPF debugging in the event the OSPF neighborship goes down. Which script must the engineer apply?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: C

QUESTION 22
Refer to the exhibit. Router BRDR-1 is configured to receive the 0.0.0.0/0 and 172.17.1.0/24 networks via BGP and advertise them into OSPF area 0. An engineer has noticed that the OSPF domain is receiving only the 172.17.1.0/24 route and the default route 0.0.0.0/0 is still missing. Which configuration must the engineer apply to resolve the problem?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: D

QUESTION 23
A network engineer must configure a router to send logging messages to a syslog server based on these requirements:
uses syslog IP address: 10.10.10.1
uses a reliable protocol
must not use any well-known TCP/UDP ports
Which configuration must be used?
A. logging host 10.10.10.1 transport tcp port 1024
B. logging origin-id 10.10.10.1
C. logging host 10.10.10.1 transport udp port 1023
D. logging host 10.10.10.1 transport udp port 1024
Correct Answer: A

QUESTION 24
Refer to the exhibit. A network engineer must configure NETCONF. After creating the configuration, the engineer gets output from the command show line, but not from show running-config. Which command completes the configuration?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: C

QUESTION 25
An engineer is configuring a new SSID to present users with a splash page for authentication. Which WLAN Layer 3 setting must be configured to provide this functionality?
A. CCKM
B. WPA2 Policy
C. Local Policy
D. Web Policy
Correct Answer: D

QUESTION 26
Refer to the exhibit. After an engineer configures an EtherChannel between switch SW1 and switch SW2, this error message is logged on switch SW2.
    09:45:32: %PM-4-ERR_DISABLE: channel-misconfig error detected on Gi0/0, putting Gi0/0 in err-disable state
    09:45:32: %PM-4-ERR_DISABLE: channel-misconfig error detected on Gi0/1, putting Gi0/1 in err-disable state
Based on the output from SW1 and the log message received on switch SW2, what action should the engineer take to resolve this issue?
A. Configure the same protocol on the EtherChannel on switch SW1 and SW2.
B. Correct the configuration error on interface Gi0/1 on switch SW1.
C. Define the correct port members on the EtherChannel on switch SW1.
D. Correct the configuration error on interface Gi0/0 on switch SW1.
Correct Answer: A
Explanation:
In this case, we are using your EtherChannel without a negotiation protocol. As a result, if the opposite switch is not also configured for EtherChannel operation on the respective ports, there is a danger of a switching loop.
The EtherChannel Misconfiguration Guard tries to prevent that loop from occurring by disabling all the ports bundled in the EtherChannel.

QUESTION 27
Which antenna type should be used for a site-to-site wireless connection?
A. Omnidirectional
B. dipole
C. patch
D. Yagi
Correct Answer: D

QUESTION 28
Refer to the exhibit. An engineer is troubleshooting an application running on Apple phones. The application is receiving incorrect QoS markings. The systems administrator confirmed that all configuration profiles are correct on the Apple devices. Which change on the WLC optimizes QoS for these devices?
A. Enable Fastlane
B. Set WMM to required
C. Change the QoS level to Platinum
D. Configure AVC Profiles
Correct Answer: C

QUESTION 29
What is the function of the LISP map resolver?
A. to send traffic to non-LISP sites when connected to a service provider that does not accept nonroutable EIDs as packet sources
B. to connect a site to the LISP-capable part of a core network, publish the EID-to-RLOC mappings for the site, and respond to map-request messages
C. to decapsulate map-request messages from ITRs and forward the messages to the MS.
D. to advertise routable non-LISP traffic from one address family to LISP sites in a different address family
Correct Answer: C
Explanation:
Map resolver (MR): The MR performs the following functions:
+ Receives MAP requests, which are encapsulated by ITRs.
+ Provides a service interface to the ALT router, de-encapsulates MAP requests, and forwards on the ALT topology.

QUESTION 30
A network administrator applies the following configuration to an IOS device. What is the process of password checks when a login attempt is made to the device?
A. A TACACS+ server is checked first. If that check fails, a database is checked.
B. A TACACS+ server is checked first. If that check fails, a RADIUS server is checked. If that check fails, a local database is checked.
C. A local database is checked first. If that fails, a TACACS+ server is checked. If that check fails, a RADIUS server is checked.
D. A local database is checked first. If that check fails, a TACACS+ server is checked.
Correct Answer: D

QUESTION 31
What is the purpose of the LISP routing and addressing architecture?
A. It creates two entries for each network node, one for its identity and another for its location on the network.
B. It allows LISP to be applied as a network virtualization overlay through encapsulation.
C. It allows multiple instances of a routing table to co-exist within the same router.
D. It creates head-end replication used to deliver broadcast and multicast frames to the entire network.
Correct Answer: A

QUESTION 32
How does Cisco TrustSec enable more access controls for dynamic networking environments and data centers?
A. classifies traffic based on advanced application recognition
B. uses flexible NetFlow
C. classifies traffic based on the contextual identity of the endpoint rather than its IP address
D. assigns a VLAN to the endpoint
Correct Answer: C
Explanation:
The Cisco TrustSec solution simplifies the provisioning and management of network access control through the use of software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy change without network redesign.

QUESTION 33
Refer to the exhibit. A network engineer configures a GRE tunnel and enters the show interface tunnel command. What does the output confirm about the configuration?
A. The keepalive value is modified from the default value.
B. Interface tracking is configured.
C. The tunnel mode is set to the default.
D. The physical interface MTU is 1476 bytes.
Correct Answer: C

QUESTION 34
"HTTP/1.1 204 content" is returned when the curl -I -X DELETE command is issued. Which situation has occurred?
A. The object could not be located at the URI path.
B. The command succeeded in deleting the object
C. The object was located at the URI, but it could not be deleted.
D. The URI was invalid
Correct Answer: B
Explanation:
HTTP Status 204 (No Content) indicates that the server has successfully fulfilled the request and that there is no content to send in the response payload body.

QUESTION 35
A company plans to implement intent-based networking in its campus infrastructure. Which design facilitates a migration from a traditional campus design to a programmable fabric design?
A. Layer 2 access
B. three-tier
C. two-tier
D. routed access
Correct Answer: C

QUESTION 36
When a wireless client roams between two different wireless controllers, a network connectivity outage is experienced for a period of time. Which configuration issue would cause this problem?
A. Not all of the controllers in the mobility group are using the same mobility group name.
B. Not all of the controllers within the mobility group are using the same virtual interface IP address.
C. All of the controllers within the mobility group are using the same virtual interface IP address.
D. All of the controllers in the mobility group are using the same mobility group name.
Correct Answer: B

QUESTION 37
Refer to the exhibit. The IP SLA is configured in a router. An engineer must configure an EEM applet to shut down the interface and bring it back up when there is a problem with the IP SLA. Which configuration should the engineer use?
A.
    event manager applet EEM_IP_SLA
    event track 10 state down
B.
    event manager applet EEM_IP_SLA
    event track 10 state unreachable
C.
    event manager applet EEM_IP_SLA
    event sla 10 state unreachable
D.
    event manager applet EEM_IP_SLA
    event sla 10 state down
Correct Answer: A
Explanation:
The "ip sla 10" will ping the IP 192.168.10.20 every 3 seconds to make sure the connection is still up. We can configure an EEM applet if there is any problem with this IP SLA via the command "event track 10 state down".
Reference: https://www.theroutingtable.com/ip-sla-and-cisco-eem/

QUESTION 38
Which JSON syntax is valid?
A.
B.
C.
D.
Correct Answer: C
Explanation:
This JSON can be written as follows:
    {"switch": {"name": "dist1", "interfaces": ["gig1", "gig2", "gig3"]}}

QUESTION 39
Refer to the exhibit. An engineer must deny Telnet traffic from the loopback interface of router R3 to the loopback interface of router R2 during the weekend hours. All other traffic between the loopback interfaces of routers R3 and R2 must be allowed at all times. Which commands accomplish this task?
A.
    R3(config)#time-range WEEKEND
    R3(config-time-range)#periodic Saturday Sunday 00:00 to 23:59
    R3(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
    R3(config)#access-list 150 permit ip any any time-range WEEKEND
    R3(config)#interface G0/1
    R3(config-if)#ip access-group 150 out
B.
    R1(config)#time-range WEEKEND
    R1(config-time-range)#periodic weekend 00:00 to 23:59
    R1(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
    R1(config)#access-list 150 permit ip any any
    R1(config)#interface G0/1
    R1(config-if)#ip access-group 150 in
C.
    R3(config)#time-range WEEKEND
    R3(config-time-range)#periodic weekend 00:00 to 23:59
    R3(config)#access-list 150 permit tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
    R3(config)#access-list 150 permit ip any any time-range WEEKEND
    R3(config)#interface G0/1
    R3(config-if)#ip access-group 150 out
D.
    R1(config)#time-range WEEKEND
    R1(config-time-range)#periodic Friday Sunday 00:00 to 00:00
    R1(config)#access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
    R1(config)#access-list 150 permit ip any any
    R1(config)#interface G0/1
    R1(config-if)#ip access-group 150 in
Correct Answer: C
Explanation:
We cannot filter traffic that is originated from the local router (R3 in this case) so we can only configure the ACL on R1 or R2. "Weekend hours" means from Saturday morning through Sunday night so we have to configure: "periodic weekend 00:00 to 23:59".
Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59.

QUESTION 40
When configuring WPA2 Enterprise on a WLAN, which additional security component configuration is required?
A. NTP server
B. PKI server
C. RADIUS server
D. TACACS server
Correct Answer: C

QUESTION 41
What is the difference between TCAM and the MAC address table?
A. The MAC address table is contained in CAM. ACL and QoS information is stored in TCAM.
B. The MAC address table supports partial matches. TCAM requires an exact match.
C. Router prefix lookups happen in CAM. MAC address table lookups happen in TCAM.
D. TCAM is used to make Layer 2 forwarding decisions. CAM is used to build routing tables.
Correct Answer: A
Explanation:
https://community.cisco.com/t5/networking-documents/cam-content-addressable-memory-vstcam-ternary-content/ta-p/3107938
When using Ternary Content Addressable Memory (TCAM) inside routers it's used for faster address lookup that enables fast routing.
In switches Content Addressable Memory (CAM) is used for building and lookup of the MAC address table that enables L2 forwarding decisions. Besides Longest-Prefix Matching, TCAM in today's routers and multilayer switch devices is used to store ACL, QoS and other things from upper-layer processing.

QUESTION 42
Which exhibit displays a valid JSON file?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: D

QUESTION 43
A server running Linux is providing support for virtual machines along with DNS and DHCP services for a small business. Which technology does this represent?
A. container
B. Type 1 hypervisor
C. hardware pass-thru
D. Type 2 hypervisor
Correct Answer: D
Explanation:
In contrast to type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of an operating system and not the physical hardware directly. A big advantage of Type 2 hypervisors is that management console software is not required. Examples of type 2 hypervisor are VMware Workstation (which can run on Windows, Mac and Linux) or Microsoft Virtual PC (only runs on Windows).

QUESTION 44
Refer to the exhibit. After implementing the configuration, 172.20.20.2 stops replying to ICMP echoes, but the default route fails to be removed. What is the reason for this behavior?
A. The source-interface is configured incorrectly.
B. The destination must be 172.30.30.2 for icmp-echo
C. The default route is missing the track feature
D. The threshold value is wrong.
Correct Answer: C
Explanation:
The last command should be "R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10".

QUESTION 45
How does Cisco TrustSec enable more flexible access controls for dynamic networking environments and data centers?
A. uses flexible NetFlow
B. assigns a VLAN to the endpoint
C. classifies traffic based on the contextual identity of the endpoint rather than its IP address
D. classifies traffic based on advanced application recognition
Correct Answer: C

QUESTION 46
A client device roams between wireless LAN controllers that are mobility peers. Both controllers have dynamic interfaces on the same client VLAN. Which type of roam is described?
A. intra-VLAN
B. inter-controller
C. intra-controller
D. inter-subnet
Correct Answer: B

QUESTION 47
What is the responsibility of a secondary WLC?
A. It shares the traffic load of the LAPs with the primary controller.
B. It avoids congestion on the primary controller by sharing the registration load on the LAPs.
C. It registers the LAPs if the primary controller fails.
D. It enables Layer 2 and Layer 3 roaming between itself and the primary controller.
Correct Answer: C

QUESTION 48
Which two characteristics define the Intent API provided by Cisco DNA Center? (Choose two.)
A. northbound API
B. business outcome oriented
C. device-oriented
D. southbound API
E. procedural
Correct Answer: A, B
Explanation:
The Intent API is a Northbound REST API that exposes specific capabilities of the Cisco DNA Center platform. The Intent API provides policy-based abstraction of business intent, allowing focus on an outcome rather than struggling with individual mechanisms steps.
Reference: https://developer.cisco.com/docs/dna-center/#!cisco-dna-center-platformoverview/intent-api-northbound

QUESTION 49
Which DHCP option provides the CAPWAP APs with the address of the wireless controller(s)?
A. 43
B. 66
C. 69
D. 150
Correct Answer: A

QUESTION 50
Refer to the exhibit. Which configuration change will force BR2 to reach 209.165.201.0/27 via BR1?
A. Set the weight attribute to 65.535 on BR1 toward PE1.
B. Set the local preference to 150 on PE1 toward BR1 outbound
C. Set the MED to 1 on PE2 toward BR2 outbound.
D. Set the origin to igp on BR2 toward PE2 inbound.
Correct Answer: C
Explanation:
MED Attribute:
+ Optional nontransitive attribute (nontransitive means that we can only advertise MED to routers that are one AS away)
+ Sent through ASes to external BGP neighbors
+ Lower value is preferred (it can be considered the external metric of a route)
+ Default value is 0

QUESTION 51
Which two methods are used to reduce the AP coverage area? (Choose two)
A. Reduce channel width from 40 MHz to 20 MHz
B. Disable 2.4 GHz and use only 5 GHz.
C. Reduce AP transmit power.
D. Increase minimum mandatory data rate
E. Enable Fastlane
Correct Answer: C, D

QUESTION 52
Refer to the exhibit. Security policy requires all idle-exec sessions to be terminated in 600 seconds. Which configuration achieves this goal?
A.
    line vty 0 15
    absolute-timeout 600
B.
    line vty 0 15
    exec-timeout
C.
    line vty 0 15
    exec-timeout 10 0
D.
    line vty 0 4
    exec-timeout 600
Correct Answer: C

QUESTION 53
Which two threats does AMP4E have the ability to block? (Choose two.)
A. DDoS
B. ransomware
C. Microsoft Word macro attack
D. SQL injection
E. email phishing
Correct Answer: B, C
Explanation:
https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-for-endpoints/c11-742008-00-cisco-amp-for-endpoints-wp-v2a.pdf

QUESTION 54
What does the Cisco REST response indicate?
A. Cisco DNA Center has the incorrect credentials for cat3850-1
B. Cisco DNA Center is unable to communicate with cat9000-1
C. Cisco DNA Center has the incorrect credentials for cat9000-1
D. Cisco DNA Center has the incorrect credentials for RouterASR-1
Correct Answer: C

QUESTION 55
Refer to the exhibit. An engineer configures monitoring on SW1 and enters the show command to verify operation. What does the output confirm?
A. SPAN session 1 monitors activity on VLAN 50 of a remote switch
B. SPAN session 2 only monitors egress traffic exiting port FastEthernet 0/14.
C. SPAN session 2 monitors all traffic entering and exiting port FastEthernet 0/15.
D. RSPAN session 1 is incompletely configured for monitoring
Correct Answer: D
Explanation:
SW1 has been configured with the following commands:
    SW1(config)#monitor session 1 source remote vlan 50
    SW1(config)#monitor session 2 source interface fa0/14
    SW1(config)#monitor session 2 destination interface fa0/15
Session 1 on SW1 was configured for Remote SPAN (RSPAN) while session 2 was configured for local SPAN. For RSPAN we need to configure the destination port to complete the configuration.
Note: In fact we cannot create such a session like session 1 because if we only configure "Source RSPAN VLAN 50" (with the command "monitor session 1 source remote vlan 50") then we will receive a "Type: Remote Source Session" (not "Remote Destination Session").

QUESTION 56
Refer to the exhibit. A network engineer configures NAT on R1 and enters the show command to verify the configuration. What does the output confirm?
A. The first packet triggered NAT to add an entry to the NAT table
B. R1 is configured with NAT overload parameters
C. A Telnet from 160.1.1.1 to 10.1.1.10 has been initiated.
D. R1 is configured with PAT overload parameters
Correct Answer: A

QUESTION 57
An engineer is troubleshooting the AP join process using DNS. Which FQDN must be resolvable on the network for the access points to successfully register to the WLC?
A. wlchostname.domain.com
B. cisco-capwap-controller.domain.com
C. ap-manager.domain.com
D. primary-wlc.domain.com
Correct Answer: B
Explanation:
DNS: If you have configured your DHCP server to provide both option 006 (DNS server address) and option 015 (domain name) information, the AP can obtain WLC addresses from the DNS server. The process works as follows:
1. The AP gets its IP address from DHCP with options 6 and 15 configured.
2. The AP can obtain the IP address of the DNS server from the DHCP option.
3. The AP uses this information to perform a hostname lookup using CISCO-CAPWAP-CONTROLLER.<localdomain>, which resolves to available WLC management interface IP addresses (IPv4 or IPv6, or both).
4. The AP can then perform a directed message to associate to responsive WLCs.
To prevent all APs from joining a single controller based on a DNS name resolution, the domain name may vary; this is what is done to dispatch APs to different controllers across the enterprise network, based on different domain names that are configured in their respective DNS scopes.

QUESTION 58
Running the script causes the output in the exhibit. Which change to the first line of the script resolves the error?
A. from ncclient import
B. import manager
C. from ncclient import *
D. import ncclient manager
Correct Answer: C

QUESTION 59
An engineer must configure HSRP group 300 on a Cisco IOS router. When the router is functional, it must be the active HSRP router. The peer router has been configured using the default priority value. Which command set is required?
A.
B.
C.
D.
Correct Answer: B

QUESTION 60
Refer to the exhibit. An engineer is investigating why guest users are able to access other guest user devices when the users are connected to the customer guest WLAN.
What action resolves this issue?
A. implement MFP client protection
B. implement split tunneling
C. implement P2P blocking
D. implement Wi-Fi direct policy
Correct Answer: C Section:
Explanation:
This control determines whether the Wireless LAN Controller is configured to prevent clients connected to the same Wireless Local Area Controller from communicating with each other. Wireless Client Isolation prevents wireless clients from communicating with each other over the RF. Packets that arrive on the wireless interface are forwarded only out the wired interface of an Access Point. One wireless client could potentially compromise another client sharing the same wireless network.

QUESTION 61
Which characteristic distinguishes Ansible from Chef?
A. Ansible lacks redundancy support for the master server. Chef runs two masters in an active/active mode.
B. Ansible uses Ruby to manage configurations. Chef uses YAML to manage configurations.
C. Ansible pushes the configuration to the client. Chef client pulls the configuration from the server.
D. The Ansible server can run on Linux, Unix or Windows. The Chef server must run on Linux or Unix.
Correct Answer: C Section:

QUESTION 62
Refer to the exhibit. Assuming the WLC's interfaces are not in the same subnet as the RADIUS server, which interface would the WLC use as the source for all RADIUS-related traffic?
A. the interface specified on the WLAN configuration
B. any interface configured on the WLC
C. the controller management interface
D. the controller virtual interface
Correct Answer: A Section:

QUESTION 63
In an SD-Access solution what is the role of a fabric edge node?
A. to connect external Layer 3 network to the SD-Access fabric
B. to connect wired endpoint to the SD-Access fabric
C. to advertise fabric IP address space to external network
D.
to connect the fusion router to the SD-Access fabric
Correct Answer: B Section:
Explanation:
+ Fabric edge node: This fabric device (for example, access or distribution layer device) connects

QUESTION 64
What is a benefit of a virtual machine when compared with a physical server?
A. Multiple virtual servers can be deployed on the same physical server without having to buy additional hardware.
B. Virtual machines increase server processing performance.
C. The CPU and RAM resources on a virtual machine cannot be affected by other virtual machines.
D. Deploying a virtual machine is technically less complex than deploying a physical server.
Correct Answer: A Section:

QUESTION 65
When using TLS for syslog, which configuration allows for secure and reliable transportation of messages to its default port?
A. logging host 10.2.3.4 vrf mgmt transport tcp port 6514
B. logging host 10.2.3.4 vrf mgmt transport udp port 6514
C. logging host 10.2.3.4 vrf mgmt transport tcp port 514
D. logging host 10.2.3.4 vrf mgmt transport udp port 514
Correct Answer: A Section:
Explanation:
The TCP port 6514 has been allocated as the default port for syslog over Transport Layer Security (TLS).
Reference: https://tools.ietf.org/html/rfc5425

QUESTION 66
At which Layer does Cisco DNA Center support REST controls?
A. EEM applets or scripts
B. Session layer
C. YAML output from responses to API calls
D. Northbound APIs
Correct Answer: D Section:

QUESTION 67
Refer to the exhibit. While troubleshooting a routing issue, an engineer issues a ping from S1 to S2. Which two actions result from the initial value of the TTL? (Choose two.)
A. The packet reaches R3, and the TTL expires
B. R2 replies with a TTL exceeded message
C. R3 replies with a TTL exceeded message.
D. The packet reaches R2 and the TTL expires
E. R1 replies with a TTL exceeded message
F.
The packet reaches R1 and the TTL expires.
Correct Answer: A, D Section:
Explanation:
Source MAC in the capture is VMWare, MAC is Cisco. Routers first check the TTL before any further process, subtract 1 at R1. Send to R2, subtract and you have ZERO. Discard packet and reply with ICMP Time Exceeded message from that point, don't even bother checking the Route table for further processing.

QUESTION 68
Which technology provides a secure communication channel for all traffic at Layer 2 of the OSI model?
A. MACsec
B. IPsec
C. SSL
D. Cisco Trustsec
Correct Answer: A Section:
Explanation:
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the

QUESTION 69
Refer to the exhibit. An engineer is configuring an EtherChannel between Switch1 and Switch2 and notices the console message on Switch2. Based on the output, which action resolves this issue?
A. Configure less member ports on Switch2.
B. Configure the same port channel interface number on both switches
C. Configure the same EtherChannel protocol on both switches
D. Configure more member ports on Switch1.
Correct Answer: C Section:
Explanation:
In this case, we are using your EtherChannel without a negotiation protocol on Switch2. As a result, if the opposite switch is not also configured for EtherChannel operation on the respective ports, there is a danger of a switching loop. The EtherChannel Misconfiguration Guard tries to prevent that loop from occurring by disabling all the ports bundled in the EtherChannel.

QUESTION 70
Which entity is responsible for maintaining Layer 2 isolation between segments in a VXLAN environment?
A. switch fabric
B. VTEP
C. VNID
D. host switch
Correct Answer: C Section:
Explanation:
VXLAN uses an 8-byte VXLAN header that consists of a 24-bit VNID and a few reserved bits.
The VXLAN header together with the original Ethernet frame goes in the UDP payload. The 24-bit VNID is used to identify Layer 2 segments and to maintain Layer 2 isolation between the segments.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/vxlan/configuration/guide/b_Cisco_Nexus_9000_Series_NXOS_VXLAN_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NXOS_VXLAN_Configuration_Guide_7x_chapter_010.html

QUESTION 71
Which DHCP option helps lightweight APs find the IP address of a wireless LAN controller?
A. Option 43
B. Option 60
C. Option 67
D. Option 150
Correct Answer: A Section:

QUESTION 72
Refer to the exhibit. Which router is the designated router on the segment 192.168.0.0/24?
A. This segment has no designated router because it is a nonbroadcast network type.
B. This segment has no designated router because it is a p2p network type.
C. Router Chicago because it has a lower router ID
D. Router NewYork because it has a higher router ID
Correct Answer: B Section:

QUESTION 73
What are two differences between the RIB and the FIB? (Choose two.)
A. The FIB is derived from the data plane, and the RIB is derived from the FIB.
B. The RIB is a database of routing prefixes, and the FIB is the information used to choose the egress interface for each packet.
C. FIB is a database of routing prefixes, and the RIB is the information used to choose the egress interface for each packet.
D. The FIB is derived from the control plane, and the RIB is derived from the FIB.
E. The RIB is derived from the control plane, and the FIB is derived from the RIB.
Correct Answer: B, E Section:

QUESTION 74
Which algorithms are used to secure REST API from brute attacks and minimize the impact?
A. SHA-512 and SHA-384
B. MD5 algorithm-128 and SHA-384
C. SHA-1, SHA-256, and SHA-512
D.
PBKDF2, BCrypt, and SCrypt
Correct Answer: D Section:
Explanation:
One of the best practices to secure REST APIs is using password hash. Passwords must always be hashed to protect the system (or minimize the damage) even if it is compromised in some hacking attempts. There are many such hashing algorithms which can prove really effective for password security e.g. PBKDF2, bcrypt and scrypt algorithms. Other ways to secure REST APIs are: Always use HTTPS, Never expose information on URLs (Usernames, passwords, session tokens, and API keys should not appear in the URL), Adding Timestamp in Request, Using OAuth, Input Parameter Validation.
Reference: https://restfulapi.net/security-essentials/

QUESTION 75
Which command must be applied to R2 for an OSPF neighborship to form?
A. network 20.1.1.2 0.0.0.0 area 0
B. network 20.1.1.2 255.255.0.0 area 0
C. network 20.1.1.2 0.0.255.255 area 0
D. network 20.1.1.2 255.255.255 area 0
Correct Answer: A Section:
Explanation:
The "network 20.0.0.0 0.0.0.255 area 0" command on R2 did not cover the IP address of Fa1/1 interface of R2 so OSPF did not run on this interface. Therefore we have to use the command "network 20.1.1.2 0.0.255.255 area 0" to turn on OSPF on this interface.
Note: The command "network 20.1.1.2 0.0.255.255 area 0" can be used too so this answer is also correct but answer C is the best answer here. The "network 0.0.0.0 255.255.255.255 area 0" command on R1 will run OSPF on all active

QUESTION 76
Which two operations are valid for RESTCONF? (Choose two.)
A. HEAD
B. REMOVE
C. PULL
D. PATCH
E. ADD
F. PUSH
Correct Answer: A, D Section:
Explanation:
RESTCONF operations include OPTIONS, HEAD, GET, POST, PATCH, DELETE.

QUESTION 77
Which devices does Cisco DNA Center configure when deploying an IP-based access control policy?
A. All devices integrating with ISE
B. selected individual devices
C. all devices in selected sites
D.
all wired devices
Correct Answer: C Section:
Explanation:
When you click Deploy, Cisco DNA Center requests the Cisco Identity Services Engine (Cisco ISE) to send notifications about the policy changes to the network devices.

QUESTION 78
Refer to the exhibit. An engineer implemented several configuration changes and receives the logging message on Switch1. Which action should the engineer take to resolve this issue?
A. Change the VTP domain to match on both switches
B. Change Switch2 to switch port mode dynamic auto
C. Change Switch1 to switch port mode dynamic auto
D. Change Switch1 to switch port mode dynamic desirable
Correct Answer: A Section:

QUESTION 79
Which AP mode allows an engineer to scan configured channels for rogue access points?
A. sniffer
B. monitor
C. bridge
D. local
Correct Answer: B Section:

QUESTION 80
While configuring an IOS router for HSRP with a virtual IP of 10.1.1.1, an engineer sees this log message. Which configuration change must the engineer make?
A. Change the HSRP group configuration on the local router to 1.
B. Change the HSRP virtual address on the local router to 10.1.1.1.
C. Change the HSRP virtual address on the remote router to 10.1.1.1.
D. Change the HSRP group configuration on the remote router to 1.
Correct Answer: B Section:

QUESTION 81
What is the function of a fabric border node in a Cisco SD-Access environment?
A. To collect traffic flow information toward external networks
B. To connect the Cisco SD-Access fabric to another fabric or external Layer 3 networks
C. To attach and register clients to the fabric
D. To handle an ordered list of IP addresses and locations for endpoints in the fabric.
Correct Answer: B Section:

QUESTION 82
A network engineer configures BGP between R1 and R2. Both routers use BGP peer group CORP and are set up to use MD5 authentication.
This message is logged to the console of router R1:
“May 5 39:85:55.469: %TCP-6-BADAUTH” Invalid MD5 digest from 10.10.10.1 (29832) to 10.120.10.1 (179) tebleid -0
Which two configurations allow a peering session to form between R1 and R2? (Choose two.)
A. R1(config-router)#neighbor 10.10.10.1 peer-group CORP
R1(config-router)#neighbor CORP password Cisco
B. R2(config-router)#neighbor 10.120.10.1 peer-group CORP
R2(config-router)#neighbor CORP password Cisco
C. R2(config-router)#neighbor 10.10.10.1 peer-group CORP
R2(config-router)#neighbor PEER password Cisco
D. R1(config-router)#neighbor 10.120.10.1 peer-group CORP
R1(config-router)#neighbor CORP password Cisco
E. R2(config-router)#neighbor 10.10.10.1 peer-group CORP
R2(config-router)#neighbor CORP password Cisco
Correct Answer: A, B Section:

QUESTION 83
Which two operational models enable an AP to scan one or more wireless channels for rogue access points and at the same time provide wireless services to clients? (Choose two.)
A. Rogue detector
B. Sniffer
C. FlexConnect
D. Local
E. Monitor
Correct Answer: D, E Section:

QUESTION 84
Refer to the exhibit. MTU has been configured on the underlying physical topology, and no MTU command has been configured on the tunnel interfaces. What happens when a 1500-byte IPv4 packet traverses the GRE tunnel from host X to host Y, assuming the DF bit is cleared?
A. The packet arrives on router C without fragmentation.
B. The packet is discarded on router A
C. The packet is discarded on router B
D. The packet arrives on router C fragmented.
Correct Answer: D Section:

QUESTION 85
What is one benefit of implementing a VSS architecture?
A. It uses GLBP to balance traffic between gateways.
B. It provides a single point of management for improved efficiency.
C. It provides multiple points of management for redundancy and improved support
D.
It uses a single database to manage configuration for multiple switches
Correct Answer: C Section:
Explanation:
Support Virtual Switching System (VSS) to provide resiliency, and increased operational efficiency with a single point of management; VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent. – Single configuration file and node to manage. Removes the need to configure redundant switches twice with identical policies.

QUESTION 86
What does Call Admission Control require the client to send in order to reserve the bandwidth?
A. SIP flow information
B. Wi-Fi multimedia
C. traffic specification
D. VoIP media session awareness
Correct Answer: C Section:

QUESTION 87
Which function is handled by vManage in the Cisco SD-WAN fabric?
A. Establishes BFD sessions to test liveliness of links and nodes.
B. Distributes policies that govern data forwarding.
C. Performs remote software upgrades for WAN Edge vSmart and vBond.
D. Establishes IPsec tunnels with nodes
Correct Answer: C Section:

QUESTION 88
Where is radio resource management performed in a Cisco SD-Access wireless solution?
A. DNA Center
B. control plane node
C. wireless controller
D. Cisco CMX
Correct Answer: C Section:
Explanation:
Fabric wireless controllers manage and control the fabric-mode APs using the same general model as the traditional local-mode controllers which offers the same operational advantages such as mobility control and radio resource management. A significant difference is that client traffic from wireless endpoints is not tunnelled from the APs to the wireless controller. Instead, communication from wireless clients is encapsulated in VXLAN by the fabric APs which build a tunnel to their first-hop fabric edge node.
Wireless traffic is tunneled to the edge nodes as the edge nodes provide fabric services such as the Layer 3 Anycast Gateway, policy, and traffic enforcement.
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html

QUESTION 89
How does EIGRP differ from OSPF?
A. EIGRP is more prone to routing loops than OSPF
B. EIGRP supports equal or unequal path cost, and OSPF supports only equal path cost.
C. EIGRP has a full map of the topology, and OSPF only knows directly connected neighbors
D. EIGRP uses more CPU and memory than OSPF
Correct Answer: B Section:

QUESTION 90
Refer to the exhibit. Which HTTP JSON response does the Python code output give?
A. NameError: name 'json' is not defined
B. KeyError 'kickstart_ver_str'
C. 7.61
D. 7.0(3)I7(4)
Correct Answer: D Section:

QUESTION 91
Refer to the exhibit. The connection between SW1 and SW2 is not operational. Which two actions resolve the issue? (Choose two)
A. configure switchport mode access on SW2
B. configure switchport nonegotiate on SW2
C. configure switchport mode trunk on SW2
D. configure switchport nonegotiate on SW1
E. configure switchport mode dynamic desirable on SW2
Correct Answer: C, E Section:

QUESTION 92
Refer to the exhibit. An engineer is troubleshooting a connectivity issue and executes a traceroute. What does the result confirm?
A. The destination server reported it is too busy
B. The protocol is unreachable
C. The destination port is unreachable
D. The probe timed out
Correct Answer: D Section:
Explanation:
In Cisco routers, the codes for a traceroute command reply are:
! - success
* - time out
N - network unreachable
H - host unreachable
P - protocol unreachable
A - admin denied
Q - source quench received (congestion)
?
- unknown (any other ICMP message)

QUESTION 93
Which device makes the decision for a wireless client to roam?
A. wireless client
B. wireless LAN controller
C. access point
D. WCS location server
Correct Answer: A Section:

QUESTION 94
How is MSDP used to interconnect multiple PIM-SM domains?
A. MSDP depends on BGP or multiprotocol BGP for interdomain operation
B. MSDP SA request messages are used to request a list of active sources for a specific group
C. SDP allows a rendezvous point to dynamically discover active sources outside of its domain
D. MSDP messages are used to advertise active sources in a domain
Correct Answer: A Section:

QUESTION 95
Refer to the exhibit. A network engineer must configure a password expiry mechanism on the gateway router for all local passwords to expire after 60 days. What is required to complete this task?
A. The password expiry mechanism is on the AAA server and must be configured there.
B. Add the aaa authentication enable default Administrators command.
C. Add the username admin privilege 15 common-criteria-policy Administrators password 0 Cisco13579! command.
D. No further action is required. The configuration is complete.
Correct Answer: C Section:
Explanation:
Perform this task to create a password security policy and to apply the policy to a specific user profile.
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa common-criteria policy policy1
Device(config-cc-policy)# char-changes 4
Device(config-cc-policy)# max-length 20
Device(config-cc-policy)# min-length 6
Device(config-cc-policy)# numeric-count 2
Device(config-cc-policy)# special-case 2
Device(config-cc-policy)# exit
Device(config)# username user1 common-criteria-policy policy1 password password1
Device(config)# end

QUESTION 96
Which action is the vSmart controller responsible for in an SD-WAN deployment?
A. handle, maintain, and gather configuration and status for nodes within the SD-WAN fabric
B. distribute policies that govern data forwarding performed within the SD-WAN fabric
C. gather telemetry data from vEdge routers
D. onboard vEdge nodes into the SD-WAN fabric
Correct Answer: B Section:

QUESTION 97
If the noise floor is -90 dBm and wireless client is receiving a signal of -75 dBm, what is the SNR?
A. 15 B. C. D. 1.2 -165.83
Correct Answer: A Section:

QUESTION 98
Refer to the exhibit. An engineer must create a script that appends the output of the show process cpu sorted command to a file.
A. action 4.0 syslog command "show process cpu sorted | append flash:high-cpu-file"
B. action 4.0 publish-event "show process cpu sorted | append flash:high-cpu-file"
C. action 4.0 ens-event "show process cpu sorted | append flash:high-cpu-file"
D. action 4.0 cli command "show process cpu sorted | append flash:high-cpu-file"
Correct Answer: D Section:

QUESTION 99
Which two mechanisms are available to secure NTP? (Choose two.)
A. IP prefix list-based
B. IPsec
C. TACACS-based authentication
D. IP access list-based
E. Encrypted authentication
Correct Answer: D, E Section:

QUESTION 100
What is the difference between CEF and process switching?
A.
CEF processes packets that are too complex for process switching to manage.
B. CEF is more CPU-intensive than process switching.
C. CEF uses the FIB and the adjacency table to make forwarding decisions, whereas process switching punts each packet.
D. Process switching is faster than CEF.
Correct Answer: C Section:

QUESTION 101
Which AP mode allows an engineer to scan configured channels for rogue access points?
A. sniffer
B. monitor
C. bridge
D. local
Correct Answer: B Section:

QUESTION 102
What is a characteristic of MACsec?
A. 802.1AE provides encryption and authentication services
B. 802.1AE is built between the host and switch using the MKA protocol, which negotiates encryption keys based on the master session key from a successful 802.1X session
C. 802.1AE is built between the host and switch using the MKA protocol using keys generated via the Diffie-Hellman algorithm (anonymous encryption mode)
D. 802.1AE is negotiated using Cisco AnyConnect NAM and the SAP protocol
Correct Answer: B Section:
Explanation:
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) or Pre Shared Key (PSK) framework.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/macsec_encryption.html

QUESTION 103
Which method should an engineer use to deal with a long-standing contention issue between any two VMs on the same host?
A. Adjust the resource reservation limits
B. Live migrate the VM to another host
C. Reset the VM
D. Reset the host
Correct Answer: A Section:

QUESTION 104
Refer to the exhibit.
A.
Configure the channel-group mode on SW2 Gi0/1 and Gi0/1 to on.
The EtherChannel between SW2 and SW3 is not operational. Which action resolves this issue?
B. Configure the channel-group mode on SW3 Gi0/1 to active
C. Configure the mode on SW2 Gi0/0 to trunk
D. Configure the mode on SW2 Gi0/1 to access.
Correct Answer: B Section:

QUESTION 105
Refer to the exhibit. Which action completes the configuration to achieve a dynamic continuous mapped NAT for all users?
A. Configure a match-host type NAT pool
B. Reconfigure the pool to use the 192.168.1.0 address range
C. Increase the NAT pool size to support 254 usable addresses
D. Configure a one-to-one type NAT pool
Correct Answer: C Section:

QUESTION 106
Refer to the exhibit. SwitchC connects HR and Sales to the Core switch. However, business needs require that no traffic from the Finance VLAN traverse this switch. Which command meets this requirement?
A. B. C. D.
Correct Answer: D Section:

QUESTION 107
An engineer configures HSRP group 37. The configuration does not modify the default virtual MAC address. Which virtual MAC address does the group use?
A. C0:00:00:25:00:00
B. 00:00:0c:07:ac:37
C. C0:39:83:25:258:5
D. 00:00:0c:07:ac:25
Correct Answer: D Section:

QUESTION 108
An engineer has deployed a single Cisco 5520 WLC with a management IP address of 172.16.50.5/24. The engineer must register 50 new Cisco AIR-CAP2802I-E-K9 access points to the WLC using DHCP option 43. The access points are connected to a switch in VLAN 100 that uses the 172.16.100.0/24 subnet. The engineer has configured the DHCP scope on the switch as follows:
The access points are failing to join the wireless LAN controller. Which action resolves the issue?
A. configure option 43 Hex F104.AC10.3205
B. configure option 43 Hex F104.CA10.3205
C. configure dns-server 172.16.50.5
D.
configure dns-server 172.16.100.1
Correct Answer: A Section:
Explanation:
The Option 43 hexadecimal string is assembled as a sequence of the TLV values for the Option 43 suboption: Type + Length + Value. Type is always the suboption code 0xf1. Length is the number of controller management IP addresses times 4 in hex. Value is the IP address of the controller listed sequentially in hex.
In this question, there is 1 controller with management interface IP address 172.16.50.5/24. The type is 0xf1. The length is 1 * 4 = 8 = 0x04. The mgmt IP address 172.16.50.5 translates to ac.10.32.05 (0xac103205). When the string is assembled, it yields f108c0a80a05c0a80a14. The Cisco IOS command that is added to the DHCP scope is:
option 43 hex f104ac103205

QUESTION 109
Refer to the exhibit. A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using IPsec profiles. Which two configuration changes accomplish this? (Choose two).
A. Create an IPsec profile, associate the transform-set ACL, and apply the profile to the tunnel interface.
B. Apply the crypto map to the tunnel interface and change the tunnel mode to tunnel mode ipsec ipv4.
C. Remove all configuration related to crypto map from R1 and R2 and eliminate the ACL.
D. Create an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface.
E. Remove the crypto map and modify the ACL to allow traffic between 10.10.0.0/24 to 10.20.0.0/24.
Correct Answer: C, D Section:

QUESTION 110
How does a fabric AP fit in the network?
A. It is in local mode and must be connected directly to the fabric border node
B. It is in FlexConnect mode and must be connected directly to the fabric edge switch.
C. It is in FlexConnect mode and must be connected directly to the fabric border node
D.
It is in local mode and must be connected directly to the fabric edge switch.
Correct Answer: D Section:

QUESTION 111
Refer to the exhibit. What is the result when a technician adds the monitor session 1 destination remote vlan 223 command?
A. The RSPAN VLAN is replaced by VLAN 223.
B. RSPAN traffic is sent to VLANs 222 and 223
C. An error is flagged for configuring two destinations.
D. RSPAN traffic is split between VLANs 222 and 223.
Correct Answer: A Section:

QUESTION 112
How are map-register messages sent in a LISP deployment?
A. egress tunnel routers to map resolvers to determine the appropriate egress tunnel router
B. ingress tunnel routers to map servers to determine the appropriate egress tunnel router
C. egress tunnel routers to map servers to determine the appropriate egress tunnel router
D. ingress tunnel routers to map resolvers to determine the appropriate egress tunnel router
Correct Answer: C Section:
Explanation:
During operation, an Egress Tunnel Router (ETR) sends periodic Map-Register messages to all its configured map servers.

QUESTION 113
Refer to the exhibit. The trunk does not work over the back-to-back link between Switch1 interface Gig1/0/20 and Switch2 interface Gig1/0/20. Which configuration fixes the problem?
A. B. C. D.
Correct Answer: B Section:

QUESTION 114
Based on the router's API output in JSON format below, which Python code will display the value of the "hostname" key?
A. B. C. D.
Correct Answer: D Section:

QUESTION 115
Refer to the exhibit. An engineer attempts to bundle interface Gi0/0 into the port channel, but it does not function as expected. Which action resolves the issue?
A. Configure channel-group 1 mode active on interface Gi0/0.
B. Configure no shutdown on interface Gi0/0
C.
Enable fast LACP PDUs on interface Gi0/0.
D. Set LACP max-bundle to 2 on interface Port-channel1
Correct Answer: D Section:

QUESTION 116
Refer to the exhibit. An engineer must permit traffic from these networks and block all other traffic. An informational log message should be triggered when traffic enters from these prefixes. Which access list must be used?
A. access-list acl_subnets permit ip 10.0.32.0 0.0.0.255 log
B. access-list acl_subnets permit ip 10.0.32.0 0.0.7.255 log
C. access-list acl_subnets permit ip 10.0.32.0 0.0.7.255
access-list acl_subnets deny ip any log
D. access-list acl_subnets permit ip 10.0.32.0 255.255.248.0 log
Correct Answer: B Section:

QUESTION 117
Refer to the exhibit. After the code is run on a Cisco IOS-XE router, the response code is 204. What is the result of the script?
A. The configuration fails because another interface is already configured with IP address 10.10.10.1/24.
B. The configuration fails because interface GigabitEthernet2 is missing on the target device.
C. The configuration is successfully sent to the device in cleartext.
D. Interface GigabitEthernet2 is configured with IP address 10.10.10.1/24
Correct Answer: D Section:

QUESTION 118
Refer to the exhibit. PC-1 must access the web server on port 8080. To allow this traffic, which statement must be added to an access control list that is applied on SW2 port G0/0 in the inbound direction?
A. permit host 172.16.0.2 host 192.168.0.5 eq 8080
B. permit host 192.168.0.5 host 172.16.0.2 eq 8080
C. permit host 192.168.0.5 eq 8080 host 172.16.0.2
D.
permit host 192.168.0.5 lt 8080 host 172.16.0.2
Correct Answer: C Section:
Explanation:
The inbound direction of G0/0 of SW2 only filters traffic from the Web Server to PC-1, so the source IP address and port are those of the Web Server.

QUESTION 119
Refer to the exhibit. What is the effect of these commands on the BR and HQ tunnel interfaces?
A. The tunnel line protocol goes down when the keepalive counter reaches 6
B. The keepalives are sent every 5 seconds and 3 retries
C. The keepalives are sent every 3 seconds and 5 retries
D. The tunnel line protocol goes down when the keepalive counter reaches 5
Correct Answer: B Section:

QUESTION 120
What is the function of Cisco DNA Center in a Cisco SD-Access deployment?
A. It is responsible for routing decisions inside the fabric
B. It is responsible for the design, management, deployment, provisioning and assurance of the fabric network devices.
C. It possesses information about all endpoints, nodes and external networks related to the fabric
D. It provides integration and automation for all nonfabric nodes and their fabric counterparts.
Correct Answer: B Section:

QUESTION 121
A network administrator is implementing a routing configuration change and enables routing debugs to track routing behavior during the change. The logging output on the terminal is interrupting the command typing process. Which two actions can the network administrator take to minimize the possibility of typing commands incorrectly? (Choose two.)
A. Configure the logging synchronous global configuration command
B. Configure the logging delimiter feature
C. Configure the logging synchronous command under the vty
D. Press the TAB key to reprint the command in a new line
E. increase the number of lines on the screen using the terminal length command
Correct Answer: C, D Section:

QUESTION 122
How do cloud deployments differ from on-prem deployments?
A.
Cloud deployments require longer implementation times than on-premises deployments
B. Cloud deployments are more customizable than on-premises deployments.
C. Cloud deployments require less frequent upgrades than on-premises deployments.
D. Cloud deployments have lower upfront costs than on-premises deployments.
Correct Answer: C

QUESTION 123
An engineer is implementing a route map to support redistribution within BGP. The route map must be configured to permit all unmatched routes. Which action must the engineer perform to complete this task?
A. Include a permit statement as the first entry
B. Include at least one explicit deny statement
C. Remove the implicit deny entry
D. Include a permit statement as the last entry
Correct Answer: D

QUESTION 124
Which HTTP status code is the correct response for a request with an incorrect password applied to a REST API session?
A. HTTP Status Code 200
B. HTTP Status Code 302
C. HTTP Status Code 401
D. HTTP Status Code: 504
Correct Answer: C
Explanation: A 401 error response indicates that the client tried to operate on a protected resource without providing the proper authorization. It may have provided the wrong credentials or none at all. Note: answer 'HTTP Status Code 200' 4xx code indicates a "client error" while a 5xx code indicates a "server error".
Reference: https://restfulapi.net/http-status-codes/

QUESTION 125
What does the LAP send when multiple WLCs respond to the CISCO_CAPWAPCONTROLLER.localdomain hostname during the CAPWAP discovery and join process?
A. broadcast discover request
B. join request to all the WLCs
C. unicast discovery request to each WLC
D.
Unicast discovery request to the first WLC that resolves the domain name
Correct Answer: D

QUESTION 126
A customer requests a design that includes GLBP as the FHRP. The network architect discovers that the members of the GLBP group have different throughput capabilities. Which GLBP load balancing method supports this environment?
A. host dependent
B. least connection
C. round robin
D. weighted
Correct Answer: D
Explanation: Weighted: Defines weights to each device in the GLBP group to define the ratio of load balancing between the devices. This allows for a larger weight to be assigned to bigger routers that can handle more traffic.

QUESTION 127
In a Cisco SD-WAN solution, which two functions are performed by OMP? (Choose two.)
A. advertisement of network prefixes and their attributes
B. configuration of control and data policies
C. gathering of underlay infrastructure data
D. delivery of crypto keys
E. segmentation and differentiation of traffic
Correct Answer: A, B
Explanation: OMP is the control protocol that is used to exchange routing, policy, and management information between Cisco vSmart Controllers and Cisco IOS XE SD-WAN devices in the overlay network. These devices automatically initiate OMP peering sessions between themselves, and the two IP end points of the OMP session are the system IP addresses of the two devices.

QUESTION 128
What are two benefits of virtual switching when compared to hardware switching? (Choose two.)
A. increased MTU size
B. hardware independence
C. VM-level isolation
D. increased flexibility
E. extended 802.1Q VLAN range
Correct Answer: C, D

QUESTION 129
Which entity is a Type 1 hypervisor?
A. Oracle VM VirtualBox
B. VMware server
C. Citrix XenServer
D.
Microsoft Virtual PC
Correct Answer: C

QUESTION 130
Refer to the exhibit.
How was spanning-tree configured on this interface?
A. By entering the command spanning-tree portfast trunk in the interface configuration mode.
B. By entering the command spanning-tree portfast in the interface configuration mode
C. By entering the command spanning-tree mst1 vlan 10,20,30,40 in the global configuration mode
D. By entering the command spanning-tree vlan 10,20,30,40 root primary in the interface configuration mode
Correct Answer: A

QUESTION 131
What is a characteristic of a next-generation firewall?
A. only required at the network perimeter
B. required in each layer of the network
C. filters traffic using Layer 3 and Layer 4 information only
D. provides intrusion prevention
Correct Answer: D
Explanation: The feature set for NGFWs builds upon traditional firewall features by including critical security functions like intrusion prevention, VPN, and anti-virus, and even encrypted web traffic inspection to help prevent packets containing malicious content from entering the network.

QUESTION 132
Which features does Cisco EDR use to provide threat detection and response protection?
A. containment, threat intelligence, and machine learning
B. firewalling and intrusion prevention
C. container-based agents
D. cloud analysis and endpoint firewall controls
Correct Answer: B

QUESTION 133
Refer to the exhibit.
An engineer must ensure that all traffic leaving AS 200 will choose Link 2 as an entry point. Assuming that all BGP neighbor relationships have been formed and that the attributes have not been changed on any of the routers, which configuration accomplishes this task?
A. Option A
B. Option B
C. Option C
D.
Option D
Correct Answer: A
Explanation: R3 advertises BGP updates to R1 with multiple AS 100 so R3 believes the path to reach AS 200 via R3 is farther than R2 so R3 will choose R2 to forward traffic to AS 200.

QUESTION 134
A network engineer is enabling HTTPS access to the core switch, which requires a certificate to be installed on the switch signed by the corporate certificate authority. Which configuration commands are required to issue a certificate signing request from the core switch?
A.
B.
C.
D.
Correct Answer: B
Explanation: Certificate authorities (CAs) are responsible for managing certificate requests and issuing certificates to participating IPSec network devices. These services provide centralized security key and certificate management for the participating devices. Specific CA servers are referred to as "trustpoints."
The command "crypto pki trustpoint name" declares the trustpoint and a given name and enters ca-trustpoint configuration mode.
The command "enrollment terminal" specifies the manual cut-and-paste certificate enrollment method. The certificate request will be displayed on the console terminal so that it may be manually copied (or cut).
The command "crypto pki enroll name" generates the certificate request and displays the request for copying and pasting into the certificate server.
The full configuration is shown in the reference below.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/convert/sec_pki_xe_3s_book/sec_cert_enroll_pki_xe.html

QUESTION 135
What is the process for moving a virtual machine from one host machine to another with no downtime?
A. high availability
B. disaster recovery
C. live migration
D. multisite replication
Correct Answer: C

QUESTION 136
When are multicast RPs required?
A.
RPs are required only when using protocol independent multicast dense mode.
B. By default, the RP is needed periodically to maintain sessions with sources and receivers.
C. RPs are required for protocol independent multicast sparse mode and dense mode.
D. By default, the RP is needed only to start new sessions with sources and receivers.
Correct Answer: D

QUESTION 137
An engineer must create a new SSID on a Cisco 9800 wireless LAN controller. The client has asked to use a pre-shared key for authentication. Which profile must the engineer edit to achieve this requirement?
A. RF
B. Policy
C. WLAN
D. Flex
Correct Answer: B
Explanation: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116880-configwpa2-psk-00.html

QUESTION 138
A vulnerability assessment highlighted that remote access to the switches is permitted using unsecure and unencrypted protocols. Which configuration must be applied to allow only secure and reliable remote access for device administration?
A. line vty 0 15 login local transport input none
B. line vty 0 15 login local transport input telnet ssh
C. line vty 0 15 login local transport input ssh
D. line vty 0 15 login local transport input all
Correct Answer: C

QUESTION 139
Refer to the exhibit.
What does the output confirm about the switch's spanning tree configuration?
A. The spanning-tree mode stp ieee command was entered on this switch
B. The spanning-tree operation mode for this switch is IEEE.
C. The spanning-tree operation mode for this switch is PVST+.
D. The spanning-tree operation mode for this switch is PVST
Correct Answer: C

QUESTION 140
What are two common sources of interference for Wi-Fi networks? (Choose two.)
A. rogue AP
B. conventional oven
C. fire alarm
D. LED lights
E. radar
Correct Answer: A, E

QUESTION 141
Refer to the exhibit.
After configuring HSRP, an engineer enters the show standby command. Which two facts are derived from the output? (Choose two.)
A. The router with IP 10.10.1.3 is active because it has a higher IP address
B. If Fa0/0 is shut down, the HSRP priority on R2 becomes 80
C. R2 Fa1/0 regains the primary role when the link comes back up
D. R2 becomes the active router after the hold time expires.
E. R2 is using the default HSRP hello and hold timers.
Correct Answer: D, E

QUESTION 142
If a client's radio device receives a signal strength of -67 dBm and the noise floor is -85 dBm, what is the SNR value?
A. 15 dB
B. 16 dB
C. 18 dB
D. 20 dB
Correct Answer: C

QUESTION 143
Refer to the exhibit.
An engineer configures OSPF and wants to verify the configuration. Which configuration is applied to this device?
A.
B.
C.
D.
Correct Answer: C

QUESTION 144
A network monitoring system uses SNMP polling to record the statistics of router interfaces. The SNMP queries work as expected until an engineer installs a new interface and reloads the router. After this action, all SNMP queries for the router fail. What is the cause of this issue?
A. The SNMP community is configured incorrectly
B. The SNMP interface index changed after reboot.
C. The SNMP server traps are disabled for the interface index
D. The SNMP server traps are disabled for the link state.
Correct Answer: B

QUESTION 145
In a Cisco SD-Access solution, which protocol is used by an extended node to connect to a single edge node?
A. VXLAN
B. IS-IS
C. 802.1Q
D. CTS
Correct Answer: C
Explanation: SD-Access Extended Nodes provide the ability to extend the enterprise network by providing connectivity to non-carpeted spaces of an enterprise – commonly called the Extended Enterprise.
This allows network connectivity and management of IoT devices and the deployment of traditional enterprise end devices in outdoor and non-carpeted environments such as distribution centers, warehouses, or Campus parking lots. This feature extends consistent, policy-based automation to Cisco Industrial Ethernet, Catalyst 3560-CX Compact, and Digital Building Series switches and enables segmentation for user endpoints and IoT devices connected to these nodes. Using Cisco DNA Center automation, switches in the extended node role are onboarded to their connected edge node using an 802.1Q trunk over an EtherChannel with one or multiple physical link members. Extended nodes are discovered using zero-touch Plug-and-Play.
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-designguide.html#Network_Components

QUESTION 146
An engineer must enable a login authentication method that allows a user to log in by using local authentication if all other defined authentication methods fail. Which configuration should be applied?
A. aaa authentication login CONSOLE group radius local-case enable
B. aaa authentication login CONSOLE group radius local enable none
C. aaa authentication login CONSOLE group radius local enable
D. aaa authentication login CONSOLE group tacacs+ local enable
Correct Answer: D

QUESTION 147
Refer to the exhibit.
Which Python code snippet prints the descriptions of disabled interfaces only?
A.
B.
C.
D.
Correct Answer: D

QUESTION 148
When firewall capabilities are considered, which feature is found only in Cisco next-generation firewalls?
A. malware protection
B. stateful inspection
C. traffic filtering
D. active/standby high availability
Correct Answer: A

QUESTION 149
What does a northbound API accomplish?
A. programmatic control of abstracted network resources through a centralized controller
B. access to controlled network resources from a centralized node
C. communication between SDN controllers and physical switches
D. controlled access to switches from automated security applications
Correct Answer: A

QUESTION 150
Refer to the exhibit.
An engineer must prevent the R6 loopback from getting into Area 2 and Area 3 from Area 0. Which action must the engineer take?
A. Apply a filter list inbound on R2 and R9
B. Apply a filter list outbound on R3 and R7
C. Apply a filter list outbound on R7 only.
D. Apply a filter list inbound on R3 and R7
Correct Answer: B
Explanation: This question asks to prevent the route from being advertised into Area 2 and Area 3 only. It does not ask to prevent the route from being advertised into Area 0, so applying a filter list outbound on R3 and R7 would best fit the requirement.

QUESTION 151
Refer to the exhibit.
An engineer must configure HSRP for VLAN 1000 on SW2. The secondary switch must immediately take over the role of active router if the interlink with the primary switch fails. Which command set completes this task?
A.
B.
C.
D.
Correct Answer: C

QUESTION 152
Refer to the exhibit.
An engineer attempts to establish BGP peering between router CORP and two ISP routers. What is the root cause for the failure between CORP and ISP#2?
A. Router ISP#2 is configured to use SHA-1 authentication.
B. There is a password mismatch between router CORP and router ISP#2.
C. Router CORP is configured with an extended access control list.
D. MD5 authorization is configured incorrectly on router ISP#2.
Correct Answer: B

QUESTION 153
In which two ways does TCAM differ from CAM? (Choose two.)
A.
CAM is used to make Layer 2 forwarding decisions, and TCAM is used for Layer 3 address lookups.
B. The MAC address table is contained in CAM, and ACL and QoS information is stored in TCAM.
C. CAM is used by routers for IP address lookups, and TCAM is used to make Layer 2 forwarding decisions.
D. CAM is used for software switching mechanisms, and TCAM is used for hardware switching mechanisms.
E. The MAC address table is contained in TCAM, and ACL and QoS information is stored in CAM.
Correct Answer: C, E

QUESTION 154
What are two benefits of implementing a Cisco SD-WAN architecture? (Choose two)
A. It provides resilient and effective traffic flow using MPLS.
B. It improves endpoint protection by integrating embedded and cloud security features.
C. It allows configuration of application-aware policies with real time enforcement.
D. It simplifies endpoint provisioning through standalone router management
E. It enforces a single, scalable, hub-and-spoke topology.
Correct Answer: C, D
Explanation: The top SD-WAN benefits are:
+ Increased bandwidth at a lower cost
+ Centralized management across branch networks
+ Full visibility into the network
+ Providing organizations with more connection type options and vendor selection when building a network.
Reference: https://www.sdxcentral.com/networking/sd-wan/definitions/sd-wan-technology/
We can provision endpoints (vEdges) through a centralized router vManage, so answer D is correct. Answer A is not correct as we can use different kinds of connections on SD-WAN: MPLS, LTE, 4G, xDSL, Internet connections…
Application-Aware Routing policy is configured in vManage as a centralized data policy that maps the service-side application(s) to specific SLA requirements. The centralized policies provisioned in the vSmart controller are pushed to relevant WAN Edge devices for enforcement.
The defined policy consists of match-action pairs, where the match statement defines the application-list or the type of traffic to match, and the action statement defines the SLA action the WAN Edge devices must enforce for the specified traffic.
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwanapplication-awarerouting-deploy-guide.html

QUESTION 155
How does CEF switching differ from process switching on Cisco devices?
A. CEF switching saves memory by sorting adjacency tables in dedicated memory on the line cards, and process switching stores all tables in the main memory
B. CEF switching uses adjacency tables built by the CDP protocol, and process switching uses the routing table
C. CEF switching uses dedicated hardware processors, and process switching uses the main processor
D. CEF switching uses proprietary protocol based on IS-IS for MAC address lookup, and process switching uses the MAC address table
Correct Answer: B
Explanation: Cisco Express Forwarding (CEF) switching is a proprietary form of scalable switching intended to tackle the problems associated with demand caching. With CEF switching, the information which is conventionally stored in a route cache is split up over several data structures. The CEF code is able to maintain these data structures in the Gigabit Route Processor (GRP), and also in slave processors such as the line cards in the 12000 routers. The data structures that provide optimized lookup for efficient packet forwarding include:
The Forwarding Information Base (FIB) table - CEF uses a FIB to make IP destination prefix-based switching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and these changes are reflected in the FIB.
The FIB maintains next-hop address information based on the information in the IP routing table. Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with switching paths such as fast switching and optimum switching.
Adjacency table - Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.
CEF can be enabled in one of two modes:
Central CEF mode - When CEF mode is enabled, the CEF FIB and adjacency tables reside on the route processor, and the route processor performs the express forwarding. You can use CEF mode when line cards are not available for CEF switching, or when you need to use features not compatible with distributed CEF switching.
Distributed CEF (dCEF) mode - When dCEF is enabled, line cards maintain identical copies of the FIB and adjacency tables. The line cards can perform the express forwarding by themselves, relieving the main processor - Gigabit Route Processor (GRP) - of involvement in the switching operation. This is the only switching method available on the Cisco 12000 Series Router. dCEF uses an Inter-Process Communication (IPC) mechanism to ensure synchronization of FIBs and adjacency tables on the route processor and line cards. For more infor