
CCDP_Arch_300-320_by_Gon_Dec_2018_180Q

Number: 300-320
Passing Score: 860
Time Limit: 120 min
File Version: 3.0

This is the latest updated collection, gathered starting by Antoni, Mr.x, Pentacis,
Crossbar and Madox, Baldasar, Gutsy, Red-dot, Canelo, CCDP1, wolf, Ragnar
Lothbrok, LetsCCDP, Malkil ...
Everything here is updated, corrected, and de-duplicated as of December 2018
Exam A

QUESTION 1
A network designer needs to explain the advantages of route summarization to a client. Which two options are
advantages that should be included in the explanation? (Choose two)

A. Increases security by advertising fake networks
B. Reduces routing table size
C. Advertises detailed routing tables
D. Utilizes the routers full CPU capacity
E. Reduces the upstream impact of a flapping interface

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
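
Worked example, added here and not part of the original dump or of any Cisco document: it shows what answers B and E mean in practice using only the Python standard library. The four site prefixes are constructed for the illustration; the discard-route remark describes IOS behaviour (EIGRP installs a Null0 route for a configured summary) and is the practitioner caveat to keep in mind.

```python
"""Route summarization worked example.

Added example, not taken from the exam dump or from Cisco documentation: it uses only
the standard-library ipaddress module. The site prefixes are constructed for the
illustration (RFC 1918 space)."""
import ipaddress
from typing import Iterable, List

# Constructed sample: four /24s assigned to one remote site (10.1.3.0/24 is not used yet).
SITE_PREFIXES = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.4.0/24"]


def covering_summary(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the single shortest-mask prefix that contains every network in `prefixes`.

    This is the summary a distribution or WAN-edge router would advertise upstream
    instead of the individual component routes (answer B: a smaller routing table)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    # Widen the mask one bit at a time until every component fits inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def holes(summary: ipaddress.IPv4Network, prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Address space covered by `summary` but not by any component prefix.

    Traffic for these ranges is attracted by the summary and must be dropped at the
    summarizing router (IOS installs a Null0 discard route for exactly this reason);
    otherwise a default route can bounce it back and create a forwarding loop."""
    remaining = [summary]
    for n in map(ipaddress.ip_network, prefixes):
        nxt = []
        for piece in remaining:
            if n.subnet_of(piece):
                nxt.extend(piece.address_exclude(n))   # carve the component out
            elif piece.subnet_of(n):
                continue                               # piece fully consumed
            else:
                nxt.append(piece)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def upstream_view(prefixes: Iterable[str], failed: Iterable[str] = ()) -> List[str]:
    """What an upstream router sees after summarization when some components have failed.

    The summary is withdrawn only when no component remains (answer E: a flapping
    component link does not cause churn upstream)."""
    prefixes = list(prefixes)
    alive = [p for p in prefixes if p not in set(failed)]
    if not alive:
        return []
    return [str(covering_summary(prefixes))]


if __name__ == "__main__":
    summary = covering_summary(SITE_PREFIXES)
    print("summary:", summary, "replaces", len(SITE_PREFIXES), "routes")
    print("discard needed for:", [str(h) for h in holes(summary, SITE_PREFIXES)])
    print("upstream after 10.1.4.0/24 flaps:", upstream_view(SITE_PREFIXES, ["10.1.4.0/24"]))
```

The `holes` output is the part that matters for security: the summary claims 10.1.3.0/24, 10.1.5.0/24 and 10.1.6.0/23 even though nothing lives there, so those ranges must terminate in a discard route rather than follow a default back out.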

QUESTION 2
What is the next action taken by the Cisco NAC Appliance after it identifies a vulnerability on a client device?

A. Denies the client network resource access
B. Repairs the affected devices
C. Generates a Syslog message
D. Permits the client but limits to guest access

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
@Zoltan

From Cisco doc : NAC Appliance enforces security policies by blocking, isolating, and repairing noncompliant
machines.
=>(Order) Blocking > Isolating > Repairing

QUESTION 3
Which of the following facts must be considered when designing for IP telephony within an Enterprise Campus
network?

A. Because the IP phone is a three-port switch, IP telephony extends the network edge, impacting the
Distribution layer.
B. Video and voice are alike in being bursty and bandwidth intensive, and thus impose requirements to be
lossless, and have minimized delay and jitter.
C. IP phones have no voice and data VLAN separation, so security policies must be based on upper layer
traffic characteristics.
D. Though multi-VLAN access ports are set to Dot1Q and carry more than two VLANs they are not trunk ports.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Red-dot
The multi-VLAN access ports are not trunk ports, even though the hardware is set to the dot1q trunk. The
hardware setting is used to carry more than one VLAN, but the port is still considered an access port that is
able to carry one native VLAN and the auxiliary VLAN. => not more than two.
This is the other one that has been bugging me since the best 2 ANSWERs seem to have false statements.
I’m going to go with D since the hardware is set to dot1Q trunk which is used to carry more than 2 VLANs
according to the below quote from the CCNP FLG p68. All the documentation I have seen says answer A
affects the access layer which makes sense. CCNP FLG p68 .
D would be the correct answer if it didn't say “more than two VLANs”
B cannot be the answer because voice is not bursty and bandwidth intensive; video yes, but not voice

QUESTION 4
Which two values does EIGRP use to calculate the metric of a route in a converged EIGRP topology? (Choose
two)

A. redundancy
B. bandwidth
C. cost
D. delay
E. hops

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
An engineer must add a new firewall in front of the public web server infrastructure in an ACI network. Which
ACI function is used to accomplish this requirement?

A. Application Network Profile
B. Service chaining
C. Static binding
D. Layer 4-7 services

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
A consultant has been tasked with a QoS design. The customer has specified that end-to-end bandwidth must be
guaranteed for the application. Which mechanism accomplishes this?

A. DSCP markings
B. CoS markings
C. DiffServ
D. IntServ with RSVP

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 7
One-to-one ratio mapping for access switches close to servers?

A. ToR
B. EoR
C. …
D. …

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
A network engineer must use an Internet connection to provide backup connectivity between two sites. The
backup must be encrypted and support multicast. Which technology must be used?

A. DMVPN
B. GRE over IPSec
C. IPSec direct encapsulation
D. GETVPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which VPN technology provides both hub-and-spoke and spoke-to-spoke connectivity?

A. DMVPN
B. IPSec VPN
C. VPN Router
D. VPN Hub

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
A network consultant is designing an Internet Edge solution and is providing the details around the flow
supporting a local Internet Proxy. How is on-premises web filtering supported?

A. A Cisco ASA redirects HTTP and HTTPS traffic to the WSA using WCCP
B. A Cisco ASA uses an IPS module to inspect HTTP and HTTPS traffic
C. A Cisco ASA redirects HTTP and HTTPS traffic to CWS with a Web Security Connector
D. A Cisco ASA connects to the web Security Appliance via TLS to monitor HTTP and HTTPS traffic

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
What is the preferred protocol for a router that is running an IPv4 and IPv6 dual stack configuration?

A. IPX
B. Microsoft NetBIOS
C. IPv6
D. IPv4

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Two companies want to merge their OSPF networks, but they run different OSPF domains. Which option must be
created to accomplish this requirement?

A. OSPF virtual link to bridge the backbone areas of the two companies together
B. Route summarization
C. Static OSPF
D. Redistribute routes between domains

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
From my CCIE colleague:
To join two companies probably best to statically route between ASBRs – if the companies are to merge as one
then you would merge area 0 using virtual link.

QUESTION 13
An engineer is designing a multi-cluster BGP network; each cluster has two Route Reflectors and four Route
Reflector clients. Which two options must be considered? (Choose two)

A. Clients from all clusters should peer with all Route Reflectors
B. All Route Reflectors should be non-client peers in a partially meshed topology
C. All Route Reflectors must be non-client peers in a fully meshed topology
D. Clients must not peer with iBGP speakers outside the client's cluster
E. Clients should peer with at least one other client outside its cluster

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
A network Engineer is designing a hierarchical design and needs to optimize WAN design. On what group of
devices can a network engineer summarise routes to remote WAN sites?

A. Core
B. Distribution
C. Data Center Distribution WAN Edge
D. WAN Edge
E. Campus access distribution layer

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Comments:
Summarize at Service Distribution. It is important to force summarization at the distribution towards WAN Edge
and towards campus & data centre

QUESTION 15
Which two design concerns must be addressed when designing a multicast implementation? (Choose two)

A. only the low-order 23 bits of the MAC address are used to map IP addresses
B. only the low-order 24 bits of the MAC address are used to map IP addresses
C. only the high-order 23 bits of the MAC address are used to map IP addresses
D. only the low-order 23 bits of the IP address are used to map MAC addresses
E. the 0x01004f MAC address prefix is used for mapping IP addresses to MAC addresses
F. the 0x01005e MAC address prefix is used for mapping IP addresses to MAC addresses

Correct Answer: DF
Section: (none)
Explanation

Explanation/Reference:
Comments:
Ethernet & FDDI Multicast Addresses
- The low order bit (0x01) in the first octet indicates that this packet is a Layer 2 multicast packet. Furthermore,
the “0x01005e” prefix has been reserved for use in mapping L3 IP multicast addresses into L2 MAC addresses.
- When mapping L3 to L2 addresses, the low order 23 bits of the L3 IP multicast address are mapped into the
low order 23 bits of the IEEE MAC address. Notice that this results in 5 bits of information being lost.
https://www.cisco.com/networkers/nw00/pres/3200/3200_c1_Mod2_rev1.pdf
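
Worked example, added here and not part of the original dump or of the Cisco presentation quoted above: it implements the 23-bit mapping under the 01:00:5e prefix and makes the 5 lost bits visible as a 32:1 group-to-MAC overlap. The group addresses used are well-known ones (OSPF 224.0.0.5, SSDP 239.255.255.250); the flooding remark about 224.0.0.0/24 is standard switch behaviour, not something the slide states.

```python
"""IPv4 multicast group to Ethernet MAC mapping.

Added example, not from the exam dump: it implements the 23-bit mapping under the
01:00:5e prefix described above and shows the resulting 32:1 address overlap."""
import ipaddress
from typing import List

MCAST_MAC_PREFIX = 0x01005E   # IANA OUI 00:00:5e with the I/G (multicast) bit set
LOW23_MASK = 0x7FFFFF         # the 23 address bits that survive the mapping


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Layer 2 destination MAC (lower-case, colon form)."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = (MCAST_MAC_PREFIX << 24) | (int(g) & LOW23_MASK)   # bit 23 of the MAC stays 0
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def aliased_groups(group: str) -> List[str]:
    """All 32 groups that share this group's MAC.

    The mapping discards address bits 23..27: the low four bits of the first octet
    (224..239) and the top bit of the second octet (x.0.y.z versus x.128.y.z)."""
    dropped = 0x1F << 23
    base = int(ipaddress.IPv4Address(group)) & ~dropped
    return [str(ipaddress.IPv4Address(base | (i << 23))) for i in range(32)]


def shares_link_local_mac(group: str) -> bool:
    """True if the group's MAC collides with a 224.0.0.0/24 link-local group.

    Switches flood frames for 224.0.0.0/24 (and therefore for every group mapping to
    the same MAC), which is why x.0.0.y and x.128.0.y groups are avoided for
    application traffic."""
    link_local = ipaddress.ip_network("224.0.0.0/24")
    return any(ipaddress.IPv4Address(g) in link_local for g in aliased_groups(group))


if __name__ == "__main__":
    for g in ("224.0.0.5", "239.255.255.250", "239.128.0.5"):
        print(g, "->", multicast_mac(g), "| collides with link-local:", shares_link_local_mac(g))
    print("groups sharing 01:00:5e:00:00:05:", aliased_groups("224.0.0.5"))
```

A design consequence worth checking: any host or NIC that filters on the MAC alone cannot tell 239.128.0.5 from the OSPF group 224.0.0.5, so group selection has to be enforced at the IP layer, and the overlapping ranges should simply not be allocated.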

QUESTION 16
Which of the following is a result when designing multiple EIGRP autonomous systems within the Enterprise
Campus network?

A. Improves scalability by dividing the network using summary routes at AS boundaries
B. Decreases complexity since EIGRP redistribution is automatically handled in the background
C. Reduces the volume of EIGRP queries by limiting them to one EIGRP AS
D. Scaling is improved when a unique AS is run at the Access, Distribution, and Core layers of the network

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Comments:
Chapter 2 of CiscoPress CCDP fourth edition clearly says (there is even a test at the end of the chapter) that
introducing additional ASes won’t reduce the volume of EIGRP queries as these will be forwarded across the
ASes.

QUESTION 17
What two sensor types exist in an IDS/IPS solution? (Choose two)

A. host
B. anomaly based
C. policy based
D. network based
E. signature

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
@Malkil

Book 1 Security(210-260)

What Sensors Do
A sensor is a device that looks at traffic on the network and then makes a decision based on a set of rules to
indicate whether that traffic is okay or whether it is malicious in some way.
Because these are systems acting based on configured rules, no single system is ever 100 percent perfect.
However, the objective is the same: to reduce the risk of malicious traffic,
even though it cannot be completely eliminated. Identifying Malicious Traffic on the Network Sensors can
identify malicious traffic in many different ways. This section examines some of
the techniques used by IPS and IDS sensors. When the sensor is analyzing traffic, it looks for malicious traffic
based on the rules that are currently in place on that sensor. There are several different methods that sensors
can be configured to use to identify malicious traffic, including the following:
■ Signature-based IPS/IDS
■ Policy-based IPS/IDS
■ Anomaly-based IPS/IDS
■ Reputation-based IPS/IDS

WEB CISCO
Types of IDS and IPS Systems
Table 6-4 summarizes the advantages and limitations of the various types of IDS and IPS sensors available.
Table 6-4. Types of IDS and IPS Sensors
■ Signature-based
■ Policy-based
■ Anomaly-based
■ Honeypot-based

http://www.ciscopress.com/articles/article.asp?p=1336425

BOOK 2 Security(640-533)

Also notice the use of a Network-based Intrusion Detection System (NIDS), a Network Intrusion Prevention
System (NIPS), and a Host-based Intrusion Prevention System (HIPS). All three of these mitigation strategies
look for malicious traffic and can alert or drop such traffic. However, these strategies are deployed at different
locations in the network to protect different areas of the network. This overlapping yet diversified protection is
an example of the Defense in Depth design philosophy.

Network-Based Versus Host-Based IPS

As previously mentioned, IPS solutions can be either network-based or host-based. Often network-based and
host-based solutions can be used together to protect against a wider range of potential attacks.

IDS and IPS Device Categories

IDS and IPS devices can be categorized based on how they detect malicious traffic. Alternatively, IPS devices
can be categorized based on whether they run on a network device or on a host.

Detection Methods
Consider the following approaches for detecting malicious traffic:
■ Signature-based detection
■ Policy-based detection
■ Anomaly-based detection
■ Honey pot detection

QUESTION 18
Which of these is true of IP addressing with regard to VPN termination?

A. IGP routing protocols will update their routing tables over an IPsec VPN
B. Termination devices need routable addresses inside the VPN
C. Addressing design need to allow for summarization
D. Designs should not include overlapping address spaces between sites, since NAT is not supported

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Comments:
Best design practices say the VPN design should allow for summarization. With regard to D, sometimes you
cannot avoid overlapping addresses, as this is what is configured at the client's end, and the only option is to hide
the overlapping subnet behind NAT, based on experience (the author of this remark has 50x VPN tunnels and
the majority of them are using NAT; even if the subnets don't overlap, we want to hide our real IPs behind
something else for extra security).

QUESTION 19
A network design team is experiencing sustained congestion on access and distribution uplinks. QoS has
already been implemented and optimized, and it is no longer effective in ensuring optimal network performance.
Which two actions can improve network performance? (Choose two)

A. Reconfigure QoS based on the IntServ model
B. Configure selective packet discard to drop noncritical network traffic
C. Implement higher-speed uplink interfaces
D. Bundle additional uplinks into logical Ether-Channels
E. Utilize random early detection to manage queues

Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:

QUESTION 20
Which technology is an example of the need for a designer to clearly define features and desired performance
when designing advanced WAN services with a service provider?

A. FHRP to remote branches
B. Layer 3 MPLS VPNs secure routing
C. Control protocols (for example Spanning Tree Protocol) for a Layer 3 MPLS service
D. Intrusion prevention, QoS, and stateful firewall support network wide

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Malkil
VPN is:
.An IP-based network delivering private network services over a public infrastructure.
.A set of sites that are allowed to communicate with each other privately over the Internet or other public or
private networks.

The most common implementation of a Layer 3 VPN is MPLS VPN. MPLS is a technology that is used to
forward packets over the core network, by doing forwarding decisions that are based on labels. That is
sometimes referred to as label switching.
Layer 3 MPLS VPN is the technology that is used to connect multiple customer sites.
MPLS-based VPNs are created in Layer 3 and are based on the peer model.

LAYER 3 SERVICE
Layer 3 MPLS VPNs forward only IP packets. The CE routers become peers of MPLS VPN provider routers. In
this case, routing may well be a cooperative venture. Stability of the provider routing, their experience with
routing, and speed of provider routing convergence are all valid customer considerations. Layer 3 VPNs can
support any access or backbone technology. Service providers can use Layer 3 VPNs as a foundation to
provide advanced WAN services.

QUESTION 21
Which option is correct when using Virtual Switching System?

A. Both control planes forward traffic simultaneously
B. Only the active switch forwards traffic
C. Both data planes forward traffic simultaneously
D. Only the active switch handles the control plane

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Comments:
Definitely C – again Chapter 1 of CiscoPress CCDP fourth edition Distribution-to Distribution Interconnect with
the Virtual Switch Model
The virtual switch system operates differently at different planes. From a control plane point of view, the VSS
peers (switches) operate in active standby redundancy mode. The switch in active redundancy mode will
maintain the single configuration file for the VSS and sync it to the standby switch, and only the console
interface on the active switch is accessible
VSS1440 (in the book): A VSS1440 refers to the VSS formed by two Cisco Catalyst 6500 Series Switches with
the Virtual Switching Supervisor 720-10GE. In a VSS, the data plane and switch fabric with capacity of 720 Gbps of
supervisor engine in each chassis are active at the same time on both chassis, combining for an active 1400-
Gbps switching capacity per VSS. Only one of the virtual switch members has the active control plane. Both
chassis are kept in sync with the inter-chassis Stateful Switchover (SSO) mechanism along with Nonstop
Forwarding (NSF) to provide nonstop communication even in the event of failure of one of the member
supervisor engines or chassis.
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html
In my opinion C & D are correct.

QUESTION 22
Which routing protocol provides unequal-cost load balancing over paths with different metrics?

A. OSPF
B. EIGRP
C. ISIS
D. BGP
E. RIP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23

Refer to the exhibit. An engineer must provide a redesign for the distribution and access layers of the network.
Which correction allows for a more efficient design?

A. Change the link between Distribution Switch A and Distribution Switch B to be a routed link.
B. Reconfigure the Distribution Switch A to become the HSRP Active.
C. Create an EtherChannel link between Distribution Switch A and Distribution Switch B.
D. Add a link between Access Switch A and Access Switch B.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
Which option is the Cisco recommendation for data oversubscription for access ports on the access-to-distribution uplink?

A. 4 to 1
B. 20 to 1
C. 16 to 1
D. 10 to 1

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
An engineer is designing a layer 3-enabled access layer. Which design recommendation must the engineer
consider when deploying EIGRP routing within the access layer?

A. Implement floating static routes on access switches for redundant links
B. Configure all edge access layer switches to use a stub routing feature
C. Enable multiple uplinks from each access switch stack to the distribution switches
D. Use the First Hop Redundancy Protocol on access layer switches

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
What are the two methods of ensuring that the RPF check passes? (Choose two)

A. implementing static mroutes
B. implementing OSPF routing protocol
C. implementing MBGP
D. disabling the interface of the router back to the multicast source
E. disabling BGP routing protocol

Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Comments:
The router determines the RPF interface by the underlying unicast routing protocol or the dedicated multicast
routing protocol in cases where one exists. An example of a dedicated multicast routing protocol is MP-BGP. It
is important to note that the multicast routing protocol relies on the underlying unicast routing table. Any change
in the unicast routing table immediately triggers an RPF recheck on most modern routers.
Having OSPF routing protocol in place won’t really ensure that the RPF check passes.
Let’s say we have implemented OSPF routing protocol within the topology below (have a look at the URL
below), “R3” knows the best path to 1.1.1.0/24 is via interface F0/0 but “R3” receives multicast packet from
source server (1.1.1.1/24) on interface S0/0. The RPF will fail. We can get this fixed by implementing static
mroutes (static multicast-routes) to force multicast traffic to go back via interface S0/0 (ip mroute 0.0.0.0 0.0.0.0
s0/0)
Having a unicast routing protocol (OSPF, EIGRP, BGP, RIP, IGRP, IS-IS etc.) won't necessarily mean the RPF
will succeed, but having a multicast routing protocol (Multipoint BGP) or dedicated multicast static routes
(mroutes) will. The only doubt which I still have is that if the multicast
routing protocol relies on the underlying unicast routing table (OSPF), how does it ensure that the RPF check
passes.
https://supportforums.cisco.com/t5/network-infrastructure-documents/multicast-rpf-recovery-using-static-
multicast-routing/ta-p/3139007
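
Worked example, added here and not part of the original dump or of the linked Cisco document: a minimal model of the RPF decision that the comment above walks through. The prefixes and interface names are taken from the comment's scenario; the precedence rule (a matching static mroute is consulted before the unicast RIB, which is how a default-distance `ip mroute` behaves on IOS) and the extra 10.0.0.0/8 route are assumptions for the illustration.

```python
"""Reverse Path Forwarding check against a unicast RIB and static mroutes.

Added example, not from the exam dump. Prefixes, interface names and the
"static mroute beats the unicast RIB" rule are assumptions for the illustration."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, interface towards that prefix)


def longest_match(table: List[Route], addr: str) -> Optional[str]:
    """Interface of the most specific prefix covering `addr`, or None if nothing matches."""
    ip = ipaddress.IPv4Address(addr)
    best_len, best_iface = -1, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def rpf_interface(unicast_rib: List[Route], mroutes: List[Route], source: str) -> Optional[str]:
    """Interface the router expects multicast from `source` to arrive on.

    A static mroute covering the source wins; otherwise the unicast RIB decides,
    which is why running OSPF alone does not guarantee the check passes."""
    return longest_match(mroutes, source) or longest_match(unicast_rib, source)


def rpf_check(unicast_rib: List[Route], mroutes: List[Route], source: str, arrival_iface: str) -> bool:
    """True if a packet from `source` arriving on `arrival_iface` passes RPF and may be forwarded."""
    return rpf_interface(unicast_rib, mroutes, source) == arrival_iface


# Constructed topology from the comment above: R3 reaches 1.1.1.0/24 (the source's
# subnet) via F0/0 according to OSPF, but the multicast stream arrives on S0/0.
R3_UNICAST_RIB = [("1.1.1.0/24", "F0/0"), ("10.0.0.0/8", "S0/0"), ("0.0.0.0/0", "S0/0")]
R3_MROUTE_DEFAULT = [("0.0.0.0/0", "S0/0")]   # equivalent of: ip mroute 0.0.0.0 0.0.0.0 S0/0
R3_MROUTE_SPECIFIC = [("1.1.1.0/24", "S0/0")]  # equivalent of: ip mroute 1.1.1.0 255.255.255.0 S0/0


if __name__ == "__main__":
    for label, mroutes in (("OSPF only", []), ("default mroute", R3_MROUTE_DEFAULT),
                           ("specific mroute", R3_MROUTE_SPECIFIC)):
        print(f"{label:16} source 1.1.1.1 on S0/0 ->",
              "pass" if rpf_check(R3_UNICAST_RIB, mroutes, "1.1.1.1", "S0/0") else "FAIL")
```

The default mroute from the comment does fix the scenario, but it also tells the router to accept every multicast source on S0/0, which removes the anti-spoofing value of the RPF check for all other sources; the specific mroute repairs only the path that is actually asymmetric.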

QUESTION 27
A client requires the separation of management and control layers within an organization. Which technology can
be used to achieve this requirement while minimizing physical devices?

A. Virtual Device Context
B. VRF
C. Virtual Switching System
D. Virtual Local Area Networks
E. MEC

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
An engineer is designing a multitenant network that requires separate management access and must share a
single physical firewall. Which two features support this design? (Choose two)

A. Site-to-Site VPN
B. dynamic routing protocols
C. multicast routing
D. threat detection
E. quality of service
F. unified communications

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
@Red-dot

Reference: This one is a little bit trickier; separate management access means the multi-context mode.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/hacontexts.pdf
Page 14 of Guidelines for Multiple Context Mode lists unsupported features;
after you cross the unsupported features out, you are left with what works on a multi-context mode firewall.

QUESTION 29
Which technology should a network designer combine with VSS to ensure a loop free topology with optimal
convergence time?

A. PortFast
B. UplinkFast
C. RPVST+
D. Multichassis EtherChannel

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Comments:
"C" definitely not as STP is disabled when VSS is configured at the distribution layer.
MEC comes with Cisco Catalyst (VSS) like vPC comes with Cisco NX-OS.

QUESTION 30
While designing a wide area network, the network team wants to avoid undesired transit traffic through remote
branch sites with multiple WAN connections. Which option can be used to manage traffic flows in the remote
network?

A. route weighting
B. route tagging
C. route filtering
D. route prioritising

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Which three statements are true regarding 802.1X? (Choose three)

A. Authenticates the user itself
B. Authenticates the device itself
C. If the device does not support it, access is allowed automatically
D. Cisco proprietary
E. Industry standard

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
What is one function of key server in Cisco GETVPN deployment?

A. sending the RSA certificate
B. providing pre-shared keys
C. maintaining security policies
D. providing the group ID

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Comments:
Key server is responsible for maintaining security policies, authenticating the GMs and providing the session
key for encrypting traffic. KS authenticates the individual GMs at the time of registration. Only after successful
registration the GMs can participate in group SA.
https://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

QUESTION 33
What is the primary benefit of deploying MPLS over the WAN as opposed to extending VRF-lite across the
WAN?

A. Convergence time
B. Low operating expense (OpEx)
C. Low latency
D. Dynamic fault-tolerance

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
An engineer has implemented a QoS architecture that requires a signalling protocol to tell routers which flows
of packets require special treatment. Which two mechanisms are important to establishing and maintaining this
QoS architecture? (Choose two)

A. Classification
B. Tagging
C. Packet Scheduling
D. Admission Control
E. Resource Reservation

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
An engineer wants to have a resilient access layer in the Data Center so that access layer switches have
separate physical connections to a pair of redundant distribution switches. Which technology achieves this
goal?

A. PAgP
B. LACP
C. VSL
D. EVPC
E. VSS
F. ECMP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
@crossbar
Enhanced vPC is a form of Multichassis EtherChannel, and VSS by itself, without MEC, doesn’t provide
resiliency.
ECMP could also be a correct answer, assuming an L3 access layer design. But the question specifies “in the
Data Centre” and most DC access layer designs are L2.
Furthermore, (E)vPC is a tech exclusive to Nexus, which is marketed by Cisco as DC switches.

QUESTION 36
What is an advantage of using the vPC feature in a data center environment?

A. Two switches form a single control plane
B. Utilizes all available uplink bandwidth
C. FHRP is not required
D. A single IP is used for management for both devices

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Cisco FabricPath brings the benefits of routing protocols to Layer 2 network Ethernet environments. What are
two advantages of using Cisco FabricPath technology? (Choose two)

A. Cisco FabricPath relies on OSPF to support Layer 2 forwarding between switches, which allows load
balancing between redundant paths.
B. Cisco FabricPath provides MAC address scalability with conversational learning.
C. Loop mitigation is provided by the TTL field in the frame.
D. Cisco FabricPath is IETF-standard and is not used with Cisco products.
E. Cisco FabricPath technology is supported in all Cisco platforms and can replace legacy Ethernet in all
campus networks.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
A client request includes a network design that ensures all connections between the access layer and
distribution layer are active and forwarding traffic at all times. Which design approach achieves this request?

A. Enable backbone fast on the two distribution switches and create a port channel between each access layer
switch and both distribution switches
B. Configure HSRP for all VLANs and adjust the hello timer for faster convergence
C. Configure Rapid PVST+ and adjust the timers for fast convergence
D. Create a VSS between the two distribution switches and also create a MEC between the VSS and each
access layer switch.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
What is the most important consideration when selecting a VPN termination device?

A. CPU cycles per second
B. VPN sessions per interface
C. Packets per second
D. Bits per second

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
Which option is a design recommendation for route summarizations?

A. Filtered redistribution for the prevention of re-advertising of routes
B. Routing protocol stub areas
C. Route summarization for scalable routing and addressing design
D. Defensive route filtering to defend against inappropriate routing traffic
E. Route summarization to support greater volumes of transit traffic

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
@Malkil

QUESTION 41
A company is multihomed to different service providers running BGP. Which action ensures that the company
AS does not become a transit AS?

A. Create a distribute list that filters all routes except the default route and applies to both BGP neighbor
interfaces in the inbound direction
B. Create a distribute list that filters all routes except the default route and applies to a single BGP neighbor in
the outbound direction
C. Create prefix list that matches the company prefixes and applies to both BGP neighbor interfaces in the
outbound direction.
D. Create a route map that matches the provider BGP communities and networks and applies to both transit
neighbor interfaces in the outbound direction.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
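
Worked example, added here and not part of the original dump: a small simulation of what each outbound policy in the question lets through to the two providers. The ASNs (private range), prefixes (RFC 5737 documentation space), peer names and the rule that a route is never sent back to the peer it came from are constructed for the illustration.

```python
"""Keeping a multihomed AS from becoming a transit AS: outbound BGP policy simulation.

Added example, not from the exam dump. ASNs, prefixes and peer names are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

OWN_PREFIXES = {"203.0.113.0/24"}   # the company's own address space


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    as_path: Tuple[int, ...]   # empty for routes this AS originates itself
    learned_from: str          # "local", "ISP-A" or "ISP-B"


# Constructed BGP table: our own prefix plus one route learned from each provider.
LOC_RIB = [
    BgpRoute("203.0.113.0/24", (), "local"),
    BgpRoute("198.51.100.0/24", (64496,), "ISP-A"),
    BgpRoute("192.0.2.0/24", (64497,), "ISP-B"),
]

Policy = Callable[[BgpRoute], bool]


def no_filter(route: BgpRoute) -> bool:
    """Default behaviour: everything in the table is eligible for advertisement."""
    return True


def own_prefix_list(route: BgpRoute) -> bool:
    """Option C: a prefix list matching only the company's prefixes, applied outbound."""
    return route.prefix in OWN_PREFIXES


def locally_originated(route: BgpRoute) -> bool:
    """Equivalent AS-path filter (IOS: ip as-path access-list N permit ^$)."""
    return route.as_path == ()


def adj_rib_out(rib: List[BgpRoute], peer: str, policy: Policy) -> List[str]:
    """Prefixes advertised to `peer`: routes learned from that peer are skipped,
    everything else passes through the outbound policy."""
    return [r.prefix for r in rib if r.learned_from != peer and policy(r)]


def leaked_prefixes(rib: List[BgpRoute], peer: str, policy: Policy) -> List[str]:
    """Prefixes we would advertise to `peer` that are not ours; each one makes us transit."""
    return [p for p in adj_rib_out(rib, peer, policy) if p not in OWN_PREFIXES]


if __name__ == "__main__":
    for policy in (no_filter, own_prefix_list, locally_originated):
        for peer in ("ISP-A", "ISP-B"):
            print(f"{policy.__name__:18} -> {peer}: advertise {adj_rib_out(LOC_RIB, peer, policy)}",
                  f"leaked {leaked_prefixes(LOC_RIB, peer, policy)}")
```

The simulation makes the answer choice concrete: the leak is in the outbound direction, so an inbound filter (A) changes nothing, and a filter on only one neighbour (B) still leaks toward the other; the prefix list has to be applied outbound to both peers, and an `^$` AS-path filter is the usual alternative that stays correct when new prefixes are added.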

QUESTION 42
A network engineer wants to limit the EIGRP query scope to avoid high CPU and memory utilization on low-end
routers as well as limiting the possibility of a stuck-in-active routing event between HQ and branch offices.
Which approach achieves these goals?

A. Configure different Autonomous System number per each branch office and HQ and redistribute routes
between autonomous systems.
B. Configure all routers at branch offices as EIGRP stub and allow only directly connected networks at branch
offices to be advertised to HQ
C. Configure all routers at branch offices as EIGRP stub
D. Configure all routers at HQ and branch offices as EIGRP stub

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
Which two protocols support simple plaintext and MD5 authentication? (Choose two)

A. RIP
B. IPv6
C. EIGRP
D. BGP
E. OSPF

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Comments:
Simple password authentication (also called plain text authentication) - supported by Intermediate System to
Intermediate System (IS-IS), Open Shortest Path First (OSPF) and Routing Information Protocol version 2
(RIPv2)
MD5 authentication - supported by OSPF, RIPv2, BGP, and EIGRP

QUESTION 44
A network engineer must create a backup network connection between two corporate sites over the Internet
using the existing ASA firewalls. Which VPN technology best satisfies this corporate need?

A. VPLS
B. DMVPN
C. GETVPN
D. IPSec
E. MPLS
F. OTV

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
A large-scale IP SLA deployment is causing memory and CPU shortages on the router in an enterprise
network. Which solution can be implemented to mitigate these issues?

A. An offline router for disaster recovery
B. CPE device that is managed by the network provider
C. A shadow router
D. A standby router for failover operation

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Comments:
https://www.cisco.com/en/US/technologies/tk869/tk769/technologies_white_paper0900aecd806bfb52.html

QUESTION 46
Which two options describe how Taboo contracts differ from regular contracts in Cisco ACI? (Choose two)

A. Taboo contract entries are looked up with higher priority than entries in regular contracts
B. Taboo contract entries are looked up with lower priority than entries in regular contracts.
C. They are not associated with one EPG
D. They are associated with one EPG
E. Taboo contract entries are looked up based on administrator configured priority
F. They are associated with pair of EPGs

Correct Answer: AF
Section: (none)
Explanation

Explanation/Reference:
Comments:
There may be times when the ACI administrator might need to deny traffic that is allowed by another contract.
Taboos are a special type of contract that an ACI administrator can use to deny specific traffic that would
otherwise be allowed by another contract. Taboos can be used to drop traffic matching a pattern (any EPG, a
specific EPG, matching a filter, and so forth). Taboo rules are applied in the hardware before the rules of
regular contracts are applied. Taboo contracts are not recommended as part of the ACI best practices but they
can be used to transition from traditional networking to ACI. To imitate the traditional networking concepts, an
"allow-all-traffic" contract can be applied, with taboo contracts configured to restrict certain types of traffic."
EPG – End-Point Groups

QUESTION 47
A network manager wants all remote sites to be designed to communicate dynamically with each other using
DMVPN technology without requiring much configuration on the spoke routers. Which protocol is used by
DMVPN to achieve this goal?

A. GRE
B. NHRP
C. SSH
D. ARP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
An organization is creating a detailed QoS plan that limits bandwidth to specific rates. Which three parameters
can be configured when attempting to police traffic within the network? (Choose three)

A. Conforming
B. Violating
C. Bursting
D. Peak information rate
E. Committed information rate
F. Exceeding
G. Shaping rate

Correct Answer: ABF
Section: (none)
Explanation

Explanation/Reference:
@Red-Dot @LetsCCDP
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpoli.html#wp1006389

QUESTION 49
An engineer must design a Cisco VSS-based configuration within a customer campus network. The two VSS
switches are provisioned for the campus distribution layer… Which option is the primary reason to avoid
plugging both VSL links into the supervisor ports?

A. The implementation creates a loop
B. The design lacks optimal hardware diversity
C. Limited bandwidth is available for VSS convergence
D. QoS is required on the VSL links

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Comments:
The best-practice recommendation for VSL link resiliency is to bundle two 10-Gbps ports from different
sources. Doing this might require having one port on the supervisor and the other on a 6708 line card.
When configuring the VSL, note the following guidelines and restrictions:
For line redundancy, we recommend configuring at least two ports per switch for the VSL. For
module redundancy, the two ports can be on different switching modules in each chassis.

QUESTION 50
An engineer is configuring QoS to meet the following requirement:
- all traffic that exceeds the allocated bandwidth must still traverse the infrastructure, but is forwarded later
Which mechanism is required?

A. Per-Hop behaviours
B. Weighted Fair Queuing
C. IP Precedence
D. Shaping

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
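
Added example (not part of the original dump and not Cisco's own configuration) showing the policing parameters of
QUESTION 48 and the shaping behaviour of QUESTION 50 side by side in Cisco IOS MQC syntax. The interface name,
the rates, burst sizes and the re-marking DSCP are assumed for illustration:

```cisco
! --- Policing (QUESTION 48): two-rate, three-colour policer ---
! Traffic up to the CIR conforms, traffic between CIR and PIR exceeds,
! traffic above the PIR violates. Each colour gets its own action, and the
! action is taken immediately: excess traffic is re-marked or dropped,
! never delayed.
policy-map POLICE-INBOUND
 class class-default
  police cir 10000000 bc 312500 pir 20000000 be 312500
   conform-action transmit
   exceed-action set-dscp-transmit af13
   violate-action drop
!
! --- Shaping (QUESTION 50): token bucket in front of a queue ---
! Traffic above 10 Mbit/s is buffered and released at the shaped rate, so
! it still traverses the network, just later. Shaping adds delay rather
! than loss, until the shaping queue itself fills up.
policy-map SHAPE-WAN
 class class-default
  shape average 10000000
!
interface GigabitEthernet0/1
 description Provider-facing link (assumed)
 service-policy input POLICE-INBOUND
 service-policy output SHAPE-WAN
!
! Checks: the conform/exceed/violate counters show which bucket is absorbing
! the traffic; the shaper shows queued packets and queue drops.
! show policy-map interface GigabitEthernet0/1 input
! show policy-map interface GigabitEthernet0/1 output
```

On IOS, policing can be applied in either direction but shaping only on output, which is one more reason the
"forwarded later" requirement maps to a shaper on the egress interface rather than a policer.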

QUESTION 51
An engineer is designing a network using RSTP. Several devices on the network support only legacy STP.
Which outcome occurs?

A. RSTP and STP choose the protocol with the best performance.
B. RSTP and STP interoperate and fast convergence is achieved.
C. RSTP and STP are not compatible and legacy ports error disable.
D. RSTP and STP interoperate but the fast convergence is not used.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
What is the outcome when RPF check passes successfully?

A. The packet is dropped because it arrived on the interface that is used to forward packets back to the source.
B. The packet is dropped because it arrived on the interface that is used to forward packets toward the destination.
C. The packet is forwarded because it arrived on the interface that is used to forward packets toward the destination.
D. The packet is forwarded because it arrived on the interface that is used to forward packets back to the source.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Comments:
Routers perform a reverse path forwarding (RPF) check to ensure that arriving multicast packets were received
through the interface that is on the most direct path to the source that sent the packets. An RPF check is
always performed regarding the incoming interface, which is considered to be the RPF interface. The RPF
check will succeed if the incoming interface is the shortest path to the source. The router
determines the RPF interface by the underlying unicast routing protocol or the dedicated multicast routing
protocol in cases where one exists. An example of a dedicated multicast routing protocol is MP-BGP. It is
important to note that the multicast routing protocol relies on the underlying unicast routing table. Any change in
the unicast routing table immediately triggers an RPF recheck on most modern routers.

QUESTION 53
A PIM sparse-mode deployment is overloading the access layer with multicast traffic. Which feature can reduce
the multicast traffic in the access layer?

A. IGMP snooping
B. Filter at Boundaries
C. PIM Dense-Mode
D. MSDP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Comments:
I think solution for this one was to move STP root

QUESTION 54

Refer to the exhibit. A customer wants to use HSRP as a First Hop Redundancy Protocol. Both routers are
currently running and all interfaces are active. Which factor determines which router becomes the active HSRP
device?

A. the router with the highest MAC address for the respective group
B. the router with the highest interface bandwidth for the respective group
C. the router that boots up last
D. the router with the highest IP address for the respective group

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
An engineer is considering uplink bandwidth over-subscription in a Layer 3 network design. Which option is the
Cisco recommended over-subscription ratio for uplinks between the distribution and core layers?

A. 3 to 1
B. 4 to 1
C. 6 to 1
D. 8 to 1

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Comments:
The passage below is Cisco's description of oversubscription in a SAN (director-class fabric). The campus figures
the question is after are the Cisco campus design guidance of 20:1 for access-to-distribution uplinks and 4:1 for
distribution-to-core uplinks.
Network oversubscription refers to a point of bandwidth consolidation where the ingress bandwidth is greater
than the egress bandwidth. For example, at an ISL uplink from an edge layer switch to a core, the
oversubscription of the ISL is typically on the order of 7:1 or greater. In a single director fabric, the fan-out ratio
of server to storage subsystem ports is directly related to the network oversubscription and is typically on the
order of 10:1 or higher. Network oversubscription is normal and unavoidable; it is a direct by-product of the
primary purpose for deploying a SAN. An important characteristic of the network related to oversubscription is
its ability to fairly allocate its bandwidth resources among all clients of the SAN.

QUESTION 56
A network consultant is designing an enterprise network that includes an IPsec headend termination device.
Which two capabilities are the most important to consider when assessing the headend device's scalability?
(Choose two)

A. Packets per second processing capability
B. Bandwidth capabilities
C. Number of tunnels that can be aggregated
D. CPU capabilities
E. Memory capabilities

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Reference from Cisco: in the scalability considerations the order is packets per second, tunnel quantity, GRE
encapsulation, and only then routing protocols affecting the CPU. The question sounds like it is asking about
enterprise IPsec such as AnyConnect remote access, where no routing protocol runs over the VPN on the headend.
The IPsec VPN WAN Design Guide says: Number of Tunnels May Be a Factor
Each time a crypto engine encrypts or decrypts a packet, it performs mathematical computations on the IP
packet payload using the unique crypto key for the trustpoint, agreed upon by the sender and receiver. If more
than one IPsec tunnel is terminated on a router, the router has multiple trustpoints and therefore multiple crypto
keys. When packets are to be sent or received on a different tunnel than the last packet sent or received, the
crypto engine must swap keys to use the right key matched with the trustpoint. This key swapping can degrade
the performance of a crypto engine, depending on its architecture, and increase the router CPU utilization.

QUESTION 57
When two distribution switches are configured for VSS, what needs to be done to extend backplane connectivity?

A. PAgP
B. IVR
C. ISL
D. VSL

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58

Refer to the exhibit. A customer discovers router R1 remains active even when the R1 uplink (F0/1) is down.
Which two commands can be applied to R1 to allow R2 to take over as the HSRP active? (Choose two)

A. track 50 ip route 10.10.10.0/24 reachability
B. track 50 interface Fa0/1 ip routing
C. standby 10 track 50 decrement 20
D. standby 10 track 50 shutdown
E. standby 10 track 50

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
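
Added example (not part of the original dump and not Cisco's own configuration) of the HSRP setup behind
QUESTION 54 and QUESTION 58: R1 is the preferred active router and tracks its uplink so that R2 takes over when
the uplink fails. Interface names, addresses, the group number and the priorities are assumed; the tracked object
can be either the interface line protocol (shown) or the interface IP routing state used in option B:

```cisco
! ===== R1: preferred active router =====
! Election order is highest priority first, then highest interface IP
! address (QUESTION 54); with equal priorities the IP address decides.
track 50 interface FastEthernet0/1 line-protocol
!
interface FastEthernet0/0
 ip address 10.10.20.2 255.255.255.0
 standby 10 ip 10.10.20.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 50 decrement 20
! Without the track line R1 stays active when Fa0/1 is down (the symptom in
! QUESTION 58). The decrement must be large enough to drop R1 below R2:
! 110 - 20 = 90 < 100. The default decrement of 10 would leave R1 at 100,
! tied with R2, and R1 would stay active.
!
! ===== R2: standby router =====
! Preempt is mandatory on R2: a higher priority alone never displaces a
! router that is already active.
interface FastEthernet0/0
 ip address 10.10.20.3 255.255.255.0
 standby 10 ip 10.10.20.1
 standby 10 priority 100
 standby 10 preempt
!
! Checks on R1 with Fa0/1 shut down:
! show track 50                  -> "Line protocol is Down", tracked by HSRP
! show standby FastEthernet0/0   -> State is Standby, Priority 90 (configured 110)
```

The failure mode to watch for is the reverse one: if R2 is also decremented (for example both routers track the
same upstream route) both fall by the same amount and the active router never changes.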

QUESTION 59
Which technology simplifies encryption management?

A. GETVPN
B. DMVPN
C. IPsec
D. EasyVPN
E. GRE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
When a site has Internet connectivity with two different ISP's, which two strategies are recommended to avoid
becoming a BGP transit site? (Choose two)

A. Use a single service provider
B. Filter routes outbound to the ISPs
C. Accept all inbound routes from the ISPs
D. Filter routes inbound from the ISPs
E. Advertise all routes to both ISPs

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
@Red-Dot

Reference: B is definitely correct, but what bugs me is the "two strategies" formulation: it sounds to me that
the two required answers would not necessarily need to be applied at the same time. If this interpretation is
correct, C doesn't help at all; it actually would be the cause of the issue (this is true for E too). If it is not, C
doesn't hurt, but doesn't help either. For the other answers:

A would definitely work, but denies the question's supposition.

D Your AS wouldn't be a transit for the filtered routes, but it doesn't make sense to filter what you WANT to learn
from the ISP. Bottom line, I think I would answer AB. But I am not certain, let me know what you think!

(The reason is simple: the question here is about not becoming a transit AS; it's not that the whole design is changed
to discard one ISP, losing all the high availability and resiliency.)

QUESTION 61
Which option lets traffic use multiple paths from the distribution layer to the core?

A. install IGP
B. ECMP
C. RSTP+
D. HSRP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
Which two statements are characteristics of 802.1X? (Choose two)

A. EAP messages are carried in Ethernet frames and do not use PPP
B. Works only on wired connections
C. It's created by IETF
D. It's created by IEEE

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
An engineer is designing an infrastructure to use a 40 Gigabit link as the primary uplink and a 10 Gigabit uplink
as the alternate path. Which routing protocol allows for unequal cost load balancing?

A. OSPF
B. RIP
C. EIGRP
D. BGP
E. IS-IS

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
Which two options regarding the Cisco TrustSec Security Group Tag are true? (Choose two)

A. It is assigned by the Cisco ISE to the user or endpoint session upon login
B. Best practice dictates it should be statically created on the switch
C. It is removed by the Cisco ISE before reaching the endpoint.
D. Best Practice dictates that deployments should include a guest group allowing access to minimal services
E. Best Practice dictates that deployments should include a security group for common services such as DNS
and DHCP

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
After an incident caused by a DDOS attack on a router, an engineer must ensure that the router is accessible
and protected from future attacks without making any changes to traffic passing through the router. Which
security function can be utilized to protect the router?

A. zone-based policy firewall
B. access control lists
C. class maps
D. control plane policing

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
Which three statements about 802.1X are true? (Choose three)

A. It is Cisco standard
B. It can allow and deny port access based on device identity
C. It works only with wired devices
D. It can allow and deny port access based on user identity
E. EAP messages are carried in Ethernet frames and do not use PPP
F. EAP messages are carried in Ethernet frames and use PPP

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
An OSPF router should have a maximum of how many adjacent neighbours?

A. 80
B. 50
C. 60
D. 100

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
Which first hop redundancy protocols ensures that loading occurs over multiple routers using a single virtual ip
address and multiple MAC address?

A. GLBP
B. IRDP
C. HSRP
D. VRRP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
GLBP is a first-hop redundancy protocol designed by Cisco that allows packet load sharing among groups of
redundant routers.
When HSRP or VRRP is used to provide default-gateway redundancy, the backup members of the peer
relationship are idle, waiting for a failure event to occur before they take over and actively forward traffic.
Methods to use backup uplinks with HSRP or VRRP are difficult to implement and manage. In one technique,
the HSRP and STP or RSTP roots alternate between distribution node peers, with the even VLANs homed on
one peer and the odd VLANs homed on the alternate. Another technique uses multiple HSRP groups on a
single interface and uses DHCP to alternate between the multiple default gateways. These techniques work but
are not optimal from a configuration, maintenance, or management perspective.

GLBP provides all the benefits of HSRP and includes load balancing, too. For HSRP, a single virtual MAC
address is given to the endpoints when the endpoints use Address Resolution Protocol (ARP) to learn the
physical MAC address of their default gateways. GLBP allows a group of routers to function as one virtual
router by sharing one virtual IP address while using multiple virtual MAC addresses for traffic forwarding.

QUESTION 69
Which routing protocol provides the fastest convergence and greatest flexibility within a campus environment?

A. OSPF
B. IS-IS
C. BGP
D. EIGRP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
What network technology provides Layer 2 high availability between the access and distribution layers?

A. HSRP
B. MEC
C. EIGRP
D. GLBP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
Which option maximizes EIGRP scalability?

A. route redistribution
B. route redundancy
C. route filtering
D. route summarization

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
Which two options are advantages of having a modular design instead of an EOR design in a data center?
(Choose two)

A. cooling constraints
B. cable bulk
C. decreased STP processing
D. redundancy options
E. cost minimization
F. low-skilled manager

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
@Red-hot

There are some disadvantages with EOR designs:
· Cable bulk: More cabling needs to be routed and managed.
· Cooling constraints: The cable bulk at the cabinet floor entry can be difficult to manage and can block cool
airflow.

NOTE for your learnings: There are several advantages with EOR designs:
· Decreased management complexity: There are fewer devices to manage, which makes this task less complex.
· Decreased STP processing: With fewer devices in the Layer 2 infrastructure and significantly fewer uplinks,
there is less impact on STP processing.
· Redundancy options: Redundant switch power and CPUs can be supported on modular switches

QUESTION 73
An engineer is designing a redundant dual-homed BGP solution that should prefer one specific carrier under
normal conditions. Traffic should automatically fail over to a secondary carrier in case of a failure. Which two
BGP attributes can be used to achieve this goal for inbound traffic? (Choose two)

A. origin
B. MED
C. AS-PATH
D. local preference
E. weight

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Multi-exit discriminator (MED) and AS-path prepending are carried to the neighbouring AS and therefore influence
how traffic comes in; local preference and weight are evaluated only inside the local AS or router and steer
outbound traffic.

QUESTION 74
A network team must provide a redundant secure connection between two entities using OSPF. The primary
connection will be an Ethernet Private Line and the secondary connection will be a site-to-site VPN. What
needs to be configured in order to support routing requirements for over the VPN connection?

A. GRE Tunnel
B. HTTPS
C. Root Certificate
D. AAA Server

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
Which configuration represents resiliency at the hardware and software layers?

A. multiple connections and FHRP
B. HSRP and GLBP
C. redundant supervisor and power supplies
D. dual uplinks and switches

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
I don’t see “multiple connections” as hardware resiliency. They are “physical layer resiliency” for me.

QUESTION 76
Which option is the primary reason to implement security in a multicast network?

A. maintain network operations
B. allow multicast to continue to function
C. optimize multicast utilization
D. ensure data streams are sent to the intended receivers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
The main goal for security of multicast networks is to keep the network running even if there are configuration
errors, malfunctions, or network attacks (such as a denial-of-service [DoS] attack from an unknown server).
Multicast security involves managing network resources and access control for multiple senders (sources) and
receivers by defining what multicast traffic should be allowed in the network. Multicast security must also
protect against rogue servers or RPs that should not be in the network. Network resource utilization must be
managed; this includes managing multicast state information in the network and services participating in
multicast activity.

QUESTION 77
A company requires redundancy for its multi-homed BGP external connections. What two features can be
configured on the WAN routers to automate failover for both outbound and inbound traffic? (Choose two)

A. AS path prepending
B. local preference
C. floating static route
D. HSRP
E. MED
F. weight

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Reference: from https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13768-hsrp-bgp.html
This document describes how to provide redundancy in a multihomed Border Gateway Protocol (BGP) network
where you have connections to two separate Internet service providers (ISPs). In the event of a failure of
connectivity toward one ISP, the traffic is rerouted dynamically through the other ISP with the BGP set AS path
{tag | prepend as-path-string} command and Hot Standby Router Protocol (HSRP)
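
Added example (not part of the original dump and not Cisco's own configuration) of the dual-ISP edge described in
QUESTION 60, QUESTION 73 and QUESTION 77 in Cisco IOS BGP syntax: outbound filtering stops the site from
becoming a transit AS, local preference picks the primary carrier for outbound traffic, and AS-path prepending plus
MED steer inbound traffic toward the primary carrier; failover is automatic once the primary session drops. The AS
numbers, prefixes and peer addresses are documentation values assumed for illustration:

```cisco
! Only our own aggregate ever leaves the AS. Without this filter, routes
! learned from ISP1 would be re-advertised to ISP2 (and vice versa) and we
! would be offering transit between two carriers.
ip prefix-list OUR-PREFIXES seq 5 permit 203.0.113.0/24
!
! Anchor the aggregate so it stays advertised while any part of it is up.
ip route 203.0.113.0 255.255.255.0 Null0
!
! Outbound to the primary carrier: plain advertisement.
route-map TO-ISP1 permit 10
 match ip address prefix-list OUR-PREFIXES
!
! Outbound to the secondary carrier: same prefix with a longer AS path and
! a worse MED, so the Internet prefers the ISP1 path while it exists.
route-map TO-ISP2 permit 10
 match ip address prefix-list OUR-PREFIXES
 set as-path prepend 64500 64500
 set metric 100
!
! Inbound: local preference decides the exit for our outbound traffic.
route-map FROM-ISP1 permit 10
 set local-preference 200
route-map FROM-ISP2 permit 10
 set local-preference 100
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP1 primary
 neighbor 192.0.2.1 route-map FROM-ISP1 in
 neighbor 192.0.2.1 route-map TO-ISP1 out
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP2 secondary
 neighbor 198.51.100.1 route-map FROM-ISP2 in
 neighbor 198.51.100.1 route-map TO-ISP2 out
!
! Checks: everything advertised to either peer must be ours, and the ISP2
! copy must carry the prepended path.
! show ip bgp neighbors 192.0.2.1 advertised-routes
! show ip bgp neighbors 198.51.100.1 advertised-routes
```

The route-maps end with an implicit deny, so a prefix learned from one ISP never matches TO-ISP1/TO-ISP2 and is
never passed on. MED is only compared between paths received from the same neighbouring AS unless the remote side
enables always-compare-med, so across two different carriers the prepend is the lever that actually works; the MED is
there for the case where both links land on the same provider.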

QUESTION 78
In what situation must spanning-tree be implemented?

A. When redundant Layer 2 links, that are not part of a single EtherChannel or bundle, exist between
distribution switches
B. When redundant Layer 3 links, that are not part of a single EtherChannel or bundle, exist between
distribution switches
C. Between Distribution and Core switches when interfaces are configured with "no switchport"
D. Between Distribution and Core switches when VSS is configured

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
STP (the Layer 2 loop-prevention mechanism) should be implemented in topologies where loops may occur, and
redundant Layer 2 links between distribution switches are a very good example as long as the links are not
channelled (PortChannel, vPC, MEC). If the redundant Layer 2 links between distribution switches are channelled, the
topology is loop free so no STP is required, but the question doesn't say anything about that. With regard to answer
"A", a VLAN can be stretched between multiple access switches via the distribution layer and still be loop free
(known from experience).

QUESTION 79
Which option does best practice dictate for the maximum number of areas that an OSPF router should belong
to for optimal performance?

A. 1
B. 2
C. 3
D. 4
E. 5

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
Which option is an advantage of using PIM sparse mode instead of PIM dense mode?

A. No RP is required
B. There is reduced congestion in the network
C. IGMP is not required
D. It floods all multicast traffic throughout the network

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 81
An engineer is designing an IP addressing scheme for a local company that requires multicast for its
applications. For security reasons, only explicitly configured devices can be permitted to transmit across the
network. Which multicast technology and address range must the engineer select?

A. PIM-SM; 232.0.0.0/8
B. ASM; 232.0.0.0/8
C. SSM; 224.0.0.0/8
D. SSM; 232.0.0.0/8

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 82
A company needs to configure a new firewall and have only one public IP address to use. The engineer needs
to configure the firewall with NAT to handle inbound traffic to the mail server in addition to internet outbound
traffic. Which options could he use? (Choose two)

A. Static NAT for inbound traffic on port 25
B. Dynamic NAT for outbound traffic
C. Static NAT for outbound traffic on port 25
D. Dynamic NAT for inbound traffic
E. NAT overload for outbound traffic
F. NAT overload for inbound traffic on port 25

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
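
Added example (not part of the original dump and not Cisco's own configuration) of the single-public-address design
in QUESTION 82, written for a Cisco IOS router; the same split of one static port mapping plus PAT applies on a
firewall. Addresses, interface names and the mail server host are assumed:

```cisco
interface GigabitEthernet0/0
 description Outside: the only public address available (assumed)
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
! Inbound (option A): static NAT restricted to TCP/25 maps only the SMTP
! port of the public address to the mail server. No other inside host, and
! no other port of the mail server, is reachable from outside through NAT.
ip nat inside source static tcp 10.10.0.25 25 interface GigabitEthernet0/0 25
!
! Outbound (option E): NAT overload (PAT) lets the whole inside subnet share
! the single public address, with flows told apart by source port.
ip access-list standard NAT-INSIDE
 permit 10.10.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Checks:
! show ip nat translations | include :25
!   -> the static TCP/25 entry is always present, even with no traffic
! show ip nat statistics
!   -> hits on the overload rule once inside hosts start talking
```

Dynamic NAT (options B and D) would need a pool of public addresses, which the company does not have, and static NAT
for outbound (option C) would pin the one address to a single host. On the firewall itself, the inbound rule should
permit only TCP/25 to the public address; return traffic for the PAT sessions is matched by the stateful session table,
not by that rule.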

QUESTION 83
A network engineer is using OTV to connect six data centers. Which option is preferred when deploying OTV to
more than three sites?

A. Filter MAC address at the join interface
B. Use multicast-enabled transport
C. Use Unicast-only transport
D. Configure one edge device for each data center

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
An engineer is designing a Multichassis Etherchannel using VSS. Which network topology is the result?

A. Looped
B. Ring
C. Hybrid
D. Star

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
A company is running BGP on the edge with multiple service providers in a primary and secondary role. The
company wants to speed up time if a failure was to occur with the primary, but they are concerned about router
resources. Which method best achieves this goal?

A. Utilize BFD and lower BGP hello interval
B. Decrease the BGP keep-alive timer
C. Utilize BFD and tune the multiplier to 50
D. Utilize BFD and keep the default BGP timers

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
An engineer is designing a QoS architecture for a small organization and must meet these requirements:
- Guarantees resources for a new traffic flow prior to sending
- Polices traffic when the flow does not conform
Which QoS architecture model will accomplish this?

A. auto quality of service
B. modular quality of service
C. differentiated services
D. integrated services

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
When designing data centres for multitenancy, which two benefits are provided by the implementation of VSAN
and zoning? (Choose two)

A. VSAN provides a means of restricting visibility and connectivity among devices connected to a zone
B. VSANs have their own set of services and address space, which prevents an issue in one VSAN from
affecting others
C. Zones provide the ability to create many logical SAN fabrics on a single Cisco MDS 9100 family switch
D. VSANs and zones use separate fabrics
E. Zones allow an administrator to control which initiators can see which targets

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
A network engineer is designing a network that must incorporate active-active redundancy to eliminate
disruption when a link failure occurs between the core and distribution layer. What two technologies will allow
this? (Choose two)

A. Equal Cost Multi-Path (ECMP)
B. Rapid Spanning Tree Protocol Plus (RSTP+)
C. Hot Standby Routing Protocol (HSRP)
D. Rapid Spanning Tree Protocol (RSTP)
E. EtherChannel (MEC)

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89
When designing layer 2 STP based LAN with FHRP, what design recommendation should be followed?

A. Assign STP root with active FHRP device
B. Assign native VLAN to lowest number in use
C. Avoid configuring router preempt
D. Avoid modifying STP & FHRP default timers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 90
A network engineer wants to segregate three interconnected campus network via IS-IS routing. A two-layer
hierarchy must be used to support large routing domains to avoid more specific routes from each campus
network being advertised to other campus network routers automatically. What two actions should be taken to
accomplish this segregation? (Choose two)

A. Assign a unique IS-IS NET value for each campus and configure internal campus routers with level 1
routing.
B. Designate two IS-IS routers from each campus to act as Level 1/Level 2 backbone routers at the edge of
each campus network.
C. Designate two IS-IS routers as BDR routers at the edge of each campus.
D. Assign similar router IDs to all routers within each campus.
E. Change the MTU sizes of the interface of each campus network router with a different value

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
An engineer is trying to minimize the number of EIGRP routes within an infrastructure. Which command
achieves automatic summarization?

A. area 0 range 10.0.0.0 255.0.0.0.0
B. router eigrp 1
C. ip summary-address eigrp 1 10.0.0.0 255.0.0.0
D. ip summary-address 10.0.0.0 255.0.0.0
E. eigrp stub

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Auto-summarization was enabled by default in classic EIGRP on older IOS releases, which is what this answer relies
on. From IOS 15.0(1)M it is disabled by default, and EIGRP named mode never enables it, so check for auto-summary
under the EIGRP process rather than relying on the default; the explicit command is auto-summary, and manual
summarization is done per interface with ip summary-address eigrp.

QUESTION 92
What is the physical topology of ACI?

A. spine & leaf
B. point to point
C. hub & spoke
D. spoke to spoke

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
Which security function is inherent in an Application Centric Infrastructure network?

A. Default Inter-EPG connectivity
B. Intrusion Prevention
C. Intrusion Detection
D. Default Denial Network

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Comments:
ACI is a whitelist model: traffic between EPGs is denied by default and is permitted only once a contract is
configured between the provider and consumer EPGs. Traffic between endpoints inside the same EPG is permitted by
default unless intra-EPG isolation is enabled.

QUESTION 94
Which security feature requires a packet to be received on the interface that the router would use to forward the
return packet?

A. URPF
B. arp inspection
C. vlan acl

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
At which layer in the ACI fabric are policies enforced?

A. End Point
B. Spine
C. Leaf
D. APIC

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Security policies are configured on the APIC, and enforced on the leaves

QUESTION 96
A customer with 30 branch offices requires dynamic IGP routing protocol, IP multicast, and non-IP protocol
support. Which solution satisfies these requirements?

A. DMVPN spoke-to-spoke
B. DMVPN hub-to-spoke
C. VTI
D. P2P GRE

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Comments:
Non IP traffic is not supported by DMVPN.
https://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enterprise-class-teleworker-ect-solution/prod_brochure0900aecd80582078.pdf

QUESTION 97
A company security policy states that their data center network must be segmented from the layer 3
perspective. The segmentation must separate various network security zones so that they do not exchange
routing information and their traffic path must be completely segregated. which technology achieves this goal?

A. VPC
B. VXLAN
C. VRF
D. VDC

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
@Malkil

Virtual device context (VDC)
Cisco Nexus switches introduce support for virtual device contexts (VDCs). A VDC enables the switches to be
virtualized at the device level. Each configured VDC presents itself as a unique device, further expanding tenant
separation not only on data and control planes, but also on the management plane. A VDC runs as a separate
logical entity within the switch, maintaining its own unique set of running software processes, having its own
configuration, and being managed by a separate administrator.

Virtual Routing and Forwarding (VRF)
Since the goal of every solid network design is to minimize the extent of the broadcast domain and exposure to
spanning-tree loops, a method to translate the Layer 2 VLAN to a Layer 3 virtual network or virtual private
network (VPN) is required. This Layer 3 VPN must be capable of supporting its own unique control plane,
complete with its own addressing structure and routing tables for data forwarding completely isolated from any
other Layer 3 VPN on that device and in the network. The technology enabling this type of functionality is known
as the virtual routing and forwarding (VRF) instance.

Virtualized Firewalls
■ Multicontext mode: Virtualized firewalls run on a single physical ASA appliance.
■ Virtual firewalls: Virtual firewalls are software-only firewalls running in a hypervisor (virtual machine’s
manager).
The multicontext mode was originally designed for multitenant deployments. It is also commonly deployed in
virtual routing and forwarding (VRF) environments, where VLANs map to VRFs, and each VRF has its own
virtual firewall.

SUMMARY(BOOK)

Technology Description
VRF-Lite : Provides Layer 3 separation without the need for MPLS.
VDC : Provides data, control, and management plane separation.
VLAN : Provides Layer 2 separation.
VRF : Provides Layer 3 separation in conjunction with MPLS.

QUESTION 98
An engineer is working for a large scale cable TV provider that requires multicast on multisourced streaming
video, but must not use any rendezvous point mechanism. Which multicast protocol must be configured?

A. ASM
B. PIM-SM
C. BIDR-PIM
D. PIM-SSM

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

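Added example (not part of the original dump and not Cisco's own configuration) of the PIM-SSM design picked in
QUESTION 81 and QUESTION 98 on Cisco IOS: the 232.0.0.0/8 range is served without any rendezvous point, receivers
must name the source in an IGMPv3 (S,G) join, and an extended ACL restricts which sources and groups the access
segment may join at all. Addresses, interfaces and the sample source/group pair are assumed:

```cisco
! Some platforms need "ip multicast-routing distributed" instead.
ip multicast-routing
!
! SSM for the default range 232.0.0.0/8: no RP, no shared tree, no MSDP.
! A (*,G) join for a group in this range is ignored; only (S,G) joins work.
ip pim ssm default
!
! Only the explicitly listed source/group pairs may be joined from this
! segment. With IGMPv3, IOS reads an extended ACL as source = multicast
! sender and destination = group.
ip access-list extended SSM-ALLOWED
 permit ip host 10.10.1.5 232.1.1.0 0.0.0.255
 deny ip any 232.0.0.0 0.255.255.255
!
interface GigabitEthernet0/1
 description Receiver-facing access segment (assumed)
 ip address 10.20.0.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3
 ip igmp access-group SSM-ALLOWED
!
interface GigabitEthernet0/2
 description Toward the permitted source (assumed)
 ip address 10.10.1.1 255.255.255.0
 ip pim sparse-mode
!
! Checks (after a receiver joins 232.1.1.10 from source 10.10.1.5):
! show ip igmp groups detail   -> group 232.1.1.10 with source 10.10.1.5 listed
! show ip mroute 232.1.1.10    -> an (S,G) entry with flag s (SSM) and no (*,G)
! show ip pim rp mapping       -> nothing for 232/8, by design
```

PIM sparse mode is still enabled on the interfaces because SSM is a PIM-SM operating mode, not a separate protocol;
what changes is that the source tree is built directly from the receiver's last-hop router, so a rogue sender cannot
register with an RP and cannot be heard unless a receiver explicitly asks for its address.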
QUESTION 99
Reduce security risk in BGP. Which option help to avoid rogue route injection, unwanted peering and malicious
BGP activities?

A. Apply MD5 authentication between all BGP peers
B. Use GRE tunnel
C. Encrypt all traffic
D. Apply route maps and policies in route redistribution events

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Comments:
MD5 (the TCP MD5 signature option, RFC 2385) stops an unauthenticated host from opening, hijacking or resetting the
session, which covers the "unwanted peering" part of the question. It does nothing against a route injected by an
authenticated but misconfigured or compromised peer, so in practice it is paired with inbound prefix filters,
maximum-prefix limits, GTSM (ttl-security) and RPKI origin validation. TCP-AO (RFC 5925) replaces the MD5 option
where both ends support it.
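
Added example (not part of the original dump and not Cisco's own configuration) of hardening the eBGP session from
QUESTION 99 on Cisco IOS. The password line is the answer to the question; the remaining lines are what actually
bounds what an authenticated peer can inject. Peer addresses, AS numbers, the local prefix and the shared secret are
assumed:

```cisco
! Inbound filter: refuse our own space, RFC 1918 space and anything longer
! than /24; permit the rest (including a default route) up to /24.
ip prefix-list ISP1-INBOUND seq 5 deny 203.0.113.0/24 le 32
ip prefix-list ISP1-INBOUND seq 10 deny 10.0.0.0/8 le 32
ip prefix-list ISP1-INBOUND seq 15 deny 172.16.0.0/12 le 32
ip prefix-list ISP1-INBOUND seq 20 deny 192.168.0.0/16 le 32
ip prefix-list ISP1-INBOUND seq 25 deny 0.0.0.0/0 ge 25
ip prefix-list ISP1-INBOUND seq 100 permit 0.0.0.0/0 le 24
!
ip prefix-list OUR-PREFIXES seq 5 permit 203.0.113.0/24
!
router bgp 64500
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 password Examp1e-Sh4red-Secret
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 maximum-prefix 1000 90 restart 5
 neighbor 192.0.2.1 prefix-list ISP1-INBOUND in
 neighbor 192.0.2.1 prefix-list OUR-PREFIXES out
!
! password:        TCP MD5 option; a host without the secret cannot open
!                  or reset the session. IOS stores it encrypted on save.
! ttl-security:    GTSM; only accept segments that arrive with TTL 255,
!                  i.e. from the directly connected peer, so spoofed
!                  packets from further away are discarded before BGP.
! maximum-prefix:  tear the session down above 1000 prefixes (warn at
!                  90 percent) and retry after 5 minutes, which stops a
!                  full-table leak from a peer that is meant to send a few.
!
! Checks:
! show ip bgp neighbors 192.0.2.1 | include authentication|TTL|Maximum
! show ip bgp neighbors 192.0.2.1 routes        (what survived the inbound filter)
```

ttl-security and ebgp-multihop are mutually exclusive on the same neighbour; for a multihop session use the hop
count that matches the real distance rather than dropping GTSM.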

QUESTION 100
How does stub routing affect transit route in EIGRP?

A. Transit routes are passed from a stub network to a hub network
B. It prevents the hub router from advertising networks learned from the spoke
C. Transit routes are filtered from stub networks to the network hub
D. It’s designed to prevent the distribution of external routes

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 101
A customer would like to implement a firewall to secure an enterprise network, however the customer is unable
to allocate any new subnets. What type of firewall mode must be implemented?

A. active/standby
B. active/active
C. zone based
D. virtual
E. routed
F. transparent

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:

QUESTION 102
The network engineering team for a large university must increase the security within the core of the network by
ensuring that IP traffic only originates from a network segment that is assigned to that interface in the routing
table. Which technology must be chosen to accomplish this requirement?

A. VLAN access control lists
B. Unicast Reverse Path Forwarding
C. Intrusion prevention system
D. ARP inspection

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
ROUTE 300-101 page 714
Unicast Reverse Path Forwarding
One approach to preventing malicious traffic from entering a network is to use Unicast Reverse Path
Forwarding (uRPF) . Specifically, uRPF can help block packets having a spoofed IP address. The way that
uRPF works is to check the source IP address of a packet arriving on an interface and determine whether that
IP address is reachable, based on the router’s Forwarding Information Base (FIB) used by Cisco Express
Forwarding (CEF). Optionally, the router can also check to see whether the packet is arriving on the interface
the router would use to send traffic back to that IP address.
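
Added example (not part of the original dump and not Cisco's own configuration) of Unicast RPF as chosen in
QUESTION 94 and QUESTION 102 on Cisco IOS: strict mode on a single-homed segment, loose mode where routing may be
asymmetric. Interface names and addresses are assumed; CEF must be on because uRPF looks the source up in the FIB:

```cisco
ip cef
!
! A failed check consults this ACL: "deny ... log" drops the packet and
! logs it so a spoofing host can be traced to its port; a "permit" entry
! would forward the packet despite the failed check (for known exceptions).
ip access-list extended URPF-FAIL
 deny ip any any log
!
! Strict mode (reachable-via rx): the source must be reachable through the
! very interface the packet arrived on. Right for a single-homed segment
! whose prefixes are only ever routed out of this interface.
interface GigabitEthernet0/1
 description Single-homed campus segment (assumed)
 ip address 10.20.0.1 255.255.255.0
 ip verify unicast source reachable-via rx URPF-FAIL
!
! Loose mode (reachable-via any): the source only has to exist in the FIB
! via some interface. Use it where the return path may differ from the
! arrival path (multihomed peering, ECMP); strict mode there would drop
! legitimate traffic.
interface GigabitEthernet0/2
 description Peering link with possible asymmetric return path (assumed)
 ip address 192.0.2.2 255.255.255.252
 ip verify unicast source reachable-via any
!
! Checks:
! show ip interface GigabitEthernet0/1 | include verif
!   -> "IP verify source reachable-via RX, ACL URPF-FAIL" and the drop counter
! show ip cef 10.20.0.0 255.255.255.0
!   -> must point out Gi0/1, otherwise strict mode drops that whole segment
```

Two things strict mode will silently break: sources that are matched only by a default route (append allow-default
to the verify command if that is intended), and any segment whose prefix is reachable via more than one interface,
which is exactly the case loose mode exists for.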

QUESTION 103
Which option provides software modularity in Cisco NX-OS software in the data center design?

A. The ip routing command enables all of the features in the Cisco NX-OS.
B. All of the features are enabled by default in the Cisco NX-OS.
C. Individual features must be manually enabled to start the process.
D. The Cisco NX-OS has a management VRF that is enabled by default.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104
Which technology allows multiple instances of a routing table to coexist on the same router simultaneously?

A. VRF
B. Cisco virtual router
C. Instanced virtual router
D. IS-IS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
Which two features provide resiliency in a data center? (Choose two.)

A. Cisco FabricPath
B. VTP
C. encryption
D. vPC
E. VRF

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
Which network virtualization technology provides logical isolation of network traffic at Layer 3?

A. VSS
B. VLAN
C. VRF-Lite
D. MEC

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 107
Which technology extends Layer 2 LANs over any network that supports IP?

A. OTV
B. VSS
C. vPC
D. VLAN

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
Which two technologies can be used to interconnect data centers over an IP network and provide Layer 2 LAN
extension? (Choose two.)

A. IS-IS
B. VXLAN
C. TRILL
D. Fabric Path
E. OTV

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
QUESTION 109
Which protocol should be run on the LAN side of two edge routers (that are terminating primary and backup
WAN circuits) to provide quick failover in case of primary WAN circuit failure?

A. VTP
B. STP
C. VRRP
D. RIP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 110
Which protocol is best when there are circuit connections with two different ISPs in a multihoming scenario?

A. VRRP
B. BGP
C. IPsec
D. SSL

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 111
Which QoS technology allows traffic to pass even though it has exceeded the bandwidth limit, but queues it to be sent
later?

A. Shaping
B. Policing
C. Weighted Fair Queuing
D. Low Latency Queuing

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 112
Which technology can block interfaces and provide a loop-free topology?

A. STP
B. VSS
C. VLAN
D. vPC
Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 113
A customer has an existing WAN circuit with a capacity of 10 Mbps. The circuit carries 6 Mbps of various user traffic
and 5 Mbps of real-time audio traffic on average. Which two measures could be taken to avoid loss of real-time
traffic? (Choose two)

A. Police the traffic to 5 Mbps and allow excess traffic to be remarked to the default queue
B. Configure the congestion avoidance mechanism WRED within the priority queue
C. Police the traffic to 3.3 Mbps and allow excess traffic to be remarked to the default queue
D. Increase the WAN circuit bandwidth
E. Ensure that real-time traffic is prioritized over other traffic

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
@LetsCCDP
A is not a good choice since policing means dropping excess traffic; if it were shaping, then it might have been
considered.

QUESTION 114
An organization is acquiring another company and merging the two company networks. No subnets overlap, but
the engineer must limit the networks advertised to the new organization. Which feature implements this
requirement?

A. Interface ACL
B. Stub area
C. Route filtering
D. Passive interface

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 115
When an APIC in the cluster is down, what is the minimum number of APICs required for a production ACI fabric
to continue to operate?

A. 1
B. 2
C. 3
D. 4

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: From Designing for Cisco Network Service Architectures, Fourth Edition: The recommended
minimum sizing has the following requirements: Three or more Cisco APIC controllers that are dual connected
to different leaf switches for maximum resilience. Note that the fabric is manageable even with just one
controller and operational without a controller. I'm not sure what 'manageable' means; is it still an ACI fabric or
does it revert to a different state? It seems weird to me that you would no longer have your ACI fabric if one or two of
your three APICs went offline. Not usually how redundancy works. This Cisco topic seems to indicate it will still
work on 1 APIC:
https://supportforums.cisco.com/discussion/12448836/apic-cluster-why-minimum-3-controllers
Your reasoning is interesting. "Manageable" means that you can still make changes, add/remove things, etc. So,
now reading your comments, it makes sense that if the question is talking about continuing to operate, the answer must
be 1. I've seen 3 as the answer in all dumps but now I doubt it.
–> Nothing is correct. The ARCH design guide states the correct answer is 0 (zero):
“The recommended minimum sizing has the following requirements: Three or more Cisco APIC controllers that
are dual-connected to different leaf switches for maximum resilience. Note that the fabric is manageable even
with just one controller and operational without a controller.”
= Management min 1
= Operate min 0

QUESTION 116
Layer 2 extension over IP in the data center (MAC-in-IP)

A. FabricPath
B. TRILL
C. OTV
D. VXLAN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
@crossbar

QUESTION 117
An engineer is implementing VXLAN to extend Layer 2 traffic at three geographically diverse data centers. Which
feature is required at each data center to extend traffic?

A. VTEP
B. VLSM
C. VRRP
D. VPLS
E. VRF

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 118
A data center is being deployed, and one design requirement is to be able to readily scale server virtualization.
Which IETF standard technology can provide this requirement?

A. Cisco FabricPath
B. Data Center Bridging
C. UCS
D. Transparent Interconnection of Lots of Links

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
@skummy
The Data Center Bridging (DCB) architecture is based on a collection of open standards Ethernet extensions
developed through the IEEE 802.1 working group to improve and expand
Ethernet networking and management capabilities in the data center.

https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/ieee-802-1-data-center-bridging/at_a_glance_c45-460907.pdf

TRILL ("Transparent Interconnection of Lots of Links") is an IETF standard implemented by devices called
RBridges (routing bridges) or TRILL switches.
https://en.wikipedia.org/wiki/TRILL_(computing)

QUESTION 119
Which two hashing distribution algorithms are available to an engineer when working with Multichassis
EtherChannel? (Choose two)

A. src-dst-mac
B. src-dst-port
C. round-robin
D. fixed
E. adaptive

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
Which two modes for deploying Cisco TrustSec are valid? (Choose two)

A. cascade
B. low-impact
C. open
D. high availability
E. monitor

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 121
While configuring a QoS policy, analysis of the switching infrastructure indicates that the switches support
1P3Q3T egress queuing. Which option describes the egress queuing in the infrastructure?

A. The threshold configuration allows for inter-queue QoS by utilizing buffers
B. The 1P3Q3T indicates one priority queue, three standard queues, and three thresholds
C. The priority queue should use less than 20% of the total bandwidth
D. The priority queue must contain real-time traffic and network management traffic

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 122
Refer to the exhibit. HSRP is running between Distribution Switch A and Distribution Switch B. Which two links do
the switches use to transmit HSRP messages? (Choose two)

A. Core Switch A, port g2/1 to Distribution Switch A, port g3/1
B. Distribution Switch A, port g5/1 to Distribution Switch B, port g5/2
C. Core Switch A, port g1/1 to Core Switch B, port g1/2
D. Core Switch B, port g2/2 to Distribution Switch B, port g3/2
E. Distribution Switch A, port g4/1 to Access Switch, port g1/0/1
F. Distribution Switch B, port g4/2 to Access Switch, port g2/0/1

Correct Answer: EF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 123
An engineer set up a multicast network design using all three Cisco-supported PIM modes. Which two
characteristics of Bidirectional PIM in this situation are true? (Choose two)

A. In Bidirectional PIM, the RP IP address does not need to be a router.
B. In Bidirectional PIM, the RP IP address can be shared with any other router interface.
C. A Cisco router cannot support all three PIM modes simultaneously.
D. Membership to a bidirectional group is signaled via explicit join messages.
E. Bidirectional PIM is designed to be used for one-to-many applications.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
@Red-dot

https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsbidir.html

Reference : A router can simultaneously support all three modes or any combination of them for different
multicast groups. In bidirectional mode, traffic is routed only along a bidirectional shared tree that is rooted at
the rendezvous point (RP) for the group. In bidir-PIM, the IP address of the RP acts as the key to having all
routers establish a loop-free spanning tree topology rooted in that IP address. This IP address need not be a
router, but can be any unassigned IP address on a network that is reachable throughout the PIM domain. Using
this technique is the preferred configuration for establishing a redundant RP configuration for bidir-PIM.
Membership to a bidirectional group is signaled via explicit join messages. Traffic from sources is
unconditionally sent up the shared tree toward the RP and passed down the tree toward the receivers on each
branch of the tree.
Bidir-PIM is designed to be used for many-to-many applications within individual PIM domains. Multicast groups
in bidirectional mode can scale to an arbitrary number of sources without incurring overhead due to the number
of sources.

QUESTION 124
Which NAC design model matches the following definitions?
NAS is deployed centrally in the core or distribution layer.
Users are multiple hops away from the Cisco NAS.
After authentication and posture assessment the client traffic no longer passes through the Cisco NAS.
PBR is needed to direct the user traffic appropriately

A. Layer 3 in-band virtual gateway
B. Layer 3 out-of-band with addressing
C. Layer 2 in-band virtual gateway
D. Layer 2 out-of-band virtual gateway

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 125
The network engineering team is interested in deploying NAC within the enterprise network to enhance security.
What deployment model should be used if the team requests that the NAC be logically inline with clients?

A. Layer 2 in-band
B. Layer 2 out-of-band
C. Layer 3 in-band
D. Layer 3 out-of-band

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
page 434 Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide Third Edition
Layer 2 In-Band Designs
The Layer 2 in-band topology is the most common deployment option. The Cisco NAS is logically inline with the
client traffic, but is not physically inline.

QUESTION 126
A network engineer must perform posture assessments on Cisco ASA remote access VPN clients and control
their network access based on the results. What mode is the Cisco best practice NAC deployment design for
this situation?

A. Layer 2 in-band real IP gateway mode
B. Layer 2 out-of-band real IP gateway mode
C. Layer 3 in-band virtual gateway mode
D. Layer 3 out-of-band virtual gateway mode

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 127
Which Cisco NAC Appliance design is the most scalable in large Layer 2-to-distribution implementation?

A. Layer 2 out-of-band
B. Layer 2 in-band
C. Layer 3 out-of-band
D. Layer 3 in-band

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Layer 2 In-Band Designs
page 434 Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide
This is the most scalable design in large L2-to-distribution environments, because this design can be
transparently implemented in the existing network supporting multiple access layer switches. It supports all
network infrastructure equipment. The Cisco NAS supports per-user ACLs.

QUESTION 128
While designing a QoS policy for an organization, a network engineer is determining the method to limit the
output rate of traffic within the real-time queue. How must the limiting of traffic within the real-time queue
occur?

A. The traffic must be remarked to a low priority and allowed to pass
B. The traffic must be policed and not allowed to pass
C. The traffic within the real-time queue must not be limited
D. The traffic must be shaped to allow for it to be transmitted after the tokens have been replenished

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 129
Which option is a fundamental process of the Cisco TrustSec technology?

A. Marking
B. Detection
C. Propagation
D. Prioritization

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Cisco TrustSec is defined in three phases: classification, propagation, and enforcement

QUESTION 130
Refer to the exhibit.

What should be implemented to prevent exceeding the 50 Mbps allowable bandwidth of the Internet circuit?

A. CIR
B. police
C. shaping
D. ACL
E. rate-limit

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 131
An engineer is designing a network with OSPF and must filter ingress routes from a partner network that is also
running OSPF. Which two design options are available for this configuration? (Choose two)

A. Use a different routing protocol such as EIGRP between the networks
B. Configure a different OSPF area that would prevent any unwanted routes from entering the network
C. Use a distribute-list in the OSPF process to filter out the routes
D. Use an access list on the ingress interface to prevent the routes from entering the network
E. Design a filter using a prefix list to ensure that the routes are filtered out at the redistribution point

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
QUESTION 132
Which design technology allows two Cisco Catalyst chassis to use SSO and NSF to provide nonstop
communication even if one of the member chassis fails?

A. Auto chassis detect
B. VSS
C. vPC
D. Peer Gateway

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A VSS operates with stateful switchover (SSO) redundancy if it meets the following requirements:

-Both supervisor engines must be running the same software version.
-VSL-related configuration in the two chassis must match.
-PFC mode must match.
-SSO and nonstop forwarding (NSF) must be configured on each chassis.

QUESTION 133
While designing a backup BGP solution, a network engineer wants to ensure that a single router with multiple
connections prefers the routes from a specific connection over all others. Which BGP path selection attribute is
considered first when selecting a route?

A. As-Length
B. Link Bandwidth
C. Local preference
D. Weight
E. MED

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 134
A data center has several business partners who want to have their compute resources installed. The data
center uses one VLAN to support vendor equipment and requires limited visibility and connectivity between
vendor servers. Which segmentation concept satisfies these requirements?

A. IP NAT
B. Private VLANs
C. LAN-to-LAN VPN
D. Protected VLANs

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
QUESTION 135
Which Cisco NX-OS feature can be used to build highly scalable Layer 2 multipath networks without utilizing the
Spanning Tree Protocol?

A. OTV
B. FabricPath
C. vPC
D. MST

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
From the FLG 4th Ed. page 403:

“Cisco FabricPath brings routing techniques from Layer 3 to solve Layer 2 loop problems”

Layer 2 loop problems are what STP was designed to solve and the mentioned routing techniques are done by
IS-IS (page 404):

“Cisco FabricPath uses extensions to the Intermediate System-to-Intermediate System (IS-IS) protocol to
exchange unicast and multicast location and reachability information and to forward traffic in the network using
Cisco FabricPath headers. (IS-IS forms the underlay network for the FabricPath and enables the underlay fabric to
be a nonblocking Layer 3-routed network with ECMP forwarding).”

QUESTION 136
An engineering team must design a firewall solution with shared hardware resources but separation of features
such as ACLs, NATs, and management between the external business partners of the organization. Which
ASA deployment mode meets these requirements?

A. Routed mode
B. Multicontext mode
C. Transparent mode
D. Cluster mode

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
@Red-dot

QUESTION 137
During the integration of a new company, a network engineering team discovers that IP address space
overlaps between the two company networks. Which two technologies can be used to allow overlapping IP
addresses to coexist on shared network infrastructure? (Choose two)

A. VRF
B. OTV
C. NAT
D. HSRP
E. VPN
Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 138
An engineer wants to interconnect with a new company; both companies use OSPF. How should the ingress
routes between them be filtered?

A. Use EIGRP on the other company
B. Use a distribute-list
C. Use a prefix-list
D. Use an ACL

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 139
Where should loop guard be implemented in a campus network design?

A. Ports configured with PortFast
B. Alternate ports only
C. Ports configured with root guard
D. Alternate, backup and root ports

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 140
Refer to the exhibit
An engineer must apply IP addressing to five new WAN sites and chooses the new subnets pictured. The
previous administrator applied the addressing at Headquarters. Which option is the minimum summary range
to cover the existing WAN sites while also allowing for three additional WAN sites of the same size, for future
growth?

A. 10.0.60.0/18
B. 10.0.64.0/21
C. 10.0.64.0/17
D. 10.0.0.0/17
E. 10.0.64.0/18

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 141
Which two options are features of a scalable cluster design utilizing Cisco ASA firewalls? (Choose two)

A. Each cluster supports up to 10 ASA devices.
B. The design supports up to 100 Gbps of aggregate traffic.
C. Each member of the cluster can forward every traffic flow.
D. The design supports up to 1 Terabyte of aggregate traffic.
E. The ASA cluster actively load balances traffic flows.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
QUESTION 142
Which action should be taken when implementing a preferred IPS design?

A. Place the management interface on a separate VLAN
B. Place all sensors on PVLAN community ports
C. Place the management interface on the same VLAN
D. Place the monitoring interface on the inside network

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 143
How does OTV provide STP isolation?

A. By using STP root optimization
B. By using BPDU guard
C. By dropping BPDU packets
D. By using BPDU filtering

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 144
A LAN infrastructure consists of switches from multiple vendors. Spanning Tree is used as a Layer 2 loop
prevention mechanism. All configured VLANs must be grouped in two STP instances. Which standards-based
Spanning Tree technology must be used?

A. MSTP
B. Rapid PVST
C. STP
D. RSTP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 145
A network team is designing a Layer 3 Data Center Interconnect between two data centers. There is a
requirement that all links of equal bandwidth be utilized, have automatic failover, and not use any bundling
technology. Which routing function must be used to achieve this requirement?

A. BGP route reflectors
B. Equal-cost multipath routing
C. Virtual private LAN service
D. Virtual links
E. Policy-based routing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 146
An engineer is redesigning the infrastructure for a campus environment. The engineer must maximize the use
of the links between the core and distribution layers. By which two methods can this usage be maximized?
(Choose two)

A. Design the links between the core and distribution layers to use HSRP
B. Design the links between the core and distribution layers to use an IGP
C. Design the links between the core and distribution layers to use Rapid PVST+
D. Design with multiple equal-cost links between the core and distribution layers
E. Design with multiple unequal-cost links between the core and distribution layers

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
@LetsCCDP
A is not possible if routed links are used between the distribution and core layers; E is just a side benefit of EIGRP,
not very well suited to situations where asymmetric routing is undesirable.

QUESTION 147
An engineer must create this design:

Restrict certain networks from being advertised to remote branches connected via eBGP
Prohibit advertisement of the specific prefix to external peers only

Which BGP community must be configured to meet these requirements?

A. gshut
B. internet
C. local-as
D. no-export
E. no-advertise

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
https://learningnetwork.cisco.com/thread/58299
https://tools.ietf.org/html/rfc1997

QUESTION 148
An engineer is working on an OSPF network design and wants to minimize the failure detection time and the
impact on the router CPU. Which technology accomplishes this goal?

A. LSA pacing
B. LSA delay interval
C. BFD
D. Fast hellos

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 149
An engineer wants to ensure that hosts can locate routers that can be used as a gateway to reach IP-based
devices on other networks. Which first hop redundancy protocol accomplishes this goal?

A. VRRP
B. GLBP
C. IRDP
D. HSRP
E. GSLB

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-irdp.html

QUESTION 150
What added enforcement feature is available on IDS-based devices to terminate active malicious traffic?

A. Signature detection
B. TCP reset
C. SNMP alert
D. Layer 4 filtering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 151
An engineer has been asked to propose a solution for a campus network that offers the capability to create
multiple Layer 3 virtual networks. Each network must have its own addressing structure and routing table for
data forwarding. The proposed design must be scalable to support a high number of virtual networks, allowing
simple configuration and management with minimal administrative overhead. Which technology does the
engineer recommend?

A. hop-by-hop VRF-Lite
B. multihop IPsec tunneling
C. multihop MPLS core
D. hop-by-hop easy virtual network

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
@Malkil

Book: Foundation Learning Guide, Fourth Edition CCDP ARCH 300-320, page 20.

Hop-by-hop easy virtual network (EVN) based: Hop-by-hop VRF-lite is manageable for networks with fewer
numbers of virtual networks and fewer numbers of hops in a virtual network path. However, when the number
of logical networks (virtual/tenants) increases, there will be a high degree of operational complexity to create
and configure the interface or subinterface per VN. EVN provides the same benefits for guaranteeing traffic
separation with more simplified operations. In other words, EVN builds on VRF-Lite concepts and capabilities
and provides additional benefits, including the following:

■ EVN offers better end-to-end VN scalability compared to the classic hop-by-hop 802.1Q-based solution.
■ EVN offers simplified configuration and management.
■ EVN offers the capability to provision shared services among different logical groups.

As illustrated in Figure 1-15, with the EVN path, you can achieve isolation by using a unique tag for each VN.
This tag is referred to as VNET tag. Each VN carries over a virtual network the same tag value that was
assigned by a network administrator.
Based on that, EVN-capable devices along the path will use these tags to ensure end-to-end traffic isolation
among different VNs. With this approach, the dependency on the classical (802.1Q based) physical or logical
interfaces to provide traffic separation is eliminated.

QUESTION 152
Which two types of authentication mechanisms can be used by VRRP for security? (Choose two)

A. SHA-1
B. MD5
C. SHA-256
D. Plain Text
E. PEAP

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 153
An engineer has been requested to utilize a method in an ACI network that will ensure only permitted
communications are transmitted between the End Point Group tiers in a three-tier application. Which element is
used to accomplish this within the fabric?

A. Contract
B. Filter
C. Subject
D. Label

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

QUESTION 154
An engineer is seeking to improve access layer convergence. Which two actions accomplish this goal? (Choose
two)

A. Configure storm control
B. Utilize Rapid PVST+
C. Implement MST
D. Propagate all VLANs to switches
E. Prune unused VLANs to switches

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 155
An engineer has to increase the security in the core network. What needs to be implemented to be sure that the
IP traffic is originating from the correct network segment?

A. IPS
B. ACL
C. VLAN access lists
D. ARP inspection

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 156
New Question. What are the two main elements used by RBAC to provide secure access within an enterprise?
(Choose two)

A. User Privileges
B. User Roles
C. User Profile
D. User Domains
E. User Locales

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 157
New Question. Which two security measures must an engineer follow when implementing a Layer 2 and Layer 3
network design? (Choose two)

A. Utilize the native VLAN only on trunk ports to reduce the risk of a double-tagged 802.1Q VLAN hopping
attack
B. Utilize an access list to prevent the use of ARP to modify entries in the table
C. Utilize DHCP snooping on a per-VLAN basis and apply ip dhcp snooping untrusted on all ports
D. Utilize the ARP inspection feature to help prevent the misuse of gratuitous ARP (gARP)
E. Utilize private VLANs and ensure that all ports are part of the isolated port group

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
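Option A addresses the double-tagging VLAN hopping attack: the attacker stacks two 802.1Q tags, the outer one matching the trunk's native VLAN. Because native-VLAN traffic leaves a trunk untagged, the first switch strips the outer tag and the neighbouring switch reads the inner tag, placing the frame in a VLAN the attacker is not a member of. The Python below is an added example, not from the original page or from any Cisco material; it models only the trunk-egress and peer-ingress decisions on raw frame bytes, assumes the attacker's frame reaches the trunk with its outer tag intact, and uses constructed MAC addresses and VLAN IDs.

```python
"""802.1Q double-tagging (VLAN hopping) simulated on raw frame bytes (added example, not from the page)."""
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag follows


def build_frame(dst_mac, src_mac, vlan_ids, ethertype=0x0800, payload=b""):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (list of VLAN IDs outermost-first, inner EtherType, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]


def trunk_egress(frame, native_vlan, tag_native=False):
    """What a trunk puts on the wire: native-VLAN traffic leaves untagged unless the native
    VLAN is explicitly tagged (as with 'vlan dot1q tag native' on Cisco switches).
    Only the outermost tag is examined; an inner tag is opaque payload to this switch."""
    vids, _, _ = parse_frame(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]   # drop the 4-byte outer tag
    return frame


def vlan_assigned_by_peer(frame, native_vlan):
    """The VLAN the receiving trunk port assigns: outer tag if present, else its native VLAN."""
    vids, _, _ = parse_frame(frame)
    return vids[0] if vids else native_vlan


def simulate_hop(attacker_frame, native_vlan, tag_native=False):
    """VLAN the attacker's frame ends up in after crossing one trunk between two switches."""
    return vlan_assigned_by_peer(trunk_egress(attacker_frame, native_vlan, tag_native), native_vlan)


# Constructed attack frame: outer tag = VLAN 1 (default native VLAN), inner tag = victim VLAN 20.
ATTACK = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20], payload=b"hop")

if __name__ == "__main__":
    print("native 1, untagged :", simulate_hop(ATTACK, 1))          # 20 -> hopped into VLAN 20
    print("native 1, tagged   :", simulate_hop(ATTACK, 1, True))    # 1  -> outer tag kept
    print("native 999         :", simulate_hop(ATTACK, 999))        # 1  -> outer tag not native
```

The two mitigations fall out of the simulation: either tag the native VLAN on trunks so the outer tag is never stripped, or move the native VLAN to an unused ID so the attacker cannot match it from an access port. Both leave the frame in the VLAN the attacker actually belongs to.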

QUESTION 158
New Question. While designing quality of service policies, which two types of traffic must be prioritized as
management traffic? (Choose two)

A. RADIUS
B. SSH
C. HTTPS
D. ICMP
E. SCP

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 159
New Question. Which mechanism is enabled by default in the OTV technology to conserve bandwidth?

A. Unknown unicast flooding is suppressed over the OTV link
B. Control plane traffic is prevented from traversing the OTV link
C. BPDUs are allowed to traverse the OTV link
D. Data plane traffic is prevented from traversing the OTV link

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 160
New Question. How many multicast groups can one multicast MAC address represent?

A. 128
B. 16
C. 1
D. 32

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
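The answer 32 follows from how an IPv4 group address is mapped to a Layer 2 address: the MAC is the fixed prefix 01:00:5e followed by the low 23 bits of the group, so the 5 bits between the leading 1110 and those 23 bits are lost, and 2^5 = 32 groups share one MAC. The Python below is an added example, not from the original page; it derives the MAC for a group and enumerates every group that collapses onto that MAC.

```python
"""IPv4 multicast group -> MAC mapping and the 32:1 overlap (added example, not from the page)."""
import ipaddress

MCAST_OUI = 0x01005E       # IANA OUI for IPv4 multicast MACs (01:00:5e)
LOW23_MASK = 0x7FFFFF      # the 23 group-address bits that survive in the MAC


def multicast_mac(group):
    """Map an IPv4 group to its Layer 2 address: 01:00:5e + low 23 bits of the group."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac_int = (MCAST_OUI << 24) | (int(g) & LOW23_MASK)
    return ":".join(f"{(mac_int >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_for_mac(mac):
    """All IPv4 groups that collapse onto this MAC: 1110 + 5 free bits + the fixed low 23 bits."""
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >> 24 != MCAST_OUI:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = mac_int & LOW23_MASK
    # 0xE0000000 supplies the leading 1110; k walks the 5 bits the MAC cannot represent.
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


if __name__ == "__main__":
    mac = multicast_mac("224.1.1.1")
    overlapping = groups_for_mac(mac)
    print(mac, len(overlapping), overlapping[:4])
```

Design consequence: a switch that forwards multicast on MAC alone (no IGMP snooping) cannot tell 224.1.1.1 from 225.1.1.1 or 239.129.1.1, so picking group addresses that differ only in those 5 bits causes unwanted traffic to reach receivers of the other groups.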

QUESTION 161
New Question. A dual-homed office is opposed to using path optimization by flows. Which feature helps
application resiliency?

A. ATM
B. CEF
C. PFR
D. MLPPP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 162
New Question. A company is building a large data center. About 80% of its traffic will be North to South and the
other 20% will be East to West. The company is (…) expecting a significant amount of data center growth over
the next 5-10 years but wants to keep the cost of growth low. Which data center design is best suited to
meet these goals?

A. A two-tier design with the Layer 2 termination on the data center core
B. A spine-and-leaf design with Layer 2/3 termination on the leaf nodes
C. A spine-and-leaf design with Layer 2/3 termination on the spine nodes
D. A three-tier design with the Layer 3 termination on the data center core

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 163
New Question. A company (………….). Due to limited IPv4 address availability, the company was able to
allocate only a /24 address block. Which method must be used to ensure that the primary data center receives
all traffic unless it is offline?

A. EIGRP, advertise two /25 address blocks to each ISP at the primary DC and a /24 at the secondary DC
B. BGP, AS prepend at the secondary DC
C. OSPF, AS prepend at the secondary DC
D. BGP, advertise two /25 address blocks to each ISP at the primary DC and a /24 at the secondary DC

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 164
New Question. Headquarters has 3 branch routers and only wants one default route sent to the branch routers.
What type of area will be configured?

A. Normal Area
B. Stub Area
C. Totally stub area
D. Not-so-stubby-area

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
It is stated that only a default route has to be injected to the branch routers; that is a totally stubby area (LSA 1, 2 +
default route). NSSA would be the correct answer if the area contained an ASBR.
It should be answer C (Totally stub area), as a branch office is not supposed to import external routes and
redistribute them (Type 7 LSAs), and it also specifies that it should receive only one default route and not inter-area
routes (no Type 3 LSAs).
Here are some details:
Stub area: LSA 5 no, LSA 3 yes (no external LSA 5 flooding into this area)
Totally stubby area: LSA 5 no, LSA 4 no, LSA 3 no; the ABR injects a single LSA 3 for the default route
Not-so-stubby area (NSSA): LSA 7 yes
LSA types:
LSA 1 – originated by every router within a single area
LSA 2 – originated by the DR within an area
LSA 3 – produced by an ABR; sent into an area to advertise destinations outside the area
LSA 4 – originated by ABRs; sent into an area to advertise the IP address of an ASBR
LSA 5 – originated by an ASBR; advertises destinations external to the OSPF AS, flooded through the whole OSPF
domain
LSA 7 – originated by ASBRs in an NSSA; flooded only within the NSSA, not through the OSPF AS

QUESTION 165
New Question. A company has OSPF with 300 routers inside the backbone area. How should the design be changed?
(The question was much longer.)

A. Route summarization in the backbone area
B. Break down the area into smaller non-backbone areas
C. Add a virtual link
D.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 166
New Question. Which feature regarding a FlexLink design is true?

A. It optimizes the access switch density
B. It permits VLANs to extend across access switches that connect to a common aggregation module
C. All of the uplinks are in active state
D. The aggregation layer is aware of FlexLinks

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 167
New Question. An office is single-homed .... What must be done to make it resilient?

A. DMVPN
B. MPLS
C. WAE
D. MSE

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The WAN Automation Engine (WAE) is a flexible software-defined networking (SDN) platform. It abstracts and simplifies the WAN environment while making it open and programmable.
WAE helps ensure that the most expensive network resources are fully utilized, computing load-share metrics and placing paths with the Path Computation Element Communication Protocol (PCEP). It is used to optimize and automate the WAN.

QUESTION 168
New Question. Extending Ethernet Layer 2 into a private network … with multipath …

A. MPLS
B. VPLS
C. EoMPLS
D.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 169
New Question. An engineer is considering time of convergence in a new Layer 3 environment design. Which two attributes must be considered? (Choose two)

A. Addition of a valid forwarding path
B. Loss of a valid forwarding path
C. SPT timer updates
D. OSPF database updates
E. Forwarding table updates

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 170
New Question. Which technique allows both IPv4 and IPv6 to run at the same time on a router?

A. IPv4 tunnelling
B. Dual Stack
C. IPv6 Tunneling
D. IPv6 .....

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 171
New Question. Which STP feature can prevent other switches on the network from becoming the root switch,
but still allow that interface to participate in STP otherwise?

A. UDLO
B. Bridge Assurance
C. BPDU Guard
D. Root Guard

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
@Red-dot
Reference: BPDU Guard cannot be an answer since it will move the port into the err-disabled state.
Bridge Assurance is used for preventing loops; UDLO is probably UDLD, which is not an answer either. My bet is that there is another option, or you should choose just one answer instead of two.
Root Guard is clear. And BPDU Guard is OK too, because of this:

Explanation: When a port only has a host device connected to it, we enable PortFast; this speeds up the port initialization process and puts the port into the forwarding state straight away. This eliminates the 30 seconds of delay that would have been encountered if STP was not bypassed and the port went through the Listening and Learning states. Because the host is a workstation, it sends no BPDUs, and so disabling Spanning Tree on a port like this is not an issue.
If we removed the end host from this port and connected a switch, this new switch would start to generate BPDUs and could take over as the Root Bridge for the network, or it could cause a loop in our network if it has another link connected into another part of the network.

http://ericleahy.com/index.php/bpdu-guard-bpdu-filter-root-guard-loop-guard-udld/

BPDU Guard is used to prevent unauthorized switches; it is configured on end-user ports. If the switch sees a BPDU packet on a port where BPDU Guard is configured, it will shut the port down.
The question says "but still allow that interface to participate in STP", so BPDU Guard cannot be an answer.
It has only one answer – Root Guard.

https://vceguide.com/which-stp-feature-can-prevent-other-switches-on-the-network-from-becoming-the-root-switch-but-still-allow-that-interface-to-participate-in-stp-otherwise/
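Root Guard and BPDU Guard side by side, as an added configuration example that is not from the dump or the linked articles. Interface numbers, VLAN ranges and the distribution/access roles are assumptions. The difference the question hinges on is visible in the two failure states: a root-guarded port keeps running STP and merely blocks while a superior BPDU is present, whereas a BPDU-guarded port is err-disabled and leaves STP entirely.

```cisco
! Distribution switch: should stay the root for the VLANs it serves.
spanning-tree vlan 1-100 priority 4096

! Root Guard on the ports facing the access layer. BPDUs are still
! received and processed and the port stays an ordinary STP port; if a
! superior BPDU (better root) arrives, the port moves to the
! "root-inconsistent" blocking state and recovers on its own once the
! superior BPDUs stop. No err-disable, no manual intervention.
interface range GigabitEthernet1/0/1 - 24
 description uplink to access switches
 switchport mode trunk
 spanning-tree guard root

! Access switch, user-facing ports: PortFast plus BPDU Guard.
! A single BPDU err-disables the port, so the port no longer participates
! in STP at all; that is why BPDU Guard does not satisfy the question.
interface range GigabitEthernet1/0/1 - 44
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable

! Optional: let BPDU-guarded ports recover automatically instead of
! waiting for an administrator to shut/no shut them.
errdisable recovery cause bpduguard
errdisable recovery interval 300

! Verification:
!   show spanning-tree inconsistentports   -> ports currently held by Root Guard
!   show interfaces status err-disabled    -> ports shut down by BPDU Guard
!   show spanning-tree summary             -> confirms which guards are enabled
```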

QUESTION 172
NEW D&D

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 173
New Question. A new data center fabric is being designed. Which two protocols can be replaced when using FabricPath to create a loop-free topology? (Choose two)

A. STP
B. GLBP
C. LACP
D. HSRP
E. MST

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
@red-dot @Malkil
QUESTION 174
New Question. A company acquired another company, and the acquired company's IP addressing overlaps with yours. What can you do to allow users from the acquired company to access your resources?

A. Re-IP the network
B. 1-to-1 NAT
C. Use NAT with a pool of addresses
D. NAT overload

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
@LetsCCDP

QUESTION 175
New Question. An outsourced call center has very strict NAT policies and serves customer X. Which method allows call center agents to access the internal resource?

A. Use static NAT
B. Use port translation
C. Assign a /24 private IP address range
D. Use dynamic NAT

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
@Malkil

STATIC NAT (book 210-260)

This is a one-to-one permanent mapping. If you have 100 internal users and 100 global addresses, a one-to-one mapping can be done for every user, and every user would have a dedicated global address associated with his inside address. We do not usually have enough global addresses for each user. A typical use of a static mapping is this: we have a server on the inside of our network, or perhaps on a demilitarized zone (DMZ) interface off of our firewall, and we want to allow devices on the Internet access to that specific device. When you create a static mapping for that one server to a global IP address, that global IP address can be used in the Domain Name System (DNS) tables, and users on the Internet can reach our server by name (for example, www.server.com).

QUESTION 176
New Question. An engineer has been asked to design a LAN topology with high availability and loop-free operation, as STP provides, that also supports EtherChannels across multiple chassis with a separate control plane for each switch terminating these multichassis connections. Which technology should the engineer recommend for the upstream switches?

A. VSS
B. StackWise
C. VPC
D. VDC

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
@Malkil

Two Cisco Nexus 7000 switches can be combined into a vPC domain, allowing multichassis Link Aggregation
Control Protocol (LACP) port-channel connections across the pair. vPCs (also known as virtual channel ports)
can be built between the vPC switch pair and other neighboring devices. Even though the vPCs are terminated
on two different physical switches, the vPC switch pair represents itself as a single switch to neighboring
devices that are connected on the vPCs. This allows the traditional triangles between the access and
aggregation layers to be removed from the logical design. Physically, the access switches still connect to two
different aggregation switches, but logically, the pair of Cisco Nexus 7000 switches acts as a single
switch. The links between the access switch and aggregation switch pair are combined into a vPC, and STP
treats the connection as a single link. As a result, STP does not block any of the links, and the complete
bandwidth between the access and aggregation layers can be used. The concept of VPCs is similar to the
Catalyst 6500 VSS (Virtual Switching System) technology. With vPCs, however, it is an “active/active”
backplane model, whereas the Catalyst 6500 only has one supervisor active between VSS pair switches. This
is discussed in more detail later. With VPC, the switches combine to provide FHRP services, and therefore both
switches forward packets sent to a HSRP, VRRP, or GLBP virtual gateway MAC addresses, to avoid the
routing polarization previously common to FHRPs.

The vPC technology allows loop-free designs to be created in the access and aggregation layers, increasing
the total forwarding capacity and simplifying the network topology.
The vPC technology is a clustering technique that allows two Cisco Nexus 7000 switches to represent
themselves as a single switch to other network devices. The vPC technology enables Layer 2 Multichassis
EtherChannels (MEC) to be built between the other network device and the pair of Cisco Nexus switches.

Each peer device in the vPC domain runs its own control plane, and both devices work independently. Any potential control plane issues stay local to the peer device and do not propagate to or impact the other peer device.

I discarded the alternatives for these reasons:

VSS: one control plane
StackWise: one control plane
VDC: one physical switch
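A minimal vPC domain on the Nexus pair described above, as an added NX-OS example that is not from the dump or the quoted Cisco text. Domain number, interface names, keepalive addresses and the access-switch port-channel are assumptions. It shows the three pieces the explanation relies on: a keepalive path that is separate from the peer-link, the peer-link itself, and a member port-channel whose two links terminate on two chassis while each chassis keeps its own control plane.

```cisco
! NX-OS, first of the two Nexus peers. Mirror on the second peer with
! "role priority 200" and the keepalive source/destination swapped.
feature lacp
feature vpc

vpc domain 10
 role priority 100
 ! Keepalive over a dedicated path (here the mgmt VRF), never over the
 ! peer-link, so a peer can tell "peer is dead" from "peer-link is down"
 ! and avoid a dual-active split.
 peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
 ! If the other chassis never returns after a reload, or the peer-link and
 ! then the keepalive both fail, let the survivor bring its vPCs up again.
 auto-recovery

! Peer-link: carries BPDUs, FHRP hellos and orphan/failover traffic.
interface port-channel 1
 description vPC peer-link
 switchport mode trunk
 spanning-tree port type network
 vpc peer-link
interface Ethernet1/1-2
 channel-group 1 mode active

! Member port: the access switch sees a single LACP bundle whose two links
! land on two chassis. The vpc number must match on both peers.
interface port-channel 20
 description to access switch A
 switchport mode trunk
 vpc 20
interface Ethernet1/10
 channel-group 20 mode active

! Each peer keeps its own supervisor and control plane; rather than merging
! configuration, the consistency checker suspends a vPC whose settings
! differ between the peers, which is the first thing to read when one
! member link is down:
!   show vpc                                -> peer and keepalive status, vPC list
!   show vpc consistency-parameters global  -> type-1 mismatches that block vPCs
!   show vpc peer-keepalive                 -> keepalive path health
```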

QUESTION 177
New Question. An engineering team must allow communication between the tiers of a new two-tier application in a Cisco Application Centric Infrastructure environment. Which two elements must be configured to allow communication between the two endpoint groups that represent the application? (Choose two.)

A. context
B. filter
C. access control list
D. contract
E. route map

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
@Malkil
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/aci-fabric-controller/white-paper-
c11-729906.pdf

QUESTION 178
A low-performance router is installed at the WAN edge to ensure connectivity with the branches. How should BGP be configured? (Choose two)

A. Set the maximum-paths number
B. Configure iBGP
C. Filter routes to receive only routes with the AS of the branches
D. Filter routes to get more specific routes
E. Filter routes to get routes including the AS of the branches

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 179
In an Internet edge topology, where is the best place to put an NTP server so that users can easily access it?

A. Private network
B. Internal network
C. Private DMZ
D. External DMZ

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 180

A.
B.
C.
D.

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
