A. ID
B. TTL
C. FCS
D. ToS
Answer: D
Question 2
Drag and drop the characteristics from the left onto the technology types on the right.
Answer:
Configuration Management
+ Ansible is used for this type of technology.
+ This type of technology enables consistent configuration of infrastructure resources.
Orchestration
+ Puppet is used for this type of technology.
+ This type of technology provides automation across multiple technologies and domains.
Question 3
Answer: C
Explanation
We tested with GNS3 and the router only requires password “cisco123” configured under line
console to authenticate. So we can deduce the “password” command under line interface is
preferred over “login authentication” command.
Question 4
A customer transitions a wired environment to a Cisco SD-Access solution. The customer does
not want to integrate the wireless network with the fabric. Which wireless deployment approach
enables the two systems to coexist and meets the customer requirement?
Answer: C
Explanation
Customers with a wired network based on SD-Access fabric have two options for integrating
wireless access:
+ SD-Access Wireless Architecture
+ Cisco Unified Wireless Network Wireless Over the Top (OTT)
OTT basically involves running traditional wireless on top of a fabric wired network.
Why would you deploy Cisco Unified Wireless Network wireless OTT? There are two primary
reasons:
…
2. Another reason for deploying wireless OTT could be that the customer doesn’t want to or cannot
migrate to fabric for wireless.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/deploy-guide/cisco-dna-center-sd-access-wl-dg.pdf
Question 5
Which two solutions are used for backing up a Cisco DNA Center Assurance database? (Choose
two)
A. NFS share
B. local server
C. non-linux server
D. remote server
E. bare metal server
Answer: A D
Explanation
Cisco DNA Center creates the backup files and posts them to a remote server. Each backup is
uniquely stored using the UUID as the directory name.
To support Assurance data backups, the server must be a Linux-based NFS server that meets
the following requirements:
Support NFS v4 and NFS v3.
Cisco DNA Center stores backup copies of Assurance data on an external NFS device and
automation data on an external remote sync (rsync) target location.
The remote share for backing up an Assurance database (NDP) must be an NFS share.
Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/admin_guide/b_cisco_dna_center_admin_guide_2_1_2/b_cisco_dna_center_admin_guide_2_1_1_chapter_0110.html
Question 6
Answer: A
Question 7
A customer wants to provide wireless access to contractors using a guest portal on Cisco ISE.
The portal is also used by employees. A solution is implemented, but contractors receive a
certificate error when they attempt to access the portal. Employees can access the portal
without any errors. Which change must be implemented to allow the contractors and employees
to access the portal?
A. Install a trusted third-party certificate on the Cisco ISE.
B. Install an internal CA signed certificate on the Cisco ISE.
C. Install a trusted third-party certificate on the contractor devices.
D. Install an internal CA signed certificate on the contractor devices.
Answer: A
Explanation
It is recommended to use the company internal CA for Admin and EAP certificates, and a
publicly-signed certificate for Guest/Sponsor/Hotspot/etc. portals. The reason is that if a user or
guest comes onto the network and the ISE portal uses a privately-signed certificate for the Guest
Portal, they get certificate errors or potentially have their browser block them from the portal
page. To avoid all that, use a publicly-signed certificate for portal use to ensure a better user
experience. Additionally, each deployment node’s IP address should be added to the SAN field
to avoid a certificate warning when the server is accessed via the IP address.
Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html
Question 8
Which IP address becomes the active next hop for 192.168.102.0/24 when 192.168.101.2 fails?
A. 192.168.101.10
B. 192.168.101.14
C. 192.168.101.6
D. 192.168.101.18
Answer: D
Explanation
Path Selection Attributes: (highest) Weight > (highest) Local Preference > Originate >
(shortest) AS Path > Origin > (lowest) MED > External > IGP Cost > eBGP Peering > (lowest)
Router ID
Besides 192.168.101.2, the other next hops have the same Weight attribute of 0, so we have to
consider Local Preference. There are two next hops with a LocPrf of 100, which are 192.168.101.18
and 192.168.101.10 (an empty LocPrf field means the default Local Preference of 100).
Next we compare their AS Path. The next hop 192.168.101.18 has the shorter AS Path, so it will be
the active next hop when the current one fails.
Question 9
Answer: A
Explanation
In REST API security, API keys are widely used in the industry and have become something of a
standard; however, this method should not be considered a good security measure.
API keys were created as somewhat of a fix to the early authentication issues of HTTP Basic
Authentication and other such systems. In this method, a unique generated value is assigned to
each first-time user, signifying that the user is known. When the user attempts to re-enter the
system, their unique key (sometimes generated from their hardware combination and IP data,
and other times randomly generated by the server which knows them) is used to prove that
they’re the same user as before.
Reference: https://blog.restcase.com/4-most-used-rest-api-authentication-methods/
Question 10
Which configuration elects SW4 as the root bridge for VLAN 1 and puts G0/2 on SW2 into a
blocking state?
Answer: C
Question 11
Which Python code snippet must be added to the script to save the returned configuration as a
JSON-formatted file?
Answer: A
Explanation
Note: response.json() returns a JSON object of the result so it cannot be written to a file
directly.
Question 12
An engineer must configure an ERSPAN session with the remote end of the session 10.10.0.1.
Which commands must be added to complete the configuration?
Answer: A
Explanation
The configuration in the exhibit is missing the destination IP address for the GRE tunnel, so we have
to add it with the “ip address 10.10.0.1” command.
Question 13
The administrator troubleshoots an Etherchannel that keeps moving to err-disabled. Which two
actions must be taken to resolve the issue? (Choose two)
Answer: C E
Explanation
The errdisable status indicates that the port was automatically disabled by the switch operating
system software because of an error condition encountered on the port.
Check the EtherChannel configuration on both switches. If one side is configured for
EtherChannel in the On mode, the peer ports must also be in On mode or they will go to
errdisable.
Reference: https://community.cisco.com/t5/networking-documents/port-status-is-errdisable-due-to-etherchannel-misconfiguration/ta-p/3131226
Question 14
Drag and drop the snippets onto the blanks within the code to construct a script that shows all
logging that occurred on the appliance from Sunday until 9:00 p.m Thursday. Not all options are
used.
Answer:
1 – 0 21 * * 0-4
2 – 3.0
3 – redirect ftp://cisco:cisco@192.168.1.1
Explanation
cron-entry – a text string that consists of five fields separated by spaces. The fields represent the
times and dates when CRON timer events will be triggered. There are 5 values you can specify:
minute – controls what minute of the hour the command will fire; values between 0 and 59
hour – controls what hour the command will run, specified in 24-hour clock format, 0-23
(0 = midnight)
day-of-month – a number in the range from 1 to 31 that specifies the day of the month when a
CRON timer event is triggered.
month – a number in the range from 1 to 12 or the first three letters (not case-sensitive) of the
name of the month in which a CRON timer event is triggered.
day-of-week – a number in the range from 0 to 6 (Sunday is 0) or the first three letters (not
case-sensitive) of the name of the day when a CRON timer event is triggered.
Examples:
01 * * * * – this command is run at one minute past every hour
17 8 * * * – this command is run daily at 8:17 am
*/1 * * * * – this command runs every minute
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/command/eem-cr-book/eem-cr-e2.html
Question 15
Drag and drop the characteristics from the left onto the infrastructure deployment models on the
right.
Answer:
On Premises:
+ Infrastructure requires large and regular investments.
+ It requires capacity planning for power and cooling.
Cloud:
+ Capacity easily scales up or down.
+ It enables users to access resources from anywhere.
Question 16
Answer: C
Question 17
Drag and drop the characteristics from the left onto the routing protocols they describe on the
right.
Answer:
EIGRP
+ sends hello packets every 5 seconds on high-bandwidth links
OSPF
+ cost is based on interface bandwidth
+ uses virtual links to link an area that does not have a connection to the backbone
Question 18
Answer: A
Explanation
When a FlexConnect access point enters standalone mode, it disassociates all clients that are on
centrally switched WLANs. Controller-dependent activities, such as network access control (NAC)
and web authentication (guest access), are disabled.
However, a FlexConnect access point supports dynamic frequency selection (DFS) in standalone
mode.
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html
Question 19
Which two Cisco SD-Access components provide communication between traditional network
elements and controller layer? (Choose two)
Answer: B C
Question 20
A. OSPF is a Cisco proprietary protocol, and EIGRP is an IETF open standard protocol.
B. EIGRP uses the DUAL distance vector algorithm, and OSPF uses the Dijkstra link-state
algorithm
C. EIGRP uses the variance command for unequal cost load balancing, and OSPF supports
unequal cost balancing by default.
D. OSPF uses the DUAL distance vector algorithm, and EIGRP uses the Dijkstra link-state
algorithm
Answer: B
Question 21
Which function does a fabric wireless LAN controller perform in a Cisco SD-Access deployment?
A. performs the assurance engine role for both wired and wireless clients
B. coordinates configuration of autonomous nonfabric access points within the fabric
C. manages fabric-enabled APs and forwards client registration and roaming information to the
Control Plane Node
D. is dedicated to onboard clients in fabric-enabled and nonfabric-enabled APs within the fabric
Answer: C
Explanation
+ Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the
SDA fabric.
Question 22
Drag and drop the characteristics from the left onto the orchestration tools that they describe on
the right.
Answer:
Chef
+ communicates using knife tool
+ procedural
SaltStack
+ declarative
+ communicates through SSH
Question 23
Answer: D
Question 24
How must network management traffic be treated when defining QoS policies?
Answer: A
Question 25
Option A Option B
ip sla 6 ip sla 6
icmp-echo 172.29.139.134 source-ip icmp-echo 172.29.139.134 source-ip
172.29.139.132 172.29.139.132
frequency 300 frequency 300
ip sla schedule 6 start-time now ip sla schedule 6 start-time now
show ip protocol
Option C Option D
ip sla 6 ip sla 6
icmp-echo 10.0.1.3 source-ip 10.0.0.3 icmp-echo 10.0.1.3 source-ip 10.0.0.3
frequency 300 frequency 300
ip sla schedule 6 life forever start-time now ip sla schedule 6 life forever start-time now
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
Question 26
What are the main components of Cisco TrustSec?
Answer: B
Explanation
The key component of Cisco TrustSec is the Cisco Identity Services Engine. It is typical for
the Cisco ISE to provision switches with TrustSec Identities and Security Group ACLs (SGACLs),
though these may be configured manually.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/trustsec.pdf
Question 27
A. The information for all interfaces is read from the network appliance
B. The native interface information is read from the network appliance
C. The “params” variable sends data fields to the network appliance
D. The “params” variable reads data fields from the network appliance
Answer: A
Question 28
A. value that identifies a specific tunnel within the Cisco SD-WAN overlay
B. identifier that represents a specific service offered by nodes within the Cisco SD-WAN overlay
C. attribute that acts as a next hop for network prefixes
D. component set by the administrator to differentiate similar nodes that offer a common service
Answer: C
Explanation
TLOCs serve another important function besides data plane connectivity. In OMP terms (the
routing protocol used over the SD-WAN Fabric), the TLOC serves as a next-hop for route
advertisements. OMP is very similar to BGP in many ways, and just as the next-hop must be
resolvable for BGP to install a route, the same is true of OMP.
Reference: https://carpe-dmvpn.com/2019/12/14/tlocs-cisco-sd-wan/
Question 29
Which Cisco FlexConnect state allows wireless users that are connected to the network to
continue working after the connection to the WLC has been lost?
Answer: C
Explanation
Question 30
Option A Option B
Option C Option D
A. Option A
B. Option B
C. Option C
D. Option D
Answer: D
Question 31
An engineer must configure and validate a CoPP policy that allows the network management
server to monitor router R1 via SNMP while protecting the control plane. Which two commands
or command sets must be used? (Choose two)
A. show quality-of-service-profile
policy-map CoPP-policy
class CoPP-management
police 8000 conform-action transmit exceed-action transmit
violate-action transmit
control-plane
service-policy input CoPP-policy
Answer: C D
Question 32
How do EIGRP metrics compare to OSPF metrics?
A. The EIGRP administrative distance for external routes is 170, and the OSPF administrative
distance for external routes is 110
B. EIGRP uses the Dijkstra algorithm, and OSPF uses The DUAL algorithm
C. The EIGRP administrative distance for external routes is 170, and the OSPF administrative
distance for external routes is undefined
D. EIGRP metrics are based on a combination of bandwidth and packet loss, and OSPF metrics
are based on interface bandwidth
Answer: A
Question 33
A network engineer is configuring OSPF on a router. The engineer wants to prevent having a
route to 177.16.0.0/16 learned via OSPF in the routing table, and configures a prefix list using
the command ip prefix-list OFFICE seq 5 deny 172.16.0.0/16. Which two identical
configuration commands must be applied to accomplish the goal? (Choose two)
Answer: A B
Question 34
Which two features does the Cisco SD-Access architecture add to a traditional campus network?
(Choose two)
A. private VLANs
B. software-defined segmentation
C. SD-WAN
D. identity services
E. modular QoS
Answer: B D
Explanation
SD-Access uses logic blocks called fabrics which leverage virtual network overlays that are
driven through programmability and automation to create mobility, segmentation, and visibility.
Network virtualization becomes easy to deploy through software-defined segmentation and
policy for wired and wireless campus networks.
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/SD-Access-Distributed-Campus-Deployment-Guide-2019JUL.html
Question 35
Which feature is used to propagate ARP broadcast, and link-local frames across a Cisco SD-
Access fabric to address connectivity needs for silent hosts that require reception of traffic to
start communicating?
Answer: B
Explanation
The Cisco SD-Access fabric provides many optimizations to improve unicast traffic flow and to
reduce the unnecessary flooding of data such as broadcasts. But for some traffic and
applications, it may be desirable to enable broadcast forwarding within the fabric.
By default, this is disabled in the Cisco SD-Access architecture. If broadcast, link-local multicast,
and ARP flooding are required, they must be specifically enabled on a per-subnet basis using the
Layer 2 flooding feature.
Layer 2 flooding can be used to forward broadcasts for certain traffic and application types which
may require leveraging of Layer 2 connectivity, such as silent hosts, card readers, door locks,
etc.
Reference: https://community.cisco.com/t5/networking-documents/cisco-sd-access-layer2-flooding/ta-p/3943916
Question 36
An engineer must configure a new loopback interface on a router and advertise the interface as
a /24 in OSPF. Which command set accomplishes this task?
A. R2(config)#interface Loopback0
R2(config-if)#ip address 172.22.2.1 255.255.255.0
R2(config-if)#ip ospf 100 area 0
B. R2(config)#interface Loopback0
R2(config-if)#ip address 172.22.2.1 255.255.255.0
R2(config-if)#ip ospf network broadcast
R2(config-if)#ip ospf 100 area 0
C. R2(config)#interface Loopback0
R2(config-if)#ip address 172.22.2.1 255.255.255.0
R2(config-if)#ip ospf network point-to-multipoint
R2(config-if)#router ospf 100
R2(config-router)#network 172.22.2.0 0.0.0.255 area 0
D. R2(config)#interface Loopback0
R2(config-if)#ip address 172.22.2.1 255.255.255.0
R2(config-if)#ip ospf network point-to-point
R2(config-if)#ip ospf 100 area 0
Answer: D
Explanation
Although the configured loopback address is 172.22.2.1/24, by default OSPF will advertise
the route to Loopback0 as 172.22.2.1/32 (the most specific route to that loopback). In order to
override this, we have to change the network type to point-to-point. After this, OSPF will
advertise the loopback address as 172.22.2.0/24.
Question 37
Answer: A
Explanation
Control plane: based on the Locator/ID Separation Protocol (LISP). LISP simplifies routing by
removing destination information from the routing table and moving it to a centralized mapping
system.
Question 38
An engineer must configure a router to leak routes between two VRFs. Which configuration must
the engineer apply?
Option A Option B
Option C Option D
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
Explanation
Reference: https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200158-Configure-Route-Leaking-between-Global-a.html
Question 39
Answer: A
Question 40
If the maximum power level assignment for global TPC 802.11a/n/ac is configured to 10 dBm,
which power level effectively doubles the transmit power?
A. 13dBm
B. 14dBm
C. 17dBm
D. 20dBm
Answer: A
Explanation
Question 41
A. IP first-hop redundancy
B. communication between different nodes for cluster setup
C. physical link redundancy
D. minimal network downtime following an RP switchover
Answer: D
===================================================
There are two questions about which we still have no information, but we post the
descriptions here for your reference. Special thanks to KMV, who shared these new
questions:
2). Engineer received response code 504 when accessing some blah blah server/application.
what is the issue?
Authentication was unsuccessful, Username and password is wrong, Server was unavailable,
Server timeout
Correct answer should be “Server timeout”
4). What is the CISCO WiFi6 compatible AP technology for small office branches?
Cisco new Generation WLAN, Mobile Controller or some similar answer (I remember the word
“Mobile” only), XXXX, YYYY
I selected “Mobile xxxx”
Question 42
Answer: A
Explanation
In a type 1 hypervisor (or native hypervisor), the hypervisor is installed directly on the physical
server. Then instances of an operating system (OS) are installed on the hypervisor. A type 1
hypervisor has direct access to the hardware resources. Therefore, it is more efficient than
hosted architectures. Some examples of type 1 hypervisors are VMware vSphere/ESXi, Oracle VM
Server, KVM and Microsoft Hyper-V.
In contrast to a type 1 hypervisor, a type 2 hypervisor (or hosted hypervisor) runs on top of an
operating system and not the physical hardware directly. A big advantage of type 2 hypervisors
is that management console software is not required. Examples of type 2 hypervisors are VMware
Workstation (which can run on Windows, Mac and Linux) or Microsoft Virtual PC (only runs on
Windows).
Question 43
Option A
R1
interface Tunnel1
ip address 1.1.1.13 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.110
R3
interface Tunnel1
ip address 1.1.1.31 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.125
Option B
R1
interface Tunnel1
ip address 1.1.1.13 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.160
R3
interface Tunnel1
ip address 1.1.1.31 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.110
Option C
R1
interface Tunnel1
ip address 1.1.1.13 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.110
R3
interface Tunnel1
ip address 1.1.1.31 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.160
Option D
R1
interface Tunnel2
ip address 1.1.1.12 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.125
R2
interface Tunnel1
ip address 1.1.1.125 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.110
interface Tunnel3
ip address 1.1.1.125 255.255.255.0
tunnel source Loopback0
tunnel destination x.y.z.160
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Question 44
An engineer must allow R1 to advertise the 192.168.1.0/24 network to R2. R1 must perform this
action without sending OSPF packets to SW1. Which command set should be applied?
A. R1(config)#router ospf 1
R1(config-router)#no passive-interface gig0/0
B. R1(config)#interface gig0/0
R1(config-if)#ip ospf hello-interval 0
C. R1(config)#router ospf 1
R1(config-router)#passive-interface gig0/0
D. R1(config)#interface gig0/0
R1(config-if)#ip ospf hello-interval 65535
Answer: C
Question 45
What is an OVF?
Answer: A
Explanation
Open Virtualization Format (OVF) is an open-source standard for packaging and distributing
software applications for virtual machines (VM). An OVF package contains multiple files in a
single directory.
Question 46
Answer: A
Explanation
NTP uses the concept of a stratum to describe how many hops (routers) away a machine is from
an authoritative time source, usually a reference clock. A reference clock is a stratum 0 device
that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers
cannot be used on the network but they are directly connected to computers which then operate
as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.
Question 47
A. confidential algorithms
B. separation of privilege
C. OAuth
D. password hashing
Answer: B
Explanation
Reference: https://restfulapi.net/security-essentials/
Question 48
https://192.168.43.103/restconf/data/ietf-interfaces/interfaces/interface-Loopback100
What does the response “204 No Content” mean for the REST API request?
Answer: A
Explanation
The 204 status code means that the request was received and understood, but that there is no
need to send any data back. The server has fulfilled the request but does not need to return an
entity-body, and might want to return updated meta information.
Note: HTTP status code of 2xx means “Success”, which indicates that the client’s request was
accepted successfully.
Question 49
Which LISP component decapsulates messages and forwards them to the map server responsible
for the egress tunnel routers?
A. Map Resolver
B. Router Locator
C. Proxy ETR
D. Ingress Tunnel Router
Answer: A
Explanation
The function of the LISP Map Resolver (MR) is to accept encapsulated Map-Request messages
from ingress tunnel routers (ITRs), decapsulate those messages, and then forward the messages
to the MS responsible for the egress tunnel routers (ETRs) that are authoritative for the
requested EIDs.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/15-mt/irl-15-mt-book/irl-overview.pdf
In the example below, R3 works as a Map Resolver (MR) to receive and process the EID-to-RLOC
mapping lookup queries and provides the mappings to the requester.
The MS and MR functions are often included in a single device, which is referred to as an MR/MS
device. If the MS and MR are two separate devices, the MR is responsible for forwarding the
Map-Request messages to the correct MS.
Question 50
Which character formatting is required for DHCP Option 43 to function with current AP models?
A. MD5
B. ASCII
C. Hex
D. Base64
Answer: C
Question 51
Where are operations related to software images located in the Cisco DNA Center GUI?
A. Provisioning
B. Services
C. Design
D. Assurance
Answer: C
Explanation
Cisco DNA Center stores all of the software images, software maintenance updates (SMUs),
subpackages, ROMMON images, and so on for the devices in your network. Image Repository
provides the following functions:
Image Repository: Cisco DNA Center stores all the unique software images according to image
type and version. You can view, import, and delete software images.
In the Cisco DNA Center GUI, click the Menu icon and choose Design > Image Repository.
Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_0100.html
Question 52
Answer: B
Explanation
The categories of data collected in the product usage telemetry are the Cisco.com ID, system
telemetry, feature usage telemetry and network device (for example, switch or router)
inventory, and license entitlement.
Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-data-sheet-cte-en.html#Productusagetelemetry
Question 53
What is one requirement when mobility tunnels are used between WLCs?
Answer: D
Question 54
Which two Cisco SD-WAN components exchange OMP information? (Choose two)
A. WAN Edge
B. vsmart
C. vBond
D. vAnalytics
E. vManage
Answer: A B
Question 55
Which two prerequisites must be met before Cisco DNA Center can provision a device? (Choose
two)
A. Cisco DNA Center must have the software image for the provisioned device in its image
repository.
B. The provisioned device must be put into bootloader mode.
C. The provisioned device must be configured with CLI and SNMP credentials that are known to
Cisco DNA Center.
D. Cisco DNA Center must have IP connectivity to the provisioned device.
E. The provisioned device must recognize Cisco DNA Center as its LLDP neighbor.
Answer: C D
Explanation
Planned Provisioning
…
Define the device credentials (CLI and SNMP) for the devices you are deploying -> Answer C is
correct.
Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_01101.html
It is also obvious that Cisco DNA Center must have IP connectivity to the provisioned device to
manage it -> Answer D is correct.
Question 56
What are two benefits of implementing a traditional WAN instead of an SD-WAN solution?
(Choose two)
A. simplified troubleshooting
B. comprehensive configuration standardization
C. faster fault detection
D. lower control plane abstraction
E. lower data plane overhead
Answer: D E
Question 57
Drag and drop the characteristics from the left onto the configuration models on the right.
Answer:
Procedural
+ Administrators require deep syntax and context knowledge for the configured entities
+ This model defines a set of commands that must be executed in a certain order for the system
to achieve the desired state
Declarative
+ This model states what is wanted but not how it is achieved
+ Puppet is a tool that uses this configuration model
Explanation
Chef and Ansible encourage a procedural style where you write code that specifies, step by step,
how to achieve some desired end state. Terraform, SaltStack, and Puppet all encourage a more
declarative style where you write code that specifies your desired end state, and the IaC tool
itself is responsible for figuring out how to achieve that state.
Question 58
Drag and drop the automation characteristics from the left onto the appropriate tools on the
right.
Answer:
Ansible
+ assesses the impact of changes before applied
+ agentless automation platform
Puppet
+ provides intent-based networking feedback loop
+ agent or agentless automation platform
Question 59
Drag and drop the characteristics from the left onto the correct places on the right.
Answer:
Explanation
Question 60
What is the recommended minimum SNR for data applications on wireless networks?
A. 10
B. 25
C. 15
D. 20
Answer: D
Explanation
Generally, a signal with an SNR value of 20 dB or more is recommended for data networks,
whereas an SNR value of 25 dB or more is recommended for networks that use voice
applications.
Question 61
What does the destination MAC on the outer MAC header identify in a VXLAN packet?
Answer: A
Question 62
Answer: A
Question 63
Answer: D
Explanation
In instances where the client roams between APs that are connected to different WLCs and the
WLC WLAN is connected to a different subnet, a Layer 3 roam is performed, and there is an
update between the new WLC (foreign WLC) and the old WLC (anchor WLC) mobility databases.
If this is the case, return traffic to the client still goes through its originating anchor WLC. The
anchor WLC uses Ethernet over IP (EoIP) to forward the client traffic to the foreign WLC, to
where the client has roamed. Traffic from the roaming client is forwarded out the foreign WLC
interface on which it resides; it is not tunneled back (-> Answer D is not correct). But this
contradicts what is said in the Official Cert Guide book:
“A Layer 3 intercontroller roam consists of an extra tunnel that is built between the client’s
original controller and the controller it has roamed to. The tunnel carries data to and from the
client as if it is still associated with the original controller and IP subnet.”
The client begins with a connection to AP B on WLC 1. This creates an ANCHOR entry in the WLC
client database. As the client moves away from AP B and makes an association with AP C, WLC 2
sends a mobility announcement to peers in the mobility group looking for the WLC with the client
MAC address. WLC 1 responds to the announcement, handshakes, and ACKs. Next the client
database entry for the roaming client is copied to WLC 2, and marked as FOREIGN. Included
PMK data (master key data from the RADIUS server) is also copied to WLC 2. This provides fast
roam times for WPA2/802.11i clients because there is no need to re-authenticate to the RADIUS
server.
After a simple key exchange between the client and AP, the client is added to the WLC 2
database and is similar, except that it is marked as FOREIGN.
Reference: https://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/TechArch.html
In Layer 3 roaming, no IP address refresh is needed (although the client must be re-authenticated and
a new security session established) -> Answer A is not correct.
Therefore the client entry on the original controller is not passed to the database entirely. The
client entry is still on the old controller, but it is marked “Anchor” (not “Foreign”) -> Answer B is
not correct.
Answer C is not correct, as the client database entry is not moved but copied to the new
controller.
Question 64
A. It uses a traditional routed access design to provide performance and high availability to the
network
B. It provides multicast support to enable Layer 2 flooding capability in the Underlay
C. It consists of a group of physical routers and switches that are used to maintain the network
D. It provides isolation among the virtual networks and independence from the physical network
Answer: D
Question 65
What is one characteristic of Cisco DNA Center and Manage northbound APIs?
Answer: A
Question 66
A company requires a wireless solution to support its main office and multiple branch locations.
All sites have local Internet connections and a link to the main office for corporate connectivity.
The branch offices are managed centrally. Which solution should the company choose?
Answer: C
Question 67
A system must validate access rights to all its resources and must not rely on a cached
permission matrix. If the access level to a given resource is revoked but is not reflected in the
permission matrix, the security is violated. Which term refers to this REST security design
principle?
Answer: D
Explanation
The principle of complete mediation requires that all accesses to objects be checked to ensure
that they are allowed.
Whenever a subject attempts to read an object, the operating system should mediate the action.
First, it determines if the subject is allowed to read the object. If so, it provides the resources for
the read to occur. If the subject tries to read the object again, the system should check that the
subject is still allowed to read the object. Most systems would not make the second check. They
would cache the results of the first check and base the second access on the cached results.
Reference: https://www.informit.com/articles/article.aspx?p=30487&seqNum=2
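The following is an added example (not part of the exam material) that contrasts a cached permission check with complete mediation: after a grant is revoked in the authoritative policy store, only the mediated authorizer notices. The PolicyStore class, the subject name and the resource path are constructed for illustration.

```python
"""Complete mediation: re-check every access against the authoritative
policy store instead of trusting a cached permission matrix.

Added example, not from the exam material; PolicyStore, the subject
"alice" and the resource path are constructed for illustration.
"""
from typing import Dict, Set, Tuple


class PolicyStore:
    """Authoritative source of truth for (subject, resource) grants."""

    def __init__(self) -> None:
        self._grants: Dict[str, Set[str]] = {}

    def grant(self, subject: str, resource: str) -> None:
        self._grants.setdefault(subject, set()).add(resource)

    def revoke(self, subject: str, resource: str) -> None:
        self._grants.get(subject, set()).discard(resource)

    def is_allowed(self, subject: str, resource: str) -> bool:
        return resource in self._grants.get(subject, set())


class CachedAuthorizer:
    """Violates complete mediation: the first decision is cached and
    reused, so a later revocation in the PolicyStore is never seen."""

    def __init__(self, store: PolicyStore) -> None:
        self._store = store
        self._cache: Dict[Tuple[str, str], bool] = {}

    def check(self, subject: str, resource: str) -> bool:
        key = (subject, resource)
        if key not in self._cache:
            self._cache[key] = self._store.is_allowed(subject, resource)
        return self._cache[key]


class MediatedAuthorizer:
    """Complete mediation: every request is checked against the store."""

    def __init__(self, store: PolicyStore) -> None:
        self._store = store

    def check(self, subject: str, resource: str) -> bool:
        return self._store.is_allowed(subject, resource)


def revocation_scenario():
    """Grant, read, revoke, read again. Returns the (cached, mediated)
    decisions before and after the revocation."""
    store = PolicyStore()
    store.grant("alice", "/api/v1/devices")
    cached = CachedAuthorizer(store)
    mediated = MediatedAuthorizer(store)
    before = (cached.check("alice", "/api/v1/devices"),
              mediated.check("alice", "/api/v1/devices"))
    store.revoke("alice", "/api/v1/devices")
    after = (cached.check("alice", "/api/v1/devices"),
             mediated.check("alice", "/api/v1/devices"))
    return before, after


if __name__ == "__main__":
    print(revocation_scenario())  # ((True, True), (True, False))
```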
Question 68
An administrator is configuring NETCONF using the following XML string. What must the
administrator end the request with?
A. </rpc-reply>
B. </rpc>]]>]]>
C. <pc message-id="9.0"><notification-off/>
D. </rpc>
Answer: B
Explanation
Use the following XML string to enable the NETCONF network manager application to send and
receive NETCONF notifications:
Example:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cns/configuration/15-e/cns-15-
e-book/cns-netconf.html
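An added example (not the XML string from the Cisco document, which is not reproduced above) showing the NETCONF 1.0 end-of-message framing the question asks about: the request is closed with `</rpc>` followed by `]]>]]>`, and the same marker is what a manager uses to split replies out of the incoming stream. The get-config body and the sample reply stream are constructed.

```python
"""NETCONF 1.0 end-of-message framing: every message, including the
<rpc> request, is terminated with "]]>]]>" (RFC 6242, section 4.3).

Added example, not from the exam or from Cisco documentation; the
request body and the sample reply stream are constructed."""
import re
from typing import List

EOM = "]]>]]>"


def frame_rpc(message_id: str, body: str) -> str:
    """Wrap an operation in <rpc> and append the end-of-message marker."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<rpc message-id="{message_id}" '
        'xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">\n'
        f"{body}\n"
        f"</rpc>{EOM}"
    )


def split_messages(stream: str) -> List[str]:
    """Split received data into complete messages. Trailing data with no
    delimiter is an incomplete message and is left for the caller to
    buffer rather than returned."""
    parts = stream.split(EOM)
    return [p.strip() for p in parts[:-1]]


def message_id_of(msg: str) -> str:
    """Extract the message-id so a reply can be matched to its request."""
    m = re.search(r'message-id="([^"]+)"', msg)
    return m.group(1) if m else ""


# Constructed request: a get-config of the running datastore.
REQUEST = frame_rpc(
    "101", "  <get-config><source><running/></source></get-config>")

# Constructed reply stream: one complete rpc-reply, then a partial one.
SAMPLE_STREAM = (
    '<?xml version="1.0"?><rpc-reply message-id="101" '
    'xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><ok/></rpc-reply>'
    + EOM +
    '<?xml version="1.0"?><rpc-reply message-id="102"'
)

if __name__ == "__main__":
    print(REQUEST)
    for reply in split_messages(SAMPLE_STREAM):
        print("complete reply with message-id", message_id_of(reply))
```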
Question 69
Which configuration enables a Cisco router to send information to a TACACS+ server for
individual EXEC commands associated with privilege level 15?
Answer: C
Explanation
Authorization–Provides fine-grained control over user capabilities for the duration of the user’s
session, including but not limited to setting autocommands, access control, session duration, or
protocol support. You can also enforce restrictions on what commands a user may execute with
the TACACS+ authorization feature.
Accounting–Collects and sends information used for billing, auditing, and reporting to the
TACACS+ daemon. Network managers can use the accounting facility to track user activity for a
security audit or to provide information for user billing. Accounting records include user
identities, start and stop times, executed commands (such as PPP), number of packets, and
number of bytes.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/
xe-16/sec-usr-tacacs-xe-16-book/sec-cfg-tacacs.html
Question 70
An engineer must configure the wireless endpoints to authenticate using Active Directory
credentials in an encrypted tunnel in addition to using a hashed password. Which action is
required?
Answer: C
Explanation
EAP-PEAP is a protocol that creates an encrypted (and more secure) channel before the
password-based authentication occurs. The PEAP authentication creates an encrypted SSL/TLS
tunnel between client and authentication server.
-> Therefore both PEAP and EAP-TLS can be used to create an encrypted tunnel so both of them
are correct.
Generic Token Card (GTC) enables the exchange of clear-text authentication credentials across
the network -> Answers with “GTC” are not correct.
Reference: https://www.arubanetworks.com/techdocs/ClearPass/6.9/PolicyManager/Content/
CPPM_UserGuide/Auth/AuthMethod_eap-gtc.htm
If you use EAP-MSCHAPv2, your clients do not need to have a certificate, but your
authentication server (NPS) has a certificate. Passwords from the clients are sent to the
authentication server as hashes.
You can use PEAP-EAP-MSCHAPv2, which uses a certificate on the authentication server
(NPS) and a password for clients (-> Therefore answer C is correct). You can use
PEAP-EAP-TLS, which uses a certificate on the authentication server and a certificate on the client.
Reference: https://social.technet.microsoft.com/Forums/Lync/en-US/7962d24d-7aa2-4413-
97da-4f03793f2405/very-confused-on-authenciation-concepts-eap-peap-eapmschapv2-?
forum=winserversecurity
Question 71
A. Interface FastEthernet 0/0 is configured in VRF CUST-A so the ARP entry is also in that VRF.
B. When VRFs are used, ARP protocol must be enabled in each VRF.
C. When VRFs are used, ARP protocol is disabled in the global routing table.
D. The ping command must be executed in the global routing table.
Answer: A
Question 72
A network engineer must configure the router to use the ISE-Servers group for authentication. If
both ISE servers are unavailable, the local username database must be used. If no usernames
are defined in the configuration, then the enable password must be used as the last resort to log in.
Which config must be applied to achieve this result?
Answer: B
Question 73
Which python snippet should be used to store the device data structure in a JSON file?
import json
Devices= {'Switches':[{'name': 'AccSW1',
'ip':'2001:db8:db8:db8::1'},
{'name': 'AccSW2',
'ip':'2001:db8:db8:db8::2'}],
'Routers': [{'name': 'CE1', 'ip':'2001:db8:db8:db8::1'},
{'name': 'CE2', 'ip':'2001:db8:db8:db8::2'}
]
}
B. OutFile = open("devices.json","w")
json.dump(Devices, OutFile)
OutFile.Close()
D. OutFile = open("devices.json","w")
OutFile.write(str(Devices))
OutFile.close()
Answer: D
Explanation
Only one answer has the “write” function to write to a file so it is the correct answer.
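An added example (not one of the exam options) that takes the Devices structure from the question, writes it once with `json.dump` and once with `write(str(Devices))`, and reports whether `json.load` can read each file back; the temporary file paths are created at run time.

```python
"""Round-trip the Devices structure through a file with json.dump and
with write(str(Devices)), then try to load each file with json.load.

Added example, not an exam option; it reuses the Devices structure from
the question and writes to temporary files created at run time."""
import json
import os
import tempfile

Devices = {
    'Switches': [{'name': 'AccSW1', 'ip': '2001:db8:db8:db8::1'},
                 {'name': 'AccSW2', 'ip': '2001:db8:db8:db8::2'}],
    'Routers': [{'name': 'CE1', 'ip': '2001:db8:db8:db8::1'},
                {'name': 'CE2', 'ip': '2001:db8:db8:db8::2'}],
}


def write_with_json_dump(path: str) -> None:
    """Serialise with the json module (double quotes, JSON literals)."""
    with open(path, "w") as out_file:
        json.dump(Devices, out_file, indent=2)


def write_with_str(path: str) -> None:
    """Write the Python repr of the dict (single quotes, Python literals)."""
    with open(path, "w") as out_file:
        out_file.write(str(Devices))


def round_trip(writer) -> bool:
    """Write with the given function, then report whether json.load reads
    the file back as a structure equal to the original."""
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        writer(path)
        with open(path) as in_file:
            return json.load(in_file) == Devices
    except json.JSONDecodeError:
        return False
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(round_trip(write_with_json_dump))  # True
    print(round_trip(write_with_str))        # False
```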
Question 74
Users cannot reach the webserver at 192.168.100.1. What is the root cause of the failure?
Answer: D
Question 75
Drag and drop the configs from the bottom onto the correct places.
Answer:
Question 76
Drag and drop the characteristics from the left onto the correct places on the right.
Answer:
TCAM table
+ used to build IP Routing tables
+ stores ACL, QOS and other upper layer information
Question 77
Drag and drop the characteristics from the left onto the correct places on the right.
Answer:
RLOC: IPv4 or IPv6 address of an egress tunnel router that is Internet facing or network core
facing
Map resolver: receives map-request messages from the ITR and searches for the appropriate ETR by
consulting the mapping database
ITR: encapsulates LISP packets coming from inside the LISP site to destinations outside the
site
Question 78
An engineer must design a wireless network to primarily support 5-GHz clients. The clients do
not support the UNII-2c portion of the 5-GHz band. Due to application bandwidth requirements,
the engineer uses 40-MHz channels. Which design consideration must be made in this scenario?
Answer: B
Explanation
5 GHz offers significantly more bandwidth than 2.4 GHz. All of the 5 GHz channels offered
support at least 20 MHz channel width without overlap.
When using 5 GHz, it is recommended to use at least 40 MHz channel width, as some client
devices may not prefer 5 GHz unless it offers a greater channel width than 2.4 GHz.
With 40 MHz channel width, the following channel pairs are bonded:
36 – 40
44 – 48
149 – 153
157 – 161
Note: There are 6 non-overlapping channels but 2 channels are reserved for DFS.
“However, due to the coexistence of both radar and Wi-Fi networks in the same area of
spectrum, the Wi-Fi standard (IEEE 802.11) was designed to incorporate a spectrum sharing
mechanism on 5GHz to ensure that Wi-Fi networks do not operate on frequencies (hence
causing interference) that are used by nearby radar stations. This mechanism is known as
Dynamic Frequency Selection (DFS) and is designed to mitigate interference to 5GHz radar by
WLANs.”
Question 79
A. The Router-ID for Router DAL is lower than the Router-ID for RouterCHI.
B. The route from RouterDAL has a lower MED.
C. BGP is not running on RouterCHI.
D. There is a static route in RouterSF for 10.0.0.0/24.
Answer: A
Explanation
From the output of “show bgp 10.0.0.0” command, we see that two paths have the same
localpref 100, same AS path length, same Origin IGP. We don’t have information about the
Weight so we can guess the Router ID is used to choose the BGP best path.
Note: BGP Path Selection Attributes: (highest) Weight > (highest) Local Preference > Originate
> (shortest) AS Path > Origin > (lowest) MED > External > IGP Cost > eBGP Peering > (lowest)
Router ID
Question 80
A. It is installed on an operating system and supports other operating systems above it.
B. It is completely independent of the operating system.
C. Problems in the base operating system can affect the entire system.
D. It is referred to as a hosted hypervisor.
Answer: B
Question 81
An engineer must configure an eBGP neighborship to Router B on Router A. The network that is
connected to G0/1 on Router A must be advertised to Router B. Which configuration should be
applied?
Answer: D
Question 82
An engineer configures the trunk and proceeds to configure an ESPAN session to monitor VLANs
10, 20, and 30. Which command must be added to complete this configuration?
Answer: D
Explanation
The command “filter vlan 30” limits to monitor only VLAN 30 so we will not see any traffic for
VLAN 10 and 20. Therefore we must remove this command.
Question 83
Answer: A
Explanation
We need to write the Response in the for loop because the Response would change for every
element of the loop. “Insert after the for loop” in Python means the for loop ends before our
code is executed.
Question 84
Answer: A
Explanation
When we use the “copy” command, the device prompts for several parameters even though we
provided them in the command. For example:
Therefore we can disable these prompts with the file prompt quiet configuration
command. This command is entered in global configuration mode:
Question 85
Answer: D
Question 86
Answer: C
Question 87
Answer: A
Explanation
Each VM is provided with a virtual NIC (vNIC) that is connected to the virtual switch. Multiple
vNICs can connect to a single vSwitch, allowing VMs on a physical host to communicate with one
another at layer 2 without having to go out to a physical switch.
Although a vSwitch does not run Spanning Tree Protocol, it implements other loop
prevention mechanisms. For example, a frame that enters from one VMNIC is not going to go
out of the physical host from a different VMNIC.
Question 88
A network engineer must be notified when a user switches to configuration mode. Which script
should be applied to receive an SNMP trap and a critical-level log message?
Answer: D
Explanation
We need to create a critical-level log, so our action must include “priority critical”. Also we need to
define two different actions (1.0 and 1.1).
Question 89
Drag and drop the characteristics from the left onto the deployment types on the right.
Answer:
On-Premises
+ It is responsible for hardware maintenance
+ Scalability requires time and effort
Cloud-Based
+ It provides on-demand scalability
+ Maintenance is handled by a third party
Question 90
Which option works with a DHCP server to return at least one WLAN management interface IP
address during the discovery phase and is dependent upon the VCI of the AP?
A. Option 43
B. Option 42
C. Option 125
D. Option 15
Answer: A
Explanation
The DHCP client sends option code 60 in a DHCPREQUEST to the DHCP server. When the server
receives option 60, it sees the VCI, finds the matching VCI in its own table, and then it returns
option 43 with the value (that corresponds to the VCI), thereby relaying vendor-specific
information to the correct client. Both the client and server have knowledge of the VCI.
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/dhcp/
dhcp-options/dhcp-options-43-55-and-60-and-other-customized-options
The AP boots up, performs POST, and then sends a DHCP request. The switch should send out a
DHCP offer, an IP address to use, a default gateway to use, and also the option 43 TLV . The TLV
should contain the IP address of the WLC, with which the AP needs to be associated.
Reference: https://supportportal.juniper.net/s/article/EX-How-to-associate-the-Cisco-AP-with-
WLC-via-DHCP-Option-43?language=en_US
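An added example (not from the exam or from the references above) of the option 60 to option 43 exchange described here: the server looks up the VCI the AP sent and returns the vendor-specific TLV. It assumes the Cisco lightweight AP format for option 43 (sub-option type 0xf1, length 4 × N, then N IPv4 controller addresses); the VCI strings and controller addresses are constructed sample values.

```python
"""DHCP option 60 (vendor class identifier) selects the vendor-specific
option 43 payload. For Cisco lightweight APs the option 43 value is a
TLV: sub-option type 0xf1, length 4 * N, then N IPv4 WLC addresses.

Added example, not from the exam or from Cisco; the VCI strings and the
controller addresses below are constructed sample values."""
import ipaddress
import struct
from typing import Dict, List

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type used by Cisco Aironet APs

# Constructed server-side table: VCI -> list of WLC management IPs.
VCI_TABLE: Dict[str, List[str]] = {
    "Cisco AP c3700": ["10.10.10.5", "10.10.10.6"],
    "Cisco AP c2800": ["10.20.20.5"],
}


def encode_option43(wlc_ips: List[str]) -> bytes:
    """Build the option 43 TLV for the given controller addresses."""
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if not addrs or len(addrs) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return struct.pack("BB", CISCO_WLC_SUBOPTION, len(addrs)) + addrs


def decode_option43(payload: bytes) -> List[str]:
    """Parse the TLV back into dotted-quad addresses; reject malformed
    lengths instead of silently reading past the buffer."""
    if len(payload) < 2 or payload[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option")
    length = payload[1]
    value = payload[2:2 + length]
    if len(value) != length or length % 4 != 0:
        raise ValueError("malformed sub-option length")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


def option43_for_vci(vci: str) -> bytes:
    """Server side: look up the VCI received in option 60 and return the
    matching option 43 bytes, or empty bytes for an unknown VCI."""
    ips = VCI_TABLE.get(vci)
    return encode_option43(ips) if ips else b""


if __name__ == "__main__":
    tlv = option43_for_vci("Cisco AP c3700")
    print(tlv.hex())             # f1080a0a0a050a0a0a06
    print(decode_option43(tlv))  # ['10.10.10.5', '10.10.10.6']
```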
Question 91
A.
R1#username admin privilege 15
aaa authorization exec default local
netconf-yang
B.
R1# netconf-yang
username admin privilege 15 secret cisco123
aaa new-model
aaa authorization exec default local
C.
R1# aaa new-model
aaa authorization exec default local
enable aaa admin privilege 15
D.
R1# username admin privilege 15
aaa authorization exec default local
Answer: B
Explanation
In the exhibit above, we are trying to SSH to R1 over NETCONF. In order to use NETCONF we
have to use the “netconf-yang” command. Also from the exhibit we learn that the
username/password should be admin/cisco123.
Note: The above output is the hello message that includes all of R1’s capabilities.
Question 92
Which component transports data plane traffic across a Cisco SD-WAN network?
A. vSmart
B. vManage
C. cEdge
D. vBond
Answer: C
Question 93
Which type of tunnel is required between two WLCs to enable intercontroller roaming?
A. mobility
B. LWAPP
C. iPsec
D. CAPWAP
Answer: A
Explanation
There are two types of intercontroller roaming: Intercontroller Layer 2 Roaming and
Intercontroller Layer 3 Roaming. The first one does not require a tunnel between the two WLCs.
The second one requires a mobility tunnel:
Question 94
Answer: C
Explanation
In this question an attacker advertises fake OSPF routes, so it must establish an OSPF neighbor
relationship with R2. Therefore we can prevent this relationship by configuring a passive interface
on e0/1 of R2.
Question 95
An engineer has configured an IP SLA for UDP echoes. Which command is needed to start the IP
SLA to test every 30 seconds and continue until stopped?
Answer: D
Question 96
Which two characteristics apply to the endpoint security aspect of the Cisco Threat Defense
architecture? (Choose two)
Answer: A D
Explanation
The goal of the Cyber Threat Defense solution is to introduce a design and architecture that can
help facilitate the discovery, containment, and remediation of threats once they have penetrated
into the network interior.
Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its
objectives:
..
Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd2-0/
design_guides/ctd_2-0_cvd_guide_jul15.pdf
Question 97
Answer: B
Explanation
Policing: is used to control the rate of traffic flowing across an interface. When traffic exceeds
the configured maximum rate, the excess traffic is generally dropped or
remarked. The result of traffic policing is an output rate that appears as a saw-tooth with crests
and troughs. Traffic policing can be applied to inbound and outbound interfaces. Unlike traffic
shaping, QoS policing avoids delays due to queuing. Policing is configured in bytes.
Question 98
Answer: A
Question 99
Answer: D
Explanation
Reference: https://developer.cisco.com/codeexchange/github/repo/ncclient/ncclient/
Question 100
A. VTEP
B. GRE
C. EVPN
D. VNI
Answer: A
Explanation
VTEPs connect the Overlay and Underlay networks and are responsible for
encapsulating frames into VXLAN packets to send across the IP network (Underlay) and
decapsulating them when the packets leave the VXLAN tunnel.
Question 101
A Cisco DNA Center REST API sends a PUT to the /dna/intent/api/v1/network-device endpoint. A
response code of 504 is received. What does the code indicate?
Answer: A
Explanation
This error response (504) is given when the server is acting as a gateway and cannot get a
response in time.
Question 102
A. interface gig0/0
ip address 10.10.110.1 255.255.255.0
ip nat inside
interface gig0/1
ip address 172.16.1.1 255.255.255.252
ip nat outside
B. interface gig0/0
ip address 10.10.110.1 255.255.255.0
ip nat outside
interface gig0/1
ip address 172.16.1.1 255.255.255.252
ip nat inside
Answer: A C
Explanation
In this question, when someone tries to access the IP 10.10.110.10, the IP
addresses from 10.0.0.2 to 10.0.0.9 will be handed out in a rotary fashion. This performs a basic
form of load balancing. In order to do this, we need “type rotary” in the “ip nat pool …”
statement -> Answer C is correct.
Also the Gi0/0 interface must be the NAT inside interface -> Answer A is correct.
Question 103
A large campus network has deployed two wireless LAN controllers to manage the wireless
network. WLC1 and WLC2 have been configured as mobility peers. A client device roams from
AP1 on WLC1 to AP2 on WLC2, but the controller’s client interfaces are on different VLANs. How
do the wireless LAN controllers handle the inter-subnet roaming?
A. WLC2 marks the client with a foreign entry in its own database. The database entry is copied
to the new controller and marked with an anchor entry on WLC1
B. WLC2 marks the client with an anchor entry in its own database. The database entry is copied
to the new controller and marked with a foreign entry on WLC1
C. WLC1 marks the client with a foreign entry in its own database. The database entry is copied
to the new controller and marked with an anchor entry on WLC2
D. WLC1 marks the client with an anchor entry in its own database. The database entry is copied
to the new controller and marked with a foreign entry on WLC2
Answer: D
Explanation
In instances where the client roams between APs that are connected to different WLCs and the
WLC WLAN is connected to a different subnet, a Layer 3 roam is performed, and there is an
update between the new WLC (foreign WLC) and the old WLC (anchor WLC) mobility databases.
If this is the case, return traffic to the client still goes through its originating anchor WLC. The
anchor WLC uses Ethernet over IP (EoIP) to forward the client traffic to the foreign WLC, to
where the client has roamed. Traffic from the roaming client is forwarded out the foreign WLC
interface on which it resides; it is not tunneled back.
The client begins with a connection to AP B on WLC 1. This creates an ANCHOR entry in the
WLC client database. As the client moves away from AP B and makes an association with AP C,
WLC 2 sends a mobility announcement to peers in the mobility group looking for the WLC with
the client MAC address. WLC 1 responds to the announcement, handshakes, and ACKs. Next the
client database entry for the roaming client is copied to WLC 2, and marked as FOREIGN.
Included PMK data (master key data from the RADIUS server) is also copied to WLC 2. This
provides fast roam times for WPA2/802.11i clients because there is no need to re-authenticate
to the RADIUS server.
After a simple key exchange between the client and AP, the client is added to the WLC 2
database and is similar, except that it is marked as FOREIGN.
Reference: https://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/
TechArch.html
Question 104
Answer: A
Explanation
As we can see there is the line “type generic, total addresses 2, allocated 2(100%), missed 7”.
This means all the IP addresses for NAT have been allocated and 7 requests were missed. It
means this is NAT 1:1, not PAT, so answer A is correct.
Answer D is not correct as the NAT ACL covers the internal host 10.0.3.1 but it still failed to
allocate an address, so we cannot say the ACL does not match all internal hosts.
Question 105
Answer: A
Question 106
Which configuration creates a CoPP policy that provides unlimited SSH access from client
10.0.0.5 and denies access from all other SSH clients?
(Exhibit: configurations for Option A, Option B, Option C and Option D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
Explanation
A strange thing here is that we have to “deny” source 10.0.0.5 in the ACL so that it is excluded from
the class used in “policy-map CoPP”. It will then be matched by “class-default”, which is implicitly
present at the end of the policy-map. This default class matches all remaining traffic and allows it by default.
Question 107
Which Python code parses the response and prints “18:32:21.474 UTC sun Mar 10 2019”?
A. print(response['result'][0]['simple_time'])
B. print(response[result']['body']['simple_time'])
C. print(response['body']['simple_time'])
D. print(response['result']['body']['simple_time'])
Answer: D
Explanation
When we executed it, we simply received the system version. So we should use the same syntax
to get the simple time.
Question 108
The Gig0/0 interface of two routers is directly connected with a 1G Ethernet link. Which
configuration must be applied to the interface of both routers to establish an OSPF adjacency
without maintaining a DR/BDR relationship?
A. interface Gig0/0
ip ospf network point-to-multipoint
B. interface Gig0/0
ip ospf network non-broadcast
C. interface Gig0/0
ip ospf network broadcast
D. interface Gig0/0
ip ospf network point-to-point
Answer: D
Question 109
The port channel between the switches does not work as expected. Which action resolves the
issue?
Answer: C
Explanation
This is because one side is mode “On” while the other side is mode “active”.
Question 110
A. 04.16.19.09.4c.0e
B. 00:05:5e:19:0c:14
C. 00:05:0c:07:ac:14
D. 00:00:0c:07:ac:0e
Answer: D