350-701 January 2023 Updates


Question 1

What is the function of northbound API?

A. It upgrades software and restores files.
B. It relies on global provisioning and configuration.
C. It supports distributed processing for configuration.
D. It provides a path between an SDN controller and network applications.

Answer: D

Explanation

Network administrators and SDN applications, in turn, want to control the controller, so the
controller needs a northbound interface (NBI) through which they can communicate with it. NBI
applications include various network services, such as network virtualization, dynamic virtual
network provisioning, firewall monitoring, user identity management and access policy control.

Question 2

Drag and drop the wireless architecture benefits from the left onto the architecture types on the
right.

Answer:

Split-MAC:
+ Work is divided between the access point and the controller
+ The access points transmit beacon frames
+ Uses the CAPWAP tunneling protocol

Autonomous:
+ Appropriate for a small-business environment
+ Supports per device configuration and management

Explanation

An autonomous AP is a self-contained device with both wired and wireless hardware, so that it
can bridge wireless clients that belong to its SSIDs onto the wired VLAN infrastructure. Each
autonomous AP must be configured with a management IP address so that it can be remotely
accessed using Telnet, SSH, or a web interface. Each AP must be individually managed and
maintained unless you use a management platform such as Cisco DNA Center.

The division of labor between the WLC and LAPs is known as split-MAC architecture. The LAP
must interact with wireless clients on some low level, known as the Media Access Control (MAC)
layer. These functions must stay with the LAP hardware, closest to the clients. The management
functions are not integral to handling frames but are things that should be centrally administered.
Therefore, those functions can be moved to a centrally located platform away from the AP.

Reference: https://www.ciscopress.com/articles/article.asp?p=2999384&seqNum=5

Question 3

Drag and drop the Ansible terms from the left onto the right.

Answer:

+ collection of actions to perform on target devices, expressed in YAML format: playbook
+ device with Ansible installed that manages target devices: control node
+ network device, without Ansible installed, upon which commands can be executed: managed node
+ specific action to be performed on one or more target devices: module
+ unit of Python code to be executed: task
+ Ansible file that defines the target devices upon which commands and tasks can be executed: inventory

Explanation

Once Ansible is installed, it creates several text files:

+ Playbooks: These files provide actions and logic about what Ansible should do. Ansible
playbooks are files that contain tasks to configure hosts. Ansible playbooks are written in YAML
format.
+ Inventory: a file that contains a list of the hosts (usually their IP addresses and ports) which you
want to configure or manage. Hosts in an inventory can be divided into smaller groups for easier
management and configuration. Each group can run different tasks. An example of a task is to
ping all hosts in group [routers].

Modules (also referred to as “task plugins” or “library plugins”) are discrete units of code that can
be used from the command line or in a playbook task. Ansible executes each module, usually on
the remote managed node, and collects return values.

The control node is a computer that runs Ansible. A managed node is any device being managed
by the control node.
Reference: https://opensource.com/resources/what-ansible

Question 4

What is a purpose of traffic shaping?

A. It enables dynamic flow identification.
B. It enables policy-based routing.
C. It provides best-effort service.
D. It limits bandwidth usage.

Answer: D

Explanation

+ Shaping: retains excess packets in a queue and then schedules the excess for later
transmission over increments of time. When traffic reaches the maximum configured rate,
additional packets are queued instead of being dropped, and are sent later. Traffic shaping is
applicable only on outbound interfaces, because buffering and queuing happen only on outbound
interfaces. Shaping is configured in bits per second.

Best Effort Service means a service on a shared network in which the network does not provide
any guarantee that data is delivered or that delivery meets any quality of service; the services
obtain an unspecified variable bit rate, latency and packet loss, depending on the current
traffic load -> Traffic shaping does not drop packets, so it does not offer best-effort service ->
Answer C is not correct.

The primary reasons you would use traffic shaping are to control access to available
bandwidth, to ensure that traffic conforms to the policies established for it, and to regulate the
flow of traffic in order to avoid congestion that can occur when the sent traffic exceeds the access
speed of its remote, target interface -> Answer D is correct.

Question 5

Drag and drop the characteristics of device-management technologies from the left onto the
corresponding deployment types on the right.

Answer:

Cisco DNA Center
+ orchestrates background device configuration
+ supports centralized software management
+ supports open APIs

Traditional
+ relies on per-device management
+ provides greater flexibility for custom and non-standard configurations
+ uses individual software management

Question 6

Which type of port is used to connect to the wired network when an autonomous AP maps two
VLANs to its WLANs?

A. LAG
B. EtherChannel
C. trunk
D. access

Answer: C

Explanation

In this example, we will configure the switch in our autonomous AP deployment. First, we need to
create VLAN 21, which is assigned to Corporate users, and VLAN 22, which is assigned to Guest
users. Then we will configure the trunk interface between the AP and the switch to allow multiple
VLANs to traverse the link.

Reference: https://study-ccna.com/autonomous-ap-access-point-configuration/

Question 7

Refer to the exhibit.


R1#show ip ospf interface g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet address is 192.168.1.2/24, Area 0
Process ID 1, Router ID 192.168.1.2, Network Type POINT-TO-POINT, Cost: 1
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 15, Dead 20, Wait 20, Retransmit 5
Hello due in 00:00:08
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Suppress hello for 0 neighbor(s)

R2#show ip ospf interface g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet address is 192.168.1.1/24, Area 0
Process ID 1, Router ID 10.1.1.1, Network Type POINT-TO-POINT, Cost: 1
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:11
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Suppress hello for 0 neighbor(s)

The network engineer is configuring router R2 as a replacement router on the network. After the
initial configuration is applied it is determined that R2 failed to show R1 as a neighbor. Which
configuration must be applied to R2 to complete the OSPF configuration and enable it to establish
the neighbor relationship with R1?

Option A
R2(config)#interface g0/0/0
R2(config-if)#ip ospf hello-interval 15
R2(config-if)#ip ospf dead-interval 20

Option B
R2(config)#router ospf 1
R2(config-router)#router-id 192.168.1.2

Option C
R2(config)#router ospf 1
R2(config-router)#network 192.168.1.0 255.255.255.0 area 2
R2(config-router)#network 10.1.1.0 255.255.255.255 area 2

Option D
R2(config)#interface g0/0/0
R2(config-if)#ip ospf dead-interval 20

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

In order to become OSPF neighbors, the following values must match on both routers:
+ Area ID
+ Authentication
+ Hello and Dead Intervals
+ Stub area Flag
+ MTU Size
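As an added example (not code from the original page), the following Python script parses the two show outputs in the exhibit, reports the must-match parameters that differ, and emits the timer commands that Option A applies; the sample outputs are constructed excerpts of the exhibit.

```python
import ipaddress
import re

# Constructed excerpts of the two "show ip ospf interface g0/0/0" outputs in
# the exhibit (only the lines the check needs are reproduced).
R1_OUTPUT = """\
GigabitEthernet0/0/0 is up, line protocol is up
Internet address is 192.168.1.2/24, Area 0
Process ID 1, Router ID 192.168.1.2, Network Type POINT-TO-POINT, Cost: 1
Timer intervals configured, Hello 15, Dead 20, Wait 20, Retransmit 5
"""
R2_OUTPUT = """\
GigabitEthernet0/0/0 is up, line protocol is up
Internet address is 192.168.1.1/24, Area 0
Process ID 1, Router ID 10.1.1.1, Network Type POINT-TO-POINT, Cost: 1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""


def parse_ospf_interface(text):
    """Extract the per-interface OSPF parameters that must agree between
    neighbors: IP subnet, area, network type and the hello/dead timers."""
    fields = {}
    m = re.search(r"Internet address is (\S+), Area (\S+)", text)
    fields["subnet"] = str(ipaddress.ip_interface(m.group(1)).network)
    fields["area"] = m.group(2)
    m = re.search(r"Network Type (\S+),", text)
    fields["network_type"] = m.group(1)
    m = re.search(r"Hello (\d+), Dead (\d+)", text)
    fields["hello"] = int(m.group(1))
    fields["dead"] = int(m.group(2))
    return fields


def find_mismatches(local, remote):
    """Return {parameter: (local, remote)} for every value that differs."""
    return {k: (local[k], remote[k]) for k in local if local[k] != remote[k]}


def remediation_commands(reference, interface):
    """IOS commands that align an interface's hello/dead timers with the
    reference router's values (the fix chosen by Option A)."""
    return [
        f"interface {interface}",
        f"ip ospf hello-interval {reference['hello']}",
        f"ip ospf dead-interval {reference['dead']}",
    ]


if __name__ == "__main__":
    r1 = parse_ospf_interface(R1_OUTPUT)
    r2 = parse_ospf_interface(R2_OUTPUT)
    for name, (on_r2, on_r1) in find_mismatches(r2, r1).items():
        print(f"{name}: R2={on_r2} R1={on_r1}")
    print("\n".join(remediation_commands(r1, "g0/0/0")))
```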

Question 8

What is a characteristic of a collapsed-core network topology?

A. It allows the core and distribution layers to run as a single combined layer.
B. It enables the core and access layers to connect to one logical distribution device over an
EtherChannel.
C. It enables all workstations in a SOHO environment to connect on a single switch with internet
access.
D. It allows wireless devices to connect directly to the core layer, which enables faster data
transmission.

Answer: A

Explanation

The three-tier hierarchical design maximizes performance, network availability, and the ability to
scale the network design. Most small enterprise campuses do not grow significantly larger over time,
and most are small enough to be well served by a two-tier hierarchical design, where the core and
distribution layers are collapsed into one layer. The primary motivation for the collapsed core
design is reducing network cost, while maintaining most of the benefits of the three-tier
hierarchical model.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Small_Enterprise_Design_
Profile/SEDP/chap2.html

Question 9

What is the purpose of configuring different levels of syslog for different devices on the network?

A. to rate-limit messages for different severity levels from each device
B. to set the severity of syslog messages from each device
C. to identify the source from which each syslog message originated
D. to control the number of syslog messages from different devices that are stored locally

Answer: A

Question 10

Which interface enables communication between a program on the controller and a program on
the networking devices?

A. northbound interface
B. software virtual interface
C. southbound interface
D. tunnel interface

Answer: C

Explanation

We use the southbound API to communicate between the controllers and the network elements.

Question 11

Drag and drop the REST API call method for HTTP from the left onto the action they perform on
the right.

Answer:

+ creates a resource on the server: POST
+ reads data from the server: GET
+ removes a resource from the server: DELETE
+ updates an entry in the database: PUT

Explanation

GET: retrieve data
POST: create data
PUT: fully update (i.e. replace) an existing record
PATCH: update part of an existing record
DELETE: delete records

PUT is similar to POST in that it can create resources, but it does so at a defined URL:
PUT replaces the entire resource if it exists, or creates a new one if it does not.

Unlike a PUT request, PATCH performs a partial update: only the fields the client sends are
updated, and the other fields are left unchanged.

Question 12

What is the primary purpose of private address space?


A. conserve globally unique address space
B. simplify the addressing in the network
C. limit the number of nodes reachable via the Internet
D. reduce network complexity

Answer: A

Question 13

What is a reason to configure a trunk port that connects to a WLC distribution port?

A. Eliminate redundancy with a link failure in the data path.
B. Allow multiple VLAN to be used in the data path.
C. Provide redundancy if there is a link failure for out-of-band management.
D. Permit multiple VLANs to provide out-of-band management.

Answer: B

Question 14

Refer to the exhibit.

Traffic from R1 to the 10.10.2.0/24 subnet uses 192.168.1.2 as its next hop. A network engineer
wants to update the R1 configuration so that traffic with destination 10.10.2.1 passes through
router R3, and all other traffic to the 10.10.2.0/24 subnet passes through R2. Which command
must be used?

A. ip route 10.10.2.1 255.255.255.255 192.168.1.4 115
B. ip route 10.10.2.0 255.255.255.0 192.168.1.4 100
C. ip route 10.10.2.0 255.255.255.0 192.168.1.4 115
D. ip route 10.10.2.1 255.255.255.255 192.168.1.4 100

Answer: D

Question 15
Which cipher is supported for wireless encryption only with the WPA2 standard?

A. AES256
B. AES
C. RC4
D. SHA

Answer: B

Explanation

Unlike WEP and WPA, WPA2 uses the AES standard instead of the Rivest Cipher 4 (RC4) stream
cipher.

WPA3-Enterprise mode uses AES-256 in GCM mode.

SHA stands for Secure Hash Algorithm, while AES stands for Advanced Encryption Standard. SHA
is a suite of hashing algorithms; it is not a cipher used to encrypt data.

Question 16

Refer to the exhibit.

Entry #
1 192.168.10.0 255.255.254.0
2 192.168.10.0 255.255.255.192
3 192.168.10.0 255.255.0.0
4 192.168.10.0 255.255.224.0

Which entry is the longest prefix match for host IP address 192.168.10.5?

A. 1
B. 2
C. 3
D. 4

Answer: B

Question 17

Which two features introduced in SNMPv2 provide the ability to retrieve large amounts of data in
one request? (Choose two)

A. Get
B. GetNext
C. Set
D. GetBulk
E. Inform

Answer: D E

Explanation

Two additional messages were added in SNMPv2 (compared to SNMPv1):

GetBulkRequest: The GetBulkRequest message enables an SNMP manager to access large chunks
of data. GetBulkRequest allows an agent to respond with as much information as will fit in the
response PDU. Agents that cannot provide values for all variables in a list will send partial
information.

InformRequest: The InformRequest message allows NMS stations to share trap information.
(Traps are issued by SNMP agents when a device change occurs.) InformRequest messages are
generally used between NMS stations, not between NMS stations and agents.

Question 18

Refer to the exhibit.

router# show ip route
...
D 172.18.32.0/26 [90/25789217] via 10.1.1.1
R 172.18.32.0/24 [120/4] via 10.1.1.2
O 172.18.32.0/19 [110/229840] via 10.1.1.3
C 172.18.32.32/32 is directly connected, Loopback0
C 172.18.32.36/30 is directly connected, GigabitEthernet0/0
L 172.18.32.37/32 is directly connected, GigabitEthernet0/0

A packet sourced from 172.18.33.2 is destined for 172.18.32.38. Where does the router forward
the packet?

A. GigabitEthernet0/0
B. Loopback0
C. 10.1.1.1
D. 10.1.1.3

Answer: A

Explanation

The best entry for destination 172.18.32.38 is “C 172.18.32.36/30 …, GigabitEthernet0/0”, so the
router will forward the packet out of the Gi0/0 interface.
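As an added example (not code from the original page), the following Python script applies longest-prefix matching to both the routing table of Question 18 and the network/mask entries of Question 16; the route lines and entries are constructed from those exhibits, and the AD tie-break for equal-length prefixes goes beyond what the two questions exercise.

```python
import ipaddress
import re

# Constructed from the 'show ip route' exhibit of Question 18.
SHOW_IP_ROUTE = """\
D 172.18.32.0/26 [90/25789217] via 10.1.1.1
R 172.18.32.0/24 [120/4] via 10.1.1.2
O 172.18.32.0/19 [110/229840] via 10.1.1.3
C 172.18.32.32/32 is directly connected, Loopback0
C 172.18.32.36/30 is directly connected, GigabitEthernet0/0
L 172.18.32.37/32 is directly connected, GigabitEthernet0/0
"""

# Constructed from the table of Question 16 (network and dotted mask).
CANDIDATE_ENTRIES = {
    1: ("192.168.10.0", "255.255.254.0"),
    2: ("192.168.10.0", "255.255.255.192"),
    3: ("192.168.10.0", "255.255.0.0"),
    4: ("192.168.10.0", "255.255.224.0"),
}

# One IOS route line: code, prefix, then either "[AD/metric] via next-hop"
# or "(is) directly connected, interface".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]\S*)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\S+)"
    r"|\s+(?:is\s+)?directly connected,\s+(?P<intf>\S+))"
)


def parse_routes(text):
    """Turn 'show ip route' lines into dicts; lines that do not look like a
    route (e.g. the '...' marker) are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(m["prefix"], strict=False),
            "ad": int(m["ad"]) if m["ad"] else 0,   # connected/local: AD 0
            "next_hop": m["via"] or m["intf"],
        })
    return routes


def longest_prefix_match(routes, destination):
    """Select the forwarding entry: longest prefix first, then lowest AD
    among equal-length prefixes. Returns None when nothing matches."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["ad"]))


def best_entry(entries, host):
    """Question 16 form: pick the entry number whose network/mask covers
    `host` with the longest mask."""
    addr = ipaddress.ip_address(host)
    best = None
    for num, (net, mask) in entries.items():
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in network and (best is None or network.prefixlen > best[1]):
            best = (num, network.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    for dst in ("172.18.32.38", "172.18.32.50", "172.18.40.1"):
        r = longest_prefix_match(table, dst)
        print(dst, "->", r["network"], "via", r["next_hop"])
    print("192.168.10.5 -> entry", best_entry(CANDIDATE_ENTRIES, "192.168.10.5"))
```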

Question 19

Refer to the exhibit.

The Router1 routing table has multiple methods to reach 10.10.10.0/24 as shown. The default
Administrative Distance is used. Drag and drop the network conditions from the left onto the
routing methods that Router1 uses on the right.

Answer:

eBGP:
+ The static route and EIGRP are down
+ The static route and OSPF are down

EIGRP:
+ The static route and eBGP are down

Static:
+ All protocols are up
+ OSPF and eBGP are down

Explanation

The Administrative Distance (AD) of popular routing protocols is shown below. You should learn
them by heart:

Note: The AD of eBGP is 20 and iBGP is 200.

The smaller the AD is, the better it is. The router will choose the routing protocol with smallest AD.

In this case the router will choose in this order: Static (1) -> eBGP (20) -> EIGRP (90) -> OSPF
(110) -> iBGP (200).

Question 20

Refer to the exhibit.


A newly configured PC fails to connect to the internet using TCP port 80 to www.cisco.com. Which
setting must be modified for the connection to work?

A. Subnet Mask
B. DNS Servers
C. Default Gateway
D. DHCP Server

Answer: A

Explanation

We see this PC has been assigned an IP address 10.2.2.2, Default Gateway 10.2.2.1, DNS Server
8.8.8.8 but its subnet mask is 255.255.255.192 (or /26) which is different from the subnet mask
of its default gateway so this is the issue.

Question 21

What does a switch do when it receives a frame whose destination MAC address is missing from
the MAC address table?

A. It floods the frame unchanged across all remaining ports in the incoming VLAN.
B. It appends the table with a static entry for the MAC and shuts down the port.
C. It updates the CAM table with the destination MAC address of the frame.
D. It changes the checksum of the frame to a value that indicates an invalid frame.

Answer: A

Question 22

Which enhancement is implemented in WPA3?

A. applies 802.1x authentication
B. uses TKIP
C. employs PKI to identify access points
D. protects against brute force attacks

Answer: D

Explanation

Another security enhancement that has been made in WPA3 reduces the potential for password cracking
attacks such as the WPA2 KRACK attack. WPA2 is vulnerable to brute force and dictionary-based
attacks. That is because security relies on the AP provider setting a secure password, and many
establishments don’t. With WPA3, the Pre-Shared Key (PSK) exchange protocol is replaced with
Simultaneous Authentication of Equals (SAE), or the Dragonfly key exchange, which improves the
security of the initial key exchange and offers better protection against offline dictionary-based
attacks.

Reference: https://www.webtitan.com/blog/wpa3-wifi-security-enhancements-will-not-block-all-
threats/

Question 23

Which type of address is shared by routers in a HSRP implementation and used by hosts on the
subnet as their default gateway address?

A. multicast address
B. loopback IP address
C. virtual IP address
D. broadcast address

Answer: C

Question 24

What are two reasons a switch experiences frame flooding? (Choose two)

A. A defective patch cable is connected to the switch port
B. Topology changes are occurring within spanning-tree
C. An aged MAC table entry is causing excessive updates
D. Port-security is configured globally
E. The forwarding table has overflowed

Answer: B E

Explanation

However, other events in the network might cause the switch MAC address table to be flushed
more frequently than the configured aging time. One such event is due to spanning-tree topology
changes in the network.

Topology changes reduce the MAC address table aging time from the default time of 300 seconds
to 15 seconds in the case of 802.1D Spanning Tree Protocol (STP) to freshen stale MAC address
table entries -> Answer B is correct.

If the Layer 2 forwarding table (the MAC address table) is full and cannot store any more MAC
addresses, the switch enters a fail-open mode and starts behaving like a network hub. Frames are
flooded to all ports, similar to broadcast communication. The MAC flooding attack uses this
behaviour of the switch to steal information -> Answer E is correct.

Question 25

Why is TCP desired over UDP for applications that require extensive error checking, such as HTTPS?

A. UDP operates without acknowledgments, and TCP sends an acknowledgment for every packet
received.
B. UDP reliably guarantees delivery of all packets, and TCP drops packets under heavy load.
C. UDP uses flow control mechanisms for the delivery of packets, and TCP uses congestion control
for efficient packet delivery.
D. UDP uses sequencing data for packets to arrive in order, and TCP offers the capability to receive
packets in random order.

Answer: A

Explanation

Note: The flow control mechanism tells the sender the maximum speed at which the data can be
sent to the receiver device. One of the popular flow control mechanisms in TCP is the sliding
window protocol -> Answer C is not correct.

Reference: https://www.baeldung.com/cs/tcp-flow-control-vs-congestion-control

Question 26

To improve corporate security, an organization is planning to implement badge authentication to
limit access to the data center. Which element of a security program is being deployed?

A. user training
B. user awareness
C. vulnerability verification
D. physical access control

Answer: D

Explanation

Physical access control: Infrastructure locations, such as network closets and data centers, should
remain securely locked. Badge access to sensitive locations is a scalable solution, offering an audit
trail of identities and timestamps when access is granted. Administrators can control access on a
granular basis and quickly remove access when an employee is dismissed.

Question 27

Drag and drop the statement about AAA services from the left to the corresponding AAA services
on the right.

Answer:

Accounting
+ It records the duration of each connection
+ It supports User Access Reporting

Authorization
+ It restricts the CLI commands that a user is able to perform
+ It performs user validation via TACACS+

Question 28

The address block 192.168.32.0/24 must be subnetted into smaller networks. The engineer must
meet these requirements:
* Create 8 new subnets
* Each subnet must accommodate 30 hosts
* Interface VLAN 10 must use the last usable IP in the first new subnet
* A Layer 3 interface is used

Which configuration must be applied to the interface?

A. no switchport mode access
ip address 192.168.32.62 255.255.255.240

B. switchport
ip address 192.168.32.65 255.255.255.240

C. no switchport mode trunk
ip address 192.168.32.97 255.255.255.224

D. no switchport
ip address 192.168.32.30 255.255.255.224

Answer: D

Explanation

8 new subnets -> 8 = 2^3. Therefore the subnet mask is 255.255.255.224 (224 in decimal = 1110
0000 in binary) and each new subnet consists of 2^5 – 2 = 30 hosts.

“Interface VLAN 10 must use the last usable IP in the first new subnet” -> The first new subnet is
192.168.32.0/27 (increment: 32), so it ranges from 192.168.32.0 to 192.168.32.31, and the last
usable IP is 192.168.32.30. Therefore we must assign IP address 192.168.32.30/27 to interface
VLAN 10.
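As an added example (not code from the original page), the following Python script carries out the subnetting calculation above with the standard library: it derives the prefix length from the number of subnets required, verifies that each subnet still offers the required number of hosts, and produces the address line for the last usable host of the first subnet. The function and parameter names are this example's own.

```python
import ipaddress
import math


def subnet_plan(block, subnets_needed, hosts_per_subnet):
    """Split `block` into at least `subnets_needed` equal subnets and verify
    that each still offers `hosts_per_subnet` usable host addresses."""
    network = ipaddress.ip_network(block)
    # Subnet bits to borrow: smallest n with 2**n >= subnets_needed
    # (8 subnets -> 3 bits, so /24 becomes /27).
    subnet_bits = math.ceil(math.log2(subnets_needed))
    new_prefix = network.prefixlen + subnet_bits
    # Usable hosts = 2**host_bits minus network and broadcast addresses.
    usable_hosts = 2 ** (network.max_prefixlen - new_prefix) - 2
    if usable_hosts < hosts_per_subnet:
        raise ValueError(
            f"/{new_prefix} leaves only {usable_hosts} usable hosts per subnet, "
            f"fewer than the {hosts_per_subnet} required"
        )
    return list(network.subnets(new_prefix=new_prefix))


def last_usable_host(subnet):
    """The last usable address sits just below the broadcast address."""
    return subnet.broadcast_address - 1


def svi_address_command(block, subnets_needed, hosts_per_subnet, index=0):
    """IOS 'ip address' line using the last usable host of subnet `index`."""
    subnet = subnet_plan(block, subnets_needed, hosts_per_subnet)[index]
    return f"ip address {last_usable_host(subnet)} {subnet.netmask}"


if __name__ == "__main__":
    for s in subnet_plan("192.168.32.0/24", 8, 30):
        print(s, "usable:", s[1], "-", last_usable_host(s))
    print(svi_address_command("192.168.32.0/24", 8, 30))
```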

Question 29

Refer to the exhibit.

How many JSON objects are presented?

A. 1
B. 2
C. 3
D. 4

Answer: A

Explanation

A JSON object contains zero, one, or more key-value pairs, also called properties. The object is
surrounded by curly braces {} so there is only one object in this question.

Question 30

Refer to the exhibit.


PC1 regularly sends 1800 Mbps of traffic to the server. A network engineer needs to configure the
EtherChannel to disable Port Channel 1 between SW1 and SW2 when the Ge0/0 and Ge0/1 ports
on SW2 go down. Which configuration must the engineer apply to the switch?

A. SW2#configure terminal
SW2(config)# interface port-channel 1
SW2(config-if)#lacp port-priority 32000

B. SW2#configure terminal
SW2(config)#interface port-channel 1
SW2(config-if)#lacp max-bundle 2

C. SW2#configure terminal
SW2(config)#lacp system-priority 32000

D. SW2#configure terminal
SW2(config)#interface port-channel 1
SW2(config-if)#port-channel min-links 2

Answer: D

Explanation

The port-channel min-links command specifies the minimum number of member interfaces that must
be active for the LAG (port channel) to be active. If fewer ports than specified by this command
are up, the port-channel interface does not become active.

Question 31

Which IPv6 address range is suitable for anycast addresses for distributed services such as DHCP or
DNS?

A. FF00:1/12
B. 2001:db8:0234:ca3e::1/128
C. 2002:db84:3f37:ca98:be05:8/64
D. FE80::1/10

Answer: B

Explanation

FF00::/8 range is used for IPv6 multicast -> The first octet is FF (1111 1111) -> Answer A is not
correct.

FE80::/10 is link-local address -> Answer D is not correct.

The 2002::/16 prefix is used for 6to4, which requires the next 32 bits (after the 16-bit prefix) to
be a global unicast IPv4 address -> Answer C is not correct.

Note: Anycast addresses are syntactically indistinguishable from unicast addresses, because
anycast addresses are allocated from the unicast address space. Assigning a unicast address to
more than one interface makes a unicast address an anycast address. Nodes to which the anycast
address is assigned must be explicitly configured to recognize that the address is an anycast
address.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/ipv6_basic/configuration/xe-3se/5700/ip6-anycast-add-xe.html

Question 32

Refer to the exhibit.

R19#show int fa0/0
FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140, address is ca02.7788.0000 (bia ca02.7788.0000)
Description: SALES_SUBNET
Internet address is 10.32.102.2/30
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (60 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/300/0/0 (size/max/drops/flushes); Total output drops: 135298429
Queueing strategy: fifo
Output queue: 0/300 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
73310 packets input, 7101162 bytes
Received 73115 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 4 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
3927513096455 packets output, 14404034810952 bytes, 0 underruns
0 output errors, 11 collisions, 0 interface resets

What is the cause of poor performance on router R19?

A. excessive collisions
B. speed and duplex mismatch
C. port oversubscription
D. excessive CRC errors

Answer: C

Explanation

We see the “Total output drops: 135298429” is high.

Typically, the output drops can occur if QoS is configured and does not provide enough
bandwidth to certain class of packets. It also occurs when the hardware hits an oversubscription.

Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-
switches/12027-53.html#anc75

Note: Total output drops: The number of packets dropped because the output queue is full. A
common cause of this might be traffic from a high bandwidth link being switched to a lower
bandwidth link or traffic from multiple inbound links being switched to a single outbound link.

Question 33

An engineer is configuring a switch port that is connected to a VoIP handset. Which command
must the engineer configure to enable port security with a manually assigned MAC address of
abcd.abcd.abcd on voice VLAN 4?

A. switchport port-security mac-address abcd.abcd.abcd
B. switchport port-security mac-address abcd.abcd.abcd vlan 4
C. switchport port-security mac-address sticky abcd.abcd.abcd vlan 4
D. switchport port-security mac-address abcd.abcd.abcd vlan voice

Answer: D

Explanation

We tested the port-security configuration under Web-IOU with IOSv15.2 but there is no “vlan
voice” keyword:

But in this Cisco link, we can find such command:

Device(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice

So we believe answer D is the best choice.

Question 34

Drag and drop the DNS commands from the left onto their effects on the right.

Answer:

+ enables host-to-IP-address translation: ip domain-lookup
+ adds an entry to the host table: ip host switch_1 192.168.0.1
+ displays address-mapping information: show hosts
+ specifies the IP address of the DNS server: ip name-server
+ completes the FQDN of the DNS server: ip domain-name

Question 35

How does encryption protect the wireless network?

A. via integrity checks to identify wireless forgery attacks in the frame
B. via specific ciphers to detect and prevent zero-day network attacks
C. via an algorithm to change wireless data so that only the access point and client understand it
D. via a policy to prevent unauthorized users from communicating on the wireless network

Answer: C

Question 36

Which device segregates a network into separate zones that have their own security policies?

A. IPS
B. firewall
C. access point
D. switch

Answer: B

Question 37

What is a specification for SSIDs?

A. They are a Cisco proprietary security feature.
B. They must include one number and one letter.
C. They define the VLAN on a switch.
D. They are case sensitive.

Answer: D

Explanation

The SSID is limited to a maximum length of 32 bytes. When represented in ASCII form, the
characters of the SSID are case-sensitive. This means that “9tut” is a different network than
“9TUT”.

Question 38

Refer to the exhibit.

An engineer is configuring a new Cisco switch, NewSW, to replace SW2. The following details have
been provided:
* Switches SW1 and SW2 are third-party devices without support for trunk ports
* The existing connections must be maintained between PC1, PC2 and PC3
* Allow the switch to pass traffic from future VLAN 10

Which configuration must be applied?

Option A
NewSW(config)#interface f0/0
NewSW(config-if)#switchport mode trunk
NewSW(config-if)#switchport trunk allowed vlan 2,10
NewSW(config-if)#switchport trunk native vlan 2

Option B
NewSW(config)#interface f0/0
NewSW(config-if)#switchport mode trunk
NewSW(config-if)#switchport trunk allowed vlan 10
NewSW(config-if)#switchport trunk native vlan 10

Option C
NewSW(config)#interface f0/0
NewSW(config-if)#switchport mode access
NewSW(config-if)#switchport trunk allowed vlan 2,10
NewSW(config-if)#switchport trunk native vlan 10

Option D
NewSW(config)#interface f0/0
NewSW(config-if)#switchport mode access
NewSW(config-if)#switchport trunk allowed vlan 2,10
NewSW(config-if)#switchport trunk native vlan 2

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

We can configure trunking on the NewSW and set the native VLAN to the access VLAN 2 of SW1 so
that untagged frames received from SW1 will be placed into VLAN 2.

Question 39

What is a reason to implement IPv4 private addressing?

A. Reduce the risk of a network security breach
B. Comply with PCI regulations
C. Comply with local law
D. Reduce the size of the forwarding table on network routers

Answer: A

Question 40

Which is a fact related to FTP?

A. It uses block numbers to identify and mitigate data-transfer errors
B. It always operates without user authentication
C. It relies on the well-known UDP port 69.
D. It uses two separate connections for control and data traffic

Answer: D

Explanation

FTP communicates using two TCP connections. Control traffic is exchanged over TCP/21, and data
transmission is performed over TCP/20.

Question 41

Which two protocols are used by an administrator for authentication and configuration on access
points? (Choose two)

A. Kerberos
B. 802.1Q
C. 802.1x
D. TACACS+
E. RADIUS

Answer: C E

Explanation

You can configure 802.1X authentication between a lightweight access point and a Cisco switch.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-
guide/b_cg76/b_cg76_chapter_01101000.pdf

Question 42

Refer to the exhibit.

CPE1# show protocols e0/1
Ethernet0/1 is up, line protocol is up
Internet address is 10.0.12.2/24

CPE1#show ip access-list LAN
Standard IP access list LAN
10 permit 10.0.12.0, wildcard bits 0.0.0.255

CPE1# show ip nat translations

CPE1# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic, 0 extended)
Peak translations: 0
Outside interfaces:
Inside interfaces:
Ethernet0/1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list LAN pool NATPOOL refcount 0
pool NATPOOL: netmask 255.255.255.0
start 198.51.100.11 end 198.51.100.20
type generic, total addresses 10, allocated 0 (0%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

What is the next step to complete the implementation for the partial NAT configuration shown?

A. Reconfigure the static NAT entries that overlap the NAT pool
B. Configure the NAT outside interface
C. Modify the access list for the internal network on e0/1
D. Apply the ACL to the pool configuration

Answer: B

Explanation

We see the line “Outside interfaces: ” is still empty which means we have not configured an
outside interface yet.

Question 43

Which IPv4 address type helps to conserve the globally unique address classes?

A. multicast
B. private
C. loopback
D. public

Answer: B

Question 44

Drag and drop the IPv6 address types from the left onto their description on the right.

Answer:

+ multicast address used only locally within the site: FF05::23:becf:22:1111
+ address that is automatically created on a link when IPv6 is enabled on an interface:
FE80::abcf:ffff:12de:3992
+ address that is prohibited from routing to the Internet:
FD00:0000:0000:1a2d:a153:3992:a19d:ccca
+ address that is unique and reserved for documentation purposes:
2001:DB8::bced:1234:456d:aacc

Explanation

The FF00::/8 range is used for IPv6 multicast -> The first octet is FF, which indicates a multicast address.

Address that is automatically created on a link when IPv6 is enabled on an interface -> Link-local address in the range FE80::/10.

Address that is prohibited from routing to the Internet -> Site-local address (or Unique Local Address). They are analogous to IPv4’s private address classes. They start with FC00::/7 (for use in private networks) -> The first octet can be FC or FD. However, when you implement this you have to set the L bit (the right-most bit of the first octet) to 1, which means that the first two digits will be FD.

Question 45

Drag and drop the wireless standards from the left onto the number of nonoverlapping channels
they support on the right.
Answer:

3 Non-Overlapping Channels:
+ 802.11b
+ 802.11g
+ 802.11n 2.4 GHz

23 Non-Overlapping Channels:
+ 802.11a
+ 802.11n 5 GHz

Explanation

For 802.11n, in the 2.4 GHz band, there are three non-overlapping 20 MHz channels or one 40
MHz channel. In the 5 GHz band, twenty four non-overlapping 20 MHz or up to twelve 40 MHz
channels exist.

Also in the table “Comparison of 802.11 LAN Standards” of the reference below, we can see the
“Maximum Non-Overlapping Channels (Americas)” of 802.11b & 802.11g are 3.

Reference: https://www.air802.com/ieee-802.11-standards-facts-amp-channels.html


Question 46

Drag and drop the statements about AAA from the left onto the corresponding AAA services on the
right. Not all options are used.

Answer:

Authentication
+ It permits and denies login attempts
+ It supports local, PPP, RADIUS, and TACACS+ options

Authorization
+ It assigns per-user attributes
+ It restricts the CLI commands that a user is able to perform

Question 47
Drag and drop the cloud-computing components from the left onto the correct descriptions on the
right.

Answer:

+ The resource pool can expand quickly to meet demand: rapid elasticity
+ The consumer can choose when to start or stop using the service: on-demand self-service
+ The provider allocates CPU, memory, and disk from its shared compute resources to multiple
customers: resource pooling
+ The provider can bill the consumer in accordance with the level of usage: measured service
+ The service is available from many types of devices and networks: broad network access

Explanation

On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access: Capabilities are available over the network and accessed through
standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g.,
mobile phones, tablets, laptops, and workstations).

Resource pooling: The provider’s computing resources are pooled to serve multiple consumers
using a multi-tenant model, with different physical and virtual resources dynamically assigned and
reassigned according to consumer demand. There is a sense of location independence in that the
customer generally has no control or knowledge over the exact location of the provided resources
but may be able to specify location at a higher level of abstraction (e.g., country, state, or
datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases
automatically, to scale rapidly outward and inward commensurate with demand. To the consumer,
the capabilities available for provisioning often appear to be unlimited and can be appropriated in
any quantity at any time.

Measured service: Cloud systems automatically control and optimize resource use by leveraging
a metering capability at some level of abstraction appropriate to the type of service (e.g., storage,
processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled,
and reported, providing transparency for both the provider and consumer of the utilized service.

Reference: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Question 48

Refer to the exhibit.


EIGRP: 192.168.12.0/24
RIP: 192.168.12.0/27
OSPF: 192.168.12.0/28

How does the router manage traffic to 192.168.12.16?

A. It selects the RIP route because it has the longest prefix inclusive of the destination address.
B. It load-balances traffic between all three routes.
C. It chooses the OSPF route because it has the longest prefix inclusive of the destination address.
D. It chooses the EIGRP route because it has the lowest administrative distance.

Answer: A

Question 49

Drag and drop the VLAN port modes from the left onto the descriptions on the right.

Answer:

+ allows the port to belong to one VLAN when manually configured: static access
+ allows the port to be assigned automatically to one VLAN: dynamic access
+ allows the port to belong to one or more VLANs: trunk
+ allows the port to support a single VLAN across a service-provider network: tunnel
+ allows the port to communicate with others within the same community VLAN: private

Question 50

Refer to the exhibit.

CPE# show ipv6 route
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
la - LISP alt, lr - LISP site-registrations, ld - LISP dyn-eid
lA - LISP away, le - LISP extranet-policy, lp - LISP publications
ND ::/0 [2/0]
via FE80::A8BB:CCFF:FE00:200, Ethernet0/0
NDp 2001:DB8:1234:1::/64 [2/0]
via Ethernet0/0, directly connected
L 2001:DB8:1234:1:A8BB:CCFF:FE00:100/128 [0/0]
via Ethernet0/0, receive
C 2001:DB8:1234:2::/64 [0/0]
via Ethernet0/1, directly connected
L 2001:DB8:1234:2:A8BB:CCFF:FE00:110/128 [0/0]
via Ethernet0/1, receive
L FF00::/8 [0/0]
via Null0, receive

The administrator must configure a floating static default route that points to 2001:db8:1234:2::1
and replaces the current default route only if it fails. Which command must the engineer configure
on the CPE?

A. ipv6 route ::/0 2001:db8:1234:2::1 2
B. ipv6 route ::/0 2001:db8:1234:2::1 3
C. ipv6 route ::/128 2001:db8:1234:2::1 3
D. ipv6 route ::/0 2001:db8:1234:2::1 1

Answer: B

Explanation

From the output line “ND ::/0 [2/0]” we learn that the current static default route has the AD of 2
so we have to configure the floating static default route with AD of 3 or greater so that it acts as a
backup route.

Question 51

What is the benefit of using private IPv4 addressing?

A. to provide reliable connectivity between like devices
B. to enable secure connectivity over the Internet
C. to shield internal network devices from external access
D. to be routable over an external network

Answer: C

Question 52

Which QoS feature drops traffic that exceeds the committed access rate?

A. weighted fair queuing
B. FIFO
C. shaping
D. policing

Answer: D

Explanation

Policing is used to control the rate of traffic flowing across an interface. When traffic exceeds the configured maximum rate, the excess traffic is generally dropped or remarked.

Question 53
Two switches have been implemented and all interfaces are at the default configuration level. A
trunk link must be implemented between two switches with these requirements:
+ using an industry-standard trunking protocol
+ permitting VLANs 1-10 and denying other VLANs

How must the interconnecting ports be configured?

A. switchport mode trunk
switchport trunk allowed vlans 1-10
switchport trunk native vlan 11

B. switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlans 1-10

C. switchport mode dynamic desirable
channel-group 1 mode desirable
switchport trunk encapsulation isl
switchport trunk allowed vlan except 11-4094

D. switchport mode dynamic
channel-protocol lacp
switchport trunk allowed vlans 1-10

Answer: B

Explanation

“Using an industry-standard trunking protocol” so we have to use 802.1Q, not ISL.

Question 54

Refer to the exhibit.

A network engineer is configuring a WLAN to connect with the 172.16.10.0/24 network on VLAN
20. The engineer wants to limit the number of devices that connect to the WLAN on the USERWL
SSID to 125. Which configuration must the engineer perform on the WLC?

A. In the WLAN configuration, set the Maximum Allowed Clients value to 125.
B. In the Advanced configuration, set the DTIM value to 125.
C. In the Controller IPv6 configuration, set the Throttle value to 125.
D. In the Management Software activation configuration, set the Clients value to 125.

Answer: A

Explanation

In the example below, we can limit the number of clients that can access in a WLAN to 50 with the
“Maximum Allowed Clients” field:
Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/113303-restrict-wlan-clients-00.html

Note: DTIM stands for Delivery traffic indication map or message. It is basically an additional
message added after the normal beacon broadcast by your router or access point.

Question 55

Why would a network administrator choose to implement automation in a network environment?

A. to centralize device information storage
B. to simplify the process of maintaining a consistent configuration state across all devices
C. to deploy the management plane separately from the rest of the network
D. to implement centralized user account management

Answer: B

Question 56

When deploying a new network that includes both Cisco and third-party network devices, which
redundancy protocol avoids the interruption of network traffic if the default gateway router fails?

A. FHRP
B. VRRP
C. HSRP
D. GLBP

Answer: B

Explanation

Only VRRP is an open standard protocol.

Question 57

Refer to the exhibit.

A network administrator configures the CPE to provide internet access to the company
headquarters. Traffic must be load-balanced via ISP1 and ISP2 to ensure redundancy. Which two
command sets must be configured on the CPE router? (Choose two)

A. ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 2

B. ip route 0.0.0.0 128.0.0.0 198.51.100.1
ip route 128.0.0.0 128.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1

C. ip route 0.0.0.0 128.0.0.0 198.51.100.1
ip route 128.0.0.0 128.0.0.0 203.0.113.1

D. ip route 0.0.0.0 0.0.0.0 198.51.100.1 255
ip route 0.0.0.0 0.0.0.0 203.0.113.1 255
ip route 128.0.0.0 128.0.0.0 203.0.113.1

E. ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1

Answer: B E

Explanation

Answer A is not correct as it uses a floating static route with an AD of 2 for the second static route, so traffic cannot be load-balanced.

An administrative distance of 255 is considered unreachable, and static routes with an administrative distance of 255 are never entered into the routing table -> Answer D is not correct.

Now let’s explain the command “ip route 128.0.0.0 128.0.0.0 …” in more detail. It is the same as the “ip route 0.0.0.0 128.0.0.0 …” command, or we can call it the “0.0.0.0/1” route. Because of the “longest-prefix match” rule, it is preferred over the default static “0.0.0.0/0” route, so the 0.0.0.0/0 route would not be used.

Now we can see why answer C is not correct: the route “ip route 128.0.0.0 128.0.0.0 203.0.113.1” is always preferred over “ip route 0.0.0.0 128.0.0.0 198.51.100.1”.

Answer B is correct as we have two “0.0.0.0/1” routes (“0.0.0.0 128.0.0.0” and “128.0.0.0 128.0.0.0” are totally the same).

Question 58

Refer to the exhibit.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#ip domain-name CC-Net.com
R1(config)#enable secret Passfornewuser
R1(config)#line vty 0 15
R1(config-line)#transport input ssh
R1(config-line)#login local

A network administrator is configuring a router for user access via SSH. The service-password
encryption command has been issued. The configuration must meet these requirements:

– Create the username as CCUser.
– Create the password as NA!2$cc.
– Encrypt the user password.

What must be configured to meet the requirements?

A. username CCUser password NA!2$cc
enable password level 5 NA!2$cc

B. username CCUser privilege 15 password NA!2$cc
enable secret 0 NA!2$cc

C. username CCUser secret NA!2$cc

D. username CCUser privilege 10 password NA!2$cc

Answer: C

Explanation

In fact all the other answers look plausible too, but answer C is the best choice because the password of the username is encrypted with the highest security level.

Question 59

Refer to the exhibit.

An engineer must configure a static network route between two networks so that host A
communicates with host B. Drag and drop the commands from the left onto the routers where
they must be configured on the right. Not all commands are used.
Answer:

R1:
ip route 10.10.13.0 255.255.255.128 10.10.10.1

R2:
ip route 10.10.13.0 255.255.255.128 10.10.10.5
ip route 10.10.14.0 255.255.255.0 10.10.10.2

R3:
ip route 10.10.14.0 255.255.255.0 10.10.10.6

Question 60

Refer to the exhibit.

R1# show ip route | begin Gateway
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Serial0/0/1
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.2.0/24 is directly connected, GigabitEthernet0/0
L 172.16.2.2/32 is directly connected, GigabitEthernet0/0
C 172.16.4.0/21 is directly connected, Serial0/0/1
L 172.16.8.2/26 is directly connected, Serial0/0/1

What is the subnet mask for route 172.16.4.0?

A. 255.255.255.192
B. 255.255.248.0
C. 255.255.254.0
D. 255.255.240.0

Answer: B

Question 61

Which interface or port on the WLC is the default for in-band device administration and
communications between the controller and access points?

A. virtual interface
B. management interface
C. console port
D. service port

Answer: B

Explanation

The management interface is the default interface for in-band management of the controller and
connectivity to enterprise services such as AAA servers. It is also used for communications
between the controller and access points, for all CAPWAP or intercontroller mobility messaging and
tunneling traffic.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010011011.html

Question 62

Refer to the exhibit.

The IPv6 address for the LAN segment on router R2 must be configured using the EUI-64 format.
Which address must be used?

A. ipv6 address 2001:DB8:D8D2:1009:10A0:ABFF:FECC:1 eui-64
B. ipv6 address 2001:DB8:D8D2:1009:12A0:AB34:FFCC:1 eui-64
C. ipv6 address 2001:DB8:D8D2:1009:1230:ABFF:FECC:1 eui-64
D. ipv6 address 2001:DB8:D8D2:1009:4345:80FF:FF16:7 eui-64

Answer: A

Explanation

On the R2 LAN interface we use the command “ipv6 address 2001:db8:d8d2:1009::/64 eui-64” to tell the router to assign an IPv6 address to this interface automatically. R2 takes the MAC address of the LAN interface, 12A0.ABDD.0002, splits it into two halves and inserts FFFE between them to form the 64-bit interface ID, giving the address 2001:DB8:D8D2:1009:12A0:ABFF:FEDD:0002.

We then have to invert the universal/local (U/L) flag (bit 7) in the OUI portion of the address: 12 (in hex) = 0001 0010 (in binary), so after flipping the 7th bit we have 0001 0000 = 10 (in hex). Therefore the EUI-64 IPv6 address would be 2001:DB8:D8D2:1009:10A0:ABFF:FECC:1.

Note: Some documents say that we have to flip the 7th bit while others say we have to set the 7th bit to 1. So we tested with IOSv 15.4:
We see the MAC address of E0/0 is “aabb……..” (“a” in hex = “1010”) so the 7th bit is 1. When we enable IPv6 on this interface the link-local address changes to “FE80::A8BB……..”. So “a” changed to 8 (“8” in hex = “1000”) and we are sure the bit changed from 1 to 0. But this is just the link-local address so we will try to assign a global unicast address:

The global unicast address assigned is “2001::A8BB……..” so the bit changed from 1 to 0 too.
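The EUI-64 derivation above, carried out in code as an added example (not from the original page): the MAC is split, FFFE is inserted and the U/L bit is inverted with XOR, which is the flip-not-set behaviour the IOSv test above observed. The MAC 12A0.ABCC.0001 is constructed to match answer A, and aabb.cc00.0200 is constructed to match the FE80::A8BB:CCFF:FE00:200 next hop seen in Question 50's exhibit.

```python
import ipaddress
import re


def mac_to_eui64_iid(mac: str) -> bytes:
    """Derive the 64-bit Modified EUI-64 interface identifier from a 48-bit MAC.

    Steps (RFC 4291, appendix A): split the MAC into two 24-bit halves, insert
    FFFE between them, and invert the universal/local bit (bit 7 of the first
    byte, i.e. the 0x02 bit). Inversion, not forcing to 1, is what the IOSv
    test showed: 0xAA ^ 0x02 == 0xA8, so aabb.cc... becomes A8BB:CCFF:FE...
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)   # accept 12A0.ABCC.0001, 12:a0:ab:cc:00:01, ...
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(hexdigits)
    octets[0] ^= 0x02                               # flip the U/L bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID, as 'ipv6 address <prefix>/64 eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 link-local address IOS builds from the same interface ID."""
    return eui64_address("fe80::/64", mac)


if __name__ == "__main__":
    # Constructed MAC chosen so the result equals answer A of Question 62.
    print(eui64_address("2001:db8:d8d2:1009::/64", "12A0.ABCC.0001"))  # 2001:db8:d8d2:1009:10a0:abff:fecc:1
    # Constructed IOSv-style MAC matching the next hop in Question 50's routing table.
    print(link_local_address("aabb.cc00.0200"))  # fe80::a8bb:ccff:fe00:200
```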

Question 63

A company has each office using wireless access with multiple SSIDs while limiting roaming
capabilities, covering different locations on the internal office LAN, guest networks, and BYOD
access for employees. Which change must be enabled to improve the customer experience during
SSID changes?

A. Assisted Roaming Prediction Optimization
B. Fast Transition
C. Neighbor List Dual Band
D. Fast SSID Change

Answer: D

Explanation

“When you enable Fast SSID Change, the controller allows clients to move between SSIDs. When the client sends a new association request for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.”

Question 64

Refer to the exhibit.

The EtherChannel is configured with a speed of 1000 and duplex as full on both ends of channel
group 1. What is the next step to configure the channel on switch A to respond to but not initiate
LACP communication?

A. interface range gigabitethernet0/0/0 -15
channel-group 1 mode desirable

B. interface range gigabitethernet0/0/0 -15
channel-group 1 mode on

C. interface port-channel 1
channel-group 1 mode auto

D. interface port-channel 1
channel-group 1 mode passive

Answer: D

Question 65

Which two VPN technologies are recommended by Cisco for multiple branch offices and large-scale
deployments? (Choose two)

A. IPsec remote access
B. site-to-site VPN
C. clientless VPN
D. GETVPN
E. DMVPN

Answer: D E

Explanation

Cisco DMVPN can be deployed in conjunction with Cisco IOS Firewall and Cisco IOS IPS, as well as quality of service (QoS), IP Multicast, split tunneling, and routing-based failover mechanisms. Large-scale, highly available Cisco DMVPN deployments are made possible by load balancing multiple Cisco DMVPN hubs.

Reference: https://www.cisco.com/c/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/data_sheet_c78-468520.html

GET VPN provides large-scale, connectionless, tunnel-free transmission protection that takes advantage of the existing routing infrastructure and can be used with MPLS, IP, Frame Relay and ATM networks.

Reference: https://ipwithease.com/flexvpn-vs-getvpn/

Note:

Site-to-Site VPN is a simple VPN that connects a central site and a remote site, or a hub-and-spoke VPN that connects a central site with multiple remote sites -> It is not suitable for large-scale deployments.

With clientless VPN, a tunnel is established from a web browser on the remote user’s device to the outside interface of the VPN gateway’s SSL component -> It is not suitable for large-scale deployments.

IPsec remote access is used to connect remote-access clients, such as a PC or a small office/home office (SOHO) device.

Question 66

Refer to the exhibit.

{
"Test_Questions" : [
"Automation",
"Configuration",
],
"Test_Exam_Level" : [
"CCNA",
"CCNP",
],
"Test_Response" : [
"Correct",
"Incorrect",
]
}

How many arrays are present in the JSON data?

A. one
B. three
C. six
D. nine

Answer: B

Explanation

The JSON array is surrounded by square brackets [ ]. In this question there are three square
brackets in total.

Question 67

Refer to the exhibit.

Router1#show interface ethernet 1
Ethernet1 is up, line protocol is up
Hardware is Lance, address is 0010.7b36.1be8 (bia 0010.7b36.1be8)
Internet address is 10.100.48.240/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:06, output hang never
Last clearing of "show interface" counters never
Input queue: 1/75/1/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: random early detection(RED)
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
7558065 packets input, 783768942 bytes, 1 no buffer
Received 8280963 broadcasts, 0 runts, 0 giants, 1 throttles
15 input errors, 14278 CRC, 0 frame, 0 overrun, 3 ignored
0 input packets with dribble condition detected
798092 packets output, 50280266 bytes, 0 underruns
0 output errors, 15000 collisions, 0 interface resets
0 babbles, 0 late collision, 179 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

An administrator received a call from a branch office regarding poor application performance
hosted at the headquarters. Ethernet 1 is connected between Router1 and the LAN switch. What
identifies the issue?

A. There is a duplex mismatch.
B. The MTU is not set to the default value.
C. The link is over utilized.
D. The QoS policy is dropping traffic.

Answer: A

Explanation

This interface shows a high collision count (15000 collisions), so one end of the link may be set to half-duplex.

Question 68

Refer to the exhibit.

SW1#show etherchannel
Channel-group listing:
----------------------
Group: 2
--------
Group state = L2
Ports: 1 Maxports = 8
Port-channels: 1 Max Portchannels = 1
Protocol: PAGP

A network engineer updates the existing configuration on interface fastethernet1/1 of switch SW1. It must establish an EtherChannel by using the same group designation with another vendor's switch. Which configuration must be performed to complete the process?

A. interface port-channel 2
channel-group 2 mode desirable

B. interface fastethernet 1/1
channel-group 2 mode on

C. interface port-channel 2
channel-group 2 mode auto

D. interface fastethernet 1/1
channel-group 2 mode active

Answer: D

Question 69

Refer to the exhibit.

Local access for R4 must be established and these requirements must be met:
– Only Telnet access is allowed.
– The enable password must be stored securely.
– The enable password must be applied in plain text
– Full access to R4 must be permitted upon successful login

Which configuration script meets the requirements?

Option A

!
conf t
!
username test1 password testpass1
enable password level 1 7 Test123
!
line vty 0 15
accounting exec default
transport input all

Option B

conf t
!
username test1 password testpass1
enable secret level 15 0 Test123
!
line vty 0 15
login local
transport input telnet

Option C

!
config t
!
username test1 password testpass1
enable secret level 1 0 Test123
!
line vty 0 15
login authentication
password Test123
transport input telnet

Option D

!
config t
!
username test1 password testpass1
enable password level 15 0 Test123
!
line vty 0 15
password Test123
transport input all

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

“Only Telnet access is allowed” -> Only Option B and Option C are candidates.

In fact the “login authentication” command in Option C can only be used when AAA is enabled (with the command “aaa new-model”), and we cannot use “login authentication” without specifying an authentication list:

Therefore only Option B is left. But in fact Option B is not totally correct: “Full access to R4 must be permitted upon successful login”, yet in Option B we have to type the enable secret to get full access to R4 after logging in (with username “test1” and password “testpass1”).

Question 70

A packet from a company’s branch office is destined to host 172.31.0.1 at headquarters. The
sending router has three possible matches in its routing table for the packet: prefixes
172.31.0.0/16, 172.31.0.0/24, and 172.31.0.0/25. How does the router handle the packet?

A. It sends the traffic via the default gateway 0.0.0.0/0.
B. It sends the traffic via prefix 172.31.0.0/16.
C. It sends the traffic via prefix 172.31.0.0/25.
D. It sends the traffic via prefix 172.31.0.0/24.

Answer: C

Question 71

Which action must be taken when password protection is implemented?

A. Store passwords as contacts on a mobile device with single-factor authentication.
B. Share passwords with senior IT management to ensure proper oversight.
C. Include special characters and make passwords as long as allowed.
D. Use less than eight characters in length when passwords are complex.

Answer: C

Question 72

When an access point is seeking to join a wireless LAN controller, which message is sent to the AP-Manager interface?

A. DHCP request
B. DHCP discover
C. discovery response
D. discovery request

Answer: D

Explanation

The LAPs always connect to the management interface address of the controller first with
a discovery request. The controller then tells the LAP the Layer 3 AP-manager interface (which
can also be the management by default) IP address so the LAP can send a join request to the AP-
manager interface next.

Reference: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/119286-lap-notjoin-wlc-tshoot.html

Question 73

What is a reason why an administrator would choose to implement an automated network management approach?

A. Reduce inconsistencies in the network configuration.
B. Increase recurrent management costs.
C. Enable “box by box” configuration and deployment.
D. Decipher simple password policies.

Answer: A

Question 74

Which device separates networks by security domains?

A. access point
B. firewall
C. intrusion protection system
D. wireless controller

Answer: B

Question 75

Which two characteristics are representative of virtual machines (VMs)? (Choose two)

A. A VM on a hypervisor is automatically interconnected to other VMs.
B. A VM on an individual hypervisor shares resources equally.
C. Each VM's operating system depends on its hypervisor.
D. Each VM runs independently of any other VM in the same hypervisor.
E. Multiple VMs operate on the same underlying hardware.

Answer: D E

Question 76

Refer to the exhibit.

R7#
172.22.0.0/24 is subnetted, 1 subnets
D 172.22.49.0 [90/284160] via 10.81.22.2, 04:55:53, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 26 subnets, 5 masks
D EX 10.10.10.10/32 [170/35840] via 10.3.5.1, 04:55:55, FastEthernet0/1
D 10.9.1.0/30 [90/33280] via 10.3.5.1, 04:55:56, FastEthernet0/1
B 10.111.99.0/24 [20/0] via 10.6.25.2, 03:58:52
D 10.14.3.0/30 [90/30720] via 10.3.5.1, 04:55:58, FastEthernet0/1
C 10.9.4.0/30 is directly connected, FastEthernet1/0
B 10.100.100.0/24 [20/0] via 10.6.25.2, 03:58:53
D 10.0.1.0/30 [90/30720] via 10.3.5.1, 04:55:58, FastEthernet0/1
D EX 10.10.10.70/32 [170/161280] via 10.3.5.1, 04:55:57, FastEthernet0/1
B 10.90.0.0/16 [200/0] via 0.0.0.0, 03:57:59, Null0
D EX 10.90.1.0/24 [170/158720] via 10.3.5.1, 04:55:57, FastEthernet0/1
D EX 10.90.2.0/24 [170/158720] via 10.3.5.1, 04:55:57, FastEthernet0/1
D 10.90.3.0/29 [90/161280] via 10.3.5.1, 02:46:03, FastEthernet0/1
D EX 10.90.3.0/24 [170/158720] via 10.3.5.1, 02:46:04, FastEthernet0/1
D EX 10.90.4.0/24 [170/158720] via 10.3.5.1, 04:55:59, FastEthernet0/1
D EX 10.90.5.0/24 [170/158720] via 10.3.5.1, 04:55:59, FastEthernet0/1
B* 0.0.0.0/0 [20/0] via 10.6.25.2, 02:22:38

According to the output, which parameter set is validated using the routing table of R7?

A. R7 is missing a gateway of last resort.
R7 is receiving routes that were redistributed from BGP.
R7 will forward traffic destined to 10.90.8.0/24.

B. R7 is missing a gateway of last resort.
R7 is receiving routes that were redistributed in EIGRP.
R7 will forward traffic destined to 10.90.8.0/24.

C. R7 has a gateway of last resort available.
R7 is receiving routes that were redistributed from BGP.
R7 will drop traffic destined to 10.90.8.0/24.

D. R7 has a gateway of last resort available.
R7 is receiving routes that were redistributed in EIGRP.
R7 will drop traffic destined to 10.90.8.0/24.

Answer: D

Explanation

Traffic destined to 10.90.8.0/24 matches the output line “10.90.0.0/16 [200/0] via 0.0.0.0, 03:57:59, Null0”, so it will be forwarded to the Null0 interface, which means it will be dropped.

From the “D EX” code, we learn that R7 is receiving routes that were redistributed into EIGRP (another routing protocol was redistributed into EIGRP).

Question 77

Refer to the exhibit.

Gateway of last resort is 172.16.2.2 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0/0
L 10.10.10.3/32 is directly connected, GigabitEthernet0/0/0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.1.33/32 is directly connected, GigabitEthernet0/0/1
C 172.16.2.0/23 is directly connected, GigabitEthernet0/0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/0/1
S* 0.0.0.0/0 [1/0] via 172.16.2.2

A packet sourced from 10.10.10.1 is destined for 172.16.3.254. What is the subnet mask of the
destination route?

A. 0.0.0.0
B. 255.255.254.0
C. 255.255.255.0
D. 255.255.255.255

Answer: B

Explanation

The packet destined for 172.16.3.254 will be routed via the entry “C 172.16.2.0/23 …” as this
subnet ranges from 172.16.2.0 to 172.16.3.255.
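Longest-prefix match and administrative distance, the two rules behind Questions 48, 50, 57, 70, 76 and this one, as an added Python example that is not part of the original page. The routing tables are constructed from the exhibits; the next hops in the Question 48 and 70 tables are made up, and ADs use the IOS defaults.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    """One routing-table entry; the tables below are constructed from the exam exhibits."""
    prefix: str    # network in CIDR form, e.g. "192.168.12.0/27" or "::/0"
    source: str    # protocol that installed it: "EIGRP", "RIP", "static", "ND", ...
    ad: int        # administrative distance (IOS defaults: EIGRP 90, OSPF 110, RIP 120)
    next_hop: str  # next-hop address or exit interface; "Null0" discards the packet


def _network(route: Route):
    return ipaddress.ip_network(route.prefix, strict=False)


def best_routes(table: List[Route], destination: str) -> List[Route]:
    """Return the routes that win the lookup for `destination`.

    Rule 1, longest-prefix match: the most specific matching prefix wins,
    regardless of which protocol learned it or its AD (Question 48: RIP /27
    beats EIGRP /24). Rule 2, administrative distance: among routes to the
    same prefix the lowest AD wins (Question 50: the ND default with AD 2
    beats the floating static with AD 3). Several survivors mean load balancing.
    """
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in _network(r)]
    if not matches:
        return []
    longest = max(_network(r).prefixlen for r in matches)
    most_specific = [r for r in matches if _network(r).prefixlen == longest]
    lowest_ad = min(r.ad for r in most_specific)
    return [r for r in most_specific if r.ad == lowest_ad]


def forwarding_decision(table: List[Route], destination: str) -> Tuple[str, List[str]]:
    """Return ("forward" | "load-balance" | "drop", sorted next hops) for `destination`."""
    winners = best_routes(table, destination)
    if not winners:
        return ("drop", [])                 # no matching route, not even a default
    hops = sorted({r.next_hop for r in winners})
    if hops == ["Null0"]:
        return ("drop", hops)               # Null0 summary matched (Question 76): black-holed
    if len(hops) > 1:
        return ("load-balance", hops)       # same prefix length and AD: ECMP (Question 57, answer E)
    return ("forward", hops)


# Question 48: the same network learned with three prefix lengths.
Q48_TABLE = [
    Route("192.168.12.0/24", "EIGRP", 90, "10.0.0.1"),
    Route("192.168.12.0/27", "RIP", 120, "10.0.0.2"),
    Route("192.168.12.0/28", "OSPF", 110, "10.0.0.3"),
]
# Question 70: /16, /24 and /25 all cover 172.31.0.1.
Q70_TABLE = [
    Route("172.31.0.0/16", "OSPF", 110, "10.0.0.1"),
    Route("172.31.0.0/24", "OSPF", 110, "10.0.0.2"),
    Route("172.31.0.0/25", "OSPF", 110, "10.0.0.3"),
]
# Question 57, answer E: two identical default routes with the default static AD of 1.
Q57_TABLE = [
    Route("0.0.0.0/0", "static", 1, "198.51.100.1"),
    Route("0.0.0.0/0", "static", 1, "203.0.113.1"),
]
# Question 76 (subset of the exhibit): BGP summary to Null0 above more specific EIGRP routes.
Q76_TABLE = [
    Route("0.0.0.0/0", "BGP", 20, "10.6.25.2"),
    Route("10.90.0.0/16", "BGP", 200, "Null0"),
    Route("10.90.1.0/24", "EIGRP-EX", 170, "10.3.5.1"),
    Route("10.90.3.0/29", "EIGRP", 90, "10.3.5.1"),
    Route("10.90.3.0/24", "EIGRP-EX", 170, "10.3.5.1"),
]
# Question 50: the ND default (AD 2) plus the floating static default that answer B adds (AD 3).
Q50_TABLE = [
    Route("::/0", "ND", 2, "FE80::A8BB:CCFF:FE00:200"),
    Route("::/0", "static", 3, "2001:db8:1234:2::1"),
    Route("2001:DB8:1234:2::/64", "connected", 0, "Ethernet0/1"),
]

if __name__ == "__main__":
    for table, dest in [(Q48_TABLE, "192.168.12.16"), (Q70_TABLE, "172.31.0.1"),
                        (Q57_TABLE, "8.8.8.8"), (Q76_TABLE, "10.90.8.1"),
                        (Q50_TABLE, "2001:db8::1")]:
        print(dest, "->", forwarding_decision(table, dest),
              [f"{r.source} {r.prefix}" for r in best_routes(table, dest)])
```

Remove the ND entry from Q50_TABLE and the lookup falls through to the AD 3 static route, which is exactly the floating-static behaviour Question 50 asks for.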

Question 78

What is the operating mode and role of a backup port on a shared LAN segment in Rapid PVST+?

A. blocking mode and provides an alternate path toward the designated bridge
B. listening mode and provides an alternate path toward the root bridge
C. forwarding mode and provides the lowest-cost path to the root bridge for each VLAN
D. learning mode and provides the shortest path toward the root bridge handling traffic away from
the LAN

Answer: A

Explanation

An alternate port and a backup port are in a blocking state (or discarding state) to prevent loops.

Reference: https://www.ciscopress.com/articles/article.asp?p=2832407&seqNum=4

Question 79

Which DSCP per-hop forwarding behavior is divided into subclasses based on drop probability?

A. class-selector
B. assured
C. expedited
D. default

Answer: B

Explanation

The term Per-Hop Behavior (PHB) refers to how a node treats traffic that carries the same Differentiated Services Code Point (DSCP) value.

Assured Forwarding has four standard classes, AF1 to AF4. It is important to note that the class number does not determine priority. Each class is treated independently and placed into a different queue.

Each AF class has its own IP Precedence with three drop probabilities: low, medium, and high.

Reference: https://www.routeprotocol.com/dscp-per-hop-behaviour-assured-forwarding/

Question 80

What occurs when a switch receives a frame that has a destination that is an unknown MAC
address?

A. The frame is flooded to all interfaces in the VLAN to which the frame belongs.
B. The frame is flooded to all interfaces in the switch.
C. The frame is discarded
D. The MAC address table of the switch is flushed

Answer: A

Question 81

Drag and drop the facts about wireless architectures from the left onto the types of access point
on the right. Not all options are used.

Answer:

Cloud-Based Access Point
+ managed from a Web-based dashboard
+ supports automatic deployment

Lightweight Access Point
+ configured and managed by a WLC
+ supports different operational modes

Question 82

SIP-based Call Admission Control must be configured in the Cisco WLC GUI. SIP call-snooping
ports are configured. Which two actions must be completed next? (Choose two)

A. Set the QoS level to silver or greater for voice traffic
B. Enable Media Session Snooping on the WLAN
C. Configure two different QoS roles for data and voice traffic
D. Set the QoS level to platinum for voice traffic
E. Enable traffic shaping for the LAN interface of the WLC

Answer: B D

Explanation

Configuring SIP-Based CAC (CLI)


Procedure
Step 1 Set the voice to the platinum QoS level
Step 2 Enable the call-snooping feature for a particular WLAN

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wireless_quality_of_service.html

Corrections:
Question 1
What is the term for the concept of limiting communication between applications or containers on
the same node?
A. container orchestration
B. software-defined access
C. microservicing
D. microsegmentation
Answer: D microsegmentation

Question 2
What limits communication between applications or containers on the same node?
A. microservicing
B. container orchestration
C. microsegmentation
D. Software-Defined Access
Answer: C Microsegmentation

Question 3
An administrator is configuring NTP on Cisco ASA via ASDM and needs to ensure that rogue NTP
servers cannot insert themselves as the authoritative time source. Which two steps must be taken
to accomplish this task? (Choose two)
A. Set the NTP DNS host
B. Specify the NTP version
C. Configure the NTP stratum
D. Choose the interface for syncing to the NTP server
E. Set the authentication key
Correct Answers: Choose the interface for syncing to the NTP server and Set the authentication
key.

Question 4
An administrator needs to configure the Cisco ASA via ASDM such that the network management
system can actively monitor the host using SNMPv3. Which two tasks must be performed for this
configuration? (Choose two)
A. Specify the SNMP manager and UDP port.
B. Specify a community string.
C. Add an SNMP USM entry.
D. Add an SNMP host access entry.
E. Specify an SNMP user group.
Answer: D E

Question 5
Which two parameters are used for device compliance checks? (Choose two)
A. device operating system version
B. DHCP snooping checks
C. Windows registry values
D. endpoint protection software version
E. DNS integrity checks
Answer: C D

Question 6
What is a benefit of using Cisco Tetration?
A. It collects policy compliance data and process details.
B. It collects telemetry data from servers and then uses software sensors to analyze flow
information.
C. It collects near-real time data from servers and inventories the software packages that exist on
servers
D. It collects enforcement data from servers and collects interpacket variation.
Answer: A

Question 7
Why is it important for the organization to have an endpoint patching strategy?
A. so the organization can identify endpoint vulnerabilities
B. so the network administrator is notified when an existing bug is encountered
C. so the internal PSIRT organization is aware of the latest bugs
D. so the latest security fixes are installed on the endpoints
Answer: D

An engineer is configuring Cisco WSA and needs to enable a separated email transfer flow from the
Internet and from the LAN. Which deployment mode must be used to accomplish this goal?
A. two-interface
B. single interface
C. multi-context
D. transparent
Answer: D

Question 8
How does the Cisco WSA enforce bandwidth restrictions for web applications?
A. It implements a policy route to redirect application traffic to a lower-bandwidth link
B. It dynamically creates a scavenger class QoS policy and applies it to each client that connects
through the WSA
C. It sends commands to the uplink router to apply traffic policing to the application traffic
D. It simulates a slower link by introducing latency into application traffic
Answer: C

Question 9
What is a benefit of using Cisco Tetration?
A. It collects policy compliance data and process details.
B. It collects telemetry data from servers and then uses software sensors to analyze flow
information.
C. It collects near-real time data from servers and inventories the software packages that exist on
servers
D. It collects enforcement data from servers and collects interpacket variation.
Answer: B

Question 10
Which two actions does the Cisco Identity Services Engine posture module provide that ensures
endpoint security? (Choose two)
A. Assignments to endpoint groups are made dynamically, based on endpoint attributes.
B. Endpoint supplicant configuration is deployed.
C. A centralized management solution is deployed
D. The latest antivirus updates are applied before access is allowed
E. Patch management remediation is performed.
Correct Answers: The latest antivirus updates are applied before access is allowed and Patch
management remediation is performed.
Create Patch Management Conditions

Question 11
The DHCP snooping database resides on router R1, and dynamic ARP inspection is configured only
on switch SW2. Which ports must be configured as untrusted so that dynamic ARP inspection
operates normally?
A. P5, P6, and P7
B. P2 and P3 only
C. P1, P2, P3, and P4
D. P2, P3, and P6
Correct answer: P5, P6, and P7

Question 1
What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy
firewall?
A. The Cisco ASA denies all traffic by default whereas the Cisco IOS router with Zone-Based Policy
Firewall starts out by allowing all traffic, even on untrusted interfaces.
B. The Cisco IOS router with Zone-Based Policy Firewall can be configured for high availability,
whereas the Cisco ASA cannot
C. The Cisco IOS router with Zone-Based Policy Firewall denies all traffic by default, whereas the
Cisco ASA starts out by allowing all traffic until rules are added
D. The Cisco ASA can be configured for high availability whereas the Cisco IOS router with Zone-
Based Policy Firewall cannot
Answer: D

An administrator is adding a new Cisco ISE node to an existing deployment. What must be done to
ensure that the addition of the node will be successful when inputting the FQDN?
A. Change the IP address of the new Cisco ISE node to the same network as the others
B. Make the new Cisco ISE node a secondary PAN before registering it with the primary
C. Open port 8905 on the firewall between the Cisco ISE nodes
D. Add the DNS entry for the new Cisco ISE node into the DNS server
Answer: D

An engineer needs to add protection for data in transit and have headers in the email message.
Which configuration is needed to accomplish this goal?
A. Provision the email appliance
B. Deploy an encryption appliance
C. Map sender IP addresses to a host interface
D. Enable flagged message handling
Answer: D

What must be enabled to secure SaaS-based applications?
A. two-factor authentication
B. end-to-end encryption
C. application security gateway
D. modular policy framework
Answer: B
