Cisco CCNP Enterprise 300-410 Questions & Answers

• Question 521:

  Refer to the exhibit.

  

  An engineer configured NetFlow on R1, but the NMS server cannot see the flow from R1. Which configuration resolves the issue?

  A. interface Ethernet0/1 flow-destination 10.221.10.11

  B. interface Ethernet0/0 flow-destination 10.221.10.11

  C. flow exporter FlowAnalyzer1 destination 10.221.10.11

  D. flow monitor Flowmonitor1 destination 10.221.10.11

  Correct Answer: C

  From the output we notice that the destination IP address is not correct. The NMS server IP address should be 10.221.10.11, not 10.221.10.10. Therefore we have to change this information under "flow exporter ..."configuration. NetFlow configuration reference:https://www.cisco.com/c/en/us/td/docs/iosxml/ios/fnetflow/configuration/15-mt/fnf-15-mt-book/cfg-de-fnflow-exprts.html

• Question 522:

  Refer to the exhibit. An engineer cannot copy the IOS.bin file from the FTP server to the switch.

  

  Which action resolves the issue?

  A. Allow file permissions to download the file from the FTP server.

  B. Add the IOS.bin file, which does not exist on FTP server.

  C. Make memory space on the switch flash or USB drive to download the file.

  D. Use the copy flash:/ ftp://[email protected]/IOS.bin command.

  Correct Answer: B

• Question 523:

  Refer to the exhibit.

  

  An engineer configures DMVPN and receives the hub location prefix of 10.1.1.0724 on R2 and R3 The R3 prefix of 10 1.3.0/24 is not received on R2. and the R2 prefix 10.1,2.0/24 is not received on R3. Which action reserves the issue?

  A. Split horizon prevents the routes from being advertised between spoke routers it should be disabled with the command no ip split-horizon eigrp 10 on the tunnel interface of R1

  B. There is no spoke-to-spoke connection DMVPN configuration should be modified to enable a tunnel connection between R2 and R3 and neighbor relationship confirmed by use of the show ip eigrp neighbor command

  C. Split horizon prevents the routes from being advertised between spoke routers it should be disabled with the no ip split-horizon eigrp 10 command on the Gi0/0 interface of R1.

  D. There is no spoke-to-spoke connection DMVPN configuration should be modified with a manual neighbor relationship configured between R2 and R3 and confirmed bb use of the show ip eigrp neighbor command.

  Correct Answer: A

  In this topology, the Hub router will receive advertisements from R2 Spoke router on its tunnel interface. The problem here is that it also has a connection with R3 Spoke on that same tunnel interface. If we don't disable split-horizon, then the Hub will not relay routes from R2 to R3 and the other way around.That is because it received those routes on the same interface tunnel and therefore it cannot advertise back out that same interface (split-horizon rule). Therefore we must disable splithorizon on the Hub router to make sure the Spokes know about each other.

• Question 524:

  What is a function of IPv6 Source Guard?

  A. It works with address glean or ND to find existing addresses.

  B. It inspects ND and DHCP packets to build an address binding table.

  C. It denies traffic from known sources and allocated addresses.

  D. It notifies the ND protocol to inform hosts if the traffic is denied by it.

  Correct Answer: A

  IPv6 source guard is an interface feature between the populated binding table and data traffic filtering. This feature enables the device to deny traffic when it is originated from an address that is not stored in the binding table. IPv6 source guard does not inspect ND or DHCP packets;rather, it works in conjunction with IPv6 neighbor discovery (ND) inspection or IPv6 address glean, both of which detect existing addresses on the link and store them into the binding table.

• Question 525:

  Refer to the exhibit. The AP status from Cisco DNA Center Assurance Dashboard shows some physical connectivity issues from access switch interface G1/0/14.

  

  Which command generates the diagnostic data to resolve the physical connectivity issues?

  A. check cable-diagnostics tdr interface GigabitEthernet1/0/14

  B. verify cable-diagnostics tdr interface GigabitEthernet1/0/14

  C. show cable-diagnostics tdr interface GigabitEthernet1/0/14

  D. test cable-diagnostics tdr interface GigabitEthernet1/0/14

  Correct Answer: D

  The Time Domain Reflectometer (TDR) feature allows you to determine if a cable is OPEN or SHORT when it is at fault.

  To start the TDR test, perform this task:

  Step 1 (Starts the TDRtest):test cable-diagnostics tdr{interface{interface-number}} Step 2 (Displays the TDR test counter information):show cable-diagnostics tdr{interfaceinterface-number}

  https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/software/release/16- 11/configuration_guide/int_hw/b_1611_int_and_hw_9600_cg/checking_port_status_and_c onnectivitypdf

  

• Question 526:

  The network administrator configured R1 to authenticate Telnet connections based on Cisco ISE using TACACS+. ISE has been configured with an IP address of 192.168.1.5 and with a network device pointing toward R1(192.168.1.1) with a shared secret password of Cisco123.

  The administrator has configured this on R1:

  aaa new-model ! tacacs server ISE1 address ipv4 192.168.1.5 key Cisco123 ! aaa group server tacacs+ TAC-SERV server name ISE1 ! aaa authentication login telnet group TAC-SERV

  The network administrator cannot authenticate to R1 based on ISE. Which configuration fixes the issue?

  A. ip tacacs-server host 192.168.1.5 key Cisco123

  B. line vty 0 4 login authentication TAC-SERV

  C. line vty 0 4 login authentication telnet

  D. tacacs-server host 192.168.1.5 key Cisco123

  Correct Answer: C

  The last command "aaa authentication login telnet group TAC-SERV" created the method list name telnet so we need to assign itto line vty. Reference:https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208Configure-ISE-2-0-IOS-TACACS-Authentic.html

• Question 527:

  Refer to the exhibit.

  

  After a security audit, the administrator implemented an ACL in the route reflector. The RR became unreachable from any router in the network. Which two actions resolve the issue? (Choose two.)

  A. Enable the ND proxy feature on the default gateway.

  B. Configure a link-local address on the Ethernet0/1 interface.

  C. Permit ICMPv6 neighbor discovery traffic in the ACL.

  D. Remove the ACL entry 80.

  E. Change the next hop of the default route to the link-local address of the default gateway.

  Correct Answer: CD

• Question 528:

  Refer to the exhibit.

  

  R1 is configured with uRPF, and ping to R1 is failing from a source present in the R1 routing table via the GigatxtEthernet 0/0 interface. Which action resolves the issue?

  A. Remove the access list from the interface GigabrtEthernet 0/0

  B. Modify the uRPF mode from strict to loose

  C. Enable Cisco Express Forwarding to ensure that uRPF is functioning correctly

  D. Add a floating static route to the source on R1 to the GigabitEthernet 0/1 interface

  Correct Answer: B

  with uRPF strict mode, this can cause legitimate packets to be dropped, so that's something to keep in mind. In uRPF loose mode, the source of the IP packet must simply appear in the routing table. So loose mode looks for any interface in the routing table other than the default route.

• Question 529:

  Refer to the exhibit The administrator configured the network devices for end-to-end reachability, but the ASBRs are not propagating routes to each other Which set of configurations resolves this issue?

  

  

  A. router bgp 100 neighbor 10.1.1.1 next-hop-self neighbor 10.1.2.2 next-hop-self neighbor 10.1.3.3 next-hop-self

  B. router bgp 100 neighbor 10.1.1.1 update-source Loopback0 neighbor 10.1.2.2 update-source Loopback0 neighbor 10.1.3.3 update-source Loopback0

  C. router bgp 100 neighbor 10.1.1.1 route-reflector-client neighbor 10.1.2.2 route-reflector-client neighbor 10.1.3.3 route-reflector-client

  D. router bgp 100 neighbor 10.1.1.1 ebgp-multihop neighbor 10.1.2.2 ebgp-multihop neighbor 10.1.3.3 ebgp-muttihop

  Correct Answer: C

• Question 530:

  Refer to the exhibit.

  

  While monitoring VTY access to a router, an engineer notices that the router does not have any filter and anyone can access the router with username and password even though an ACL is configured. Which command resolves this issue?

  A. access-class INTERNET in

  B. ip access-group INTERNET in

  C. ipv6 traffic-filter INTERNET in

  D. ipv6 access-class INTERNET in

  Correct Answer: D