Designing and Implementing Cloud Connectivity (ENCC)
Exam Details
Exam Code: 300-440
Exam Name: Designing and Implementing Cloud Connectivity (ENCC)
Certification: CCNP Enterprise
Vendor: Cisco
Total Questions: 38 Q&As
Last Updated: Mar 24, 2025
Cisco CCNP Enterprise 300-440 Questions & Answers
Question 21:
Which method is used to create authorization boundary diagrams (ABDs)?
A. identify only interconnected systems that are FedRAMP-authorized
B. show all networks in CIDR notation only
C. identify all tools as either external or internal to the boundary
D. show only minor or small upgrade level software components
Correct Answer: C
According to the FedRAMP Authorization Boundary Guidance, the method used to create an authorization boundary diagram (ABD) is to identify every tool and component as either external or internal to the boundary. The ABD is a visual representation of the components that make up the authorization boundary: all technologies, external and internal services, and leveraged systems, accounting for all federal information, data, and metadata that the Cloud Service Offering (CSO) is responsible for. The ABD should illustrate the CSP's scope of control over the system and show which components or services are leveraged from external services or controlled by the customer. The other options are incorrect because they restrict the diagram to a subset of what FedRAMP requires: the boundary is not limited to FedRAMP-authorized interconnections, to CIDR notation, or to a particular class of software components.
Question 22:
An engineer must enable the OMP advertisement of BGP routes for a specific VRF instance on a Cisco IOS XE SD-WAN device. What should be configured after the global address-family ipv4 is configured?
A. Set the VRF-specific route advertisements.
B. Enable bgp advertisement.
C. Enter sdwan mode.
D. Disable bgp advertisement.
Correct Answer: B
To advertise the BGP routes of a VRF into OMP on a Cisco IOS XE SD-WAN device, the engineer first configures the global address-family ipv4 under omp in sdwan configuration mode and then enables bgp advertisement (advertise bgp) under the VRF-specific address family (address-family ipv4 vrf <vrf-id>) of the same omp section. With that in place the device redistributes the BGP routes learned from the cloud provider in that VRF into the OMP control plane, and the vSmart controllers distribute them to the other SD-WAN devices in the overlay network.
References:
Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module 3:Implementing Cloud Connectivity, Lesson 3: Configuring IPsec VPN from Cisco IOS XE to AWS, Topic: Configuring BGP on the Cisco IOS XE Device, Page 3-24.
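The sequence described above, as an added configuration example that is not taken from the Cisco course material or the exam: service-side BGP with a cloud provider in VRF 10, then the OMP global address family followed by the VRF-specific one. The VRF number, AS numbers, and neighbor address are assumed for illustration.

```cisco
! --- Service-side BGP session with the cloud provider, inside VRF 10 ---
! assumed values: local AS 65001, provider AS 64512, neighbor 169.254.10.1
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 vrf 10
  neighbor 169.254.10.1 remote-as 64512
  neighbor 169.254.10.1 activate
  ! carry the provider's AS path into OMP so loop prevention survives the redistribution
  propagate-aspath
 exit-address-family
!
! --- OMP: global address family first, then the VRF-specific one ---
sdwan
 omp
  no shutdown
  graceful-restart
  address-family ipv4
   advertise connected
   advertise static
  !
  address-family ipv4 vrf 10
   ! the step the question asks for: BGP routes from VRF 10 into OMP
   advertise bgp
  !
 !
!
! --- Verification ---
! show ip bgp vpnv4 vrf 10 summary    the provider session must be Established
! show sdwan omp routes vpn 10        the provider prefixes appear with protocol "bgp"
! show sdwan omp peers                OMP sessions to the vSmart controllers are up
```

Advertising into OMP is per address family and per VRF, so a VRF that should stay isolated from the overlay simply gets no advertise bgp line; that is the intended way to keep a provider's routes out of service VPNs that should not reach it.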
Question 23:
Refer to the exhibits.
While troubleshooting, a network engineer discovers that the backup path fails between ASBR3 and ASBR4 for traffic between BGP AS6000 and BGP AS6500 when the connection between ASBR1 and ASBR2 goes down. The following configurations were performed on ASBR1:
Which command is missing?
A. bgp additional-paths Install
B. bgp additional-paths select
C. redistribute static
D. bgp advertise-best-external
Correct Answer: D
The bgp advertise-best-external command makes a BGP speaker advertise its best external path, that is, the best of the paths it learned from eBGP neighbors, to its iBGP peers even when its overall best path for the prefix is one learned from an iBGP peer. By default BGP advertises only its single best path, and within an AS that best path is usually chosen on the lowest IGP metric to the next hop (hot-potato routing). When the best path is an iBGP path, the router suppresses its own eBGP alternative, so the rest of the AS never hears about the second exit point and has nothing to fall back on when the primary exit fails. In this scenario, ASBR1 receives its paths from ASBR2, which acts as a route reflector, and ASBR2 has two paths for the same AS6500 prefixes, one through ASBR3 and one through ASBR4. Because only the best path is reflected, ASBR1 never learns the alternative path, and when the connection between ASBR1 and ASBR2 goes down there is no backup path to AS6500 already in place. Configuring bgp advertise-best-external makes the best external path available alongside the best path, so a backup path to AS6500 exists before the primary path fails. The remaining options do not solve this: bgp additional-paths install and bgp additional-paths select only control local installation and selection of additional paths and do not by themselves cause a suppressed external path to be advertised, and redistribute static is unrelated to the problem.
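An added configuration example, not from the exam exhibit, showing the command in context on an AS6000 border router. The router IDs, neighbor addresses, and the sample prefix 203.0.113.0/24 are assumed for illustration; the command goes under the address family where the AS6500 prefixes are exchanged.

```cisco
! ASBR in AS6000 (assumed addresses): eBGP to AS6500 on 192.0.2.2,
! iBGP to the other AS6000 border routers over loopbacks.
router bgp 6000
 bgp log-neighbor-changes
 neighbor 10.255.0.2 remote-as 6000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 192.0.2.2 remote-as 6500
 address-family ipv4
  ! the missing command: advertise the best eBGP-learned path to iBGP peers
  ! even when an iBGP-learned path is the overall best path
  bgp advertise-best-external
  ! install that external path as a backup in the RIB/FIB so failover is local (BGP PIC Edge)
  bgp additional-paths install
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 next-hop-self
  neighbor 192.0.2.2 activate
 exit-address-family
!
! --- Verification (203.0.113.0/24 stands for a prefix originated in AS6500) ---
! show bgp ipv4 unicast 203.0.113.0/24                      expect the best path plus a second path flagged as backup
! show bgp ipv4 unicast neighbors 10.255.0.2 advertised-routes   the external path is now sent to the iBGP peer
! show ip route 203.0.113.0 255.255.255.0                  one next hop in use, the repair path held in the RIB
```

When testing the failover, shut the eBGP session on the primary border router rather than the iBGP session; the point of the feature is that the alternate exit is already known to every iBGP speaker, so convergence no longer waits for a fresh UPDATE from the surviving router.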
Question 24:
Which architecture model establishes internet-based connectivity between on-premises networks and AWS cloud resources?
A. That establishes an IPsec VPN tunnel with Internet Key Exchange (IKE) for secure key negotiation and encrypted data transmission
B. That relies on AWS Elastic Load Balancing (ELB) for traffic distribution and uses SSL/TLS encryption for secure data transmission
C. That employs AWS Direct Connect for a dedicated network connection and uses private IP addresses for secure communication
D. That uses Amazon CloudFront for caching and distributing content globally and uses HTTPS for secure data transfer
Correct Answer: A
The architecture model that establishes internet-based connectivity between on-premises networks and AWS cloud resources is the one that builds an IPsec VPN tunnel with Internet Key Exchange (IKE) for secure key negotiation and encrypted data transmission: an AWS Site-to-Site VPN between a customer gateway on premises and a virtual private gateway (or transit gateway) in AWS. When multiple remote sites terminate on the same virtual private gateway, AWS calls the resulting hub-and-spoke topology VPN CloudHub. This model provides the following benefits. It enables secure communication between remote sites and AWS over the public internet, using IPsec for encryption and integrity and IKE for peer authentication and key exchange. It supports dynamic routing with BGP over the tunnels, so routing adjusts automatically to tunnel availability. It allows redundancy and load sharing across the two tunnels that each VPN connection provides, increasing the reliability and throughput of the connectivity. It simplifies management, because each remote site establishes tunnels to one virtual private gateway rather than to multiple VPCs or regions. The other options do not establish internet-based connectivity between on-premises networks and AWS. Option B relies on Elastic Load Balancing, which distributes incoming traffic across targets within a VPC, not across networks. Option C uses AWS Direct Connect, which is a dedicated private connection that bypasses the public internet. Option D uses Amazon CloudFront, which delivers static and dynamic web content to end users, not to on-premises networks.
References:
1: Designing and Implementing Cloud Connectivity (ENCC, Track 1 of 5)
2: Cisco ASA Site-to-Site VPN
3: What Is Elastic Load Balancing?
4: What is AWS Direct Connect?
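An added example of the IPsec-with-IKE model on a Cisco IOS XE customer gateway, not from the exam or from AWS's generated configuration. It uses IKEv2 with a route-based tunnel (VTI) and BGP over the inside link, which is the pattern AWS Site-to-Site VPN expects. The AWS tunnel endpoint 203.0.113.10, the inside addresses 169.254.10.0/30, the AS numbers, the on-premises prefix, and the PSK placeholder are assumed; AWS supplies the real values per tunnel, and a second Tunnel interface with the second endpoint is built the same way.

```cisco
! --- IKEv2: AES-256, SHA-256, DH group 14 (all supported by AWS Site-to-Site VPN) ---
crypto ikev2 proposal AWS-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy AWS-POLICY
 proposal AWS-PROPOSAL
!
! store pre-shared keys encrypted in the config (type 6) instead of in clear text
key config-key password-encrypt REPLACE-WITH-MASTER-KEY
password encryption aes
!
crypto ikev2 keyring AWS-KEYRING
 peer AWS-TUNNEL1
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-TUNNEL1-PSK
 !
!
crypto ikev2 profile AWS-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local AWS-KEYRING
 lifetime 28800
 dpd 10 3 on-demand
!
! --- IPsec (phase 2) with PFS so a leaked IKE key does not unwrap old sessions ---
crypto ipsec transform-set AWS-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AWS-IPSEC-PROFILE
 set transform-set AWS-TS
 set pfs group14
 set security-association lifetime seconds 3600
 set ikev2-profile AWS-PROFILE
!
! --- Route-based tunnel: the inside /30 is where BGP runs ---
interface Tunnel1
 ip address 169.254.10.2 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile AWS-IPSEC-PROFILE
!
! --- BGP to the virtual private gateway (assumed ASNs) ---
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.10.1 remote-as 64512
 neighbor 169.254.10.1 timers 10 30 30
 address-family ipv4
  neighbor 169.254.10.1 activate
  network 10.10.0.0 mask 255.255.0.0
 exit-address-family
!
! --- Verification ---
! show crypto ikev2 sa          IKE SA in READY state with the AWS endpoint
! show crypto ipsec sa          packets encrypted/decrypted counters increasing
! show bgp ipv4 unicast summary VPC routes received from 169.254.10.1
```

The outer tunnel endpoints are reachable from the internet, so lock the WAN interface down to IKE (UDP/500, UDP/4500) and ESP from the AWS endpoints only, and let the security of the data rest on the IPsec SA rather than on the inside 169.254.x addressing, which is link-local and not a trust boundary.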
Question 25:
Refer to the exhibit.
A network engineer discovers that the policy that is configured on an on-premises Cisco WAN edge router affects only the route tables of the specific devices that are listed in the site list. What is the problem?
A. An inbound policy must be applied.
B. The action must be set to deny
C. A localized data policy must be configured.
D. A centralized data policy must be configured
Correct Answer: D
A localized data policy is configured on each WAN edge router individually (through its device template or CLI) and affects only that device, so a policy configured on the on-premises router can never reach the rest of the overlay. A centralized data policy is configured on the vSmart controllers and applied to a site list; vSmart pushes it to every WAN edge in the listed sites, so one policy definition governs all the devices in the overlay that are meant to receive it. In this case the engineer wants the policy to affect the overlay rather than a single router, so a centralized data policy must be configured.
References:
Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module 3: Implementing Cloud Connectivity, Lesson 3: Implementing Cisco SD-WAN Cloud OnRamp for Colocation, Topic: Centralized Data Policy
Cisco SD-WAN Cloud OnRamp for Colocation Deployment Guide, Chapter: Configuring Centralized Data Policy
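An added example, not from the course or the deployment guide, of what a centralized data policy looks like on a vSmart controller: the policy is defined once and bound to a site list in apply-policy, and every WAN edge whose site-id is in that list receives it. The site IDs, VPN number, prefix, and color names are assumed for illustration.

```cisco
! vSmart controller configuration (assumed site IDs 100-199, service VPN 10)
policy
 lists
  site-list BRANCHES
   site-id 100-199
  !
  vpn-list VPN10
   vpn 10
  !
  ! data policy matches on data-prefix-lists (prefix-lists are for control policy)
  data-prefix-list CORP-DC
   ip-prefix 10.0.0.0/8
  !
 !
 data-policy DC-OVER-MPLS
  vpn-list VPN10
   sequence 10
    match
     destination-data-prefix-list CORP-DC
    !
    ! steer data-center bound traffic onto the MPLS TLOC of the local router
    action accept
     set
      local-tloc-list
       color mpls
       encap ipsec
      !
     !
    !
   !
   default-action accept
  !
 !
!
! binding to the site list is what makes it centralized: every edge in
! sites 100-199 receives the policy, applied to traffic entering from the LAN
apply-policy
 site-list BRANCHES
  data-policy DC-OVER-MPLS from-service
 !
!
! --- Verification on a WAN edge in the site list ---
! show sdwan policy from-vsmart     the data policy as received from the controller
! show sdwan policy data-policy-filter   per-sequence hit counters
```

The deny-by-default question to ask of any centralized data policy is what default-action does; accept here keeps traffic that matches nothing flowing, whereas default-action drop turns the policy into an allow-list for the whole site list at once.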
Question 26:
Which feature is unique to Cisco SD-WAN IPsec tunnels compared to native IPsec VPN tunnels?
A. real-time dynamic path selection
B. tunneling protocols
C. end-to-end encryption
D. authentication mechanisms
Correct Answer: A
Cisco SD-WAN IPsec tunnels differ from native IPsec VPN tunnels in several ways. One feature unique to Cisco SD-WAN IPsec tunnels is real-time dynamic path selection: the fabric can automatically choose the best path for each application based on measured network conditions and policy, which improves the performance, reliability, and efficiency of the network traffic. Native IPsec VPN tunnels do not have this capability and rely on static routing or manual configuration to select the path for each tunnel, which can result in suboptimal performance, increased latency, and higher costs. Tunneling protocols, end-to-end encryption, and authentication mechanisms are present in both.
References:
Traditional IPsec Versus Cisco SD-WAN IPsec
SD-WAN vs IPsec VPNs - What's the difference?
SD-WAN vs. VPN: How Do They Compare?
Traditional IPSEC Versus SD-WAN IPSEC
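The dynamic path selection described above is implemented in Cisco SD-WAN as an application-aware routing policy: an SLA class defines the loss, latency, and jitter a flow may tolerate, and the edge moves matching traffic between tunnels as BFD probes report the transports crossing those thresholds. Below is an added vSmart example of that policy, not from the page's references; the thresholds, site IDs, VPN, DSCP value, and color names are assumed.

```cisco
! vSmart controller configuration (assumed values)
policy
 ! the SLA the voice flows must meet; measured per tunnel by BFD probes
 sla-class VOICE-SLA
  loss 2
  latency 150
  jitter 30
 !
 lists
  site-list BRANCHES
   site-id 100-199
  !
  vpn-list VPN10
   vpn 10
  !
 !
 app-route-policy VOICE-PATH
  vpn-list VPN10
   sequence 10
    match
     ! EF-marked traffic (DSCP 46) is treated as voice here
     dscp 46
    !
    action
     ! prefer MPLS while it meets the SLA; when it does not, any tunnel that does is used
     sla-class VOICE-SLA preferred-color mpls
    !
   !
  !
 !
!
apply-policy
 site-list BRANCHES
  app-route-policy VOICE-PATH
 !
!
! --- Verification on a WAN edge ---
! show sdwan app-route sla-class     SLA classes received from vSmart
! show sdwan app-route stats         per-tunnel loss/latency/jitter and SLA compliance
! show sdwan bfd sessions            the probes that feed those statistics
```

A native IPsec tunnel has no equivalent because it measures nothing; once the static or IGP route points at a tunnel, traffic stays there until the tunnel is declared down, regardless of how badly it is performing.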
Question 27:
A company has multiple branch offices across different geographic locations and a centralized data center. The company plans to migrate its critical business applications to the public cloud infrastructure that is hosted in Microsoft Azure. The company requires high availability, redundancy, and low latency for its business applications. Which connectivity model meets these requirements?
A. ExpressRoute with private peering using SDCI
B. hybrid connectivity with SD-WAN
C. AWS Direct Connect with dedicated connections
D. site-to-site VPN with Azure VPN gateway
Correct Answer: A
The connectivity model that meets the requirements of high availability, redundancy, and low latency is ExpressRoute with private peering reached through an SDCI provider.
ExpressRoute provides a dedicated, private, high-bandwidth connection between the customer's on-premises network and Microsoft Azure that does not traverse the public internet.
Private peering is the ExpressRoute routing domain that gives access to resources deployed in Azure virtual networks, such as virtual machines, storage, and databases, over private IP addresses.
SDCI (software-defined cloud interconnect) providers such as Megaport or Equinix Fabric operate carrier-neutral interconnect fabrics: they terminate the company's circuits and provision virtual cross-connects to the ExpressRoute peering locations on demand, so the company needs no physical presence at an ExpressRoute location and can order a second circuit or peering location for redundancy. Cisco SD-WAN integrates with these providers through Cloud OnRamp for Multicloud.
Using ExpressRoute private peering through an SDCI fabric therefore gives the company private connectivity with predictable low latency and the ability to build redundant circuits and peering locations for high availability. The other options do not fit: AWS Direct Connect (option C) is the equivalent service for AWS, not Azure; a site-to-site VPN over the internet with an Azure VPN gateway (option D) does not provide the latency and availability guarantees; and hybrid connectivity with SD-WAN (option B) describes the WAN transport between sites, not the connection into Azure.
References:
What is Azure ExpressRoute?
Azure ExpressRoute peering
Cisco Secure Data Center Interconnect
ExpressRoute circuit and routing domain
Question 28:
A company with multiple branch offices wants a suitable connectivity model to meet these network architecture requirements:
1. high availability
2. quality of service (QoS)
3. multihoming
4. specific routing needs
Which connectivity model meets these requirements?
A. hub-and-spoke topology using MPLS with static routing and dedicated bandwidth for QoS
B. star topology with internet-based VPN connections and BGP for routing
C. hybrid topology that combines MPLS and SD-WAN
D. fully meshed topology with SD-WAN technology using dynamic routing and prioritized traffic for QoS
Correct Answer: D
A fully meshed topology with SD-WAN technology using dynamic routing and prioritized traffic for QoS meets the company's network architecture requirements. A fully meshed topology provides high availability by eliminating single points of failure and allowing multiple paths between branch offices. SD-WAN technology enables multihoming by supporting multiple transport options, such as MPLS, internet, and LTE. SD-WAN also provides QoS by applying policies that prioritize traffic based on application, user, or network conditions. Dynamic routing allows the SD-WAN solution to adapt to changing network conditions and optimize path selection for each traffic type. A fully meshed topology with SD-WAN technology can also support specific routing needs, such as segment routing, policy-based routing, or application-aware routing.
Question 29:
What is the role of service providers to establish private connectivity between on-premises networks and Google Cloud resources?
A. facilitate direct, dedicated network connections through Google Cloud Interconnect
B. enable intelligent routing and dynamic path selection using software-defined networking
C. provide end-to-end encryption for data transmission using native IPsec
D. accelerate content delivery through integration with Google Cloud CDN
Correct Answer: A
The role of service providers in establishing private connectivity between on-premises networks and Google Cloud resources is to facilitate direct, dedicated network connections through Cloud Interconnect. Cloud Interconnect lets customers connect their on-premises networks to Google Cloud with low latency, high bandwidth, and private connectivity that does not traverse the public internet, reaching Google Cloud services such as Compute Engine, Cloud Storage, and BigQuery, and it supports hybrid scenarios such as extending on-premises networks into Google Cloud regions. It comes in two forms. Dedicated Interconnect provides a physical connection between the customer's network and Google's network at a supported colocation facility. Partner Interconnect provides the connectivity through a supported service provider partner, which is where service providers come in: the partner terminates the customer's circuit and provides the path to Google's network. Both forms use VLAN attachments to establish private connectivity to Virtual Private Cloud (VPC) networks.
Question 30:
An engineer is implementing a highly secure multitier application in AWS that includes S3, RDS, and some additional private links. What is critical to keep the traffic safe?
A. VPC peering and bucket policies
B. specific routing and bucket policies
C. EC2 super policies and specific routing policies
D. gateway load balancers and specific routing policies
Correct Answer: B
A highly secure multitier application in AWS that includes S3, RDS, and additional private links requires specific routing and bucket policies to keep the traffic safe. Specific routing (VPC route tables that send S3 traffic to the S3 gateway endpoint and the other service traffic to interface endpoints or PrivateLink) keeps traffic between the tiers and to the AWS services on the AWS network and off the public internet, so neither the data nor the application logic is exposed to the internet. Bucket policies control access to the S3 buckets that hold the application data: they allow or deny requests based on conditions such as the source VPC endpoint (aws:SourceVpce), the source IP address, the request time, and the encryption status, and they enforce encryption in transit by denying requests with aws:SecureTransport set to false and encryption at rest by denying PutObject requests that do not carry the s3:x-amz-server-side-encryption header. VPC peering (option A) connects VPCs but does not by itself protect S3 access, and gateway load balancers and "EC2 super policies" (options C and D) are not the controls that secure S3 and RDS traffic.