Cisco CCNP Enterprise 350-401 Questions & Answers

• Question 1211:

  What is the data policy in a Cisco SD-WAN deployment?

  A. list of ordered statements that define node configurations and authentication used within the SDWAN overlay

  B. Set of statements that defines how data is forwarded based on IP packet information and specific VPNs

  C. detailed database mapping several kinds of addresses with their corresponding location

  D. group of services tested to guarantee devices and links liveliness within the SD-WAN overlay

  Correct Answer: B

  The Cisco SD-WAN architecture implements two types of data policy:

  Centralized data policy controls the flow of data traffic based on the source and destination addresses and ports and DSCP fields in the packet's IP header (referred to as a 5-tuple), and based on network segmentation and VPN membership. These types of data policy are provisioned centrally, on the Cisco vSmart controller, and they affect traffic flow across the entire network.

  Localized data policy controls the flow of data traffic into and out of interfaces and interface queues on a Cisco vEdge device. This type of data policy is provisioned locally using access lists. It allows you to classify traffic and map different classes to different queues. It also allows you to mirror traffic and to police the rate at which data traffic is transmitted and received.

• Question 1212:

  Wireless users report frequent disconnections from the wireless network. While troubleshooting, a network engineer finds that after the user is disconnected, the connection re-establishes automatically without any input required. The engineer also notices these message logs:

  AP 'AP2' is down. Reason: Radio channel set. 6:54:04 PM AP 'AP4' is down. Reason: Radio channel set. 6:44:49 PM AP 'AP7' is down. Reason: Radio channel set. 6:34:32 PM

  Which action reduces the user impact?

  A. increase the AP heartbeat timeout

  B. increase BandSelect

  C. enable coverage hole detection

  D. increase the dynamic channel assignment interval

  Correct Answer: D

  These message logs inform that the radio channel has been reset (and the AP must be down briefly). With dynamic channel assignment (DCA), the radios can frequently switch from one channel to another but it also makes disruption. The default DCA interval is 10 minutes, which is matched with the time of the message logs. By increasing the DCA interval, we can reduce the number of times our users are disconnected for changing radio channels.

• Question 1213:

  While configuring an IOS router for HSRP with a virtual IP of 10.1.1.1, an engineer sees this log message.

  Jan 1 12:12:12.111 : %HSRP-4-DIFFVIP1: GigabitEthernet0/0 Grp 1 active routers virtual IP address 10.1.1.1 is different to the locally configured address 10.1.1.25

  Which configuration change must the engineer make?

  A. Change the HSRP group configuration on the remote router to 1.

  B. Change the HSRP group configuration on the local router to 1.

  C. Change the HSRP virtual address on the remote router to 10.1.1.1.

  D. Change the HSRP virtual address on the local router to 10.1.1.1.

  Correct Answer: D

  Syslog points to local router having VIP ip 10.1.1.25, and remote router in g0/0 interface having 10.1.1.1. We want latter to all routers in HSRP so we need to configure local router, hence B. "is different to the locally configured..."

• Question 1214:

  Which configuration restricts the amount of SSH that a router accepts 100 kbps?

  A. class-map match-all CoPP_SSH match access-group name CoPP_SSH ! Policy-map CoPP_SSH class CoPP_SSH police cir 100000 exceed-action drop ! ! ! Interface GigabitEthernet0/1 ip address 209.165.200.225 255.255.255.0 ip access-group CoPP_SSH out duplex auto speed auto media-type rj45 service-policy input CoPP_SSH ! ip access-list extended CoPP_SSH permit tcp any any eq 22 !

  B. class-map match-all CoPP_SSH match access-group name CoPP_SSH ! Policy-map CoPP_SSH class CoPP_SSH police cir CoPP_SSH exceed-action drop ! Interface GigabitEthernet0/1 ip address 209.165.200.225 255.255.255.0 ip access-group ... out duplex auto speed auto media-type rj45 service-policy input CoPP_SSH ! Ip access-list extended CoPP_SSH deny tcp any any eq 22 !

  C. class-map match-all CoPP_SSH match access-group name CoPP_SSH ! Policy-map CoPP_SSH class CoPP_SSH police cir 100000 exceed-action drop ! Control-plane service-policy input CoPP_SSH ! Ip access-list extended CoPP_SSH deny tcp any any eq 22 !

  D. class-map match-all CoPP_SSH match access-group name CoPP_SSH ! Policy-map CoPP_SSH class CoPP_SSH police cir 100000 exceed-action drop ! Control-plane transit service-policy input CoPP_SSH ! Ip access-list extended CoPP_SSH permit tcp any any eq 22 !

  Correct Answer: C

  CoPP protects the route processor on network devices by treating route processor resources as a separate entity with its own ingress interface (and in some implementations, egress also). CoPP is used to police traffic that is destined to the route processor of the router such as:

  +

  routing protocols like OSPF, EIGRP, or BGP.

  +

  Gateway redundancy protocols like HSRP, VRRP, or GLBP. + Network management protocols like telnet, SSH, SNMP, or RADIUS.

  

  Therefore we must apply the CoPP to deal with SSH because it is in the management plane. CoPP must be put under "control-plane" command.

• Question 1215:

  An engineer has deployed a single Cisco 5520 WLC with a management IP address of 172.16.50.5/24. The engineer must register 50 new Cisco AIR-CAP2802I-E-K9 access points to the WLC using DHCP option 43. The access points are connected to a switch in VLAN 100 that uses the 172.16.100.0/24 subnet. The engineer has configured the DHCP scope on the switch as follows:

  

  The access points are failing to join the wireless LAN controller. Which action resolves the issue?

  A. configure option 43 Hex F104.AC10.3205

  B. configure option 43 Hex F104.CA10.3205

  C. configure dns-server 172.16.50.5

  D. configure dns-server 172.16.100.1

  Correct Answer: A

  172.16.50.5 in hex is We will have the answer from this paragraph: "TLV values for the Option 43 suboption: Type + Length + Value. Type is always the suboption code 0xf1. Length is the number of controller management IP addresses times

  4 in hex. Value is the IP address of the controller listed sequentially in hex. For example, suppose there are two controllers with management interface IP addresses, 192.168.10.5 and 192.168.10.20. The type is 0xf1. The length is 2 * 4 = 8 =

  0x08. The IP addresses translates to c0a80a05 (192.168.10.5) and c0a80a14 (192.168.10.20). When the string is assembled, it yields f108c0a80a05c0a80a14. The Cisco IOS IT Certification Guaranteed, The Easy Way! 81command that is

  added to the DHCP scope is option 43 hex f108c0a80a05c0a80a14."

  Reference: Click

  Therefore in this question the option 43 in hex should be "F104.AC10.3205 (the management IP address of 172.16.50.5 in hex is AC.10.32.05).

• Question 1216:

  A network engineer configures BGP between R1 and R2. Both routers use BGP peer group CORP and are set up to use MD5 authentication. This message is logged to the console of router R1:

  `May 5 39:85:55.469: %TCP-6-BADAUTH` Invalid MD5 digest from 10.10.10.1 (29832) to 10.120.10.1 (179) tebleid -0

  Which two configurations allow a peering session to form between R1 and R2? (Choose two.)

  A. R1(config-router)#neighbor 10.10.10.1 peer-group CORP R1(config-router)#neighbor CORP password Cisco

  B. R2(config-router)#neighbor 10.120.10.1 peer-group CORP R2(config-router)#neighbor CORP password Cisco

  C. R2(config-router)#neighbor 10.10.10.1 peer-group CORP R2(config-router)#neighbor PEER password Cisco

  D. R1(config-router)#neighbor 10.120.10.1 peer-group CORP R1(config-router)#neighbor CORP password Cisco

  E. R2(config-router)#neighbor 10.10.10.1 peer-group CORP R2(config-router)#neighbor CORP password Cisco

  Correct Answer: AB

  The log is on R1.The question states the console output is from R1, which means that R1 is 10.120.10.1, and R2 is 10.10.10.1. If you missed that you may have assumed the reverse and picked DE.

• Question 1217:

  Refer to the exhibit. A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using IPsec profiles. Which two configuration changes accomplish this? (Choose two).

  

  A. Apply the crypto map to the tunnel interface and change the tunnel mode to tunnel mode ipsec ipv4.

  B. Create an IPsec profile, associate the transform-set. and apply the profile to the tunnel interface.

  C. Remove the crypto map and modify the ACL to allow traffic between 10.10.0.0/24 to 10.20.0.0/24.

  D. Remove all configuration related to crypto map from R1 and R2 and eliminate the ACL

  E. Create an IPsec profile, associate the transform-set ACL. and apply the profile to the tunnel interface

  Correct Answer: BD

• Question 1218:

  A company plans to implement intent-based networking in its campus infrastructure.

  Which design facilitates a migration from a traditional campus design to a programmable fabric design?

  A. Layer 2 access

  B. three-tier

  C. two-tier

  D. routed access

  Correct Answer: D

  Layer 3 Routed Access--The use of a Layer 3 routed access network for the fabric provides the highest level of availability without the need to use loop avoidance protocols such as Spanning-Tree (STP), interface bundling techniques using link aggregation technologies such as EtherChannel, and Layer 2 redundancy technologies like StackWise Virtual (SVL), Virtual Switching System (VSS), or Nexus Virtual Port-Channels (vPCs).

  Reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.pdf#%5B%7B%22num%22%3A37%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C272%2C708%2C0%5D

• Question 1219:

  SIMULATION

  Guidelines

  This is a lab item in which tasks will be performed on virtual devices.

  1.

  Refer to the Tasks tab to view the tasks for this lab item.

  2.

  Refer to the Topology tab to access the device console(s) and perform the tasks.

  3.

  Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.

  4.

  All necessary preconfigurations have been applied.

  5.

  Do no remove any existing configurations from the devices, only those necessary to make the appropriate changes required to fulfill the listed tasks.

  6.

  Do not change the enable password or hostname for any device.

  7.

  Save your configurations to NVRAM before moving to the next item.

  8.

  Click Next at the bottom of the screen to submit this lab and move to the next question

  9.

  When Next is clicked, the lab closes and cannot be reopened.

  Topology

  

  Tasks

  OSPF is partially configured. Complete the OSPF configurations to achieve these goals:

  1.

  Configure OSPF on router R1 according to the topology so that all networks are advertised. Do not use the network statement under the “router ospf” configuration section to accomplish this task.

  2.

  Configure a single command on the ABR routers to ensure only one summary route is advertised to area 0.

  R1

  

  

  

  

  A. See the solution below in Explanation.

  B. Place Holder

  C. Place Holder

  D. Place Holder

  Correct Answer: A

  R1:

  To advertise all connected networks without using the network statement, we will configure OSPF on each interface:

  Router#configure terminal

  Enter configuration commands, one per line. End with END or Ctrl-Z.

  R1(config)#interface Ethernet0/0

  R1(config-if)#ip ospf 1 area 0

  R1(config-if)#end

  R1(config)#interface Ethernet0/1

  R1(config-if)#ip ospf 1 area 0

  R1(config-if)#end R1(config)#interface Ethernet0/2 R1(config-if)#ip ospf 1 area 10 R1(config-if)#end R1(config)#end

  To ensure only one summary route is advertised to Area 0, we can use the summary-address command on the ABRs. In this case, we'll summarize the entire Area 10:

  R2: R2#configure terminal Enter configuration commands, one per line. End with END or Ctrl-Z. R2(config)#router ospf 1 R2(config-router)#summary-address 10.1.0.0 255.255.0.0 R2(config-router)#exit R2(config)#end

  R3: R3#configure terminal Enter configuration commands, one per line. End with END or Ctrl-Z. R3(config)#router ospf 1 R3(config-router)#summary-address 10.2.0.0 255.255.0.0 R3(config-router)#exit R3(config)#end

• Question 1220:

  SIMULATION

  Guidelines

  This is a lab item in which tasks will be performed on virtual devices.

  1.

  Refer to the Tasks tab to view the tasks for this lab item.

  2.

  Refer to the Topology tab to access the device console(s) and perform the tasks.

  3.

  Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.

  4.

  All necessary preconfigurations have been applied.

  5.

  Do no remove any existing configurations from the devices, only those necessary to make the appropriate changes required to fulfill the listed tasks.

  6.

  Do not change the enable password or hostname for any device.

  7.

  Save your configurations to NVRAM before moving to the next item.

  8.

  Click Next at the bottom of the screen to submit this lab and move to the next question

  9.

  When Next is clicked, the lab closes and cannot be reopened.

  Topology

  

  Tasks

  The Operations team started configuring several monitoring activities. Complete the configurations for the tasks below.

  1.

  Enable Flexible NetFlow on R1 E0/0 in both directions using the pre-configured flow monitor.

  2.

  Configure the switch port analyzer on Sw1 and mirror all VLAN 12 traffic to interface E1/3 using session number 12.

  3.

  Configure a basic IP SLA ICMP echo operation on R1 to ping PC1 every 300 seconds.

  R1

  

  

  

  A. See the solution below in Explanation.

  B. Place Holder

  C. Place Holder

  D. Place Holder

  Correct Answer: A

  R1 Configuration (Enable Flexible NetFlow) Router#configure terminal Enter configuration commands, one per line. End with END or Ctrl-Z. R1(config)#interface Ethernet0/0 R1(config-if)#ip flow ingress R1(config-if)#ip flow egress R1(config-if)#ip flow monitor Monitor-R1Flow input interface R1(config-if)#ip flow monitor Monitor-R1Flow output interface R1(config-if)#end

  Sw1 Configuration (Configure SPAN) Sw1#configure terminal Enter configuration commands, one per line. End with END or Ctrl-Z. Sw1(config)#monitor session 12 source interface VLAN12 Sw1(config)#monitor session 12 destination interface Ethernet1/3 Sw1(config)#end

  R1 Configuration (Configure IP SLA ICMP Echo) R1#configure terminal Enter configuration commands, one per line. End with END or Ctrl-Z. R1(config)#ip sla icmp-echo operation 1 R1(config-ip-sla-icmp)#source-interface Ethernet0/0 R1(config-ip-sla-icmp)#destination 10.12.1.2 R1(config-ip-sla-icmp)#frequency 300 R1(config-ip-sla-icmp)#exit R1(config)#end