350-401 Questions and Answers

https://www.aspiretransforms.com/2018/06/06/ insider-guide-cisco-sd-access/

We cannot filter traffic that is originated from the local router (R3 in this case) so we can only configure the ACL on R1 or R2. “Weekend hours” means from Saturday morning through Sunday night so we have to configure: “periodic weekend 00:00 to 23:59”.Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59.

Layer2 Flooding

Cisco SD-Access fabric provides many optimizations to improve unicast traffic flow, and to reduce the unnecessary flooding of data such as broadcasts. But, for some traffic and applications, it may be desirable to enable broadcast forwarding within the fabric.

By default, this is disabled in the Cisco SD-Access architecture. If broadcast, Link local multicast and Arp flooding is required, it must be specifically enabled on a per-subnet basis using Layer 2 flooding feature.

Layer 2 flooding can be used to forward broadcasts for certain traffic and

application types which may require leveraging of Layer 2 connectivity, such as silent hosts, card readers, door locks, etc.

+ Fabric edge node: This fabric device (for example, access or distribution layer

device) connects

When should I use the master controller mode on a WLC? – When there is a master controller enabled, all newly added access points with no primary, secondary, or tertiary controllers assigned associate with the master controller on the same subnet.

The collection that contains the resources to obtain a list of fabric nodes through the vManage API is the device inventory collection. This collection can be accessed through the Cisco Encor Documents and provides resources such as the Fabric Visualization, Device List, and Fabric Node Inventory APIs. These APIs can be used to obtain information about the fabric nodes, such as the device inventory, status, and version.

JWT: JSON Web Tokens are an open and standard (RFC 7519) way for you to represent your user's identity securely during a two-party interaction. That is to say, when two systems exchange data you can use a JSON Web Token to identify your user without having to send private credentials on every request.

 Option A is the properly formatted JSON script. JSON (JavaScript Object Notation) is a standard text-based format for representing structured data based on JavaScript object syntax. It is commonly used for transmitting data in web applications (e.g., sending some data from the server to the client, so it can be displayed on a web page, or vice versa). The JSON syntax rules are as follows12:

• Data is in name/value pairs, separated by commas. A name/value pair consists of a field name (in double quotes), followed by a colon, followed by a value: "name": "value".
• Curly braces hold objects. An object can contain multiple name/value pairs: {"name": "value", "name": "value", ...}.
• Square brackets hold arrays. An array can contain multiple values, separated by commas: ["value", "value", ...].
• Values can be strings (in double quotes), numbers, booleans (true or false), null, objects, or arrays.

Option A follows these rules and is a valid JSON script. It defines an object with four name/value pairs: "name", "age", "hobbies", and "address". The value of "name" is a string, the value of "age" is a number, the value of "hobbies" is an array of strings, and the value of "address" is another object with two name/value pairs: "city" and "country". The object is enclosed in curly braces and the name/value pairs are separated by commas.

Option B is not a valid JSON script because it uses single quotes instead of double quotes for the field names and string values. JSON requires double quotes for strings12.

Option C is not a valid JSON script because it does not use commas to separate the name/value pairs. JSON requires commas to separate the data elements within an object or an array12.

Option D is not a valid JSON script because it uses a semicolon instead of a colon to separate the field name and the value. JSON requires a colon to separate the name and the value in a name/value pair12. References: 1: JSON Introduction, 2: JSON Syntax

A picture containing timeline Description automatically generated

CEF uses a Forwarding Information Base (FIB) to make IP destination prefix-based switching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table. Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with earlier switching paths such as fast switching and optimum

switching.

Note: In order to view the Routing information base (RIB) table, use the “show ip route” command. To view the Forwarding Information Base (FIB), use the “show ip cef” command. RIB is in Control plane while FIB is in Data plane.

This is because EIGRP is an advanced distance vector routing protocol that uses a composite metric to calculate the best path to a destination. EIGRP has a default administrative distance value of 90, which means that it is more trustworthy than RIP (120) or OSPF (110), but less trustworthy than BGP (20). The source of this answer is the Cisco ENCOR v1.1 course, module 4, lesson 4.1: Implementing EIGRP.

The aaa authorization exec default group tacacs+ command enables TACACS+ exec authorization, which allows the TACACS+ server to grant access-level rights to remote users. Exec authorization determines whether the user can access the privileged EXEC mode or remain in user EXEC mode after authentication. The TACACS+ server can also assign a privilege level to the user based on the configuration of the server. The default keyword specifies that this is the default method list for exec authorization. The group tacacs+ keyword specifies that the TACACS+ server group defined by the tacacs server command is used for authorization.

Option B is the correct configuration to implement HSRP between two WAN routers with the given requirement. The configuration steps are as follows12:

• Define the HSRP group number and the virtual IP address for the group using the standby ip
   command. In this case, the group number is 300 and the virtual IP address is 10.10.10.1: standby 300 ip 10.10.10.1.
• Configure HSRP preemption and preemption delay using the standby preempt [delay [minimum] ] command. Preemption allows a router with higher priority to take over the active role from a router with lower priority. Preemption delay is the time that a router waits before taking over the active role in the HSRP group. In this case, the preemption delay is 100 seconds, which means that R1 will wait for 100 seconds before preempting R2 after R1 regains operational status: standby 300 preempt delay minimum 100.
• Configure the HSRP priority for the router using the standby priority  command. The priority determines which router is the active router and which router is the standby router. The higher the priority, the more likely the router is to become the active router. In this case, R1 has a priority of 200 and R2 has a priority of 100, which means that R1 is the preferred active router and R2 is the standby router: standby 300 priority 200 on R1 and standby 300 priority 100 on R2.

Option A is incorrect because it does not configure HSRP preemption and preemption delay, which are required by the question. Without preemption, R2 will remain the active router even if R1 has a higher priority and regains operational status. Without preemption delay, R1 will attempt to preempt R2 immediately, which may cause routing instability12.

Option C is incorrect because it configures HSRP preemption delay with the reload keyword, which means that the delay period applies only to the first interface-up event after the router has reloaded. This does not meet the requirement of the question, which states that the delay period should apply to any interface-up event after R1 fails and then regains operational status12.

Option D is incorrect because it configures HSRP preemption delay with the sync keyword, which means that the delay period applies only to the first interface-up event after the router has reloaded, and only if such an event occurs within 360 seconds from reload. This does not meet the requirement of the question, which states that the delay period should apply to any interface-up event after R1 fails and then regains operational status, and without any time limit12. References: 1: Configuring HSRP, 2: HSRP Configuration Guide

Source 1: https://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-1000v-switch-vmware-vsphere/at_a_glance_c45-5324 67.pdf

Source 2: https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/vm_fex/vmware/gui/config_guide/2-1/b_GUI_VMware_VM-FEX_UCSM_Configuration_Guide_2_1/b_GUI_VMware_VM-FEX_UCSM_Configuration_G uide_2_1_chapter_0110.pdf

R1

Router ospf 1

Int loop0

Ip ospf 1 area 0

Int et0/0

Ip ospf 1 area 0

Ip ospf network point-to-point

Copy run start

R2

Router ospf 1

Int loop0

Ip ospf 1 area 0

Int et0/0

Ip ospf 1 area 0

Ip ospf network point-to-point

Copy run start

Verification:-

DISTRO-SW1

Sw1

int vlan 100

standby 1 ip 192.168.1.1

standby 1 priority 110

standby 1 preempt

copy run start

DISTRO-SW2

SW2

int vlan 100

standby 1 ip 192.168.1.1

standby 1 preempt

copy run start

OR

MINOR CHANGE IN ABOVE HSRP SCENERIO

Graphical user interface, text, application, email Description automatically generated

Check the IP address 1.254 check the minimum 15 seconds solution get change.

DISTRO-SW1

Sw1

int vlan 100

glbp 1 ip 192.168.1.254

glbp 1 priority 110

glbp 1 timers 5 15

glbp 1 preempt

copy run start

DISTRO-SW2

SW2

int vlan 100

glbp 1 ip 192.168.1.254

glbp 1 timers 5 15

glbp 1 preempt

copy run start

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKCRS-2832.pdf

https://developer.cisco.com/docs/dna-center/#!api-quick-start/cisco-dna-center-platform-api-overview

The Python code in the exhibit defines a function called average that takes two parameters a and b and returns the arithmetic mean of them. The function is then called with the arguments 5 and 10, which are assigned to a and b respectively. The function returns (5 + 10) / 2, which is 7.5. Therefore, the result of the Python code is 7.5. References: Python Functions, Python Arithmetic Operators

This is because a virtual switch is a software-based switch that operates at the data link layer of the OSI model and provides connectivity between virtual machines that are running on the same physical host or different hosts. A virtual switch can also connect virtual machines to external networks, such as the Internet or a local area network, by using physical network adapters on the host. A virtual switch can perform the same functions as a physical switch, such as learning MAC addresses, forwarding frames, and applying VLANs. The source of this answer is the Cisco ENCOR v1.1 course, module 9, lesson 9.1: Implementing Network Virtualization.

Solution:

R1

Router ospf 1

Int loop0

Ip ospf 1 area 0

Int et0/0

Ip ospf 1 area 0

Ip ospf network point-to-point

Copy run start

R2

Router ospf 1

Int loop0

Ip ospf 1 area 0

Int et0/0

Ip ospf 1 area 0

Ip ospf network point-to-point

Copy run start

Verification:-

The Cisco DNA Center open platform for intent-based networking provides 360-

degree extensibility across multiple components, including:

+ Intent-based APIs leverage the controller to enable business and IT applications

to deliver intent to the network and to reap network analytics and insights for IT

and business innovation. These enable APIs that allow Cisco DNA Center to receive

input from a variety of sources, both internal to IT and from line-of-business

applications, related to application policy, provisioning, software image

management, and assurance.

…

 Clustering lets you group multiple Firepower Threat Defense (FTD) units together as a single logical device. Clustering is only supported for the FTD device on the Firepower 9300 and the Firepower 4100 series. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.}

As these wireless networks grow especially in remote facilities where IT professionals may not always be onsite, it becomes even more important to be able to quickly identify and resolve potential connectivity issuesideally before the users complain or notice connectivity degradation. To address these issues we have created Cisco’s Wireless Service Assurance and a new AP mode called “sensor”mode. Cisco’s Wireless Service Assurance platform has three components, namely, Wireless PerformanceAnalytics, Real-time Client Troubleshooting, and Proactive Health Assessment. Using a supported AP ordedicated sensor the device can actually function much like a WLAN client would associating andidentifying client connectivity issues within the network in real time without requiring an IT or technician to beon site.

From the output exhibit, we notice that the key-string of R1 is ―Cisco123!‖ (letter ―C‖ is in capital) while that of R2 is ―cisco123!‖. This causes a mismatch in the authentication so we have to fix their key-strings.

key-string [encryption-type] text-string: Configures the text string for the key. The text-string argument is alphanumeric, case-sensitive, and supports special characters.

Lines (CON, AUX, VTY) default to level 1 privileges.

The Intent API is a Northbound REST API that exposes specific capabilities of the Cisco DNA Center platform. The Intent API provides policy-based abstraction of business intent, allowing focus on an outcome rather than struggling with individual mechanisms steps.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116880-config-wpa2-psk-00.htm l

 An AP can be “primed” with up to three controllers—a primary, a secondary, and a tertiary. These are stored in nonvolatile memory so that the AP can remember them after a reboot or power failure.

A picture containing diagram Description automatically generated

option interface-table

This command causes the periodic sending of an options table, which will allow the collector to map the interface SNMP indexes provided in the flow records to interface names. The optional timeout can alter the frequency at which the reports are sent.

Router(config)# flow exporter FLOW-EXPORTER-1

Router(config-flow-exporter)# option interface-table

https://www.cisco.c om/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_02.html

sw2#show errdisable recovery

ErrDisable Reason Timer Status

----------------- --------------

arp-inspection Disabled

bpduguard Disabled

channel-misconfig (STP) Disabled

dhcp-rate-limit Disabled

dtp-flap Disabled

gbic-invalid Disabled

inline-power Disabled

l2ptguard Disabled

link-flap Disabled

mac-limit Disabled

link-monitor-failure Disabled

loopback Disabled

oam-remote-failure Disabled

pagp-flap Disabled

port-mode-failure Disabled

pppoe-ia-rate-limit Disabled

psecure-violation Disabled

security-violation Disabled

sfp-config-mismatch Disabled

storm-control Disabled

udld Disabled

unicast-flood Disabled

sw2#

According to the requirements (first use TACACS+, then allow login with no authentication), we

have to use “aaa authentication login … group tacacs+ none” for AAA command.

The next thing to check is the if the “aaa authentication login default” or “aaa authentication

login list-name” is used. The ‘default’ keyword means we want to apply for all login connections

(such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything

else under tty, vty and aux lines. If we don’t use this keyword then we have to specify which

line(s) we want to apply the authentication feature.

From above information, we can find out answer 'R1#sh run | include aaa

aaa new-model

aaa authentication login default group tacacs+ none

aaa session-id common

R1#sh run | section vty

line vty 0 4

password 7 0202039485748

If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS

Tutorial – Part 2.

For your information, answer 'R1#sh run | include aaa

aaa new-model

aaa authentication login telnet group tacacs+ none

aaa session-id common

R1#sh run | section vty

line vty 0 4

R1#sh run | include username

R1#' would be correct if we add the following command under vty line (“line vty 0 4”): “login

authentication telnet” (“telnet” is the name of the AAA list above)

A picture containing diagram Description automatically generated

PIM-DM supports only source trees – that is, (S,G) entries–and cannot be used to build a shared distribution tree.

Low latency queuing (LLQ) adds a priority queue to CBWFQ from which delay-sensitive traffic, such as voice traffic, can be transmitted ahead of packets in other queues.

By configuring the quality of service (QoS), you can provide preferential treatment to specific types of traffic at the expense of other traffic types. Without QoS, the device offers best-effort service for each packet, regardless of the packet contents or size. The device sends the packets without any assurance of reliability, delay bounds, or throughput.

The following are specific features provided by QoS:

• Low latency
• Bandwidth guarantee
• Buffering capabilities and dropping disciplines
• Traffic policing
• Enables the changing of the attribute of the frame or packet header
• Relative services

• Modular QoS Command-Line Interface
• Supported QoS Features for Wired Access
• Hierarchical QoS

Cisco TrustSec uses tags to represent logical group privilege. This tag, called a Security Group Tag

(SGT), is used in access policies. The SGT is understood and is used to enforce traffic by Cisco

switches, routers and firewalls . Cisco TrustSec is defined in three phases: classification,

propagation and enforcement.

When users and devices connect to a network, the network assigns a specific security group. This

process is called classification. Classification can be based on the results of the authentication

or by associating the SGT with an IP, VLAN, or port-profile (-> Answer 'security group tag

ACL assigned to each port on a switch' and answer 'security group tag number assigned to each

user on a switch' are not correct as they say “assigned … on a switch” only. Answer 'security group

tag ACL assigned to each router on a network' is not correct either as it says “assigned to each

router”).

The Design area is where you create the structure and framework of your network, including the physical topology, network settings, and device type profiles that you can apply to devices throughout your network. Use the Design workflow if you do not already have an existing infrastructure. If you have an existing infrastructure, use the Discovery feature.

https://www.cisco.com/c/en/us/td/docs/clou d-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_0110.html

“The next step is to configure the WLC for the Internal web authentication. Internal web authentication is the defaultweb authentication type on WLCs.”

In step 4 of the link above, we will configure Security as described in this question. Therefore we can deduce thisconfiguration is for Internal web authentication.

This paragraph was taken from the link https://www.ci sco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html#c5 :

• Step 1. Create the loopback interface using the interface loopback number global configuration command.
• Step 2. Add a description. Although optional, it is a necessary component for documenting a network.
• Step 3. Configure the IP address.

For example, the following commands configure a loopback interface of the R1 router shown in (shown earlier in the chapter):

R1# configure terminal

R1(config)# interface loopback 0

R1(config-if)# ip address 10.0.0.1 255.255.255.0

R1(config-if)# exit

R1(config)#

cisco_R3#show run int e0/0.50

Building configuration...

Current configuration : 189 bytes

!

interface Ethernet0/0.50

encapsulation dot1Q 50

ip address 10.111.10.1 255.255.255.252

ip ospf network point-to-point <<<<<<<<<<<<<<<<<<<

ip ospf 1 area 22

bfd interval 999 min_rx 999 multiplier 3

end

cisco_R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

192.168.255.2 1 FULL/DROTHER 00:00:33 192.168.255.2 Ethernet0/0.10

200.200.200.200 1 FULL/DR 00:00:34 192.168.255.22 Ethernet0/0.10

5.5.5.5 0 FULL/ - 00:00:34 10.111.10.2 Ethernet0/0.50 <<<<<<<<<<<<<<<<<

cisco_R3#

Operation Modes

There are two modes of operation for the FlexConnect AP.

• Connected mode: The WLC is reachable. In this mode the FlexConnect AP has CAPWAP connectivity with its WLC.
• Standalone mode: The WLC is unreachable. The FlexConnect has lost or failed to establish CAPWAP connectivity with its WLC. A WAN-link outage between a branch and its central site is a example of such a mode of operation.

FlexConnect States

A FlexConnect WLAN, depending on its configuration and network connectivity, is classified as being in one of the following defined states.

• Authentication-Central/Switch-Central: This state represents a WLAN that uses a centralized authentication method such as 802.1X, VPN, or web. User traffic is sent to the WLC via CAPWAP (Central switching). This state is supported only when FlexConnect is in connected mode.
• Authentication Down/Switching Down: Central switched WLANs no longer beacon or respond to probe requests when the FlexConnect AP is in standalone mode. Existing clients are disassociated.
• Authentication-Central/Switch-Local: This state represents a WLAN that uses centralized authentication, but user traffic is switched locally. This state is supported only when the FlexConnect AP is in connected mode.
• Authentication-Down/Switch-Local: A WLAN that requires central authentication rejects new users. Existing authenticated users continue to be switched locally until session time-out if configured. The WLAN continues to beacon and respond to probes until there are no more existing users associated to the WLAN. This state occurs as a result of the AP going into standalone mode.
• Authentication-local/switch-local: This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a FlexConnect goes into standalone mode. The WLAN continues to beacon and respond to probes. Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.

A picture containing table Description automatically generated

Separation of Privilege: Granting permissions to an entity should not be purely based on a single condition, a combination of conditions based on the type of resource is a better idea.

https://restfulapi.net/security-essentials/#:~:tex t=REST%20Security%20Design%20Principles&text=Least%20Privilege%3A%20An%20entity%20should,when%20no%20longer%20in%20use.

Cisco DNA Center creates the backup files and posts them to a remote server. Each backup is uniquely stored using the UUID as the directory name.To support Assurance data backups, the server must be a Linux-based NFS server that meets the following requirements:– Support NFS v4 and NFS v3.– Cisco DNA Center stores backup copies of Assurance data on an external NFS device and automation data on an external remote sync (rsync) target location.– The remote share for backing up an Assurance database (NDP) must be an NFS share.

Suppose a transmitter is configured for a power level of 10 dBm. A cable with 5-dB loss connects the transmitter to an antenna with an 8-dBi gain. The resulting EIRP of the system is EIRP = 10 dBm – 5 dB + 8 dBi = 13 dBm.

https://www.cisco.com/c/en/us/support/docs/smb/switches/cis co-550x-series-stackable-managed-switches/smb5797-configure-ip-sla-tracking-for-ipv4-static-routes-on-an-sg550.html

The ―autocommand‖ causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line. In this specific question, we have to enter this line ―username CCNP autocommand show running-config‖.

A fabric edge node provides onboarding and mobility services for wired users and devices (including fabric-enabled WLCs and APs) connected to the fabric. It is a LISP tunnel router (xTR) that also provides the anycast gateway, endpoint authentication, and assignment to overlay host pools (static or DHCP), as well as group-based policy enforcement (for traffic to fabric endpoints).

From Cisco's guide, under SDA roaming - When a client on a fabric enabled WLAN, roams from an access point to another access point on a different access-switch, it is called Inter-xTR, like a highway. Intra is within intra is between. Like interstate highways. That's how I remember. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/mobility.html

An example of configuring NTP authentication is shown below:

Router1(config)#ntp authentication-key 2 md5 itexamanswersRouter1(config)#ntp authenticateRouter1(config)#ntp trusted-key 2

Table Description automatically generated

+ accepts LISP encapsulated map requests: LISP map resolver

+ learns of EID prefix mapping entries from an ETR: LISP map server

+ receives traffic from LISP sites and sends it to non-LISP sites: LISP

proxy ETR

+ receives packets from site-facing interfaces: LISP ITR

Explanation

ITR is the function that maps the destination EID to a destination RLOC and then

encapsulates the original packet with an additional header that has the source IP address of

the ITR RLOC and the destination IP address of the RLOC of an Egress Tunnel Router (ETR).

After the encapsulation, the original packet become a LISP packet.

ETR is the function that receives LISP encapsulated packets, decapsulates them and

forwards to its local EIDs. This function also requires EID-to-RLOC mappings so we need to

point out an “map-server” IP address and the key (password) for authentication.

A LISP proxy ETR (PETR) implements ETR functions on behalf of non-LISP sites. A PETR is

typically used when a LISP site needs to send traffic to non-LISP sites but the LISP site is

connected through a service provider that does not accept no routable EIDs as packet

sources. PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP

sites.

Map Server (MS) processes the registration of authentication keys and EID-to-RLOC

mappings. ETRs sends periodic Map-Register messages to all its configured Map Servers.

Map Resolver (MR): a LISP component which accepts LISP Encapsulated Map Requests,

typically from an ITR, quickly determines whether or not the destination IP address is part

of the EID namespace

CoPP protects the route processor on network devices by treating route processor

resources as a separate entity with its own ingress interface (and in some

implementations, egress also). CoPP is used to police traffic that is destined to the

route processor of the router such as:

+ routing protocols like OSPF, EIGRP, or BGP.

+ Gateway redundancy protocols like HSRP, VRRP, or GLBP.

+ Network management protocols like telnet, SSH, SNMP, or RADIUS.

Therefore we must apply the CoPP to deal with SSH because it is in the

management plane. CoPP must be put under “control-plane” command.

This control determines whether the Wireless LAN Controller is configured to prevent clients connected to the same Wireless Local Area Controller from communicating with each other.

Wireless Client Isolation prevents wireless clients from communicating with each other over the RF. Packets that arrive on the wireless interface are forwarded only out the wired interface of an Access Point. One wireless client could potentially compromise another client sharing the same wireless network.

R3 advertises BGP updates to R1 with multiple AS 100 so R3 believes the path to reach AS 200 via R3 is farther than R2 so R3 will choose R2 to forward traffic to AS 200.

Table Description automatically generated

There are four messages sent between the DHCP Client and DHCP Server: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACKNOWLEDGEMENT.

This process is often abbreviated as DORA (for Discover, Offer, Request, Acknowledgement).

The last command should be “R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10”.

The TCP port 6514 has been allocated as the default port for syslog over Transport Layer Security

(TLS).

The ―ip sla 10‖ will ping the IP 192.168.10.20 every 3 seconds to make sure the connection is still up. We can configure an EEM applet if there is any problem with this IP SLA via the command ―event track 10 state down‖.

Diagram Description automatically generated

The BFD (Bidirectional Forwarding Detection) is a protocol that detects link failures as part of the Cisco SD-WAN (Viptela) high availability solution, is enabled by default on all vEdge routers, and you cannot disable it.

Coverage defines the ability of wireless clients to connect to a wireless AP with a signal strength and quality high enough to overcome the effects of RF interference. The edge of the coverage for an AP is based on the signal strength and SNR measured as the client device moves away from the AP.

The signal strength required for good coverage varies dependent on the specific type of client devices and applications on the network.

To accommodate the requirement to support wireless Voice over IP (VoIP), refer to the RF guidelines specified in the Cisco 7925G Wireless IP Phone Deployment Guide. The minimum recommended wireless signal strength for voice applications is -67 dBm and the minimum SNR is 25 dB.

The first step in the analysis of a post site survey is to verify the ‘Signal Coverage’. The signal coverage is measured in dBm. You can adjust the color-coded signal gauge to your minimum-allowed signal level to view areas where there are sufficient and insufficient coverage. The example in Figure 8 shows blue, green, and yellow areas in the map have signal coverage at -67 dBm or better. The areas in grey on the coverage maps have deficient coverage. Source from Cisco

https://www.cis co.com/c/en/us/td/docs/wireless/technology/vowlan/troubleshooting/vowlan_troubleshoot/8_Site_Survey_RF_Design_Valid.html

With BGP, we must advertise the correct network and subnet mask in the “network” command (in

this case network 10.1.1.0/24 on R1 and network 10.2.2.0/24 on R2). BGP is very strict in the

routing advertisements. In other words, BGP only advertises the network which exists exactly in

the routing table. In this case, if you put the command “network x.x.0.0 mask 255.255.0.0” or

“network x.0.0.0 mask 255.0.0.0” or “network x.x.x.x mask 255.255.255.255” then BGP will not

advertise anything.

It is easy to establish eBGP neighborship via the direct link. But let’s see what are required when

we want to establish eBGP neighborship via their loopback interfaces. We will need two

commands:

+ the command “neighbor 10.1.1.1 ebgp-multihop 2” on R1 and “neighbor 10.2.2.2 ebgpmultihop

2” on R1. This command increases the TTL value to 2 so that BGP updates can reach the

BGP neighbor which is two hops away.

+ Answer ‘R1 (config) #router bgp 1

R1 (config-router) #neighbor 192.168.10.2 remote-as 2

R1 (config-router) #network 10.1.1.0 mask 255.255.255.0

R2 (config) #router bgp 2

R2 (config-router) #neighbor 192.168.10.1 remote-as 1

R2 (config-router) #network 10.2.2.0 mask 255.255.255.0

Quick Wireless Summary

Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight

+ Autonomous: self-sufficient and standalone. Used for small wireless networks.

+ Lightweight: A Cisco lightweight AP (LAP) has to join a Wireless LAN Controller (WLC) to function.

LAP and WLC communicate with each other via a logical pair of CAPWAP tunnels.

– Control and Provisioning for Wireless Access Point (CAPWAP) is an IETF standard for control

messaging for setup, authentication and operations between APs and WLCs. CAPWAP is similar to

LWAPP except the following differences:

+CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to

protect traffic between APs and controllers. LWAPP uses AES.

+ CAPWAP has a dynamic maximum transmission unit (MTU) discovery mechanism.

+ CAPWAP runs on UDP ports 5246 (control messages) and 5247 (data messages)

An LAP operates in one of six different modes:

+ Local mode (default mode): measures noise floor and interference, and scans for intrusion

detection (IDS) events every 180 seconds on unused channels

+ FlexConnect, formerly known as Hybrid Remote Edge AP (H-REAP), mode: allows data traffic

to be switched locally and not go back to the controller. The FlexConnect AP can perform standalone

client authentication and switch VLAN traffic locally even when it’s disconnected to the WLC (Local

Switched). FlexConnect AP can also tunnel (via CAPWAP) both user wireless data and control traffic to

a centralized WLC (Central Switched).

+ Monitor mode: does not handle data traffic between clients and the infrastructure. It acts like a

sensor for location-based services (LBS), rogue AP detection, and IDS

+ Rogue detector mode: monitor for rogue APs. It does not handle data at all.

+ Sniffer mode: run as a sniffer and captures and forwards all the packets on a particular channel to

a remote machine where you can use protocol analysis tool (Wireshark, Airopeek, etc) to review the

packets and diagnose issues. Strictly used for troubleshooting purposes.

+ Bridge mode: bridge together the WLAN and the wired infrastructure together.

Mobility Express is the ability to use an access point (AP) as a controller instead of a real WLAN

controller. But this solution is only suitable for small to midsize, or multi-site branch locations where

you might not want to invest in a dedicated WLC. A Mobility Express WLC can support up to 100 Aps

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BR KEWN-3010.pdf

Graphical user interface Description automatically generated with low confidence