350-401 Questions and Answers

When a client device roams from AP1 on WLC1 to AP2 on WLC2, and the controller’s client interfaces are on different VLANs, the wireless LAN controllers handle the inter-subnet roaming as follows:

Option A: WLC1 marks the client with an anchor entry in its own database. The database entry is copied to the new controller (WLC2) and marked with a foreign entry on WLC2.

Option B: WLC2 marks the client with an anchor entry in its own database. The database entry is copied to the new controller (WLC1) and marked with a foreign entry on WLC1.

Option C: WLCl marks the client with a foreign entry in its own database. The database entry is copied to the new controller (WLC2) and marked with an anchor entry on WLC2.

Option D: WLC2 marks the client with a foreign entry in its own database. The database entry is copied to the new controller (WLC1) and marked with an anchor entry on WLC1.

 The Cisco DNA Center telemetry feature significantly enhances the user experience by enabling every point on the network to become a sensor. This allows for continuous streaming telemetry on application performance and user connectivity in real-time. The feature includes automatic path-trace visibility and guided remediation, which means network issues can be resolved quickly — often before they escalate into problems. This proactive approach to network management ensures a smoother, more reliable user experience.

The configuration line ‘aaa authentication login default group ISE-Servers local enable’ sets up the router to use the ISE-Servers group for authentication first. If both servers in the ISE-Servers group are unavailable, it falls back to using the local username database (‘local’). If there are no usernames defined in the configuration, then as a last resort, it uses the enable password (‘enable’) for login. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) training materials.

 Intercontroller roaming between two Wireless LAN Controllers (WLCs) requires a CAPWAP tunnel to be established for the client’s data traffic to be transmitted as if it is still associated with the original IP subnet and WLC. This is necessary when a wireless client roams from one WLC to another, potentially across different IP subnets, and needs to maintain its current IP address for seamless connectivity.

VTEP, or VXLAN Tunnel Endpoint, is the component in VXLAN architecture responsible for encapsulating and decapsulating Ethernet frames. It acts as the interface between the overlay network where VXLAN operates and the underlay network, which is typically the physical network infrastructure. When encapsulating, the VTEP adds VXLAN headers to the original Ethernet frame, creating a VXLAN packet that can be transmitted over the underlay network. Upon reaching the destination VTEP, the process is reversed, and the VXLAN headers are removed to recover the original Ethernet frame for delivery within the destination network segment.

References:

Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) source book

Cisco’s official training and certification resources on VXLAN and VTEP functionalities.

 When a FlexConnect AP changes to standalone mode, it means that the AP has lost or failed to establish CAPWAP connectivity with its Wireless LAN Controller (WLC). In this scenario, all controller-dependent activities stop working except for the Dynamic Frequency Selection (DFS). DFS is a mechanism that allows wireless LANs to use 5 GHz frequencies that are shared with radar systems. It is a part of the radio regulations applied to WLANs, and it is designed to avoid causing interference to radar systems.

 In Cisco’s Software-Defined Access (SD-Access), Locator/ID Separation Protocol (LISP) plays a crucial role in the data plane for forwarding traffic. LISP separates the end systems’ identities from their locations on the network, allowing for more efficient routing decisions based on endpoints’ identity rather than their IP address alone. This separation allows SD-Access to create flexible overlays for traffic forwarding over various transport networks. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) v1.1

 The command ip sla schedule 100 start-time now life forever is used to start the IP SLA operation immediately (start-time now) and to continue it indefinitely (life forever). The 100 corresponds to the IP SLA operation number, which must match the one specified in the IP SLA configuration. This command ensures that the IP SLA operation for UDP echo tests will run every 30 seconds, as set by the frequency 30 command in the IP SLA configuration, and will not stop unless manually terminated.

API keys are a simple method used to authenticate an application or user when making API calls. They are a predetermined string that the client includes in the request header, which the server uses to recognize the API call and verify that it has the permissions to access the requested resources. API keys are not encrypted tokens, nor are they related to local router databases or transmitted unencrypted credentials.

The correct configuration to achieve the requirement of checking a AAA server first and then a local username, with denial if both fail, is aaa authorization exec default group radius local none. This command specifies the order of methods to be used for EXEC authorization. It first attempts to use the group specified by the radius method. If that fails, it tries the local database, and if both methods fail, the none keyword ensures the user is denied access.

 The task requires configuring NAT (Network Address Translation) to allow all users in the subnet 10.2.2.0/24 to access the Internet using a single public IP address, which is 209.165.201.1, for all external communication. This is typically done using PAT (Port Address Translation), also known as NAT overload, which allows multiple private IP addresses to be mapped to a single public IP address but with different port numbers.

The correct command set would include defining an access list that specifies the local subnet, configuring the router’s inside interface that connects to the local network with ip nat inside, configuring the outside interface with ip nat outside, and then specifying the NAT rule that uses PAT by referring to the access list and indicating overload.

Option C is likely correct because it includes these elements:

An access control list (ACL) that permits traffic from the 10.2.2.0/24 subnet.

The ip nat inside command applied to an internal interface.

The ip nat outside command applied to an external interface.

A NAT rule that matches traffic permitted by the ACL and translates it using the IP address of the external interface with overload enabled.

In the context of configuring an Encapsulated Remote SPAN (ERSPAN), an ERSPAN ID is required to identify the ERSPAN session uniquely. The command ‘erspan id’ followed by a number is used to set this identifier, which allows for the monitoring of traffic across multiple VLANs as specified in the configuration. References: Cisco’s official documentation and training materials on Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) would provide detailed steps and explanations for configuring ERSPAN sessions.

 Option B is the correct answer because it specifically permits and logs all traffic that comes from IP address 172.20.10.1 on interface GigabitEthernet0/1 without impacting the functionality of the access list. The command set in Option B is:

Router(config)#access-list 100 seq 5 permit ip host 172.20.10.1 any log

Router(config)#interface GigabitEthernet0/1

Router(config-if)#access-group 100 in

This command set adds a sequence to the access list (seq 5) that allows traffic from IP address 172.20.10.1, logs this traffic, and applies this access list to incoming traffic on interface GigabitEthernet0/1.

 JWT, or JSON Web Token, is an encoded JSON token that is used to securely exchange information between parties. It is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

References := Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR)

The correct configuration for establishing an eBGP neighborship and advertising a network involves specifying the local AS number, the neighbor’s IP address along with its AS number, and the network to be advertised with the correct subnet mask. Option C correctly configures Router A with its local AS number (65001), sets up Router B as a neighbor with its IP address (10.0.1.2) and remote AS number (65002), and advertises the connected network on interface G0/1 (10.0.1.0) with the appropriate subnet mask (255.255.255.0). This ensures that Router A will form an eBGP neighborship with Router B and advertise the connected network to it. References: = Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) training materials or official certification guide.

In the context of NETCONF (Network Configuration Protocol), XML strings are used to encapsulate and structure the data being exchanged between a client and a server. The XMLstring provided in the question is part of a NETCONF message, which should be properly closed to ensure that it is well-formed and can be processed correctly. The correct answer is option A, “]]>]]>”, which signifies the end of an RPC (Remote Procedure Call) message in NETCONF. This specific ending sequence includes the closing  tag followed by “]]>]]>”, which is used to mark the end of the content section in a NETCONF message.

The established keyword is only applicable to TCP access list entries to match TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only. Let’s see an example below:

Suppose you only want to allow the hosts inside your company to telnet to an outside server but not vice versa, you can simply use an ― ”established” access-list like this:

access-list 100 permit tcp any any established

access-list 101 permit tcp any any eq telnet

!

interface S0/0

ip access-group 100 in

ip access-group 101 out

Note: Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let‘s see how this process takes place:

1. First host A will send a SYN message (a TCP segment with SYN flag set to 1, SYN is short for SYNchronize) to indicate it wants to setup a connection with host B. This message includes a sequence (SEQ) number for trackingpurpose. This sequence number can be any 32-bit number (range from 0 to 232) so we use ―”x” to represent it.

2. After receiving SYN message from host A, host B replies with SYN-ACK message (some books may call it ―SYN/ACK‖ or ―SYN, ACK‖ message. ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:

+ SYN sequence number (let‘s called it “y”) is a random number and does not have any relationship with Host A‘s SYN SEQ number.

+ ACK number is the next number of Host A‘s SYN sequence number it received, so we represent it with “x+1″. It means ―I received your part. Now send me the next part (x + 1)”.

The SYN-ACK message indicates host B accepts to talk to host A (via ACK part). And ask if host A still wants to talk to it as well (via SYN part).

3. After Host A received the SYN-ACK message from host B, it sends an ACK message with ACK number “y+1” to host B. This confirms host A still wants to talk to host B.

To prevent a route to 172.16.0.0/16 from being learned via OSPF, the network engineer must apply a distribute-list that references the prefix list in the inbound direction of the OSPF process. The command distribute-list prefix OFFICE in under the OSPF process will filter incoming routing updates based on the specified prefix list. Since the prefix list named OFFICE has a sequence that denies the 172.16.0.0/16 prefix, any routes matching this prefix will not be accepted into the OSPF routing table. The distribute-list needs to be applied in both the inbound direction on interfaces receiving OSPF updates (option A) and in the OSPF process itself to filter routes being received from OSPF neighbors (option E).

In Cisco FlexConnect, when the connection to the Wireless LAN Controller (WLC) is lost, the state that allows wireless users to continue working is Authentication-Central/Switch-Local. This means that while authentication is centrally done through the WLC, the switching of data packets is done locally at the access point. If the WLC connection is lost, the access point can still switch data packets locally, allowing users to continue their work uninterrupted.

The correct method to display text directly into the active console with a synchronous EEM applet policy is by using the puts command. The puts command in EEM (Embedded Event Manager) is used to output messages to the console. In the context of the given options, option C is the correct one because it uses the puts command to display the message ‘logging directly to console’ to the active console session.

References:

Cisco Community discussion on sending ‘show’ command outputs to console/terminal using EEM1.

Cisco documentation on Writing Embedded Event Manager Policies Using the Cisco IOS CLI2.

Cisco IOS Embedded Event Manager Command Reference3.

Question regarding the method that displays text directly into the active console with a synchronous EEM applet policy4.

Cisco Press article on Embedded Events Manager5

Adopting a data modeling language like YANG provides a standardized data structure, which results in configuration scalability and consistency across different vendor and platform configurations. This standardization allows for the refactoring of vendor and platform-specific configurations into widely compatible configurations, facilitating easier management and automation of network devices.

To configure and verify router R3 to measure the response time to the file server, the correct command set involves enabling IP SLA responder and configuring an IP SLA probe. The IP SLA responder is configured on the target device, in this case, the file server, to respond to the IP SLA probe sent by R3. The probe is configured on R3 to send a specific type of test traffic to the responder, and the response time is measured based on the round-trip time of the packets.

Option C is the correct choice because it includes the commands to set up an IP SLA ICMP-echo operation, which sends ICMP echo requests from R3 to the file server’s IP address. The ip sla schedule command is used to specify the operation number, start time, life of the operation, and frequency of the test.

https://www.cisco.com/c/en/us/support/docs/smb/switches/cis co-550x-series-stackable-managed-switches/smb5797-configure-ip-sla-tracking-for-ipv4-static-routes-on-an-sg550.html

A virtual machine is an emulation of a computer system that provides dedicated compute memory, storage resources, and a fully installed operating system. It operates based on the architecture and functions of a real or physical computer. Virtual machines are isolated environments, allowing multiple instances to run on a single physical host machine, which can be managed independently.

The Cisco SD-Access control plane characteristic is that it stores remote routes in a centralized database server. This is achieved through the use of the Locator/ID Separation Protocol (LISP), which allows the control plane to map between endpoints and their locations within the network. LISP acts as the control plane for Cisco’s Software-Defined Access (SD-Access), resolving endpoint-to-VTEP mappings and enabling scalable host mobility across the network. References: Cisco SD-Access Architecture : Control, Data & Policy Plane

To protect the OSPF domain from fake route advertisements and black hole traffic, it is essential to implement route filtering. By applying a policy to filter OSPF packets on R2, you can prevent the propagation of unauthorized OSPF routes. This action allows only legitimate routes to be advertised into the OSPF domain while blocking any malicious route injections. Route filtering is a critical security measure in OSPF configurations to maintain the integrity of routing information within the network1.

 In a virtualized environment, physical server resources can be shared among multiple virtual machines (VMs). The disk resource, in particular, can be allocated to VMs in a way that allows them to access storage as if it were their own. This enables efficient utilization of storage resources and can help in reducing costs and improving scalability. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR)

In OSPF (Open Shortest Path First) configuration, the ‘network’ command is used to specify which interfaces will participate in OSPF, and to define the area assignment for those interfaces. The correct syntax for the ‘network’ command includes the network address followed by a wildcard mask, and then the area ID.

In this case, GigabitEthernet 0/1 has an IP address of 10.10.1.1 with a subnet mask of 255.255.255.0, which corresponds to a wildcard mask of 0.0.0.255 (the inverse of the subnet mask). Since we want this interface to participate in Area 0, as indicated by the exhibit showing it within Area 0’s boundary, option A is correct.

Layer 2 Flooding is used in Cisco SD-Access to address the connectivity needs of silent hosts. Silent hosts are devices that do not initiate communication but require reception of traffic to start communicating. In a Cisco SD-Access fabric, these hosts’ locations are not known because they have not sent any packets or frames. To ensure connectivity for these devices, Layer 2 Flooding can be enabled, which allows ARP broadcasts and link-local frames to be propagated across the fabric. This ensures that even if a silent host has not initiated communication, it can still receive traffic, which is essential for devices like IP cameras, sensors, or management interfaces that wait for an initial packet to begin communication.

 A type 2 hypervisor, also known as a hosted hypervisor, runs on top of a host operating system rather than directly on the hardware. This makes it ideal for client or end-user systems where ease of use and flexibility are more important than performance. Type 2 hypervisors are typically used for development, testing, or educational purposes where full virtualization of the underlying hardware is not necessary.

References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course materials1.

The script that should be applied to receive an SNMP trap and a critical-level log message when a user switches to configuration mode is the one that uses the EEM (Embedded Event Manager) applet with specific commands for SNMP trap generation and logging. The correct script would contain the event cli command to specify the CLI event, action commands for sending an SNMP trap (snmp-trap) and for logging a message (syslog) at a critical level.

A picture containing table Description automatically generated

 EIGRP (Enhanced Interior Gateway Routing Protocol) and OSPF (Open Shortest Path First) are both interior gateway protocols used for routing within a single routing domain. Let’s compare their metrics and administrative distances:

Metrics:

EIGRP Metrics:

EIGRP uses a composite metric called “feasible distance” to determine the best path to a destination.

The EIGRP metric is based on a combination of several factors, including bandwidth, delay, reliability, load, and MTU (Maximum Transmission Unit).

EIGRP calculates the metric using a formula that takes into account these parameters.

The metric is used to select the best route among multiple paths to the same destination.

OSPF Metrics:

OSPF uses a simple metric called “cost” to determine the best path.

The cost is based solely on the interface bandwidth.

OSPF routers calculate the cost by dividing a reference bandwidth (default is 100 Mbps) by the actual link bandwidth.

The path with the lowest cost is chosen as the best path to reach the destination.

Administrative Distances:

EIGRP Administrative Distance:

Administrative distance (AD) is a value assigned to each routing protocol to indicate its trustworthiness.

For external routes (routes learned from other autonomous systems), EIGRP assigns an AD of 170.

OSPF Administrative Distance:

OSPF does not use administrative distances in the same way as EIGRP.

OSPF relies on the cost metric to determine the best path.

The administrative distance for external routes in OSPF is undefined because OSPF does not directly use AD for route selection.

In summary, EIGRP uses a more complex metric based on multiple factors, while OSPF uses a simpler metric based solely on interface bandwidth. Additionally, OSPF does not explicitly define an administrative distance for external routes.

References:

Cisco Enterprise Networking Planet: 1

Cisco Community: 2

PyNet Labs: 3

Catchpoint: 

The correct JSON syntax for the given data should have key-value pairs separated by colons and strings enclosed in double quotes. Each pair is separated by a comma, and arrays are enclosed in square brackets.

The sampler feature in Flexible NetFlow configuration allows the router to sample data packets rather than processing every packet that passes through it. This reduces the CPU and memory utilization as only a subset of packets is inspected, leading to more efficient use of resources while still providing valuable insights into network traffic patterns.

References:

Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR)

Cisco Training & Certification resources

 In a scenario where Virtual Routing and Forwarding (VRF) is used, each VRF instance has its own separate set of routing and forwarding tables. When an interface is assigned to a specific VRF, all Layer 2 activities including ARP are limited to that particular VRF. Therefore, if you are trying to view the ARP table from the global routing context, you will not see an entry for an IP address that belongs to a different VRF. In this case, since Interface FastEthernet0/0 is part of VRF CUST-A, any ARP entries associated with it would only be visible within that specific VRF’s ARP table. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) v1.1

 The Hot Standby Router Protocol (HSRP) uses virtual MAC addresses for redundancy in a network. For HSRP group 14, the virtual MAC address is formed by the prefix 0000.0c07.ac followed by the HSRP group number in hexadecimal format. Since 14 in hexadecimal is ‘0e’, the correct virtual MAC address for HSRP group 14 is 00:00:0c:07:ac:0e. However, the question seems to contain a typo, as the correct hexadecimal representation for 14 is ‘0e’, not ‘14’. Therefore, the closest correct answer would be C, assuming the ‘14’ at the end of option C is a typo and should be ‘0e’. References: HSRP Calculations - Networking - Spiceworks Community

 The correct answer is A. VRF VPN_A. In a typical service provider network, a Customer Edge (CE) router like R1 is connected to a Provider Edge (PE) router, which in this case is R2. The PE router segregates traffic from different customers using Virtual Routing and Forwarding (VRF) instances. Since R1 is connected to R2 and is part of VPN_A, the Gi0/0 interface on R1 would be assigned to VRF VPN_A to maintain the separation of customer traffic and ensure that R1’s traffic is routed within VPN_A.

The endpoint security aspect of the Cisco Threat Defense architecture includes outbound URL analysis and data transfer controls, which help in preventing data exfiltration and unauthorized access to sensitive information. Additionally, cloud-based analysis of threats allows for continuous monitoring and rapid detection of new and emerging threats, leveraging the latest threat intelligence without requiring manual updates from security administrators. References := Cisco Cyber Threat Defense v2, What Is Endpoint Security? - Cisco, Cisco IoT Threat Defense, Endpoint security: A critical component for resilience, Cisco Bolsters Endpoint Security

 The correct option is C, 60. In the context of a Cisco Wireless LAN Controller (WLC) with an IPv6 management address supporting 100 Cisco Aironet 2800 Series access points using DHCP for registration, the option that must be used is 60. This is because option 60 is used for vendor class identifier (VCI), which is necessary for the access points to identify the type of server from which they should request an IP address. References: The information can be found in the Cisco documentation for IPv6 Addressing and Basic Connectivity Configuration Guide, where it discusses the implementation of IPv6 connectivity and management of neighbor discovery1.

 In master controller mode, the Wireless LAN Controller (WLC) that is designated as the master will be the one that all new Access Points (APs) that join the WLAN will associate with, provided they have not been pre-configured with primary, secondary, or tertiary WLCs. This mode is particularly useful in scenarios where there are multiple controllers within the same network and a new AP has to select a controller to associate with. The master controller mode simplifies the process by ensuring that all new APs without specific controller assignments will associate with the master controller.Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/69561-wlc-faq.html

 Option C is the correct answer because it directly copies the running configuration to bootflash with the command “copy running-config bootflash:/current_config.txt” and generates a critical-level syslog message stating “Configuration saved and copied to bootflash”. The other options involve additional steps or commands that are not necessary for achieving the desired outcome.

The statement print(format(0.8, '.0%')) in Python uses the format specification .0%, which multiplies the number by 100 and displays it with zero decimal places, followed by a percent sign. Therefore, it displays '80%'2

In a Cisco StackWise Virtual environment, the control and forwarding planes are virtually combined in the common logical switch. This means that two physical switches are combined into a single logical entity, sharing the same control plane (which makes decisions about where traffic should go) and the forwarding plane (which actually moves packets to the selected destination). This combination allows for seamless operation and high availability as both switches operate as one. 

Graphical user interface, application Description automatically generated

The Mobility Role Anchor configuration under Clients > Detail on the WLC indicates support for Layer 3 intercontroller roaming. This roaming type allows clients to move across access points connected to different controllers while preserving their IP addresses and session continuity, thus ensuring seamless mobility within the network.

 In a VXLAN packet, the destination MAC address in the outer MAC header is used to identify the next-hop IP address based on the destination VTEP address in the routing table of the VTEP where the VM that sends packets resides. This ensures that the encapsulated packet is correctly forwarded towards the remote VTEP.

 Cisco DNA Center provides a comprehensive solution for managing and monitoring wireless networks, including the ability to locate and track malicious devices. It integrates with the Advanced Wireless Intrusion Prevention System (aWIPS), which allows for the monitoring of threat signatures and the implementation of security policies. The malicious rogue rules on Cisco DNA Center enable the security department to effectively identify, locate, and mitigate threats posed by unauthorized access points and other malicious devices within the network environment.

-

Solution:

On R1:

R1(config)#router bgp 123

R1(config-router)#address-family ipv4

R1(config-router-af)#neighbor 10.0.0.2 allowas-in

On R3:

R3(config)#router bgp 123

R3(config-router)# address-family ipv4

R3(config-router-af)#neighbor 192.168.1.2 allowas-in

VERIFICATION:

R3#sh ip route bgp

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets

B 1.1.1.1 [20/0] via 192.168.1.2, 00:01:17

2.0.0.0/32 is subnetted, 1 subnets

B 2.2.2.2 [20/0] via 192.168.1.2, 00:05:06

10.0.0.0/24 is subnetted, 1 subnets

B 10.0.0.0 [20/0] via 192.168.1.2, 00:01:17

Test Ping from R3 to R1:

R3#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

R3#ping 1.1.1.1 source lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 3.3.3.3

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Cisco TrustSec technology classifies traffic using Security Group Tags (SGTs). SGTs are assigned to endpoints, and these tags are then included in the packets that traverse the network. This allows for policy enforcement based on these tags, rather than relying on traditional IP addresses or VLANs. References: Cisco TrustSec Overview

Access points use DNS to resolve the IP address of a wireless LAN controller. The correct DNS A record type for this purpose is “CISCO-CAPWAP-CONTROLLER.localdomain”. This allows the access point to discover controllers through the domain name server (DNS) when the controller is in a different subnet than the access point. When an access point receives an IP address and DNS information from a DHCP server, it contacts the DNS to resolve this specific A record. Upon successful resolution, the access point sends discovery requests to the controllers’ IP addresses provided by the DNS. References: Cisco documentation on DNS Server for Wireless LAN Controller Discovery.

The issue is that VLAN 10 has propagated to SW3, which is against the company policy. The company policy allows only VLAN 10 on SW1 and SW2. To correct this issue, the allowed VLANs on the trunk link connecting to SW3 should be configured to exclude VLAN 10. Option C accomplishes this by configuring the trunk link on SW2 (int gi1/2) to allow all VLANs except VLAN 10 (switchport trunk allowed vlan 1-9,11-4094).

References :=

Implementing and Operating Cisco Service Provider Network Core Technologies

On-Demand E-Learning

Remote users need to access the Internet and upload files to the storage server. The correct configuration must allow for both these actions. Option C is the correct answer because it includes the necessary access control lists (ACLs) and network address translation (NAT) configurations that permit outbound Internet traffic while still allowing file uploads to the designated storage server. The ACLs are configured to permit the appropriate traffic, and the NAT configuration translates the internal network addresses to a public address for Internet access.

Graphical user interface, application Description automatically generated

The vSmart controller in a Cisco SD-WAN environment manages the control plane. It acts as the brain of the network, orchestrating control plane operations, optimizing routing decisions, and ensuring secure communication across the network. References: Cisco Catalyst SD-WAN Getting Started Guide3, [Part 6] Cisco SDWAN - vSmart Controller

YANG (Yet Another Next Generation) is the language that defines the structure or modeling of data for both NETCONF and RESTCONF. YANG is a data modeling language used to model configuration and operational features for network devices and is essential for the functionality of NETCONF and RESTCONF protocols4567.

References := Cisco’s training on Implementing and Operating Cisco Service Provider Network Core Technologies

The default virtual MAC address used by HSRP (Hot Standby Router Protocol) group 41 is 00:00:0c:07:ac:29. HSRP virtual MAC addresses are in the format of 0000.0c07.acXX, where XX is the HSRP group number in hexadecimal. For group 41, the hexadecimal equivalent is 29.

When Cisco DNA Center loses connectivity to devices in the SD-ACCESS fabric, already connected users remain unaffected, ensuring continuous user connectivity (B). However, new users cannot connect due to the loss of communication with Cisco DNA Center ©. The devicesdo not reload simply because of the lost connection (A), and while Cisco DNA Center cannot collect monitoring data in Assurance (D), this does not directly affect user connectivity. Users also do not lose connectivity (E) as the fabric continues to function for existing connections.

The GRE tunnel is disabled due to recursive routing, which occurs when the router learns the destination IP address for the tunnel interface through the tunnel itself. This creates a loop where the tunnel attempts to route traffic to its destination via the tunnel, causing it to collapse. The router then recalculates the routes, re-establishes the tunnel, and the cycle repeats. This is indicated by the system log message “%TUN-5-RECURDOWN Interface Tunnel 0 temporarily disabled due to recursive routing.” References := Study CCNP: GRE Tunnels and Recursive Routing Problems

To provide controlled Layer 2 network connectivity between virtual machines running on the same hypervisor, a virtual switch provided by the hypervisor (B) can be used to manage internal VM traffic. Additionally, a virtual switch running as a separate virtual machine © can also facilitate this connectivity. A single trunk link to an external Layer 2 switch (A) or a single routed link to an external router on stick (D) would not be contained within the hypervisor environment. VXLAN fabric (E) is used for overlay networks across different hosts and requires additional tunneling configuration.

Source 1:https://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-1000v-switch-vmware-vsphere/at_a_glance_c45-5324 67.pdf

Source 2:https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/vm_fex/vmware/gui/config_guide/2-1/b_GUI_VMware_VM-FEX_UCSM_Configuration_Guide_2_1/b_GUI_VMware_VM-FEX_UCSM_Configuration_G uide_2_1_chapter_0110.pdf

A Type 2 hypervisor is unique in that it requires a host operating system to function. Unlike a Type 1 hypervisor, which runs directly on the host hardware, a Type 2 hypervisor operates as an application within the host OS environment, providing virtualization services above the host operating system layer1.

References := AWS - Type 1 vs Type 2 Hypervisors

 The command ip nat inside source list 10 interface FastEthernet0/1 overload enables NAT on the router, allowing multiple hosts on the internal network connected to FastEthernet0/2 to share a single IP address (the one assigned to FastEthernet0/1) when accessing the Internet. This is known as PAT (Port Address Translation), part of the NAT process, which helps conserve IP addresses and allows multiple devices to access the Internet using one public IP address.

The MAC address table, also known as the CAM (Content Addressable Memory) table, is used for Layer 2 forwarding decisions and contains MAC addresses mapped to specific ports. TCAM (Ternary Content Addressable Memory), on the other hand, is used for storing ACL (Access Control Lists) and QoS (Quality of Service) information. TCAM allows for more complex matching criteria, including wildcard matching, which is essential for implementing security and traffic management policies. References := What is the actual difference between TCAM and MAC address table, CAM (Content Addressable Memory) VS TCAM (Ternary Content Addressable Memory)

A picture containing application Description automatically generated

OSPF (Open Shortest Path First) adjacency between R1 and R2 fails due to a timers mismatch. In OSPF, it’s crucial for routers to have matching Hello and Dead intervals to form an adjacency. Ifthese timers do not match, OSPF routers cannot establish an adjacency, leading to failure in exchanging routing information. References: Implementing and Operating Cisco Service Provider Network Core Technologies source documents or study guide

To enable router R2 to be configured via NETCONF, the necessary command set is found in Option C. NETCONF is a network management protocol developed and standardized by the IETF. It allows for the installation, manipulation, and deletion of the configuration of network devices. The commands in Option C are designed to start the NETCONF server on the device and open the required NETCONF session over SSH, which is the standard transport for NETCONF.

 The command ip http secure-server is used to enable the HTTPS server on a Cisco device, which is necessary for RESTCONF to operate securely. RESTCONF is an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in NETCONF. Enabling the HTTPS server ensures that RESTCONF can be used over a secure connection, which is a best practice for network security. References: Cisco Programmability Configuration Guide, RESTCONF Protocol Video.

Chart Description automatically generated

 In the Locator/ID Separation Protocol (LISP), the Map Resolver is responsible for receiving encapsulated messages from the Ingress Tunnel Router (ITR) and forwarding them to the appropriate Map Server, which then communicates with the egress tunnel routers (ETRs) to ensure proper message delivery. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course materials.

In this scenario, NAT (Network Address Translation) is configured on Router R1 to enable communication between hosts PC1, PC2, PC3, and Server1. The IP addresses used by these hosts when communicating globally to Server1 would be random addresses in the 155.1.1.0/24 range (Option B). This is because NAT translates their private IP addresses into public IP addresses allowing them to communicate over the internet.

The orchestration plane of the Cisco SD-WAN is handled by the vBond component. It is responsible for the initial bring-up of devices, orchestrating connectivity between different network elements, and facilitating the establishment of secure control and data plane connections. References: Cisco SD-WAN Design Guide1, Cisco Viptela SDWAN: vBond as Orchestration Plane2.

 Utilizing data models in a multivendor environment facilitates a unified approach to configuration and management. This is because data models provide a standardized way to represent network configurations, making it easier to manage devices from different vendors within the same network. References: The advantage of using data models is supported by the Implementing and Operating Cisco Service Provider Network Core Technologies source book and corroborated by the search results

 In the given network topology, PC1 is connected to ALSW1. ALSW1 has a direct Layer 3 link to DSW1. Since all links are functional, the shortest and most direct path for PC1 to reach DSW1 would be through this direct connection from ALSW1 to DSW1. There is no need for the traffic to traverse through DSW2 or CORE as there exists a more efficient path directly connecting ALSW1 and DSW1. References: The explanation can be inferred from understanding basic networkingprinciples and routing, which seeks the most efficient path between two points in a network. For further details, refer to the Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) source book and study guide.

he ingress tunnel router (ITR) is responsible for finding EID-to-RLOC mappings for all traffic destined for LISP-capable sites. When the ITR receives a packet destined for an EID, it first looks for the EID in its mapping cache. If it’s not there, the ITR sends a map-request to the map resolver, which then forwards the request to the appropriate map server that holds the desired mappings.

References := LISP Overview - Cisco

The exhibit shows that R1 has a BGP neighborship with a router at IP address 192.168.50.2. The command set that is applied between the iterations of show ip bgp 2.2.2.2 is the one that would cause a RIB-failure. A RIB-failure occurs when a route is not installed in the Routing Information Base (RIB) due to a routing issue. In this case, removing the specific static route to the neighbor with no ip route 192.168.50.2 255.255.255.255 Gi0/0 would cause theBGP session to drop and result in a RIB-failure for the route to 2.2.2.2, which is what we observe in the exhibit. References := For more information on BGP neighborship and RIB-failure, refer to the Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course materials, specifically the sections on BGP routing and troubleshooting.

 The code snippet provided in the exhibit is a simple Python program that initializes a variable count with the value of 8. It then enters a while loop that continues executing as long as count is greater than 4. Inside the loop, it prints the current value of count and then decrements count by one each iteration. As a result, it will print the numbers 8, 7, 6, and 5 before count becomes less than or equal to four and the loop terminates.

Cisco DNA Center and vManage northbound APIs are characterized by their implementation of the RESTCONF protocol, which is a REST API interface for accessing the automation and assurance workflows of these network management platforms3.

The output indicates that the HSRP group’s virtual IP address is 10.1.1.1 (Option B), as seen from the line “Virtual IP address is 10.1.1.1.” Additionally, the hello and hold timers are set to custom values of 3 seconds and 10 seconds, respectively (Option D), which differ from the default values, indicating they have been manually configured.

 Classification is the QoS feature that uses the IP Precedence bits in the ToS field of the IP packet header to partition traffic into different priority levels. It involves identifying and categorizing packets based on the IP Precedence value, which can range from 0 to 7, with higher values indicating higher priority traffic. This process is essential for applying appropriate QoS policies to different types of traffic, ensuring that high-priority traffic, such as voice and video, receives the necessary bandwidth and low latency treatment. References := Quality of Service (QoS) Configuration Guide, Cisco IOS XE Everest 16.6.x

The function of vBond in a Cisco SD-WAN deployment is to onboard SD-WAN routers into the SD-WAN overlay. vBond orchestrates the establishment of control connections between the controllers and the SD-WAN routers, ensuring initial authentication and facilitating the joining process of the routers to the SD-WAN fabric.

The correct command set to complete the ERSPAN session configuration must include the source session ID, the traffic direction, and the mirrored traffic. Option A correctly specifies the source session and includes both the ‘rx’ and ‘tx’ directions, indicating that both received and transmitted traffic should be mirrored. References := The answer is derived from the Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course materials, which provide detailed information on configuring ERSPAN sessions in a Service Provider network infrastructure.

For further study and detailed explanations, you can refer to the official Cisco training and certification resources:

Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR)

Cisco Certification Exam Overview for 350-501 SPCOR

On-Demand E-Learning for Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) v1.1

The default virtual MAC address used by HSRP (Hot Standby Router Protocol) group 30 is “00:00:0c:07:ac:1e”. HSRP uses a well-known MAC address format which includes the HSRP group number in hexadecimal. For group 30, the hexadecimal equivalent is “1e”, hence the virtual MAC address ends with “ac:1e”. References: Cisco Community discussion on HSRP Virtual MAC Format.

Text, letter Description automatically generated

 The issue described is that the laptop does not attempt to connect to the network with a hidden SSID and RADIUS-based client authentication. The option “Connect even if this network is notbroadcasting” should be selected to resolve this issue. When a wireless network hides its SSID, devices won’t see the network’s name as an available connection. By selecting this option, the device will connect to the network even if it can’t find a broadcasted SSID, ensuring connectivity in environments where SSID broadcasting is disabled for security reasons. References: The Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course provides a comprehensive understanding of configuring, verifying, troubleshooting, and optimizing next-generation, Service Provider IP network infrastructures, which includes knowledge relevant to resolving such wireless network issues

In the given scenario, Cisco IOS routers R1 and R2 can form an OSPF neighborship on interface Gi0/0 by ensuring that the interface is not set as passive and by configuring the OSPF network command on R1. In Option C, R2 has been configured with “passive-interface Gi0/0” under the OSPF routing process, which means OSPF neighbor relationships won’t be formed on thisinterface. However, on R1, “no passive-interface Gi0/0” is configured ensuring that OSPF hello packets are exchanged allowing for neighbor formation. Additionally, the “network” command is used to enable OSPF on specified interfaces belonging to the mentioned network.

Solution:

R1

Router ospf 1

Int loop0

Ip ospf 1 area 0

Int et0/0

Ip ospf 1 area 0

Ip ospf network point-to-point

Copy run start

R2

Router ospf 1

Int loop0

Ip ospf 1 area 0

Int et0/0

Ip ospf 1 area 0

Ip ospf network point-to-point

Copy run start

Verification:-

Table Description automatically generated with medium confidence

 The error will be flagged when trying to add the command “monitor session 1 source interface FatEthernet0/1 tx” because there is a typo in the interface name. It should be “FastEthernet” not “FatEthernet”. In Cisco IOS, the correct syntax and spelling are crucial for the commands to be accepted and executed. Any typos or incorrect syntax will result in an error.

The GRE tunnel configuration requires both a source and destination address to establish a point-to-point link. In this scenario, R2 must have a tunnel source address configured to match the destination address on R1. Since R1’s tunnel destination is set to 200.1.1.1, the corresponding tunnel source address on R2 should be 200.1.1.1 to complete the configuration and allow the tunnel to become operational.

An AP can discover a wireless LAN controller (WLC) using several methods. Broadcasting on the local subnet allows the AP to send a discovery request to all devices within its local network segment. DHCP Option 43 is used to provide the IP address of the WLC to the AP via the DHCP server. Both methods are commonly used for AP discovery. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) training materials1.

Graphical user interface, application Description automatically generated

In a Cisco StackWise Virtual environment, the control plane and forwarding plane are virtually combined into a single logical switch. This technology allows for the configuration and management of two physical switches as if they were one device, enhancing redundancy and providing non-stop communication. The control plane is responsible for making decisions about where traffic is sent, while the forwarding plane moves packets to the selected destination.

The configuration shown in the exhibit indicates that OSPF is being configured on interface GigabitEthernet0/1 with the OSPF process ID of 1 and it is assigned to area 0. This is a standard configuration for enabling OSPF on an interface in a Cisco router to participate in OSPF routing within area 0. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) v1.1

The failure of BGP peering between router CORP and ISP#2 is due to a password mismatch. BGP peering requires both routers to have matching passwords if password authentication is configured. If the passwords do not match, the BGP session will not be established, and the routers will not exchange routes.

 In the context of Cisco devices, when configuring a port channel with LACP (Link Aggregation Control Protocol), both ends of the port-channel must be set to compatible modes for the LACP bundle to form successfully. The exhibit shows that interface Gi0/1 is in an active state (SA flag), which means it is actively sending LACP packets. For Gi0/0 to join the bundle, it also needs to be set to either active or passive mode. Since we want it to function as expected and form a port-channel, setting it to ‘active’ will ensure that it sends LACP packets and attempts to negotiate with other LACP-enabled ports.

The correct configuration for the scenario described is to use TACACS for authentication, and if TACACS is unavailable, allow login without any credentials. This is achieved by the command aaa authentication login default group tacacs+ none, which specifies TACACS as the primary authentication method and none as the secondary method, meaning no authentication is required if TACACS is not available.

References: The information is based on the Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) training

The json.dumps() method is used to convert a Python object into a JSON string. This method is particularly useful when you need to export the contents of an object, like ‘Devices’, in JSON format which can be easily shared or stored. It serializes the data in a format that ensures it’s easily parsable by systems that support JSON. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) source book or official documentation would provide more details on JSON handling within Python scripts used for network automation.

The deployment option of Cisco NGFW that provides scalability is clustering. Clustering allows multiple NGFW devices to be connected and work together as a single entity. This enables the system to handle larger volumes of traffic and provides redundancy, ensuring high availability and load balancing across the network.

The task is to create an access list that allows traffic from a specific range of networks while logging the traffic. The networks in question span from 10.0.32.0/24 to 10.0.39.0/24. To summarize these networks into a single entry, we use a subnet mask that encompasses all the individual /24 networks. The correct summary uses the wildcard mask 0.0.7.255, which corresponds to the subnet mask 255.255.248.0. This wildcard mask allows for all addresses from 10.0.32.0 to 10.0.39.255, which includes all the specified networks.

OMP, or Overlay Management Protocol, is a critical component of the Cisco SD-WAN solution. It performs several functions essential to the operation of the SD-WAN network:

A. Advertisement of network prefixes and their attributes: OMP advertises routes, TLOCs (Transport Location), and services within the SD-WAN fabric. It facilitates the distribution of routing information and related location mappings across the network, ensuring that all nodes have the necessary data to route traffic efficiently.

E. Segmentation and differentiation of traffic: OMP enables the segmentation of traffic into different VPNs or VRFs (Virtual Routing and Forwarding instances). This allows for the creation of separate, secure environments within the same physical infrastructure, catering to various service levels and user groups.

The Design workflow in Cisco DNA Center is used in a greenfield deployment where there is no existing infrastructure. It allows engineers to create the structure and framework of the network from scratch, including the physical topology, network settings, and device type profiles2.

The Design area is where you create the structure and framework of your network, including the physical topology, network settings, and device type profiles that you can apply to devices throughout your network. Use the Design workflow if you do not already have an existing infrastructure. If you have an existing infrastructure, use the Discovery feature.

https://www.cisco.com/c/en/us/td/docs/clou d-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_0110.html

A picture containing text, clock, device, meter Description automatically generated

When a client device roams between access points that are joined to the same controller, even if the access points are in different AP groups with different IP addresses, the type of roam that occurs is known as an intra-controller roam. This is because the access points are managed by the same controller, and the client remains within the same VLAN across the roam. The intra-controller roam is seamless and efficient, as the client’s session and authentication state are maintained by the controller, allowing for uninterrupted service.

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association

seamlessly from one access point to another securely and with as little latency as

possible. Three popular types of client roaming are:

Intra-Controller Roaming: Each controller supports same-controller client roaming

across access points managed by the same controller. This roaming is transparent

to the client as the session is sustained, and the client continues using the same

DHCP-assigned or client-assigned IP address.

Inter-Controller Roaming: Multiple-controller deployments support client roaming

across access points managed by controllers in the same mobility group and on the

same subnet. This roaming is also transparent to the client because the session is

sustained and a tunnel between controllers allows the client to continue using the

same DHCP- or client-assigned IP address as long as the session remains active.

Inter-Subnet Roaming: Multiple-controller deployments support client roaming

across access points managed by controllers in the same mobility group on different

subnets. This roaming is transparent to the client because the session is sustained

and a tunnel between the controllers allows the client to continue using the same

DHCP-assigned or client-assigned IP address as long as the session remains active.

 In the Cisco SD-WAN architecture, Datagram Transport Layer Security (DTLS) is used to encrypt the control plane traffic between the SD-WAN controllers and the SD-WAN endpoints. DTLS is a communications protocol that provides security for datagram-based applications by allowing them to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) v1.1

The correct configuration for the scenario described would involve setting up VPN-A to send traffic to VPN-B and receive from VPN-C, and VPN-B to send to VPN-C and receive from VPN-A. This can be achieved through proper routing and forwarding configurations using technologies such as MPLS L3VPNs, which allow for the segregation of different VPN traffic over a shared network infrastructure. The configuration would ensure that the correct paths are established for traffic flow between the VPNs as specified. References := The Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course provides a deep dive into Service Provider technologies including core architecture, services, networking, automation, quality of services, security, and network assurance. It covers topics such as MPLS VPNs, which are relevant to the question1

 In a Cisco SD-Access solution, the control-plane node’s function is to operate a mapping system that manages the relationships between endpoints and network devices. This involves maintaining a database of all endpoints connected to the network, including their location, identity, and network access policies. The control-plane node is crucial for ensuring that endpoints can be correctly located and communicated with across the network, facilitating efficient routing and policy enforcement.

When a switch running Per-VLAN Spanning Tree Plus (PVST+) is added to a network with switches running Rapid PVST+, the network supports both protocols simultaneously due to the backward compatibility of Rapid PVST+ with PVST+. The existing switches will continue to operate using Rapid PVST+, while the newly added switch will operate using its configured protocol, which is PVST+. This ensures that there is no disruption in service and that spanning tree continues to prevent loops as expected.

A picture containing diagram Description automatically generated

Fastlane is a feature used on Apple devices that prioritizes network traffic for applications requiring a higher quality of service. Enabling Fastlane on the Wireless LAN Controller (WLC) allows the network to optimize QoS for Apple devices by providing a dedicated lane for traffic associated with critical applications, ensuring they receive the necessary bandwidth and reduced latency.

References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) training materials.

 The vSwitch, or virtual switch, is the component that enables communication between guest VMs within a virtualized environment. It operates at the data link layer (Layer 2) of the OSI model and allows virtual machines on the same host to communicate with each other as if they were connected to the same physical switch. The vSwitch can also connect to physical switches to facilitate communication between VMs and the external network.

References:

The concept of vSwitch is covered in the Cisco course “Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR)” where it discusses the role of virtualization in modern network environments.

Additional information can be found in the Cisco documentation and training materials available on the Cisco Learning Network Store, specifically in the course materials for SPCOR.

Multicast Rendezvous Points (RPs) are essential components in Protocol Independent Multicast Sparse Mode (PIM-SM). They act as a meeting place for sources and receivers of multicast traffic. By default, RPs are required to periodically maintain sessions with sources and receivers to facilitate the joining of multicast groups and the forwarding of multicast traffic.

In OSPF (Open Shortest Path First), different network types can impact the formation of adjacencies between routers. The compatibility between OSPF network types is crucial for successful peering. Point-to-multipoint network type is designed to work over networks that have no broadcast capability, and it treats each connection as a separate point-to-point link. This allows it to communicate with nonbroadcast network types, which also do not assume broadcast capabilities. Therefore, point-to-multipoint to nonbroadcast network types are compatible and allow communication through the two peering devices. This compatibility is essential for OSPF operations over certain types of WAN links, such as Frame Relay or ATM, where broadcast capability is not present.

A picture containing timeline Description automatically generated

YANG is a data modeling language used for the definition and semantics of data sent over network management protocols such as NETCONF (Network Configuration Protocol). It provides a powerful and flexible way to model configuration and state data for network elements. YANG allows for the modeling of both configuration data, which is writable and used to configure network devices, and state data, which is read-only and used to reflect the current status of network devices.

HSRP (Hot Standby Router Protocol) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway. The protocol establishes a framework between network routers to achieve default gateway failover if the primary gateway becomes inaccessible.

B: If Fa0/0 is shut down, the HSRP priority on R2 becomes 80. This is because interfaces going down can trigger a priority decrement in HSRP, which is often configured with the standby track  command.

E: R2 is using the default HSRP hello and hold timers. The default hello time is 3 seconds, and the hold time is 10 seconds. These values can be seen in the output of the show standby command if they are not explicitly configured to different values.

R2

R3

R1

config

flow exporter Export-NetFlowENCOR

transport udp 2055

ip sla schedule 100 life forever start-time now

wr

Sw1

monitor session 11 source interface e0/2

monitor session 11 destination interface et1/1

wr

OR

OR

Solution:

Copy run start

Verification:

OR

SOLUTION: -

SW10

Conf t

Default int e0/0

Int e0/0

No sh

Switchport trunk encap dot1q

Switchport mode trunk

Udld port aggressive

Switchport trunk allowed vlan add 300

No sh

Ex

OR

Solution:

Copy run start

Verification:

OR

Solution:

SW20

Conf t

Spanning-tree mode rapid-pvst

No int po10

No shut

exit

Int e0/0

No switchport mode access

Copy run start

Verification:

Solution:

Copy run start

Copy run start

Copy run start

Verification:-

OR

Solution:

SW10

Conf t

Default int e0/0

Int e0/0

No sh

Conf t

Copy run start

Verification from PC2

Show etherchannel summary

OR

Solution:-

Copy run start

Solution:

R10

Copy run start

R20

Copy run start

Verification:

Solution:

SW10

Int ran e02/-3

Channel-group 10 mode active

Verification:

router bgp 10

bgp router-id 10.1.1.111

no bgp defa ipv4-unicast

nei 209.165.200.226 remote-as 20

nei 209.165.202.130 remote-as 30

address-family ipv4

neigh 209.165.200.226 activate

neigh 209.165.202.130 activate

network 10.1.1.10 mask 255.255.255.255

network 209.165.201.10 mask 255.255.255.255

network 209.165.201.20 mask 255.255.255.255

wr

R1

en

Conf t

Router ospf 10

Router-id 10.x.x.x – lo0 address

Int range lo0, e0/0-1

Ip ospf 10 area 0

Exit

wr

R2

Router ospf 10

Area 10 range 10.1.0.0 255.255.0.0

exit

wr

R3

Router ospf 10

Area 10 range 10.2.0.0 255.255.0.0

Exit

Wr

OR

Solution: -

Easy as per above configurations you can get it done anyway they change it.

Solution:-

wr

R22

int tun0

vrf forwarding FINANCE

ip add 10.10.10.2 255.255.255.0

tunn source e0/0

tunnel dest 209.165.200.230

no shut

ip route vrf FINANCE 10.10.111.0 255.255.255.0 tunn0

int et0/1

vrf forwarding FINANCE

ip address 10.22.22.1 255.255.255.252

wr

Verification:-

OR

SOLUTION: -

VERIFICATION: -

OR

Solution on R1:

R1# copy run start

Verification:

OR

R3

Config#int et0/1

config-if#ip ospf priority 255

wr

R20

clear ip ospf process

yes

R10

int et0/0

ip ospf priority 0

wr

R2

clear ip ospf process

yes

Solution:

R3

Int e0/1

Ip ospf priority 255

End

Copy run start

R2

Int e0/1

Ip ospf network point-to-point

End

Copy run start

R10

Int e0/0

Ip ospf network point-to-point

End

Copy run start

OR

Solution:-

Default int range et0/0-1

Int range e0/0 – 1

Sw trunk encap dot1

Switch mode trunk

Channel-group 2 mode passive

No shut

Spanning-tree vlan 10 priority 0

Spanning-tree vlan 30 priority 0

R2

config t

username NetworkAdmin privilege 15 password CiscoENCOR

line vty 0 4

login local

transport input telnet rlogin

exec-timeout 1200 0

Answer: See the solution below in Explanation.

R1

router bgp 10

no bgp default ipv4-unicast

bgp router-id 10.1.1.111

neigh 209.165.200.226 remote-as 20

neigh 209.165.202.130 remote-as 30

address-family ipv4

network 10.1.1.10 mask 255.255.255.255

network 209.165.201.20 mask 255.255.255.255

network 209.165.201.10 mask 255.255.255.255

neigh 209.165.200.226 activate

neigh 209.165.202.130 activate

wr

VERIFICATION: -

OR

For full reachability between AS 1000 and AS 2000, R1 needs to advertise network 192.168.0.0 (option A) and R2 needs to advertise network 209.165.201.0 (option D). These commands ensure that both Autonomous Systems are aware of each other’s networks, enabling full reachability between them as per the BGP routing protocol’s operation.References := Cisco BGP Configuration Guide

In a Cisco SD-WAN deployment, a centralized control policy is a set of statements that define how routing decisions are made across the network. This policy is centrally managed and distributed to the network devices (vEdges or cEdges) through the SD-WAN controllers. The centralized control policy influences the path selection for data traffic by applying rules that can prioritize,restrict, or modify traffic flows based on various criteria such as application, user, source, destination, and more. It operates on the control plane level, affecting the Overlay Management Protocol (OMP) routes that are distributed by the vSmart controllers throughout the SD-WAN fabric.

References:

Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x - Localized Policy [Cisco SD-WAN] - Cisco1.

Policies Configuration Guide, Cisco IOS XE SD-WAN Releases 16.11, 16.12 - Control Policies [Cisco SD-WAN] - Cisco2.

What is a Centralized Data Policy? | NetworkAcademy.io

YANG (Yet Another Next Generation) is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), one of the network management protocols. The benefits of YANG include:

Enabling multiple leaf statements within a leaf list ©: YANG allows for the definition of multiple ‘leaf’ elements within a ‘leaf-list’, which represents a sequence of list elements. This structure enables the modeling of multiple instances of a particular type of data.

Enforcing configuration constraints (E): YANG provides mechanisms to define constraints on the data that can be input, ensuring that the configuration data adheres to the defined schema. This includes mandatory fields, value ranges, and patterns that must be followed.

YANG’s design allows for a vendor-neutral approach to defining the objects, data types, and their relationships when mapping device operational and configuration data to usable programmatic entities. This facilitates a unified and standardized method of representing network configurations, making it easier to manage and automate networks.

References: The explanation provided is based on the information from the Cisco official documentation on YANG, which outlines its primary benefits and use cases in network configuration and management. 

 NTP (Network Time Protocol) uses the MD5 (Message-Digest Algorithm 5) hashing algorithm for authentication purposes. MD5 is utilized to create a hash value based on the time information being sent over the network. This hash is then used to verify the integrity and authenticity of the NTP messages, ensuring that the time data has not been tampered with during transit. While MD5 is not the most secure hashing algorithm available, it is widely used in NTP implementations due to its balance of security and computational efficiency.

References := Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR)

To configure HSRP group 300 on a Cisco IOS router and ensure it becomes the active router when functional, the necessary commands are:

standby version 2: This command enables HSRP version 2, which supports an expanded group number range from 0 to 4095.

standby 300 priority 90: This sets the priority of the HSRP router to 90. Since the default priority is 100, a lower priority ensures this router will be the standby router if both routers are functional.

standby 300 preempt: This command allows the router to take over as the active router if it has a higher priority and the current active router fails.

References :=

Implementing and Operating Cisco Service Provider Network Core Technologies

On-Demand E-Learning

 The correct configuration to restrict the amount of SSH traffic that a router accepts to 100 kbps involves creating a policy map that specifies the maximum bandwidth for the class of traffic. This is done by defining a class map to match the SSH traffic, then creating a policy map that uses the police command to set the rate limit. The policy map is then applied to the control plane to enforce the limit on SSH traffic.

References: The information is based on the Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) source book

CoPP protects the route processor on network devices by treating route processor

resources as a separate entity with its own ingress interface (and in some

implementations, egress also). CoPP is used to police traffic that is destined to the

route processor of the router such as:

+ routing protocols like OSPF, EIGRP, or BGP.

+ Gateway redundancy protocols like HSRP, VRRP, or GLBP.

+ Network management protocols like telnet, SSH, SNMP, or RADIUS.

Therefore we must apply the CoPP to deal with SSH because it is in the

management plane. CoPP must be put under “control-plane” command.

 VXLAN, or Virtual Extensible LAN, is a network virtualization technology designed to address the scalability problems associated with large cloud computing deployments. It allows for the creation of a virtualized Layer 2 network on top of a Layer 3 underlay network.

VTEPs: VXLAN uses Virtual Tunnel Endpoints (VTEPs) to encapsulate Layer 2 frames within Layer 3 packets (MAC-in-UDP encapsulation), which can then be sent across the underlay network. This encapsulation and decapsulation process enables Layer 2 segments to stretch across Layer 3 boundaries, facilitating greater flexibility and scalability.

16 Million Segments: Unlike traditional VLANs, which are limited to a 12-bit identifier allowing for only 4096 unique VLANs, VXLAN extends this identifier to 24 bits. This expansion provides up to 16 million unique VXLAN Network Identifiers (VNIs), significantly increasing the number of possible segments and addressing the need for larger scale in cloud environments.

 To fix the issue of intermittent Wi-Fi connectivity due to frequent channel changes near a large commercial airport, the actions that should be taken are to remove UNII-2 and Extended UNII-2 channels from the 5 GHz channel list (Option A) and disable DFS channels (Option E). These channels are more susceptible to interference from radar systems used in aviation, and disabling them can reduce the occurrence of automatic channel switching that leads to connectivity loss. References: Implementing and Operating Cisco Service Provider Network Core Technologies source book

 The Cisco Stealthwatch system is the component of the Cisco Cyber Threat Defense solution that provides user and flow context analysis. This system offers broad visibility across the network and is designed to analyze and understand network behaviors, detect anomalies, and provide insights into network traffic patterns. It leverages NetFlow data to perform security monitoring, application visibility, and control, as well as incident response. By analyzing the flow data, Stealthwatch can identify malicious activities and potential threats within the network, enabling a more proactive defense posture.

References: The information is based on the Cisco Cyber Threat Defense v2.0 Design Guide

The exec-timeout command is used to configure the timeout for the exec session on a Cisco router or switch. This command takes two arguments: the first is the timeout in minutes, and the second is the timeout in seconds. To meet the security policy of terminating all idle-exec sessions in 600 seconds (which equals to 10 minutes), option C “line vty 0 4 exec-timeout 10 0” should be used. This configuration sets an exec timeout of ten minutes and zero seconds on vty lines from zero to four, effectively meeting the security policy requirement. References := For further details, you can refer to Cisco’s official documentation on the exec-timeout command here.

The correct JSON syntax is option B. In JSON, data is stored in key-value pairs, and it must follow a specific syntax where the keys and string values are enclosed in double quotes. Numbers do not need to be in quotes, and boolean values are represented as true or false without quotes. Arrays are represented using square brackets, and each element inside the array is separated by a comma. References := The information is based on the JSON data structures andsyntax rules as outlined in the Implementing and Operating Cisco Service Provider Network Core Technologies training materials

Quality of Service (QoS) is essential in a campus network to manage packet loss and delay, which can significantly affect the performance of real-time applications. Excess jitter (B) refers to the variation in time between packets arriving, caused by network congestion, timing drift, or route changes. Bandwidth-related packet loss (E) occurs when the network is unable to handle the volume of traffic, leading to dropped packets. Implementing QoS allows for prioritization of critical traffic and can mitigate these issues by managing traffic flows and ensuring that high-priority traffic is delivered efficiently, even in times of congestion.

References: The Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course provides a comprehensive guide on configuring, verifying, troubleshooting, and optimizing Service Provider IP network infrastructures, which includes a deep dive into QoS mechanisms and their implementation in various network scenarios1

 Cisco Advanced Malware Protection for Endpoints (AMP4E) is designed to prevent, detect, and respond to advanced malware attacks. It has the capability to block ransomware by identifying malicious files and behavior associated with this type of threat. Additionally, AMP4E can block Microsoft Word macro attacks by detecting the malicious scripts often embedded within macros that are designed to execute malware or other harmful actions on a user’s system. References := Implementing and Operating Cisco Service Provider Network Core Technologies

https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-fo r-endpoints/c11-742008-00-cisco-amp-for-endpoints-wp-v2a.pdf

The correct configuration for an EEM applet to respond to an IP SLA event is option D: event manager applet EEM_IP_SLA event sla 10 state down. This configuration will trigger the EEM applet when the IP SLA operation number 10 goes to a “down” state, indicating a problem with the monitored service, which can then be used to execute corrective actions such as shutting down an interface.

References: Implementing and Operating Cisco Service Provider Network Core Technologies source documents or study guide.

In a square office where coverage is needed in all directions, an omnidirectional antenna is the best choice. This type of antenna radiates radio frequency (RF) signal equally in all directions horizontally, which would provide uniform wireless coverage throughout the office space. Directional antennas, on the other hand, focus the RF signal in a specific direction and are not suitable for this scenario. Polarized and Yagi antennas have specific applications that do not match the requirement of uniform coverage in all directions.

The decision for a wireless client to roam is primarily made by the wireless client itself. The client device listens for beacon frames or sends probe requests to discover access points (APs) advertising the preferred SSID. The client’s driver uses the received signal strength of beacons or probe responses to make decisions on whether to change APs or remain connected to the current AP. This process is a client-side decision in 802.11 WiFi.

The WLAN security settings indicate that the PSK (Pre-Shared Key) is enabled, which typically requires a passphrase or text string for authentication. However, since the question specifies that the configuration is based on the exhibit, and without the ability to view the exhibit, it’s not possible to provide a definitive answer. Generally, if PSK is used, a text string would be the method for clients to authenticate to the network. If 802.1X is enabled, then username and password would be used. References := Implementing and Operating Cisco Service Provider Network Core Technologies

MACsec, defined by IEEE standard 802.1AE, is a security technology that provides encryption, integrity, and authentication for data on Ethernet networks. It ensures that only authorized devices can access and modify the transmitted data, thereby protecting against threats like interception and tampering. MACsec operates at Layer 2 of the OSI model, which means it secures data at the link level between devices such as switches and hosts.Reference:https://www.cisco.com/c/en/us/td/doc s/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/macsec_encryption.html

 The output would typically show that RSPAN session 1 is incompletely configured if it does not display any source or destination ports or VLANs for monitoring. RSPAN (Remote Switched Port Analyzer) sessions are used to monitor traffic on one or more source ports and send the monitored traffic to a destination port on a remote switch. An incomplete configuration means that the session is not fully set up to capture and forward traffic as intended. References := Implementing and Operating Cisco Service Provider Network Core Technologies

When a 1500-byte IPv4 packet traverses a GRE tunnel, and the DF (Don’t Fragment) bit is cleared, the packet can be fragmented if necessary. However, since the MTU on the physical interfaces underlying the tunnel is set to 1500 bytes and there is no MTU command applied on the tunnel interfaces, the packet will not need to be fragmented. Therefore, it will arrive at router C without fragmentation. References := Implementing and Operating Cisco Service Provider Network Core Technologies source book and official Cisco documentation.

The issue described indicates that even though 172.20.20.2 stops responding to ICMP echoes, the default route does not get removed as expected. This suggests a problem with the tracking configuration of the route. The correct implementation should include associating the tracked object with the routing configuration so that if the tracked object goes down, it triggers the removal of the associated route. Since option C points out that the default route lacks this association with tracking, it is identified as the cause of the issue.

 DHCP Option 43 is used by lightweight APs to discover wireless LAN controllers. This option allows the DHCP server to provide the IP addresses of one or more controllers to the AP. The AP can then use these addresses to discover and join the controller network456.

References := Cisco community documentation on Lightweight AP Discovery Process, Cisco Support documentation on DHCP Option 43

 In the scenario provided, SW1 is configured with ‘switchport mode dynamic auto’ which means it is willing to convert the link to a trunk link if the connecting switch is set to trunk or desirable mode. Since SW2 also appears to be set to ‘switchport mode dynamic auto’, neither switch is initiating the trunking negotiation. To resolve this issue:

Option C: Configuring ‘switchport mode trunk’ on SW2 would manually set the port into permanent trunking mode which would then negotiate with SW1 and form a trunk.

Option D: Configuring ‘switchport nonegotiate’ on SW1 would disable Dynamic Trunking Protocol (DTP) negotiation messages. This should be done if you are setting one side of the connection (SW2) to a static trunk because DTP messages are unnecessary in this case.

The customer’s requirements include FHRP redundancy, a multivendor router environment, and support for IPv4 and IPv6 hosts. VRRP (Virtual Router Redundancy Protocol) version 2 is the appropriate protocol to meet these requirements. It provides FHRP redundancy to increase the availability of routing paths via automatic default gateway selections on an IP subnetwork. VRRP version 2 supports both IPv4 and IPv6, making it suitable for environments that utilize both IP versions. Additionally, being a standard protocol, it supports a multivendor router environment. References: Implementing and Operating Cisco Service Provider Network Core Technologies source documents or study guide

 In the given network topology, when an engineer issues a ping from S1 to S2, the packet will pass through R1 to reach R2 where the TTL value will expire. This is because each hop in thenetwork (each router it passes through) decreases the TTL value by one until it reaches zero. When this happens at R2, it will reply with a TTL exceeded message. References := Cisco Routing

Cisco DNA Center configures all devices that integrate with Cisco Identity Services Engine (ISE) when deploying an IP-based access control policy. This allows for consistent policy application across the network and for the devices to enforce the access controls as defined by the policy.

References: The Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) source book and study guide 

Diagram Description automatically generated

 In the scenario described, the engineer needs to configure DHCP Option 43 to provide the management IP address of the WLC in a format that the access points can understand. The correct configuration for Option 43 includes the IP address of the WLC in hexadecimal format. The management IP address of the WLC is 172.16.50.5, which translates to AC10.3205 in hexadecimal notation. The prefix F104 indicates that it is an IPv4 address and specifies its length (in this case, four bytes or one word). Therefore, configuring option 43 with Hex F104.AC10.3205 will resolve the issue by directing access points to find and register with the WLC at IP address 172.16.50.5.

The configuration in the image establishes an EBGP neighborship between two directly connected neighbors and exchanges the loopback network of the two routers through BGP. In this configuration, both routers R1 and R2 are configured with router bgp followed by their respective AS numbers. The neighbor command is used to establish a BGP session, with the remote-as option specifying the AS number of the neighboring router. The update-source lo0 command ensures that BGP messages are exchanged using the IP address of Loopback0 interface, facilitating EBGP multihop if necessary. Finally, the network command advertises each router’s loopback network into BGP.

References := Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR v1.1) - Module: Border Gateway Protocol

 VTEP (VXLAN Tunnel Endpoint) is responsible for encapsulating the original Ethernet frame into a VXLAN packet and de-encapsulating it upon arrival at its destination within the VXLAN fabric. It adds or removes VXLAN headers as necessary for traffic entering or leaving the overlay network. References := Cisco

The RIB (Routing Information Base) is a database of routing prefixes that includes all learned routes, such as those from dynamic routing protocols, static routes, and directly connected routes. The FIB (Forwarding Information Base), on the other hand, is used to make IP destination prefix-based switching decisions and contains only the best path as determined by the routing protocol, which is used to forward packets12345.

References := Cisco documentation and learning resources on RIB and FIB.

802.1X is a standard for network access control that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is based on the EAP (Extensible Authentication Protocol) framework for transporting authentication protocols and encapsulating the EAP within Ethernet frames. In the context of the Cisco Service Provider, implementing 802.1X can ensure that only authenticated devices are allowed access to the network, enhancing security.

References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) - Cisco

The commands shown in Option C are the appropriate ones to resolve the connectivity issue. The command no interface po1 disables the port-channel interface, which might be causing a conflict or misconfiguration. The interface range fa0/1-2 command selects the range of interfaces to be configured next. The channel-group 1 mode passive command adds these interfaces to an EtherChannel group in passive mode, which waits for LACP packets from another LACP-enabled device before forming an EtherChannel link. Finally, the end command exits the configuration mode.

References := This answer is based on the knowledge from the Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course

The command “Router(config)# ip sla responder udp-connect” configures the router to be the destination of jitter measurements by enabling it to respond to UDP connect operations sent by another Cisco device performing IP SLAs operations, which are used for measuring jitter among other metrics. References := Cisco

 The recommended Maximum Transmission Unit (MTU) size for a Cisco SD-Access Fabric is 1500 bytes. This size is optimal for ensuring compatibility across most internet pathways without the need for fragmentation. It’s a standard size that balances the efficiency of data transmission with the need to accommodate various network infrastructures and end-point capabilities.

References: This information is supported by the Cisco SD-Access Solution Design Guide and other Cisco documentation that outlines best practices for network design and configuration

 Ansible and Chef are both automation tools used for configuration management, but they differ in their operation. Ansible uses a push model, where the server pushes configurations to the clients. In contrast, Chef uses a pull model, where the clients pull configurations from the server. This operational difference is key in distinguishing Ansible from Chef.

References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) - Section on automation tools comparison.

In the context of Wi-Fi signal strength, RSSI (Received Signal Strength Indicator) values are measured in dBm (decibels relative to a milliwatt) and represent the power level being received by the antenna. The closer this value is to 0, the stronger the signal. Thus, a signal of -65 dBm is stronger than a signal of -75 dBm.

For option A, without knowing the specific RSSI requirements for web surfing, we cannot definitively say that location C’s signal is too weak.

Option B states that location D has the strongest RF signal strength; however, this is incorrect as location C has an RSSI of -65 dBm which indicates a stronger signal than location D’s -80 dBm.

Option C suggests that the RF signal strength at location B is 50% weaker than at location A. This statement does not accurately describe how RSSI values work; they are not linear percentages but rather logarithmic measurements.

Option D correctly states that the signal strength at location B (-75 dBm) is 10 dB better (stronger) than at location C (-65 dBm), which follows from understanding how decibel scales operate.

Lastly, option E incorrectly claims that the RF signal strength at location C is 10 times stronger than at Location B. The difference in decibels does not translate to a tenfold increase in power.

 To ensure that all traffic leaving AS 200 chooses Link 2 as the exit point, the local preference attribute can be used. By setting a higher local preference on R3 for routes learned via Link 2, traffic will prefer this path over others. The command bgp default local-preference 200 on R3 will accomplish this task, as local preference is a well-known discretionary BGP attribute that influences the outbound traffic policy by indicating the preferred path to exit the AS. References := Implementing and Operating Cisco Service Provider Network Core Technologies

On-premises infrastructures are physically closer to the end-user or the systems that are using them, which typically results in lower latency due to the reduced distance data must travel compared to cloud infrastructures. This proximity allows for quicker data retrieval and processing, making it ideal for applications that require real-time or near-real-time access to data.

References: The Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) course 

The logging message “HSRP-5-DUPADDR: Duplicate address 10.10.1.1 on FastEthernet0/0, sourced by 0000.0c07.ac02” indicates that there is another device on the network with the IP address that has been configured for HSRP group 50’s virtual IP address (10.10.1.1). This could be a PC or any other device that has been assigned this IP address statically or dynamically, which conflicts with the HSRP virtual IP causing the error message. References: Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) training materials would cover HSRP configuration and troubleshooting, including how to resolve issues related to duplicate IP addresses.

MACsec (Media Access Control Security) is a security technology that provides secure communication for all traffic on Ethernet links. MACsec provides Layer 2 hop-by-hop encryption, which enables data confidentiality and integrity to be maintained between nodes in the network. It operates at Layer 2 of the OSI model and encrypts packets before they are transmitted across the network cables and devices.

References: Implementing and Operating Cisco Service Provider Network Core Technologies

The HTTP 200 OK status code indicates that the request has been successfully processed by the server. In the context of a script, receiving a 200 status code would typically mean that there is no error, and therefore, the script would not exit due to an HTTP error. References: Implementing and Operating Cisco Service Provider Network Core Technologies study guide