350-401 Implementing and Operating Cisco Enterprise Network Core
Technologies (ENCOR) exam dumps questions are the best material for you to
test all the related Cisco exam topics. By using the 350-401 exam dumps
questions and practicing your skills, you can increase your confidence and
chances of passing the 350-401 exam.
Implementing and Operating Cisco Enterprise Network Core Technologies
(ENCOR) 350-401 exam free dumps questions are available below for you to
study. 
Full version: 350-401 Exam Dumps Questions
1.10.10.1/24.
B. The configuration fails because interface GigabitEthernet2 is missing on the target device.
C. The configuration is successfully sent to the device in cleartext.
D. Interface GigabitEthernet2 is configured with IP address 10.10.10.1/24
Answer: D
2.Refer to the exhibit.
https://www.dumpsinfo.com/unlimited-access/
https://www.dumpsinfo.com/exam/350-401
Which statement is needed to complete the EEM applet and use the Tcl script to store the backup
file?
A. action 2.0 cli command "write_backup.tcl tcl"
B. action 2.0 cli command "flash:write_backup.tcl"
C. action 2.0 cli command "write_backup.tcl"
D. action 2.0 cli command "tclsh flash:write_backup.tcl"
Answer: B
Explanation:
This is because the EEM applet needs to specify the full path of the Tcl script that is stored in the
flash memory of the device. The script name is write_backup.tcl and it is used to backup the running
configuration to a remote server. The source of this answer is the Cisco ENCOR v1.1 course, module
8, lesson 8.3: Implementing Embedded Event Manager.
3.Refer to the Exhibit.
The NETCONF object is sent to a Cisco IOS XE switch.
What is the purpose of the object?
A. View the configuration of all GigabitEthernet interfaces.
B. Discover the IP address of interface GigabitEthernet.
C. Set the description of interface GigabitEthernet1 to *1*.
D. Remove the IP address from interface GigabitEthernet1.
Answer: A
4.What is a characteristic of Cisco SD-WAN?
A. operates over DTLS/TLS authenticated and secured tunnels
B. requires manual secure tunnel configuration
C. uses unique per-device feature templates
D. uses control connections between routers
Answer: A
5.Refer to the exhibit.
What does the snippet of code achieve?
A. It creates a temporary connection to a Cisco Nexus device and retrieves a token to be used for API
calls.
B. It opens a tunnel and encapsulates the login information, if the host key is correct.
C. It opens an ncclient connection to a Cisco Nexus device and maintains it for the duration of the
context.
D. It creates an SSH connection using the SSH key that is stored, and the password is ignored.
Answer: C
Explanation:
ncclient is a Python library that facilitates client-side scripting and application development around the
NETCONF protocol.
The above Python snippet uses the ncclient to connect and establish a NETCONF session to a
Nexus device (which is also a NETCONF server).
6.Refer to the exhibit.
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet1/0
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#threshold 500
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2
After implementing the configuration, 172.20.20.2 stops replying to ICMP echoes, but the default
route fails to be removed.
What is the reason for this behavior?
A. The source-interface is configured incorrectly.
B. The destination must be 172.30.30.2 for icmp-echo
C. The default route is missing the track feature
D. The threshold value is wrong.
Answer: C
Explanation:
The last command should be “R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10”.
7.A network administrator wants to install new VoIP switches in a small network closet but is
concerned about the current heat level of the room.
Which of the following should the administrator take into consideration before installing the new
equipment?
A. The power load of the switches
B. The humidity in the room
C. The fire suppression system
D. The direction of airflow within the switches
Answer: D
Explanation:
This is because the direction of airflow within the switches can affect the heat level of the room, as the
switches can either exhaust or intake hot air from the environment. The network administrator should
take into consideration the direction of airflow within the switches before installing the new equipment,
and ensure that the switches are aligned in the same direction and have enough space for ventilation.
The network administrator should also avoid mixing switches with different airflow directions, as this
can create a hot spot and reduce the cooling efficiency. The source of this answer is the Cisco
ENCOR v1.1 course, module 2, lesson 2.1: Implementing Device Hardening.
8.What NTP Stratum level is a server that is connected directly to an authoritative time source?
A. Stratum 0
B. Stratum 1
C. Stratum 14
D. Stratum 15
Answer: B
Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/bsm/16-6-1/b-bsm-xe-16-6-1-asr920/bsm-timecalendar-set.html
9.In a Cisco StackWise Virtual environment, which planes are virtually combined in the common
logical switch?
A. control and forwarding
B. management and data
C. control and management
D. control and data
Answer: C
10.Which JSON script is properly formatted?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Explanation:
Option A is the properly formatted JSON script. JSON (JavaScript Object Notation) is a standard
text-based format for representing structured data based on JavaScript object syntax. It is commonly used
for transmitting data in web applications (e.g., sending some data from the server to the client, so it
can be displayed on a web page, or vice versa).
The JSON syntax rules are as follows [1][2]:
Data is in name/value pairs, separated by commas. A name/value pair consists of a field name (in
double quotes), followed by a colon, followed by a value: "name": "value".
Curly braces hold objects. An object can contain multiple name/value pairs: {"name": "value", "name":
"value", ...}.
Square brackets hold arrays. An array can contain multiple values, separated by commas: ["value",
"value", ...].
Values can be strings (in double quotes), numbers, booleans (true or false), null, objects, or arrays.
Option A follows these rules and is a valid JSON script. It defines an object with four name/value
pairs: "name", "age", "hobbies", and "address". The value of "name" is a string, the value of "age" is a
number, the value of "hobbies" is an array of strings, and the value of "address" is another object with
two name/value pairs: "city" and "country". The object is enclosed in curly braces and the name/value
pairs are separated by commas.
Option B is not a valid JSON script because it uses single quotes instead of double quotes for the
field names and string values. JSON requires double quotes for strings [1][2].
Option C is not a valid JSON script because it does not use commas to separate the name/value
pairs. JSON requires commas to separate the data elements within an object or an array [1][2].
Option D is not a valid JSON script because it uses a semicolon instead of a colon to separate the
field name and the value. JSON requires a colon to separate the name and the value in a name/value pair [1][2].
Reference: 1: JSON Introduction, 2: JSON Syntax
11.What is a characteristic of traffic policing?
A. lacks support for marking or remarking
B. must be applied only to outgoing traffic
C. can be applied in both traffic directions
D. queues out-of-profile packets until the buffer is full
Answer: D
12.Which option must be used to support a WLC with an IPv6 management address and 100 Cisco
Aironet 2800 Series access points that will use DHCP to register?
A. 43
B. 52
C. 60
D. 82
Answer: B
13.In a three-tier hierarchical campus network design, which action is a design best-practice for the
core layer?
A. provide QoS prioritization services such as marking, queueing, and classification for critical
network traffic
B. provide redundant Layer 3 point-to-point links between the core devices for more predictable and
faster convergence
C. provide advanced network security features such as 802.1X, DHCP snooping, VACLs, and port
security
D. provide redundant aggregation for access layer devices and first-hop redundancy protocols such
as VRRP
Answer: B
14.Which method should an engineer use to deal with a long-standing contention issue between any
two VMs on the same host?
A. Adjust the resource reservation limits
B. Live migrate the VM to another host
C. Reset the VM
D. Reset the host
Answer: A
15.Refer to the exhibit.
Which code results in the working Python script displaying a list of network devices from the Cisco
DNA Center?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
16.Under which network conditions is an outbound QoS policy that is applied on a router WAN
interface most beneficial?
A. under interface saturation condition
B. under network convergence condition
C. under all network conditions
D. under traffic classification and marking conditions.
Answer: A
17.A network administrator received reports that a 40Gb connection is saturated. The only server the
administrator can use for data collection in that location has a 10Gb connection to the network.
Which of the following is the best method to use on the server to determine the source of the
saturation?
A. Port mirroring
B. Log aggregation
C. Flow data
D. Packet capture
Answer: C
Explanation:
This is because flow data is a method of collecting and analyzing information about the traffic flows on
a network. Flow data can provide details such as the source and destination IP addresses, ports,
protocols, and bytes transferred for each flow. Flow data can help identify the source of the saturation
by showing which hosts and applications are generating or consuming the most bandwidth. Flow data
can be collected using protocols such as NetFlow, IPFIX, or sFlow. The source of this answer is the
Cisco ENCOR v1.1 course, module 10, lesson 10.1: Implementing NetFlow and IPFIX.
18.Refer to the Exhibit.
An engineer builds an EEM script to apply an access list.
Which statement must be added to complete the script?
A. event none
B. action 2.1 cli command "ip action 3.1 ell command 101''
C. action 6.0 ell command ''ip access-list extended 101''
D. action 6.0 cli command ''ip access-list extended 101"
Answer: A
19.If AP power level is increased from 25 mW to 100 mW, what is the power difference in dBm?
A. 6 dBm
B. 14 dBm
C. 17 dBm
D. 20 dBm
Answer: D
20.Refer to the exhibit.
The IP SLA is configured in a router. An engineer must configure an EEM applet to shut down the
interface and bring it back up when there is a problem with the IP SLA.
Which configuration should the engineer use?
A. event manager applet EEM_IP_SLA event track 10 state down
B. event manager applet EEM_IP_SLA event track 10 state unreachable
C. event manager applet EEM_IP_SLA event sla 10 state unreachable
D. event manager applet EEM_IP_SLA event sla 10 state down
Answer: A
Explanation:
The “ip sla 10” will ping the IP 192.168.10.20 every 3 seconds to make sure the connection is still
up. We can configure an EEM applet if there is any problem with this IP SLA via the command “event
track 10 state down”.
Reference: https://www.theroutingtable.com/ip-sla-and-cisco-eem/
21.What does the LAP send when multiple WLCs respond to the
CISCO_CAPWAP-CONTROLLER.localdomain hostname during the CAPWAP discovery and join process?
A. broadcast discover request
B. join request to all the WLCs
C. unicast discovery request to each WLC
D. Unicast discovery request to the first WLC that resolves the domain name
Answer: D
Explanation:
The AP will attempt to resolve the DNS name CISCO-CAPWAP-CONTROLLER.localdomain. When
the AP is able to resolve this name to one or more IP addresses, the AP sends a unicast CAPWAP
Discovery Message to the resolved IP address(es). Each WLC that receives the CAPWAP Discovery
Request Message replies with a unicast CAPWAP Discovery Response to the AP.
Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107606-dns-wlc-config.html
22.An engineer is configuring a new SSID to present users with a splash page for authentication.
Which WLAN Layer 3 setting must be configured to provide this functionality?
A. CCKM
B. WPA2 Policy
C. Local Policy
D. Web Policy
Answer: D
23.Refer to the exhibit.
What are two effects of this configuration? (Choose two.)
A. Inside source addresses are translated to the 209.165.201.0/27 subnet.
B. It establishes a one-to-one NAT translation.
C. The 10.1.1.0/27 subnet is assigned as the inside global address range.
D. The 209.165.201.0/27 subnet is assigned as the outside local address range.
E. The 10.1.1.0/27 subnet is assigned as the inside local addresses.
Answer: A, E
24.Refer to the exhibit.
An engineer is troubleshooting an application running on Apple phones. The application is receiving
incorrect QoS markings. The systems administrator confirmed that all configuration profiles are
correct on the Apple devices.
Which change on the WLC optimizes QoS for these devices?
A. Enable Fastlane
B. Set WMM to required
C. Change the QoS level to Platinum
D. Configure AVC Profiles
Answer: C
25.Which collection contains the resources to obtain a list of fabric nodes through the vManage API?
A. device management
B. administration
C. device inventory
D. monitoring
Answer: C
Explanation:
The collection that contains the resources to obtain a list of fabric nodes through the vManage API is
the device inventory collection. This collection can be accessed through the Cisco Encor Documents
and provides resources such as the Fabric Visualization, Device List, and Fabric Node Inventory
APIs. These APIs can be used to obtain information about the fabric nodes, such as the device
inventory, status, and version.
26.What is a client who is running 802.1x for authentication referred to as?
A. supplicant
B. NAC device
C. authenticator
D. policy enforcement point
Answer: A
27.When is the Design workflow used in Cisco DNA Center?
A. in a greenfield deployment, with no existing infrastructure
B. in a greenfield or brownfield deployment, to wipe out existing data
C. in a brownfield deployment, to modify configuration of existing devices in the network
D. in a brownfield deployment, to provision and onboard new network devices
Answer: A
Explanation:
The Design area is where you create the structure and framework of your network, including the
physical topology, network settings, and device type profiles that you can apply to devices throughout
your network. Use the Design workflow if you do not already have an existing infrastructure. If you
have an existing infrastructure, use the Discovery feature.
https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_0110.html
Reference: https://synoptek.com/insights/it-blogs/greenfield-vs-brownfield-software-development/
“Greenfield development refers to developing a system for a totally new environment and requires
development from a clean slate - no legacy code around. It is an approach used when you’re
starting fresh and with no restrictions or dependencies.”
28.Refer to the exhibit.
Which command set must be added to the configuration to analyze 50 packets out of every 100?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
29.Refer to the Exhibit.
An engineer tries to log in to router R1.
Which configuration enables a successful login?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
30.What is a benefit of Cisco TrustSec in a multilayered LAN network design?
A. Policy or ACLs are not required.
B. There is no requirement to run IEEE 802.1X when TrustSec is enabled on a switch port.
C. Application flows between hosts on the LAN to remote destinations can be encrypted.
D. Policy can be applied on a hop-by-hop basis.
Answer: C
31.DRAG DROP
Drag and drop the code snippets from the bottom onto the blanks in the code to construct a request
that configures a deny rule on an access list.
Answer:
32.Which action limits the total amount of memory and CPU that is used by a collection of VMs?
A. Place the collection of VMs in a resource pool.
B. Place the collection of VMs in a vApp.
C. Limit the amount of memory and CPU that is available to the cluster.
D. Limit the amount of memory and CPU that is available to the individual VMs.
Answer: A
33.A network administrator has designed a network with two multilayer switches on the distribution
layer, which act as default gateways for the end hosts.
Which two technologies allow every end host in a VLAN to use both gateways? (Choose two)
A. GLBP
B. HSRP
C. MHSRP
D. VSS
E. VRRP
Answer: AC
34.Refer to the exhibit.
On which interfaces should VRRP commands be applied to provide first hop redundancy to PC-01
and PC-02?
A. G0/0 and G0/1 on Core
B. G0/0 on Edge-01 and G0/0 on Edge-02
C. G0/1 on Edge-01 and G0/1 on Edge-02
D. G0/0 and G0/1 on ASW-01
Answer: C
35.Refer to the exhibit.
The WLC administrator sees that the controller to which a roaming client associates has Mobility Role
Anchor configured under Clients > Detail.
Which type of roaming is supported?
A. Indirect
B. Layer 3 intercontroller
C. Layer 2 intercontroller
D. Intracontroller
Answer: B
36.Refer to the exhibit.
Which command must be configured for RESTCONF to operate on port 8888?
A. ip http port 8888
B. restconf port 8888
C. ip http restconf port 8888
D. restconf http port 8888
Answer: A
37.Refer to the Exhibit.
An engineer must configure an ERSPAN tunnel that mirrors traffic from linux1 on Switch1 to Linux2
on Switch2.
Which command must be added to the destination configuration to enable the ERSPAN tunnel?
A. (config-mon-erspan-dst-src)# origin ip address 172.16.10.10
B. (config-mon-erspan-dst-src)# erspan-id 172.16.10.10
C. (config-mon-erspan-dst-src)# no shut
D. (config-mon-erspan-dst-src)# erspan-id 110
Answer: D
38.A company requires a wireless solution to support its main office and multiple branch locations. All
sites have local Internet connections and a link to the main office for corporate connectivity. The
branch offices are managed centrally.
Which solution should the company choose?
A. Cisco United Wireless Network
B. Cisco DNA Spaces
C. Cisco Catalyst switch with embedded controller
D. Cisco Mobility Express
Answer: B
39.Which OSPF network types are compatible and allow communication through the two peering
devices?
A. broadcast to nonbroadcast
B. point-to-multipoint to nonbroadcast
C. broadcast to point-to-point
D. point-to-multipoint to broadcast
Answer: A
Explanation:
The following different OSPF types are compatible with each other:
+ Broadcast and Non-Broadcast (adjust hello/dead timers)
+ Point-to-Point and Point-to-Multipoint (adjust hello/dead timers)
Broadcast and Non-Broadcast networks elect DR/BDR so they are compatible.
Point-to-point/multipoint do not elect DR/BDR so they are compatible.
40.An engineer is troubleshooting the AP join process using DNS.
Which FQDN must be resolvable on the network for the access points to successfully register to the
WLC?
A. wlchostname.domain.com
B. cisco-capwap-controller.domain.com
C. ap-manager.domain.com
D. primary-wlc.domain.com
Answer: B
Explanation:
DNS: If you have configured your DHCP server to provide both option 006 (DNS server address) and
option 015 (domain name) information, the AP can obtain WLC addresses from the DNS server.
The process works as follows:
41.Refer to the exhibit.
A company requires that all wireless users authenticate using dynamic key generation.
Which configuration must be applied?
A. AP(config-if-ssid)# authentication open wep wep_methods
B. AP(config-if-ssid)# authentication dynamic wep wep_methods
C. AP(config-if-ssid)# authentication dynamic open wep_dynamic
D. AP(config-if-ssid)# authentication open eap eap_methods
Answer: D
42.Refer to the Exhibit.
A network engineer configures a new GRE tunnel and enters the show run command.
What does the output verify?
A. The tunnel will be established and work as expected
B. The tunnel destination will be known via the tunnel interface
C. The tunnel keepalive is configured incorrectly because they must match on both sites
D. The default MTU of the tunnel interface is 1500 bytes.
Answer: B
43.Refer to the Exhibit.
A network administrator must configure router B to allow traffic only from network 10.100.2.0 to
networks outside of router 0.
Which configuration must be applied?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: D
44.Refer to the exhibit.
R2 is the neighboring router of R1. R2 receives an advertisement for network 192.168.10.50/32.
Which configuration should be applied for the subnet to be advertised with the original /24 netmask?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
45.Which Quality of Service (QoS) mechanism allows the network administrator to control the
maximum rate of traffic received or sent on a given interface?
A. Policing
B. Marking
C. Queueing
D. Classification
Answer: A
Explanation:
Traffic policing: in general, traffic policing allows you to control the maximum rate of traffic sent or
received on an interface and to partition a network into multiple priority levels or class of service
(CoS).
46.DRAG DROP
Drag and drop the characteristics from the left onto the deployment models on the right.
Answer:
47.Which method displays text directly into the active console with a synchronous EEM applet policy?
A. event manager applet boom
event syslog pattern 'UP'
action 1.0 gets 'logging directly to console'
B. event manager applet boom
event syslog pattern 'UP'
action 1.0 syslog priority direct msg 'log directly to console'
C. event manager applet boom
event syslog pattern 'UP'
action 1.0 puts 'logging directly to console'
D. event manager applet boom
event syslog pattern 'UP'
action 1.0 string 'logging directly to console'
Answer: B
48.Refer to the exhibit.
A network engineer is enabling logging to a local buffer, to the terminal and to a syslog server for all
debugging level logs filtered by facility code 7.
Which command is needed to complete this configuration snippet?
A. logging buffered debugging
B. logging discriminator Disc1 severity includes 7
C. logging buffered discriminator Disc1 debugging
D. logging discriminator Disc1 severity includes 7 facility includes fac7
Answer: B
49.Refer to the Exhibit.
What is the cause of the communication failure between R1 and R4?
A. R1 is configured with the no ip unreachables command.
B. R2 is denying ICMP
C. R4 is denying ICMP.
D. R3 is denying ICMP.
Answer: A
50.A wireless administrator must create a new web authentication corporate SSID that will be using
ISE as the external RADIUS server. The guest VLAN must be specified after the authentication
completes.
Which action must be performed to allow the ISE server to specify the guest VLAN?
A. Set AAA Policy name.
B. Enable AAA Override
C. Set RADIUS Profiling
D. Enable Network Access Control State.
Answer: C
51.Refer to the exhibit.
Which configuration enables fallback to local authentication and authorization when no TACACS+
server is available?
A. Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
B. Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
C. Router(config)# aaa fallback local
D. Router(config)# aaa authentication login FALLBACK local
Router(config)# aaa authorization exec FALLBACK local
Answer: B
52.Refer to the Exhibit.
Communication between London and New York is down.
Which command set must be applied to the NewYork switch to resolve the issue?
A. NewYork(config)#no interface po1
NewYork(config)#interface range fa0/1-2
NewYork(config-if)#channel-group 1 mode negotiate
NewYork(config-if)#end
NewYork#
B. NewYork(config)#no interface po1
NewYork(config)#interface range fa0/1-2
NewYork(config-if)#channel-group 1 mode on
NewYork(config-if)#end
NewYork#
C. NewYork(config)#no interface po1
NewYork(config)#interface range fa0/1-2
NewYork(config-if)#channel-group 1 mode auto
NewYork(config-if)#end
NewYork#
D. NewYork(config)#no interface po1
NewYork(config)#interface range fa0/1-2
NewYork(config-if)#channel-group 1 mode passive
NewYork(config-if)#end
NewYork#
Answer: D
53.Which design principle states that a user has no access by default to any resource, and unless a
resource is explicitly granted, it should be denied?
A. least privilege
B. fail-safe defaults
C. economy of mechanism
D. complete mediation
Answer: B
54.Users have reported an issue connecting to a server over the network. A workstation was recently
added to the network and configured with a shared USB printer.
Which of the following is most likely causing the issue?
A. The switch is oversubscribed and cannot handle the additional throughput.
B. The printer is tying up the server with DHCP discover messages.
C. The web server's back end was designed for only single-threaded applications.
D. The workstation was configured with a static IP that is the same as the server.
Answer: D
Explanation:
The workstation was configured with a static IP that is the same as the server. This is because if two
devices on the same network have the same IP address, they will cause an IP address conflict, which
will prevent them from communicating with other devices on the network. The users who were moved
to different desks may have been assigned static IP addresses that were not updated after the move,
and they may have accidentally used the same IP address as the server. The source of this answer is
the Cisco ENCOR v1.1 course, module 3, lesson 3.1: Implementing IPv4 and IPv6 Addressing.
55.What happens when a FlexConnect AP changes to standalone mode?
A. All controller-dependent activities stop working except the DFS.
B. All client roaming continues to work
C. Only clients on central switching WLANs stay connected.
D. All clients on all WLANs are disconnected
Answer: A
56.Refer to the exhibit.
Which configuration must be applied for the TACACS+ server to grant access-level rights to remote
users?
A. R1(config)# aaa authentication login enable
B. R1(config)# aaa authorization exec default local if-authenticated
C. R1(config)# aaa authorization exec default group tacacs+
D. R1(config)# aaa accounting commands 15 default start-stop group tacacs+
Answer: C
Explanation:
The aaa authorization exec default group tacacs+ command enables TACACS+ exec authorization,
which allows the TACACS+ server to grant access-level rights to remote users. Exec authorization
determines whether the user can access the privileged EXEC mode or remain in user EXEC mode
after authentication. The TACACS+ server can also assign a privilege level to the user based on the
configuration of the server. The default keyword specifies that this is the default method list for exec
authorization. The group tacacs+ keyword specifies that the TACACS+ server group defined by the
tacacs server command is used for authorization.
Reference: TACACS+ Configuration Guide - Configuring TACACS [Cisco Cloud Services Router
1000V Series] - Cisco
57.Which DHCP option helps lightweight APs find the IP address of a wireless LAN controller?
A. Option 43
B. Option 60
C. Option 67
D. Option 150
Answer: A
58.Refer to the exhibit.
An LACP port channel is configured between Switch-1 and Switch-2, but it fails to come up.
Which action will resolve the issue?
A. Configure Switch-1 with channel-group mode active
B. Configure Switch-2 with channel-group mode desirable.
C. Configure Switch-1 with channel-group mode on.
D. Configure Switch-2 with channel-group mode auto
Answer: A
59.Refer to the exhibit.
A network engineer must block Telnet traffic from hosts in the range of 10.100.2.248 to 10.100.2.255
to the network 10.100.3.0 and permit everything else.
Which configuration must the engineer apply?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
60.Which resource is able to be shared among virtual machines deployed on the same physical
server?
A. applications
B. disk
C. VM configuration file
D. operating system
Answer: B
61.An engineer must protect their company against ransomware attacks.
Which solution allows the engineer to block the execution stage and prevent file encryption?
A. Use Cisco AMP deployment with the Malicious Activity Protection engine enabled.
B. Use Cisco AMP deployment with the Exploit Prevention engine enabled.
C. Use Cisco Firepower and block traffic to TOR networks.
D. Use Cisco Firepower with Intrusion Policy and snort rules blocking SMB exploitation.
Answer: B
Explanation:
Ransomware is malicious software that locks up critical resources of the users. Ransomware uses
well-established public/private key cryptography which leaves the only way of recovering the files
being the payment of the ransom, or restoring files from backups.
Cisco Advanced Malware Protection (AMP) for Endpoints Malicious Activity Protection (MAP) engine
defends your endpoints by monitoring the system and identifying processes that exhibit malicious
activities when they execute and stops them from running. Because the MAP engine detects threats
by observing the behavior of the process at run time, it can generically determine if a system is under
attack by a new variant of ransomware or malware that may have eluded other security products and
detection technology, such as legacy signature-based malware detection. The first release of the
MAP engine targets identification, blocking, and quarantine of ransomware attacks on the endpoint.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/ampfor-endpoints/white-paper-c11-740980.pdf
62.Refer to the Exhibit.
A network engineer configures NAT on R1 and enters the show command to verify the configuration.
What does the output confirm?
A. The first packet triggered NAT to add an entry to the NAT table
B. R1 is configured with NAT overload parameters
C. A Telnet from 160.1.1.1 to 10.1.1.10 has been initiated.
D. R1 is configured with PAT overload parameters
Answer: A
63.High bandwidth utilization is occurring on interface Gig0/1 of a router. An engineer must identify
the flows that are consuming the most bandwidth. Cisco DNA Center is used as a flow exporter and is
configured with the IP address 192.168.23.1 and UDP port 23000.
Which configuration must be applied to set NetFlow data export and capture on the router?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Explanation:
Option A is the correct configuration to set NetFlow data export and capture on the router. This option
enables NetFlow data export to the Cisco DNA Center with the IP address 192.168.23.1 and UDP
port 23000, and also enables the ip flow-top-talkers command on the interface Gig0/1. The
ip flow-top-talkers command displays the top talkers (the source and destination pairs that are
consuming the most bandwidth) on the interface, based on the NetFlow statistics collected by the
router [1, 2].
Option B is incorrect because it does not enable the ip flow-top-talkers command on the interface
Gig0/1, which is required to identify the flows that are consuming the most bandwidth. The collect
counter bytes command is used to specify the fields to be collected by Flexible NetFlow, which is a
different feature from NetFlow [3].
Option C is incorrect because it does not specify the UDP port for the NetFlow data export
destination, which is required to send the NetFlow packets to the Cisco DNA Center. The default UDP
port for NetFlow is 9996, which does not match the port configured on the Cisco DNA Center [4].
Option D is incorrect because it does not enable NetFlow data export on the router, which is required
to send the NetFlow statistics to the Cisco DNA Center. The ip flow-export source command is used
to specify the source IP address of the NetFlow packets, but it does not enable the NetFlow data
export feature [4].
Reference: 1: ip flow-top-talkers, 2: Capture NetFlow data, 3: collect counter bytes, 4: ip flow-export
destination
64.Refer to the exhibit.
An engineer configures the BGP adjacency between R1 and R2, however, it fails to establish.
Which action resolves the issue?
A. Change the network statement on R1 to 172.16.10.0
B. Change the remote-as number for 192.168.100.11.
C. Enable synchronization on R1 and R2
D. Change the remote-as number on R1 to 6500.
Answer: D
65.Which Cisco WLC feature allows a wireless device to perform a Layer 3 roam between two
separate controllers without changing the client IP address?
A. mobile IP
B. mobility tunnel
C. LWAPP tunnel
D. GRE tunnel
Answer: B
66.DRAG DROP
Drag and drop the threat defense solutions from the left onto their descriptions on the right.
Answer:
67.Refer to the exhibit.
An engineer must allow R1 to advertise the 192.168.1.0/24 network to R2. R1 must perform this action
without sending OSPF packets to SW1.
Which command set should be applied?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
68.DRAG DROP
Drag and drop the tools from the left onto the agent types on the right.
Answer:
69. After Host A received the SYN-ACK message from host B, it sends an ACK message with ACK
number “y+1” to host B. This confirms host A still wants to talk to host B.
70.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [20/0] via 192.168.1.2, 00:01:17
71.Refer to the exhibit.
Which JSON syntax is derived from this data?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: D
72.Which two methods are used to reduce the AP coverage area? (Choose two)
A. Reduce channel width from 40 MHz to 20 MHz
B. Disable 2.4 GHz and use only 5 GHz.
C. Reduce AP transmit power.
D. Increase minimum mandatory data rate
E. Enable Fastlane
Answer: C D
73.What is the structure of a JSON web token?
A. three parts separated by dots: header, payload, and signature
B. header and payload
C. three parts separated by dots: version, header, and signature
D. payload and signature
Answer: A
Explanation:
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained
way for securely transmitting information between parties as a JSON object. This information can be
verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC
algorithm) or a public/private key pair using RSA or ECDSA.
JSON Web Tokens are composed of three parts, separated by a dot (.): Header, Payload, Signature.
Therefore, a JWT typically looks like the following: xxxxx.yyyyy.zzzzz
The header typically consists of two parts: the type of the token, which is JWT, and the signing
algorithm being used, such as HMAC SHA256 or RSA.
The second part of the token is the payload, which contains the claims. Claims are statements about
an entity (typically, the user) and additional data.
To create the signature part you have to take the encoded header, the encoded payload, a secret, the
algorithm specified in the header, and sign that.
Reference: https://jwt.io/introduction/
74.Refer to the exhibit.
An engineer configures a new WLAN that will be used for secure communications; however, wireless
clients report that they are able to communicate with each other.
Which action resolves this issue?
A. Enable Client Exclusions.
B. Disable Aironet IE
C. Enable Wi-Fi Direct Client Policy
D. Enable P2P Blocking.
Answer: D
75.An engineer must configure an EXEC authorization list that first checks a AAA server then a local
username. If both methods fail, the user is denied.
Which configuration should be applied?
A. aaa authorization exec default local group tacacs+
B. aaa authorization exec default local group radius none
C. aaa authorization exec default group radius local none
D. aaa authorization exec default group radius local
Answer: D
76.When is GLBP preferred over HSRP?
A. When encrypted hellos are required between gateways in a single group.
B. When the traffic load needs to be shared between multiple gateways using a single virtual IP.
C. When the gateway routers are a mix of Cisco and non-Cisco routers
D. When clients need the gateway MAC address to be the same between multiple gateways
Answer: B
77.Which solution simplifies management of secure access to network resources?
A. RFC 3580-based solution to enable authenticated access leveraging RADIUS and AV pairs
B. TrustSec to logically group internal user environments and assign policies
C. 802.1AE to secure communication in the network domain
D. ISE to automate network access control leveraging RADIUS AV pairs
Answer: B
78.DRAG DROP
Drag and drop the solutions that comprise Cisco Cyber Threat Defense from the left onto the
objectives they accomplish on the right.
Answer:
79.Refer to the Exhibit.
A network operator is attempting to configure an IS-IS adjacency between two routers, but the
adjacency cannot be established. To troubleshoot the problem, the operator collects this debugging
output.
Which interfaces are misconfigured on these routers?
A. The peer router interface is configured as Level 1 only, and the R2 interface is configured as Level
2 only
B. The R2 interface is configured as Level 1 only, and the peer router interface is configured as Level
2 only
C. The R2 interface is configured as point-to-point, and the peer router interface is configured as
multipoint.
D. The peer router interface is configured as point-to-point, and the R2 interface is configured as
multipoint.
Answer: C
80.Refer to the Exhibit.
The EtherChannel between SW1 and SW2 is not operational.
Which action will resolve the issue?
A. Configure channel-group 1 mode active on GVO and G1 1 of SW2.
B. Configure switchport trunk encapsulation dot1q on SW1 and SW2.
C. Configure channel-group 1 mode active on Gl'O and GM of SW1 .
D. Configure switchport mode dynamic desirable on SW1 and SW2
Answer: C
81.Which two security features are available when implementing NTP? (Choose two.)
A. symmetric server passwords
B. clock offset authentication
C. broadcast association mode
D. encrypted authentication mechanism
E. access list-based restriction scheme
Answer: DE
82.Which technology reduces the implementation of STP and leverages both unicast and multicast?
A. VSS
B. VXLAN
C. VPC
D. VLAN
Answer: B
83.Refer to the exhibit.
These commands have been added to the configuration of a switch.
Which command flags an error if it is added to this configuration?
A. monitor session 1 source interface port-channel 6
B. monitor session 1 source vlan 10
C. monitor session 1 source interface FastEthernet0/1 x
D. monitor session 1 source interface port-channel 7,port-channel8
Answer: B
84.Which function does a fabric wireless LAN controller perform in a Cisco SD-Access deployment?
A. manages fabric-enabled APs and forwards client registration and roaming information to the
Control Plane Node
B. coordinates configuration of autonomous nonfabric access points within the fabric
C. performs the assurance engine role for both wired and wireless clients
D. is dedicated to onboard clients in fabric-enabled and nonfabric-enabled APs within the fabric
Answer: A
Explanation:
Fabric Enabled WLC:
Fabric enabled WLC is integrated with LISP control plane. This WLC is responsible for AP image
/Config, Radio Resource Management, Client Session management and roaming and all other
wireless control plane functions.
For WLC Fabric Integration:
- The wireless client MAC address is used as the EID
- It informs about the wireless MAC address along with its other information, such as SGT and Virtual
Network information
- VN information is mapped to VLAN on FEs
- WLC is responsible for updating the Host Database tracking DB with roaming information
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html#FabricWLC
Both fabric WLCs and non-fabric WLCs provide AP image and configuration management, client
session management, and mobility services. Fabric WLCs provide additional services for fabric
integration such as registering MAC addresses of wireless clients into the host tracking database of
the fabric control plane nodes during wireless client join events and supplying fabric edge node RLOC-
association updates to the HTDB during client roam events.
85.DRAG DROP
Drag and drop the descriptions of the VSS technology from the left to the right. Not all options are
used.
Answer:
86.By default, which virtual MAC address does HSRP group 22 use?
A. c0:42:01:67:05:16
B. c0:07:0c:ac:00:22
C. 00:00:0c:07:ac:16
D. 00:00:0c:07:ac:22
Answer: D
87.An engineer must construct an access list for a Cisco Catalyst 9800 Series WLC that will redirect
wireless guest users to a splash page that is hosted on a Cisco ISE server. The Cisco ISE servers
are hosted at 10.9.11.141 and 10.1.11.141.
Which access list meets the requirements?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: D
Explanation:
Option D is the correct access list to redirect wireless guest users to a splash page that is hosted on a
Cisco ISE server.
The configuration steps are as follows [1, 2]:
Define an extended access list that permits TCP traffic from any source to the Cisco ISE servers on
port 80 (HTTP) and port 443 (HTTPS). In this case, the access list is named
ACL_WEBAUTH_REDIRECT and it allows any host to connect to the IP addresses 10.9.11.141 and
10.1.11.141 on port 80 and port 443: ip access-list extended
ACL_WEBAUTH_REDIRECT and permit tcp any host 10.9.11.141 eq 80, permit tcp any host
10.9.11.141 eq 443, permit tcp any host 10.1.11.141 eq 80, permit tcp any host 10.1.11.141 eq 443.
Apply the access list to the guest WLAN using the ip access-group command. This command filters
the traffic on the interface based on the access list. In this case, the access list
ACL_WEBAUTH_REDIRECT is applied to the guest WLAN interface in the inbound direction, which
means that only the traffic that matches the access list can enter the interface: interface wlan-guest
and ip access-group ACL_WEBAUTH_REDIRECT in.
Option A is incorrect because it does not permit TCP traffic to the Cisco ISE servers on port 80, which
is required for HTTP redirection. Without this, the guest users will not be able to see the splash page
on their web browsers [1, 2].
Option B is incorrect because it does not permit TCP traffic to the Cisco ISE servers on port 443,
which is required for HTTPS redirection. Without this, the guest users will not be able to see the
splash page on their web browsers if they use HTTPS [1, 2].
Option C is incorrect because it permits TCP traffic from any source to any destination on port 80 and
port 443, which is too broad and may allow unwanted traffic to enter the guest WLAN interface. This
may compromise the security and performance of the guest network [1, 2].
Reference: 1: Configuring Web Authentication, 2: ISE and Catalyst 9800 Series Integration Guide
88.Which entity is a Type 1 hypervisor?
A. Oracle VM VirtualBox
B. VMware server
C. Citrix XenServer
D. Microsoft Virtual PC
Answer: C
89.Which of the following should a junior security administrator recommend implementing to mitigate
malicious network activity?
A. Intrusion prevention system
B. Load balancer
C. Access logging
D. Endpoint encryption
Answer: A
Explanation:
This is because an intrusion prevention system (IPS) is a security device that monitors the network
traffic and detects and blocks any malicious or suspicious activity, such as attacks, exploits, or
malware. An IPS can help mitigate malicious network activity by preventing it from reaching the
intended target or spreading to other devices on the network. An IPS can also alert the administrator
of any potential threats and provide information for further analysis and response. The source of this
answer is the Cisco ENCOR v1.1 course, module 2, lesson 2.5: Implementing Firewall Technologies.
90.Which type of tunnel is required between two WLCs to enable intercontroller roaming?
A. mobility
B. LWAPP
C. CAPWAP
D. IPsec
Answer: A
91.Refer to the exhibit.
Only administrators from the subnet 10.10.10.0/24 are permitted to have access to the router. A
secure protocol must be used for the remote access and management of the router instead of clear-
text protocols.
Which configuration achieves this goal?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
92.Refer to the Exhibit.
An engineer must allow the FTP traffic from users on 172.16.1.0 /24 to 172.16.2.0 /24 and block all
other traffic.
Which configuration must be applied?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
93.Which JSON script is properly formatted?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Explanation:
Option A is the properly formatted JSON script. JSON (JavaScript Object Notation) is a standard text-
based format for representing structured data based on JavaScript object syntax. It is commonly used
for transmitting data in web applications (e.g., sending some data from the server to the client, so it
can be displayed on a web page, or vice versa). The JSON syntax rules are as follows [1, 2]:
Data is in name/value pairs, separated by commas. A name/value pair consists of a field name (in
double quotes), followed by a colon, followed by a value: "name": "value".
Curly braces hold objects. An object can contain multiple name/value pairs: {"name": "value", "name":
"value", ...}.
Square brackets hold arrays. An array can contain multiple values, separated by commas: ["value",
"value", ...].
Values can be strings (in double quotes), numbers, booleans (true or false), null, objects, or arrays.
Option A follows these rules and is a valid JSON script. It defines an object with four name/value
pairs: "name", "age", "hobbies", and "address". The value of "name" is a string, the value of "age" is a
number, the value of "hobbies" is an array of strings, and the value of "address" is another object with
two name/value pairs: "city" and "country". The object is enclosed in curly braces and the name/value
pairs are separated by commas.
Option B is not a valid JSON script because it uses single quotes instead of double quotes for the
field names and string values. JSON requires double quotes for strings [1, 2].
Option C is not a valid JSON script because it does not use commas to separate the name/value
pairs. JSON requires commas to separate the data elements within an object or an array [1, 2].
Option D is not a valid JSON script because it uses a semicolon instead of a colon to separate the
field name and the value. JSON requires a colon to separate the name and the value in a name/value
pair [1, 2].
Reference: 1: JSON Introduction, 2: JSON Syntax
94.Which configuration creates a CoPP policy that provides unlimited SSH access from client 10.0.0.5
and denies access from all other SSH clients?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
95.DRAG DROP
Drag and drop the characteristics from the left onto the infrastructure deployment models on the right.
Answer:
96.Refer to the Exhibit.
Which command filters the ERSPAN session packets only to interface GigabitEthernet1?
A. source ip 10.10.10.1
B. source interface gigabitethernet1 ip 10.10.10.1
C. filter access-group 10
D. destination ip 10.10.10.1
Answer: C
97.Refer to the Exhibit.
Running the script causes the output in the exhibit.
What should be the first line of the script?
A. from ncclient import manager
B. import manager
C. from ncclient import *
D. ncclient manager import
Answer: C
98.Refer to the Exhibit.
What are two results of the NAT configuration? (Choose two.)
A. Packets with a destination of 200.1.1.1 are translated to 10.1.1.1 or .2, respectively.
B. A packet that is sent to 200.1.1.1 from 10.1.1.1 is translated to 209.165.201.1 on R1.
C. R1 looks at the destination IP address of packets entering S0/0 and destined for inside hosts.
D. R1 processes packets entering E0/0 and S0/0 by examining the source IP address.
E. R1 is performing NAT for inside addresses and outside address.
Answer: B C
99.Which NGFW mode blocks flows crossing the firewall?
A. Passive
B. Tap
C. Inline tap
D. Inline
Answer: D
Explanation:
Firepower Threat Defense (FTD) provides six interface modes which are: Routed, Switched, Inline
Pair, Inline Pair with Tap, Passive, Passive (ERSPAN).
When Inline Pair Mode is in use, packets can be blocked since they are processed inline. When you
use Inline Pair mode, the packet goes mainly through the FTD Snort engine. When Tap Mode is
enabled, a copy of the packet is inspected and dropped internally while the actual traffic goes through
FTD unmodified.
100.Which technology provides a secure communication channel for all traffic at Layer 2 of the OSI
model?
A. MACsec
B. IPsec
C. SSL
D. Cisco Trustsec
Answer: A
Explanation:
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band
methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the
101.By default, which virtual MAC address does HSRP group 41 use?
A. 0c:5e:ac:07:0c:29
B. 00:05:0c:07:ac:41
C. 004:41:73:18:84:29
D. 00:00:0c:07:ac:29
Answer: D
102.How are the different versions of IGMP compatible?
A. IGMPv2 is compatible only with IGMPv1.
B. IGMPv2 is compatible only with IGMPv2.
C. IGMPv3 is compatible only with IGMPv3.
D. IGMPv3 is compatible only with IGMPv1
Answer: A
103.Which two threats does AMP4E have the ability to block? (Choose two.)
A. DDoS
B. ransomware
C. Microsoft Word macro attack
D. SQL injection
E. email phishing
Answer: BC
Explanation:
https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-for-endpoints/c11-742008-00-cisco-amp-for-endpoints-wp-v2a.pdf
104.Refer to the exhibit.
An engineer attempts to establish BGP peering between router CORP and two ISP routers.
What is the root cause for the failure between CORP and ISP#2?
A. Router ISP#2 is configured to use SHA-1 authentication.
B. There is a password mismatch between router CORP and router ISP#2.
C. Router CORP is configured with an extended access control list.
D. MD5 authorization is configured incorrectly on router ISP#2.
Answer: B
105.When using BFD in a network design, which consideration must be made?
A. BFD is used with first hop routing protocols to provide subsecond convergence.
B. BFD is more CPU-intensive than using reduced hold timers with routing protocols.
C. BFD is used with dynamic routing protocols to provide subsecond convergence.
D. BFD is used with NSF and graceful to provide subsecond convergence.
Answer: C
106.Which A record type should be configured for access points to resolve the IP address of a
wireless LAN controller using DNS?
A. CISCO.CONTROLLER.localdomain
B. CISCO.CAPWAP.CONTROLLER.localdomain
C. CISCO-CONTROLLER.localdomain
D. CISCO-CAPWAP-CONTROLLER.localdomain
Answer: D
107.5.5.5 0 FULL/- 00:00:34 10.111.10.2 Ethernet0/0.50 <<<<<<<<<<<<<<<<<
cisco_R3#
108.Refer to the exhibit.
CR2 and CR3 are configured with OSPF.
Which configuration, when applied to CR1, allows CR1 to exchange OSPF information with CR2 and
CR3 but not with other network devices or on new interfaces that are added to CR1?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: D
109.Refer to the exhibit.
A client requests a new SSID that will use web-based authentication and external RADIUS servers.
Which Layer 2 security mode must be selected?
A. WPA + WPA2
B. WPA2 + WPA3
C. StaticWEP
D. None
Answer: A
110.Which TCP setting is tuned to minimize the risk of fragmentation on a GRE/IP tunnel?
A. MTU
B. Window size
C. MRU
D. MSS
Answer: D
Explanation:
The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is
willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP
layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a
TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is
not negotiated between hosts. The sending host is required to limit the size of data in a single TCP
segment to a value less than or equal to the MSS reported by the receiving host.
TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not
handle the case where there is a smaller MTU link in the middle between these two endpoints.
PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is
111.Refer to the Exhibit.
Which command set enables router R2 to be configured via NETCONF?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
112.Which two characteristics apply to the endpoint security aspect of the Cisco Threat Defense
architecture? (Choose two.)
A. detect and block ransomware in email attachments
B. outbound URL analysis and data transfer controls
C. user context analysis
D. blocking of fileless malware in real time
E. cloud-based analysis of threats
Answer: B, D
113.Refer to the exhibit.
Extended access-list 100 is configured on interface GigabitEthernet 0/0 in an inbound direction, but it
does not have the expected behavior of allowing only packets to or from 192.168.0.0/16.
Which command set properly configures the access list?
A. R1(config)#no access-list 100 seq 10
R1(config)#access-list 100 seq 40 deny ip any any
B. R1(config)#ip access-list extended 100
R1(config-ext-nacl)#no 10
C. R1(config)#no access-list 100 deny ip any any
D. R1(config)#ip access-list extended 100
R1(config-ext-nacl)#5 permit ip any any
Answer: A
114.Which two new security capabilities are introduced by using a next-generation firewall at the
Internet edge? (Choose two.)
A. DVPN
B. NAT
C. stateful packet inspection
D. application-level inspection
E. integrated intrusion prevention
Answer: D, E
115.DRAG DROP
Drag and drop the characteristics from the left onto the deployment models on the right. Not all options
are used.
Answer:
116.DRAG DROP
An engineer is working with the Cisco DNA Center API. Drag and drop the methods from the left onto
the actions that they are used for on the right.
Answer:
117.A wireless network engineer must configure a WPA2+WPA3 policy with the Personal security
type.
Which action meets this requirement?
A. Configure the GCMP256 encryption cipher.
B. Configure the CCMP256 encryption cipher.
C. Configure the CCMP128 encryption cipher.
D. Configure the GCMP128 encryption cipher.
Answer: A
Explanation:
This is because the GCMP256 cipher is the only one that supports both WPA2 and WPA3 with the
Personal security type. The GCMP256 cipher provides stronger encryption and authentication than
the CCMP ciphers, which are only compatible with WPA2. The source of this answer is the Cisco
ENCOR v1.1 course, module 7, lesson 7.2: Implementing WPA2 and WPA3.
118.Which free application has the ability to make REST calls against Cisco DNA Center?
A. API Explorer
B. REST Explorer
C. Postman
D. Mozilla
Answer: C
119.In a Cisco SD-Access environment, which function is performed by the border node?
A. Connect users and devices to the fabric domain.
B. Group endpoints into IP pools.
C. Provide reachability information to fabric endpoints.
D. Provide connectivity to traditional layer 3 networks.
Answer: D
120.Which two operational models enable an AP to scan one or more wireless channels for rogue
access points and at the same time provide wireless services to clients? (Choose two.)
A. Rogue detector
B. Sniffer
C. FlexConnect
D. Local
E. Monitor
Answer: D, E
121.How does Cisco Trustsec enable more flexible access controls for dynamic networking
environments and data centers?
A. uses flexible NetFlow
B. assigns a VLAN to the endpoint
C. classifies traffic based on the contextual identity of the endpoint rather than its IP address
D. classifies traffic based on advanced application recognition
Answer: C
122.Refer to the exhibit.
An engineer configures the trunk and proceeds to configure an ERSPAN session to monitor VLANs 10,
20, and 30.
Which command must be added to complete this configuration?
A. Device(config-mon-erspan-src)# no filter vlan 30
B. Device(config-mon-erspan-src-dst)# no vrf 1
C. Device(config-mon-erspan-src-dst)# erspan id 6
D. Device(config-mon-erspan-src-dst)# mtu 1460
Answer: A
123.Refer to the exhibit.
Which GRE tunnel configuration command is missing on R2?
A. tunnel source 192.181.2
B. tunnel source 172.16.1.0
C. tunnel source 200.1.1.1
D. tunnel destination 200.1.1.1
Answer: C
124.Refer to the exhibit.
Which command set changes the neighbor state from Idle (Admin) to Active?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
125.In which two ways does the routing protocol OSPF differ from EIGRP? (Choose two.)
A. OSPF supports an unlimited number of hops. EIGRP supports a maximum of 255 hops.
B. OSPF provides shorter convergence time than EIGRP.
C. OSPF is distance vector protocol. EIGRP is a link-state protocol.
D. OSPF supports only equal-cost load balancing. EIGRP supports unequal-cost load balancing.
E. OSPF supports unequal-cost load balancing. EIGRP supports only equal-cost load balancing.
Answer: A, D
126.Which method ensures the confidentiality of data exchanged over a REST API?
A. Use the POST method instead of URL-encoded GET to pass parameters.
B. Encode sensitive data using Base64 encoding.
C. Deploy digest-based authentication to protect the access to the API.
D. Use TLS to secure the underlying HTTP session.
Answer: B
127.A network engineer configures BGP between R1 and R2. Both routers use BGP peer group
CORP and are set up to use MD5 authentication.
This message is logged to the console of router R1:
“ May 5 39:85:55.469: %TCP-6-BADAUTH ” Invalid MD5 digest from 10.10.10.1 (29832) to
10.120.10.1 (179) tebleid -0
Which two configurations allow a peering session to form between R1 and R2? (Choose two.)
A. R1(config-router)#neighbor 10.10.10.1 peer-group CORP
R1(config-router)#neighbor CORP password Cisco
B. R2(config-router)#neighbor 10.120.10.1 peer-group CORP
R2(config-router)#neighbor CORP password Cisco
C. R2(config-router)#neighbor 10.10.10.1 peer-group CORP
R2(config-router)#neighbor PEER password Cisco
D. R1(config-router)#neighbor 10.120.10.1 peer-group CORP
R1(config-router)#neighbor CORP password Cisco
E. R2(config-router)#neighbor 10.10.10.1 peer-group CORP
R2(config-router)#neighbor CORP password Cisco
Answer: AB
128.Which tool is used in Cisco DNA Center to build generic configurations that are able to be applied
on devices with similar network settings?
A. Command Runner
B. Template Editor
C. Application Policies
D. Authentication Template
Answer: B
129.What is the difference between TCAM and the MAC address table?
A. The MAC address table is contained in TCAM ACL and QoS information is stored in TCAM
B. The MAC address table supports partial matches. TCAM requires an exact match
C. Router prefix lookups happen in CAM. MAC address table lookups happen in TCAM.
D. TCAM is used to make Layer 2 forwarding decisions. CAM is used to build routing tables
Answer: A
Explanation:
https://community.cisco.com/t5/networking-documents/cam-content-addressable-memory-vs-tcam-ternary-content/ta-p/3107938
When using Ternary Content Addressable Memory (TCAM) inside routers it’s used for faster address
lookup that enables fast routing.
In switches Content Addressable Memory (CAM) is used for building and lookup of mac address table
that enables L2 forwarding decisions.
Besides Longest-Prefix Matching, TCAM in today’s routers and multilayer Switch devices are used to
store ACL, QoS and other things from upper-layer processing.
130.In a campus network design, what are two benefits of using BFD for failure detection? (Choose
two.)
A. BFD provides path failure detection in less than a second.
B. BFD is an efficient way to reduce memory and CPU usage.
C. BFD provides fault tolerance by enabling multiple routers to appear as a single virtual router.
D. BFD speeds up routing convergence time.
E. BFD enables network peers to continue forwarding packets in the event of a restart.
Answer: A, B