Cisco 350-401 Implementing Cisco Enterprise Network Core Technologies (ENCOR) Exam Practice Test

Operation Modes

There are two modes of operation for the FlexConnect AP.

• Connected mode: The WLC is reachable. In this mode the FlexConnect AP has CAPWAP connectivity with its WLC.
• Standalone mode: The WLC is unreachable. The FlexConnect has lost or failed to establish CAPWAP connectivity with its WLC. A WAN-link outage between a branch and its central site is a example of such a mode of operation.

FlexConnect States

A FlexConnect WLAN, depending on its configuration and network connectivity, is classified as being in one of the following defined states.

• Authentication-Central/Switch-Central: This state represents a WLAN that uses a centralized authentication method such as 802.1X, VPN, or web. User traffic is sent to the WLC via CAPWAP (Central switching). This state is supported only when FlexConnect is in connected mode.
• Authentication Down/Switching Down: Central switched WLANs no longer beacon or respond to probe requests when the FlexConnect AP is in standalone mode. Existing clients are disassociated.
• Authentication-Central/Switch-Local: This state represents a WLAN that uses centralized authentication, but user traffic is switched locally. This state is supported only when the FlexConnect AP is in connected mode.
• Authentication-Down/Switch-Local: A WLAN that requires central authentication rejects new users. Existing authenticated users continue to be switched locally until session time-out if configured. The WLAN continues to beacon and respond to probes until there are no more existing users associated to the WLAN. This state occurs as a result of the AP going into standalone mode.
• Authentication-local/switch-local: This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a FlexConnect goes into standalone mode. The WLAN continues to beacon and respond to probes. Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.

A TLOC is a Transport Locator that represents an attachment point where a Cisco WAN Edge device connects to a WAN transport. A TLOC is uniquely identified by a tuple of three values - (System-IP address, Color, Encapsulation).

A TLOC route consists of all required information needed by a remote peer in order to establish an overlay tunnel with that TLOC. This includes private and public IP addresses and ports, site-id, preference, weight, status, encapsulation info such as encryption and authentication parameters, and much more.

Generally, a signal with an SNR value of 20 dB or more is recommended for data networks where as an SNR value of 25 dB or more is recommended for networks that use voice applications

https://doc umentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Signal-to-Noise_Ratio_(SNR)_and_Wireless_Signal_Strength#:~:text=Generally%2C%20a%20signal%20with%20an,networks%20that%20use%20voice%20applications.

The established keyword is only applicable to TCP access list entries to match TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only. Let’s see an example below:

Suppose you only want to allow the hosts inside your company to telnet to an outside server but not vice versa, you can simply use an ― ”established” access-list like this:

access-list 100 permit tcp any any established

access-list 101 permit tcp any any eq telnet

!

interface S0/0

ip access-group 100 in

ip access-group 101 out

Note: Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let‘s see how this process takes place:

1. First host A will send a SYN message (a TCP segment with SYN flag set to 1, SYN is short for SYNchronize) to indicate it wants to setup a connection with host B. This message includes a sequence (SEQ) number for tracking purpose. This sequence number can be any 32-bit number (range from 0 to 232) so we use ―”x” to represent it.

2. After receiving SYN message from host A, host B replies with SYN-ACK message (some books may call it ―SYN/ACK‖ or ―SYN, ACK‖ message. ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:

+ SYN sequence number (let‘s called it “y”) is a random number and does not have any relationship with Host A‘s SYN SEQ number.

+ ACK number is the next number of Host A‘s SYN sequence number it received, so we represent it with “x+1″. It means ―I received your part. Now send me the next part (x + 1)”.

The SYN-ACK message indicates host B accepts to talk to host A (via ACK part). And ask if host A still wants to talk to it as well (via SYN part).

3. After Host A received the SYN-ACK message from host B, it sends an ACK message with ACK number “y+1” to host B. This confirms host A still wants to talk to host B.

sw2#show errdisable recovery

ErrDisable Reason Timer Status

----------------- --------------

arp-inspection Disabled

bpduguard Disabled

channel-misconfig (STP) Disabled

dhcp-rate-limit Disabled

dtp-flap Disabled

gbic-invalid Disabled

inline-power Disabled

l2ptguard Disabled

link-flap Disabled

mac-limit Disabled

link-monitor-failure Disabled

loopback Disabled

oam-remote-failure Disabled

pagp-flap Disabled

port-mode-failure Disabled

pppoe-ia-rate-limit Disabled

psecure-violation Disabled

security-violation Disabled

sfp-config-mismatch Disabled

storm-control Disabled

udld Disabled

unicast-flood Disabled

sw2#

The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame.

cisco_R3#show run int e0/0.50

Building configuration...

Current configuration : 189 bytes

!

interface Ethernet0/0.50

encapsulation dot1Q 50

ip address 10.111.10.1 255.255.255.252

ip ospf network point-to-point <<<<<<<<<<<<<<<<<<<

ip ospf 1 area 22

bfd interval 999 min_rx 999 multiplier 3

end

cisco_R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

192.168.255.2 1 FULL/DROTHER 00:00:33 192.168.255.2 Ethernet0/0.10

200.200.200.200 1 FULL/DR 00:00:34 192.168.255.22 Ethernet0/0.10

5.5.5.5 0 FULL/ - 00:00:34 10.111.10.2 Ethernet0/0.50 <<<<<<<<<<<<<<<<<

cisco_R3#

Fabric Enabled WLC:

Fabric enabled WLC is integrated with LISP control plane. This WLC is responsible for AP image /Config, Radio Resource Management, Client Session management and roaming and all other wireless control plane functions.

For WLC Fabric Integration:

• Wireless Client MAC address is used as EID
• It inform about Wireless MAC address with its other information like SGT and Virtual Network Information
• VN information is mapped to VLAN on FEs
• WLC is responsible for updating Host Database tracking DB with roaming information

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html#FabricWLC

Both fabric WLCs and non-fabric WLCs provide AP image and configuration management, client session management, and mobility services. Fabric WLCs provide additional services for fabric integration such as registering MAC addresses of wireless clients into the host tracking database of the fabric control plane nodes during wireless client join events and supplying fabric edge node RLOC-association updates to the HTDB during client roam events.

SD-Access Wireless Architecture Control Plane Node –A Closer Look

Fabric Control-Plane Node is based on a LISP Map Server / Resolver

Runs the LISP Endpoint ID Database to provide overlay reachability information

+ A simple Host Database, that tracks Endpoint ID to Edge Node bindings (RLOCs)+ Host Database supports multiple types of Endpoint ID (EID), such as IPv4 /32, IPv6 /128* or MAC/48+ Receives prefix registrations from Edge Nodes for wired clients, and from Fabric mode WLCs for wireless clients+ Resolves lookup requests from FE to locate Endpoints+ Updates Fabric Edge nodes, Border nodes with wireless client mobility and RLOC information

Orchestration

 Orchestration means arranging or coordinating multiple systems. It’s also used to mean “running the same tasks on a bunch of servers at once, but not necessarily all of them.”

 Configuration Management

Config Management is part of provisioning. Basically, that’s using a tool like Chef, Puppet or Ansible to configure our server. “Provisioning” often implies it’s the first time we do it. Config management usually happens repeatedly.

Configuration management (CM) is a systems engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life Configuration management is all about bringing consistency in the infrastructure.

Configuration Orchestration vs Configuration Management

The first thing that should be clarified is the difference between “configuration orchestration” and “configuration management” tools, both of which are considered IaC tools and are included on this list.

Configuration orchestration tools, which include Terraform and AWS CloudFormation, are designed to automate the deployment of servers and other infrastructure. Configuration management tools like Chef, Puppet, and the others on this list help configure the software and systems on this infrastructure that has already been provisioned.

Separation of Privilege: Granting permissions to an entity should not be purely based on a single condition, a combination of conditions based on the type of resource is a better idea.

https://restfulapi.net/security-essentials/#:~:tex t=REST%20Security%20Design%20Principles&text=Least%20Privilege%3A%20An%20entity%20should,when%20no%20longer%20in%20use.

A control plane node maintains a host tracking database (HTDB), and also uses Locator/ID Separation Protocol (LISP) to provide a map server, populating the HTDB from fabric edge registration messages; and a map resolver to respond to queries from edge devices requesting location information about destination nodes.

R1

Router ospf 1

Int loop0

Ip ospf 1 area 0

Int et0/0

Ip ospf 1 area 0

Ip ospf network point-to-point

Copy run start

R2

Router ospf 1

Int loop0

Ip ospf 1 area 0

Int et0/0

Ip ospf 1 area 0

Ip ospf network point-to-point

Copy run start

Verification:-

This is because the response “204 No Content” means that the REST API request was successful, but there is no content to return. The request was a DELETE method, which is used to remove a resource from the server. The resource in this case was the interface loopback 100, which was deleted from the configuration of the device. The source of this answer is the Cisco ENCOR v1.1 course, module 8, lesson 8.4: Implementing REST API.

The Python code in the exhibit defines a function called average that takes two parameters a and b and returns the arithmetic mean of them. The function is then called with the arguments 5 and 10, which are assigned to a and b respectively. The function returns (5 + 10) / 2, which is 7.5. Therefore, the result of the Python code is 7.5. References: Python Functions, Python Arithmetic Operators

Graphical user interface Description automatically generated with medium confidence

This is because Fast Transition (FT) is a feature that allows 802.11r-capable clients to roam faster between access points by reducing the authentication and key exchange time. FT can be configured in two modes: adaptive and over-the-DS. Adaptive mode is recommended for mixed environments where both 802.11r-capable and non-capable clients are present, as it allows the access point to negotiate the FT mode with the client. Over-the-DS mode is only suitable for environments where all clients are 802.11r-capable, as it requires the access point to communicate with the previous access point over the distribution system. FT + PSK is a security option that enables FT with pre-shared key (PSK) authentication, which is a simple and common method of securing wireless networks. WPA2-AES is an encryption standard that provides strong security and privacy for wireless networks. The source of this answer is the Cisco ENCOR v1.1 course, module 7, lesson 7.2: Implementing WPA2 and WPA3.

ChefRuby syntax in configuration filesAnsible all functions are performed over ssh

YAML configuration language

Based on Python

 This is because the EEM applet needs to specify the full path of the Tcl script that is stored in the flash memory of the device. The script name is write_backup.tcl and it is used to backup the running configuration to a remote server. The source of this answer is the Cisco ENCOR v1.1 course, module 8, lesson 8.3: Implementing Embedded Event Manager.

-

Solution:

On R1:

R1(config)#router bgp 123

R1(config-router)#address-family ipv4

R1(config-router-af)#neighbor 10.0.0.2 allowas-in

On R3:

R3(config)#router bgp 123

R3(config-router)# address-family ipv4

R3(config-router-af)#neighbor 192.168.1.2 allowas-in

VERIFICATION:

R3#sh ip route bgp

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets

B 1.1.1.1 [20/0] via 192.168.1.2, 00:01:17

2.0.0.0/32 is subnetted, 1 subnets

B 2.2.2.2 [20/0] via 192.168.1.2, 00:05:06

10.0.0.0/24 is subnetted, 1 subnets

B 10.0.0.0 [20/0] via 192.168.1.2, 00:01:17

Test Ping from R3 to R1:

R3#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

R3#ping 1.1.1.1 source lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 3.3.3.3

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 Option A is the properly formatted JSON script. JSON (JavaScript Object Notation) is a standard text-based format for representing structured data based on JavaScript object syntax. It is commonly used for transmitting data in web applications (e.g., sending some data from the server to the client, so it can be displayed on a web page, or vice versa). The JSON syntax rules are as follows12:

• Data is in name/value pairs, separated by commas. A name/value pair consists of a field name (in double quotes), followed by a colon, followed by a value: "name": "value".
• Curly braces hold objects. An object can contain multiple name/value pairs: {"name": "value", "name": "value", ...}.
• Square brackets hold arrays. An array can contain multiple values, separated by commas: ["value", "value", ...].
• Values can be strings (in double quotes), numbers, booleans (true or false), null, objects, or arrays.

Option A follows these rules and is a valid JSON script. It defines an object with four name/value pairs: "name", "age", "hobbies", and "address". The value of "name" is a string, the value of "age" is a number, the value of "hobbies" is an array of strings, and the value of "address" is another object with two name/value pairs: "city" and "country". The object is enclosed in curly braces and the name/value pairs are separated by commas.

Option B is not a valid JSON script because it uses single quotes instead of double quotes for the field names and string values. JSON requires double quotes for strings12.

Option C is not a valid JSON script because it does not use commas to separate the name/value pairs. JSON requires commas to separate the data elements within an object or an array12.

Option D is not a valid JSON script because it uses a semicolon instead of a colon to separate the field name and the value. JSON requires a colon to separate the name and the value in a name/value pair12. References: 1: JSON Introduction, 2: JSON Syntax

This is because the CoPP configuration shown in the exhibit applies a service policy to the control plane of the router, which is responsible for processing the routing protocols, management protocols, and other control traffic. The service policy uses a class map that matches the access list 100, which permits the traffic with the source IP address 10.1.1.1. The service policy also uses a policy map that sets the committed information rate (CIR) for the matched traffic to 64 kbps, which means that the traffic is guaranteed to have a minimum bandwidth of 64 kbps. The policy map also sets the exceed action to drop, which means that any traffic that exceeds the CIR will be dropped. Therefore, the traffic that matches entry 10 of ACL 100 is always allowed with a limited CIR, and any excess traffic is dropped. The source of this answer is the Cisco ENCOR v1.1 course, module 6, lesson 6.3: Implementing QoS.

Graphical user interface, application Description automatically generated

This is because Cisco FlexConnect is a feature that allows wireless access points to operate in standalone mode when they lose connectivity to the wireless LAN controller. Cisco FlexConnect has different states depending on the status of the authentication and switching functions. Authentication-Down means that the access point cannot authenticate new users with the central server, such as a RADIUS server. Switch-Local means that the access point can switch the traffic locally without sending it to the wireless LAN controller. Therefore, Authentication-Down / Switch-Local is the state that rejects new users but allows existing users to function normally. The source of this answer is the Cisco ENCOR v1.1 course, module 7, lesson 7.3: Implementing FlexConnect.

Sw1

Config t

Monitor session 20 source vlan 99 tx

Monitor session 20 destination interface ethernet 0/1

Copy run start

R1

Config t

Ip flow-top-talkers

Top 50

Sort-by packets

Cache time-out 30

Eth 0/2

Ip flow egress

Copy run start

Sw02

Config t

Ip sla 10

Icmp-echo 1.1.1.1 source-ip 172.16.2.2

Frequency 5

Threshold 250

Timeout 3000

Ip sla schedule 10 start-time now life forever

Copy run start

Option A is the correct configuration to apply interface and sensor monitoring on a router with the given requirements. This option uses SNMPv3, which is the most secure version of SNMP that supports encryption and authentication. The configuration steps are as follows12:

• Create an access list named nms that permits only the NMS server with IP address 10.15.2.19 to access the router: ip access-list standard nms and permit 10.15.2.19 0.0.0.0.
• Create a view named rw that includes all the SNMP objects: snmp-server view rw included.
• Create a group named nms that uses SNMPv3 with privacy (encryption) and authentication, and assigns the view rw and the access list nms to the group: snmp-server group nms v3 priv read rw access nms.
• Create a user named nms that belongs to the group nms and uses DES for authentication and AES for encryption, with the passwords despass and aespass respectively: snmp-server user nms nms v3 auth des despass priv aes 192 aespass.

Option B is incorrect because it does not use encryption for SNMP communication, which is required by the question. The noauth keyword in the snmp-server group command means that no authentication or encryption is used, which makes the SNMP packets vulnerable to eavesdropping and tampering1.

Option C is incorrect because it does not use the most secure algorithms for SNMP communication, which is required by the question. The md5 and des keywords in the snmp-server user command mean that MD5 and DES are used for authentication and encryption respectively, which are considered weak and outdated algorithms. AES and SHA are recommended instead1.

Option D is incorrect because it does not restrict the access to the NMS server only, which is required by the question. The snmp-server community command creates a community string that acts as a password for SNMP access, but it does not specify an access list to limit the source IP addresses that can use the community string. Therefore, any device that knows the community string can access the router via SNMP1. References: 1: Configuring SNMPv3, 2: SNMP Configuration Guide, Cisco IOS XE Gibraltar 16.12.x

To configure multiple NetFlow export destinations to a router, use the following commands in global configuration mode:

Step 1: Router(config)# ip flow-export destination ip-address udp-port

Step 2: Router(config)# ip flow-export destination ip-address udp-port

The following example enables the exporting of information in NetFlow cache entries:

ip flow-export destination 10.42.42.1 9991 ip flow-export destination 10.0.101.254 1999

From the output we see DSW2 is running in RSTP mode (in fact Rapid PVST+ mode as Cisco does not support RSTP alone). When a new switch running PVST+ mode is added to the topology, they keep running the old STP instances as RSTP (in fact Rapid PVST+) is compatible with PVST+.

According to the requirements (first use TACACS+, then allow login with no authentication), we

have to use “aaa authentication login … group tacacs+ none” for AAA command.

The next thing to check is the if the “aaa authentication login default” or “aaa authentication

login list-name” is used. The ‘default’ keyword means we want to apply for all login connections

(such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything

else under tty, vty and aux lines. If we don’t use this keyword then we have to specify which

line(s) we want to apply the authentication feature.

From above information, we can find out answer 'R1#sh run | include aaa

aaa new-model

aaa authentication login default group tacacs+ none

aaa session-id common

R1#sh run | section vty

line vty 0 4

password 7 0202039485748

If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS

Tutorial – Part 2.

For your information, answer 'R1#sh run | include aaa

aaa new-model

aaa authentication login telnet group tacacs+ none

aaa session-id common

R1#sh run | section vty

line vty 0 4

R1#sh run | include username

R1#' would be correct if we add the following command under vty line (“line vty 0 4”): “login

authentication telnet” (“telnet” is the name of the AAA list above)

The Intent API is a Northbound REST API that exposes specific capabilities of the Cisco DNA Center platform. The Intent API provides policy-based abstraction of business intent, allowing focus on an outcome rather than struggling with individual mechanisms steps.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained

way for securely transmitting information between parties as a JSON object. This information can

be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the

HMAC algorithm) or a public/private key pair using RSA or ECDSA.

JSON Web Tokens are composed of three parts, separated by a dot (.): Header, Payload,

Signature. Therefore, a JWT typically looks like the following:

xxxxx.yyyyy.zzzzz

The header typically consists of two parts: the type of the token, which is JWT, and the signing

algorithm being used, such as HMAC SHA256 or RSA.

The second part of the token is the payload, which contains the claims. Claims are statements

about an entity (typically, the user) and additional data.

To create the signature part you have to take the encoded header, the encoded payload, a secret,

the algorithm specified in the header, and sign that.

A picture containing diagram Description automatically generated

Graphical user interface, text, application, email Description automatically generated

C:\Users\SANJAY~1\AppData\Local\Temp\SNAGHTML492a4f88.PNG

The ‘>’ shown in the output above indicates that the path with a next hop of 192.168.101.2 is the

current best path.

Path Selection Attributes: Weight > Local Preference > Originate > AS Path > Origin > MED >

External > IGP Cost > eBGP Peering > Router ID

BGP prefers the path with highest weight but the weights here are all 0 (which indicate all routes

that are not originated by the local router) so we need to check the Local Preference. Answer

'192.168.101.18' path without LOCAL_PREF (LocPrf column) means it has the default value of 100.

Therefore we can find the two next best paths with the next hop of 192.168.101.18 and

192.168.101.10.

We have to move to the next path selection attribute: Originate. BGP prefers the path that the

local router originated (which is indicated with the “next hop 0.0.0.0”). But none of the two best

paths is self-originated.

The AS Path of the next hop 192.168.101.18 is shorter than the AS Path of the next hop

192.168.101.10 then the next hop 192.168.101.18 will be chosen as the next best path.

The Southbound API is used to communicate with network devices.

Graphical user interface, text, application, chat or text message Description automatically generated

During operation, an Egress Tunnel Router (ETR) sends periodic Map-Register messages to all its configured map servers.

A picture containing timeline Description automatically generated

OMP is the control protocol that is used to exchange routing, policy, and management information between Cisco vSmart Controllers and Cisco IOS XE SD-WAN devices in the overlay network. These devices automatically initiate OMP peering sessions between themselves, and the two IP end points of the OMP session are the system IP addresses of the two devices.

Cisco Express Forwarding (CEF) switching is a proprietary form of scalable switching intended to tackle the problems associated with demand caching. With CEF switching, the information which is conventionally stored in a route cache is split up over several data structures. The CEF code is able to maintain these data structures in the Gigabit Route Processor (GRP), and also in slave processors such as the line cards in the 12000 routers. The data structures that provide optimized lookup for efficient packet forwarding include:

• The Forwarding Information Base (FIB) table - CEF uses a FIB to make IP destination prefix-based switching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and these changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table.

Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with switching paths such as fast switching and optimum switching.

• Adjacency table - Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

CEF can be enabled in one of two modes:

• Central CEF mode - When CEF mode is enabled, the CEF FIB and adjacency tables reside on the route processor, and the route processor performs the express forwarding. You can use CEF mode when line cards are not available for CEF switching, or when you need to use features not compatible with distributed CEF switching.
• Distributed CEF (dCEF) mode - When dCEF is enabled, line cards maintain identical copies of the FIB and adjacency tables. The line cards can perform the express forwarding by themselves, relieving the main processor - Gigabit Route Processor (GRP) - of involvement in the switching operation. This is the only switching method available on the Cisco 12000 Series Router.

dCEF uses an Inter-Process Communication (IPC) mechanism to ensure synchronization of FIBs and adjacency tables on the route processor and line cards.

For more information about CEF switching, see Cisco Express Forwarding (CEF) White Paper.

 Firepower Threat Defense (FTD) provides six interface modes which are: Routed, Switched, Inline Pair, Inline Pair with Tap, Passive, Passive (ERSPAN).When Inline Pair Mode is in use, packets can be blocked since they are processed inline When you use Inline Pair mode, the packet goes mainly through the FTD Snort engine When Tap Mode is enabled, a copy of the packet is inspected and dropped internally while the actual traffic goes through FTD unmodified

Graphical user interface, text, application, email Description automatically generated

Graphical user interface, text, application Description automatically generated

The Design area is where you create the structure and framework of your network, including the physical topology, network settings, and device type profiles that you can apply to devices throughout your network. Use the Design workflow if you do not already have an existing infrastructure. If you have an existing infrastructure, use the Discovery feature.

https://www.cisco.com/c/en/us/td/docs/clou d-systems-management/network-automation-and-management/dna-center/2-1-2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_0110.html

As these wireless networks grow especially in remote facilities where IT professionals may not always be onsite, it becomes even more important to be able to quickly identify and resolve potential connectivity issuesideally before the users complain or notice connectivity degradation. To address these issues we have created Cisco’s Wireless Service Assurance and a new AP mode called “sensor”mode. Cisco’s Wireless Service Assurance platform has three components, namely, Wireless PerformanceAnalytics, Real-time Client Troubleshooting, and Proactive Health Assessment. Using a supported AP ordedicated sensor the device can actually function much like a WLAN client would associating andidentifying client connectivity issues within the network in real time without requiring an IT or technician to beon site.

From the output exhibit, we notice that the key-string of R1 is ―Cisco123!‖ (letter ―C‖ is in capital) while that of R2 is ―cisco123!‖. This causes a mismatch in the authentication so we have to fix their key-strings.

key-string [encryption-type] text-string: Configures the text string for the key. The text-string argument is alphanumeric, case-sensitive, and supports special characters.

Text Description automatically generated

A picture containing diagram Description automatically generated

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host

is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the

IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a

TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value

is not negotiated between hosts. The sending host is required to limit the size of data in a single

TCP segment to a value less than or equal to the MSS reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not

handle the case where there is a smaller MTU link in the middle between these two endpoints.

PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is

Deny

Permit

Action drop

Action forward

The TCP port 6514 has been allocated as the default port for syslog over Transport Layer Security

(TLS).

Diagram, line chart Description automatically generated

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BR KEWN-3010.pdf

Graphical user interface Description automatically generated with low confidence

When you click Deploy, Cisco DNA Center requests the Cisco Identity Services Engine (Cisco ISE) to send notifications about the policy changes to the network devices.

Local preference is an indication to the AS about which path has preference to exit

the AS in order to reach a certain network. A path with a higher local preference is

preferred. The default value for local preference is 100.

Unlike the weight attribute, which is only relevant to the local router, local

preference is an attribute that routers exchange in the same AS. The local

preference is set with the “bgp default local-preference value” command.

In this case, both R3 & R4 have exit links but R4 has higher local-preference so R4

will be chosen as the preferred exit point from AS 200.

The ―autocommand‖ causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line. In this specific question, we have to enter this line ―username CCNP autocommand show running-config‖.

SW3 does not have VLAN 60 so it should not receive traffic for this VLAN (sent from SW2).

Therefore we should configure VTP Pruning on SW3 so that SW2 does not forward VLAN 60 traffic

to SW3. Also notice that we need to configure pruning on SW1 (the VTP Server), not SW2.

VXLAN uses an 8-byte VXLAN header that consists of a 24-bit VNID and a few reserved bits. The VXLAN header together with the original Ethernet frame goes in the UDP payload. The 24-bit VNID is used to identify Layer 2 segments and to maintain Layer 2 isolation between the segments.

The Option 43 hexadecimal string is assembled as a sequence of the TLV values for the Option 43 suboption: Type + Length + Value. Type is always the suboption code 0xf1. Length is the number of controller management IP addresses times 4 in hex. Value is the IP address of the controller listed sequentially in hex.

On this question, there is 1 controller with management interface IP addresses 172.16.50.5/24. The type is 0xf1. The length is 1 * 4 = 8 = 0x04. The mgmt IP addresses 172.16.50.5 translate to ac.10.32.05 (0xac103205). When the string is assembled, it yields f108c0a80a05c0a80a14. The Cisco IOS command that is added to the DHCP scope is:

option 43 hex f104ac103205

Support Virtual Switching System (VSS) to provide resiliency, and increased operational efficiency with a single point of management;

VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent. – Single configuration file and node to manage. Removes the need to configure redundant switches twice with identical policies.

We cannot filter traffic that is originated from the local router (R3 in this case) so

we can only configure the ACL on R1 or R2. “Weekend hours” means from Saturday

morning through Sunday night so we have to configure: “periodic weekend 00:00

to 23:59”.

Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0

to 23 and the minutes range from 0 to 59.

Map resolver (MR): The MR performs the following functions: Receives MAP requests, which are encapsulated by ITRs. Provides a service interface to the ALT router, de-encapsulates MAP requests, and forwards on the ALT topology. 

+ Fabric edge node: This fabric device (for example, access or distribution layer

device) connects

HTTP Status 204 (No Content) indicates that the server has successfully fulfilled the request and that there is no content to send in the response payload body.

Table Description automatically generated

There are four messages sent between the DHCP Client and DHCP Server: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACKNOWLEDGEMENT.

This process is often abbreviated as DORA (for Discover, Offer, Request, Acknowledgement).

This JSON can be written as follows:

{

'switch': {

'name': 'dist1',

'interfaces': ['gig1', 'gig2', 'gig3']

}

}

The most common implementations of OAuth (OAuth 2.0) use one or both of these tokens:

+ access token: sent like an API key, it allows the application to access a user’s data;

optionally, access tokens can expire.

+ refresh token: optionally part of an OAuth flow, refresh tokens retrieve a new access

token if they have expired. OAuth2 combines Authentication and Authorization to allow

more sophisticated scope and validity control.

Diagrama Descripción generada automáticamenteMED Attribute:+ Optional nontransitive attribute (nontransitive means that we can only advertise MED to routers that are one AS away)+ Sent through ASes to external BGP neighbors+ Lower value is preferred (it can be considered the external metric of a route)+ Default value is 0

Fabric wireless controllers manage and control the fabric-mode APs using the same general model as the traditional local-mode controllers which offers the same operational advantages such as mobility control and radio resource management. A significant difference is that client traffic from wireless endpoints is not tunnelled from the APs to the wireless controller. Instead, communication from wireless clients is encapsulated in VXLAN by the fabric APs which build a tunnel to their first-hop fabric edge node. Wireless traffic it tunneled to the edge nodes as the edge nodes provide fabric services such as the Layer 3 Anycast Gateway, policy, and traffic enforcement. https://www.cisco.com/c/en/us/td/docs/sol utions/CVD/Campus/cisco-sda-design-guide.html

Type of service, when we talk about PACKET, means layer 3