New ENCOR Questions – Part 4
Question 1
After a redundant route processor failure occurs on a Layer 3 device, which mechanism allows for packets to be forwarded from a neighboring router based on the most recent tables?
A. RPVST+ B. RP failover C. BFD D. NSF
Answer: D
Explanation
Routers specifically designed for high availability include hardware redundancy, such as dual power supplies and route processors (RPs). An RP is responsible for learning the network topology and building the route table (RIB). An RP failure can trigger routing protocol adjacencies to reset, resulting in packet loss and network instability. During an RP failure, it may be more desirable to hide the failure and allow the router to continue forwarding packets using the previously programmed CEF table entries rather than temporarily drop packets while waiting for the secondary RP to reestablish the routing protocol adjacencies and rebuild the forwarding table.
Enabling nonstop forwarding (NSF) or nonstop routing (NSR) high availability capabilities informs the router(s) to maintain the CEF entries for a short duration and continue forwarding packets through an RP failure until the control plane recovers.
Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide
Question 2
What is the difference between TCAM and the MAC address table?
A. Router prefix lookups happens in CAM. MAC address table lookups happen in TCAM B. The MAC address table supports partial matches. TCAM requires an exact match C. The MAC address table is contained in CAM. ACL and QoS information is stored in TCAM D. TCAM is used to make Layer 2 forwarding decisions. CAM is used to build routing tables
Answer: C
Explanation
Inside routers, Ternary Content Addressable Memory (TCAM) is used for fast address lookups, which is what makes hardware routing fast.
In switches, Content Addressable Memory (CAM) holds the MAC address table and is used for the exact-match lookups behind Layer 2 forwarding decisions.
Besides longest-prefix matching, the TCAM in today's routers and multilayer switches is also used to store ACL, QoS and other upper-layer lookup entries. The reason is that a TCAM entry can contain "don't care" bits, so it supports partial (masked) matches, whereas a CAM entry must match exactly. That is why answer B has the two memories reversed and answer C is correct.
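The difference between the two memories is easiest to see in code. The following is an added example, not code from the original page: it models a MAC table as an exact-match CAM and an ACL/FIB as a TCAM whose entries carry a value and a mask, and shows first-match (ACL) versus longest-match (routing) semantics. The class names, the sample addresses and the "via-A"/"permit" actions are all constructed for illustration.

```python
"""CAM versus TCAM lookups, modelled in plain Python.

Added example, not from the original page: the MAC address table is an
exact-match CAM, while ACL, QoS and route-prefix entries live in a TCAM whose
entries may contain "don't care" bits and so allow partial (masked) matches.
All names and sample data here are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer lookup key."""
    return int(ipaddress.IPv4Address(addr))


class CamTable:
    """Exact-match memory: a (VLAN, MAC) key either hits one entry or misses."""

    def __init__(self) -> None:
        self._entries: dict[tuple[int, str], int] = {}

    def learn(self, vlan: int, mac: str, port: int) -> None:
        self._entries[(vlan, mac.lower())] = port

    def lookup(self, vlan: int, mac: str) -> int | None:
        # No wildcarding is possible: every bit of the key must match.
        return self._entries.get((vlan, mac.lower()))


@dataclass(frozen=True)
class TcamEntry:
    value: int    # bit pattern to match where the mask bit is 1
    mask: int     # 1 = care, 0 = don't care
    action: str


class Tcam:
    """Ternary memory: every entry is compared against the key; priority decides ties."""

    def __init__(self) -> None:
        self._entries: list[TcamEntry] = []

    def add(self, value: int, mask: int, action: str) -> None:
        # Store only the bits we care about so a compare is a single AND + EQ.
        self._entries.append(TcamEntry(value & mask, mask, action))

    def add_prefix(self, cidr: str, action: str) -> None:
        """Program an IPv4 prefix as value/mask, the way routes and ACEs are stored."""
        net = ipaddress.IPv4Network(cidr, strict=False)
        self.add(int(net.network_address), int(net.netmask), action)

    def lookup_first(self, key: int) -> str | None:
        """ACL semantics: the first matching entry (configuration order) wins."""
        for e in self._entries:
            if key & e.mask == e.value:
                return e.action
        return None

    def lookup_longest(self, key: int) -> str | None:
        """FIB semantics: among matching entries, the one with the most care bits wins.
        Real hardware orders entries by prefix length so the first hit is the longest."""
        best: TcamEntry | None = None
        for e in self._entries:
            if key & e.mask == e.value and (
                best is None or bin(e.mask).count("1") > bin(best.mask).count("1")
            ):
                best = e
        return best.action if best else None


if __name__ == "__main__":
    cam = CamTable()
    cam.learn(10, "00:11:22:33:44:55", 3)
    print(cam.lookup(10, "00:11:22:33:44:55"), cam.lookup(10, "00:11:22:33:44:56"))

    acl = Tcam()
    acl.add_prefix("10.1.1.0/24", "permit")
    acl.add_prefix("10.0.0.0/8", "deny")
    print(acl.lookup_first(ip_to_int("10.1.1.7")), acl.lookup_first(ip_to_int("10.2.0.1")))

    fib = Tcam()
    fib.add_prefix("10.0.0.0/8", "via-A")
    fib.add_prefix("10.1.0.0/16", "via-B")
    print(fib.lookup_longest(ip_to_int("10.1.5.5")), fib.lookup_longest(ip_to_int("10.9.9.9")))
```

Note the two lookup methods on the same memory: an ACL is evaluated top-down so `lookup_first` returns the first hit, while a FIB must return the most specific prefix, which is why hardware programs routes into the TCAM sorted by prefix length. The CAM has no equivalent; a MAC that differs in one bit is simply a miss and the frame is flooded.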
Question 3
Which two southbound interfaces originate from Cisco DNA Center and terminate at fabric underlay switches? (Choose two)
A. UDP 67: DHCP B. ICMP: Discovery C. TCP 23: Telnet D. UDP 162: SNMP E. UDP 6007: NetFlow
Answer: B C
Explanation
According to this Cisco link (Table 5), the following ports are from Cisco DNA Center to fabric underlay switches:
+ TCP 22: from Cisco DNA Center to fabric switches' loopbacks for SSH
+ TCP 23: from Cisco DNA Center to fabric switches' loopbacks for Telnet
+ UDP 161: from Cisco DNA Center to fabric switches' loopbacks for SNMP device discovery
+ ICMP: from Cisco DNA Center to fabric switches' loopbacks for SNMP device discovery
+ TCP 443: from Cisco DNA Center to fabric switches for software upgrades (also to the internet if there is no proxy)
+ UDP 6007: from Cisco DNA Center to switches and routers for NetFlow
+ UDP 123: from Cisco DNA Center to fabric switches for the initial period during LAN automation
So in fact three options match the table (TCP 23, ICMP and UDP 6007), but the two best answers are TCP 23 and ICMP: those rows name the fabric switches specifically, whereas the NetFlow row covers "switches and routers" in general. Option D is wrong in direction as well as content: UDP 162 carries SNMP traps, which travel from the devices to Cisco DNA Center, not the other way round.
Question 4
What is the function of a control-plane node in a Cisco SD-Access solution?
A. to connect APs and wireless endpoints to the SD-Access fabric B. to connect external Layer 3 networks to the SD Access fabric C. to implement policies and communicate with networks outside the fabric D. to run a mapping system that manages endpoint to network device relationships
Answer: D
Explanation
+ Control-plane nodes: run the map system (LISP Map-Server/Map-Resolver) that manages endpoint-to-location (EID-to-RLOC) relationships
+ Fabric border nodes: a fabric device (e.g. core) that connects external Layer 3 networks to the SD-Access fabric
+ Fabric edge nodes: a fabric device (e.g. access or distribution) that connects wired endpoints to the SD-Access fabric
+ Fabric wireless controller: a fabric device (WLC) that connects APs and wireless endpoints to the SD-Access fabric
Question 5
Refer to the exhibit. What is the result when a switch that is running PVST+ is added to this network?
A. Spanning tree is disabled automatically on the network B. DSW2 operates in Rapid PVST+ and the new switch operates in PVST+ C. Both switches operate in the PVST+ mode D. Both switches operate in the Rapid PVST+ mode
Answer: B
Explanation
From the output we see DSW2 is running in RSTP mode (in fact Rapid PVST+, as Cisco switches do not run plain RSTP). Rapid PVST+ is backward compatible with PVST+: when a port on DSW2 receives legacy 802.1D BPDUs from the new switch, DSW2 falls back to sending 802.1D BPDUs on that port only. Each switch keeps its own mode, so DSW2 stays in Rapid PVST+ and the new switch operates in PVST+.
Question 6
What is a characteristic of a next-generation firewall?
A. required in each layer of the network B. filters traffic using Layer 3 and Layer 4 information only C. only required at the network perimeter D. provides intrusion prevention
Answer: D
Explanation
A next-generation firewall adds features beyond Layer 3/4 filtering: application visibility and control, integrated intrusion prevention (IPS), user identity awareness and often advanced threat protection such as sandboxing. It is therefore not limited to Layer 3 and Layer 4 information (B), and, like any firewall, it is placed where segmentation is needed rather than in every layer of the network (A) or only at the perimeter (C).
Question 7
Which measure is used by an NTP server to indicate its closeness to the authoritative time source?
A. stratum B. hop count C. time zone D. latency
Answer: A
Explanation
The stratum level indicates the distance from the reference clock. A reference clock (for example a GPS or atomic clock) is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 devices are not used on the network directly; they are attached to computers that then operate as stratum 1 servers. A stratum 1 time server acts as the primary network time standard.
A stratum 2 server gets its time via NTP requests from a stratum 1 server, a stratum 3 server from a stratum 2 server, and so on, each level adding one to the stratum. The value only counts NTP hops from a reference clock; it is not a direct measure of accuracy, of latency, or of IP-layer hop count, which is why the other options are wrong.
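The stratum is a single byte in the NTP header, so it is worth seeing where it sits and how it is interpreted. The following is an added example, not code from the original page: it parses the 48-byte NTP header from RFC 5905, classifies the stratum, and recognizes the stratum 0 "kiss-o'-death" reply a server sends to a client it wants to throttle. The sample packets are constructed inline (the 192.0.2.10 upstream address and the timestamps are made up), and nothing is sent on the network.

```python
"""Reading the stratum (and the rest of the header) out of an NTP packet.

Added example, not from the original page: parses the 48-byte NTP header
defined in RFC 5905 and interprets the stratum field. The packets below are
constructed inline for illustration; nothing is sent on the network.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

NTP_HEADER = struct.Struct("!BBBbII4s4Q")   # 48 bytes: flags, stratum, poll, precision, delay, disp, refid, 4 timestamps
NTP_UNIX_EPOCH_DELTA = 2_208_988_800         # seconds between 1900-01-01 and 1970-01-01


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int
    reference_id: str
    transmit_unix: float

    @property
    def is_kiss_of_death(self) -> bool:
        # RFC 5905: stratum 0 with an ASCII code ("RATE", "DENY", ...) in the reference ID.
        return self.stratum == 0 and self.reference_id.isalpha()


def describe_stratum(stratum: int) -> str:
    if stratum == 0:
        return "unspecified/invalid (kiss-o'-death)"
    if stratum == 1:
        return "primary: directly attached to a stratum 0 reference clock"
    if stratum <= 15:
        return f"secondary: {stratum - 1} NTP hop(s) from a stratum 1 server"
    if stratum == 16:
        return "unsynchronized"
    return "reserved"


def parse_ntp(packet: bytes) -> NtpHeader:
    if len(packet) < NTP_HEADER.size:
        raise ValueError(f"NTP packet too short: {len(packet)} bytes")
    (li_vn_mode, stratum, poll, precision, _root_delay, _root_disp, refid,
     _ref_ts, _orig_ts, _recv_ts, tx_ts) = NTP_HEADER.unpack_from(packet)
    if stratum <= 1:
        # Stratum 0/1: a four-character ASCII identifier such as GPS, PPS or RATE.
        ref = refid.rstrip(b"\x00").decode("ascii", errors="replace")
    else:
        # Stratum 2+ over IPv4: the IPv4 address of the upstream server.
        ref = ".".join(str(b) for b in refid)
    return NtpHeader(
        leap=li_vn_mode >> 6,
        version=(li_vn_mode >> 3) & 0x7,
        mode=li_vn_mode & 0x7,
        stratum=stratum,
        poll=poll,
        precision=precision,
        reference_id=ref,
        transmit_unix=(tx_ts >> 32) - NTP_UNIX_EPOCH_DELTA + (tx_ts & 0xFFFFFFFF) / 2**32,
    )


def build_client_request(version: int = 4) -> bytes:
    """A minimal client query: LI=0, VN=version, mode=3, every other field zero."""
    first = (0 << 6) | (version << 3) | 3
    return NTP_HEADER.pack(first, 0, 0, 0, 0, 0, b"\x00" * 4, 0, 0, 0, 0)


def unix_to_ntp(unix_seconds: int) -> int:
    """Whole-second Unix time to a 64-bit NTP timestamp (fraction = 0)."""
    return (unix_seconds + NTP_UNIX_EPOCH_DELTA) << 32


# Constructed sample replies (not captured traffic).
SAMPLE_SERVER_REPLY = NTP_HEADER.pack(
    0x24,                      # LI=0, VN=4, mode=4 (server)
    2,                         # stratum 2: synchronized to a stratum 1 server
    6, -23, 0x1234, 0x0567,
    bytes([192, 0, 2, 10]),    # reference ID = the upstream stratum 1 server
    0, 0, 0, unix_to_ntp(1_700_000_000),
)
SAMPLE_KOD_REPLY = NTP_HEADER.pack(0x24, 0, 6, -23, 0, 0, b"RATE", 0, 0, 0, 0)

if __name__ == "__main__":
    for pkt in (SAMPLE_SERVER_REPLY, SAMPLE_KOD_REPLY):
        h = parse_ntp(pkt)
        print(h.stratum, describe_stratum(h.stratum), h.reference_id, h.is_kiss_of_death)
```

Two practical points fall out of the parser: the reference ID changes meaning with the stratum (an ASCII clock name at stratum 0/1, the upstream server's IPv4 address at stratum 2 and above), and a client that blindly trusts stratum without checking for the stratum 0 kiss-o'-death case will keep hammering a server that has asked it to back off.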
Question 8
Which two results occur if Cisco DNA Center loses connectivity to devices in the SD-Access fabric? (Choose two)
A. All devices reload after detecting loss of connection to Cisco DNA Center B. Already connected users are unaffected, but new users cannot connect C. Users lose connectivity D. Cisco DNA Center is unable to collect monitoring data in Assurance E. User connectivity is unaffected
Answer: D E
Explanation
If Cisco SD-Access is implemented and Cisco DNA Center becomes unreachable, the wired and wireless network continues to forward packets as usual; there is no impact on network performance or behavior, and you can still SSH, Telnet or console into the switches and wireless infrastructure. For the period Cisco DNA Center is unreachable, Assurance data is lost and you cannot make configuration changes to the SD-Access network through it.
Question 9
Which two components are supported by LISP? (Choose two)
A. proxy ETR B. HMAC algorithm C. route reflector D. egress tunnel router E. spoke
Answer: A D
Explanation
An Egress Tunnel Router (ETR) connects a site to the LISP-capable part of a core network (such as the Internet), publishes EID-to-RLOC mappings for the site, responds to Map-Request messages, and decapsulates and delivers LISP-encapsulated user data to end systems at the site.
A LISP proxy ETR (PETR) implements ETR functions on behalf of non-LISP sites. A PETR is typically used when a LISP site needs to send traffic to non-LISP sites but the LISP site is connected through a service provider that does not accept nonroutable EIDs as packet sources. PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP sites.
Question 10
Drag and drop the virtual component from the left onto their descriptions on the right.
Answer:
+ configuration file containing settings for a virtual machine such as guest OS: VMX
+ component of a virtual machine responsible for sending packets to the hypervisor: vNIC
+ zip file containing a virtual machine configuration file and a virtual disk: OVA
+ file containing a virtual machine disk drive: VMDK
Explanation
The VMX file holds the virtual machine configuration (guest OS type, CPU and memory allocation, attached devices).
VMDK (Virtual Machine Disk) is a file format describing containers for virtual hard disk drives, used by products such as VMware Workstation and VirtualBox.
An OVA (Open Virtualization Appliance) file is a single archive containing a ready-to-import virtual machine: the OVF descriptor (XML), the virtual disk(s), and usually a manifest with a digest of each file. Although the exam wording calls it a "zip file", an OVA is technically a TAR archive. When you open an OVA, the virtualization software extracts the VM and imports it.
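Because an OVA is just a TAR archive with a manifest, it can be inspected and its digests checked before anything is imported into a hypervisor. The following is an added example, not code from the original page: it builds a minimal OVA in memory (the file names, the placeholder OVF and the "KDMV" disk stub are constructed), lists its members, verifies every digest in the .mf manifest, and shows that a swapped disk image is caught.

```python
"""Inspecting an OVA and checking its manifest before importing it.

Added example, not from the original page: an OVA is a TAR archive holding an
OVF descriptor (.ovf), one or more disks (.vmdk) and usually a manifest (.mf)
with a digest per file. The archive below is constructed in memory for
illustration; file names and contents are made up.
"""
from __future__ import annotations

import hashlib
import io
import re
import tarfile

# Manifest lines look like:  SHA256(appliance.ovf)= 3b1f...   (SHA1 in older tools)
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)\s*=\s*([0-9A-Fa-f]+)\s*$")


def build_tar(members: list[tuple[str, bytes]]) -> bytes:
    """Write an uncompressed TAR (which is what an OVA is) from (name, content) pairs, in order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_ova() -> bytes:
    """A tiny constructed OVA: descriptor first (as the OVF spec requires), then disk, then manifest."""
    ovf = b'<?xml version="1.0"?><Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"/>'
    vmdk = b"KDMV" + b"\x00" * 60          # stand-in for a real disk image
    files = [("appliance.ovf", ovf), ("appliance-disk1.vmdk", vmdk)]
    mf = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n" for n, d in files).encode()
    return build_tar(files + [("appliance.mf", mf)])


def list_members(ova: bytes) -> list[str]:
    with tarfile.open(fileobj=io.BytesIO(ova), mode="r:") as tf:
        return tf.getnames()


def verify_ova(ova: bytes) -> dict[str, bool]:
    """Recompute every digest listed in the .mf and report per-file pass/fail.

    Raises ValueError when there is no manifest or a listed file is absent,
    since silently skipping either would defeat the check.
    """
    results: dict[str, bool] = {}
    with tarfile.open(fileobj=io.BytesIO(ova), mode="r:") as tf:
        names = tf.getnames()
        manifests = [n for n in names if n.endswith(".mf")]
        if not manifests:
            raise ValueError("OVA has no manifest (.mf); integrity cannot be checked")
        manifest = tf.extractfile(manifests[0]).read().decode("ascii")
        for line in manifest.splitlines():
            m = MANIFEST_LINE.match(line.strip())
            if not m:
                continue
            algo, fname, expected = m.group(1).lower(), m.group(2), m.group(3).lower()
            if fname not in names:
                raise ValueError(f"manifest references missing file {fname}")
            actual = hashlib.new(algo, tf.extractfile(fname).read()).hexdigest()
            results[fname] = actual == expected
    return results


def replace_member(ova: bytes, target: str, new_data: bytes) -> bytes:
    """Rebuild the archive with one member swapped (used here to show tampering is caught)."""
    with tarfile.open(fileobj=io.BytesIO(ova), mode="r:") as tf:
        members = [(n, new_data if n == target else tf.extractfile(n).read()) for n in tf.getnames()]
    return build_tar(members)


if __name__ == "__main__":
    good = build_sample_ova()
    print(list_members(good), verify_ova(good))
    print(verify_ova(replace_member(good, "appliance-disk1.vmdk", b"KDMV" + b"\x01" * 60)))
```

The manifest protects against corrupted or swapped files, not against an attacker who rewrites the manifest along with them; the OVF specification covers that case with an optional .cert file carrying a signature over the manifest, which is what a vendor-signed appliance relies on. The code reads members from memory and never extracts to disk, so hostile member names in the archive cannot write outside a target directory.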
Question 11
How does EIGRP differ from OSPF?
A. EIGRP is more prone to routing loops than OSPF B. EIGRP supports equal or unequal path cost, and OSPF supports only equal path cost. C. EIGRP has a full map of the topology, and OSPF only knows directly connected neighbors D. EIGRP uses more CPU and memory than OSPF
Answer: B
Explanation
Neither EIGRP nor OSPF is prone to routing loops: EIGRP's DUAL algorithm only installs routes that satisfy the feasibility condition, and OSPF computes loop-free shortest paths from a synchronized link-state database -> Answer A is not correct.
Answer C has it backwards: OSPF holds a full map of its area in the link-state database, while EIGRP is an advanced distance-vector protocol that only knows what its directly connected neighbors advertise -> Answer C is not correct.
OSPF maintains information about all networks and routers in its area, and each change in the area forces every router to re-synchronize its database and run SPF again, which is CPU intensive. EIGRP instead sends triggered, incremental updates and is therefore generally lighter on CPU and memory -> Answer D is not correct.
EIGRP supports unequal-cost load balancing (with the variance command) as well as equal-cost paths, while OSPF supports equal-cost paths only -> Answer B is correct.
Question 12
Refer to the exhibit.
What does the output confirm about the switch’s spanning tree configuration?
A. The spanning-tree mode stp ieee command was entered on this switch B. The spanning-tree operation mode for this switch is PVST C. The spanning-tree operation mode for this switch is IEEE D. The spanning-tree operation mode for this switch is PVST+
Answer: D
Explanation
The default spanning-tree mode on a Cisco switch is PVST+. This mode is based on the IEEE 802.1D standard plus Cisco proprietary extensions: PVST+ is the same as standard 802.1D but runs a separate instance per VLAN. In the output the line "Spanning tree enabled protocol ieee" under "VLAN 20" shows an 802.1D instance bound to a VLAN, so we can say the switch is running in PVST+ mode (Rapid PVST+ would show "protocol rstp" and MST would show "protocol mstp").
Question 13
A customer has recently implemented a new wireless infrastructure using WLC-5520S at a site directly next to a large commercial airport Users report that they intermittently lose Wi-Fi connectivity, and troubleshooting reveals it is due to frequent channel changes. Which two actions fix this issue? (Choose two)
A. Remove UNII-2 and Extended UNII-2 channels from the 5 GHz channel list B. Restore the DCA default settings because this automatically avoids channel interference C. Disable DFS channels to prevent interference with Doppler radar D. Enable DFS channels because they are immune to radar interference E. Configure channels on the UNII-2 and the Extended UNII-2 sub-bands of the 5 GHz band only
Answer: A C
Explanation
In the 5 GHz spectrum, some of the channels used by 802.11 are subject to Dynamic Frequency Selection (DFS) requirements, because Wi-Fi shares those frequencies with other RF users such as maritime, aviation and weather radar.
Dynamic Frequency Selection (DFS) is the process of detecting radar signals that must be protected against interference from 5.0 GHz (802.11a/h) radios, and upon detection switching the operating frequency of the 5.0 GHz (802.11a/h) radio to one that is not interfering with the radar systems.
Reference: https://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/RadioChannelDFS.pdf
Although DFS exists to reduce interference with radar, "DFS channels" are the 5 GHz channels on which a DFS radar check is required, i.e. the channels on which a radar detection forces the AP to vacate and move. Next to an airport, radar detections on those channels are what cause the frequent channel changes, so disabling the DFS channels fixes the problem -> Answer C is correct. Answer D is wrong for the same reason: DFS channels are the ones exposed to radar, not immune to it.
UNII-2 (5.250-5.350 GHz and 5.470-5.725 GHz) which contains channels 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, and 140 are permitted in the United States, but shared with radar systems. Therefore, APs operating on UNII-2 channels are required to use Dynamic Frequency Selection (DFS) to avoid interfering with radar signals. If an AP detects a radar signal, it must immediately stop using that channel and randomly pick a new channel.
Reference: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Channel_Planning_Best_Practices
-> Therefore we should remove UNII-2 channels from 5GHz channel list.
Question 14
What is a characteristic of para-virtualization?
A. Para-virtualization guest servers are unaware of one another B. Para-virtualization allows direct access between the guest OS and the hypervisor C. Para-virtualization lacks support for containers D. Para-virtualization allows the host hardware to be directly accessed
Answer: B
Explanation
Paravirtualization is a form of virtualization in which the guest operating system (guest OS) is modified before installation inside a virtual machine. It differs from full virtualization in that the hypervisor does not need to simulate the hardware for the virtual machines. The hypervisor is installed on a physical server (host) and the guest OS is installed on top of it. The guest is aware that it has been virtualized, unlike in full virtualization (where the guest does not know it is running on a hypervisor), and uses that awareness to take advantage of hypervisor functions.
In full virtualization the guest issues ordinary hardware instructions that the hypervisor must trap and emulate; in paravirtualization the guest OS communicates directly with the host (hypervisor) through paravirtualized drivers and hypercalls.
Note: hypervisor is a software that creates and manages virtual machines.
Question 15
Drag and drop the characteristics from the left onto the QoS components they describe on the right.
Answer:
+ marking: applied on traffic to convey information to a downstream device
+ shaping: process used to buffer traffic that exceeds a predefined rate
+ classification: distinguishes traffic types
+ trust: permits traffic to pass through the device while retaining DSCP/COS value
Question 16
A customer requests a network design that supports these requirements: * FHRP redundancy * multivendor router environment * IPv4 and IPv6 hosts
Which protocol does the design include?
A. GLBP B. VRRP version 2 C. VRRP version 3 D. HSRP version 2
Answer: C
Explanation
Unlike HSRP and GLBP, which are Cisco proprietary, VRRP is an open standard (VRRPv3 is defined in RFC 5798) and therefore suits a multivendor router environment. VRRP version 2 supports IPv4 only; only VRRPv3 supports both IPv4 and IPv6.
Question 17
Refer to the exhibit.
vlan 222
remote-span
!
vlan 223
remote-span
!
monitor session 1 source interface FastEthernet0/1 tx
monitor session 1 source interface FastEthernet0/2 rx
monitor session 1 source interface port-channel 5
monitor session 1 destination remote vlan 222
What happens to access interfaces where VLAN 222 is assigned?
A. They are placed into an inactive state B. A description “RSPAN” is added C. STP BPDU guard is enabled D. They cannot provide PoE
Answer: A
Explanation
Access ports (including voice VLAN ports) on the RSPAN VLAN are put in the inactive state.
Question 18
Which solution do IaaS service providers use to extend a Layer 2 segment across a Layer 3 network?
A. VXLAN B. VTEP C. VLAN D. VRF
Answer: A
Question 19
What is a characteristic of MACsec?
A. 802.1AE provides encryption and authentication services B. 802.1AE is built between the host and switch using the MKA protocol, which negotiates encryption keys based on the master session key from a successful 802.1X session C. 802.1AE is built between the host and switch using the MKA protocol using keys generated via the Diffie-Hellman algorithm (anonymous encryption mode) D. 802.1AE is negotiated using Cisco AnyConnect NAM and the SAP protocol
Answer: B
Explanation
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) or Pre Shared Key (PSK) framework.
-> 802.1AE itself does not authenticate the host or user; that is the job of 802.1X. What 802.1AE provides is frame confidentiality and integrity (an integrity check value on every protected frame), so answer A is too loose a description, while answer B describes how the host-to-switch session is actually keyed.
Successful IEEE 802.1X authentication is the first step in establishing a MACsec session. IEEE 802.1X provides the primary key material (the master session key, MSK) to the supplicant and the switch, and MKA derives the CAK and the session keys from it -> Answer B is correct.
MKA derives its keys from the 802.1X master session key (or from a configured pre-shared CAK); it does not run a Diffie-Hellman exchange and has no "anonymous encryption mode". If no MKA cryptographic algorithm is configured, the default AES-CMAC-128 (Cipher-based Message Authentication Code with 128-bit AES) is used for key derivation and MKPDU integrity, not for key agreement -> Answer C is not correct.
Host-to-switch 802.1AE is negotiated with the MKA protocol, which is what Cisco AnyConnect NAM uses; SAP is Cisco's proprietary Security Association Protocol for switch-to-switch links, so answer D is not correct.
Question 20
Which unit measures the power of a radio signal with reference to 1 milliwatt?
A. dBw B. dBi C. mW D. dBm
Answer: D
Explanation
dBm is an abbreviation for “decibels relative to one milliwatt,” where one milliwatt (1 mW) equals 1/1000 of a watt. It follows the same scale as dB. Therefore 0 dBm = 1 mW, 30 dBm = 1 W, and -20 dBm = 0.01 mW