Exam Topic Questions
Lightweight Access Point
- Configured and managed by a WLC - Supports different operational modes
Which encryption method is used by WPA3?
AES
Which type of wireless encryption is used for WPA2 in preshared key mode?
AES-128
OSPF Timers
By default, the timers on a broadcast network (Ethernet, point-to-point and point-to-multipoint) are 10 seconds hello and 40 seconds dead. The timers on a non- broadcast network are 30 seconds hello 120 seconds dead.
Which protocol is used for secure remote CLI access?
SSH
HSRP State: Active
The router currently forwards packets that are sent to the group virtual MAC address. The router sends periodic hello messages. With the exclusion of transient conditions, there must be, at most, one router in active state in the group. The router won the election. Is forwarding packets.
Which wireless security protocol relies on Perfect Forward Secrecy?
WPA3
Which configuration command can you apply to a HSRP router so that its local interface becomes active if all other routers in the group fail?
no additional config is required Simply because that will be the default behavior routers would follow in the event all other routers in the HSRP group fail, then it would not keep attributes such as priority or preemption. What preemption does in summary is to make sure that the configured Priority on all routers within the same HSRP group is always respected. That is, if R1 is configured on the HSRP group with a priority of 150 but he stands as active since all other routers currently subscribed to that group have a priority 150, then will router will preempt the current active router and will take over hence becoming the new active router.With preemption disabled, the new router does not preempt the current active router, unless routers in the group have to renegotiate their roles based on each router's priority at the time of negotiation.
A user configured OSPF in a single area between two routers. A serial interface connecting R1 and R2 is running encapsulation PPP. By default, which OSPF network type is seen on this interface when the user types show ip ospf interface on R1 or R2?
point-to-point Broadcast default for Ethernet, Point to Point default for Serial link The default OSPF network type for HDLC and PPP on Serial link is point-to-point (while the default OSPF network type for Ethernet link is Broadcast).
What is a function of Opportunistic Wireless Encryption in an environment?
protect traffic on open networks
Which enhancement is implemented in WPA3?
protects against brute force attacks
If the network environment is operating normally, which type of device must be connected to interface fastethernet 0/1? ip arp inspection vlan 2-10 int f0/1 ip arp inspection trust
router
What is a function of Wireless LAN Controller?
send LWAPP packets to access points Lightweight APs (LAPs) is devices require no initial configuration. LAPs use the Lightweight Access Point Protocol (LWAPP) to communicate with a WLAN controller (WLC), as shown in the below figure. Controller-based APs are useful in situations where many APs are required in the network. As more APs are added, each AP is automatically configured and managed by the WLC.
Which WLC interface provides out-of-band management in the Cisco Unified Wireless Network Architecture?
service port The service port is used for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is important to note that the service port does not support VLAN trunking or VLAN tagging and is therefore required to connect to an access port on the switch. It is also recommended not to connect the service port to the same VLAN as the wired clients network because by doing so, administrators will not be able to access the management interface (analysed later) of the controller.
Which command is used to display the collection of OSPF link states?
show ip ospf database
LACP (Link Aggregation Control Protocol) EtherChannels
(open standard) have two modes: Active and *Passive* The following LACP mode combinations will result in a valid LACP port channel: active + active ; active + passive
An engineer must configure a WLAN using the strongest encryption type for WPA2-PSK. Which cipher fulfills the configuration requirement?
- AES Many routers provide WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) as options. TKIP is actually an older encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn't be using it. AES is a more secure encryption protocol introduced with WPA2 and it is currently the strongest encryption type for WPA2-PSK/.
When configuring a WLAN with WPA2 PSK in the Cisco Wireless LAN Controller GUI, which two formats are available to select?
- ASCII - hexadecimal
You have two paths for the 10.10.10.0 network - one that has a feasible distance of 3072 and the other of 6144.What do you need to do to load balance your EIGRP routes?
- Change the configuration so they both have the same feasible distance - Change the variance for the path that has a feasible distance of 3072 to 2
Rapid PVST+ forwarding state actions:
- Forwards frames received from the attached segment. - Forwards frames switched from another port for forwarding. - Incorporates the end station location information into its address database. - Receives BPDUs and directs them to the system module. - Processes BPDUs received from the system module. - Receives and responds to network management messages
An engineer configured an OSPF neighbor as a designated router. Which state verifies the designated router is in the proper mode?
- Full
The OSPF Hello protocol performs which of the following tasks?
- It provides dynamic neighbor discovery. - It maintains neighbor relationships.
Which statements describe the routing protocol OSPF?
- It supports VLSM - It confines network instability to one area of the network. - It allows extensive control of routing updates.
Cloud-Based Access Point
- Managed from a Web-based dashboard - Supports automatic deployment
Things that must match for a OSPF neighborship to establish:
- The devices must be in the same area - The devices must have the same authentication configuration - The devices must be on the same subnet - The devices hello and dead intervals must match - The devices must have matching stub flags
Which two conditions must be met before SSH operates normally on a Cisco IOS switch? (Choose two.)
- The switch must be running a k9 (crypto) IOS image. - The ip domain-name command must be configured on the switch.
Which two outcomes are predictable behaviors for HSRP?
- The two routers negotiate one router as the active router and the other as the standby router. - The two routers share a virtual IP address that is used as the default gateway for devices on the LAN.
Which two outcomes are predictable behaviors for HSRP? (Choose two.)
- The two routers negotiate one router as the active router and the other as the standby router. - The two routers share a virtual IP address that is used as the default gateway for devices on the LAN. Hide Solution
TACAS+
- Uses TCP - Encrypts the entire body of the access-request packet - Separates all three AAA operations
RADIUS
- Uses UDP - Encrypts only the password when it sends an access request - Combines Authentication and Authorization
Which two wireless security standards use counter mode cipher block chaining Message Authentication Code Protocol for encryption and data integrity? (Choose two.)
- WPA2 - WPA3
An engineer must configure an OSPF neighbor relationship between router R1 and R3. The authentication configuration has been configured and the connecting interfaces are in the same 192.168.1.0/30 subnet. What are the next two steps to complete the configuration? (Choose two.)
- configure the interfaces as OSPF active on both sides - configure both interfaces with the same area ID
What are two reasons for an engineer to configure a floating static route?
- to enable fallback static routing when the dynamic routing protocol fails - to automatically route traffic on a secondary path when the primary path goes down
(Which three) describe the reasons large OSPF networks use a hierarchical design
- to speed up convergence - to reduce routing overhead - to confine network instability to single areas of the network
Which two actions influence the EIGRP route selection process?
1. The router calculates the feasible distance of all paths to the destination route. 2. The router calculates the best backup path to the destination route and assigns it as the feasible successor.
When a WPA2-PSK WLAN is configured in the Wireless LAN Controller, what is the minimum number of characters that is required in ASCII format?
8
Which access layer threat-mitigation technique provides security based on identity?
802.1x
Which technology prevents client devices from arbitrarily connecting to the network without state remediation?
802.1x
Hot Standby Router Protocol (HSRP)
A Cisco proprietary protocol that allows two (or more) routers to share the duties of being the default router on a subnet, with an active/standby model, with one router acting as the default router and the other sitting by waiting to take over that role if the first router fails HSRP Protocol Cisco proprietary "Number of groups" 16 groups maximum Active/Standby "1 active, 1 standby and multiple candidates." "Virtual IPAddress" "Different from real IP addresses on interfaces" Multicast address 224.0.0.2 Tracking Interfaces or Objects HSRP virtual Mac address will start with 0000.0c07.acXX 07.ac is the hexadecimal conversion of the HSRP group Id. XX is Group number virtual Mac for hsrp group 2 = 0000.0c07.ac02 virtual Mac for hsrp group12 = 0000.0c07.ac0C
Which two values or settings must be entered when configuring a new WLAN in the Cisco Wireless LAN Controller GUI?
A. QoS settings B. IP address of one or more access points C. SSID <<< D. profile name <<< E. management interface settings Click Add New WLAN. The Add New WLAN window appears. In the General tab, perform the following: a) The WLAN Id is automatically selected but you can change it. b) Enter the Profile Name for the WLAN. (*) must be set c) Enter the SSID. (*) must be set d) Choose Admin State for the WLAN from the drop-down list. The default Admin State is Enabled. e) Choose Radio Policy from the drop-down list. The default Radio Policy is ALL C, D right answers
Port Status and Condition
A. There is a protocol mismatch - UP/DOWN B. There is a duplex mismatch - UP/UP C. The interface is shut down - ADMINISTRATIVELY DOWN/DOWN D. The interface is error-disabled Most Voted - DOWN/DOWN E. There is a speed mismatch - DOWN/DOWN
When a WLAN with WPA2 PSK is configured in the Wireless LAN Controller GUI, which format is supported?
ASCII
Dynamic RF Feature
Access points auto adjust signal strength
Sniffer Access-point Mode
Access points in sniffer AP mode act as a dedicated 802.11 wireless traffic receiver. The traffic is then forwarded to a machine running a network analyzer software such as Wireshark or OmniPeek for storage and further analysis. Sniffer AP mode won't broadcast an SSID, and clients can't connect to it, but it is helpful in troubleshooting on remote sites.
What is the benefit of configuring PortFast on an interface?
After the cable is connected, the interface is available faster to send and receive user data.
Which configuration is needed to generate an RSA key for SSH on a router?
Assign a DNS domain name
What must a network administrator consider when deciding whether to configure a new wireless network with APs in autonomous mode or APs running in cloud- based mode?
Autonomous mode APs are less dependent on an underlay but more complex to maintain than APs in cloud-based mode.
A network engineer is implementing a corporate SSID for WPA3-Personal security with a PSK. Which encryption cipher must be configured?
CCMP128
PAgP EtherChannels
CISCO proprietary have two modes: Desirable and *Auto* The following LACP mode combinations will result in a valid LACP port channel: desirable + desirable , desirable + auto
Which channel-group mode must be configured when multiple distribution interfaces connected to a WLC are bundled?
Channel-group mode on
Which protocol does an access point use to draw power from a connected switch?
Cisco Discovery Protocol
Routing Administrative Distance
Connected: 0 Static: 1 EIGRP summary route = 5 eBGP (external) = 20 EIGRP (Internal) = 90 OSPF = 110 IS-IS =115 RIP =120 EIGRP (external) =170 iBGP (internal BGP) = 200
Easy upgrade process
Controller image auto deployed to access Points
Easy Deployment Process
Controller provides centralized management of users and VLANs
Optimized user performance
Controller uses loadbalancing to maximize throughput
When an access point is seeking to join wireless LAN controller, which message is sent to the AP-Manager interface?
Discovery request
Benefits of a Cisco Wireless Lan Controller from the left onto the correct examples on the right.
Dynamic RF - Access points auto adjust signal strength Easy Deployment - Controller provides centralized management of users and VLANs Optimized User Performance - Controller uses load balancing to maximize throughput Easy upgrade process - Controller image auto deployed to access points.
An administrator must secure the WLC from receiving spoofed association requests. Which steps must be taken to configure the WLC to restrict the requests and force the user to wait 10 ms to retry an association request?
Enable the Protected Management Frame service and set the Comeback timer to 10.
Which protocol prompts the Wireless LAN Controller to generate its own local web administration SSL certificate for GUI access?
HTTPS This one is self-explaining - web(http) GUI + SSL = HTTPS
if the router ID has not been manually set, what router ID will OSPF use for this router?
If router ID is not manually setup, the highest loopback IP is selected and if there is no loopback, highest IP from the interface IPs is selected.
A customer wants to provide wireless access to contractors using a guest portal on Cisco ISE. The portal is also used by employees. A solution is implemented, but contractors receive a certificate error when they attempt to access the portal. Employees can access the portal without any errors. Which change must be implemented to allow the contractors and employees to access the portal?
Install a trusted third-party certificate on the Cisco ISE.
When OSPF learns multiple paths to a network, how does it select a route?
It divides a reference bandwidth of 100 Mbps by the actual bandwidth of the exiting interface to calculate the route with the lowest cost.
What is a function of store-and forward switching?
It produces an effective level of error-free network traffic using CRCs.
How does WPA3 improve security?
It uses SAE for authentication.
How does HSRP provide first hop redundancy?
It uses a shared virtual MAC and a virtual IP address to a group of routers that serve as the default gateway for hosts on a LAN.
What is a difference between local AP mode and FlexConnect AP mode?
Local AP mode creates two CAPWAP tunnels per AP to the WLC *"In local mode, an AP creates two CAPWAP tunnels to the WLC. One is for management, the other is data traffic. This behavior is known as "centrally switched" because the data traffic is switched(bridged) from the ap to the controller where it is then routed by some routing device."
Which statement about Link Aggregation when implemented on a Cisco Wireless LAN Controller is true?
One functional physical port is needed to pass client traffic Reveal Solution
You have configured a router with an OSPF router ID, but its IP address still reflects the physical interface. Which action can you take to correct the problem in the least disruptive way?
Reload the OSPF process
Which value is used to determine the active router in an HSRP default configuration?
Router IP address The priority field is used to elect the active router and the standby router for the specific group. In the case of an equal priority, the router with the highest IP address for the respective group is elected as active. Furthermore, if there are more than two routers in the group, the second highest IP address determines the standby router and the other router/routers are in the listen state.
Which WPA3 enhancement protects against hackers viewing traffic on the Wi-Fi network?
SAE encryption The third version of a Wi-Fi Alliance standard introduced in 2018 that requires pre-shared key or 802.1x authentication, GCMP, SAE, and forward secrecy. Simultaneous Authentication of Equals (SAE) A strong authentication method used in WPA3 to authenticate wireless clients and APs and to prevent dictionary attacks for discovering pre-shared keys.
Which value is the unique identifier that an access point uses to establish and maintain wireless connectivity to wireless network devices?
SSID An SSID (Service Set Identifier) is a unique name that is assigned to a wireless network. It serves as a "network name" for wireless devices to identify and connect to a specific wireless network. Access points broadcast their SSIDs so that wireless devices can detect and connect to them. The SSID is used by wireless devices to establish and maintain connectivity to the appropriate wireless network.
What must be configured to enable 802.11w on the WLAN? PMD disabled
Set PMF to Required.
Switch A is newly configured. All VLANs are present in the VLAN database. The IP phone and PC A on Gi0/1 must be configured for the appropriate VLANs to establish connectivity between the PCs. Which command set fulfills the requirement?
Switch-A(config-if)#switchport mode access Switch-A(config-if)#switchport access vlan 50 Switch-A(config-if)#switchport voice vlan 51
A network engineer must update the configuration on Switch2 so that it sends LLDP packets every minute and the information sent via LLDP is refreshed every 3 minutes. Which configuration must the engineer apply?
Switch2(config)#lldp timer 60 Switch2(config)#lldp holdtime 180
What is the difference between RADIUS and TACACS+?
TACACS+ separates authentication and authorization, and RADIUS merges them. *TACAS+ A-Authentictaion | A-Authorization (Both A's are sperated by a C) = TACAS+ seperates Authentication and Authorization.
Which type of encryption does WPA1 use for data protection?
TKIP WPA1 (Wi-Fi Protected Access 1) uses TKIP (Temporal Key Integrity Protocol) encryption for data protection. TKIP is an encryption protocol that was designed to provide stronger security than the previous WEP (Wired Equivalent Privacy) encryption standard, which was known to have vulnerabilities. TKIP uses a combination of encryption techniques, including a per-packet key mixing function, to provide data confidentiality and integrity. However, TKIP is now considered insecure and has been replaced by AES (Advanced Encryption Standard) in modern Wi-Fi security protocols such as WPA2 and WPA3.
What is a feature of WPA?
TKIP/MIC encryption Uses TKIP (temporal key integrity protocol) for encryption TKIP adds the following features using legacy hardware and underlying WEP encryption MIC Timestamp Sender's mac add Tkip sequence counter Key mixing algorithm Longer initializing vector Short term replacement for WEP -Released in 2003 and Replaced in 2004
When a floating static route is configured, which action ensures that the backup route is used when the primary route fails?
The floating static route must have a higher administrative distance than the primary route so it is used as a backup Reveal Solution
The SW1 interface g0/1 is in the down/down state. What are two reasons for the interface condition? (Choose two.)
The interface is error-disabled There is a speed mismatch
Monitor Access-point mode
The monitor AP mode doesn't transmit at all. It doesn't broadcast an SSID. However, it acts as a dedicated sensor to monitor and detect the WiFi channel for IDS events, rogue access points, and it also determines the position of wireless stations via location-based services.
If a switch port receives a new frame while it is actively transmitting a previous frame, how does it process the frames?
The new frame is placed in a queue for transmission after the previous frame
Refer to the exhibit. What is the result if Gig1/11 receives an STP BPDU? SW1(config)#int g1/1 SW1(config-if)#switchport mode access SW1(config-if)#spanning-tree portfast SW1(config-if)#spanning-tree bpduguard enable
The port goes into error-disable state
HSRP State: Standby
The router currently forwards packets that are sent to the group virtual MAC address. The router sends periodic hello messages. With the exclusion of transient conditions, there must be, at most, one router in active state in the group. Is ready to forward packets if the device that is currently forwarding packets fails
HSRP State: Learn
The router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router. Is waiting to hear from the neighbor device
HSRP State: Listen
The router knows the virtual IP address, but the router is neither the active router nor the standby router. It listens for hello messages from those routers. Has heard from the neighbor device and is receiving hello packets
HSRP State: Speak
The router sends periodic hello messages and actively participates in the election of the active and/or standby router. A router cannot enter speak state unless the router has the virtual IP address Is transmitting and receiving hello packets
What happens when a switch receives a frame with a destination MAC address that recently aged out?
The switch floods the frame to ALL PORTS in the VLAN except the port that received the frame.
HSRP State: Initial
This is the state at the start. This state indicates that HSRP does not run. This state is entered through a configuration change or when an interface first becomes available.
Which Layer 2 switch function encapsulates packets for different VLANs so that the packets transverse the same port and maintain traffic separation between the VLANs?
VLAN tagging VLAN tagging is the Layer 2 switch function that encapsulates packets for different VLANs so that they can traverse the same physical port while maintaining traffic separation between the VLANs. VLAN tagging involves adding additional information to the Ethernet frame, specifically a VLAN tag, which indicates the VLAN to which the frame belongs. This allows the receiving switch to correctly associate the frame with the appropriate VLAN.
Which implementation provides the strongest encryption combination for the wireless environment?
WPA2 + AES
Which technology is used to improve web traffic performance by proxy caching?
WSA
WSA
Web Security Appliance
Which enhancements were implemented as part of WPA3?
forward security and SAE in personal mode for secure initial key exchange
Which mode must be set for Aps to communicate to a Wireless LAN Controller using the Control and Provisioning of Wireless Access Points (CAPWAP) protocol?
lightweight
Which access point mode relies on a centralized controller for management, roaming, and SSID configuration?
lightweight mode
Which command on a port enters the forwarding state immediately when a PC is connected to it?
switch(config)#spanning-tree portfast default
If all OSPF routers in a single area are configured with the same priority value, what value does a router use for the OSPF router ID in the absence of a loopback interface?
the highest IP address among its active interfaces
What is one reason to implement LAG on a Cisco WLC?
to provide link redundancy and load balancing
