Cisco Exam. Implementing Cisco Enterprise Network Core Technologies

Question 1

Guidelines

Implementing Cisco Enterprise Network Core Technologies. This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.
• Refer to the Topology tab to access the device console(s) and perform the tasks.
• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
• All necessary pre-configurations have been applied.
• Do not remove any existing configurations from the devices, only those necessary to make the appropriate changes required to fulfill the listed tasks.
• Do not change the enable password or hostname for any device.
• Save your configurations to NVRAM before moving to the next item.
• Click Next at the bottom of the screen to submit this lab and move to the next question.
• When Next is clicked, the lab closes and cannot be reopened.

Task

eBGP is configured on R1 and R3. Configure R2 to complete these tasks.

1. Using the address-family command, configure eBGP according to the topology. Use Loopback 0 for the router-id.
2. Advertise R2’s Loopback 0, 1, and 2 networks to AS 65100 and AS 65300.

Topology

• AS 65100
  • R1
    • e0/0 (.225) connects to R2 e0/0 via 209.165.200.224/30
    • e0/1 (.129) connects to R3 e0/0 via 209.165.202.128/30
• AS 65200
  • R2
    • e0/0 (.226) connects to R1 e0/0 via 209.165.200.224/30
    • e0/1 (.230) connects to R3 e0/1 via 209.165.200.228/30
• AS 65300
  • R3
    • e0/0 (.130) connects to R1 e0/1 via 209.165.202.128/30
    • e0/1 (.229) connects to R2 e0/1 via 209.165.200.228/30

Question 2

EIGRP is preconfigured on all routers. Configure R2 and R3 to complete these tasks.

Task 1: Modify the existing ACL on R2 so that EIGRP routes are received from R1 and R3.

• The modification should only allow EIGRP routes to pass.
• Do not remove any configuration from R2 to achieve this task.

Task 2: Configure CoPP on R3 to achieve these results:

• Permit SSH traffic from 192.168.210.0/24.
• Limit traffic to 10,000 bps.
• Discard additional packets.

Answer

For R2 (Task 1): Identify the active ACL or prefix-list matching your EIGRP process and append the missing network hosts.

If an extended ACL is used:

Plaintext

R2# configure terminal
R2(config)# ip access-list extended <ACL_NAME_OR_NUMBER>
R2(config-ext-nacl)# permit ip host 192.168.213.1 host 224.0.0.10
R2(config-ext-nacl)# permit ip host 192.168.213.3 host 224.0.0.10
R2(config-ext-nacl)# end
R2# copy running-config startup-config

If a standard ACL is used: Implementing Cisco Enterprise Network Core Technologies

Plaintext

R2# configure terminal
R2(config)# access-list <NUMBER> permit 192.168.213.1
R2(config)# access-list <NUMBER> permit 192.168.213.3
R2(config)# end
R2# copy running-config startup-config

For R3 (Task 2):

Plaintext

R3# configure terminal
R3(config)# ip access-list extended ACL_SSH
R3(config-ext-nacl)# permit tcp 192.168.210.0 0.0.0.255 any eq 22
R3(config-ext-nacl)# exit
R3(config)# class-map match-all CLASS_SSH
R3(config-cmap)# match access-group name ACL_SSH
R3(config-cmap)# exit
R3(config)# policy-map COPP_POLICY
R3(config-pmap)# class CLASS_SSH
R3(config-pmap-c)# police 10000 conform-action transmit exceed-action drop
R3(config-pmap-c)# exit
R3(config-pmap)# exit
R3(config)# control-plane
R3(config-cp)# service-policy input COPP_POLICY
R3(config-cp)# end
R3# copy running-config startup-config

Question 3

OSPF is preconfigured on all devices except R20. Configure R20 to complete these tasks.

Task 1: Configure OSPF according to the topology using these requirements:

• Use Process ID 20.
• Use Loopback0 for the Router ID.
• Advertise all networks into OSPF.
  • Do not use network statements under the OSPF process to accomplish this task.

Task 2: Configure a /18 summary route for Area 40.

Answer

For R20: (Note: Replace X.X.X.X with the actual IP address found on your Loopback0 interface via show ip interface brief)

Plaintext

R20# configure terminal
R20(config)# router ospf 20
R20(config-router)# router-id X.X.X.X
R20(config-router)# exit

R20(config)# interface Loopback0
R20(config-if)# ip ospf 20 area 0
R20(config-if)# exit

R20(config)# interface ethernet 0/0
R20(config-if)# ip ospf 20 area 0
R20(config-if)# exit

R20(config)# interface ethernet 0/1
R20(config-if)# ip ospf 20 area 0
R20(config-if)# exit

R20(config)# interface ethernet 0/2
R20(config-if)# ip ospf 20 area 40
R20(config-if)# exit

R20(config)# router ospf 20
R20(config-router)# area 40 range 10.0.0.0 255.255.192.0
R20(config-router)# end
R20# copy running-config startup-config

Question 4

What are two benefits of using Cisco TrustSec? (Choose two.)

• unknown file analysis using sandboxing
• advanced endpoint protection against malware
• consistent network segmentation
• end-to-end traffic encryption
• simplified management of network access

Question 5

Which function is handled by vManage in the Cisco Catalyst SD-WAN fabric? Implementing Cisco Enterprise Network Core Technologies

• Distributes policies that govern data forwarding.
• Establishes IPsec tunnels with nodes.
• Performs remote software upgrades for WAN Edge, vSmart, and vBond.
• Establishes BFD sessions to test liveliness of links and nodes.

Question 6

What is YANG used for?

• processing SNMP read-only polls
• scraping data via CLI
• describing data models
• providing a transport for network configuration data between client and server

Question 7

An engineer must configure an EXEC authorization list that first checks a AAA server then a local username. If both methods fail, the user is denied. Which configuration should be applied?

• aaa authorization exec default local group radius none
• aaa authorization exec default group radius local
• aaa authorization exec default group radius local none
• aaa authorization exec default local group tacacs+

Question 8

Which technology is the Cisco SD-Access fabric control plane based on?

• Cisco TrustSec
• VXLAN
• IS-IS
• LISP

Question 9

What is one primary REST security design principle?

• adding a timestamp in requests
• password hash
• OAuth
• fail-safe defaults

Question 10

A script contains the statement “while loop != 999:” Which value terminates the loop?

• A value less than or equal to 999.
• A value greater than or equal to 999.
• A value equal to 999.
• A value not equal to 999.

Question 11

Which network design should be considered for an enterprise campus that contains many access switches?

• simplified Layer 2 topology with stacking technology in the access layer
• simplified Layer 3 topology with stacking technology in the access layer
• simplified Layer 2 topology with stacking technology in the aggregation layer
• simplified Layer 3 topology with stacking technology in the aggregation layer

Question 12

Plaintext

R3#show policy-map interface Multilink2
Multilink2
  Service-policy output: SHAPE_256K
    Class-map: class-default (match-any)
      63 packets, 2266 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 57/4874
      shape (average) cir 256000, bc 1536, be 1536
      target shape rate 256000
      Service-policy : CBWFQ
        queue stats for all priority classes:
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 5/510
        Class-map: VOICE (match-all)
          5 packets, 420 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
          Priority: 64 kbps, burst bytes 1500, b/w exceed drops: 0
        Class-map: SIGNALING (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp cs3 (24)
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          bandwidth 48 kbps
        Class-map: class-default (match-any)
          61 packets, 1576 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
          (pkts output/bytes output) 61/4234
          bandwidth 134 kbps

What can be determined about the QoS service policy applied to the interface?

• 63 packets totaling 2266 bytes were assigned to the class-default policy and this traffic was not policed at the time the command was issued.
• The class map class-default policy allows 256 kbps of traffic not assigned to other classes to flow through it.
• No traffic was flowing out of the interface when the command was issued. Implementing Cisco Enterprise Network Core Technologies
• The policy will match all voice-related traffic including signaling and non-DSCP EF traffic due to use of the match-all statement in the class map.

Question 13

What is the function of the statement “import actions” in this script?

• It imports the functions that are not available natively in Python.
• It imports a Python module.
• It imports an external reference.
• It imports the functions of a third-party module.

Question 14

Refer to the exhibit. Which configuration must be applied for the TACACS+ server to grant access-level rights to remote users?

• R1(config)# aaa authentication login enable
• R1(config)# aaa authorization exec default group tacacs+
• R1(config)# aaa accounting commands 15 default start-stop group tacacs+
• R1(config)# aaa authorization exec default local if-authenticated

Question 15

What is one difference between Ansible and Puppet?

• Ansible requires agents to be installed on managed nodes, and Puppet is agentless.
• Ansible excels in simplicity and flexibility, and Puppet is designed for managing complex, large-scale environments.
• Ansible uses a proprietary scripting language, and Puppet uses YAML for its configurations.
• Ansible provides automated provisioning, and Puppet provides cloud automation.

Question 16

What occurs when a Cisco SD-Access fabric is connected to a traditional campus network?

• A fabric intermediate node is used to connect the fabric with the traditional campus network.
• Only Layer 3 connectivity is supported between the fabric and the traditional campus network.
• All clients must be migrated to new IP addresses that match the IP pool within the fabric.
• Traditional campus clients are seen as fabric clients when a Layer 2 border node is used for the VLAN segment.

Question 17

Script

import ncclient

with ncclient.manager.connect(host='192.168.1.1', port=830, username='root', password='test123!',
                              allow_agent=False) as m:
    print(m.get_config('running').data_xml)

Output

$ python get_config.py
Traceback (most recent call last):
  File "get_config.py", line 3, in <module>
    with ncclient.manager.connect(host='192.168.1.1', port=830, username='root',
AttributeError: 'module' object has no attribute 'manager'

Running the script causes the output in the exhibit. What should be the first line of the script?

• ncclient manager import
• from ncclient import *
• import manager
• from ncclient import manager

Question 18

Python

from json import dumps
interface_config = {
    "GigabitEthernet0/0": {"ip_address": "192.168.1.1", "subnet_mask": "255.255.255.0"},
    "GigabitEthernet0/1": {"ip_address": "192.168.1.2", "subnet_mask": "255.255.255.0"}
}
json_string = [                                      ]

Which Python code snippet completes the script and serializes this dictionary to a JSON string, ensuring that it is ready to be written to a file?

• loads(interface_config)
• JSONEncoder().encode(interface_config)
• dumps(interface_config)
• json.loads(interface_config)

Question 19

What are two benefits of implementing a Cisco Catalyst SD-WAN architecture? (Choose two.)

• It simplifies endpoint provisioning through standalone router management.
• It provides resilient and effective traffic flow using MPLS.
• It enforces a single, scalable, hub-and-spoke topology.
• It improves endpoint protection by integrating embedded and cloud security features.
• It allows configuration of application-aware policies with real time enforcement.

Question 20

EEM Applet Configuration:

event manager applet Enable_Loopback0
event syslog pattern "Interface Loopback0, changed state to administratively down"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "interface loopback 0"
action 4.0 cli command "no shutdown"
action 5.0 syslog msg "Loopback0 has been enabled"
action 6.0 cli command "end"

Drag and drop the command snippets from the right onto the blanks in the configuration to create an EEM applet that will enable interface Loopback0 and log a message when the logging message “Interface Loopback0, changed state to administratively down” is received. Not all commands are used.

• event manager applet Enable_Loopback0
• event syslog pattern “Interface Loopback0, changed state to administratively down”
• action 1.0 cli command “enable”
• action 2.0 cli command “configure terminal”
• action 3.0 cli command “interface loopback 0”
• action 4.0 cli command “no shutdown”
• action 5.0 syslog msg “Loopback0 has been enabled”
• action 6.0 cli command “end”

Question 21

Which component handles the orchestration plane of the Cisco Catalyst SD-WAN? Cisco Exam. Implementing Cisco Enterprise Network Core Technologies.

• WAN Edge
• vManage
• vBond
• vSmart

Question 22

Router Running Configuration excerpt:

username user password 0 user
!
line con 0
 password cisco
line vty 0 4
 login local
!

Which configuration enables password checking on the console line, using only a password?

• router(config)# line con 0 router(config-line)# exec-timeout 0 0
• router(config)# line con 0 router(config-line)# login
• router(config)# line vty 0 4 router(config-line)# login
• router(config)# line con 0 router(config-line)# login local

Question 23

What does Cisco Cyber Threat Defense provide visibility into?

• user stored data and internal dependencies for the user’s running programs
• network software vulnerabilities through continuous scan probes in the network
• command and control traffic on the communication channel between compromised hosts and attackers
• security threats based on log messages and telemetry information

Question 24

A customer requests a network design that supports these requirements: FHRP redundancy, multivendor router environment, IPv4 and IPv6 hosts. Which protocol does the design include?

• HSRP version 2
• VRRP version 3
• GLBP
• VRRP version 2

Question 25

JSON

{
    [                                   ]
        "uuid": "Upgrade_Software",
        "one-shot": true,
        "path": "flash:cat9k_iosxe.17.03.04.SPA.bin"
    }
}

An engineer is securing REST API calls to be made for “one-shot” software upgrades on multiple Cisco IOS XE switches. Which line must be part of the JSON body to be successful?

• “uuid”: “Upgrade_IOS-XE”,
• “path”: “cat9k_iosxe.17.03.04.SPA.bin”
• “one-shot”: yes,
• “Cisco-IOS-XE-install-rpc:input”: {

Question 26

Which First Hop Redundancy Protocol should be used to meet a design requirement for more efficient default gateway bandwidth usage across multiple devices?

• VRRP
• GLBP
• LACP
• HSRP

Question 27

Which encoding is used to protect a username and login with RESTful API basic authentication?

• Base64
• Type-7
• MD5
• SHA-1

Question 28

Which characteristic applies to the endpoint security aspect of the Cisco Threat Defense architecture?

• blocking of fileless malware in real time
• detect and block ransomware in email attachments
• user context analysis
• outbound URL analysis and data transfer controls