Cisco CCNP Enterprise 350-401 Questions & Answers

• Question 1091:

  Which action is the vSmart controller responsible for in an SD-WAN deployment?

  A. onboard vEdge nodes into the SD-WAN fabric

  B. distribute security information for tunnel establishment between vEdge routers

  C. manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric

  D. gather telemetry data from vEdge routers

  Correct Answer: B

  +

  Orchestration plane (vBond) assists in securely onboarding the SD-WAN WAN Edge routers into the SD-WAN overlay (-> Therefore answer "onboard vEdge nodes into the SD-WAN fabric" mentioned about vBond). The vBond controller, or orchestrator, authenticates and authorizes the SD-WAN components onto the network. The vBond orchestrator takes an added responsibility to distribute the list of vSmart and vManage controller information to the WAN Edge routers. vBond is the only device in SD-WAN that requires a public IP address as it is the first point of contact and authentication for all SD-WAN components to join the SD-WAN fabric. All other components need to know the vBond IP or DNS information. + Management plane (vManage) is responsible for central configuration and monitoring. The vManage controller is the centralized network management system that provides a single pane of glass GUI interface to easily deploy, configure, monitor and troubleshoot all Cisco SD-WAN components in the network. (-> Answer "manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric" and answer "gather telemetry data from vEdge routers" are about vManage)

  +

  Control plane (vSmart) builds and maintains the network topology and make decisions on the traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies and distributes data plane policies to network devices for enforcement (-> Answer "distribute security information for tunnel establishment between vEdge routers" is about vSmart)

• Question 1092:

  When configuration WPA2 Enterprise on a WLAN, which additional security component configuration is required?

  A. NTP server

  B. PKI server

  C. RADIUS server

  D. TACACS server

  Correct Answer: C

  Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100708-wpa-uwn-config.html#conf

• Question 1093:

  Refer to me exhibit.

  

  What is the cause of the log messages?

  A. hello packet mismatch

  B. OSPF area change

  C. MTU mismatch

  D. IP address mismatch

  Correct Answer: B

• Question 1094:

  A network engineer is configuring Flexible Netflow and enters these commands:

  1.

  Sampler Netflow1

  2.

  Mode random one-out-of 100

  3.

  Interface fastethernet 1/0

  4.

  Flow-sampler netflow1

  Which are two results of implementing this feature instead of traditional Netflow? (Choose two.)

  A. CPU and memory utilization are reduced.

  B. Only the flows of top 100 talkers are exported

  C. The data export flow is more secure.

  D. The number of packets to be analyzed are reduced

  E. The accuracy of the data to be analyzed is improved

  Correct Answer: AD

  Flow sampling reduces the CPU overhead of analyzing traffic with Flexible NetFlow by reducing the number of packets that are analyzed. Flow samplers are used to reduce the load on the device that is running by limiting the number of packets that are selected for analysis.

  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-mt/fnf-15-mt-book/use-fnflow-redce-cpu.pdf

• Question 1095:

  Refer to the exhibit.

  

  Which HTTP JSON response does the Python code output give?

  A. NameError: name 'json' is not defined

  B. KeyError 'kickstart_ver_str'

  C. 7.61

  D. 7.0(3)I7(4)

  Correct Answer: D

• Question 1096:

  Which two components are supported by LISP? (choose two )

  A. proxy ETR

  B. egress tunnel router

  C. route reflector

  D. HMAC algorithm

  E. spoke

  Correct Answer: AB

  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-overview.html

• Question 1097:

  Which two network problems indicate a need to implement QoS in a campus network? (Choose two)

  A. port flapping

  B. excess jitter

  C. misrouted network packets

  D. duplicate IP addresses

  E. bandwidth-related packet loss

  Correct Answer: BE

• Question 1098:

  Which statement about TLS is true when using RESTCONF to write configurations on network devices?

  A. It is provided using NGINX acting as a proxy web server.

  B. It is no supported on Cisco devices.

  C. It required certificates for authentication.

  D. It is used for HTTP and HTTPs requests.

  Correct Answer: A

  When a device boots up with the startup configuration, the nginx process will be running. NGINX is an internal webserver that acts as a proxy webserver. It provides Transport Layer Security (TLS)-based HTTPS. RESTCONF request sent via HTTPS is first received by the NGINX proxy web server, and the request is transferred to the confd web server for further syntax/semantics check.

  Reference: https://www.cisco.com/c/en/us/td/docs/iosxml/ ios/prog/configuration/168/b_168_programmability_cg/RESTCONF.html https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/166/b_166_programmability_cg/b_166_programmability_cg_chapter_01011.html

  The https-based protocol-RESTCONF (RFC 8040), which is a stateless protocol, uses secure HTTP methods to provide CREATE, READ, UPDATE and DELETE (CRUD) operations on a conceptual datastore containing YANG-defined data > RESTCONF only uses HTTPs.

• Question 1099:

  Which algorithms are used to secure REST API from brute attacks and minimize the impact?

  A. SHA-512 and SHA-384

  B. MD5 algorithm-128 and SHA-384

  C. SHA-1, SHA-256, and SHA-512

  D. PBKDF2, BCrypt, and SCrypt

  Correct Answer: D

  One of the best practices to secure REST APIs is using password hash. Passwords must always be hashed to protect the system (or minimize the damage) even if it is compromised in some hacking attempts. There are many such hashing

  algorithms which can prove really effective for password security e.g. PBKDF2, bcrypt and scrypt algorithms.

  Other ways to secure REST APIs are: Always use HTTPS, Never expose information on URLs (Usernames, passwords, session tokens, and API keys should not appear in the URL), Adding Timestamp in Request, Using OAuth, Input

  Parameter Validation.

  Reference: https://restfulapi.net/security-essentials/

  We should not use MD5 or any SHA (SHA-1, SHA-256, SHA-512...) algorithm to hash password as they are not totally secure. Note: A brute-force attack is an attempt to discover a password by systematically trying every possible

  combination of letters, numbers, and symbols until you discover the one correct combination that works.

• Question 1100:

  Refer to the exhibit.

  

  What is the effect of this configuration?

  A. The device will allow users at 192.168.0.202 to connect to vty lines 0 through 4 using the password ciscotestkey

  B. The device will allow only users at 192 168.0.202 to connect to vty lines 0 through 4

  C. When users attempt to connect to vty lines 0 through 4. the device will authenticate them against TACACS* if local authentication fails

  D. The device will authenticate all users connecting to vty lines 0 through 4 against TACACS+

  Correct Answer: D