Cisco CCIE Enterprise Wireless 350-401 Questions & Answers

• Question 971:

  Which threat defence mechanism, when deployed at the network perimeter, protects against zero-day attacks?

  A. intrusion prevention

  B. stateful inspection

  C. sandbox

  D. SSL decryption

  Correct Answer: C

  Reference: https://www.cisco.com/c/en/us/products/collateral/security/amp-appliances/datasheet-c78-733182.html

  "File analysis and sandboxing: Secure Malware Analytics' highly secure environment helps you execute, analyze, and test malware behavior to discover previously unknown ZERO-DAY threats. The integration of Secure Malware Analytics' sandboxing technology into Malware Defense results in more dynamic analysis checked against a larger set of behavioral indicators. "

• Question 972:

  Refer to the exhibit. An engineers reaching network 172 16 10 0/24 via the R1-R2-R4 path. Which configuration forces the traffic to take a path of R1-R3-R4?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: D

  https://community.cisco.com/t5/networking-documents/understanding-bgp-best-path-selection-manipulation/ta-p/3150576

• Question 973:

  Refer to the exhibit. An engineer must configure static NAT on R1 lo allow users HTTP access to the web server on TCP port 80. The web server must be reachable through ISP 1 and ISP 2. Which command set should be applied to R1 to fulfill these requirements?

  

  A. ip nat inside source static tcp 10.1.1.100 80 209.165.200.225 80 extendable ip nat inside source static tcp 10.1.1.100 80 209.165.201.1 80 extendable

  B. ip nat inside source static tcp 10.1.1.100 80 209.165.200.225 80 ip nat inside source static tcp 10.1.1.100 80 209.165.201.1 80

  C. ip nat inside source static tcp 10.1.1.100 80 209.165.200.225 80 ip nat inside source static tcp 10.1.1.100 8080 209.165.201.1 8080

  D. ip nat inside source static tcp 10.1.1.100 80 209.165.200.225 80 no-alias ip nat inside source static tcp 10.1.1.100 80 209.165.201.1 80 no-alias

  Correct Answer: A

  the "extendable" keyword should be added if the same Inside Local is mapped to different Inside Global Addresses (the IP address of an inside host as it appears to the outside network). An example of this case is when you have two connections to the Internet on two ISPs for redundancy. So you will need to map two Inside Global IP addresses into one inside local IP address.

• Question 974:

  In a Cisco SD-WAN solution, how is the health of a data plane tunnel monitored?

  A. with IP SLA

  B. ARP probing

  C. using BFD

  D. with OMP

  Correct Answer: C

• Question 975:

  The login method is configured on the VTY lines of a router with these parameters.

  1.

  The first method for authentication is TACACS

  2.

  If TACACS is unavailable, login is allowed without any provided credentials

  Which configuration accomplishes this task?

  A. R1#sh run | include aaa aaa new-model aaa authentication login VTY group tacacs+ none aaa session-id common R1#sh run | section vty line vty 0 4 password 7 0202039485748 R1#sh run | include username R1#

  B. R1#sh run | include aaa aaa new-model aaa authentication login telnet group tacacs+ none aaa session-id common R1#sh run | section vty line vty 0 4 R1#sh run | include username R1#

  C. R1#sh run | include aaa aaa new-model aaa authentication login default group tacacs+ none aaa session-id common R1#sh run | section vty line vty 0 4 password 7 0202039485748 R1#sh run | include username R1#

  D. R1#sh run | include aaa aaa new-model aaa authentication login default group tacacs+ aaa session-id common R1#sh run | section vty line vty 0 4 transport input none R1#

  Correct Answer: C

  According to the requirements (first use TACACS+, then allow login with no authentication), we have to use "aaa authentication login ... group tacacs+ none" for AAA command. The next thing to check is the if the "aaa authentication login default" or "aaa authentication login list-name" is used. The `default' keyword means we want to apply for all login connections (such as tty, vty, console and aux). If we use this keyword, we don't need to configure anything else under tty, vty and aux lines. If we don't use this keyword then we have to specify which line(s) we want to apply the authentication feature. From above information, we can find out answer 'R1#sh run | include aaa aaa new-model aaa authentication login default group tacacs+ none aaa session-id common R1#sh run | section vty line vty 0 4 password 7 0202039485748 If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS Tutorial ?Part 2. For your information, answer 'R1#sh run | include aaa aaa new-model aaa authentication login telnet group tacacs+ none aaa session-id common R1#sh run | section vty line vty 0 4 R1#sh run | include username R1#' would be correct if we add the following command under vty line ("line vty 0 4"): "login authentication telnet" ("telnet" is the name of the AAA list above)

• Question 976:

  Why is an AP joining a different WLC than the one specified through option 43?

  A. The WLC is running a different software version.

  B. The AP is joining a primed WLC.

  C. The AP multicast traffic unable to reach the WLC through Layer 3.

  D. The APs broadcast traffic is unable to reach the WLC through Layer 2.

  Correct Answer: B

  Reference: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/119286-lap-notjoin-wlc-tshoot.html#:~:text=on%20document%20conventions.-,Overview%20of%20the%20Wireless%20LAN%20Controller%20(WLC)% 20Discovery%20and%20Join%20Process,-In%20a%20Cisco

• Question 977:

  Which NGFW mode block flows crossing the firewall?

  A. Passive

  B. Tap

  C. Inline tap

  D. Inline

  Correct Answer: D

  Firepower Threat Defense (FTD) provides six interface modes which are: Routed, Switched, Inline Pair, Inline Pair with Tap, Passive, Passive (ERSPAN). When Inline Pair Mode is in use, packets can be blocked since they are processed inline When you use Inline Pair mode, the packet goes mainly through the FTD Snort engine When Tap Mode is enabled, a copy of the packet is inspected and dropped internally while the actual traffic goes through FTD unmodified

  https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuringfirepower-threat-defense-int.html

• Question 978:

  Refer to the exhibit.

  

  A GRE tunnel has been created between HO and BR routers. What is the tunnel IP on the HQ router?

  A. 10.111.111.1

  B. 10.111.111.2

  C. 209.165.202.130

  D. 209.165.202.134

  Correct Answer: A

  In the above output, the IP address of "209.165.202.130" is the tunnel source IP while the IP 10.111.1.1 is the tunnel IP address.

• Question 979:

  Refer to the exhibit.

  

  Which command is required to verify NETCONF capability reply messages?

  A. show netconf | section rpc-reply

  B. show netconf rpc-reply

  C. show netconf xml rpc-reply

  D. show netconf schema | section rpc-reply

  Correct Answer: D

  The output of the show netconf schema command displays the element structure for a NETCONF request and the resulting reply. This schema can be used to construct proper NETCONF requests and parse the resulting replies.

• Question 980:

  An engineer is implementing a route map to support redistribution within BGP. The route map must configured to permit all unmatched routes. Which action must the engineer perform to complete this task?

  A. Include a permit statement as the first entry

  B. Include at least one explicit deny statement

  C. Remove the implicit deny entry

  D. Include a permit statement as the last entry

  Correct Answer: D