Cisco CCNP Exam Questions

Page 4 of 25

61.

You are comparing the power of a 400 mW antenna to a reference 5 mW antenna. Which of the following is the dB difference between them?

  • 19

  • 80

  • 16

  • 22

Correct answer: 19

Radio Frequency (RF) power is the strength of the signal. Absolute power is measured in watts (W). Differences can be calculated in decibels as dB = 10(log10(P2)-log10(P1)) = 10(log10(P2/P1)). Some key “laws” to remember include:

  • 0 dB difference means that two signals have the same absolute power.
  • +/-3 dB means that the power level of interest has double/half the power of the reference value.
  • +/-10 dB means that the power level of interest has 10 times/one-tenth the power of the reference value.

With this in mind, the problem can be broken up using the following steps:

5 mW x 2 = 10 mW

10 mW x 2 = 20 mW

20 mW x 2 = 40 mW

40 mW x 10 = 400 mW

5 mW x 2 x 2 x 2 x 10 = 400 mW

Doubling equals 3 dB and 10x is 10 dB, so the difference is

3 + 3 + 3 + 10 = 19 dB

The exact value is 10 log10(400/5) = 10 log10(80) ≈ 19.03 dB. The 3 dB and 10 dB "laws" are rounding rules (a doubling is really 3.01 dB), so the exam expects the rounded 19.
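As an added illustration (not part of the original question bank), the following Python turns the rule-of-3s-and-10s decomposition used above into a general routine, reports the leftover factor the rules could not account for, and compares the estimate with the exact logarithm. It also handles ratios below 1 (a negative dB difference), which the worked answer does not show.

```python
import math


def db_difference(p_ref_mw: float, p_mw: float) -> float:
    """Exact decibel difference between two absolute powers: 10 * log10(P2 / P1)."""
    return 10 * math.log10(p_mw / p_ref_mw)


def db_by_rules_of_3_and_10(p_ref_mw: float, p_mw: float) -> tuple:
    """Estimate the dB difference the way the exam does: factor the power ratio into
    tens (10 dB each) and twos (3 dB each).

    Returns (estimate_db, tens, twos, leftover). leftover is the part of the ratio
    the two rules could not express; 1.0 means the decomposition was exact."""
    ratio = p_mw / p_ref_mw
    sign = 1
    if ratio < 1:                      # weaker than the reference: invert, then negate
        ratio, sign = 1 / ratio, -1
    tens = twos = 0
    while ratio >= 10 - 1e-9:          # peel off 10x steps first (10 dB each)
        ratio /= 10
        tens += 1
    while ratio >= 2 - 1e-9:           # then 2x steps (3 dB each)
        ratio /= 2
        twos += 1
    return sign * (10 * tens + 3 * twos), tens, twos, ratio


def dbm(p_mw: float) -> float:
    """Absolute power in dBm is the dB difference from a 1 mW reference."""
    return db_difference(1.0, p_mw)


if __name__ == "__main__":
    est, tens, twos, left = db_by_rules_of_3_and_10(5, 400)
    print(f"5 mW -> 400 mW: {tens} x 10 dB + {twos} x 3 dB = {est} dB "
          f"(exact {db_difference(5, 400):.2f} dB, leftover factor {left})")
    print(f"400 mW = {dbm(400):.2f} dBm")
```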

62.

Which of the following is not one of the key components of Cisco’s Locator/ID Separation Protocol (LISP)?

  • Management Plane

  • Control Plane

  • Routing Architecture

  • Data Plane

Correct answer: Management Plane

Cisco’s Locator/ID Separation Protocol (LISP) doesn't have a management plane. It has three main components:

  • LISP Routing Architecture: Traditionally, an IP address identifies a particular device at a specific location. LISP breaks it into separate Endpoint Identifiers (EIDs) and Routing Locators (RLOCs). If a device changes location, its EID stays the same while its RLOC changes.
  • LISP Control Plane: An ingress tunnel router resolves an EID to its RLOC by sending a map request to the Map Resolver (MR). This pull-based model is more efficient than Border Gateway Protocol (BGP) or Open Shortest Path First (OSPF), which push route data to every router, including routes that router never uses.
  • LISP Data Plane: An IP packet received from an EID is encapsulated in an Internet Protocol (IP)/User Datagram Protocol (UDP) packet using an IP address in the RLOC IP space.

63.

Which of the following are used for authentication with Cisco APIs? (Choose three.)

  • Username and password

  • API KEY

  • JSESSIONID

  • JWT

  • Digital certificate

Cisco's DNA Center Token Application Programming Interface (API) and vManage Authentication API take a username and password for authentication. They return a token (sent in the X-Auth-Token header of later requests) and a Java session ID (the JSESSIONID cookie) respectively, which are what authenticate subsequent calls to other API endpoints.

JSON Web Tokens (JWTs) and digital certificates are valid API authentication mechanisms in general, but they are not what these two Cisco APIs use.

64.

An attacker is performing a credential stuffing attack against the Cisco DNA Center Token Application Programming Interface (API). The majority of the responses that they receive should have which Hypertext Transfer Protocol (HTTP) status code?

  • 401

  • 200

  • 403

  • 404

Correct answer: 401

The 401 Unauthorized status code indicates that the request lacked valid credentials. Since most guesses in a credential stuffing attack will be wrong, this is the expected response for the bulk of the attempts; a burst of 401s from one source against a login or token endpoint is also the signal a defender should alert on.

200 OK indicates a successful request, meaning the attacker has hit a valid username and password pair.

403 Forbidden is returned when the client is authenticated but not authorized to make a particular request.

404 Not Found indicates that the requested resource doesn't exist.
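As an added example (not part of the original question bank), the following Python applies that observation as detection logic: it counts 401 responses per source IP against the token endpoint inside a sliding time window, flags sources that exceed a threshold, and notes when a 200 follows such a burst (a likely successful guess). The log format and every entry are constructed for the example; a real deployment would feed it the audit or reverse-proxy logs in front of DNA Center, in whatever format those use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines (not real DNA Center output):
# "<ISO timestamp> <client IP> <method> <path> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 POST /dna/system/api/v1/auth/token 401
2024-05-01T10:00:01Z 203.0.113.7 POST /dna/system/api/v1/auth/token 401
2024-05-01T10:00:01Z 198.51.100.4 POST /dna/system/api/v1/auth/token 200
2024-05-01T10:00:02Z 203.0.113.7 POST /dna/system/api/v1/auth/token 401
2024-05-01T10:00:03Z 203.0.113.7 POST /dna/system/api/v1/auth/token 401
2024-05-01T10:00:04Z 203.0.113.7 POST /dna/system/api/v1/auth/token 401
2024-05-01T10:00:05Z 203.0.113.7 POST /dna/system/api/v1/auth/token 200
2024-05-01T10:05:00Z 198.51.100.4 POST /dna/system/api/v1/auth/token 401
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
TOKEN_PATH = "/dna/system/api/v1/auth/token"


def parse(line: str):
    """Return (timestamp, ip, method, path, status) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path, int(status)


def find_credential_stuffing(lines, token_path=TOKEN_PATH, threshold=5, window_s=60):
    """Flag source IPs that produce >= threshold 401s against the token endpoint
    within any window_s-second window. Also report IPs whose burst was followed by a
    200, i.e. where a guessed credential pair apparently worked.

    Returns (flagged: {ip: peak_401s_in_window}, hits_after_burst: set of ips)."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s inside the current window
    peak = defaultdict(int)       # ip -> highest 401 count seen in any window
    hits_after_burst = set()
    for rec in filter(None, map(parse, lines)):
        ts, ip, method, path, status = rec
        if method != "POST" or path != token_path:
            continue
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            peak[ip] = max(peak[ip], len(q))
        elif status == 200 and peak[ip] >= threshold:
            hits_after_burst.add(ip)
    flagged = {ip: n for ip, n in peak.items() if n >= threshold}
    return flagged, hits_after_burst


if __name__ == "__main__":
    flagged, hits = find_credential_stuffing(SAMPLE_LOG)
    print("suspected stuffing sources:", flagged)
    print("bursts followed by a successful login:", hits)
```

The threshold and window are tuning knobs; the point is that the signal lives in the 401 volume, and that a 200 from the same source right after a burst deserves an immediate token revocation and password reset rather than a ticket.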

65.

Which of the following commands can be used to change the topology of a spanning tree by changing the roles of various ports? (Choose two.)

  • spanning-tree [vlan vlan-id] cost cost

  • spanning-tree [vlan vlan-id] port-priority priority

  • spanning-tree [vlan vlan-id] system-priority priority

  • spanning-tree [vlan vlan-id] rebuild

The command spanning-tree [vlan vlan-id] cost cost changes the port cost, and with it the root path cost advertised through that port, which alters the Spanning Tree Protocol (STP) forwarding path. Raising the cost can turn a root port into an alternate port or a designated port into a blocking port.

The command spanning-tree [vlan vlan-id] port-priority priority changes the priority of a port, which is the tie-breaker when a switch has several equal-cost ports toward the root; it decides which becomes the root port and which becomes the alternate port.

The other two commands do not exist in Cisco IOS. (The bridge priority is set with spanning-tree vlan vlan-id priority priority, which influences the root bridge election rather than individual port roles.)

66.

In YANG, which of the following types of nodes emulates a database by storing a collection of records?

  • List

  • Leaf

  • Leaf-List

  • Container

Correct answer: List

The Yet Another Next Generation (YANG) data model language defines four types of nodes:

  • Leaf Node: Leaf nodes contain a single value of a particular type and have no children.
  • Leaf-List Node: Leaf-list nodes are sequences of leaf nodes with a single value of a particular type for each leaf node.
  • Container Node: Container nodes collect multiple related nodes into a subtree. Container nodes have child nodes but no value and contain an unlimited number of child nodes of any type.
  • List Node: List nodes hold a series of list entries, which act as records and are identified by their key leaves. A list node can have multiple keys and an unlimited number of child nodes of any type.
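As an added illustration (not from the original page and not a Cisco model), a small hypothetical YANG module that uses all four node types; the module name, namespace, prefix and leaf names are invented:

```yang
module example-acl {
  namespace "urn:example:acl";      // assumed namespace for the example
  prefix acl;

  container acl-config {            // container: groups related nodes, has no value of its own
    leaf enabled {                  // leaf: exactly one value, no children
      type boolean;
      default true;
    }
    leaf-list trusted-hosts {       // leaf-list: an ordered sequence of values of one type
      type string;
    }
    list rule {                     // list: a set of records, each identified by its key leaf
      key "seq";
      leaf seq { type uint16; }
      leaf action {
        type enumeration {
          enum permit;
          enum deny;
        }
      }
      leaf source { type string; }
    }
  }
}
```

In an instance document the list behaves like a table keyed on seq: each entry is one record with its own action and source leaves, which is why the list is the node type that "emulates a database".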

67.

In the PIM Bootstrap Router (BSR) protocol, which multicast address is used for announcements?

  • 224.0.0.13

  • 224.0.1.39

  • 224.0.1.40

  • 224.0.0.5

  • 224.0.0.6

Correct answer: 224.0.0.13

Protocol Independent Multicast (PIM) Bootstrap Router (BSR) is a non-proprietary Rendezvous Point (RP) discovery and distribution algorithm. A BSR learns the RP set information for all group prefixes and announces it to all routers in the PIM domain. Announcements are flooded out all PIM-enabled interfaces with PIM neighbors to the 224.0.0.13 address (all PIM routers).

224.0.1.39 and 224.0.1.40 are associated with Cisco's Auto-RP protocol.

224.0.0.5 and 224.0.0.6 are associated with the Open Shortest Path First (OSPF) protocol.

68.

Which of the following is a type of memory designed to store the MAC address table and enable rapid searches of it on a Cisco switch?

  • CAM

  • RIB

  • FIB

  • CEF

Correct answer: CAM

Content Addressable Memory (CAM) holds the Media Access Control (MAC) address table and uses specialized search techniques to enable addresses to be found faster than with Random Access Memory (RAM).

Cisco Express Forwarding (CEF) is Cisco's packet-switching technology, enabled by default on the majority of Cisco platforms. It is a forwarding method, not a type of memory.

The Routing Information Base (RIB) is Cisco’s term for a routing table, which stores information on how to reach different devices or networks.

The Forwarding Information Base (FIB), which CEF builds from the RIB, stores the next-hop information for each destination prefix and is used to make Internet Protocol (IP) destination-prefix-based forwarding decisions. On hardware-switching platforms the FIB is programmed into Ternary CAM (TCAM) for line-rate lookups.

69.

In which of the following BGP neighbor states is a router waiting for a KEEPALIVE message to transition to the next state?

  • OpenConfirm

  • OpenSent

  • Idle

  • Connect

  • Active

Correct answer: OpenConfirm

The Border Gateway Protocol (BGP) defines six neighbor states:

  1. Idle: Initial state of the BGP Finite State Machine (FSM), where the router initiates a Transmission Control Protocol (TCP) connection to the peer and listens for connection requests from it. If Idle is re-entered because of an error, the router resets the ConnectRetryTimer (initially 60 seconds) and waits for it to expire before trying again; each further failure doubles the timer.
  2. Connect: The router waits for the TCP three-way handshake to complete. If it succeeds, the router sends an OPEN message, resets the ConnectRetryTimer, and transitions to OpenSent. If the ConnectRetryTimer expires first, a new TCP connection is attempted, the timer is reset, and the state moves to Active. Any other input moves the state to Idle.
  3. Active: The router starts a new TCP three-way handshake. If it succeeds, the router sends an OPEN message, sets the hold timer to four minutes, and moves to OpenSent. If the TCP connection attempt fails, the state reverts to Connect and the ConnectRetryTimer is reset.
  4. OpenSent: The originating router waits for an OPEN message from the peer. Once received, the OPEN is checked for errors. If there are none, the hold time is negotiated (the lower of the two values), a KEEPALIVE is sent, and the state moves to OpenConfirm. Errors cause a NOTIFICATION message and a return to Idle. A TCP disconnect closes the connection, resets the ConnectRetryTimer, and moves the state to Active. Other events cause a return to Idle.
  5. OpenConfirm: The router waits for a KEEPALIVE or NOTIFICATION message. If a KEEPALIVE is received, the state moves to Established. If an error occurs (hold timer expiration, a stop event, or a received NOTIFICATION message), it reverts to Idle.
  6. Established: The BGP session is up and neighbors exchange routes via UPDATE messages. UPDATEs and KEEPALIVEs reset the hold timer; hold timer expiration is an error and causes a return to Idle.

70.

Which of the following is used to specify which application to use in IPSLA?

  • Operation number

  • Probe number

  • Feature number

  • Protocol number

Correct answer: Operation number

IP SLA uses an operation number to identify each configured operation and the application it runs (Internet Control Message Protocol (ICMP) echo probe, Hypertext Transfer Protocol (HTTP) GET, etc.).

The other answers are fabricated.

71.

In 802.1X, which of the following roles are directly involved in the authentication process? (Choose two.)

  • Supplicant

  • AS

  • Authenticator

  • Controller

In 802.1X, the supplicant (the client) and the Authentication Server (AS, typically a RADIUS server such as Cisco ISE) perform the actual authentication: Extensible Authentication Protocol (EAP) messages are exchanged end-to-end between these two parties.

The authenticator (a switch port or a Wireless Local Area Network (LAN) Controller (WLC)) relays EAP between the supplicant (over EAPOL) and the AS (inside RADIUS) and enforces the result on the port, but it is not itself a party to the authentication.

A controller is not an 802.1X role.

72.

Which of the following types of authentication is used by the Cisco DNA Center Token API?

  • Basic Authentication

  • API Keys

  • JSON Web Token

  • Digital certificates

Correct answer: Basic Authentication

The Cisco DNA Center Token Application Programming Interface (API) accepts POST requests and returns JSON. It uses Basic Authentication, a Base64-encoded username:password pair in the Authorization header, to authenticate the user. After authentication, the user receives a token that is presented in the X-Auth-Token header of subsequent requests until it expires.

The other authentication methods are not used by this API.
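The two-step flow described in this question and in question 63, as an added example that is not part of the original page or of Cisco's own tooling: a client function that authenticates with Basic Authentication and then reuses the returned token, run against a small local mock so it works offline. The endpoint paths and the X-Auth-Token header follow Cisco's published DNA Center API documentation; the credentials, the token value and the device list are constructed. The mock also shows the 401 response from question 64 for a bad password or a stale token.

```python
import base64
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed values for the local mock; not a real DNA Center account or token.
MOCK_USER, MOCK_PASS = "admin", "C1sco12345"
MOCK_TOKEN = "eyJhbGciOiJIUzI1NiJ9.constructed.example"
TOKEN_PATH = "/dna/system/api/v1/auth/token"        # DNA Center token endpoint
DEVICE_PATH = "/dna/intent/api/v1/network-device"   # an Intent API endpoint for the second step


class MockDnacHandler(BaseHTTPRequestHandler):
    """Mimics the scheme: Basic auth on the token endpoint, X-Auth-Token everywhere else."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _json(self, code: int, body: dict) -> None:
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != TOKEN_PATH:
            return self._json(404, {"error": "not found"})
        expected = "Basic " + base64.b64encode(f"{MOCK_USER}:{MOCK_PASS}".encode()).decode()
        if not hmac.compare_digest(self.headers.get("Authorization", ""), expected):
            return self._json(401, {"error": "Unauthorized"})  # wrong or missing credentials
        self._json(200, {"Token": MOCK_TOKEN})

    def do_GET(self):
        if not hmac.compare_digest(self.headers.get("X-Auth-Token", ""), MOCK_TOKEN):
            return self._json(401, {"error": "Unauthorized"})  # missing or expired token
        self._json(200, {"response": [{"hostname": "sw1", "managementIpAddress": "192.0.2.11"}]})


def start_mock():
    """Start the mock on a free loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), MockDnacHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def get_token(base_url: str, username: str, password: str) -> str:
    """Step 1: POST with Basic Authentication; the JSON body carries the token."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = request.Request(base_url + TOKEN_PATH, data=b"", method="POST",
                          headers={"Authorization": "Basic " + cred,
                                   "Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.load(resp)["Token"]


def list_devices(base_url: str, token: str) -> list:
    """Step 2: later calls present the token in X-Auth-Token, never the password again."""
    req = request.Request(base_url + DEVICE_PATH, headers={"X-Auth-Token": token})
    with request.urlopen(req) as resp:
        return json.load(resp)["response"]


def login_status(base_url: str, username: str, password: str) -> int:
    """HTTP status the token endpoint returns for a credential pair (200 on success, 401 otherwise)."""
    try:
        get_token(base_url, username, password)
        return 200
    except error.HTTPError as exc:
        return exc.code


def device_status(base_url: str, token: str) -> int:
    """HTTP status the device endpoint returns for a given token."""
    try:
        list_devices(base_url, token)
        return 200
    except error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    srv, base = start_mock()
    print("bad password ->", login_status(base, MOCK_USER, "wrong"))
    token = get_token(base, MOCK_USER, MOCK_PASS)
    print("devices:", list_devices(base, token))
    srv.shutdown()
```

Because the password is only ever sent to the token endpoint and everything else carries the short-lived token, the blast radius of a leaked request log or proxy capture is one expiring token rather than the administrator's password; the same split is why stuffing attacks concentrate on the token endpoint.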

73.

In Flexible NetFlow, assuming that all records will be collected (no sampling), which of the following is configured last?

  • Flow monitor

  • Flow record

  • Flow exporter

  • Flow sampler

Correct answer: Flow monitor

Flow monitors are set up after a flow record and a flow exporter, because the monitor references both. The record defines what to collect (key and non-key fields), the exporter defines where to send it, and the monitor ties the two together and is then applied to a particular interface in the input or output direction.

Flow samplers are used to sample data rather than collect all records.

74.

Which of the following RESTful API security best practices ensures request confidentiality and integrity?

  • HTTPS encryption

  • Authentication and authorization

  • Rate limiting

  • Input validation

  • Keeping APIs updated

Correct answer: HTTPS encryption

Some best practices for protecting RESTful Application Programming Interfaces (APIs) against attack include:

  • Implementing Strong Authentication and Authorization: APIs can use JSON Web Tokens (JWTs), OAuth, API Keys, Basic Authentication, or other means. Authorization schemes include Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).
  • Using HTTPS Encryption: HyperText Transfer Protocol Secure (HTTPS) encryption protects API requests and responses against eavesdropping and modification by an attacker.
  • Rate Limiting and Throttling: Rate limiting and throttling protect against API abuse and Denial of Service (DoS) attacks by limiting the number of requests that a user can make.
  • Input Validation: Treating all client-supplied data as untrusted protects against injection attacks. Techniques include allow-list validation of input, sanitization, and output encoding.
  • Keeping APIs Updated: APIs may contain vulnerabilities that could be exploited by an attacker. Applying prompt updates helps to protect against this.

75.

Which of the following types of Cisco IOS XE passwords use password hashing and salting? (Choose three.)

  • Type 8

  • Type 9

  • Type 5

  • Type 0

  • Type 7

Cisco IOS XE offers support for five types of passwords, including:

  • Type 0: Stored in plaintext in the device configuration without encryption or hashing. The enable password command stores a type 0 password. It is insecure.
  • Type 7: Uses a Cisco-proprietary Vigenère-style cipher with a fixed, publicly known key, so it is trivially reversible; it hides the password from a casual glance at the configuration and nothing more. Enabled by the command service password-encryption for commands that would otherwise store type 0 passwords (enable password, username password, and line password). It is insecure.
  • Type 5: A salted Message Digest 5 (MD5) hash. MD5 is a fast hash, so type 5 secrets are readily cracked offline by dictionary or brute-force attack. It is insecure.
  • Type 8: Uses the Password-Based Key Derivation Function 2 (PBKDF2) with HMAC-SHA-256 and a salt. It is secure and recommended.
  • Type 9: Uses the scrypt hashing algorithm with a salt. It is secure, recommended, and preferred by Cisco.
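As an added example (not part of the original page or of Cisco's software), the following Python makes the difference concrete. The type 7 decoder uses the fixed XOR key that Cisco's scheme is known to rely on, so any type 7 string in a leaked configuration yields the plaintext immediately. The type 8 style functions show the salted, iterated PBKDF2-HMAC-SHA256 construction with the 20000 iterations Cisco uses; the storage format here is plain hex for readability, so it illustrates the construction and is not byte-compatible with real type 8 strings (Cisco uses its own base64 alphabet). The analogous type 9 call would be hashlib.scrypt with n=16384, r=1, p=1.

```python
import hashlib
import hmac
import os

# The fixed XOR key behind Cisco type 7 "encryption". It is public knowledge and identical
# on every device, which is exactly why type 7 is reversible rather than a real protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Decode a type 7 string: two decimal digits give the key offset, then one hex byte
    per plaintext character, each XORed with successive key bytes."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode()


def type7_encrypt(plaintext: str, seed: int = 8) -> str:
    """Produce what 'service password-encryption' would store for a plaintext password."""
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plaintext.encode()))
    return f"{seed:02d}{body.hex().upper()}"


# Type 8 style: PBKDF2-HMAC-SHA256, random 14-byte salt, 20000 iterations.
PBKDF2_ITERATIONS = 20000


def type8_style_hash(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash; a fresh random salt means equal passwords hash differently."""
    salt = salt or os.urandom(14)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return f"$8${salt.hex()}${dk.hex()}"   # illustrative hex format, not Cisco's encoding


def type8_style_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time. The salt defeats
    precomputed tables; the iteration count makes each guess expensive."""
    _, _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             PBKDF2_ITERATIONS, dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("type 7 0822455D0A16 ->", type7_decrypt("0822455D0A16"))  # recovered instantly
    stored = type8_style_hash("C1sco12345")
    print(stored)
    print("verify correct:", type8_style_verify("C1sco12345", stored),
          " verify wrong:", type8_style_verify("guess", stored))
```

The practical rule that follows: treat any type 7 or type 0 secret found in a backup, a TFTP share or a ticket as already compromised, and migrate enable and local user secrets to enable secret / username ... secret with algorithm-type scrypt or sha256.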

76.

Which of the following Switch Port Analyzer (SPAN) types requires a specific VLAN?

  • RSPAN

  • SPAN

  • ERSPAN

  • ESPAN

Correct answer: RSPAN

Switched Port Analyzer (SPAN) solutions send a copy of network traffic to another port for analysis of Layer 2 issues. Some techniques include:

  • Local SPAN: Capture traffic flowing over the local network on a switch and send to a port with a traffic analyzer attached.
  • Remote SPAN (RSPAN): Capture local traffic on a switch and send it to another switch via Layer 2 (switching) to a port on another switch with a traffic analyzer attached. Requires the RSPAN Virtual Local Area Network (VLAN) to be defined to carry the SPAN traffic over the network.
  • Encapsulated RSPAN (ERSPAN): Same idea as RSPAN, but the mirrored traffic is encapsulated in Generic Routing Encapsulation (GRE) and carried over Layer 3 (routing) to a remote destination rather than across a Layer 2 VLAN.

ESPAN is a fabricated term.

77.

Which of the following Cisco SD-WAN solutions work together to define and enforce policies on the SD-WAN network? (Choose two.)

  • vManage

  • vSmart

  • vBond

  • vAnalytics

  • Edge devices

Cisco's Software-Defined Wide Area Network (SD-WAN) solutions include several different components:

  • vManage is used for centralized visibility and management, including policy definitions.
  • vSmart distributes and enforces the policies created in vManage, pushing them to the edge devices over the Overlay Management Protocol (OMP).
  • vBond orchestrates the fabric: it authenticates devices joining it, performs Network Address Translation (NAT) traversal detection, and load balances edge connections across controllers.
  • vAnalytics is an optional analytics service.
  • SD-WAN edge devices make up the data plane and are responsible for forwarding traffic between locations via various media.

78.

Which of the following types of routing protocols uses hop count as the sole metric for selecting a route?

  • Distance vector

  • Enhanced distance vector

  • Link state

  • Path vector

Correct answer: Distance vector

Distance vector routing protocols advertise each route as a distance (the metric) and a vector (the direction, i.e. the Internet Protocol (IP) address of the next hop). In the classic protocols, such as Routing Information Protocol (RIP), the distance is measured purely in hop count, and that is the only metric used to choose a route.

Enhanced distance vector algorithms like the Diffusing Update Algorithm (DUAL) used by Enhanced Interior Gateway Routing Protocol (EIGRP) can incorporate other metrics, such as bandwidth, reliability, delay, and load.

Link state algorithms like Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS) advertise link states and metrics for all connected links and directly-connected routers to the entire network. With a complete map of the network, routers use Dijkstra’s Shortest Path First (SPF) algorithm to identify the best path to various destinations.

Path vector algorithms, such as the Border Gateway Protocol (BGP), extend the distance vector idea: instead of a single metric, each route carries a set of BGP path attributes (including the list of autonomous systems it has traversed), and the best path is selected from those attributes.

79.

Which of the following Simple Network Management Protocol (SNMP) versions perform authentication using community strings? (Choose two.)

  • SNMPv1

  • SNMPv2c

  • SNMPv3 noAuthNoPriv

  • SNMPv3 authNoPriv

  • SNMPv3 authPriv

SNMPv1 and SNMPv2c perform authentication via community strings.

SNMPv3 replaces community strings with a user-based security model. noAuthNoPriv identifies the user by username only, with no authentication and no encryption; authNoPriv authenticates each message with a keyed hash based on Message Digest 5 (MD5) or the Secure Hash Algorithm (SHA); authPriv adds encryption of the payload (DES or AES) on top of that authentication. Community strings in SNMPv1 and SNMPv2c travel in cleartext, so anyone who can sniff the traffic learns the "password".
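As an added example (not part of the original page), a minimal parser for the outer structure of an SNMP message that pulls out the version and, for v1/v2c, the community string, which is all an attacker sniffing the wire needs. The packet bytes are hand-assembled BER for a GetRequest of sysName.0 with community "public", constructed for this example rather than captured from a device; the parser itself follows the standard SNMP message layout (SEQUENCE of version INTEGER, community OCTET STRING, PDU). It also flags the well-known default communities, which is a useful check to run over captures from a network you are auditing.

```python
# Constructed SNMPv1 GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0), community "public".
SNMPV1_GET = bytes.fromhex(
    "3026"                  # SEQUENCE (38 bytes): the whole message
    "020100"                # INTEGER version = 0 (SNMPv1; 1 = SNMPv2c, 3 = SNMPv3)
    "04067075626c6963"      # OCTET STRING "public": the community string, in the clear
    "a019"                  # GetRequest-PDU (25 bytes)
    "020101"                #   request-id = 1
    "020100"                #   error-status = 0
    "020100"                #   error-index = 0
    "300e300c"              #   VarBindList holding one VarBind
    "06082b06010201010500"  #   OID 1.3.6.1.2.1.1.5.0
    "0500"                  #   NULL value (a get carries no value)
)

DEFAULT_COMMUNITIES = {"public", "private"}


def read_tlv(buf: bytes, pos: int):
    """Parse one BER tag-length-value starting at pos.
    Returns (tag, value_bytes, position just after the value). Handles short and
    long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmp_auth_info(packet: bytes) -> dict:
    """Extract the SNMP version and, for v1/v2c, the community string that acts as the password."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big")
    if version == 3:
        # SNMPv3 carries msgGlobalData and USM security parameters here, not a community.
        return {"version": "SNMPv3", "community": None, "default_community": False}
    tag, comm, _ = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    community = comm.decode("ascii", errors="replace")
    return {"version": {0: "SNMPv1", 1: "SNMPv2c"}.get(version, f"unknown({version})"),
            "community": community,
            "default_community": community in DEFAULT_COMMUNITIES}


def as_v2c(v1_packet: bytes) -> bytes:
    """The same request re-labelled SNMPv2c: only the version byte (offset 4 here) changes,
    which is the whole difference between the two as far as 'authentication' goes."""
    return v1_packet[:4] + b"\x01" + v1_packet[5:]


if __name__ == "__main__":
    print(snmp_auth_info(SNMPV1_GET))
    print(snmp_auth_info(as_v2c(SNMPV1_GET)))
```

Nothing in the parse involves a key or a hash: whoever sees the datagram can replay it or change the OID to a write operation (a SetRequest with the same community, if it is the read-write string). That is the gap SNMPv3 authNoPriv and authPriv close.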

80.

Which of the following deployment models are not an option with a Cisco lightweight AP? (Choose two.)

  • Autonomous

  • Controllerless

  • Centralized

  • Distributed

  • Cloud-based

Autonomous deployments require standalone Access Points (APs), while most Cisco wireless APs are lightweight and require a Wireless Local Area Network (LAN) Controller (WLC) to operate. Some APs have an Embedded Wireless Controller (EWC) that allows them to be used in controllerless deployments.

Controller-based wireless deployments have a standalone WLC that can be deployed under the following models:

  • Centralized: The WLC is placed in a centralized location, such as the network core, enabling it to support many APs. WLC is likely near commonly-used resources (Internet, data center, etc.) and enables centralized policy enforcement.
  • Distributed: Multiple WLCs are located alongside each switch in the access layer. This design makes sense for geographically distributed sites.
  • Cloud-Based: Similar to the centralized model, except the WLC is located in a public or private cloud, rather than on-premises.