Cisco CCNP Exam Questions
Page 5 of 25
81. Which of the following is an example of an agentless automation tool?
- Ansible
- Puppet
- Chef
- SaltStack
Correct answer: Ansible
Ansible is an agentless automation tool, meaning that it doesn't require software to be installed on monitored clients.
Puppet and SaltStack have agentless variants (Puppet Bolt and Salt SSH), but they and Chef are agent-based by default.
82. Path Trace in Cisco DNA Center replaces which of the following tools? (Choose two.)
- ping
- traceroute
- debugs
- syslog
Correct answers: ping, traceroute
Path Trace is a tool in Cisco Assurance that performs traceroute within the Graphical User Interface (GUI) and can be used to identify reachability issues, such as a misconfigured Access Control List (ACL). This can replace the OS version of ping and traceroute.
The debugs tool is a Cisco tool for debugging various issues, and syslog is used for centralized logging.
83. Which of the following types of ACLs can make access decisions based only on the source network?
- Numbered standard ACLs
- Numbered extended ACLs
- Named ACLs
- Port ACLs
- VLAN ACLs
Correct answer: Numbered standard ACLs
Access Control Lists (ACLs) are an ordered list of Access Control Entries (ACEs) where the system starts at the top and works its way down to find one that matches a packet. Several types of ACLs exist:
- Numbered Standard ACLs: Look only at the source network and use numbered entries in the ranges 0-99 and 1300-1999.
- Numbered Extended ACLs: Look at various packet attributes (source, destination, protocol, port, etc.) and use the numbered entries 100-199 and 2000-2699.
- Named ACLs: Allow ACLs to be named rather than numbered, which increases usability.
- Port ACLs (PACLs): Perform filtering on Layer 2 switch ports using numbered or named, standard or extended Media Access Control (MAC) ACLs.
- VLAN ACLs (VACLs): Perform filtering of Virtual Local Area Network (VLAN) traffic using numbered or named, standard or extended MAC ACLs.
84. Which of the following IPsec protocols offers data confidentiality?
- ESP
- IKE
- ISAKMP
- AH
Correct answer: ESP
Internet Protocol Security (IPSec) is a set of protocols used to create Virtual Private Networks (VPNs). Some key elements include:
- Authentication Header (AH): The AH protects against replay attacks and ensures data integrity and peer authentication using digital signatures. It doesn’t provide data confidentiality via encryption. It has a protocol number of 51.
- Encapsulating Security Payload (ESP): ESP provides data integrity, confidentiality, peer authentication, and replay protection. It has a protocol number of 50 and can carry packets either in tunnel mode (old packet’s headers are encrypted and new IPSec headers are added) or transport mode (only the original packet payload is encrypted).
- Internet Key Exchange (IKE): IKE performs mutual authentication and allows the creation of Security Associations (SAs), which are tunnels that carry data and control plane traffic for IPsec. IKEv2 is the modern version of the protocol, which is more efficient, supports asymmetric authentication, and offers improved protocols and cryptographic algorithms.
IKE is a particular implementation of the Internet Security Association and Key Management Protocol (ISAKMP).
85. A new switch has just joined a VTP domain. Which of the following messages will be sent?
- Client requests
- Summary
- Subset
- Update
Correct answer: Client requests
The Virtual Local Area Network (VLAN) Trunking Protocol (VTP) uses three types of multicast advertisements, including:
- Summary: Reports the VTP version, domain, configuration revision number, and timestamp. Sent every 300 seconds or when a change occurs.
- Subset: Provides information about a change to the VLANs in the VTP domain and includes all information needed to make the change on a switch.
- Client Requests: Clients can request a subset advertisement if, for example, they’ve just joined the VTP domain and the latest summary message has a higher configuration revision number than their latest version.
Update is not a VTP message type.
86. Using 802.1X means that which of the following EAP versions will be used?
- EAPOL
- LEAP
- PEAP
- EAP-TLS
- EAP-FAST
Correct answer: EAPOL
The Extensible Authentication Protocol (EAP) is an authentication framework built into the 802.11 standard. Multiple EAP-based protocols exist, and EAP can integrate with 802.1X port-based access control. When this occurs, it uses EAP Over LAN (EAPOL).
LEAP (Lightweight Extensible Authentication Protocol), PEAP (Protected Extensible Authentication Protocol), EAP-TLS (Transport Layer Security), and EAP-FAST (Flexible Authentication via Secure Tunneling) are EAP versions but aren't used for 802.1X.
87. Cisco TrustSec Scalable Group Tags (SGTs) are used by which plane of Cisco's SD-Access?
- Policy Plane
- Control Plane
- Data Plane
- Management Plane
- Orchestration Plane
Correct answer: Policy Plane
Cisco's Software-Defined Access (SD-Access) includes three different planes:
- Control Plane: Uses the Locator/ID Separation Protocol (LISP), which uses a central Map Server (MS) to track remote destination data, enabling routers to only manage local routes and ask the MS for remote routes.
- Data Plane: Uses Virtual Extensible Local Area Network (VXLAN) to encapsulate traffic and perform tunneling while preserving the original Ethernet packet header. This enables the protocol to support overlays at Layers 2 and 3 and work on Internet Protocol (IP)-based networks that incorporate network segmentation and group-based policy.
- Policy Plane: Uses Cisco TrustSec Scalable Group Tags (SGTs) to encode information about groups, and these tags are used to apply corporate policies.
Management and orchestration are not valid SD-Access planes.
88. In RSTP, which of the following port types provides connectivity to downstream switches or devices?
- Designated
- Root
- Alternate
- Backup
Correct answer: Designated
The Rapid Spanning Tree Protocol (RSTP) has four port roles:
- Root Port (RP): Connects upstream toward the root switch (or the next upstream switch); there is one per non-root switch.
- Designated Port (DP): Receives and forwards frames to other switches and connects to downstream devices; one per link.
- Alternate Port: Provides an alternate route to the root switch via a different switch.
- Backup Port: Offers link redundancy toward a shared segment within a single collision domain, usually a network hub.
89. Which of the following Python modules could be used to communicate with a RESTful API?
- Requests
- JSON
- XML
- Query
Correct answer: Requests
The requests module can be used to make Hypertext Transfer Protocol/Secure (HTTP/S) requests. This enables it to be used to query RESTful Application Programming Interfaces (APIs).
The JSON and XML modules are used for parsing different data types.
Query is not a commonly used Python module.
90. Which of the following is not true of Layer 2 roaming?
- The local and foreign WLCs connect via a CAPWAP tunnel to forward data
- The client may be able to keep their own IP address
- The old and new WLCs must be on the same subnet
- The old and new WLCs must be on the same VLAN
Correct answer: The local and foreign WLCs connect via a CAPWAP tunnel to forward data
Roaming between Access Points (APs) on different Wireless LAN Controllers (WLCs) is intercontroller roaming. When changing between WLCs with the same Virtual LAN (VLAN) and subnet, the client can keep their existing IP address (Layer 2 roam) and perform a fast roam.
In a Layer 3 roam, the client changes between WLCs on different VLANs and subnets. To handle this, a new Control And Provisioning of Wireless Access Points (CAPWAP) tunnel is set up between the two WLCs, allowing the client’s traffic to travel from its new WLC (foreign controller) to the original WLC (anchor controller). This enables the client to keep its IP address.
91. Which of the following forms of authentication is used by Cisco's Network Device API?
- API Key
- Basic Authentication
- JSON Web Token
- Digital Certificate
Correct answer: API Key
The Network Device Application Programming Interface (API) accepts GET requests to retrieve a list of devices currently managed by the Cisco DNA Center controller. To authenticate, pass the API key by specifying the X-Auth-Token header.
Basic authentication, JavaScript Object Notation (JSON) Web Token, and digital certificates are all valid authentication forms but are not used by this API.
92. Which of the following algorithms are keying options for MACsec? (Choose two.)
- SAP
- MKA
- SXP
- MAB
Correct answers: SAP, MKA
MACsec offers two keying mechanisms:
- Security Association Protocol (SAP): Cisco-proprietary protocol that only works with Cisco switches.
- MACsec Key Agreement (MKA) Protocol: Manages session keys and required encryption keys. Allows encryption between endpoints and switches as well as between switches.
Cisco’s SGT Exchange Protocol (SXP) is a peer-to-peer protocol for sending IP-to-SGT mappings from a “speaker” to a “listener” over one or more hops.
Media Access Control (MAC) Authentication Bypass (MAB) is an authentication algorithm.
93. Which of the following can be measured using IP SLA? (Choose four.)
- Website download time
- Delay
- Connectivity
- Packet loss
- Network bandwidth
Correct answers: Website download time, Delay, Connectivity, Packet loss
IP SLA can be used to measure website download time, delay, connectivity, and packet loss.
It doesn't provide a means of measuring network bandwidth.
94. Which of the following WebAuth LWA modes is closest to CWA?
- LWA with remote database
- LWA with local database on WLC
- LWA with post-auth external redirect
- LWA with local redirect and external redirect
- LWA with passthrough
Correct answer: LWA with remote database
WebAuth can be set up on a Wireless Local Area Network (LAN) Controller (WLC) via Local Web Authentication (LWA). Potential configuration modes include:
- LWA with a local database on the WLC
- LWA with remote database hosted on a Remote Authentication Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP) server. This is the most logical choice with multiple WLCs and a single database. Central Web Authentication (CWA) hosts both the database and the WebAuth page on a single central server accessed by several WLCs.
- LWA with a post-authentication external redirect
- LWA with a local database on the WLC and an external splash page redirect
- LWA with passthrough, which requires user acknowledgment
95. Which of the following is the correct command to assign an IP address on an interface for a VRF?
- ip address ip-address subnet-mask
- vrf address ip-address subnet mask
- vrf address ipv4 ip-address subnet-mask
- address ipv4 ip-address subnet-mask
- address ipv6 ip-address subnet-mask
Correct answer: ip address ip-address subnet-mask
The command "ip address ip-address subnet-mask" assigns an Internet Protocol version 4 (IPv4) address to an interface for Virtual Routing and Forwarding (VRF).
Alternatively, IPv6 addresses can be assigned with "ipv6 address ipv6-address/prefix-length".
The other commands are fabricated.
96. AES is the preferred algorithm option for which of the following IPsec protocols?
- ESP
- IKE
- ISAKMP
- AH
- IKEv2
Correct answer: ESP
Internet Protocol Security (IPSec) is a set of protocols used for creating Virtual Private Networks (VPNs). Some key elements include:
- Authentication Header (AH): The AH protects against replay attacks and ensures data integrity and peer authentication using digital signatures. It doesn’t provide data confidentiality via encryption. It has a protocol number of 51.
- Encapsulating Security Payload (ESP): ESP provides data integrity, confidentiality, peer authentication, and replay protection. It has a protocol number of 50 and can carry packets either in tunnel mode (old packet’s headers are encrypted and new IPsec headers are added) or transport mode (only the original packet payload is encrypted). The Advanced Encryption Standard (AES) is the preferred algorithm for data encryption.
- Internet Key Exchange (IKE): IKE performs mutual authentication and allows the creation of Security Associations (SAs), which are tunnels that carry data and control plane traffic for IPsec. Internet Key Exchange version two (IKEv2) is the modern version of the protocol, which is more efficient, supports asymmetric authentication, and offers improved protocols and cryptographic algorithms.
IKE is a specific implementation of the Internet Security Association and Key Management Protocol (ISAKMP).
97. Which of the following BEST describes a protocol that offers load balancing across multiple different routers called Active Virtual Forwarders (AVFs)?
- GLBP
- FHRP
- VRRP
- HSRP
Correct answer: GLBP
First-Hop Redundancy Protocols (FHRP) help ensure network resiliency by creating a Virtual Internet Protocol (VIP) gateway linked to multiple physical gateways. If a gateway goes down, then the device’s traffic will be sent via another gateway. The three main FHRPs include:
- Hot Standby Router Protocol (HSRP): A protocol developed by Cisco that creates a virtual IP and Media Access Control (MAC) address usually held by the active router. If the active router fails, a standby router takes over these addresses and acts as the gateway.
- Virtual Router Redundancy Protocol (VRRP): Industry standard protocol that operates similarly to HSRP but names the routers “master” and “backup”. This protocol allows preemption by default and uses a particular MAC address structure for the VIP gateway.
- Gateway Load Balancing Protocol (GLBP): Offers both redundancy and load balancing. The network has up to four Active Virtual Forwarders (AVFs) responsible for forwarding traffic for their assigned hosts and a single Active Virtual Gateway (AVG) that responds to Address Resolution Protocol (ARP) requests with the virtual MAC of the assigned AVF. Failure of the AVG or an AVF causes another system to take over its role.
98. How many bytes does MACsec add to a packet header?
- 32
- 16
- 8
- 1
- 2
Correct answer: 32
Media Access Control security (MACsec) includes a 16-byte MACsec Security Tag field and a 16-byte Integrity Check Value field. In total, it adds 32 bytes to the packet header.
The other answers are incorrect numbers.
99. Which of the following are benefits of SD-WAN? (Choose two.)
- Centralize device configuration and management
- Provide seamless connectivity to public cloud
- Optimize user experience for on-prem applications
- Ensure optimal usage of a single transport medium
Correct answers: Centralize device configuration and management; Provide seamless connectivity to public cloud
Software-Defined Wide Area Network (SD-WAN) is designed to offer centralized device configuration and management, and simplifies expansion to the public cloud.
It optimizes the user experience for cloud applications and the usage of multiple different transport media.
100. Which of the following Wi-Fi bands has overlapping channels?
- 2.4 GHz
- 5 GHz
- 6 GHz
- 2 GHz
Correct answer: 2.4 GHz
Channels are numbered sections of a frequency band that can be used by different Wi-Fi networks in the same area. The 2.4 GHz band contains 14 channels, but adjacent (and even nearby) channels overlap: a Wi-Fi signal occupies 22 MHz of bandwidth, while the channel centers in the 2.4 GHz band are spaced only 5 MHz apart.
Channels in the 5 and 6 GHz bands are spaced 20 MHz apart, so they do not overlap.
2 GHz is not a Wi-Fi band.