Cisco CCNP Exam Questions
101.
You make a request to an API using the command response = requests.get
It responds with the following JSON object.
{
  "name": "John",
  "age": "25",
  "pets": [
    "Spot",
    "Rover"
  ]
}
Which of the following commands would allow you to access the value "Spot"?
- response.json()["pets"][0]
- response.json()["pets"][1]
- response.json(){"pets"}[0]
- request.json()["pets"][0]
- request.json(){"pets"}[0]
Correct answer: response.json()["pets"][0]
The response from the Application Programming Interface (API) is stored in the response variable, and the .json() method parses its body as JavaScript Object Notation (JSON). Square brackets are used to index by key (so ["pets"] is correct), and the first position in the pets array is position 0.
102.
Which of the following OSPF packet types contain information from a router's Link-State Database (LSDB)? (Choose two.)
- DBD
- LSU
- Hello
- LSR
- Link-state ack
The Open Shortest Path First (OSPF) protocol includes five types of network packets:
- Hello: Hello packets are sent out regularly to discover new OSPF neighbors and ensure that adjacent neighbors are still online.
- Database Description (DBD or DDP): Packets exchanged when forming an OSPF adjacency that summarize the contents of a router’s Link State Database (LSDB).
- Link-State Request (LSR): A router can use this packet to request a database download from a neighbor if it thinks part of its LSDB is out of date.
- Link-State Update (LSU): Typically a response to an LSR, this contains LSDB updates sent over a network link.
- Link-State Ack: Acknowledgement flooded out in response to a flooded Link State Advertisement (LSA).
103.
Which of the following PAgP modes listens for messages to establish an EtherChannel adjacency but doesn't send them out?
- Auto
- Desirable
- Passive
- Active
Correct answer: Auto
The Port Aggregation Protocol (PAgP) is a Cisco-proprietary dynamic link aggregation protocol. It advertises using multicast Media Access Control (MAC) address 0100:0CCC:CCCC, uses the protocol code 0x0104, and has two modes:
- Auto: This interface doesn’t initiate EtherChannel establishment or send PAgP messages. If it receives a PAgP message, it responds and can form an adjacency. Two devices set to PAgP auto won’t form adjacencies.
- Desirable: Interface tries to establish EtherChannels and sends PAgP messages. Can form adjacency with auto or desirable interfaces.
Passive and active are Link Aggregation Control Protocol (LACP) modes.
104.
Which of the following sets of settings for the conform, exceed, and violate actions is considered best practice when first configuring CoPP for vital classes?
- transmit, transmit, transmit
- transmit, transmit, drop
- transmit, drop, drop
- drop, drop, drop
- transmit, drop, transmit
Correct answer: transmit, transmit, transmit
Policy maps for Control Plane Policing (CoPP) are defined using the police command and specifying the conform, exceed, and violate actions (transmit or drop). Often, it’s best to set everything to transmit at first for vital classes until baselines for normal traffic are established. Then, policies can be updated based on these baselines.
105.
Which of the following API security best practices protects against DoS attacks?
- Rate limiting
- Authentication and authorization
- HTTPS encryption
- Input validation
- Keeping APIs updated
Correct answer: Rate limiting
Some best practices for protecting RESTful Application Programming Interfaces (APIs) against attack include:
- Implementing Strong Authentication and Authorization: APIs can use JSON Web Tokens (JWTs), OAuth, API Keys, Basic Authentication, or other means. Authorization schemes include Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).
- Using HTTPS Encryption: HyperText Transfer Protocol Secure (HTTPS) encryption protects API requests and responses against eavesdropping and modification by an attacker.
- Rate Limiting and Throttling: Rate limiting and throttling protect against API abuse and Denial of Service (DoS) attacks by limiting the number of requests that a user can make.
- Input Validation: Input validation protects against injection attacks. Methods include input validation, data sanitization, and output encoding.
- Keeping APIs Updated: APIs may contain vulnerabilities that could be exploited by an attacker. Applying prompt updates helps to protect against this.
106.
Which of the following STP states allows a port to send/receive BPDUs but not forward traffic or change the MAC address table?
- Listening
- Blocking
- Learning
- Forward
- Broken
Correct answer: Listening
In 802.1D Spanning Tree Protocol (STP), a switch port can be in the following states:
- Disabled: Turned off.
- Blocking: Port is turned on but doesn’t forward traffic to protect against loops. Receives Bridge Protocol Data Units (BPDUs) but doesn’t send them or change the Media Access Control (MAC) address table.
- Listening: Next state after blocking where port can send and receive BPDUs but can’t forward network traffic or modify the MAC address table. Duration depends on STP forwarding time.
- Learning: Can modify the MAC address table based on received traffic but still can’t forward traffic. Duration depends on STP forwarding time.
- Forward: Port can now forward traffic and can perform any updates to MAC address table.
- Broken: Port has a configuration or operational issue and discards packets until this is corrected.
107.
Which of the following are planes defined within Cisco's SD-WAN solution? (Choose two.)
- Control
- Data
- Management
- Policy
Cisco’s Software-Defined Wide Area Network (SD-WAN) solution implements various planes, including the control and data planes. The control plane is implemented using vSmart, which is responsible for defining the network topology and advertising routes and data policies to SD-WAN edge devices. These SD-WAN edge devices make up the data plane and are responsible for forwarding traffic between locations via various media.
Cisco’s vManage Network Management System (NMS) and vBond orchestrator implement the management and orchestration planes respectively.
Policy isn't a plane in SD-WAN.
108.
Which of the following commands is used last when setting up a Flow Exporter in Flexible NetFlow?
- transport udp port
- export-protocol version
- destination ip-address
- description description
- flow exporter name
Correct answer: transport udp port
When setting up a Flow Exporter in Flexible NetFlow, take the following steps:
- Name the flow exporter (flow exporter name)
- Set a description (description description)
- Specify the destination to be used (destination ip-address)
- Specify the NetFlow version to export (export-protocol version)
- Specify the User Datagram Protocol (UDP) port to be used (transport udp port)
109.
Which of the following are planes defined in Cisco's SD-Access solution? (Choose three.)
- Control
- Data
- Policy
- Management
- Orchestration
SD-Access includes three different planes:
- Control Plane: Uses the Locator/ID Separation Protocol (LISP), which uses a central Map Server (MS) to track remote destination data, enabling routers to only manage local routes and ask the MS for remote routes.
- Data Plane: Uses Virtual Extensible Local Area Network (VXLAN) to encapsulate traffic and perform tunneling while preserving the original Ethernet packet header. This enables the protocol to support overlays at Layers 2 and 3 and work on Internet Protocol (IP)-based networks that incorporate network segmentation and group-based policy.
- Policy Plane: Uses Cisco TrustSec Scalable Group Tags (SGTs) to encode information about groups, and these tags are used to apply corporate policies.
Management and orchestration planes are part of Software-Defined Wide Area Network (SD-WAN), not SD-Access.
110.
Which of the following commands is used to associate a virtual router with a particular interface?
- vrf forwarding
- vrf definition
- address-family
- ip or ipv6
Correct answer: vrf forwarding
Virtual Routing and Forwarding (VRF) is:
- Initialized with the vrf definition vrf-name command.
- Set to Internet Protocol version four (IPv4) or IP version six (IPv6) with the address-family {ipv4|ipv6} command.
- Associated to a particular router interface with vrf forwarding vrf-name in that interface’s configuration submodule (entered using the interface interface-id command).
- Assigned an IP address using the ip address ip-address subnet-mask and/or ipv6 address ipv6-address/prefix-length commands in the interface’s configuration submodule.
111.
It's safe to use adjacent channels in which of the following Wi-Fi bands? (Choose two.)
- 5 GHz
- 6 GHz
- 2.4 GHz
- 4 GHz
Channels in the 5 and 6 GHz bands are spaced 20 MHz apart, making them non-overlapping and making it safe to use adjacent channels.
Channels are sections of a frequency band that are typically numbered and can be used for different Wi-Fi networks in the same area. The 2.4 GHz band contains 14 channels, but adjacent channels (or even nearby channels) may overlap. A Wi-Fi signal has a 22 MHz bandwidth, but the 2.4 GHz band has 5 MHz channel widths, creating overlap.
4 GHz is not a Wi-Fi band.
112.
Privilege escalation is a top threat in which of the following PINs according to Cisco SAFE?
- Data center
- Edge
- Branch
- Campus
- Cloud
Correct answer: Data center
The Cisco Secure Architectural Framework (SAFE) helps with security design for certain places in the network (PINs), including:
- Data Center: Data centers contain many servers and hold the organization's most valuable data, applications, and other IT resources. Data exfiltration, unauthorized network access, malware propagation, botnet infestation, reconnaissance, and privilege escalation are top threats.
- Branch: Branch locations often have weaker security than the headquarters and are at risk of endpoint malware, rogue Access Points (APs) for Man-in-the-Middle (MitM) and Denial of Service (DoS) attacks, trust exploitation, and malicious/unauthorized client activity.
- Campus: Campuses have many users and are prime targets for phishing, malware propagation, botnet infestations, unauthorized network access, and web-based attacks.
- Edge: Network edges are where traffic enters and leaves the Internet and are high-risk. Threats include data loss, Distributed DoS (DDoS) attacks, MitM attacks, and web application and server vulnerabilities.
- Cloud: Cloud security depends on service-level agreements and third-party audits of cloud providers. The top threats are web application and server vulnerabilities, data loss, malware, lost access, and MitM attacks.
- Wide Area Network (WAN): WANs link the various parts of the corporate network together. The top threats are unauthorized network access, malware propagation, MitM attacks, and WAN sniffing.
113.
Which of the following Python commands would be used to convert a string into a JSON object to access its fields? (Choose two.)
- import json
- json.loads
- json.get
- json.parse
The import json and json.loads commands are used to convert a string into a JavaScript Object Notation (JSON) object in Python. The first command makes JSON functionality accessible, and the second loads the string into JSON.
The other two commands are fabricated.
114.
Some routing algorithms have the ability to distribute traffic over multiple paths that are equally good. Which of the following best describes this?
- Equal-Cost Multipathing
- Equal-Path Load Balancing
- Equal-Cost Load Balancing
- Equivalent Multipathing
Correct answer: Equal-Cost Multipathing
Equal-Cost Multipathing (ECMP) allows multiple different routes to be included in a routing table if they are equally good. Traffic is load-balanced across all of these routes, increasing available bandwidth. Routing Information Protocol version two (RIPv2), Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) can all use ECMP.
The other options are fabricated terms.
115.
Which of the following should be the value of the Content-Type header when accessing the Cisco vManage Authentication API?
- application/x-www-form-urlencoded
- application/json
- text/plain
- application/xml
- multipart/form-data
Correct answer: application/x-www-form-urlencoded
Cisco vManage’s Authentication Application Programming Interface (API) takes POST requests with the application/x-www-form-urlencoded content type. The body includes the keys j_username and j_Password, with the values devnetuser and Cisco123! respectively. The response to a successful authentication will include a Java session ID (JSESSIONID), which is used to authenticate future requests.
The other answers are valid content types but incorrect.
116.
Which of the following is true of VRFs on a router?
- A router will have more routing tables than VRFs
- A router will have an equal number of VRFs and routing tables
- A router will always have a single routing table
- All VRFs share a single routing table
- A VRF may use multiple routing tables
Correct answer: A router will have more routing tables than VRFs
A router will have more routing tables than Virtual Routing and Forwarding (VRF) instances. This is because each VRF will have its own routing table, and a global routing table will exist for all traffic not flowing over a VRF.
117.
Which of the following ports is used by TACACS+?
- 49
- 1645
- 1646
- 1812
- 1813
Correct answer: 49
Terminal Access Controller Access-Control System Plus (TACACS+) uses Transmission Control Protocol (TCP) port 49.
Cisco's implementation of Remote Authentication Dial-In User Service (RADIUS) uses User Datagram Protocol (UDP) port 1645 for authentication and authorization and port 1646 for accounting. The industry standard uses ports 1812 and 1813 respectively.
118.
Different virtual routers created via VRF will have their own copies of all of the following, except:
- Global routing table
- Routing table
- Router interface
- Forwarding table
Correct answer: Global routing table
Virtual Routing and Forwarding (VRF) splits a single physical router into multiple virtual routers. Each virtual router has its own router interface, routing table, and forwarding table, keeping them isolated from one another. The router will also have a global routing table, which is the routing table for all traffic not assigned to a particular VRF.
119.
Which of the following are true of Area Border Routers (ABRs) in OSPF? (Choose three.)
- They must be connected to Area 0
- They are responsible for advertising routes across area boundaries
- They have multiple SPF trees
- They can only be connected to two areas
- They can't be the Designated Router (DR)
In the Open Shortest Path First (OSPF) protocol, Area Border Routers (ABRs) have an interface on Area 0 (backbone) and on at least one other area. They advertise routes across area boundaries. An ABR has a separate Shortest Path First (SPF) tree for each connected area.
They can be connected to more than two areas and can be the Designated Router (DR).
120.
Which of the following types of antennas consists of a thick cylinder with multiple antennas hidden inside running perpendicular to its length?
- Yagi-Uda
- Parabolic dish
- Dipole
- Patch
- Integrated
Correct answer: Yagi-Uda
Directional antennas focus the signal in a particular direction, making them a good fit for hallways or other long, thin spaces. Some common types include:
- Yagi-Uda is a type of antenna where multiple, parallel antennas are hidden in a thick cylinder (perpendicular to its length) and generate 10 to 14 dBi gain.
- Patch antennas have a flat, rectangular shape and create a gain of 6-8 dBi and 7-10 dBi in the 2.4 and 5 GHz ranges, respectively, in a particular direction.
- Parabolic dish antennas collect signal in the dish and focus it to an antenna at the center, offering gains of 20-30 dBi.
Omnidirectional antennas radiate signals equally in all directions around a cylindrical antenna. Types include:
- Dipole antennas are a common type of omnidirectional antenna, where an Access Point (AP) has two antennas that radiate signal and a gain of +2-5 dBi.
- Many routers have integrated antennas in which several antennas are hidden within a small case. They generally have a 2 dBi gain in the 2.4 GHz band and 5 dBi in the 5 GHz band.