Cisco CCNP Exam Questions

Page 7 of 25

121.

In YANG, which of the following node types is used to create subtrees?

  • Container

  • Leaf-list

  • Leaf

  • List

Correct answer: Container

The Yet Another Next Generation (YANG) data model language defines four types of nodes:

  • Leaf Node: Leaf nodes contain a single value of a particular type and have no children.
  • Leaf-List Node: Leaf-list nodes are sequences of leaf nodes with a single value of a particular type for each leaf node.
  • Container Node: Container nodes collect multiple related nodes into a subtree. Container nodes have child nodes but no value and contain an unlimited number of child nodes of any type.
  • List Node: List nodes hold a series of list entries, which act as records and are identified by their key leaves. A list node can have multiple keys and an unlimited number of child nodes of any type.

122.

Which of the following IPSLA probe types operate in only one direction? (Choose three.)

  • Jitter

  • Packet loss

  • Connectivity

  • Delay

Correct answers: Jitter, Packet loss, Connectivity

In IP Service Level Agreements (IP SLA), the jitter, packet loss, and connectivity probes are one-way (unidirectional) probes.

Delay can be measured either one-way or round-trip.

123.

Which of the following would be configured with the collect command in a Flexible NetFlow Flow Record? (Choose two.)

  • IP source mask

  • Counter bytes

  • Interface input

  • Flow sampler ID

  • IP ToS

Correct answers: IP source mask, Counter bytes

The collect command specifies non-key fields in a Flexible NetFlow Flow Record. Internet Protocol (IP) source mask and counter bytes are examples of non-key fields.

Interface input, flow sampler ID, and IP Type of Service (ToS) are key fields configured with the match command.

124.

Which of the following is a system that allows synchronization of router configuration and other data between redundant components on a router?

  • SSO

  • RP

  • RIB

  • FIB

Correct answer: SSO

Stateful Switchover (SSO) enables a router that has multiple Router Processors (RPs) to synchronize the router configuration, Layer 2 protocol state information, and line card operation from the active to the standby RP.

An RP is responsible for the routing table or Routing Information Base (RIB), control plane, and (in centralized forwarding architectures) the adjacency table and Forwarding Information Base (FIB).

125.

Which of the following is not a component of a Puppet module?

  • Recipe

  • Manifest

  • Templates

  • Files

Correct answer: Recipe

Recipes are the Chef equivalent of Puppet manifests.

Puppet modules include manifests, templates, and files.

126.

Cisco TrustSec is most related to which of the following secure domains of Cisco SAFE?

  • Segmentation

  • Compliance

  • Threat Defense

  • Secure Services

  • Security Intelligence

Correct answer: Segmentation

The Cisco Secure Architectural Framework (SAFE) includes several secure domains for protecting places in the network (PINs), including:

  • Segmentation: Manual network segmentation uses addresses, Virtual Local Area Networks (VLANs), and Access Control Lists (ACLs) to break the network into chunks. Cisco TrustSec uses identity-aware infrastructure to automatically perform software-defined segmentation and policy enforcement at scale.
  • Management: Organizations should centrally manage devices and systems via consistent policy deployment, patching, and workflow change management. Policies, objects, and alerts fall under this domain.
  • Security Intelligence: Security intelligence provides insight into new and emerging threats and supports rapid and accurate threat detection.
  • Compliance: Compliance with regulations such as Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA).
  • Threat Defense: Threat defense monitors various data sources (network traffic, file reputation, etc.) to identify potentially suspicious activity and assess its associated risk and potential impacts on the organization.
  • Secure Services: Secure services are designed to protect insecure services and include Virtual Private Networks (VPNs), access controls, and encryption.

127.

Which of the following Cisco wireless deployment models uses an EWC?

  • Controllerless

  • Centralized

  • Distributed

  • Cloud-Based

  • Autonomous

Correct answer: Controllerless

Cisco wireless Access Points (APs) are lightweight and require a Wireless Local Area Network (LAN) Controller (WLC) to operate, which they connect to via a pair of Control and Provisioning of Wireless Access Points (CAPWAP) tunnels.

Controllerless deployments integrate the WLC into an AP, which is called an Embedded Wireless Controller (EWC). These can be used in distributed deployments as well.

Controller-based wireless deployments have a standalone WLC that can be deployed under the following models:

  • Centralized: The WLC is placed in a centralized location, such as the network core, enabling it to support many APs. The WLC is likely near commonly used resources (Internet, data center, etc.) and enables centralized policy enforcement.
  • Distributed: Multiple WLCs are located alongside each switch in the access layer. This design makes sense for geographically distributed sites.
  • Cloud-Based: Similar to the centralized model, except the WLC is located in a public or private cloud, rather than on-premises.

Autonomous deployments use standalone APs.

128.

Which of the following is an acceptable place to transfer sensitive data within an HTTP request?

  • HTTP header

  • HTTP query

  • URL

  • HTTP parameter

Correct answer: HTTP header

Sensitive information included in a request to a RESTful Application Programming Interface (API) should be placed in the Hypertext Transfer Protocol (HTTP) header. This prevents it from being included in webserver logs.

HTTP query parameters are part of the URL, which may be logged by a webserver. This can result in sensitive data leakage.

129.

Which of the following types of hypervisors offers the greatest efficiency?

  • Type 1

  • Type 2

  • Type 3

  • Type 0

Correct answer: Type 1

A hypervisor is software that allows multiple Virtual Machines (VMs) to run on the same hardware. There are two types of hypervisors:

  • Type 1: A Type 1, bare-metal, or native hypervisor runs directly on the device hardware with no operating system, making it the more efficient type of hypervisor. Examples of Type 1 hypervisors include VMware vSphere, Citrix Hypervisor, and Red Hat Kernel-based Virtual Machine (KVM).
  • Type 2: Type 2 hypervisors are software that runs within a host operating system. VirtualBox and VMware Fusion are examples of Type 2 hypervisors, which are typically used by client machines.

There are no Type 0 or Type 3 hypervisors.

130.

An EEM applet's action list should begin with which of the following? (Choose two.)

  • enable

  • configure terminal

  • event manager session cli username username

  • tclsh config.tcl

Correct answers: enable, configure terminal

An Embedded Event Manager (EEM) applet's action list should start with the enable and configure terminal commands to switch the applet from exec mode (the default) to privileged exec mode, where configuration management is possible.

The event manager session cli username username command can be included to use AAA command authorization to prevent commands from failing.

tclsh config.tcl is a valid command if config.tcl exists, but it isn't necessary for EEM applets to function.

131.

Which of the following traffic policing algorithms states that all traffic exceeding the CIR is downgraded in priority?

  • Single-Rate, Two-Color

  • Single-Rate, Three-Color

  • Two-Rate, Two-Color

  • Two-Rate, Three-Color

Correct answer: Single-Rate, Two-Color

Cisco supports three types of traffic policing algorithms:

  • Single-Rate, Two-Color: Traffic has a single Committed Information Rate (CIR), and traffic exceeding that rate (using up all tokens in the bucket) is downgraded in priority.
  • Single-Rate, Three-Color: This is a two-bucket algorithm in which traffic for which there are no tokens available in the first bucket might use tokens in a second bucket designed to handle temporary bursts (which is filled using excess tokens from the first bucket). This traffic is usually marked down (but can be dropped), and any traffic beyond that is likely dropped (but can be marked down).
  • Two-Rate, Three-Color: Introduces a Peak Information Rate (PIR) in addition to the CIR, which defines the rate at which tokens are added to the second bucket. Otherwise, it operates similarly to Single-Rate, Three-Color.

Two-rate, two-color is not a traffic policing algorithm.

132.

Which of the following is true of virtual switching?

  • vSwitches are used by both VMs and containers

  • Traffic can flow directly between vSwitches without going over the physical network

  • Multiple vSwitches can share a pNIC

  • A device can only operate a single vSwitch

Correct answer: vSwitches are used by both VMs and containers

Virtual switching is when software emulates a physical Layer 2 switch, just as a Virtual Machine (VM) emulates a physical computer.

A virtual switch (vSwitch) allows communication between VMs and the outside world via the computer’s physical Network Interface Cards (pNICs). A computer can host multiple vSwitches, but a pNIC can only host one vSwitch, and all traffic between vSwitches needs to travel over the physical network (out one pNIC and in another).

133.

Which of the following is not one of the required capabilities of a Next-Generation Firewall (NGFW) according to Gartner?

  • Data Loss Prevention (DLP)

  • Intrusion Prevention System (IPS)

  • Application-Level Inspection

  • Threat Intelligence Integration

Correct answer: Data Loss Prevention (DLP)

Data loss prevention (DLP) is not a required Next-Generation Firewall (NGFW) capability.

Cisco NGFWs combine traditional firewall capabilities, such as packet filtering and stateful inspection, with advanced security features. These include the integrated Intrusion Prevention System (IPS), application-level inspection, and threat intelligence integration that are required for Gartner's definition of an NGFW.

134.

Which of the following APIs provides a list of devices managed by the Cisco DNA Center?

  • Network Device API

  • Token API

  • Authentication API

  • Fabric Device API

Correct answer: Network Device API

The Network Device Application Programming Interface (API) accepts GET requests to retrieve a list of devices currently managed by the Cisco DNA Center controller.

The Token and Authentication APIs handle authentication to the Cisco DNA Center and vManage respectively.

The Fabric API inventories fabric devices within vManage.

135.

Which of the following are tabs available under the General menu of Cisco's GUI for troubleshooting wireless clients? (Choose three.)

  • Client Properties

  • AP Properties

  • Security Information

  • Radioactive Trace

Correct answers: Client Properties, AP Properties, Security Information

Within the Cisco Embedded Wireless Controller on Catalyst Access Points GUI, the Client view's General tab contains several tabs, including:

  • Client Properties: Provides information on connected clients, including their Internet Protocol (IP) and Media Access Control (MAC) address, Access Point (AP) Basic Service Set ID (BSSID), transmit rate, etc.
  • AP Properties: Provides information on the AP’s wired MAC address, name, client’s association status, channel number, and 802.11 protocol in use.
  • Security Information: Identifies the security type in use (WPA2, etc.), encryption algorithm, authentication key management system, and session timeout.

Radioactive Trace is under the high-level Troubleshooting menu.

136.

Which of the following will send a map registration packet in Cisco’s Locator/ID Separation Protocol (LISP)?

  • ETR

  • ITR

  • PITR

  • PETR

  • MS

Correct answer: ETR

Cisco’s Locator/ID Separation Protocol (LISP) Egress Tunnel Routers (ETRs) send a map register message to the Map Server (MS) to register Endpoint Identifiers (EIDs).

Proxy ETRs (PETRs) don't register EIDs, and Ingress Tunnel Routers (ITRs) and Proxy ITRs (PITRs) request EIDs, not register them.

The MS is the recipient of the map registration packet, not the sender.

137.

Which of the following SNMP operations is used to send data from an SNMP agent to the SNMP manager?

  • trap

  • get-request

  • get-response

  • set-response

  • get-bulk-request

Correct answer: trap

The Simple Network Management Protocol (SNMP) trap operation sends data about an event from the SNMP agent to an SNMP manager.

Other SNMP operations are initiated by the SNMP manager. Requests are sent by the manager, and responses are sent back from the agent.

138.

Which of the following Cisco solutions protects against malware by blocking DNS requests to known malicious domains?

  • Cisco Umbrella

  • Cisco AMP

  • Cisco Talos

  • Cisco Secure Client

  • Cisco Secure Web Appliance

Correct answer: Cisco Umbrella

Endpoint security involves protecting devices against potential threats. Cisco offers many solutions and services designed to implement endpoint security in a campus environment, including:

  • Cisco Umbrella: Formerly OpenDNS, Cisco Umbrella blocks Domain Name System (DNS) requests for known malicious domains, preventing malware from being downloaded from or communicating with malicious sites.
  • Cisco Secure Client: Formerly Cisco AnyConnect Secure Mobility Client, this provides a Virtual Private Network (VPN) and can verify that an endpoint complies with corporate policies regarding the use of antivirus, antispyware, and firewall software before granting network access.
  • Cisco Talos: Talos is Cisco’s security research team that generates threat intelligence used by Cisco products.
  • Cisco Secure Malware Analytics: Formerly ThreatGrid, Cisco Secure Malware Analytics performs static and dynamic malware analysis within a sandboxed environment, comparing the sample to millions of others. It also performs behavioral analytics and uses threat intelligence to determine the purpose of the malware and its potential impacts.
  • Cisco Advanced Malware Protection (AMP): Cisco AMP provides malware protection throughout the attack lifecycle by identifying inbound malware using threat intelligence and Secure Malware Analytics, detecting active malware using file reputation and sandbox analysis, and performing retrospective analysis to identify malware that has slipped through the cracks. AMP connects to many other Cisco security solutions.
  • Cisco Secure Web Appliance: A web gateway that uses threat intelligence to block malware downloads and communication, visits to risky sites, data exfiltration, and other web-related threats.
  • Cisco Secure Email: Uses threat intelligence to block spam, forged emails, phishing attacks, malware, and data exfiltration via email.
  • Cisco Secure Intrusion Prevention System (IPS): Formerly FirePOWER NGIPS, this system monitors network traffic for potential attacks and blocks it. It also offers real-time contextual awareness, advanced threat protection and remediation, intelligent security automation, Application Visibility and Control (AVC), and URL filtering.

139.

Which of the following types of hypervisors has its own OS?

  • Type 1

  • Type 2

  • Type 0

  • Type A

  • Type B

Correct answer: Type 1

A hypervisor is software that allows multiple Virtual Machines (VMs) to run on the same hardware. There are two types of hypervisors:

  • Type 1: A Type 1, bare-metal, or native hypervisor runs directly on the device hardware with no Operating System (OS). Examples of Type 1 hypervisors include VMware vSphere, Citrix Hypervisor, and Red Hat Kernel-based Virtual Machine (KVM).
  • Type 2: Type 2 hypervisors are software that runs within a host operating system. VirtualBox and VMware Fusion are examples of Type 2 hypervisors, which are typically used by client machines.

Type 0, A, and B hypervisors do not exist.

140.

An organization is designing a wireless network for a company that has several different sites. Which of the following is the best deployment model for this approach if it's using lightweight APs (no EWC)?

  • Distributed

  • Centralized

  • Cloud-based

  • Controllerless

  • Autonomous

Correct answer: Distributed

Cisco wireless Access Points (APs) are lightweight and require a Wireless Local Area Network (LAN) Controller (WLC) to operate, which they connect to via a pair of Control and Provisioning of Wireless Access Points (CAPWAP) tunnels. Controller-based wireless deployments have a standalone WLC that can be deployed under the following models:

  • Centralized: The WLC is placed in a centralized location, such as the network core, enabling it to support many APs. The WLC is likely near commonly used resources (Internet, data center, etc.) and enables centralized policy enforcement.
  • Distributed: Multiple WLCs are located alongside each switch in the access layer. This design makes sense for geographically distributed sites.
  • Cloud-Based: Similar to the centralized model, but the WLC is located in a public or private cloud rather than on-premises.

Controllerless deployments integrate the WLC into an AP, which is called an Embedded Wireless Controller (EWC). These can be used in distributed deployments as well.

Autonomous deployments use standalone APs, not lightweight ones.