Organizations that embrace Zero Trust initiatives ranging from business policies to technology infrastructure can reap business and security benefits. Which two domains should be covered under Zero Trust initiatives? (Choose two)
A. workload
B. work domain
C. workplace
D. workgroup
E. workspace
Explanation:
1. Workload (A)
Why?
Zero Trust for workloads ensures microsegmentation between applications/VMs (e.g., cloud, containers).
Example: Mutual TLS (mTLS) between microservices, even within the same data center.
2. Workspace (E)
Why?
Secures end-user access to apps/data (e.g., via SASE, conditional access).
Example: Enforcing MFA and device compliance for remote workers.
Why Other Options Are Incorrect?
B) Work domain: Not a standard Zero Trust term (likely a distractor).
C) Workplace: Focuses on physical office security, not a core Zero Trust domain.
D) Workgroup: Legacy IT concept (e.g., Windows AD groups), irrelevant to Zero Trust.
Reference:
NIST SP 800-207 (Zero Trust Architecture): Defines workload and workspace as key pillars.
Cisco Zero Trust Model: Aligns with SASE for workspace security.
Company XYZ wants to deploy OSPF. The design plan requires that two OSPF networks be mutually redistributed at multiple locations and ensure end-to-end connectivity to all of the company's networks. Which technology can be used to fulfill the requirements while avoiding the creation of routing loops?
A. Create a virtual link between ASBRs.
B. Change the router ID for both ASBRs.
C. Redistribute routes as external type 2 routes.
D. Use route maps on ASBRs to filter routes with tags so they are not redistributed.
Explanation:
Why Route Maps with Tags Prevent Routing Loops?
Problem:
Mutual redistribution between two OSPF domains can cause routing loops if routes are re-advertised back into their original domain.
Example: A route from OSPF Area 1 redistributed into OSPF Area 2 might leak back into Area 1 via another ASBR.
Solution:
Tag routes during redistribution (e.g., tag=100 for Area 1 routes, tag=200 for Area 2 routes), and at every ASBR deny routes that already carry the tag of the domain they would be redistributed back into.
Why Other Options Fail?
A) Virtual links: Used for Area 0 connectivity, not redistribution.
B) Changing Router IDs: Doesn’t affect route propagation.
C) External Type 2 routes: Influences metric calculation but doesn’t prevent loops.
Reference:
Cisco OSPF Configuration Guide: Recommends route tags for safe redistribution.
RFC 2328 (OSPFv2): Standard for loop prevention.
You are designing a network running both IPv4 and IPv6 to deploy QoS. Which consideration is correct about the QoS for IPv4 and IPv6?
A. IPv4 and IPv6 traffic types can use queuing mechanisms such as LLQ, PQ, and CQ.
B. IPv6 packet classification is only available with process switching, whereas IPv4 packet classification is available with both process switching and CEF.
C. IPv6 and IPv4 traffic types can use a single QoS policy to match both protocols.
D. Different congestion management mechanisms need to be used for IPv4 and IPv6 traffic types.
Explanation:
Why Option A is Correct?
Queuing Mechanisms Are Protocol-Agnostic:
QoS queuing mechanisms like LLQ (Low Latency Queuing), PQ (Priority Queuing), and CQ (Custom Queuing) operate at Layer 3 and above, independent of IPv4/IPv6.
They prioritize traffic based on DSCP (IPv4/IPv6), ToS, or other markings, not the IP version.
Example:
VoIP traffic (marked with DSCP EF) gets priority in LLQ, whether it’s IPv4 or IPv6.
Why Other Options Are Incorrect?
B) IPv6 classification works with CEF (Cisco Express Forwarding), not just process switching.
C) While some QoS policies can match both (e.g., DSCP), IPv4 and IPv6 often require separate class-maps due to different header structures.
D) Congestion management (e.g., WRED, queuing) is not protocol-dependent.
Reference:
Cisco QoS for IPv6 Deployment Guide: Confirms LLQ/PQ/CQ compatibility.
RFC 6437 (IPv6 Flow Label): Notes QoS parity with IPv4.
Which two mechanisms avoid suboptimal routing in a network with dynamic mutual redistribution between multiple OSPFv2 and EIGRP boundaries? (Choose two.)
A. AD manipulation
B. Matching OSPF external routes
C. Route tagging
D. Route filtering
E. Matching EIGRP process ID
Explanation:
1. AD Manipulation (A)
Why?
Administrative Distance (AD) determines route preference when the same prefix is learned via multiple protocols.
Example: Lower EIGRP’s AD for redistributed routes to prevent OSPF from overriding them (or vice versa).
2. Route Tagging (C)
Why?
Tags (e.g., OSPF route tags) block redistributed routes from re-entering their original domain.
Example: Tag OSPF-external routes during redistribution into EIGRP, then filter tagged routes at other redistribution points.
Why Other Options Are Less Effective?
B) Matching OSPF external routes: Helps identify routes but doesn’t prevent suboptimal paths.
D) Route filtering: Useful but static—doesn’t dynamically handle route feedback.
E) Matching EIGRP process ID: Irrelevant to OSPF redistribution.
Reference:
Cisco OSPF/EIGRP Redistribution Guide: Recommends AD + tagging for loop prevention.
RFC 2328 (OSPF): Route tags for redistribution control.
Which two statements explain the operation of BFD asynchronous mode? (Choose two.)
A. BFD asynchronous mode with echo packets combines the control packets and echo packets into a single packet.
B. BFD asynchronous mode without echo packets uses control packets, and BFD asynchronous mode with echo packets does not.
C. BFD asynchronous mode with and without echo packets use control packets.
D. BFD asynchronous without echo packets has control packets sent back to the originating router, which echoes the control packet to detect failures.
E. BFD asynchronous mode with echo packets uses separate control packets and echo packets.
Explanation:
1. BFD Asynchronous Mode Basics
Control Packets: Always used in asynchronous mode to detect failures via bidirectional hello exchanges.
Echo Packets: Optional addition for faster failure detection (local loopback test).
Key Statements:
C) Correct
With or without echo packets, BFD asynchronous mode always uses control packets for neighbor liveness checks.
E) Correct
When echo packets are enabled, they are separate from control packets (sent as unicast loopback probes).
Why Other Options Are Wrong?
A) Echo and control packets are never combined into one.
B) Incorrect—echo packets supplement (don’t replace) control packets.
D) Echo packets are locally looped back, not sent to the peer.
Reference:
RFC 5880 (BFD): Defines asynchronous mode and echo packets.
Cisco BFD Configuration Guide: Clarifies echo/control packet roles.
During a pre-sales meeting with a potential customer, the customer CTO asks a question about advantages of controller-based networks versus a traditional network. What are two advantages to mention? (Choose two)
A. Per device forwarding tables
B. Programmatic APIs available per device
C. Abstraction of individual network devices
D. Distributed control plane
E. Consistent device configuration
Explanation:
1. Abstraction of Individual Network Devices (C)
Why?
Controller-based networks hide device-level complexity (e.g., CLI, protocols) behind a centralized controller.
Operators manage policies/intent (e.g., "Prioritize VoIP") rather than per-device commands.
Example: Cisco DNA Center abstracts VLAN/security policies across switches.
2. Consistent Device Configuration (E)
Why?
Controllers enforce uniform configurations (e.g., QoS, security) across all devices.
Eliminates human errors from manual CLI updates.
Example: Zero-touch provisioning ensures all branch routers get identical base configs.
Why Other Options Are Less Relevant?
A) Per-device forwarding tables: Traditional networks also use this (e.g., FIB on routers).
B) Programmatic APIs per device: Controllers centralize APIs, avoiding per-device scripts.
D) Distributed control plane: A traditional network trait (e.g., OSPF/BGP on each router).
Reference:
Cisco Digital Network Architecture (DNA): Highlights abstraction/consistency.
ONF SDN Principles: Contrasts centralized vs. distributed control.
You have been tasked with designing a data center interconnect to provide business continuity. You want to encrypt the traffic over the DCI using IEEE 802.1AE MACsec to prevent the deployment of any firewall or IPS. Which two interconnect technologies support MACsec? (Choose two.)
A. EoMPLS
B. MPLS Layer 3 VPN
C. DMVPN
D. GET VPN
E. KVPLS
Explanation:
Why EoMPLS and KVPLS Support MACsec?
EoMPLS (A)
Extends Layer 2 Ethernet over MPLS.
MACsec (IEEE 802.1AE) encrypts Ethernet frames at Layer 2, making it ideal for EoMPLS.
KVPLS (E)
A VPLS flavor (Kompella-style) that also transports Ethernet frames.
MACsec can secure these frames end-to-end.
Why Other Options Don’t Support MACsec?
B) MPLS L3 VPN: Encrypts at Layer 3 (IPsec), not Layer 2 (MACsec).
C) DMVPN: Uses IPsec (Layer 3), not MACsec.
D) GET VPN: Also relies on IPsec (Group Encrypted Transport).
Reference:
IEEE 802.1AE (MACsec): Standard for Ethernet encryption.
Cisco DCI Encryption Guide: Recommends MACsec for EoMPLS/VPLS.
Company XYZ is running OSPF in their network. They have merged with another company that is running EIGRP as the routing protocol. Company XYZ now needs the two domains to talk to each other with redundancy, while maintaining a loop-free environment. The solution must scale when new networks are added into the network in the near future. Which technology can be used to meet these requirements?
A. multipoint route-redistribution with route filtering using ACLs
B. DUMP multipoint route-redistribution with route filtering using route tags
C. DUMP multipoint route-redistribution with route filtering using route tags
D. DUMPS single point route-redistribution with route filtering using ACLs
Explanation:
Why Multipoint Redistribution with Route Tags?
Requirements Met:
Redundancy: Multiple redistribution points (ASBRs) between OSPF and EIGRP.
Loop Prevention: Route tags block re-advertised routes from re-entering their original domain.
Scalability: Tags dynamically handle new networks without manual ACL updates.
How It Works:
Tag routes during redistribution (e.g., tag OSPF routes as "100" when sent to EIGRP, and EIGRP routes as "200" when sent to OSPF), then at every ASBR deny routes that already carry the tag of the domain they would be redistributed back into.
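The tag-and-filter mechanism described here (and in the OSPF-to-OSPF and OSPF/EIGRP redistribution questions above), as an added Python model that is not part of the original page: each direction's route-map denies routes already carrying the other domain's tag and sets its own tag on everything else. The prefixes, the tag values 100/200 and the two-domain topology are constructed, and metrics and administrative distance are ignored.

```python
from dataclasses import dataclass

# Tag values from the explanation: OSPF-origin routes carry 100, EIGRP-origin routes 200.
TAG_OSPF, TAG_EIGRP = 100, 200

@dataclass(frozen=True)
class Route:
    prefix: str
    origin: str   # domain the prefix is native to; never changes
    domain: str   # domain whose table currently holds this copy
    tag: int      # 0 means native (never redistributed)
    hops: int     # number of redistribution steps this copy has taken

def redistribute(route, into, set_tag, deny_tag, use_tags):
    """One ASBR exporting `route` into domain `into`, modelling the route-map
    'deny if tag == deny_tag' followed by 'permit, set tag set_tag'.
    Returns the exported copy, or None when the route-map filters it."""
    if use_tags and route.tag == deny_tag:
        return None   # came from `into` originally: do not send it back
    return Route(route.prefix, route.origin, into, set_tag if use_tags else 0, route.hops + 1)

def run_mutual_redistribution(native_routes, rounds, use_tags):
    """Mutual redistribution between OSPF and EIGRP at redundant ASBRs.
    Only which prefixes end up in which domain is tracked (constructed model)."""
    tables = {"OSPF": set(), "EIGRP": set()}
    for r in native_routes:
        tables[r.domain].add(r)
    # source domain -> (target domain, tag to set, tag to deny)
    policy = {"OSPF": ("EIGRP", TAG_OSPF, TAG_EIGRP),
              "EIGRP": ("OSPF", TAG_EIGRP, TAG_OSPF)}
    for _ in range(rounds):
        for src, (dst, set_tag, deny_tag) in policy.items():
            for r in list(tables[src]):
                exported = redistribute(r, dst, set_tag, deny_tag, use_tags)
                if exported is not None:
                    tables[dst].add(exported)
    return tables

def feedback_prefixes(tables):
    """Prefixes that re-entered their own origin domain as redistributed routes (the loop)."""
    return {r.prefix for routes in tables.values() for r in routes
            if r.hops > 0 and r.domain == r.origin}

# Constructed topology: one native prefix per domain.
NATIVE = [Route("10.1.0.0/16", "OSPF", "OSPF", 0, 0),
          Route("10.2.0.0/16", "EIGRP", "EIGRP", 0, 0)]

if __name__ == "__main__":
    for use_tags in (False, True):
        tables = run_mutual_redistribution(NATIVE, rounds=2, use_tags=use_tags)
        print("tags" if use_tags else "no tags", "-> feedback:", sorted(feedback_prefixes(tables)))
```

Without tags the untagged copy of 10.1.0.0/16 in EIGRP is exported straight back into OSPF by the second redistribution point; with tags the deny clause stops it.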
Why Other Options Fail?
A/C/D) ACL-based filtering:
Static and non-scalable—requires manual updates for new networks.
Single-point redistribution lacks redundancy.
"DUM" Typos: Likely meant to describe dual/mutual redistribution best practices.
Reference:
Cisco OSPF/EIGRP Redistribution Guide: Recommends route tags for loop-free designs.
RFC 2328 (OSPF): Route tagging standards.
SDN emerged as a technology trend that attracted many industries to move from traditional networks to SDN. Which challenge is solved by SDN for cloud service providers?
A. Need for intelligent traffic monitoring
B. Exponential growth of resource-intensive applications
C. Complex and distributed management flow
D. Higher operating expense and capital expenditure
Explanation:
Why SDN Solves Management Complexity for Cloud Providers?
Centralized Control
SDN decouples the control plane (e.g., OpenFlow, Cisco ACI) from data forwarding, replacing distributed protocols (OSPF, BGP) with a single management point.
Example: A cloud provider can program VXLAN tunnels across switches via an SDN controller, avoiding manual VLAN/VRF configurations.
Automation & Orchestration
SDN enables API-driven automation (e.g., Kubernetes + OpenStack integration) to:
Spin up/down virtual networks on-demand.
Enforce security policies globally.
Eliminates per-device CLI management.
Cloud-Specific Benefits
Multi-tenancy: Isolate customer networks programmatically.
Elastic scaling: Dynamically adjust bandwidth/paths for workloads.
Why Other Options Are Secondary?
A) Traffic monitoring: SDN helps (via NetFlow/sFlow), but not the primary driver.
B) Resource-intensive apps: Handled by compute/storage scaling, not purely SDN.
D) OpEx/CapEx: SDN reduces costs, but solving management complexity is the core value.
Reference:
ONF SDN for Cloud Providers: Highlights centralized management.
Cisco ACI/OpenDaylight Case Studies: Show 60% faster provisioning.
Which extensions to GRE tunneling provide session tracking and in-order packet delivery in exchange for additional state stored in tunnel endpoints?
A. GRE Protocol Type and Checksum extension fields.
B. GRE Version and Reserved0 extension fields.
C. No extension fields are available in the GRE header to track session data and packet sequences.
D. GRE Key and Sequence number extensions.
Explanation:
Why GRE Key and Sequence Number Extensions?
Session Tracking (Key Field)
The GRE Key field (32-bit) identifies unique sessions/tunnels between endpoints.
Example: Multiplexing multiple flows over a single GRE tunnel (e.g., DMVPN).
In-Order Delivery (Sequence Number Field)
The GRE Sequence Number field (32-bit) ensures packets are delivered in sequence.
Used for stateful tracking (e.g., Cisco WAAS, VoIP over GRE).
State Storage Trade-off
Tunnel endpoints store sequence states, adding overhead but enabling reliability.
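As an added example that is not from the original page, the following Python parses the GRE header per RFC 2784/2890, extracts the Key and Sequence Number fields when the K and S flag bits are set, and keeps the per-key receiver state that in-order delivery requires. The test traffic is constructed, and the drop rule for stale or duplicate packets is a simplification that ignores sequence wraparound.

```python
import struct

# Flag bits in the first GRE header word (RFC 2784 / RFC 2890): Checksum, Key, Sequence present.
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000

def parse_gre(packet):
    """Parse a GRE header; return (fields, payload). Raises ValueError if truncated."""
    if len(packet) < 4:
        raise ValueError("truncated GRE base header")
    flags, proto = struct.unpack("!HH", packet[:4])
    need = 4 + 4 * bool(flags & GRE_C) + 4 * bool(flags & GRE_K) + 4 * bool(flags & GRE_S)
    if len(packet) < need:
        raise ValueError("truncated GRE optional fields")
    fields = {"version": flags & 0x7, "protocol": proto, "checksum": None, "key": None, "sequence": None}
    off = 4
    if flags & GRE_C:            # Checksum (16 bits) followed by Reserved1 (16 bits)
        fields["checksum"] = struct.unpack("!H", packet[off:off + 2])[0]
        off += 4
    if flags & GRE_K:            # Key: identifies the session/flow inside the tunnel
        fields["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_S:            # Sequence Number: enables in-order delivery
        fields["sequence"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    return fields, packet[off:]

def build_gre(proto, payload, key=None, seq=None):
    """Build a GRE packet (no checksum) for constructed test traffic."""
    flags, opt = 0, b""
    if key is not None:
        flags, opt = flags | GRE_K, opt + struct.pack("!I", key)
    if seq is not None:
        flags, opt = flags | GRE_S, opt + struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + opt + payload

def deliver(packets):
    """Receiver side: demultiplex by Key and enforce in-order delivery per Key.
    last_seq is the extra endpoint state the question refers to; packets whose
    sequence is not beyond the last accepted one (duplicates, late arrivals) are dropped."""
    last_seq, accepted = {}, []
    for pkt in packets:
        f, _payload = parse_gre(pkt)
        key, seq = f["key"], f["sequence"]
        if seq is not None and key in last_seq and seq <= last_seq[key]:
            continue
        if seq is not None:
            last_seq[key] = seq
        accepted.append((key, seq))
    return accepted
```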
Why Other Options Are Incorrect?
A) Protocol Type/Checksum:
Protocol Type specifies payload (e.g., IPv4/IPv6).
Checksum verifies header integrity (no session tracking).
B) Version/Reserved0:
Version indicates GRE header format (e.g., GRE RFC 2784 vs. 2890).
Reserved0 is unused.
C) "No extensions": False—GRE RFC 2890 defines Key/Sequence extensions.
Reference:
RFC 2890 (GRE Extensions): Defines Key/Sequence fields.
Cisco DMVPN Design Guide: Uses GRE Key for NHRP session tracking.
In search of a system capable of hosting, monitoring, compiling, and testing code in an automated way, what can be recommended to the organization?
A. Jenkins
B. Ansible
C. Perl
D. Chef
Explanation:
Why Jenkins?
Hosting, Monitoring, Compiling, and Testing Code
Jenkins is a continuous integration/continuous delivery (CI/CD) tool designed to:
Host code repositories (integrates with Git, SVN, etc.).
Monitor builds and tests in real-time (dashboard with logs/analytics).
Compile code (via plugins for Java, Python, etc.).
Automate testing (unit, integration, regression tests).
Automation Capabilities
Pipeline-as-Code: Define workflows (build → test → deploy) in Jenkinsfiles.
Extensible Plugins: 1,500+ plugins for tools like Maven, Docker, JUnit.
Why Not Other Options?
B) Ansible / D) Chef: Configuration management tools (not CI/CD).
C) Perl: A scripting language (no built-in CI/CD features).
Reference:
Jenkins Official Docs: CI/CD automation use cases.
Gartner CI/CD Magic Quadrant: Jenkins as a leader.
Which architecture does not require an explicit multicast signaling protocol, such as PIM or P2MP, to signal the multicast state hop-by-hop, but instead uses a link state protocol to advertise the multicast forwarding state?
A. Binary indexed explicit routing
B. Binary intermediate enhanced routing
C. Bit indexed explicit replication
D. Bi-directional implicit replication
Explanation:
Why BIER?
No Traditional Multicast Signaling (PIM/P2MP)
BIER eliminates the need for protocols like PIM by encoding multicast paths in bitstrings within packet headers.
Routers use link-state protocols (IS-IS/OSPF extensions) to advertise topology, not multicast state.
How It Works:
Bitstring: Each bit represents a router in the network. A "1" means "forward to this node."
Link-State Advertisements (LSAs): Routers share BIER-specific info (e.g., BFR-ID, subdomain) via IS-IS/OSPF.
No per-flow state: Unlike PIM, BIER routers don’t store (S,G) or (*,G) entries.
Why Other Options Are Incorrect?
A/B/D) These are fictional terms (likely distractors).
Reference:
RFC 8279 (BIER Architecture): Standard for stateless multicast.
Cisco BIER White Paper: Contrasts BIER with PIM.