A software-defined network exposes an API to the RIB and forwarding engine, allowing off-box control of routing—what SDN model is used?
A. Replace
B. Augmented
C. Hybrid
D. Distributed
Explanation:
Why the "Replace" Model?
Full Control-Plane Centralization
The Replace SDN model removes the traditional distributed control plane (e.g., OSPF, BGP) and replaces it with centralized software control.
The SDN controller directly programs the RIB (Routing Information Base) and forwarding engine via APIs (e.g., OpenFlow).
Key Traits of the Scenario:
Off-box control: Routing decisions are made externally (SDN controller), not by individual routers.
API exposure: The RIB/forwarding engine is manipulated programmatically (northbound APIs).
No reliance on legacy protocols: The network does not use distributed routing protocols.
Why Not Other Models?
B) Augmented: Keeps traditional routing protocols but enhances them with SDN (e.g., PCE for traffic engineering).
C) Hybrid: Combines centralized SDN control with distributed protocols (e.g., some devices run OSPF while others use OpenFlow).
D) Distributed: Traditional networking (no SDN)—routing decisions are made locally on each device.
Reference:
ONF (Open Networking Foundation) SDN Architecture: Defines the Replace model for full control-plane centralization.
RFC 7426 (SDN Taxonomy): Clarifies hybrid vs. replace models.
A business requirement stating that failure of WAN access for dual circuits into an MPLS provider for a Data Centre cannot happen due to related service credits that would need to be paid has led to diversely routed circuits to different points of presence on the provider’s network. What should a network designer also consider as part of the requirement?
A. Provision of an additional MPLS provider
B. Out of band access to the MPLS routers
C. Ensuring all related remote branches are dual-homed to the MPLS network
D. Dual PSUs & Supervisors on each MPLS router
Explanation:
Why Dual PSUs & Supervisors?
Business Requirement:
The primary goal is to avoid WAN access failure (to prevent service credits).
Diversely routed circuits already address external path redundancy, but internal device failures (e.g., power supply, supervisor engine) could still disrupt connectivity.
Key Consideration:
Dual Power Supplies (PSUs): Prevent outages due to power failures.
Dual Supervisor Engines: Ensure redundancy if the primary supervisor fails.
This complements the diversely routed circuits by eliminating single points of failure within the routers themselves.
Why the Other Options Are Less Critical
A) Additional MPLS Provider: Overkill—diverse PoPs already mitigate provider-side risks.
B) Out-of-Band (OOB) Access: Useful for management but doesn’t prevent traffic loss.
C) Dual-Homed Branches: Focuses on remote sites, not the Data Center’s own redundancy.
Reference:
Cisco High Availability Design Guide: Recommends dual PSUs/supervisors for critical nodes.
ITU-T G.8031 (Ethernet Protection Switching): Aligns with hardware redundancy principles.
An enterprise network has two core routers that connect to 200 distribution routers and uses full-mesh IBGP peering between these routers as its routing method. The distribution routers are experiencing high CPU utilization due to the BGP process. Which design solution is the most cost effective?
A. Implement route reflectors on the two core routers
B. Increase the memory on the core routers
C. Implement eBGP between the core and distribution routers
D. Increase the memory on the distribution routers
E. Increase bandwidth between the core routers
Explanation:
Why Route Reflectors (RRs)?
Problem:
Full-mesh IBGP among 200+ routers requires n(n-1)/2 = 19,900 peerings, causing high CPU/memory usage.
Distribution routers are overwhelmed by BGP update processing.
Solution:
Route Reflectors (RRs) reduce peerings to O(n) complexity:
Core routers act as RRs.
Distribution routers peer only with RRs, not each other.
Cost-Effective: No hardware upgrades needed—just BGP configuration changes.
Why the Other Options Are Less Effective
B/D) Increasing memory: Doesn’t solve the scalability issue of full-mesh BGP.
C) eBGP: Requires AS renumbering and complicates policy control.
E) Bandwidth: Irrelevant—CPU is the bottleneck, not link capacity.
Reference:
RFC 4456 (BGP Route Reflection): Standard for RR design.
Cisco BGP Scalability Guide: Recommends RRs for >100 peers.
Which two actions must merchants do to be compliant with the Payment Card Industry Data Security Standard (PCI DSS)? (Choose two.)
A. Conduct risk analyses
B. Install firewalls
C. Use antivirus software
D. Establish monitoring policies
E. Establish risk management policies
Explanation:
Why These Are PCI DSS Requirements
B) Install Firewalls
PCI DSS Requirement 1: Mandates firewalls to isolate the cardholder data environment (CDE) from untrusted networks.
Example: Configure firewalls to restrict inbound/outbound traffic to only the necessary ports (e.g., HTTPS for payments).
C) Use Antivirus Software
PCI DSS Requirement 5: Requires anti-malware on all systems commonly affected by malware (especially those handling cardholder data).
Example: Deploy endpoint protection on POS systems and servers.
Why the Other Options Are Not Direct PCI DSS Mandates
A/D/E) Risk Analyses/Monitoring/Risk Management Policies:
Part of general security best practices but not explicit PCI DSS requirements for all merchants.
Required only for higher-tier merchants (e.g., those handling large volumes).
Reference:
PCI DSS v4.0: Requirements 1 (firewalls) and 5 (antivirus).
PCI SSC Official Site: Lists 12 core requirements for compliance.
A network security team observes phishing attacks on a user machine from a remote location. The organization has a policy of saving confidential data on two different systems using different types of authentication. What is the next step to control such events after the security team verifies all users in Zero Trust modeling?
A. Enforce risk-based and adaptive access policies.
B. Assess real-time security health of devices.
C. Apply a context-based network access control policy for users.
D. Ensure trustworthiness of devices.
Explanation:
Why Risk-Based & Adaptive Access Policies?
Phishing Attack Context:
Even with Zero Trust user verification, attackers can compromise credentials.
Risk-based policies dynamically adjust access based on:
User behavior anomalies (e.g., login from a new country).
Device security posture (e.g., missing patches).
PCI DSS Alignment (Confidential Data Protection):
Adaptive policies limit access to sensitive systems if risk is detected (e.g., block access to financial data post-phishing).
Why the Other Options Are Secondary
B) Device health checks: Part of Zero Trust but reactive—adaptive policies act proactively.
C) Context-based NAC: Too static—doesn’t address real-time risk scoring.
D) Device trustworthiness: Covered under risk assessment (Option A).
Reference:
NIST SP 800-207 (Zero Trust): Advocates risk-based access.
PCI DSS v4.0: Requires dynamic access controls for sensitive data.
A network design includes a long signaling delay in notifying the Layer 3 control plane that an interface has failed. Which two of these actions would reduce that delay? (Choose two.)
A. Increase network stability.
B. Reduce the time for the network to reconverge.
C. Increase the notification of interface flaps.
D. Enable lower data link layer recovery systems to have an opportunity to restore the interface.
Explanation:
1. Reduce Reconvergence Time (B)
Why?
Faster Layer 3 protocol timers (e.g., BGP keepalives, OSPF dead intervals) minimize delays in detecting failures and recalculating routes.
Example: Adjust OSPF timers to hello=1s, dead=3s for sub-second failure detection.
2. Enable Data Link Layer Recovery (D)
Why?
Lower-layer mechanisms (e.g., Ethernet OAM, BFD for L2) can detect and restore links before Layer 3 protocols react.
Example: BFD microsecond-level detection for LAG member failures.
Why the Other Options Are Incorrect
A) Increase stability: Generic and doesn’t address delay reduction.
C) Increase flap notifications: Counterproductive—flaps add instability without fixing root causes.
Reference:
RFC 5880 (BFD): Fast failure detection at L2/L3.
Cisco OSPF Optimization Guide: Recommends aggressive timers for critical networks.
Company XYZ branch offices connect to headquarters using two links, MPLS and Internet. The company wants to design traffic flow so voice traffic uses MPLS and all other traffic uses either link, avoiding process switching. Which technique can be used?
A. Policy-based routing
B. Virtual links
C. Visualization
D. Floating static route
Explanation:
Why Policy-Based Routing (PBR)?
Traffic Steering Requirements:
Voice traffic must use MPLS: PBR can override the routing table to force voice packets (e.g., DSCP EF) onto the MPLS link.
Other traffic uses either link: PBR can load-balance remaining traffic across MPLS/Internet.
Avoids Process Switching:
PBR is CEF-switched (hardware-accelerated) when configured properly, unlike process switching.
How PBR Works:
Match traffic (e.g., VoIP with ACL or DSCP).
Why the Other Options Fail
B) Virtual links: Used for OSPF connectivity, not traffic engineering.
C) Visualization: Irrelevant to routing decisions.
D) Floating static routes: Cannot selectively route voice vs. data.
Reference:
Cisco PBR Configuration Guide: Traffic classification/steering.
RFC 2474 (DSCP): Voice traffic marking (EF).
Various teams in different organizations within an enterprise are preparing low-level design documents using a Waterfall project model. Input from relevant stakeholders was captured at the start of the project, and the scope has been defined. What impact will it have if stakeholders ask for changes before documentation is complete?
A. This provides more opportunity to think outside the box.
B. Rework is expected before the delivery
C. Significant effort and time are required.
D. This provides a flexible approach to incorporate changes.
Explanation:
Why the Waterfall Model Struggles with Late Changes
Sequential Phases:
Waterfall follows rigid stages (requirements → design → implementation → testing).
Changes after the design phase force revisiting prior stages, causing:
Rework: Redesign documents, update dependencies.
Delays: Reapprovals, retesting.
Impact on Stakeholder Requests:
Unlike Agile, Waterfall lacks flexibility for mid-project changes.
Example: A new compliance requirement could invalidate completed designs, adding weeks of effort.
Why the Other Options Are Less Accurate
A) "Think outside the box": Waterfall discourages creativity post-requirements.
B) "Rework is expected": True but secondary—the core issue is time/cost impact.
D) "Flexible approach": Waterfall is inflexible by design.
Reference:
IEEE 1074 (SDLC): Waterfall’s linear constraints.
PMBOK 6th Ed.: Highlights change management challenges in predictive models.
Cost is often one of the motivators for a business to migrate from a traditional network to a software-defined network. Which design decision is directly influenced by CAPEX drivers?
A. Scalability
B. Stability
C. Complexity
D. Manageability
Explanation:
Why Scalability Is a CAPEX Driver in SDN
CAPEX Reduction via SDN:
Traditional Networks: Scaling requires expensive hardware upgrades (e.g., bigger routers, more licenses).
SDN: Scales programmatically (e.g., adding virtual switches/routers) with lower-cost commodity hardware.
Direct CAPEX Impact:
Example: A business can scale from 100 to 1,000 devices without buying dedicated ASICs—just deploy software controllers.
Why the Other Options Are Less Relevant
B) Stability: Primarily an OPEX concern (downtime costs).
C) Complexity: Increases initial CAPEX/OPEX but isn’t a direct cost driver.
D) Manageability: Reduces OPEX (labor costs), not CAPEX.
Reference:
Cisco SDN ROI Study: Shows 40% CAPEX savings via scalability.
IDC White Paper: SDN cuts hardware costs by 30–50%.
How can EIGRP topologies be designed to converge as fast as possible in the event of a point-to-point link failure?
A. Limit the query domain by use of distribute lists.
B. Build neighbor adjacencies in a triangulated fashion.
C. Build neighbor adjacencies in a squared fashion.
D. Limit the query domain by use of summarization.
E. Limit the query domain by use of default routes.
Explanation:
Why Summarization Speeds Up EIGRP Convergence
Query Domain Reduction:
EIGRP queries propagate to find alternate paths after a failure.
Route summarization (e.g., at distribution layers) stops queries at the summarization point, preventing them from flooding the entire network.
Example: Summarizing 10.1.0.0/16 at a router blocks queries for subnets like 10.1.1.0/24 from spreading further.
Faster Convergence:
Smaller query domains mean fewer routers participate in recomputation, reducing convergence time.
Why the Other Options Are Less Effective
A) Distribute lists: Filter routes but don’t limit query scope like summarization.
B/C) Triangulated/squared adjacencies: Topology design doesn’t directly impact query propagation.
E) Default routes: Hides specifics but doesn’t stop queries for known subnets.
Reference:
Cisco EIGRP Optimization Guide: Recommends summarization for fast convergence.
RFC 7868 (EIGRP): Query handling mechanics.
Which option is a fate-sharing characteristic with regard to network design?
A. A failure of a single element causes the entire service to fail
B. It protects the network against failures in the distribution layer
C. It acts as a stateful forwarding device
D. It provides data sequencing and acknowledgment mechanisms
Explanation:
Why Fate-Sharing Matches Option A
Definition of Fate-Sharing:
A design principle where components critical to a service share the same failure domain.
If one element fails, the entire dependent service fails (no partial functionality).
Example:
A single router handling all encrypted VPN tunnels. If it crashes, all VPN access is lost (no backup path).
Why the Other Options Are Incorrect
B) Describes redundancy (opposite of fate-sharing).
C) Stateful devices (e.g., firewalls) can failover (not fate-sharing).
D) TCP features, unrelated to failure domains.
Reference:
RFC 3439 (Internet Architecture): Defines fate-sharing.
Cisco SAFE Architecture: Contrasts fate-sharing with redundancy.
An enterprise solution team is analyzing multilayer architecture and multicontroller SDN solutions for multisite deployments. The analysis focuses on the ability to run tasks on any controller via a standardized interface. Which requirement addresses this ability on a multicontroller platform?
A. Deploy a root controller to gather a complete network-level view.
B. Use the East-West API to facilitate replication between controllers within a cluster.
C. Build direct physical connectivity between different controllers.
D. Use OpenFlow to implement and adapt new protocols.
Explanation:
Why East-West APIs Enable Task Distribution
Multicontroller Coordination:
East-West APIs allow SDN controllers in a cluster to sync state (e.g., network topology, flow rules) and distribute tasks.
Example: If Controller A fails, Controller B takes over its workloads seamlessly.
Standardized Interface Requirement:
APIs like OpenDaylight’s clustering RPCs or ONOS Gossip Protocol ensure controllers share a unified view, enabling any controller to execute tasks.
Why the Other Options Are Incorrect
A) Root controller: Centralizes control (opposite of distributed tasking).
C) Physical connectivity: Necessary but doesn’t standardize logical coordination.
D) OpenFlow: Manages switches, not inter-controller communication.
Reference:
OpenDaylight Clustering Guide: East-West APIs for state sync.
ONOS Distributed Architecture: Uses gossip protocols for task distribution.