What are two examples of components that are part of an SDN architecture? (Choose two.)
A. Software plane
B. Control plane
C. Application plane
D. Management plane
E. Network plane
Explanation:
1. Control Plane (B)
Role in SDN:
The control plane is centralized in SDN (e.g., OpenFlow controller, Cisco ACI APIC).
Makes forwarding decisions (e.g., flow rules) and programs the data plane.
2. Application Plane (C)
Role in SDN:
Hosts network applications (e.g., firewall, load balancer) that define policies via northbound APIs.
Example: A QoS app instructs the controller to prioritize VoIP traffic.
Why Other Options Are Incorrect?
A) Software plane: Not a standard SDN term.
D) Management plane: RFC 7426 does describe one, but it handles configuration, monitoring and analytics rather than the programmatic control loop that defines SDN (application plane -> control plane -> data/forwarding plane).
E) Network plane: Ambiguous; the forwarding layer is called the data plane (switches/routers).
Reference:
ONF SDN Architecture: Defines the application, control and data planes and the northbound/southbound interfaces between them.
RFC 7426 (SDN: Layers and Architecture Terminology): Formal plane and interface definitions.
A service provider hires you to design its new managed CE offering to meet these requirements: The CEs cannot run a routing protocol with the PE. Provide the ability for equal or unequal ingress load balancing in dual-homed CE scenarios. Provide support for IPv6 customer routes. Scale up to 250,000 CE devices per customer. Provide low operational management to scale customer growth. Utilize low-end (inexpensive) routing platforms for CE functionality. Which tunneling technology do you recommend?
A. FlexVPN
B. point-to-point GRE
C. DMVPN
D. LISP
Explanation:
Why LISP (D) Meets All Requirements?
No CE-PE Routing Protocol:
A LISP xTR registers its EID prefixes with a Map-Server (Map-Register) and resolves remote destinations through a Map-Resolver (Map-Request/Map-Reply). The CE never runs a routing protocol with the PE; the PE just forwards encapsulated packets between RLOCs.
Equal/Unequal Ingress Load Balancing:
Each EID prefix maps to one or more RLOCs, and every RLOC carries a priority and a weight. Two RLOCs with equal priority and weights 50/50 give equal ingress load balancing for a dual-homed site; weights such as 70/30 give unequal. Remote ITRs honour these values when choosing which RLOC to encapsulate toward, so the site controls its own ingress traffic.
IPv6 Support:
EID and RLOC address families are independent, so IPv6 customer prefixes are carried over an IPv4 RLOC space (or IPv4 over IPv6) without a separate overlay.
Scalability (250,000 CEs):
Per-site state lives in the mapping system and is pulled on demand into an ITR's map cache; no device has to hold routes or tunnels for all 250,000 sites, and the PE holds none of it.
Low-Cost CEs:
The xTR function is encapsulation/decapsulation plus a small map cache, which fits low-end routers.
Low Operational Overhead:
Adding a site is a Map-Server registration from the new CE; nothing changes on the PE, the other CEs or a central hub.
Why Other Options Fail?
A) FlexVPN: IKEv2/IPsec hub-and-spoke still needs an overlay routing protocol (or static routes) between CE and hub, and per-CE tunnel and routing state accumulates on the hubs.
B) Point-to-point GRE: Manual per-tunnel configuration on both ends; no dynamic scaling toward 250,000 endpoints.
C) DMVPN: Spokes still run an overlay routing protocol (EIGRP/BGP) with the hub over mGRE, each hub carries per-spoke tunnel, NHRP and routing state (so 250,000 spokes means a multi-tier hub hierarchy), and unequal ingress load balancing for a dual-homed spoke relies on routing-protocol tuning such as EIGRP variance rather than a native per-site weight.
Reference:
RFC 6830 (LISP; obsoleted by RFC 9300 and RFC 9301): Map-and-encapsulate, Map-Register/Map-Request, RLOC priority and weight.
RFC 2332 (NHRP): The resolution protocol DMVPN uses for dynamic spoke-to-spoke tunnels.
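How a LISP mapping system expresses equal or unequal ingress load balancing for a dual-homed site, the second requirement in this question, as an added example (not from the original page or any vendor implementation). The EID prefix, RLOC addresses, priorities and weights are constructed; the stable per-flow hash is an assumption standing in for an ITR's real flow hashing, and the `up` map stands in for RLOC-probing results.

```python
import hashlib
from collections import Counter

# Constructed mapping for one EID prefix owned by a dual-homed CE.
# Lower priority value wins; among RLOCs of equal priority, weights split
# the ingress traffic. Addresses are documentation-range placeholders.
MAPPING = {
    "10.1.0.0/16": [
        {"rloc": "198.51.100.1", "priority": 1, "weight": 70},    # primary link A
        {"rloc": "198.51.100.2", "priority": 1, "weight": 30},    # primary link B
        {"rloc": "203.0.113.9", "priority": 254, "weight": 100},  # last-resort path
    ]
}


def usable_locators(locators, up):
    """Keep reachable RLOCs, then only those at the best (lowest) priority."""
    alive = [loc for loc in locators if up.get(loc["rloc"], True)]
    if not alive:
        return []
    best = min(loc["priority"] for loc in alive)
    return [loc for loc in alive if loc["priority"] == best]


def select_rloc(eid_prefix, flow_key, up=None):
    """RLOC an ITR would encapsulate this flow toward.

    The weighted choice is driven by a stable hash of the flow key (assumed
    to be the 5-tuple) so that one flow always lands on the same RLOC and
    packets are not reordered across the two links.
    """
    candidates = usable_locators(MAPPING[eid_prefix], up or {})
    if not candidates:
        return None
    total = sum(loc["weight"] for loc in candidates)
    digest = hashlib.sha256(flow_key.encode()).digest()
    point = int.from_bytes(digest[:4], "big") % total
    for loc in candidates:
        if point < loc["weight"]:
            return loc["rloc"]
        point -= loc["weight"]
    return candidates[-1]["rloc"]


def distribution(eid_prefix, n_flows, up=None):
    """Fraction of n synthetic flows that land on each RLOC."""
    counts = Counter(select_rloc(eid_prefix, f"flow-{i}", up) for i in range(n_flows))
    return {rloc: n / n_flows for rloc, n in counts.items()}


if __name__ == "__main__":
    print(distribution("10.1.0.0/16", 10000))
    print(distribution("10.1.0.0/16", 10000, {"198.51.100.1": False}))
```

With both priority-1 locators up, about 70% of flows land on 198.51.100.1 and 30% on 198.51.100.2 (weights 50/50 would give equal balancing). Marking the first one down sends every flow to the second, and only when both priority-1 locators are down does the priority-254 locator carry traffic; none of this requires a routing protocol between the CE and the PE.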
SD-WAN can be used to provide secure connectivity to remote offices, branch offices, campus networks, data centers, and the cloud over any type of IP-based underlay transport network. Which two statements describe SD-WAN solutions? (Choose two.)
A. SD-WAN networks are inherently protected against slow performance.
B. Control and data forwarding planes are kept separate.
C. Improved operational efficiencies result in cost savings
D. Solutions include centralized orchestration, control, and zero-touch provisioning.
E. Solutions allow for variations of commodity and specialized switching hardware.
Explanation:
1. Separation of Control and Data Planes (B)
SD-WAN decouples the control plane (centralized controller) from the data plane (forwarding devices).
Enables dynamic traffic steering (e.g., path selection based on application policies).
2. Centralized Orchestration & Zero-Touch Provisioning (D)
Orchestration: Single pane of glass for policy management (e.g., Cisco vManage).
Zero-touch: Devices auto-configure via cloud (no manual CLI).
Why Other Options Are Incorrect?
A) SD-WAN optimizes performance but isn’t "inherently protected" (e.g., ISP outages still affect underlays).
C) True but outcome, not a defining feature.
E) SD-WAN uses commodity hardware (no specialized switches).
Reference:
Cisco SD-WAN Architecture: Control/data plane separation.
Gartner SD-WAN Market Guide: Highlights zero-touch benefits.
Which two design solutions ensure sub-50 msec of the convergence time after a link failure in the network? (Choose two)
A. BFD
B. Ti-LFA
C. Minimal BGP scan time
D. MPLS-FRR
E. IGP fast hello
Explanation:
1. TI-LFA (B)
Why?
Topology-Independent Loop-Free Alternate precomputes, for every destination, a backup path (a segment-routing label stack) that is loop-free in the post-convergence topology. On link failure the Point of Local Repair switches to the precomputed stack immediately; no SPF run sits in the forwarding path, so repair completes well under 50 ms, and the backup already follows the path the IGP will converge to, so there is no second traffic shift.
2. MPLS-FRR (D)
Why?
RSVP-TE fast reroute (RFC 4090) presignals NHOP/NNHOP bypass tunnels or detour LSPs at the Point of Local Repair, so traffic is locally rerouted within about 50 ms of a link or node failure while the head end reoptimizes in the background.
Why Other Options Are Insufficient?
A) BFD: Fast failure detection (for example a 50 ms interval with multiplier 3 detects in 150 ms), not a repair mechanism; without a precomputed backup the IGP still has to run SPF and reprogram the FIB. BFD is what triggers TI-LFA or FRR, not a substitute for them.
C) Minimal BGP scan time: Tunes how often BGP revalidates next hops; BGP convergence stays in the seconds range.
E) IGP fast hello: Sub-second hello/dead timers shorten detection but, like BFD, do nothing to shorten the SPF-plus-FIB-update repair that follows.
Reference:
RFC 5880 (BFD): Millisecond-scale failure detection.
RFC 5286 (LFA) and RFC 7490 (Remote LFA): Precomputed loop-free alternates that TI-LFA extends with segment routing.
RFC 4090 (MPLS-FRR): Fast reroute extensions to RSVP-TE for LSP tunnels.
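How a router precomputes a loop-free backup next hop before any failure, the property that lets TI-LFA and MPLS-FRR repair without waiting for SPF, as an added example (not from the original page). The topology and costs are constructed, and the check is the basic RFC 5286 link-protecting LFA inequality D(N,D) < D(N,S) + D(S,D) rather than TI-LFA's segment-routing extension; the post-failure SPF is included only to show that, here, the precomputed backup matches the post-convergence path.

```python
import heapq

# Constructed topology with symmetric link costs (not taken from the page).
TOPOLOGY = {
    ("S", "A"): 1, ("A", "D"): 1,  # primary path S-A-D, cost 2
    ("S", "B"): 1, ("B", "D"): 2,  # B reaches D without passing S: valid LFA
    ("S", "C"): 1, ("C", "D"): 5,  # C's best path to D runs back through S: would loop
}


def adjacency(topology, failed=None):
    """Build {node: {neighbor: cost}}, optionally omitting one failed link."""
    adj = {}
    for (u, v), cost in topology.items():
        if failed is not None and {u, v} == set(failed):
            continue
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def spf(adj, source):
    """Dijkstra: shortest-path distance from source to every node."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, {}).items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


def primary_next_hop(adj, src, dst):
    """Neighbor on the shortest path: c(src,N) + D(N,dst) == D(src,dst)."""
    d_src = spf(adj, src)
    for n, cost in adj[src].items():
        if cost + spf(adj, n)[dst] == d_src[dst]:
            return n
    return None


def is_loop_free_alternate(adj, src, dst, neighbor):
    """RFC 5286 link-protecting condition: D(N,dst) < D(N,src) + D(src,dst).

    If it fails, neighbor's own shortest path to dst goes back through src,
    so sending repaired traffic to it would form a micro-loop.
    """
    d_n = spf(adj, neighbor)
    return d_n[dst] < d_n[src] + spf(adj, src)[dst]


def lfa_next_hop(adj, src, dst):
    """First neighbor, other than the primary, that is a loop-free alternate."""
    primary = primary_next_hop(adj, src, dst)
    for n in adj[src]:
        if n != primary and is_loop_free_alternate(adj, src, dst, n):
            return n
    return None


def repair_plan(topology, src, dst):
    """(primary, precomputed backup, post-failure SPF next hop) for src->dst."""
    adj = adjacency(topology)
    primary = primary_next_hop(adj, src, dst)
    backup = lfa_next_hop(adj, src, dst)
    post = primary_next_hop(adjacency(topology, failed=(src, primary)), src, dst)
    return primary, backup, post


if __name__ == "__main__":
    print(repair_plan(TOPOLOGY, "S", "D"))  # ('A', 'B', 'B')
```

The backup next hop B is installed in the FIB alongside the primary A; when the S-A link fails, detection (BFD or fast hellos) only has to flip to the precomputed entry, which is why the repair time is bounded by detection plus a FIB update rather than by SPF. C is rejected because its shortest path to D passes through S.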
A multicast network is using Bidirectional PIM. Which two combined actions achieve high availability so that two RPs within the same network can act in a redundant manner? (Choose two)
A. Use two phantom RP addresses
B. Manipulate the administration distance of the unicast routes to the two RPs
C. Manipulate the multicast routing table by creating static mroutes to the two RPs
D. Advertise the two RP addresses in the routing protocol
E. Use anycast RP based on MSDP peering between the two RPs
F. Control routing to the two RPs through a longest match prefix
Explanation:
1. Advertise the Two RP Addresses in the Routing Protocol (D)
Why?
Bidir-PIM has no source registration and no (S,G) state; the RP is purely a routing anchor toward which every router forwards join state. RP redundancy therefore has to come from unicast routing. In the phantom-RP design the configured RP address is deliberately unassigned (a "phantom"), and each candidate RP router advertises, via the IGP, a prefix of a different length that covers it.
2. Control Routing to the Two RPs Through a Longest Match Prefix (F)
Why?
For example, RP1 puts a loopback in 192.0.2.0/30 and RP2 a loopback in 192.0.2.0/29, with the phantom RP address 192.0.2.1 (assigned to neither) inside both. Longest match sends all join state toward RP1; when RP1 fails and the /30 is withdrawn, the /29 takes over without any RP reconfiguration on the other routers.
Why Other Options Are Incorrect?
A) Two phantom RP addresses: The design uses one shared (unused) RP address; a second address would give two separate shared trees rather than redundancy for one.
B/C) Manipulating AD or static mroutes: Per-router static overrides that neither scale nor fail over automatically.
E) Anycast RP with MSDP: MSDP exchanges (S,G) Source-Active messages, which Bidir-PIM never creates because it has no source registration; Anycast RP with MSDP is a PIM-SM technique and is not supported for Bidir-PIM.
Reference:
RFC 5015 (Bidirectional PIM): No source registration; the RP as a routing target for the shared tree.
Cisco IP Multicast design guidance: Phantom RP for Bidir-PIM redundancy.
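The longest-match failover the phantom-RP design relies on, as an added example (not from the original page). The RIB and its owners are constructed; the addresses are from the documentation range, and the phantom RP address is intentionally not an interface address on either router.

```python
import ipaddress

# Every router is configured with this RP address for Bidir-PIM groups, but it is
# assigned to no interface anywhere; only the covering prefixes are routed.
PHANTOM_RP = ipaddress.ip_address("192.0.2.1")

# Constructed RIB: prefix -> router advertising it. Each candidate RP advertises
# a different prefix length that covers the phantom address.
RIB = {
    ipaddress.ip_network("192.0.2.0/30"): "RP1",      # longer match: preferred RP
    ipaddress.ip_network("192.0.2.0/29"): "RP2",      # shorter match: standby RP
    ipaddress.ip_network("0.0.0.0/0"): "default",     # what remains if both fail
}


def longest_match(rib, address):
    """(prefix, owner) of the most specific route covering address, or None."""
    best = None
    for prefix, owner in rib.items():
        if address in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, owner)
    return best


def active_rp(rib, rp_address=PHANTOM_RP):
    """Router that currently attracts all Bidir-PIM join state toward the RP."""
    match = longest_match(rib, rp_address)
    return match[1] if match else None


def withdraw(rib, owner):
    """Simulate the IGP withdrawing every prefix a failed router advertised."""
    return {prefix: o for prefix, o in rib.items() if o != owner}


if __name__ == "__main__":
    print(active_rp(RIB))                              # RP1
    print(active_rp(withdraw(RIB, "RP1")))             # RP2
```

Nothing about the RP changes on the downstream routers during failover; the same address simply resolves to a different next hop once the /30 disappears, which is why the design needs the prefixes in the IGP (D) and a longest-match difference between them (F), and not MSDP.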
You are designing an Out of Band Cisco Network Admission Control Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?
A. authentication VLAN
B. user VLAN
C. untrusted VLAN
D. management VLAN
Explanation:
Why the Authentication VLAN is Required?
Purpose of the Authentication VLAN:
In an Out-of-Band (OOB) NAC deployment, the Clean Access Server (CAS) must communicate with devices before they are authenticated.
The Authentication VLAN is used to:
Redirect unauthenticated users to the CAS for posture assessment (e.g., checking antivirus status).
Isolate unauthenticated traffic until compliance is verified.
Trunking to the CAS:
The Authentication VLAN must be trunked from the access switch to the CAS to ensure:
Unauthenticated devices can reach the CAS.
The CAS can enforce policies before granting access to the User VLAN.
Why Other Options Are Incorrect?
B) User VLAN: Carries traffic after authentication; in OOB mode the switch moves the port into it directly, so it does not need to reach the CAS.
C) Untrusted VLAN: The CAS has trusted and untrusted interfaces, but there is no "untrusted VLAN" to trunk in this design; the pre-authentication VLAN is the Authentication VLAN.
D) Management VLAN: Used to reach the switch and CAS for administration, not for client posture checks.
Reference:
Cisco NAC Appliance (Clean Access) Configuration Guide: Out-of-Band deployment, Real-IP Gateway mode and Authentication/Access VLAN mapping.
An MPLS service provider is offering a standard EoMPLS-based VPLS service to Customer A, providing Layer 2 connectivity between a central site and approximately 100 remote sites. Customer A wants to use the VPLS network to carry its internal multicast video feeds which are sourced at the central site and consist of 20 groups at Mbps each. Which service provider recommendation offers the most scalability?
A. EoMPLS-based VPLS can carry multicast traffic in a scalable manner
B. Use a mesh of GRE tunnels to carry the streams between sites
C. Enable snooping mechanisms on the provider PE routers
D. Replace VPLS with a Layer 3 MVPN solution to carry the streams between sites
Explanation:
Why MVPN (Multicast VPN) is the Best Choice?
Scalability Issues with VPLS for Multicast:
VPLS emulates one LAN, so a PE treats multicast like broadcast and floods it over every pseudowire, causing:
Bandwidth waste: Every remote site receives every stream whether or not it has receivers.
Ingress replication: The central-site PE must make one copy of each multicast packet per pseudowire, so with 100 sites the 20 streams become roughly 2,000 stream copies leaving a single PE.
MVPN Advantages:
Efficient Replication: Uses PIM (Protocol Independent Multicast) to build optimal multicast trees (e.g., SPT, RPT).
Scalability: Only sites with active receivers get traffic (no flooding).
MPLS Integration: Uses MDT (Multicast Distribution Trees) in the core.
Why Other Options Fail?
A) VPLS: Floods multicast and replicates at ingress; not scalable for 100+ sites.
B) GRE tunnels: A manual full mesh is operationally complex and still replicates per tunnel at the source.
C) Snooping: IGMP/PIM snooping on the PEs prunes pseudowires without receivers, but the central PE still replicates per pseudowire and the core still carries one copy per site.
Reference:
RFC 6513 (Multicast in MPLS/BGP IP VPNs): The MVPN framework.
Cisco Multicast VPN Design Guide: Compares MVPN with VPLS for multicast.
What is a web-based model in which a third-party provider hosts applications that are available to customers over the Internet?
B. PaaS
C. SaaS
D. IaaS
E. WaaS
Explanation:
Why SaaS?
Definition of SaaS:
A cloud model where third-party providers host and manage applications, delivering them over the Internet to customers.
Users access the software via browsers/APIs without managing servers, storage, or infrastructure.
Examples:
Microsoft 365, Salesforce, Google Workspace.
Why Not Other Options?
B) PaaS (Platform as a Service): Provides development platforms (e.g., AWS Elastic Beanstalk), not end-user apps.
D) IaaS (Infrastructure as a Service): Offers virtualized compute/storage (e.g., AWS EC2), not hosted apps.
E) WaaS (Workplace as a Service): Niche term, not one of the NIST cloud service models.
Reference:
NIST SP 800-145 (Cloud Computing): Defines SaaS/PaaS/IaaS.
Gartner SaaS Market Guide: Lists top SaaS providers.
An architect receives a functional requirement for a NAC system from a customer security policy stating that if a corporate Wi-Fi device does not meet current AV definitions, it cannot access the network until updated. Which component should be built into the NAC design?
A. Posture assessment with remediation VLAN
B. Quarantine SGTs
C. dACLs with SGTs
D. Quarantine VLAN
Explanation:
Why Posture Assessment + Remediation VLAN?
Security Policy Requirement:
Devices must pass compliance checks (e.g., up-to-date AV) before accessing the network.
Posture assessment (via agents or dissolvable clients) verifies AV definitions.
Remediation VLAN Function:
Non-compliant devices are redirected to a restricted VLAN where they can:
Download updates.
Access only patch servers (e.g., Windows WSUS).
Blocks access to production networks until compliant.
Why Other Options Are Less Suitable?
B) Quarantine SGTs: SGTs (Scalable Group Tags) enforce policies but don’t remediate.
C) dACLs with SGTs: Filters traffic but no remediation path.
D) Quarantine VLAN: Similar but lacks posture assessment (just isolation).
Reference:
Cisco ISE Posture Assessment Guide: Posture policy and remediation workflows.
NIST SP 800-53 (Security and Privacy Controls): Controls such as SI-3 (Malicious Code Protection) and CM-6 (Configuration Settings) that posture checks help enforce.
What are two examples of business goals to be considered when a network design is built? (Choose two.)
A. standardize resiliency
B. minimize operational costs
C. integrate endpoint posture
D. ensure faster obsolescence
E. reduce complexity
Explanation:
1. Minimize Operational Costs (B)
Why?
A core business goal is to reduce OpEx (e.g., power, maintenance, staffing).
Example: Automating network configs cuts manual labor costs.
2. Reduce Complexity (E)
Why?
Simplifying designs lowers troubleshooting time and speeds up deployments.
Example: Using SD-WAN instead of complex VPN meshes.
Why Other Options Are Less Relevant?
A) Standardize resiliency: A technical (not business) goal.
C) Endpoint posture: Part of security, not business strategy.
D) Faster obsolescence: Counterproductive—businesses aim to extend asset lifespans.
Reference:
ITIL 4 (Business Alignment): Links OpEx to design.
Cisco Enterprise Architecture: Highlights simplicity for ROI.
Which undesired effect of increasing the jitter compensation buffer is true?
A. The overall transport jitter decreases and quality improves.
B. The overall transport jitter increases and quality issues can occur.
C. The overall transport delay increases and quality issues can occur.
D. The overall transport delay decreases and quality improves.
Explanation:
Why Jitter Buffer Increases Delay?
Role of Jitter Buffer:
Compensates for packet arrival time variations (jitter) by storing packets briefly before playback.
Larger buffer = more delay: Packets are held longer to smooth out jitter.
Undesired Effect:
Increased latency: Real-time apps (e.g., VoIP, video calls) suffer if delay exceeds 150–200ms.
Example: A 500ms buffer causes noticeable lag in conversations.
Why Other Options Are Incorrect?
A/B) Jitter decrease/increase: Buffers hide jitter but don’t affect actual network jitter.
D) Delay decrease: False—buffers add delay.
Reference:
ITU-T G.114: Recommends max 150ms one-way delay for VoIP.
Cisco QoS Design Guide: Jitter buffer trade-offs.
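The trade-off described above, as an added example (not from the original page): a fixed-size jitter buffer simulated over constructed VoIP traffic. It shows that a larger buffer removes late (discarded) packets, but every packet pays the buffer delay whether or not it experienced jitter, and the one-way delay can cross the G.114 budget. The 20 ms frame interval, 40 ms base delay and uniform jitter model are assumptions; a real receiver estimates the base delay from observed arrivals instead of knowing it.

```python
import random

G114_ONE_WAY_BUDGET_MS = 150  # ITU-T G.114 planning limit for one-way delay


def simulate_playout(buffer_ms, jitter_ms, base_delay_ms=40.0,
                     send_interval_ms=20, n_packets=10000, seed=1):
    """Fixed jitter buffer model; returns late fraction and resulting one-way delay.

    Constructed traffic: one packet every send_interval_ms (20 ms VoIP frames),
    network delay = base_delay_ms + uniform(0, jitter_ms). Playout of packet i is
    scheduled at i*send_interval_ms + base_delay_ms + buffer_ms, so a packet is
    late (discarded) exactly when its jitter component exceeds buffer_ms.
    """
    rng = random.Random(seed)
    late = 0
    for i in range(n_packets):
        sent = i * send_interval_ms
        arrival = sent + base_delay_ms + rng.uniform(0, jitter_ms)
        playout = sent + base_delay_ms + buffer_ms
        if arrival > playout:
            late += 1
    one_way_delay = base_delay_ms + buffer_ms  # the buffer delay is paid by every packet
    return {
        "buffer_ms": buffer_ms,
        "late_fraction": late / n_packets,
        "one_way_delay_ms": one_way_delay,
        "within_g114": one_way_delay <= G114_ONE_WAY_BUDGET_MS,
    }


def sweep(buffers_ms, jitter_ms, **kwargs):
    """Run the model for several buffer sizes to expose the delay/loss trade-off."""
    return [simulate_playout(b, jitter_ms, **kwargs) for b in buffers_ms]


if __name__ == "__main__":
    for result in sweep([0, 10, 20, 30, 60, 120, 200], jitter_ms=30):
        print(result)
```

With 30 ms of jitter, a 30 ms buffer already drops nothing at 70 ms one-way delay; raising it to 200 ms buys no further quality and pushes the one-way delay to 240 ms, past the G.114 budget, which is the undesired effect in option C.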
According to the CIA triad principles for network security design, which principle should be priority for a Zero Trust network?
A. requirement for data-in-motion encryption and 2FA authentication
B. requirement for data-at-rest encryption for user identification within the VPN termination hardware
C. categorization of systems, data, and enterprise BYOD assets that are connected to network zones based on individual privacy needs
D. ensuring that authorized users have high-availability system access from defined zones to defined systems or zones
Explanation:
Why Option A Aligns with the CIA Triad in Zero Trust?
CIA Triad Priorities:
Confidentiality: Data-in-motion encryption (TLS, IPsec) prevents eavesdropping on traffic that, in Zero Trust, is assumed to cross untrusted segments even inside the enterprise.
Integrity: The same protocols authenticate and integrity-protect each packet or record, and 2FA gives confidence that the principal behind a session is who it claims to be before access is granted.
Availability: Still a design goal, but not the principle Zero Trust elevates.
Zero Trust Core Tenets:
"Never trust, always verify": Every session is authenticated (strong identity, 2FA) and authorized per request, regardless of network location.
All communication is secured regardless of location: Encryption in transit is required whether the peer sits on the campus LAN or on the Internet, which also limits what a compromised segment can observe or inject.
Why Other Options Are Less Relevant?
B) Data-at-rest encryption on VPN termination hardware: Protects stored data on one device; Zero Trust is about verifying every access and protecting data as it moves between zones.
C) Privacy-driven categorization of assets: A data-governance input that informs policy, not the access-control principle itself.
D) High-availability access from defined zones: Describes availability and an implicit trust in "defined zones", which Zero Trust removes; availability is not the priority the question asks for.
Reference:
NIST SP 800-207 (Zero Trust Architecture): Tenets that all communication is secured regardless of network location and that access is granted per session only after authentication and authorization.
ISO/IEC 27000 series: Defines confidentiality, integrity and availability as the properties of information security.