Which two aspects are considered when designing a dual hub dual DMVPN cloud topology? (Choose two.)
A. will only work with single-tier headend architecture
B. hub sites must connect to both DMVPN clouds
C. recommended for high availability
D. spoke-to-spoke traffic will transit the hub unless spokes exchange dynamic routing directly
E. requires all sites to have dual Internet connections
Explanation:
1. High Availability (C)
Why?
Dual hub dual DMVPN provides redundancy:
If one hub (or cloud) fails, the other takes over.
Example: Primary hub uses MPLS, backup uses Internet.
2. Spoke-to-Spoke Traffic (D)
Why?
By default, spokes communicate via hubs (hairpinning).
Direct spoke-to-spoke tunnels require:
Dynamic routing (e.g., EIGRP, OSPF) between spokes.
NHRP shortcut switching.
Why Other Options Are Incorrect?
A) Single-tier headend: Dual hubs work with multi-tier (core/distribution) designs.
B) Hubs connecting to both clouds: Hubs connect to their own cloud (spokes dual-connect).
E) Dual Internet at all sites: Only hubs need dual clouds (spokes can have single links).
Reference:
Cisco DMVPN Design Guide: Dual hub/cloud HA best practices.
RFC 5565 (NHRP): Spoke-to-spoke dynamic routing.
You are designing a network for a branch office. In order to improve convergence time, you are required to use the BFD feature. Which four routing protocols can you use to facilitate this? (Choose four.)
A. IS-IS
B. static
C. RIP
D. EIGRP
E. BGP
Explanation:
Why These Protocols Support BFD?
BFD (Bidirectional Forwarding Detection) is a lightweight protocol that provides sub-second failure detection for routing protocols. It works with:
A) IS-IS: Fast convergence in ISP/Large Enterprise networks.
D) EIGRP: Cisco’s proprietary protocol with BFD integration.
E) BGP: Critical for WAN/Internet edge failover.
C) RIP: Less common but supports BFD (RFC 5882).
Why Static Routing (B) is Incorrect?
Static routes do not dynamically detect failures—BFD is irrelevant here.
Reference:
RFC 5880 (BFD): Standard for fast failure detection.
Cisco BFD Configuration Guide: Lists supported protocols.
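The two properties the explanation relies on, a detection time derived from negotiated timers and one detector shared by several routing protocols, can be shown in a small model. The following is an added example, not Cisco's or any vendor's code and not part of the original question set: the timer formula follows RFC 5880 section 6.8.4, while the client names, timer values, the poll-based simulation and the IGP dead-timer table are constructed for illustration.

```python
"""BFD-style liveness detection shared by several routing protocols.

Added example, not Cisco's code. Models two things: the detection time is
derived from the negotiated BFD timers (RFC 5880, section 6.8.4), and one
BFD session can signal several registered client protocols at once.
All times are in milliseconds.
"""
from dataclasses import dataclass, field

# Commonly configured IGP/BGP dead or hold timers, for comparison only (constructed table).
IGP_DEAD_MS = {"ospf": 40_000, "eigrp": 15_000, "isis": 30_000, "bgp": 180_000}


@dataclass
class BfdPeer:
    desired_min_tx: int   # how often this side would like to send control packets
    required_min_rx: int  # the slowest rate this side is able to receive at
    detect_mult: int      # packets that may be missed before the peer is declared down


def detection_time_ms(local: BfdPeer, remote: BfdPeer) -> int:
    """Detection time seen by the local system, following RFC 5880 6.8.4:
    the remote Detect Mult times the remote transmit interval, which is the
    larger of what the remote wants to send at and what we can receive at."""
    remote_tx_interval = max(remote.desired_min_tx, local.required_min_rx)
    return remote.detect_mult * remote_tx_interval


@dataclass
class BfdSession:
    local: BfdPeer
    remote: BfdPeer
    clients: tuple = ()          # routing protocols registered with this session
    state: str = "Down"
    last_rx_ms: int = 0
    events: list = field(default_factory=list)

    def receive_control(self, now_ms: int) -> None:
        """A control packet from the peer arrived. The real three-way
        handshake (Down -> Init -> Up) is collapsed into one step here."""
        self.last_rx_ms = now_ms
        if self.state != "Up":
            self.state = "Up"
            self.events.append((now_ms, "Up", self.clients))

    def poll(self, now_ms: int) -> str:
        """Expire the session once the detection time passes without a packet.
        Every registered client is told in the same event, which is what lets
        IS-IS, EIGRP and BGP all react to one sub-second detector."""
        if self.state == "Up" and now_ms - self.last_rx_ms > detection_time_ms(self.local, self.remote):
            self.state = "Down"
            self.events.append((now_ms, "Down", self.clients))
        return self.state


def simulate(last_packet_ms: int = 500, tx_interval_ms: int = 50, poll_step_ms: int = 10):
    """Constructed scenario: the peer sends every tx_interval_ms until
    last_packet_ms, then goes silent. Returns (time the session went Down, event log)."""
    session = BfdSession(BfdPeer(50, 50, 3), BfdPeer(50, 50, 3), clients=("isis", "eigrp", "bgp"))
    now = 0
    while now <= last_packet_ms + 1_000:
        if now <= last_packet_ms and now % tx_interval_ms == 0:
            session.receive_control(now)
        if session.poll(now) == "Down":
            return now, session.events
        now += poll_step_ms
    return None, session.events


def speedup_over_igp(protocol: str, local: BfdPeer, remote: BfdPeer) -> float:
    """How many times faster BFD detects the failure than the protocol's own dead timer."""
    return IGP_DEAD_MS[protocol] / detection_time_ms(local, remote)


if __name__ == "__main__":
    down_at, log = simulate()
    print("session down at", down_at, "ms; events:", log)
    peer = BfdPeer(50, 50, 3)
    print("OSPF dead timer is", round(speedup_over_igp("ospf", peer, peer)), "x slower than BFD")
```

With 50 ms timers and a multiplier of 3 the session is declared down 150 ms after the last control packet, and every registered client learns of it in the same event; the asymmetric case in the test shows that the slower side's receive interval governs the result.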
Which design benefit of bridge assurance is true?
A. It supposes a spanning-tree topology change upon connecting and disconnecting a station on a port
B. It prevents switched traffic from traversing suboptimal paths on the network.
C. It allows small, unmanaged switches to be plugged into ports of access switches without the risk of switch loops.
D. It prevents switch loops caused by unidirectional point-to-point link condition on Rapid PVST+ and MST
Explanation:
Why Bridge Assurance Prevents Unidirectional Link Loops?
Problem:
Unidirectional links (where one side of a connection fails silently) can cause STP loops because BPDUs are only received in one direction.
Bridge Assurance Solution:
Requires BPDUs to be exchanged bidirectionally on point-to-point links.
If BPDUs stop flowing in either direction, the port is blocked (preventing loops).
Supported in Rapid PVST+ and MST.
Why Other Options Are Incorrect?
A) Bridge Assurance doesn’t trigger topology changes for end-station connections (only for uplinks).
B) Suboptimal paths are handled by STP path cost, not Bridge Assurance.
C) Bridge Assurance doesn’t protect against rogue switches—use BPDU Guard instead.
Reference:
Cisco Bridge Assurance Configuration Guide: Blocks unidirectional links.
IEEE 802.1D-2004: STP enhancements.
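The failure mode and the fix can be put side by side in a few lines. The following is an added example and not Cisco's code or part of the original question set: it contrasts classic STP ageing (a port that stops hearing BPDUs assumes the neighbour is gone and moves to forwarding) with a bridge assurance "network" port on Rapid PVST+/MST (a port that stops hearing BPDUs is held in an inconsistent blocking state). The timer values are the usual STP defaults; the two switches and the unidirectional failure are constructed.

```python
"""Why a silent unidirectional link loops without bridge assurance.

Added example, not Cisco's code. Timer values are the usual STP defaults;
the two-switch scenario and the switch names are constructed.
"""
HELLO_S = 2            # BPDU hello interval
MAX_AGE_S = 20         # classic STP: received BPDU information expires after this
BA_MISSED_HELLOS = 3   # bridge assurance tolerates this many missed hellos


def port_state(now_s: int, last_bpdu_rx_s: int, role: str, bridge_assurance: bool) -> str:
    """Forwarding state of one point-to-point port at time now_s.

    role is the port's role while BPDUs were still arriving: 'designated'
    (forwarding) or 'alternate' (blocking, the redundant path). With RSTP every
    port sends BPDUs each hello, so both ends expect to hear the other."""
    silence_s = now_s - last_bpdu_rx_s
    if bridge_assurance and silence_s > BA_MISSED_HELLOS * HELLO_S:
        # Fail closed: no BPDU from a bridge that should be sending them.
        return "ba-inconsistent-blocking"
    if silence_s > MAX_AGE_S:
        # Fail open: the stored BPDU ages out, the port believes the neighbour
        # bridge is gone and promotes itself to designated/forwarding.
        return "forwarding"
    return "forwarding" if role == "designated" else "blocking"


def alternate_port_timeline(bridge_assurance: bool, fail_at_s: int = 10, until_s: int = 40) -> list:
    """State changes of SW-A's alternate port when SW-B's transmit direction dies
    silently at fail_at_s (SW-A hears nothing more, SW-B still hears SW-A)."""
    changes, previous = [], None
    for t in range(until_s + 1):
        state = port_state(t, min(t, fail_at_s), "alternate", bridge_assurance)
        if state != previous:
            changes.append((t, state))
            previous = state
    return changes


def loop_after_unidirectional_failure(bridge_assurance: bool, fail_at_s: int = 10, check_at_s: int = 60) -> dict:
    """Both ends of the link at check_at_s: a loop exists when both forward."""
    sw_a = port_state(check_at_s, fail_at_s, "alternate", bridge_assurance)
    sw_b = port_state(check_at_s, check_at_s, "designated", bridge_assurance)  # SW-B still receives
    return {"SW-A": sw_a, "SW-B": sw_b, "loop": sw_a == "forwarding" and sw_b == "forwarding"}


if __name__ == "__main__":
    for ba in (False, True):
        print("bridge assurance:", ba)
        print("  SW-A port timeline:", alternate_port_timeline(ba))
        print("  state at 60 s:", loop_after_unidirectional_failure(ba))
```

Without bridge assurance the blocking port on SW-A ages out its stored BPDU at 31 s and starts forwarding while SW-B's designated port never stopped forwarding, which is the loop; with bridge assurance the same port is blocked at 17 s instead and the topology stays loop-free.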
IPFIX data collection via standalone IPFIX probes is an alternative to flow collection from routers and switches. Which use case is suitable for using IPFIX probes?
A. performance monitoring
B. security
C. observation of critical links
D. capacity planning
Explanation:
Why IPFIX Probes Are Ideal for Critical Links?
Precision Monitoring:
Standalone IPFIX probes provide granular, real-time traffic analysis on high-priority links (e.g., data center interconnects, WAN edges).
Example: Detect microbursts or anomalies that routers might miss due to sampling.
Advantages Over Router-Based Collection:
No impact on router CPU/memory (probes offload flow processing).
Full packet capture (optional) for deep inspection.
Why Other Options Are Less Suitable?
A) Performance monitoring: Probes can do this, but routers/switches suffice for most cases.
B) Security: Probes lack real-time enforcement; that use case is better served by IDS/IPS.
D) Capacity planning: Router NetFlow/IPFIX data is sufficient for long-term trends.
Reference:
RFC 7011 (IPFIX): Standards for flow monitoring.
Cisco Network Analysis Module (NAM): Probe-based use cases.
Sometimes SDN leverages various overlay networking technologies to create layer(s) of network abstraction. What describes an overlay network?
A. It transmits packets that traverse over network devices like switches and routers
B. It encapsulates packets at source and destination, which incurs additional overhead
C. Packet delivery and reliability occurs at Layer 3 and Layer 4
D. It is responsible for the delivery of packets; NAT- or VRF-based segregation is required
Explanation:
What is an Overlay Network?
Definition:
An overlay network creates a virtual topology on top of an existing (underlay) network by encapsulating packets (e.g., VXLAN, GRE, IPsec).
Example: SD-WAN overlays use IPsec tunnels over the Internet/MPLS.
Key Traits:
Encapsulation overhead: Adds headers (e.g., VXLAN adds 50+ bytes).
Decoupled from underlay: Overlay paths are independent of physical routes.
Why Other Options Are Incorrect?
A) Describes underlay (physical devices), not overlay.
C) Overlays operate above L3/L4 (e.g., VXLAN is L2 over L3).
D) NAT/VRF are segmentation tools, not overlay requirements.
Reference:
RFC 7348 (VXLAN): Overlay encapsulation standard.
Cisco SDN Overlay Design Guide: Use cases and trade-offs.
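The encapsulation overhead mentioned above can be made concrete by building the headers. The following is an added example, not from the question set or any vendor: it wraps an inner Ethernet frame in outer Ethernet, IPv4, UDP and VXLAN headers laid out as RFC 7348 describes, parses them back, and computes what the 50-byte overhead does to the MTU available inside the overlay. The outer MAC and IP addresses, the UDP source port and the sample inner frame are constructed placeholders.

```python
"""VXLAN encapsulation and the overhead it adds (RFC 7348 framing).

Added example, not vendor code. Only the header layouts follow the standard;
addresses, ports and the inner frame used for the demo are constructed.
"""
import struct

ETH_HDR, IPV4_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag in the first header byte
OVERHEAD = ETH_HDR + IPV4_HDR + UDP_HDR + VXLAN_HDR   # 50 bytes for an untagged outer frame


def vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def encapsulate(inner_frame: bytes, vni: int,
                outer_src_ip: bytes = bytes([10, 0, 0, 1]),
                outer_dst_ip: bytes = bytes([10, 0, 0, 2])) -> bytes:
    """Wrap a complete inner Ethernet frame in outer Ethernet + IPv4 + UDP + VXLAN."""
    udp_len = UDP_HDR + VXLAN_HDR + len(inner_frame)
    # UDP: source port (a real VTEP hashes the inner flow into it), dst 4789,
    # length, checksum 0 (permitted for VXLAN over IPv4)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    # IPv4: version/IHL, DSCP/ECN, total length, id, DF flag, TTL, protocol 17 (UDP),
    # header checksum left as 0 in this demo, then the VTEP addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + udp_len, 0, 0x4000, 64, 17, 0,
                     outer_src_ip, outer_dst_ip)
    eth = bytes(6) + bytes(6) + b"\x08\x00"  # placeholder VTEP MACs, EtherType IPv4
    return eth + ip + udp + vxlan_header(vni) + inner_frame


def decapsulate(packet: bytes) -> tuple:
    """Return (vni, inner_frame) after checking the outer headers look like VXLAN."""
    proto = packet[ETH_HDR + 9]
    udp_off = ETH_HDR + IPV4_HDR
    dst_port = struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0]
    if proto != 17 or dst_port != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    off = udp_off + UDP_HDR
    flags_word, vni_word = struct.unpack("!II", packet[off:off + VXLAN_HDR])
    if not (flags_word >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    return vni_word >> 8, packet[off + VXLAN_HDR:]


def inner_ip_mtu(underlay_ip_mtu: int, inner_vlan_tagged: bool = False) -> int:
    """Largest inner IP packet that crosses the underlay without fragmentation.
    The inner Ethernet header travels inside the UDP payload, so it is part of
    the overhead here even though the outer Ethernet header is not."""
    return underlay_ip_mtu - (IPV4_HDR + UDP_HDR + VXLAN_HDR + ETH_HDR) - (4 if inner_vlan_tagged else 0)


if __name__ == "__main__":
    inner = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + b"constructed payload"
    pkt = encapsulate(inner, vni=5000)
    print("inner", len(inner), "bytes -> encapsulated", len(pkt), "bytes (+%d)" % OVERHEAD)
    print("decapsulated VNI:", decapsulate(pkt)[0])
    print("inner IP MTU on a 1500-byte underlay:", inner_ip_mtu(1500))
```

The numbers a designer needs fall straight out: an untagged overlay costs exactly 50 bytes per packet, so hosts behind a 1500-byte underlay must use a 1450-byte IP MTU (1446 with an inner 802.1Q tag) unless the underlay is raised to jumbo frames.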
A key to maintaining a highly available network is building in the appropriate redundancy to protect against failure. This redundancy is carefully balanced with the inherent complexity of redundant systems. Which design consideration is relevant for enterprise WAN use cases when it comes to resiliency?
A. Design in a way that expects outages and attacks on the network and its protected resources
B. The design approach should consider simple and centralized management aspect
C. Design in a way that it simplifies and improves ease of deployment
D. Design automation tools wherever it is appropriate for greater visibility
Explanation:
Why Expecting Outages/Attacks is Critical for WAN Resiliency?
Enterprise WAN Challenges:
Outages: ISP failures, fiber cuts, hardware faults.
Attacks: DDoS, ransomware targeting WAN links.
Design Implications:
Redundant paths: Dual ISPs, SD-WAN with failover.
Security layers: IPsec encryption, ZBFW (Zone-Based Firewall).
Automated remediation: BFD for fast failover, QoS for attack mitigation.
Why Other Options Are Secondary?
B) Centralized management: Useful but doesn’t directly address resiliency.
C) Simplified deployment: Ease ≠ resilience (can conflict with redundancy).
D) Automation tools: Supports resilience but is a means, not the principle.
Reference:
Cisco High Availability Design Guide: WAN redundancy best practices.
NIST SP 800-53 (Resiliency Controls): Mandates outage/attack preparedness.
Which two benefits can software defined networks provide to businesses? (Choose two.)
A. Provides additional redundancy
B. Decentralized management
C. Reduced latency
D. Enables innovation
E. Reduction of OpEx/CapEx
F. Meets high traffic demands
Explanation:
1. Enables Innovation (D)
Why?
SDN’s programmability (APIs, automation) allows rapid deployment of new services (e.g., IoT, edge computing).
Example: Intent-based networking (Cisco DNA) lets businesses define policies in plain language.
2. Reduces OpEx/CapEx (E)
Why?
OpEx savings: Automation cuts manual config/troubleshooting costs.
CapEx savings: Commodity hardware replaces proprietary devices.
Why Other Options Are Less Core?
A) Redundancy: Achievable without SDN (e.g., dual routers).
B) Decentralized management: SDN centralizes control.
C) Reduced latency: SDN optimizes paths but doesn’t inherently lower latency.
F) High traffic demands: Handled via scaling, not unique to SDN.
Reference:
ONF SDN Business Case Studies: Highlights innovation/cost savings.
Gartner SDN ROI Analysis: Quantifies OpEx/CapEx reductions.
As a network designer, you need to support an enterprise with hundreds of remote sites connected over a single WAN network that carries different types of traffic, including VoIP, video, and data applications. Which of the following design considerations will not impact design decision?
A. Focus on the solution instead of the problem, which helps to reduce downtime duration
B. The location of the data collection
C. What direction the data or flows should be metered
D. Identify traffic types and top talkers over this link
Explanation:
Why Option A is Irrelevant to Design Decisions?
Design Philosophy vs. Practical Impact:
"Focus on the solution instead of the problem" is a vague, abstract approach that doesn’t translate to actionable design choices (e.g., QoS, routing, redundancy).
Downtime reduction requires specific technical measures (e.g., BFD, SD-WAN failover), not generic advice.
Why Other Options Directly Impact Design?
B) Data collection location: Affects monitoring/troubleshooting (e.g., NetFlow at WAN edges vs. core).
C) Flow metering direction: Critical for QoS policies (e.g., prioritizing VoIP upstream/downstream).
D) Traffic types/top talkers: Drives bandwidth allocation (e.g., LLQ for VoIP, scavenger class for backups).
Reference:
Cisco QoS Design Guide: Traffic classification/metering.
ITU-T Y.1541 (QoS for WAN): Highlights flow-direction importance.
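The points in B, C and D above, and the IPFIX-probe question earlier on this page (sub-second bursts that per-interval flow export averages away), can be demonstrated on one packet trace. The following is an added example, not the page's or any vendor's code: the trace (timestamps in milliseconds, addresses, sizes, and whether a packet leaves or enters the site over the WAN link) is constructed, and the 10 Mbit/s link rate is an assumption.

```python
"""Flow views of the same packet trace: per-interval flow records versus a
probe's sub-second bins, and top talkers per metering direction.

Added example, not vendor code. The trace and the link rate are constructed.
"""
from collections import defaultdict


def build_trace() -> list:
    """Constructed one-second trace on a branch WAN link: (ts_ms, src, dst, bytes, direction)."""
    trace = []
    for i in range(100):                       # steady outbound web traffic, one 500-byte packet every 10 ms
        trace.append((i * 10, "10.1.1.10", "8.8.8.8", 500, "out"))
    for i in range(20):                        # a microburst: 20 full-size packets inside 5 ms
        trace.append((500 + i * 0.25, "10.1.1.20", "203.0.113.5", 1500, "out"))
    for i in range(10):                        # inbound replies to two local hosts
        trace.append((i * 100 + 5, "203.0.113.9", "10.1.1.30", 1200, "in"))
    for i in range(5):
        trace.append((i * 200 + 7, "198.51.100.7", "10.1.1.10", 800, "in"))
    return sorted(trace)


def flow_records(trace: list, direction: str) -> dict:
    """What a router exporter hands to the collector: one record per flow with
    totals over the export interval. Sub-second timing is gone by design."""
    records = defaultdict(lambda: {"packets": 0, "bytes": 0, "first_ms": None, "last_ms": None})
    for ts, src, dst, size, d in trace:
        if d != direction:
            continue
        rec = records[(src, dst)]
        rec["packets"] += 1
        rec["bytes"] += size
        rec["first_ms"] = ts if rec["first_ms"] is None else min(rec["first_ms"], ts)
        rec["last_ms"] = ts if rec["last_ms"] is None else max(rec["last_ms"], ts)
    return dict(records)


def top_talkers(trace: list, direction: str, n: int = 3) -> list:
    """Local hosts ranked by bytes. The local host is the source of outbound
    traffic and the destination of inbound traffic, which is why the metering
    direction has to be decided before the numbers mean anything."""
    totals = defaultdict(int)
    for (src, dst), rec in flow_records(trace, direction).items():
        totals[src if direction == "out" else dst] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def utilisation_by_bin(trace: list, direction: str, bin_ms: int, link_bps: int) -> dict:
    """Bytes per time bin as a fraction of what the link can carry in that bin.
    Above 1.0 the packets had to queue; with a small bin that is a microburst."""
    bins = defaultdict(int)
    for ts, _, _, size, d in trace:
        if d == direction:
            bins[int(ts // bin_ms)] += size
    capacity_bytes = link_bps * bin_ms / 1000 / 8
    return {b: bins[b] / capacity_bytes for b in sorted(bins)}


def microburst_bins(trace: list, direction: str, bin_ms: int, link_bps: int) -> list:
    """Bins in which the offered load exceeded the line rate."""
    return [b for b, u in utilisation_by_bin(trace, direction, bin_ms, link_bps).items() if u > 1.0]


if __name__ == "__main__":
    trace, link = build_trace(), 10_000_000
    print("top outbound talkers:", top_talkers(trace, "out"))
    print("top inbound talkers: ", top_talkers(trace, "in"))
    print("1 s average utilisation (router export view):", utilisation_by_bin(trace, "out", 1000, link))
    print("10 ms bins over line rate (probe view):", microburst_bins(trace, "out", 10, link))
```

Over a one-second export interval the outbound link looks 6.4 % busy and nothing stands out; the probe's 10 ms bins show one bin carrying 2.44 times what the link can drain, which is the burst the explanation says router-based collection misses. Ranking talkers by source for outbound and by destination for inbound also gives two different lists, which is why the collection point and direction are design inputs rather than afterthoughts.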
Company XYZ has implemented policy-based routing in their network. Which potential problem must be kept in mind about network reconvergence and PBR?
A. It can limit network scalability
B. It can create microloops during reconvergence
C. It increases convergence time.
D. It reduces convergence time.
Explanation:
Why PBR Causes Microloops?
How PBR Works:
Policy-Based Routing overrides the normal routing table, forcing packets onto specific paths.
During a topology change (e.g., link failure), routers using PBR may temporarily disagree on the best path.
Microloops Occur When:
Router A forwards traffic to Router B (per PBR), but Router B’s IGP (e.g., OSPF) hasn’t converged yet and sends it back to Router A.
This loop lasts until the IGP fully reconverges.
Why Other Options Are Incorrect?
A) Scalability limits: PBR adds per-packet processing but doesn’t inherently limit scale.
C/D) Convergence time: PBR doesn’t directly slow or speed up IGP convergence.
Reference:
RFC 5715 (Microloop Prevention): Explains IGP/PBR interactions.
Cisco PBR Configuration Guide: Warns of microloop risks.
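The interaction described above (a static policy on one router, a routing table on the next that is mid-reconvergence) can be traced hop by hop. The following is an added example, not the page's or a vendor's code: four routers A, B, C and D are constructed, the destination sits behind D, A's routing table prefers C, and a PBR policy on A sends traffic from 10.1.1.0/24 via B (as one would to pull it through an inspection point at B). The policy is assumed to be static and not updated by the IGP; the final "policy withdrawn" stage stands for whatever removes it, such as next-hop tracking or an operator.

```python
"""Tracing a policy-routed packet through routers whose routing tables are at
different stages of convergence.

Added example, not vendor code. Topology, addresses and policy are constructed.
"""


def link_up(links: set, a: str, b: str) -> bool:
    return frozenset((a, b)) in links


def forward(packet: dict, start: str, fibs: dict, pbr: dict, links: set, max_hops: int = 8) -> tuple:
    """Hop-by-hop walk. At each router the PBR policy is consulted first (it
    matches on the packet's source prefix), then the routing table.
    Returns (outcome, path)."""
    node, path = start, [start]
    for _ in range(max_hops):
        if node == packet["dst"]:
            return "delivered", path
        next_hop = pbr.get(node, {}).get(packet["src"]) or fibs[node].get(packet["dst"])
        if next_hop is None:
            return "no-route", path
        if not link_up(links, node, next_hop):
            return "blackhole", path          # stale entry points over a dead link
        if next_hop in path:
            return "loop", path + [next_hop]  # packet would revisit a router
        node = next_hop
        path.append(node)
    return "ttl-expired", path


def convergence_phases() -> dict:
    """Outcome for the policy-routed packet at each stage of a B-D link failure."""
    packet = {"src": "10.1.1.0/24", "dst": "D"}
    all_links = {frozenset(p) for p in (("A", "B"), ("A", "C"), ("B", "D"), ("C", "D"))}
    links_after_failure = all_links - {frozenset(("B", "D"))}
    # routing tables before the failure: A prefers C, B and C are adjacent to D
    fib_before = {"A": {"D": "C"}, "B": {"D": "D"}, "C": {"D": "D"}, "D": {}}
    # after B's IGP reconverges it reaches D through A (and then C)
    fib_b_converged = {**fib_before, "B": {"D": "A"}}
    policy = {"A": {"10.1.1.0/24": "B"}}   # static PBR on A, unaware of the IGP
    return {
        "steady state": forward(packet, "A", fib_before, policy, all_links),
        "B-D down, B not yet converged": forward(packet, "A", fib_before, policy, links_after_failure),
        "B converged, policy on A unchanged": forward(packet, "A", fib_b_converged, policy, links_after_failure),
        "policy withdrawn, routing table used": forward(packet, "A", fib_b_converged, {}, links_after_failure),
    }


if __name__ == "__main__":
    for phase, (outcome, path) in convergence_phases().items():
        print(f"{phase:40s} {outcome:10s} {' -> '.join(path)}")
```

The third phase is the one the question is about: B's routing table has already moved on while A's policy has not, so the packet bounces A, B, A until the two forwarding decisions agree again. Tracing forwarding decisions this way, per router and per convergence stage, is a cheap check to run on any design that mixes PBR with a dynamic IGP.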
You are designing the routing design for two merging companies that have overlapping IP address space. Which of these must you consider when developing the routing and NAT design?
A. Local to global NAT translation is done after routing
B. Global to local NAT translation is done before routing
C. Local to global NAT translation is done before policy-based routing
D. Global to local NAT translation is done after policy-based routing
Explanation:
Why NAT Order Matters for Merging Networks with Overlapping IPs?
Problem:
Overlapping IPs (e.g., both companies use 10.0.0.0/24) require NAT to avoid conflicts.
Traffic must be translated correctly before/after routing decisions.
Key Consideration:
Global-to-local NAT (destination NAT) must happen after policy-based routing (PBR).
PBR first: Routes traffic based on policies (e.g., "Send VoIP to MPLS").
NAT after: Translates the destination IP (e.g., 192.168.1.1 → 10.0.0.1) post-routing.
Why Other Options Are Incorrect?
A) Local-to-global NAT after routing: Source NAT (e.g., 10.0.0.1 → 203.0.113.1) typically happens before routing (to ensure proper egress path selection).
B) Global-to-local NAT before routing: Breaks routing—destinations aren’t resolved yet.
C) Local-to-global NAT before PBR: Correct for source NAT, but question focuses on destination NAT.
Reference:
Cisco NAT Order of Operations: Details pre/post-routing NAT.
RFC 3022 (Traditional NAT): Standards for translation timing.
The major business applications of an enterprise are largely monolithic and hard-coded. As part of a major modernization and overhaul of the applications, the goal is to move to a modular and containerized application architecture model. At the same time, decoupling from the hardware is desired to move to an on-demand provisioning. However, the CyberOps team mandated that the final architecture must provide the same security levels as an air-gapped data center. Which cloud architecture meets these requirements?
A. IaaS
B. Private cloud
C. PaaS
D. Hybrid cloud
E. Public cloud
Explanation:
Why Private Cloud Meets All Requirements?
Modular/Containerized Apps:
Private clouds (e.g., OpenStack, VMware) support Kubernetes/containers for modularization.
On-Demand Provisioning:
Self-service portals automate resource allocation (CPU/storage/network).
Air-Gapped Security:
Isolated infrastructure (on-premises or hosted) ensures:
No shared tenancy (unlike public clouds).
Full control over firewalls, encryption, and access policies.
Why Other Options Fail?
A) IaaS: Provides hardware abstraction but locks you into managing OS/security.
C) PaaS: Abstracts too much (no OS control), conflicting with air-gapped security.
D) Hybrid cloud: Mixes public/private, violating the air-gap mandate.
E) Public cloud: Multi-tenant (AWS/Azure) can’t match air-gapped security.
Reference:
NIST SP 800-144 (Private Cloud Security): Highlights isolation benefits.
Cisco Private Cloud Design Guide: Container/Kubernetes integration.
What is a country-specific requirement that data is subject to the laws of the country in which it is collected or processed and must remain within its borders?
A. Data sovereignty
B. Data rationality
C. Data inheritance
D. Data replication
Explanation:
Why Data Sovereignty?
Definition:
Data sovereignty mandates that data is subject to the laws of the country where it’s collected/stored and must remain within its borders.
Examples:
EU GDPR: Requires EU citizen data to stay in the EU unless equivalent protections exist.
Russia’s Data Localization Law: Forces personal data to be stored on Russian servers.
Impact on Design:
Requires local data centers or cloud regions in-country.
Limits use of global CDNs/public clouds without local presence.
Why Other Options Are Incorrect?
B) Data rationality: Not a legal term.
C) Data inheritance: Pertains to data ownership transfer (e.g., after death).
D) Data replication: A technical process, unrelated to legal jurisdiction.
Reference:
GDPR Article 3 (Territorial Scope): Defines data sovereignty rules.
Cisco Data Localization Guide: Compliance strategies.