1.0 Architecture Flashcards

Question

Which field was added to the VXLAN header to allow it to carry SGT tags? 1. Group Policy ID 2. Scalable Group ID 3. Group Based Tag 4. Group Based Policy

Answer 1

1. Group Policy ID

Answer 2

1. WLCs 2. Cisco routers 4. Cisco switches 5. Access points 6. Cisco ISE 7. Cisco DNA Center

Answer 3

1. vManage network management system (NMS) 2. vSmart controller 3. SD-WAN routers 4. vBond orchestrato

Answer 4

3. vManage

Answer 5

2. To authenticate the vSmart controllers and the SD-WAN routers and orchestrate connectivity between them

Answer 6

C. The access point is part the fabric overlay Explanation Access Points + AP is directly connected to FE (or to an extended node switch) + AP is part of Fabric overlay

Answer 7

C. Identity Service Engine

Answer 8

B. vManage Your answers are shown below: Question 1 Which description of an SD-Access wireless network infrastructure deployment is true? A. The access point is part of the fabric underlay B. The wireless client is part of the fabric overlaywrong C. The access point is part the fabric overlaycorrect D. The WLC is part of the fabric underlay Explanation Access Points + AP is directly connected to FE (or to an extended node switch) + AP is part of Fabric overlay Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKEWN-2020.pdf Question 2 When a wired client connects to an edge switch in an SDA fabric, which component decides whether the client has access to the network? A. RADIUS server B. control-plane node C. Identity Service Enginecorrect D. edge nodewrong Question 3 Which controller is the single plane of management for Cisco SD-WAN? A. vEdge B. vManagecorrect C. vSmart D. vBond Explanation The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane). + vManage – This centralized network management system provides a GUI interface to easily monitor, configure, and maintain all Cisco SD-WAN devices and links in the underlay and overlay network. + vSmart controller – This software-based component is responsible for the centralized control plane of the SD-WAN network. It establishes a secure connection to each vEdge router and distributes routes and policy information via the Overlay Management Protocol (OMP), acting as a route reflector. It also orchestrates the secure data plane connectivity between the vEdge routers by distributing crypto key information, allowing for a very scalable, IKE-less architecture. + vBond orchestrator – This software-based component performs the initial authentication of vEdge devices and orchestrates vSmart and vEdge connectivity. It also has an important role in enabling the communication of devices that sit behind Network Address Translation (NAT). + vEdge router – This device, available as either a hardware appliance or software-based router, sits at a physical site or in the cloud and provides secure data plane connectivity among the sites over one or more WAN transports. It is responsible for traffic forwarding, security, encryption, Quality of Service (QoS), routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), and more.

Answer 9

A. APIC uses a policy agent to translate policies into instruction **Explanation** The southbound protocol used by APIC is OpFlex that is pushed by Cisco as the protocol for policy enablement across physical and virtual switches. Southbound interfaces are implemented with some called Service Abstraction Layer (SAL), which talks to the network elements via SNMP and CLI. Note: Cisco OpFlex is a southbound protocol in a software-defined network (SDN).

Answer 10

A. performs route leaking between user-defined virtual networks and shared services **Explanation** Today the Dynamic Network Architecture Software Defined Access (DNA-SDA) solution requires a fusion router to perform VRF route leaking between user VRFs and Shared-Services, which may be in the Global routing table (GRT) or another VRF. Shared Services may consist of DHCP, Domain Name System (DNS), Network Time Protocol (NTP), Wireless LAN Controller (WLC), Identity Services Engine (ISE), DNAC components which must be made available to other virtual networks (VN’s) in the Campus

Answer 11

A. VXLAN **Explanation** The tunneling technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN). VXLAN encapsulation is UDP-based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric. Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not. Using VXLAN allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) and the ability to operate over any IP-based network with built-in network segmentation (VRF instance/VN) and built-in group-based policy.

Answer 12

B. Connects endpoints to the fabric and forwards their traffic **Explanation** There are five basic device roles in the fabric overlay: + Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay. + Fabric border node: This fabric device (for example, core layer device) connects external Layer 3 networks to the SDA fabric. + Fabric edge node: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric. + Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric. + Intermediate nodes: These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services

Answer 13

C. distribute security information for tunnel establishment between vEdge routers **Explanation** + **Orchestration plane** (vBond) assists in securely onboarding the SD-WAN WAN Edge routers into the SD-WAN overlay (-\> Therefore answer "onboard vEdge nodes into the SD-WAN fabric" mentioned about vBond). The vBond controller, or orchestrator, authenticates and authorizes the SD-WAN components onto the network. The vBond orchestrator takes an added responsibility to distribute the list of vSmart and vManage controller information to the WAN Edge routers. vBond is the only device in SD-WAN that requires a public IP address as it is the first point of contact and authentication for all SD-WAN components to join the SD-WAN fabric. All other components need to know the vBond IP or DNS information. + **Management plane** (vManage) is responsible for central configuration and monitoring. The vManage controller is the centralized network management system that provides a single pane of glass GUI interface to easily deploy, configure, monitor and troubleshoot all Cisco SD-WAN components in the network. (-\> Answer "manage, maintain, and gather configuration and status for nodes within the SD-WAN fabric" and answer "gather telemetry data from vEdge routers" are about vManage) + **Control plane** (vSmart) builds and maintains the network topology and make decisions on the traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies and distributes data plane policies to network devices for enforcement (-\> Answer "distribute security information for tunnel establishment between vEdge routers" is about vSmart)

Answer 14

C. It is in local mode an must connected directly to the fabric edge switch ## Footnote **Explanation** Fabric mode APs continue to support the same wireless media services that traditional APs support; apply AVC, quality of service (QoS), and other wireless policies; and establish the CAPWAP control plane to the fabric WLC. **Fabric APs join as local-mode APs and must be directly connected to the fabric edge node switch** to enable fabric registration events, including RLOC assignment via the fabric WLC. The fabric edge nodes use CDP to recognize APs as special wired hosts, applying special port configurations and assigning the APs to a unique overlay network within a common EID space across a fabric. The assignment allows management simplification by using a single subnet to cover the AP infrastructure at a fabric site.

Answer 15

B. edge node E. border node **Explanation** There are five basic device roles in the fabric overlay: + Control plane node: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for the fabric overlay. + **Fabric border node**: This fabric device (for example, core layer device) connects external Layer 3 networks to the SDA fabric. + **Fabric edge node**: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric. + Fabric WLAN controller (WLC): This fabric device connects APs and wireless endpoints to the SDA fabric. + Intermediate nodes: These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services

Answer 16

A. using BFDcorrect **Explanation** The BFD (Bidirectional Forwarding Detection) is a protocol that detects link failures as part of the Cisco SD-WAN (Viptela) high availability solution, is enabled by default on all vEdge routers, and you cannot disable it.

Answer 17

D. The access point is part the fabric overlay **Explanation** Access Points + AP is directly connected to FE (or to an extended node switch) + AP is part of Fabric overlay

Answer 18

A. overlay network **Explanation** An overlay network creates a logical topology used to virtually connect devices that are built over an arbitrary physical underlay topology. An overlay network is created on top of the underlay network through virtualization (virtual networks). The data plane traffic and control plane signaling are contained within each virtualized network, maintaining isolation among the networks and an independence from the underlay network. SD-Access allows for the extension of Layer 2 and Layer 3 connectivity across the overlay through the services provided by through LISP.

Answer 19

D. It holds a comprehensive database that tracks endpoints and networks in the fabric. **Explanation** Fabric control plane node (C): One or more network elements that implement the LISP Map-Server (MS) and Map-Resolver (MR) functionality. The control plane node’s host tracking database keep track of all endpoints in a fabric site and associates the endpoints to fabric nodes in what is known as an EID-to-RLOC binding in LISP.

Answer 20

D. fabric control plane node **Explanation** SD-Access Wireless Architecture Control Plane Node –A Closer Look Fabric Control-Plane Node is based on a LISP Map Server / Resolver Runs the LISP Endpoint ID Database to provide overlay reachability information + A simple Host Database, that tracks Endpoint ID to Edge Node bindings (RLOCs) + Host Database supports multiple types of Endpoint ID (EID), such as IPv4 /32, IPv6 /128\* or MAC/48 + Receives prefix registrations from Edge Nodes for wired clients, and from Fabric mode WLCs for wireless clients + Resolves lookup requests from FE to locate Endpoints + Updates Fabric Edge nodes, Border nodes with wireless client mobility and RLOC information

Answer 21

D. distribute policies that govern data forwarding performed within the SD-WAN fabric **Explanation** **Control plane** **(vSmart)** builds and maintains the network topology and makes decisions on the traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies, and distributes data plane policies to network devices for enforcement.

Answer 22

A. vBond **Explanation** + **Orchestration plane (vBond)** assists in securely onboarding the SD-WAN WAN Edge routers into the SD-WAN overlay. The vBond controller, or orchestrator, authenticates and authorizes the SD-WAN components onto the network. The vBond orchestrator takes an added responsibility to distribute the list of vSmart and vManage controller information to the WAN Edge routers. vBond is the only device in SD-WAN that requires a public IP address as it is the first point of contact and authentication for all SD-WAN components to join the SD-WAN fabric. All other components need to know the vBond IP or DNS information.

Answer 23

D. to connect wired endpoint to the SD-Access fabric **Explanation** + **Fabric edge node**: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric.

Answer 24

B. It manages the control plane. **Explanation** + **Control plane** **(vSmart)** builds and maintains the network topology and make decisions on the traffic flows. The vSmart controller disseminates control plane information between WAN Edge devices, implements control plane policies and distributes data plane policies to network devices for enforcement.

Answer 25

C. VXLAN **Explanation** The tunneling technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN). VXLAN encapsulation is UDP based, meaning that it can be forwarded by any IP-based network (legacy or third party) and creates the overlay network for the SD-Access fabric. Although LISP is the control plane for the SD-Access fabric, it does not use LISP data encapsulation for the data plane; instead, it uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header to perform MAC-in-IP encapsulation, while LISP does not. Using VXLAN allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) and the ability to operate over any IP-based network with built-in network segmentation (VRF instance/VN) and built-in group-based policy.

Answer 26

B. inter-xTR **Explanation** SDA supports two additional types of roaming, which are Intra-xTR and Inter-xTR. In SDA, xTR stands for an access-switch that is a fabric edge node. It serves both as an ingress tunnel router as well as an egress tunnel router. When a client on a fabric enabled WLAN, roams from an access point to another access point on the same access-switch, it is called Intra-xTR. Here, the local client database and client history table are updated with the information of the newly associated access point. When a client on a fabric enabled WLAN, **roams from an access point to another access point on a different access-switch, it is called Inter-xTR**. Here, the map server is also updated with the client location (RLOC) information. Also, the local client database is updated with the information of the newly associated access point.

Answer 27

D. VXLAN **Explanation** Cisco SD-WAN uses Overlay Management Protocol (OMP) which manages the overlay network. OMP runs between the vSmart controllers and WAN Edge routers (and among vSmarts themselves) where control plane information, such as the routing, policy, and management information, is exchanged over a secure connection.

Answer 28

C. The Port Cos value is 0

Answer 29

C. QOS Group **Explanation** Cisco routers allow you to mark two internal values (qos-group and discard-class) that travel with the packet within the router but do not modify the packet’s contents.

Answer 30

C. Policing drops traffic that exceeds the defined rate E. Policing should be performed as close to the source as possible **Explanation** Traffic policing propagates bursts. When the traffic rate reaches the configured maximum rate (or committed information rate), excess traffic is dropped (or remarked). The result is an output rate that appears as a saw-tooth with crests and troughs. Unlike traffic shaping, traffic policing does not cause delay. Classification (which includes traffic policing, traffic shaping and queuing techniques) should take place at the network edge. It is recommended that classification occur as close to the source of the traffic as possible. Also according to this [Cisco link](https://www.ciscopress.com/articles/article.asp?p=357102&seqNum=8), “policing traffic as close to the source as possible”

Answer 31

C. WRED **Explanation** Weighted Random Early Detection (WRED) is just a congestion avoidance mechanism. WRED drops packets selectively based on IP precedence. Edge routers assign IP precedences to packets as they enter the network. When a packet arrives, the following events occur: 1. The average queue size is calculated. 2. If the average is less than the minimum queue threshold, the arriving packet is queued. 3. If the average is between the minimum queue threshold for that type of traffic and the maximum threshold for the interface, the packet is either dropped or queued, depending on the packet drop probability for that type of traffic. 4. If the average queue size is greater than the maximum threshold, the packet is dropped. WRED reduces the chances of tail drop (when the queue is full, the packet is dropped) by selectively dropping packets when the output interface begins to show signs of congestion (thus it can mitigate congestion by preventing the queue from filling up). By dropping some packets early rather than waiting until the queue is full, WRED avoids dropping large numbers of packets at once and minimizes the chances of global synchronization. Thus, WRED allows the transmission line to be used fully at all times. WRED generally drops packets selectively based on IP precedence. Packets with a higher IP precedence are less likely to be dropped than packets with a lower precedence. Thus, the higher the priority of a packet, the higher the probability that the packet will be delivered. Reference: [https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos\_conavd/configuration/15-mt/qos-conavd-15-mt-book/qos-conavd-cfg-wred.html](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_conavd/configuration/15-mt/qos-conavd-15-mt-book/qos-conavd-cfg-wred.html) WRED is only useful when the bulk of the traffic is TCP/IP traffic. With TCP, dropped packets indicate congestion, so the packet source will reduce its transmission rate. With other protocols, packet sources may not respond or may resend dropped packets at the same rate. Thus, dropping packets does not decrease congestion.

Answer 32

B. COS of 5 to DSCP 46 **Explanation** CoS value 5 is commonly used for VOIP and CoS value 5 should be mapped to DSCP 46. DSCP 46 is defined as being for EF (Expedited Forwarding) traffic flows and is the value usually assigned to all interactive voice and video traffic. This is to keep the uniformity from end-to-end that DSCP EF (mostly for VOICE RTP) is mapped to COS 5. Note: + CoS is a L2 marking contained within an 802.1q tag,. The values for CoS are 0 – 7 + DSCP is a L3 marking and has values 0 – 63 + The default DSCP-to-CoS mapping for CoS 5 is DSCP 40

Answer 33

D. It buffers and queue packets above the committed rate. **Explanation** **Traffic shaping retains excess packets in a queue and then schedules the excess for later transmission** over increments of time. The result of traffic shaping is a smoothed packet output rate.

Answer 34

B. Marking **Explanation** QoS Packet Marking refers to changing a field within a packet either at Layer 2 (802.1Q/p CoS, MPLS EXP) or Layer 3 (IP Precedence, DSCP and/or IP ECN).

Answer 35

B. FIFO **Explanationthe** **First-in, first-out** (FIFO): FIFO entails no concept of priority or classes of traffic. With FIFO, transmission of packets out the interface occurs in the order the packets arrive, which means no QoS.

Answer 36

D. The FIB is populated based on RIB content **Explanation** CEF uses a Forwarding Information Base (FIB) to make IP destination prefix-based switching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table. Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with earlier switching paths such as fast switching and optimum switching. Note: In order to view the Routing information base (RIB) table, use the “show ip route” command. To view the Forwarding Information Base (FIB), use the “show ip cef” command. RIB is in Control plane while FIB is in Data plane.

Answer 37

D. Cisco Express Forwarding uses a FIB to make IP destination prefix-based switching decisions **Explanation** The Forwarding Information Base (FIB) table – CEF uses a FIB to make IP destination prefix-based switching decisions. The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and these changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table.

Answer 38

B. It maintains two tables in the data plane the FIB and adjacency table

Answer 39

A. Each hash maps directly to a single entry in the adjacency table D. It combines the source and destination IP addresses to create a hash for each destination **Explanation** Cisco IOS software basically supports two modes of CEF load balancing: On a per-destination or per-packet basis. **For per destination load balancing a hash is computed out of the source and destination IP address** (-\> Answer 'It combines the source and destination IP addresses to create a hash for each destination' is correct). **This hash points to exactly one of the adjacency entries in the adjacency table** (-\> Answer 'Each hash maps directly to a single entry in the adjacency table is correct), providing that the same path is used for all packets with this source/destination address pair. If per-packet load balancing is used the packets are distributed round-robin over the available paths. In either case, the information in the FIB and adjacency tables provide all the necessary forwarding information, just like for non-load balancing operation. The number of paths used is limited by the number of entries the routing protocol puts in the routing table, the default in IOS is 4 entries for most IP routing protocols with the exception of BGP, where it is one entry. **The maximum number that can be configured is 6 different paths** -\> Answer 'Cisco Express Forwarding can load-balance over a maximum of two destinations' is not correct.

Answer 40

A. The RIB is a database of routing prefixes, and the FIB is the information used to choose the egress interface for each packet. D. The RIB is derived from the control plane, and the FIB is derived from the RIB.

Answer 41

A. CEF uses the FIB and the adjacency table to make forwarding decisions, whereas process switching punts each packet. **Explanation** “Punt” is often used to describe the action of moving a packet from the fast path (CEF) to the route processor for handling. Cisco Express Forwarding (CEF) provides the ability to switch packets through a device in a very quick and efficient way while also keeping the load on the router’s processor low. CEF is made up of two different main components: the **Forwarding Information Base** (FIB) and the **Adjacency** **Table**. Process switching is the slowest switching methods (compared to fast switching and Cisco Express Forwarding) because it must find a destination in the routing table. Process switching must also construct a new Layer 2 frame header for every packet. With process switching, when a packet comes in, the scheduler calls a process that examines the routing table, determines which interface the packet should be switched to and then switches the packet. The problem is, this happens for the every packet.

Answer 42

C. The RIB includes many routes to the same destination prefix. The FIB contains only the best route.

Answer 43

C. radar D. rogue AP **Explanation** According to the [Meraki webpage](https://documentation.meraki.com/@api/deki/pages/2100/pdf/Common%2bSources%2bof%2bWireless%2bInterference.pdf), radar and rogue AP are two sources of Wireless Interference. Interference between different WLANs occurs when the access points within range of each other are set to the same RF channel. Note: Microwave ovens (not conventional oven) emit damaging interfering signals at up to 25 feet or so from an operating oven. Some microwave ovens emit radio signals that occupy only a third of the 2.4-GHz band, whereas others occupy the entire band. Reference: [https://www.ciscopress.com/articles/article.asp?p=2351131&seqNum=2](https://www.ciscopress.com/articles/article.asp?p=2351131&seqNum=2) So answer 'conventional oven' is not a correct answer.

Answer 44

D. When connected to the controller, FlexConnect APs can tunnel traffic back to the controller E. FlexConnect mode is a wireless solution for branch office and remote office deployments **Explanation** FlexConnect is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. The FlexConnect access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost. When they are connected to the controller, they can also send traffic back to the controller. In the connected mode, the FlexConnect access point can also perform local authentication.

Answer 45

A. DHCP Option 43 E. broadcasting on the local subnet **Explanation** A Cisco lightweight wireless AP needs to be paired with a WLC to function. An AP must be very diligent to discover any controllers that it can join—all without any preconfiguration on your part. To accomplish this feat, several methods of discovery are used. The goal of discovery is just to build a list of live candidate controllers that are available, using the following methods: + Prior knowledge of WLCs + DHCP and DNS information to suggest some controllers (DHCP Option 43) + Broadcast on the local subnet to solicit controllers Reference: CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide If you do not tell the LAP where the controller is via DHCP option 43, DNS resolution of “Cisco-capwap-controller.local\_domain”, or statically configure it, the LAP does not know where in the network to find the management interface of the controller. In addition to these methods, the LAP does automatically look on the local subnet for controllers with a 255.255.255.255 local broadcast

Answer 46

C. RADIUS server **Explanation** Deploying WPA2-Enterprise requires a RADIUS server, which handles the task of authenticating network users access. The actual authentication process is based on the 802.1X policy and comes in several different systems labeled EAP. Because each device is authenticated before it connects, a personal, encrypted tunnel is effectively created between the device and the network.

Answer 47

D. Layer 3 intercontroller **Explanation** If the clients roam between APs registered to different controllers and the client WLAN on the two controllers is on different subnet, then it is called inter-controller L3 roam. In this situation as well controllers exchange mobility messages. Client database entry change is completely different that to L2 roam(instead of move, it will copy). In this situation the original controller marks the client entry as “**Anchor**” where as new controller marks the client entry as “Foreign“.The two controllers now referred to as “Anchor controller” & “Foreign Controller” respectively. Client will keep the original IP address & that is the real advantage. Note: Inter-Controller (normally layer 2) roaming occurs when a client roam between two APs registered to two different controllers, where each controller has an interface in the client subnet.

Answer 48

B. noise floor D. RSSI **Explanation** Signal to Noise Ratio (SNR) is defined as the ratio of the transmitted power from the AP to the ambient (noise floor) energy present. To calculate the SNR value, we add the Signal Value to the Noise Value to get the SNR ratio. answer 'EIRP' positive value of the SNR ratio is always better. Here is an example to tie together this information to come up with a very simple RF plan calculator for a single AP and a single client. + Access Point Power = 20 dBm + 50 foot antenna cable = – 3.35 dB Loss + Signal attenuation due to glass wall with metal frame = -6 dB + External Access Point Antenna = + 5.5 dBi gain + RSSI at WLAN Client = -75 dBm at 100ft from the AP + Noise level detected by WLAN Client = -85 dBm at 100ft from the AP Based on the above, we can calculate the following information. + EIRP of the AP at source = 20 – 3.35 + 5.5 = 22.15 dBm + Transmit power as signal passes through glass wall = 22.15 – 6 = 16.15 dBm + **SNR at Client = -75 + -85 = 10 dBm** (difference between Signal and Noise) Reference: [https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless\_Networks/Unified\_Access/CMX/CMX\_RFFund.html](https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/CMX/CMX_RFFund.html) Receive Signal Strength Indicator (RSSI) is a measurement of how well your device can hear a signal from an access point or router. It’s a value that is useful for determining if you have enough signal to get a good wireless connection. EIRP tells you what’s the actual transmit power of the antenna in milliwatts. dBm is an abbreviation for “decibels relative to one milliwatt,” where one milliwatt (1 mW) equals 1/1000 of a watt. It follows the same scale as dB. Therefore 0 dBm = 1 mW, 30 dBm = 1 W, and -20 dBm = 0.01 mW

Answer 49

D. text string

Answer 50

B. It does not require a RADIUS server certificate **Explanation** The EAP-FAST protocol is a publicly accessible IEEE 802.1X EAP type that Cisco developed to support customers that cannot enforce a strong password policy and want to deploy an 802.1X EAP type that does not require digital certificates. EAP-FAST is also designed for simplicity of deployment since it does not require a certificate on the wireless LAN client or on the RADIUS infrastructure yet incorporates a built-in provisioning mechanism.

Answer 51

B. Mobility express **Explanation** Mobility Express is the ability to use an access point (AP) as a controller instead of a real WLAN controller. But this solution is only suitable for small to midsize, or multi-site branch locations where you might not want to invest in a dedicated WLC. answer 'Autonomous' Mobility Express WLC can support up to 100 APs. Mobility Express WLC also uses CAPWAP to communicate to other APs. Note: Local mode is the most common mode that an AP operates in. This is also the default mode. In local mode, the LAP maintains a CAPWAP (or LWAPP) tunnel to its associated controller.

Answer 52

C. Patch **Explanation** A patch antenna, in its simplest form, is just a single rectangular (or circular) conductive plate that is spaced above a ground plane. Patch antennas are attractive due to their low profile and ease of fabrication. The azimuth and elevation plane patterns are derived by simply slicing through the 3D radiation pattern. In this case, **the azimuth plane pattern is obtained by slicing through the x-z plane, and the elevation plane pattern is formed by slicing through the y-z plane**. Note that there is one main lobe that is radiated out from the front of the antenna. There are three back lobes in the elevation plane (in this case), the strongest of which happens to be 180 degrees behind the peak of the main lobe, establishing the front-to-back ratio at about 14 dB. That is, the gain of the antenna 180 degrees behind the peak is 14 dB lower than the peak gain.

Answer 53

A. local WLC **Explanation** This paragraph was taken from the link [https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html#c5](https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html#c5): “The next step is to configure the WLC for the Internal web authentication. **Internal web authentication is the default web authentication type on WLCs**.” In step 4 of the link above, we will configure Security as described in this question. Therefore we can deduce this configuration is for Internal web authentication.

Answer 54

A. The hidden SSID was not manually configured on the client.

Answer 55

B. CISCO-CAPWAP-CONTROLLER.local **Explanation** The Lightweight AP (LAP) can discover controllers through your domain name server (DNS). For the access point (AP) to do so, you must configure your DNS to return controller IP addresses in response to **CISCO-LWAPP-CONTROLLER.localdomain**, where localdomain is the AP domain name. When an AP receives an IP address and DNS information from a DHCP server, it contacts the DNS to resolve CISCO-CAPWAP-CONTROLLER.localdomain. When the DNS sends a list of controller IP addresses, the AP sends discovery requests to the controllers. The AP will attempt to resolve the DNS name **CISCO-CAPWAP-CONTROLLER.localdomain**. When the AP is able to resolve this name to one or more IP addresses, the AP sends a unicast CAPWAP Discovery Message to the resolved IP address(es). Each WLC that receives the CAPWAP Discovery Request Message replies with a unicast CAPWAP Discovery Response to the AP.

Answer 56

A. On **Explanation** Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller’s distribution system ports into a single 802.3ad port channel. Restriction for Link aggregation: + LAG requires the EtherChannel to be configured for ‘mode on’ on both the controller and the Catalyst switch.

Answer 57

D. adaptive R **Explanation** 802.11r Fast Transition (FT) Roaming is an amendment to the 802.11 IEEE standards. It is a new concept for roaming. The initial handshake with the new AP occurs before the client roams to the target AP. Therefore it is called Fast Transition. 802.11r provides two methods of roaming: + Over-the-air: With this type of roaming, the client communicates directly with the target AP using IEEE 802.11 authentication with the Fast Transition (FT) authentication algorithm. + **Over-the-DS** (distribution system): With this type of roaming, the client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the controller. But both of these methods do not deal with legacy clients. The **802.11k** allows 11k capable clients to request a neighbor report containing information about known neighbor APs that are candidates for roaming. Reference: [https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html](https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html) IEEE **802.11v** is an amendment to the IEEE 802.11 standard which describes numerous enhancements to wireless network management. One such enhancement is Network assisted Power Savings which helps clients to improve the battery life by enabling them to sleep longer. Another enhancement is Network assisted Roaming which enables the WLAN to send requests to associated clients, advising the clients as to better APs to associate to. This is useful for both load balancing and in directing poorly connected clients. Reference: [https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b\_wl\_16\_10\_cg/802-11v.pdf](https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/802-11v.pdf) Cisco 802.11r supports three modes: + Pure mode: only allows 802.11r client to connect + Mixed mode: allows both clients that do and do not support FT to connect + Adaptive mode: does not advertise the FT AKM at all, but will use FT when supported clients connect Therefore “Adaptive mode” is the best answer here.

Answer 58

B. Yagi **Explanation** A Yagi antenna is formed by driving a simple antenna, typically a dipole or dipole-like antenna, and shaping the beam using a well-chosen series of non-driven elements whose length and spacing are tightly controlled. ![]() Reference: [https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/prod\_white\_paper0900aecd806a1a3e.html](https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/prod_white_paper0900aecd806a1a3e.html)

Answer 59

D. Not all of the controllers within the mobility group are using the same virtual interface IP address **Explanation** A prerequisite for configuring Mobility Groups is “All controllers must be configured with the same virtual interface IP address”. If all the controllers within a mobility group are not using the same virtual interface, inter-controller roaming may appear to work, but the handoff does not complete, **and the client loses connectivity for a period of time**. -\> Answer 'Not all of the controllers within the mobility group are using the same virtual interface IP address' is correct. Reference: [https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b\_cg85/mobility\_groups.html](https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/mobility_groups.html) Answer 'Not all of the controllers in the mobility group are using the same mobility group name' is not correct because when the client moves to a different mobility group (with different mobility group name), that client would be connected (provided that the new connected controller had information about this client in its mobility list already) or drop (if the new connected controller have not had information about this client in its mobility list). For more information please read the note below. Note: A mobility group is a set of controllers, identified by the same mobility group name, that defines the realm of seamless roaming for wireless clients. By creating a mobility group, you can enable multiple controllers in a network to dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers in the same mobility group can share the context and state of client devices as well as their list of access points so that they do not consider each other’s access points as rogue devices. ![]() Let’s take an example: The controllers in the ABC mobility group share access point and client information with each other. The controllers in the ABC mobility group do not share the access point or client information with the XYZ controllers, which are in a different mobility group. Therefore if a client from ABC mobility group moves to XYZ mobility group, **and the new connected controller does not have information about this client in its mobility list,** that client will be dropped. Note: Clients may roam between access points in different mobility groups if the controllers are included in each other’s mobility lists.

Answer 60

A. intra-controller **Explanation** Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. Three popular types of client roaming are: **Intra-Controller Roaming**: Each controller supports same-controller client roaming across access points managed by the same controller. This roaming is transparent to the client as the session is sustained, and the client continues using the same DHCP-assigned or client-assigned IP address. **Inter-Controller Roaming**: Multiple-controller deployments support client roaming across access points managed by controllers in the same mobility group and on the same subnet. This roaming is also transparent to the client because the session is sustained and a tunnel between controllers allows the client to continue using the same DHCP- or client-assigned IP address as long as the session remains active. **Inter-Subnet Roaming**: Multiple-controller deployments support client roaming across access points managed by controllers in the same mobility group on different subnets. This roaming is transparent to the client because the session is sustained and a tunnel between the controllers allows the client to continue using the same DHCP-assigned or client-assigned IP address as long as the session remains active. Reference: [https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b\_cg74\_CONSOLIDATED/b\_cg74\_CONSOLIDATED\_chapter\_01100.html](https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01100.html)

Answer 61

A. The AP is joining a primed WLC

Answer 62

B. increase the dynamic channel assignment interval **Explanation** These message logs inform that the radio channel has been reset (and the AP must be down briefly). With dynamic channel assignment (DCA), the radios can frequently switch from one channel to another but it also makes disruption. The default DCA interval is 10 minutes, which is matched with the time of the message logs. By increasing the DCA interval, we can reduce the number of times our users are disconnected for changing radio channels.

Answer 63

A. EIRP **Explanation** Once you know the complete combination of transmitter power level, the length of cable, and the antenna gain, you can figure out the actual power level that will be radiated from the antenna. This is known as the effective isotropic radiated power (EIRP), measured in dBm. EIRP is a very important parameter because it is regulated by governmental agencies in most countries. In those cases, a system cannot radiate signals higher than a maximum allowable EIRP. To find the EIRP of a system, simply add the transmitter power level to the antenna gain and subtract the cable loss. ![]() **EIRP = Tx Power – Tx Cable + Tx Antenna** Suppose a transmitter is configured for a power level of 10 dBm (10 mW). A cable with 5-dB loss connects the transmitter to an antenna with an 8-dBi gain. The resulting EIRP of the system is 10 dBm – 5 dB + 8 dBi, or 13 dBm. You might notice that the EIRP is made up of decibel-milliwatt (dBm), dB relative to an isotropic antenna (dBi), and decibel (dB) values. Even though the units appear to be different, you can safely combine them because they are all in the dB “domain”. Reference: CCNA Wireless 640-722 Official Cert Guide

Answer 64

B. Option 43

Answer 65

C. the interface specified on the WLAN configuration

Answer 66

C. unicast discovery request to each WLC **Explanation** The AP will attempt to resolve the DNS name CISCO-CAPWAP-CONTROLLER.localdomain. When the AP is able to resolve this name to one or more IP addresses, the AP sends a unicast CAPWAP Discovery Message to the resolved IP address(es). Each WLC that receives the CAPWAP Discovery Request Message replies with a unicast CAPWAP Discovery Response to the AP. Reference: [https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107606-dns-wlc-config.html](https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107606-dns-wlc-config.html)

Answer 67

B. sensor mode **Explanation** As these wireless networks grow especially in remote facilities where IT professionals may not always be on site, it becomes even more important to be able to quickly identify and resolve potential connectivity issues ideally before the users complain or notice connectivity degradation. To address these issues we have created Cisco’s Wireless Service Assurance and a new AP mode called “sensor” mode. Cisco’s Wireless Service Assurance platform has three components, namely, Wireless Performance Analytics, Real-time Client Troubleshooting, and Proactive Health Assessment. Using a supported AP or dedicated sensor **the device can actually function much like a WLAN client would associating and identifying client connectivity issues** within the network in real time without requiring an IT or technician to be on site. Reference: [https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/dam/en/us/td/docs/wireless/controller/technotes/8-5/b\_Cisco\_Aironet\_Sensor\_Deployment\_Guide.html.xml](https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/dam/en/us/td/docs/wireless/controller/technotes/8-5/b_Cisco_Aironet_Sensor_Deployment_Guide.html.xml)

Answer 68

D.syslog level errors and less severity messages **Explanation** At first, we thought "greater severity" means higher prioriry (or severity with smaller value) in the Syslog level table below: **Level****Keyword****Description**0emergenciesSystem is unusable1alertsImmediate action is needed2criticalCritical conditions exist3errorsError conditions exist4warningsWarning conditions exist5notificationNormal, but significant, conditions exist6informationalInformational messages7debuggingDebugging messages For example, levels 0 to 4 are "greater severity" than level 5. But according to this [Cisco link](https://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/107252-WLC-Syslog-Server.html): "If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Notifications (severity level 5), only those messages whose severity is betwen 0 and 5 are sent to the syslog servers." The correct answer for this question should be "equal or less severity".

Answer 69

A. fish tank D. mirrored wall **Explanation** Windows can actually block your WiFi signal. How? Because the signals will be reflected by the glass. Some new windows have transparent films that can block certain wave types, and this can make it harder for your WiFi signal to pass through. Tinted glass is another problem for the same reasons. They sometimes contain metallic films that can completely block out your signal. Mirrors, like windows, can reflect your signal. They’re also a source of electromagnetic interference because of their metal backings. Reference: [https://dis-dot-dat.net/what-materials-can-block-a-wifi-signal/](https://dis-dot-dat.net/what-materials-can-block-a-wifi-signal/) An incandescent light bulb, incandescent lamp or incandescent light globe is an electric light with a wire filament heated until it glows. WiFi operates in the gigahertz microwave band. The FCC has strict regulations on RFI (radio frequency interference) from all sorts of things, including light bulbs -\> Incandesent lights do not interfere Wi-Fi networks. Note: + Many baby monitors operate at 900MHz and won’t interfere with Wi-Fi, which uses the 2.4GHz band. + DECT cordless phone 6.0 is designed to eliminate wifi interference by operating on a different frequency. There is essentially no such thing as DECT wifi interference.

Answer 70

D. The client database entry moves from controller A to controller B **Explanation** This is called Inter Controller-L2 Roaming. Inter-Controller (normally layer 2) roaming occurs when a client roam between two APs registered to two different controllers, where each controller has an interface in the client subnet. In this instance, controllers exchange mobility control messages (over UDP port 16666) and the client database entry is moved from the original controller to the new controller.

Answer 71

A. saquery-retry-time C. mandatory F. association-comeback

Answer 72

A. configure option 43 Hex F104.AC10.3205 **Explanation** We will have the answer from this paragraph: “TLV values for the Option 43 suboption: Type + Length + Value. Type is always the suboption code 0xf1. Length is the number of controller management IP addresses times 4 in hex. Value is the IP address of the controller listed sequentially in hex. For example, suppose there are two controllers with management interface IP addresses, 192.168.10.5 and 192.168.10.20. The type is 0xf1. The length is 2 \* 4 = 8 = 0x08. The IP addresses translates to c0a80a05 (192.168.10.5) and c0a80a14 (192.168.10.20). When the string is assembled, it yields f108c0a80a05c0a80a14. The Cisco IOS command that is added to the DHCP scope is option 43 hex f108c0a80a05c0a80a14.” Reference: [https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-00.html](https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-00.html) Therefore in this question the option 43 in hex should be “F104.AC10.3205 (the management IP address of 172.16.50.5 in hex is AC.10.32.05).

Answer 73

D. mW **Explanation** Output power is measured in mW (milliwatts). A milliwatt is equal to one thousandth (10⁻³) of a watt.

Answer 74

D. When the AP is in connected mode, the client will be placed in VLAN 15. E. While the AP is in standalone mode, the client will be placed in VLAN 10. F. When the AP transitions to connected mode, the client will be de-authenticated. **Explanation** + From the output of WLC “show interface summary”, we learned that the WLC has four VLANs: 999, 14, 15 and 16. + From the “show ap config general FlexAP1” output, we learned that FlexConnect AP has four VLANs: 10, 11, 12 and 13. Also the WLAN of FlexConnect AP is mapped to VLAN 10 (from the line “WLAN 1: …… 10 (AP-Specific)). From the reference at: [https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise\_Mobility\_8-1\_Deployment\_Guide/ch7\_HREA.html](https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/ch7_HREA.html) **FlexConnect VLAN Central Switching Summary** Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows: + If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC. (-\> as VLAN 15 exists on the WLC so the client in connected mode would be assigned this VLAN -\> Answer 'When the AP is in connected mode, the client will be placed in VLAN 15' is correct) + If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC. + If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally. + If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally. Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows: + If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP) (-\> Therefore answer 'While the AP is in standalone mode, the client will be placed in VLAN 10' is correct). When the AP connects back, this client is de-authenticated (-\> Therefore answer 'When the AP transitions to connected mode, the client will be de-authenticated' is correct) and will switch traffic centrally.

Answer 75

B. antenna cable loss **Explanation** Once you know the complete combination of transmitter power level, the length of cable, and the antenna gain, you can figure out the actual power level that will be radiated from the antenna. This is known as the effective isotropic radiated power (EIRP), measured in dBm. EIRP is a very important parameter because it is regulated by governmental agencies in most countries. In those cases, a system cannot radiate signals higher than a maximum allowable EIRP. To find the EIRP of a system, simply add the transmitter power level to the antenna gain and subtract the cable loss. ![]() **EIRP = Tx Power – Tx Cable + Tx Antenna** Suppose a transmitter is configured for a power level of 10 dBm (10 mW). A cable with 5-dB loss connects the transmitter to an antenna with an 8-dBi gain. The resulting EIRP of the system is 10 dBm – 5 dB + 8 dBi, or 13 dBm. You might notice that the EIRP is made up of decibel-milliwatt (dBm), dB relative to an isotropic antenna (dBi), and decibel (dB) values. Even though the units appear to be different, you can safely combine them because they are all in the dB “domain”. Reference: CCNA Wireless 640-722 Official Cert Guide

Answer 76

D. omnidirectional antenna **Explanation** **Directional antennas** Directional antennas come in many different styles and shapes. An antenna does not offer any added power to the signal; it simply redirects the energy it receives from the transmitter. By redirecting this energy, it has the effect of providing more energy in one direction and less energy in all other directions. As the gain of a directional antenna increases, the angle of radiation usually decreases, providing a greater coverage distance but with a reduced coverage angle. Directional antennas include patch antennas and parabolic dishes. Parabolic dishes have a very narrow RF energy path, and the installer must be accurate in aiming these types of antennas at each other. ![]()Directional patch antenna Reference: [https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/product\_data\_sheet09186a008008883b.html](https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/product_data_sheet09186a008008883b.html) **Omnidirectional antennas** An omnidirectional antenna is designed to provide a 360-degree radiation pattern. This type of antenna is used when coverage in all directions from the antenna is required. The standard 2.14-dBi “rubber duck” is one style of omnidirectional antenna. ![]()Omnidirectional antenna -\> Therefore Omnidirectional antenna is best suited for a high-density wireless network in a lecture hall.

Answer 77

D. It registers the LAPs if the primary controller fails. **Explanation** When the primary controller (WLC-1) goes down, the APs automatically get registered with the secondary controller (WLC-2). The APs register back to the primary controller when the primary controller comes back on line. Reference: [https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69639-wlc-failover.html](https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69639-wlc-failover.html)