Appendix A. Answers to the “Do I Know This Already?” Quizzes

Chapter 1

1. B. The area ID, authentication, hello/dead intervals, stub flag, and maximum transmission unit (MTU) size must match to form OSPF adjacencies.

2. B, C. The router with the highest OSPF priority will be elected as the DR. If there is a tie, the router with the higher ID will be elected as the DR.

3. B, C. When multiple OSPF routers are connected to a multi-access medium such as Ethernet or nonbroadcast multiple access (NBMA), a designated router (DR) and a backup designated router (BDR) are elected. DRs reduce network traffic because only they maintain the complete OSPF database and then send updates to the other routers on the shared network segment.

4. B, D. The OSPF IPv6 interface to a link can have more than one IPv6 address. In fact, a single link can belong to multiple subnets, and two interfaces attached to the same link but belonging to different IPv6 subnets can still communicate. OSPFv3 changes the OSPFv2 language of “subnet” to “link” and allows the exchange of packets between two neighbors on the same link but belonging to different IPv6 subnets.

5. A. IPv6 routing uses link-local addresses to form routing adjacencies.

6. C. BGP path selection order: 1. Weight, 2. Local_Pref, 3. Local path, 4. AS_Path, 5. Origin type, 6. multi-exit discriminator (MED), 7. eBGP/iBGP, 8. Metric.

7. D. The show ip bgp summary command displays summarized information about the status of all BGP connections.

8. A. External BGP (eBGP) is used to establish sessions and exchange route information between two or more autonomous systems. Internal BGP (iBGP) is used by routers that belong to the same autonomous system (AS).

9. C. A detect multiplier is the number of missing BFD hello messages from another BFD device before this local device detects a fault in the forwarding path.

10. B. MLDv1 is similar to IGMPv2, and MLDv2 is similar to IGMPv3.

11. A, C. In multicast routing, the decision to forward traffic is based on the source address, not on the destination address as in unicast routing.

12. A, D, E. The HSRP default hello time is 3 seconds, and the default hold time is 10 seconds. The virtual IP must be on the same subnet as the interface IP address. HSRP version 1 supports group numbers from 0 to 255.

13. B. VRRP object tracking provides a way to ensure the best VRRP router is the virtual router master for the group by altering VRRP priorities to the status of tracked objects, such as the interface or IP route states.

14. A. The standby preempt command enables the Hot Standby Router Protocol (HSRP) router with the highest priority to immediately become the active router.

15. A. In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095.

Chapter 2

1. C. The smallest numeric bridge ID wins the election.

2. E. Enabling the PortFast feature causes a switch or a trunk port to enter the STP forwarding state immediately or upon a linkup event, thus bypassing the listening and learning states.

3. B, D. The IEEE 802.1w standard, called Rapid STP or RSTP, provides faster STP.

4. B. When Rapid PVST+ detects a topology change, the protocol does the following: it starts the topology change (TC) While timer, with a value equal to twice the hello time, for all the non-edge root and designated ports, if necessary, and then flushes the MAC addresses associated with all these ports.

5. A, C, D. The Link Aggregation Control Protocol (LACP) is part of the IEEE specification 802.3ad, so it can be used on non-Cisco devices.

With the mode active, the switch sends LACP packets, initiates negotiations with remote ports, and can form a port channel if it receives a response.

The LACP uses the port priority with the port number to form the port identifier. The port priority determines which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.

6. A. The port channel interface represents the whole bundle, and all the configurations on this interface are applied to all physical ports that are assigned to this logical interface.

7. A, C. Fabric Extender (FEX) supports the port channel and virtual port channel for uplink aggregation.

8. B. vPC peers use the Cisco Fabric Services protocol to synchronize forwarding-plane information and implement necessary configuration checks.

9. B. There are two types of consistency check failures: the ones that will bring down the entire port channel (these are type 1) and the ones that only cause an error or keep a single VLAN or group of VLANs from becoming active on the port channel (type 2). MTU is a type 1 consistency check failure, whereas QoS, SVI, and ACL are all type 2.

10. B, D. From vPC general guidelines, a vPC must be configured on a pair of Cisco Nexus switches of the same type. For example, you can deploy a vPC on a pair of Cisco Nexus 5000 Series switches or Cisco Nexus 7000 Platform switches but not on a combination of them. A vPC keepalive should not run across a vPC peer link. A vPC domain, by definition, consists of a pair of switches that are identified by a shared vPC domain ID. You can use vPC as a Layer 2 link to establish a routing adjacency between two external routers.

Chapter 3

1. A. Overlay transportation introduces the concept of “MAC routing,” which will encapsulate Layer 2 traffic over the OTV tunnel.

2. C. The join interface is used to source the OTV-encapsulated traffic and send it to the Layer 3 domain of the data center network.

3. D. IS-IS control-plane traffic exchanges reachability information between remote sites to build up a table that maps MAC addresses to the IP address of the edge device that is local to the MAC address.

4. C. The underlay network—the bottom of that layer—provides a foundation for all other network services. The underlay transmits VXLAN and other overlay packets, so administrators must understand a different way to address connectivity issues.

5. D. Virtual Extensible LAN extends the VLAN address space and adds a 24-bit segment ID, increasing available IDs to 16 million. Millions of isolated Layer 2 VXLAN networks can coexist on a common Layer 3 infrastructure because the VXLAN segment ID in each frame segregates individual logical networks.

6. B. The port channel interface represents the whole bundle, and all the configurations on this interface are applied to all physical ports that are assigned to this logical interface.

Chapter 4

1. C, D. In a two-tier CLOS architecture, every lower-tier switch (leaf layer) is connected to each of the top-tier switches (spine layer) in a full-mesh topology. APIC connects to leaf devices only.

2. C, D. The Cisco APIC uses the concept of endpoints and policies. The endpoints are virtual machines (VMs) or physical servers.

3. C. The APIC discovers the IP address and node information of other Cisco APIC controllers in the cluster using the Link Layer Discovery Protocol (LLDP)-based discovery process.

4. D. All traffic in the ACI fabric is normalized as VXLAN packets. At ingress, the ACI encapsulates external VLAN, VXLAN, and NVGRE packets in a VXLAN packet.

5. B. The APIC manages the fabric. It is recommended to have a minimum of three APIC controllers in a cluster (N+2 redundancy).

6. A. The Virtual Machine Manager (VMM) domain profile groups VM controllers with similar networking policy requirements. For example, VM controllers can share VLAN pools and application endpoint groups (EPGs). The APIC communicates with the controller to publish network configurations such as port groups that are then applied to the virtual workloads.

7. A, C. Contract filters are used to classify traffic based on Layer 2 to Layer 4 attributes (such as Ethernet type, protocol type, TCP flags, and ports).

Chapter 5

1. A. The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

2. D. NIST identifies cloud computing with five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.

3. A, B, D. The most popular cloud computing service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

4. B. PaaS delivers the Networking, Storage, Servers, Virtualization, Operating System, Middleware, and Runtime layers as a service to cloud consumers.

5. A, B, C. The four most popular cloud deployment models are the private cloud, public cloud, hybrid cloud, and community cloud.

6. D. In the private cloud, the infrastructure is provisioned for a single organization; therefore, it provides better data security and regulatory compliance compared to the public, hybrid, and community clouds where the infrastructure is shared between multiple cloud consumers.

Chapter 6

1. B, D. When a boot is successful, you can use the setup utility to build an initial configuration file using the System Configuration dialog. The setup starts automatically when a device has no configuration file in NVRAM. The dialog guides you through the initial configuration.

2. B, C. For POAP, Cisco offers sample configuration scripts that were developed using the Python programming language and Tool command language (Tcl).

3. A, C. Cisco NX-OS can automatically generate system checkpoints to help you avoid a loss of configuration information. System checkpoints are generated by the following events:

• When an enabled feature is disabled with the no feature command

• When an instance of a Layer 3 protocol is removed, such as with the no router bgp command or the no ip pim sparse-mode command

• When a feature’s license expires

4. B. The default NTP port is UDP 161.

5. B. Because Cisco NX-OS cannot connect to a radio or atomic clock and act as a stratum 1 server, Cisco recommends that you use the public NTP servers available on the Internet.

6. A, B. Cisco NX-OS streaming telemetry allows you to push data off the device to a defined endpoint as JavaScript Object Notation (JSON) or using Google Protocol Buffers (GPB) at a much higher frequency and more efficiently.

7. A, D. With the Cisco Network Assurance Engine, you can predict the impact of changes, verify networkwide behavior, and assure network security policy and compliance.

Chapter 7

1. D. The fabric initialization process consists of four phases: principal switch selection, domain ID distribution, FCID allocation, and fabric reconfiguration.

2. A. The lowest run-time priority is considered the highest priority during the principal switch selection process. By default, the configured priority is 128. The valid range to set the priority is between 1 and 254.

3. A, D. FLOGI happens between the N port and an F port. After an FC device (host) is attached to the FC fabric, it performs fabric login. The host (N port) sends the FLOGI request to the well-known fabric login server address 0xfffffe. The FLOGI frame contains its node name, N port name, and service parameters.

4. A. CFS is a peer-to-peer protocol with no client/server relationship.

5. A, C, D. CFS uses three modes of distribution: coordinated distributions, uncoordinated distributions, and unrestricted uncoordinated distributions. Coordinated distributions allow only one distribution in the fabric at any given time. Uncoordinated distributions allow multiple parallel distributions in the fabric except when a coordinated distribution is in progress. Unrestricted uncoordinated distributions allow multiple parallel distributions in the fabric in the presence of an existing coordinated distribution.

6. A. Multiple VSANs can share the same physical topology.

7. B. Theoretically, up to 256 VSANs can be configured in a switch. Of these, one is a default VSAN (VSAN 1), and another is an isolated VSAN (VSAN 4094). User-specified VSAN IDs range from 2 to 4093.

8. C. Port channel can be formed between E ports and TE ports, F ports and NP ports, and TF ports and TNP ports. E ports and F ports will not form a port channel because the E port is used to connect to another switch and the F port is used to connect a peripheral device (host or disk).

9. B, C. In Active mode, when you add or modify a port channel interface, the SAN port channel automatically recovers. Also, the ON mode is the default mode in SAN port channels, not the Active mode.

10. A. Devices can belong to more than one zone.

11. A, B, D. Zone membership can be defined using the port World Wide Name (pWWN), Fabric pWWN, FCID, interface and switch WWN (sWWN), interface and domain ID, domain ID and port number, IPv4 address, IPv6 address, and symbolic-nodename.

12. C. The device alias information is independent of the VSAN configuration. The device alias configuration and distribution are independent of the zone server and the zone server database. A device alias name is restricted to 64 alphanumeric characters.

13. B. When you commit the changes made to the pending database of the device alias, the pending database content overwrites the effective database content. The pending database is distributed to the switches in the fabric, and the effective database on those switches is overwritten with the new changes. Also, the fabric lock is released.

14. B. When an NP uplink is established, the edge switch sends a fabric login message (FLOGI) to the core switch, and then (if the FLOGI is successful) it registers itself with the name server on the core switch. Subsequent FLOGIs from end devices connected to this NP uplink are converted to fabric discovery messages (FDISCs).

Chapter 8

1. D. IEEE 802.1Q defines eight priorities but not a simple, effective, and consistent scheduling mechanism between them. IEEE 802.11 Qaz ETS (Enhanced Transmission Selection) allows assignment of bandwidth to each priority group.

2. A. FCoE is implemented by encapsulating an FC frame in an Ethernet packet with the dedicated Ethertypes 0x8906 (FCoE) and 0x8914 (FIP).

3. A. In the VLAN discovery phase, an end device (CNA) broadcasts a request for the FCoE VLAN. The request occurs on the native VLAN. In the FCF discovery phase, the CNA broadcasts a solicitation to find an FCF to log in to. Broadcasts go out on the FCoE VLAN. In the FLOGI/DISC phase, the CNA performs a fabric login using FLOGI or FLOGI with NPV FDISC. In the FC commands phase, the CNA begins normal FC data commands using Ethertype 0x8906.

4. A, C, D. Each virtual Fibre Channel interface is associated with only one VSAN.

5. D. Three single-hop solutions are possible when FCoE is deployed using Cisco Nexus switches: FCoE direct-attached topology, FCoE FEX topology, and FCoE remote-attached topology.

6. A. DCBX allows the switch to send a LAN Logical Link Status (LLS) message to a directly connected CNA. To disable LAN traffic on an FCoE link, you can use the shutdown lan command to send an LLS-Down message to the CNA. This command causes all VLANs on the interface that are not enabled for FCoE to be brought down. If a VLAN on the interface is enabled for FCoE, it continues to carry SAN traffic without any interruption.

7. A, C, D. Connectivity from an FCoE NPV bridge to the FCF is supported only over point-to-point links.

Chapter 9

1. D. NFS version 3 introduced support for larger files and file systems such as 64-bit file sizes and offsets. NFSv4.1 introduced pNFS extension and NFS multipathing (or session trunking mechanism). NFSv4.2 introduced the server-side clone and copy feature, which allows a file to be copied between servers without copying it to the client first.

2. D. NFS versions 2 and 3 support both TCP and UDP. NFS version 4 supports only TCP as its transport protocol.

3. A, D. NAS supports two file- and data-sharing protocols: Common Internet File System (CIFS) and Network File System (NFS).

4. C. Network-attached storage (NAS) is a centralized file-level (as opposed to block-level) external data storage server connected to a network providing data access to a heterogeneous group of clients.

Chapter 10

1. D. You can configure both in-band and out-of-band configuration using the Cisco MDS NX-OS Setup Utility.

2. A, B. The Cisco MDS NX-OS software consists of two images: the kickstart image and the system image.

3. B. The show incompatibility-all system bootflash: system image filename command determines which features are incompatible with the destination upgrade release.

4. A, C. You can upgrade any switch in the Cisco MDS 9000 Family by using the automated, one-step upgrade using the install all command or by doing a manual upgrade by changing the boot statements to point to the destination upgrade image and using the reload command. An automated upgrade using the install all command is nondisruptive and doesn’t require a switch reload, but it disrupts the control plane for about 80 seconds.

5. D. Log messages are not saved across system reboots. However, a maximum of 100 log messages with a severity level of critical and below (levels 0, 1, and 2) is saved in NVRAM.

6. A, C. Each SPAN session represents an association of one destination with a set of sources along with various other parameters that you specify to monitor the network traffic. One destination can be used by one or more SPAN sessions. The SD port does not have a VSAN port.

Chapter 11

1. A, B. The Cisco UCS Mini solution extends the Cisco UCS architecture into environments that require smaller domains, including branch and remote offices, point-of-sale locations, and smaller IT environments. The Cisco UCS Mini has three main infrastructure components:

• Cisco UCS 6324 Fabric Interconnect

• Cisco UCS blade server chassis

• Cisco UCS blade or rack-mount servers

2. A, D. In a blade chassis, the FEX fabric link (the link between the FEX and the FI) supports two different types of connections:

• Discrete mode

• Port channel mode

3. C. A service profile typically includes four types of information:

Server definition: It defines the resources (for example, a specific server or a blade inserted to a specific chassis) that are required to apply to the profile.

Identity information: Identity information includes the universally unique identifier (UUID), Media Access Control (MAC) address for each virtual network interface card (vNIC), and World Wide Name (WWN) specifications for each host bus adapter (HBA).

Firmware revision specifications: These specifications are used when a certain tested firmware revision is required to be installed or for some other reason a specific firmware is used.

Connectivity definition: This definition is used to configure network adapters, Fabric Extenders, and parent interconnects; however, this information is abstract because it does not include the details of how each network component is configured.

4. C, D. The command-line interface cluster verification commands are show cluster extended-state and show cluster state.

5. F. You can verify the server status by clicking the Equipment tab, Chassis, and then the Server General tab.

6. D. When you delete a specified VLAN, the ports associated with that VLAN are shut down and no traffic flows from it.

7. C, D. Unicast traffic in Cisco UCS has the following characteristics:

• Each server link is pinned to exactly one uplink port (or port channel).

• Server-to-server Layer 2 traffic is locally switched.

• Server-to-network traffic goes out on its pinned uplink port.

8. C. The Cisco Unified Computing System model supports multiple ways to connect with centralized storage. The first storage connectivity method uses a pure Ethernet IP network to connect the servers to both their user community and the shared storage array. Communication between the servers and storage over IP can be accomplished by using a Small Computer System Interface over IP (iSCSI).

9. D. A storage-area network (SAN) introduces the flexibility of networking to enable one server or many heterogeneous servers to share a common storage utility. A network might include many storage devices, including disk, tape, and optical storage. Additionally, the storage utility might be located far from the servers that it uses. This type of storage provides maximum reliability, expandability, and performance. The SAN is the most resilient, highly scalable, and high-performance storage.

Chapter 12

1. A, C. The type of destination port determines what kind of monitoring session you need. For an Ethernet traffic monitoring session, the destination port must be an unconfigured physical port. For a Fibre Channel traffic monitoring session, the destination port must be a Fibre Channel uplink port, except when you are using Cisco UCS 6454 Fabric Interconnects and 6300 Series Fabric Interconnects.

2. D. Audit logs record system events that occurred, where they occurred, and which users initiated them.

3. C. The SELs are stored in the CIMC NVRAM through an SEL log policy. It is best practice to periodically download and clear the SELs. The SEL file is approximately 40 KB in size, and no further events can be recorded when it is full. It must be cleared before additional events can be recorded.

4. B, C. Only Essential and Advanced support the Intersight virtual appliance.

5. B. Upgrades to Intersight are delivered automatically and do not require any resources.

Chapter 13

1. A, C. The two types of backup policies are All configuration and Full state.

2. C. In a logical configuration, an XML file includes all logical configuration settings such as service profiles, VLANs, VSANs, pools, and policies. You can use the file generated from this backup to import these configuration settings to the original fabric interconnect or to a different fabric interconnect. You cannot use this file for a system restore.

3. A, D. The Cisco UCS Manager supports two methods to restore or import backup data. You can use one of the following methods to import and update a system configuration through the Cisco UCS:

Merge: The information in the imported configuration file is compared with the existing configuration information. If there are conflicts, the import operation overwrites the information on the Cisco UCS domain with the information in the import configuration file.

Replace: The current configuration information is replaced with the information in the imported configuration file one object at a time.

4. B. You can use Auto Install to upgrade the infrastructure components to one version of Cisco UCS and upgrade the chassis and server components to a different version.

5. A. You cannot cancel a server firmware upgrade process after you complete the configuration in the Install Server Firmware wizard. The Cisco UCS Manager applies the changes immediately. However, the timing of the actual reboot of servers depends on the maintenance policy in the service profile associated with the server.

Chapter 14

1. A. The HyperFlex system offers one-click integration with VMware vSphere, allowing your IT staff to extend their virtualization skills to storage and management; the purpose is to get better visibility into and control over your computing, network, and storage resources from a single console.

2. D. HyperFlex delivers

• Intelligent end-to-end automation, including networking

• Unified management

• Resource scaling

• Bigger virtual machine density and lower jitter and latency

3. B, C. You can automate processes yourself with interfaces to the Cisco UCS Manager through Microsoft PowerShell and Python.

4. B. You can perform deep learning on GPU-only nodes in the data center and drive inferencing with up to two NVIDIA Tesla T4 and P6 GPUs in edge nodes and up to six NVIDIA Tesla GPUs in Cisco HyperFlex HX240c nodes.

5. A, B, E. Cisco UCS provides a single point of connectivity that integrates Cisco HyperFlex HX-Series All-Flash or hybrid nodes and a variety of Cisco UCS servers into a single unified cluster. Cisco offers you the flexibility to choose a combination of CPU, flash memory, graphics acceleration, and disk storage resources.

6. B. Cisco provides an architectural performance edge with NVMe drives connected directly to the CPU rather than through a latency-inducing PCIe switch.

Chapter 15

1. A, C. In the EEM, event statements monitor events on Cisco NX-OS components that may require some action, workaround, or notification. Action statements take action, such as sending an email or disabling an interface, to recover from an event.

2. A, B, D. EEM supports the following actions in action statements: generate a syslog message, reload the device, and update a counter. EEM can’t generate a Python script by itself.

3. A, B. The Scheduler does not apply a default timetable. If you create a schedule and assign jobs but do not configure a timetable, the job is not started. The Scheduler feature must be enabled before the Scheduler can be configured.

4. A, C, D. You can configure only Daily, Weekly, Monthly, Delta (the job begins at a specified start time and then at specified intervals), and one-time mode intervals for job scheduling in the Scheduler.

5. B. You enable the Bash shell by running the command feature bash-shell. The run bash command loads Bash and begins at the home directory for the user.

6. C. The Guest Shell runs within a Linux Container (LXC), a decoupled execution space on the underlying Linux environment. It doesn’t support Windows applications.

7. A, D. Each XML document must have one and only one root element. Also, XML is case sensitive. For example, <Device> and <device> are considered two different elements.

8. C. XML is more verbose than JSON and usually uses more characters to express the same data than JSON. JSON includes arrays, whereas XML doesn’t include arrays. A proper JSON object begins with a left brace { and ends with a right brace }.

9. A, B, D. GET, POST, PUT, and DELETE are the allowed HTTP methods for REST API requests.

10. A. NX-API response elements consist of version, type, sid, outputs, output, input, body, code, and msg; chunk belongs to the NX-API request element.

Chapter 16

1. C. Ansible playbooks are written in YAML structured format.

2. C, D. Ansible playbooks are written in YAML structured format and contain Ansible domain-specific language (DSL). Ansible is agentless; therefore, Ansible playbooks are deployed to an Ansible control station and not an Ansible agent.

3. D. Puppet agent installation is supported only on Bash shell, Guest shell, and Open Agent Container (OAC).

4. D. Executing the puppet agent command (with no arguments) starts the Puppet agent process with a default run interval of 30 minutes. The -t option runs the Puppet agent in test mode, which runs the agent a single time and stops.

5. A. The python package for Cisco is named cisco. The cisco package contains various modules, including cisco_secret, cisco_socket, and acl.

6. C. clip() prints the output of the CLI command directly to stdout and returns nothing to Python. cli() returns the raw output of CLI commands, including control or special characters. clid() returns JSON output for the CLI command, if XML support exists for the command; otherwise, an exception is thrown. clistdout() is not an API.

7. B, C. Checking for a USB device containing the configuration script file in POAP mode is NOT supported on the Cisco Nexus 9000 series switches. POAP requires a minimum DHCP lease period of 3600 seconds (1 hour). POAP checks the DHCP lease period. If the DHCP lease period is set to less than 3600 seconds (1 hour), POAP does not complete the DHCP negotiation.

8. B. The POAP process has the following phases: (1) Power-up phase, (2) USB discovery phase, (3) DHCP discovery phase, (4) Script execution phase, and (5) Post-installation phase.

9. A, B, D. DCNM can be deployed in four variants—namely, classic LAN, LAN Fabric, Media Controller, and SAN management.

10. B. DCNM Classic LAN deployment has the following menus: Dashboard, Topology, Inventory, Monitor, Configure, Administration, and Applications.

11. C. With the Cisco UCS Director, you can automate a wide array of tasks and use cases across a wide variety of supported Cisco and non-Cisco hardware and software data center components.

12. A. CloudSense Analytics in Cisco UCS Director provides visibility into the infrastructure resources utilization, critical performance metrics across the IT infrastructure stack, and capacity in real time. CloudSense significantly improves capacity trending, forecasting, reporting, and planning of virtual and cloud infrastructures.

13. D. The PowerShell agent returns the output to the Cisco UCS Director as the payload in an HTTP response and not HTTPS response.

Chapter 17

1. B, C. Nexus devices support local and remote AAA. Remote AAA services are provided through the RADIUS and TACACS+ protocols. TCP/IP is not an AAA protocol, and LDAP is not commonly used for network authentication.

2. B. The aaa authentication login default group tacacs+ local command uses AAA as a default login and tries the TACACS+ group because it is first in the list; then it tries the local account.

3. B, D. RADIUS uses the UDP 1645/1646 and 1812/1813 ports.

4. A, B. By default, the user accounts without an administrator role can access only the show, exit, end, and configure terminal commands. You can add rules to allow users to configure features.

5. B. The device validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled. The device forwards the DHCP packet unless any of the following conditions occur (in which case, the packet is dropped):

• The device receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER packet) on an untrusted interface.

• The device receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.

• The device receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
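The three drop conditions above can be read as a small decision procedure. The following is an added example, written for this appendix and not taken from the book or from Cisco NX-OS: it models the snooping verdict for a packet given a constructed configuration (snooping enabled on VLAN 10, Eth1/1 trusted), a constructed binding table and a handful of constructed DHCP packets. Names such as `DhcpPacket`, `SnoopingConfig` and `snooping_verdict` are this example's own.

```python
"""Model of the DHCP snooping drop conditions listed in the answer to Chapter 17, question 5.

Added example; it is not code from the book or from Cisco NX-OS. The packet records,
the trusted-interface set and the binding table below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Message types only a DHCP server should send (drop reason 1 when seen on an untrusted port).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
# Messages whose ingress interface is checked against the binding table (drop reason 3).
RELEASE_MESSAGES = {"DHCPRELEASE", "DHCPDECLINE"}


@dataclass(frozen=True)
class DhcpPacket:
    msg_type: str    # DHCP message type, e.g. "DHCPDISCOVER"
    vlan: int        # VLAN the frame arrived on
    ingress_if: str  # interface the frame arrived on
    src_mac: str     # Ethernet source MAC address
    chaddr: str      # DHCP client hardware address field


@dataclass
class SnoopingConfig:
    enabled_vlans: Set[int]  # VLANs with DHCP snooping enabled
    trusted_ifs: Set[str]    # interfaces facing legitimate DHCP servers / uplinks
    mac_verify: bool = True  # DHCP snooping MAC address verification option


def snooping_verdict(pkt: DhcpPacket, cfg: SnoopingConfig,
                     bindings: Dict[str, str]) -> Optional[str]:
    """Return None to forward the packet, or a string naming the drop reason.

    `bindings` maps a client MAC (lower-case) to the interface recorded in the
    snooping binding table.
    """
    # Only packets on snooping-enabled VLANs that arrive on untrusted ports are validated.
    if pkt.vlan not in cfg.enabled_vlans or pkt.ingress_if in cfg.trusted_ifs:
        return None
    # Reason 1: a server reply arriving on an untrusted port.
    if pkt.msg_type in SERVER_MESSAGES:
        return "server message on untrusted interface"
    # Reason 2: source MAC and chaddr disagree (checked only when MAC verification is on).
    if cfg.mac_verify and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "source MAC does not match client hardware address"
    # Reason 3: RELEASE/DECLINE for a bound client arriving on a different interface.
    if pkt.msg_type in RELEASE_MESSAGES:
        bound_if = bindings.get(pkt.chaddr.lower())
        if bound_if is not None and bound_if != pkt.ingress_if:
            return "release/decline from interface other than the bound one"
    return None


# Constructed configuration: snooping on VLAN 10, Eth1/1 is the server-facing trusted port.
DEMO_CFG = SnoopingConfig(enabled_vlans={10}, trusted_ifs={"Eth1/1"})

# Constructed binding table: one client already leased on Eth1/5.
DEMO_BINDINGS = {"aa:bb:cc:00:00:05": "Eth1/5"}

# Constructed packets, keyed by a short label.
DEMO_PACKETS = {
    "client_discover": DhcpPacket("DHCPDISCOVER", 10, "Eth1/6",
                                  "aa:bb:cc:00:00:06", "aa:bb:cc:00:00:06"),
    "offer_from_trusted": DhcpPacket("DHCPOFFER", 10, "Eth1/1",
                                     "00:de:ad:be:ef:01", "aa:bb:cc:00:00:06"),
    "offer_from_untrusted": DhcpPacket("DHCPOFFER", 10, "Eth1/7",
                                       "00:de:ad:be:ef:07", "aa:bb:cc:00:00:06"),
    "mac_mismatch_request": DhcpPacket("DHCPREQUEST", 10, "Eth1/6",
                                       "aa:bb:cc:00:00:06", "aa:bb:cc:00:00:99"),
    "release_wrong_port": DhcpPacket("DHCPRELEASE", 10, "Eth1/7",
                                     "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:05"),
    "release_right_port": DhcpPacket("DHCPRELEASE", 10, "Eth1/5",
                                     "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:05"),
    "offer_unsnooped_vlan": DhcpPacket("DHCPOFFER", 20, "Eth1/7",
                                       "00:de:ad:be:ef:07", "aa:bb:cc:00:00:06"),
}


def run_demo() -> Dict[str, Optional[str]]:
    """Evaluate every constructed packet and return label -> verdict (None = forward)."""
    return {label: snooping_verdict(pkt, DEMO_CFG, DEMO_BINDINGS)
            for label, pkt in DEMO_PACKETS.items()}


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:22s} -> {'forward' if verdict is None else 'drop: ' + verdict}")
```

The order of the checks mirrors the answer: the trust and VLAN test decides whether validation happens at all, the server-message test catches replies from untrusted ports, the MAC check is skipped entirely when the verification option is off, and the binding-table comparison applies only to RELEASE and DECLINE messages for clients that already have an entry.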

6. B. ARP inspections allow a network administrator to intercept, log, and discard ARP packets with invalid MAC address-to-IP address bindings.

7. D. When port security is enabled, the default maximum number of permitted MAC addresses is one.

8. A. The Cisco NX-OS device provides CoPP to prevent denial-of-service (DoS) attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the supervisor module or CPU itself.

9. A. When the network is microsegmented, there are fewer end devices per subnetwork, thus minimizing traffic flow and optimizing the network.

10. B. While different endpoint groups (EPGs) can only communicate with other endpoint groups based on the contract rules defined, no contract is required for intra-endpoint group communication. Intra-endpoint group communication from endpoint to endpoint in the same endpoint group is allowed by default.

Chapter 18

1. B, C. Two-factor authentication is supported by associating RADIUS or TACACS+ provider groups with designated authentication domains and enabling two-factor authentication for those domains. Two-factor authentication does not support IPM and is not supported when the authentication realm is set to LDAP, local, or none.

2. A. For RADIUS and TACACS+ configurations, you must configure a user attribute in each remote authentication provider through which users log in to the Cisco UCS Manager. This user attribute holds the roles and locales assigned to each user. This step is not required for LDAP configurations that use LDAP group mapping to assign roles and locales.

3. C. LDAP uses STARTTLS. This allows encrypted communication using port 389. Cisco UCS negotiates a TLS session on port 636 for SSL, but initial connection starts unencrypted on 389.

4. B. Start time: The absolute time that the lifetime begins.

End time: The end time can be defined in one of the following ways:

• The absolute time that the lifetime ends

• The number of seconds after the start time that the lifetime ends

• Infinite lifetime (no end time)

Chapter 19

1. C, D. TACACS+ is a Cisco proprietary protocol. TACACS+ encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. RADIUS encrypts passwords only.

2. C. The LDAP client/server protocol uses TCP (TCP port 389) for transport requirements.

3. A, C. Each user role can contain multiple rules, and each user can have multiple roles. Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN administrators can configure MDS features (for example, zone, fcdomain, or VSAN properties) for their VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, the VSAN administrators can change VSAN membership of F or FL ports among these VSANs.

4. B, D. Port security binds devices at the interface level. Port security can be distributed by CFS.

5. A, B, D. Fabric binding binds the fabric at the switch level, whereas port security binds devices at the interface level.

6. A, B. Fabric binding cannot be distributed by CFS and must be configured manually on each switch in the fabric. Fabric binding uses a set of sWWNs.

7. A, C. The fabric binding feature maintains a configuration database (config-database) and an active database. The config-database is a read-write database that collects the configurations you perform. These configurations are enforced only upon activation. This activation overwrites the active database with the contents of the config-database. The active database is read-only and is the database that checks each switch that attempts to log in.
