400-351 CCIE Wireless (v3.1)

Question 1

You have been hired to install new Cisco switches at ACME Corporation. The company
has an existing Cisco network comprised of access layer switches that use multiple VLANs
and VLAN Trunking Protocol to distribute the VLANs to the switches throughout the network.
Which two methods are best to accomplish your task? (Choose two.)

  • A. Configure the VLAN Trunking Protocol pruning on the new switches because they may not need all of the VLANs.
  • B. Prior to installation, ensure that all switches are running the same Cisco IOS software version as the VTP server.
  • C. Ensure that all the new Cisco switches have their VTP domain name set to the default value of null.
  • D. Configure one of the new switches as a VTP server to distribute the VLANs appropriately.
  • E. Ensure that all switches have the same VLAN Trunking Protocol password and encryption level.
  • F. Configure all new switches as VTP clients and relocated switches as VTP server because they already have all the VLANs in their database.
  • G. Ensure that all switches are running the same VTP version.


Answer : E,G

Explanation: From:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/vtp.html#wp1034490

Question 2

You are the network administrator at ACME Corporation and currently troubleshooting a
Central Web Authentication issue where the guest users are not being redirected to the ISE
guest login portal. You have verified that all configuration on the ISE is correct and that the
ISE is sending the redirect URL for the client. Which configuration check can help to
resolve the issue?

  • A. Verify if RADIUS accounting interim update is enabled on the guest SSID.
  • B. Verify if SNMP NAC is enabled on the guest SSID.
  • C. Verify if the SSID is configured for WPA2-AES Layer 2 security.
  • D. Verify if AAA override is enabled for the guest SSID.
  • E. Verify if the RFC 3567 support is enabled under ISE configuration on the Cisco WLC.
  • F. Verify if authentication priority for web-auth is set to RADIUS.


Answer : D

Explanation:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Question 3

You want to set up Prime Infrastructure to be notified when a device configuration has
changed. Which option is available in Prime Infrastructure 2.2?

  • A. Set up Prime Infrastructure to send an email containing the change audit report on a regularly scheduled basis.
  • B. Set up Prime Infrastructure to send an email containing the configuration change(s) immediately after the configuration change is detected.
  • C. Set up Prime Infrastructure to send an email containing the change audit report immediately after the configuration change is detected.
  • D. Set up Prime Infrastructure to send an email containing the device configuration change(s) on a regularly scheduled basis.


Answer : A

Explanation: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-2/user/guide/pi_ug.pdf

Question 4

Which IEEE protocol can help a wireless client device to identify nearby APs that are
available as roaming targets?

  • A. 802.11h
  • B. 802.11ac
  • C. 802.11k
  • D. 802.11n
  • E. 802.11w


Answer : C

Explanation:

https://support.apple.com/en-gb/HT202628

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11k_and_802.11r_Overview

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/wlanrf.html

Question 5

On a Cisco 5760 WLC, which of the below is not part of the initial setup script?

  • A. Wireless management interface
  • B. Host name
  • C. HTTP server login account
  • D. SNMP Network Management
  • E. NTP server
  • F. Enable password
  • G. Default routing protocol


Answer : G

Explanation: From: CT5760 Controller and Catalyst 3850 Switch Configuration Example - Cisco

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/116342-config-wlc-00.html

5760 WLC Initial Configuration

This section outlines the steps to successfully configure the 5760 WLC in order to host wireless services.

Configure Setup Script

    --- System Configuration Dialog ---
    Enable secret warning
    ----------------------------------
    In order to access the device manager, an enable secret is required
    If you enter the initial configuration dialog, you will be prompted for the enable secret
    If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,
    please set an enable secret using the following CLI in configuration mode-
    enable secret 0 <cleartext password>
    ----------------------------------
    Would you like to enter the initial configuration dialog? [yes/no]: yes
    At any point you may enter a question mark '?' for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[]'.
    Basic management setup configures only enough connectivity
    for management of the system, extended setup will ask you
    to configure each interface on the system
    Would you like to enter basic management setup? [yes/no]: yes
    Configuring global parameters:
    Enter host name [Controller]: w-5760-1
    The enable secret is a password used to protect access to
    privileged EXEC and configuration modes. This password, after
    entered, becomes encrypted in the configuration.
    Enter enable secret: cisco
    The enable password is used when you do not specify an
    enable secret password, with some older software versions, and
    some boot images.
    Enter enable password: cisco
    The virtual terminal password is used to protect
    access to the router over a network interface.
    Enter virtual terminal password: cisco
    Configure a NTP server now? [yes]:
    Enter ntp server address : 192.168.1.200
    Enter a polling interval between 16 and 1310

Question 6

Which two features were added as part of the 802.11h amendment?

  • A. Dynamic Frequency Selection and Direct Link Setup.
  • B. Dynamic Frequency Selection and Transmit Power control.
  • C. Dynamic Frequency Selection and Wireless Performance Prediction.
  • D. Dynamic Frequency Selection and Inter-Access Point Protocol.


Answer : B

Explanation:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200069-Overview-on-802-11h-Transmit-Power-Cont.html

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/wlanrf.html

Question 7

Which option describes the function of the Intercloud Fabric Extender?

  • A. It provides the network overlay functionality between the used clouds or cloud models.
  • B. It establishes a secure site-to-site tunnel to the intercloud fabric agent in the private cloud.
  • C. It applies network policies and collects and reports VEM-related intercloud statistics.
  • D. It establishes a secure site-to-site tunnel to the intercloud fabric switch in the provider cloud.


Answer : D

Explanation: From:

http://www.cisco.com/c/en/us/td/docs/cloud-systems-management/cisco-intercloud-fabric/cisco-intercloud-fabric-for-business/2-3-1/getting-started-guide/b_Cisco_Intercloud_Fabric_Getting_Started_Guide_Release_2_3_1/b_Cisco_Intercloud_Fabric_Getting_Started_Guide_Release_2_3_1_chapter_00.pdf

Cisco Intercloud Fabric Architectural Overview - Cisco

http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric/Intercloud_Fabric_2.html

Cisco Intercloud Fabric Secure Extension

All data in motion is cryptographically isolated and encrypted within the Cisco Intercloud Fabric Secure Extender. This data includes traffic exchanged between the private and public clouds (site to site) and the virtual machines running in the cloud (VM to VM). A Datagram Transport Layer Security (DTLS) tunnel is created between these endpoints to more securely transmit this data. DTLS is a User Datagram Protocol (UDP)-based highly secure transmission protocol. The Cisco Intercloud Fabric Extender always initiates the creation of a DTLS tunnel. The encryption algorithm used is configurable, and different encryption strengths can be used depending on the level of security desired.

Question 8

Your customer has a Cisco Unified Wireless Network running AireOS 8.0 and wants to
learn about the FlexConnect mode that is available on his APs. Which two statements are
true? (Choose two.)

  • A. A newly connected AP can be booted in FlexConnect mode.
  • B. When an AP is changed from Local mode to FlexConnect mode, a reboot is required.
  • C. Enhanced FlexConnect mode allows to enable wIPS on FlexConnect APs.
  • D. When an AP is changed from Local mode to FlexConnect mode, reboot is not required.
  • E. Using CCKM with FlexConnect APs requires the use of FlexConnect Groups.
  • F. FlexConnect was previously known as "H-TEEP"


Answer : D,E

Explanation:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01000010.html

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html

Question 9

When configuring an autonomous access point, which configuration broadcasts two
SSIDs?

  • A. dot11 ssid data1 vlan 10 authentication open authentication key-management wpa version 1 wpa-psk ascii cisco123 end ! dot11 ssid data2 vlan 11 authentication open authentication key-management wpa version 2 wpa-psk ascii Cisco12345 end
  • B. dot11 ssid data1 vlan 10 authentication open authentication key-management wpa version 1 wpa-psk ascii cisco123 mbssid guest-mode end ! dot11 ssid data2 vlan 11 authentication open authentication key-management wpa version 2 wpa-psk ascii Cisco12345 mbssid guest-mode end
  • C. mbssid ! dot11 ssid data1 vlan 10 authentication open authentication key-management wpa version 1 wpa-psk ascii cisco123 end ! dot11 ssid data2 vlan 11 authentication open authentication key-management wpa version 2 wpa-psk ascii Cisco12345 end
  • D. dot11 ssid data1 vlan 10 authentication open authentication key-management wpa version 1 wpa-psk ascii cisco123 guest-mode end ! dot11 ssid data2 vlan 11 authentication open authentication key-management wpa version 2 wpa-psk ascii cisco12345 guest-mode end
  • E. dot11 ssid data1 vlan 10 authentication open authentication key-management wpa version 1 wpa-psk ascii cisco123 mbssid end ! dot11 ssid data2 vlan 11 authentication open authentication key-management wpa version 2 wpa-psk ascii Cisco12345 mbssid end


Answer : B

Explanation:

http://www.cisco.com/c/en/us/td/docs/routers/access/1800/wireless/configuration/guide/awg/s37ssid.pdf

Question 10

You are the network administrator of a Cisco Autonomous AP deployment. You want to
stop a client with MAC address 5057.a89e.b1f7 and IP address 10.0.0.2 from
associating to your APs. Which configuration do you use?

  • A. access-list 700 permit 5057.a89e.b1f7 0000.0000.0000 ! dot11 association mac-list 700
  • B. ip access-list 25 deny host 10.0.0.2 ! interface Dot11Radio0 ip access-group 25 out ! interface Dot11Radio1 ip access-group 25 out
  • C. ip access-list 25 deny host 10.0.0.2 ! interface Dot11Radio0 ip access-group 25 in ! interface Dot11Radio1 ip access-group 25 in
  • D. access-list 700 deny 5057.a89e.b1f7 0000.0000.0000 ! dot11 association on mac-list 700


Answer : D

Question 11

802.11k and 802.11k-enabled client devices send a request for a list of neighbor APs (a
neighbor list) from the APs they are currently associated with. What is this 802.11
management frame also known as?

  • A. Association packet
  • B. Beacon frame
  • C. Action frame
  • D. Reassociation response.


Answer : C

Explanation: http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_010.html

Question 12

Which two statements about accessing the GUI and CLI of Cisco WLC are true? (Choose
two.)

  • A. The feature "Management using Dynamic Interfaces" can be applied to one of the Dynamic Interfaces only.
  • B. Wireless management access is only possible through the default management WLAN "thazz"
  • C. The wireless clients can access the Cisco WLC only when the option "Enable Controller Management to be accessible from Wireless Clients" is checked.
  • D. The feature "Management using Dynamic Interfaces" can be configured in CLI only. Wireless management access is only possible through the default management WLAN - WLAN ID
  • E. Wired clients can have only CLI access with the dynamic interface of the Cisco WLC, while wireless clients have both CLI and GUI access with the dynamic interface when the feature "Management using Dynamic Interfaces" is enabled.


Answer : A,C

Question 13

Which two IETF RADIUS attributes sent by the Cisco WLC can be used to differentiate
authentication requests based on the user location? (Choose two.)

  • A. RADIUS attribute [31] Calling-Station-Id
  • B. RADIUS attribute [4] NAS-IP-Address
  • C. RADIUS attribute [95] NAS-IPv6-Address
  • D. RADIUS attribute [32] NAS-Identifier
  • E. RADIUS attribute [303] Source-IP
  • F. RADIUS attribute [30] Called-Station-Id


Answer : D,F

Explanation:

https://supportforums.cisco.com/sites/default/files/ise_location-based_web_portals-v2.pdf

Question 14

While troubleshooting a failed central web authentication configuration on Cisco WLC, you
discover that the Cisco WLC Policy Manager State is showing RUN for new clients and not
CENTRAL_WEB_AUTH. Which of the below is most likely causing this issue?

  • A. The WLAN NAC state should be set to RADIUS NAC.
  • B. The WLAN Layer 2 security should be set to WPA+WPA2.
  • C. The WLAN Layer 3 security should be set to Web Policy with Conditional Web Redirect.
  • D. The Web Login Page under the Cisco WLC security settings should be set to External (Redirect to external server).


Answer : A

Explanation:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html

Question 15

Which two statements about AP Local Authentication by FlexConnect AP in standalone
mode are true? (Choose two)

  • A. From AireOS release 8.0, Cisco Extended Keying Groups (CEKG) is a supported Local Authentication Protocol when deploying FlexConnect.
  • B. Only LEAP, EAP-FAST, PEAP, and EAP-TLS authentications are supported.
  • C. Cisco Wireless LAN Controller must generate a certificate signing request by itself for submitting to a certificate authority for signing.
  • D. Only the vendor Certificate Authority (CA) certificate has to be downloaded to the Cisco Wireless LAN Controller for EAP-TLS authentication.
  • E. When using EAP-TLS, a FlexConnect Group must be created so that the Cisco Wireless LAN Controller can push the certificates to the FlexConnect AP in the FlexConnect Group.


Answer : B,E
