642-997 Implementing Cisco Data Center Unified Fabric

Question 1

Which statement is true if password-strength checking is enabled?

  • A. Short, easy-to-decipher passwords will be rejected.
  • B. The strength of existing passwords will be checked.
  • C. Special characters, such as the dollar sign ($) or the percent sign (%), will not be allowed.
  • D. Passwords become case-sensitive.

Answer : A

Explanation: If a password is trivial (such as a short, easy-to-decipher password), the Cisco NX-OS software will reject your password configuration if password-strength checking is enabled. Be sure to configure a strong password. Passwords are case sensitive. Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01000.pdf

Question 2

When a local RBAC user account has the same name as a remote user account on an
AAA server, what happens when a user with that name logs into a Cisco Nexus switch?

  • A. The user roles from the remote AAA user account are applied, not the configured local user roles.
  • B. All the roles are merged (logical OR).
  • C. The user roles from the local user account are applied, not the remote AAA user roles.
  • D. Only the roles that are defined on both accounts are merged (logical AND).

Answer : C

Explanation: If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server. Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_rbac.html

Question 3

Which statement about RBAC user roles on a Cisco Nexus switch is true?

  • A. If you belong to multiple roles, you can execute only the commands that are permitted by both roles (logical AND).
  • B. Access to a command takes priority over being denied access to a command.
  • C. The predefined roles can only be changed by the network administrator (superuser).
  • D. The default SAN administrator role restricts configuration to Fibre Channel interfaces.
  • E. On a Cisco Nexus 7000 Series Switch, roles are shared between VDCs.

Answer : B

Explanation: If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denies access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands. Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/sec_rbac.html

Question 4

Which statement about the implementation of Cisco TrustSec on Cisco Nexus 5546 or 5548
switches is true?

  • A. Cisco TrustSec support varies depending on Cisco Nexus 5500 Series Switch model.
  • B. The hardware is not able to support MACsec switch-port-level encryption based on IEEE 802.1AE.
  • C. The maximum number of RBACL TCAM user configurable entries is 128k.
  • D. The SGT Exchange Protocol must use the management (mgmt 0) interface.

Answer : B

Reference: https://scadahacker.com/library/Documents/Manuals/Cisco%20-%20TrustSec%20Solution%20Overview.pdf

Question 5

Which statement about the implementation of Cisco TrustSec on Cisco Nexus 7000 Series
Switches is true?

  • A. While SGACL enforcement and SGT propagation are supported on the M and F modules, 802.1AE (MACsec) support is available only on the M module.
  • B. SGT Exchange Protocol is required to propagate the SGTs across F modules that lack hardware support for Cisco TrustSec.
  • C. AAA authentication and authorization is supported using TACACS or RADIUS to a Cisco Secure Access Control Server.
  • D. Both Cisco TrustSec and 802.1X can be configured on an F or M module interface.

Answer : A

Explanation: The M-Series modules on the Nexus 7000 support 802.1AE MACsec on all ports, including the new M2-Series modules. The F2e modules will have this feature enabled in the future. It is important to note that because 802.1AE MACsec is a link-level encryption, the two MACsec-enabled endpoints, Nexus 7000 devices in our case, must be directly L2 adjacent. This means a direct fiber connection, or one facilitated with optical gear, is required. MACsec has integrity checks for the frames, and intermediate devices, like another switch, even at L2, will cause the integrity checks to fail. In most cases, this means metro-Ethernet services or carrier-provided label switched services will not work for a MACsec connection. Reference: http://www.ciscopress.com/articles/article.asp?p=2065720

Question 6

After enabling strong, reversible 128-bit Advanced Encryption Standard password type-6
encryption on a Cisco Nexus 7000, which command would convert existing plain or weakly
encrypted passwords to type-6 encrypted passwords?

  • A. switch# key config-key ascii
  • B. switch(config)# feature password encryption aes
  • C. switch# encryption re-encrypt obfuscated
  • D. switch# encryption decrypt type6

Answer : C

Explanation: This command converts existing plain or weakly encrypted passwords to type-6 encrypted passwords. Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5-x_chapter_010101.html

Topic 3, Manage the Unified Fabric in a Cisco Data Center Architecture

Question 7

Which Cisco Nexus feature is best managed with DCNM-SAN?

  • A. VSS
  • B. domain parameters
  • C. virtual switches
  • D. AAA

Answer : B

Explanation: The Fibre Channel domain (fcdomain) feature performs principal switch selection, domain ID distribution, FC ID allocation, and fabric reconfiguration functions as described in the FC-SW-2 standards. The domains are configured on a per-VSAN basis. If you do not configure a domain ID, the local switch uses a random ID. This section describes each fcdomain phase:

Principal switch selection: This phase guarantees the selection of a unique principal switch across the fabric.
Domain ID distribution: This phase guarantees each switch in the fabric obtains a unique domain ID.
FC ID allocation: This phase guarantees a unique FC ID assignment to each device attached to the corresponding switch in the fabric.
Fabric reconfiguration: This phase guarantees a resynchronization of all switches in the fabric to ensure they simultaneously restart a new principal switch selection phase.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/5_2/configuration/guides/sysmgnt/DCNM-SAN/sysmgmt_dcnm/sysmgmt_overview.html#wp1051962

Question 8

Which option is a restriction of the unified ports on the Cisco UCS 6200 Series Fabric
Interconnect when connecting to the unified fabric network?

  • A. Direct FC connections are not supported to Cisco MDS switches.
  • B. The FCoE or Fibre Channel port allocations must be contiguous on the 6200.
  • C. 10-G Fibre Channel ports only use SFP+ interfaces.
  • D. vPC is not supported on the Ethernet ports.

Answer : B

Explanation: When you configure the links between the Cisco UCS 2200 Series FEX and a Cisco UCS 6200 Series fabric interconnect in fabric port channel mode, the available VIF namespace on the adapter varies depending on where the FEX uplinks are connected to the fabric interconnect ports. Inside the 6248 fabric interconnect there are six sets of eight contiguous ports, with each set of ports managed by a single chip. When uplinks are connected such that all of the uplinks from an FEX are connected to a set of ports managed by a single chip, Cisco UCS Manager maximizes the number of VIFs used in service profiles deployed on the blades in the chassis. If uplink connections from an IOM are distributed across ports managed by separate chips, the VIF count is decreased. Reference: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/hw/6200-install-guide/6200_HIG/6200_HIG_chapter_01.html

Question 9

The Connectivity Management Processor monitors the active supervisor module on a
Cisco Nexus 7000 switch and will reboot the device in the event of a lights-out
management issue. However, which option includes features that provide similar benefits in
the absence of the Connectivity Management Processor?

  • A. high-availability functionality from features such as vPC and NSF
  • B. traditional system connectivity models like SNMP, GUI, or SSH
  • C. Cisco FabricPath
  • D. VDC failover

Answer : A

Explanation: vPC uses the vPC peer-keepalive link to run hello messages that are used to detect a dual-active scenario. A Gigabit Ethernet port can be used to carry the peer-keepalive messages. A dedicated VRF is recommended to isolate these control messages from common data packets. When an out-of-band network infrastructure is present, the management interfaces of the Cisco Nexus 7000 supervisor could also be used to carry keepalive connectivity using the dedicated management VRF. When the vPC peer-link is no longer detected, a dual-active situation occurs, and the system disables all vPC port channel members on the "secondary" vPC peer (lower vPC role priority value). SVI interfaces associated with a vPC VLAN are also suspended on the secondary switch. As a result, in this condition only the primary vPC peer actively forwards traffic on the vPC VLANs. Multiple peer-keepalive links can be used to increase the resiliency of the dual-active detection mechanism. Both the Cisco Catalyst 6500 and the Cisco Nexus 7000 offer a variety of high-availability features. Some of the primary features to highlight are In Service Software Upgrade (ISSU), Stateful Switchover (SSO), and Nonstop Forwarding (NSF). The operation and the behavior of these features are unique to the respective platform and can be independently executed without affecting the interoperability between the two platforms. Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_589890.html

Question 10

Drag the description on the left to the most appropriate Nexus product on the right.

Question 11

Which of the following Cisco Nexus features is best managed with DCNM-LAN?

  • A. VSS
  • B. Domain parameters
  • C. Virtual switches
  • D. AAA

Answer : C

Explanation: DCNM-LAN supports the following platforms:

Cisco Nexus 1000V switches
Cisco Nexus 2000 Fabric Extenders
Cisco Nexus 3000 Series switches
Cisco Nexus 4000 Series switches
Cisco Nexus 5000 Series switches
Cisco Nexus 7000 Series switches
Catalyst 6500

DCNM-LAN provides limited support for the Catalyst 6500 Series switches that run classic IOS version 12.2(33)SXI or higher. DCNM-LAN supports the viewing of the current configuration attributes of the device. DCNM-LAN does not support changing the configuration of the device. DCNM-LAN supports the Firewall Services Module (FWSM) version 4.0 or higher for the Catalyst 6500 Series switches. Reference:

Topic 4, Implement High Availability Features on Cisco Unified Fabric Products in a
Cisco Data Center Architecture

Question 12

What is the effect of the command fabricpath load-balance unicast layer3?

  • A. It configures F2 VDC FabricPath unicast load balancing
  • B. The command automatically load balances broadcast traffic
  • C. It configures F1/M1 VDC FabricPath unicast load balancing
  • D. It configures M1 VDC FabricPath unicast load balancing

Answer : C

Explanation: The F1 cards are complemented by M1 cards for routing purposes. When using M1 cards in the same virtual device context (VDC) as the F1 card, routing is offloaded to the M1 cards, and more routing capacity is added to the F1 card by putting more M1 ports into the same VDC as the F1 card.

Question 13

A Cisco Nexus 2000 Series Fabric Extender is connected to two Cisco Nexus 5000 Series
switches via a vPC link. After both Cisco Nexus 5000 Series switches lose power, only one
switch is able to power back up. At this time, the Cisco Nexus 2000 Series Fabric Extender
is not active and the vPC ports are unavailable to the network.
Which action will get the Cisco Nexus 2000 Series Fabric Extender active when only one
Cisco Nexus 5000 Series switch is up and active?

  • A. Move the line from the failed Cisco Nexus 5000 Series switch to the switch that is powered on, so the port channel forms automatically on the switch that is powered on.
  • B. Shut down the peer link on the Cisco Nexus 5000 Series switch that is powered on.
  • C. Configure reload restore or auto-recovery reload-delay on the Cisco Nexus 5000 Series switch that is powered on.
  • D. Power off and on the Cisco Nexus 2000 Series Fabric Extender so that it can detect only one Cisco Nexus 5000 Series switch at power up.

Answer : C

Explanation: The vPC consistency check message is sent over the vPC peer link. The vPC consistency check cannot be performed when the peer link is lost. When the vPC peer link is lost, the operational secondary switch suspends all of its vPC member ports while the vPC member ports remain up on the operational primary switch. If the vPC member ports on the primary switch flap afterwards (for example, when the switch or server that connects to the vPC primary switch is reloaded), the ports remain down due to the vPC consistency check and you cannot add or bring up more vPCs. Beginning with Cisco NX-OS Release 5.0(2)N2(1), the auto-recovery feature brings up the vPC links when one peer is down. This feature performs two operations:

If both switches reload, and only one switch boots up, auto-recovery allows that switch to assume the role of the primary switch. The vPC links come up after a configurable period of time if the vPC peer-link and the peer-keepalive fail to become operational within that time. If the peer-link comes up but the peer-keepalive does not come up, both peer switches keep the vPC links down. This feature is similar to the reload restore feature in Cisco NX-OS Release 5.0(2)N1(1) and earlier releases. The reload delay period can range from 240 to 3600 seconds. When you disable vPCs on a secondary vPC switch because of a peer-link failure and then the primary vPC switch fails, the secondary switch reenables the vPCs. In this scenario, the vPC waits for three consecutive keepalive failures before recovering the vPC links. Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html

Question 14

Which SCSI terminology is used to describe source and destination nodes?

  • A. hosts and targets
  • B. initiators and targets
  • C. HBA and disks
  • D. initiators and disks
  • E. HBA and targets

Answer : B

Explanation: In computer data storage, a SCSI initiator is the endpoint that initiates a SCSI session, that is, sends a SCSI command. The initiator usually does not provide any Logical Unit Numbers (LUNs). A SCSI target is the endpoint that does not initiate sessions, but instead waits for initiators' commands and provides the required input/output data transfers. The target usually provides one or more LUNs to the initiators, because otherwise no read or write command would be possible. Reference: http://en.wikipedia.org/wiki/SCSI_initiator_and_target

Question 15

Refer to the exhibit.

Which three statements about the Cisco Nexus 7000 switch are true? (Choose three.)

  • A. An emulated switch ID must be unique when the vPC+ feature is used.
  • B. Switches with FabricPath and vPC+ consume two switch IDs.
  • C. Emulated switch IDs must be numbered from 1 to 99.
  • D. Each switch ID must be unique in the FabricPath topology.
  • E. Switch IDs must be configured manually.

Answer : B,D,E

Explanation: To understand this feature, please refer to the link given below. Reference: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/guide_c07-690079.html#wp9000065

