Free ENCOR 350-401 Practice Exam – 2025 Updated

Cisco's Endpoint Detection and Response (EDR) solution, now known as Cisco Secure Endpoint, integrates multiple advanced capabilities to protect endpoints. Its core functionality relies on a combination of machine learning and behavioral analytics to detect unknown threats, leveraging threat intelligence from Cisco Talos for comprehensive threat awareness. A critical response feature is the ability to contain or isolate a compromised endpoint, preventing the threat from spreading across the network while allowing for further investigation. These three elements machine learning, threat intelligence, and containment are fundamental to its detection and response framework.

B. firewalling and intrusion prevention: These terms primarily describe network security functions, characteristic of Next-Generation Firewalls (NGFW) and Intrusion Prevention Systems (IPS), not the core features of an endpoint-centric EDR solution. C. container-based agents: This describes a potential deployment architecture for the agent, not a core security feature for threat detection or response. The agent's capabilities, not how it's packaged, are the key features. D. cloud analysts and endpoint firewall controls: "Cloud analysts" refers to a managed service (MDR) that uses the EDR tool, not a feature of the tool itself. While endpoint firewall control can be part of a larger security suite, it is not a defining feature of EDR's advanced detection and response cycle.

1. Cisco, "Cisco Secure Endpoint Data Sheet": This document explicitly

details the product's features. It mentions "Advanced Endpoint Detection

and Response," "Machine Learning," "Cisco Talos threat intelligence," and

"Host Isolation" (containment).

o Source URL:

https://www.cisco.com/c/en/us/products/collateral/security/amp-forendpoints/datasheet-c78-745509.html

o Specific Sections: See sections "Advanced Endpoint Detection

and Response" and the features table which lists "Machine learning

analysis" and "Isolate an endpoint".

2. Cisco, "What Is Endpoint Detection and Response (EDR)?": This page

defines EDR and highlights its key components, including threat hunting,

behavioral protection, and response capabilities like isolation. It reinforces

the concepts of advanced analysis (machine learning) and the use of

threat intelligence.

o Source URL:

https://www.cisco.com/c/en/us/products/security/endpointsecurity/what-is-endpoint-detection-and-response-edr.html

o Specific Sections: See paragraphs under "How does EDR work?"

and "Key capabilities of an EDR solution."

When a Lightweight Access Point (AP) boots up, it initiates a discovery process to find a Wireless LAN Controller (WLC). One of the methods used is DNS resolution. The AP will attempt to resolve the hostname CISCO-CAPWAP- CONTROLLER.localdomain. If the DNS server returns one or more IP addresses for this hostname, the AP will send a unicast CAPWAP Discovery Request message to each IP address it receives. It does not stop after the first one, nor does it immediately send a join request. A broadcast request is a different step in the discovery process and is not a response to a successful DNS lookup.

A. broadcast discover request: A broadcast discovery is a separate method sent to the local subnet (255.255.255.255). It is not initiated as a result of a successful DNS resolution for a specific controller hostname. B. join request to all the WLCs: An AP sends a Join Request only after it has received a Discovery Response from a WLC and has selected a controller to join. The initial contact after DNS resolution is a Discovery Request. D. Unicast discovery request to the first WLS that resolves the domain name: This is incorrect because the AP will send a discovery request to all IP addresses returned by the DNS server for the controller hostname, not just the first one, to ensure it discovers all available controllers.

1. Cisco, "Wireless LAN Controller (WLC) Discovery and Join Process,"

Document ID: 107606.

o This document outlines the AP discovery process. In the "WLC

Discovery on a Layer 3 Network" section, step 4 explicitly states:

"The APs can discover controllers through your domain name

server (DNS)... The AP sends a unicast CAPWAP discovery request

to every address."

o URL: https://www.cisco.com/c/en/us/support/docs/wireless/4400series-wireless-lan-controllers/107606-wlc-lap.html (Under the

section "WLC Discovery on a Layer 3 Network")

2. Cisco, "Deploying the Cisco 5760 Wireless LAN Controller," Release

3.6E.

o In the "Information About AP-Controller Communication" chapter,

the section "How the Access Point Finds the Controller" details the

DNS discovery method: "If the DNS returns a list of controller IP

addresses, the access point sends a unicast discovery request to

each controller on the list."

o URL:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/5760/soft

ware/release/36e/configuration_guide/b_cg36e/b_cg36e_chapter_0

101111.html (Under the section "How the Access Point Finds the

Controller")

3. Cisco, "Lightweight AP (LAP) Registration to a Wireless LAN

Controller (WLC)," Document ID: 70333.

o This guide reinforces the discovery steps. The "LAP States" section

explains that discovery precedes the join state. The "DNS

Discovery" part clarifies that the AP resolves CISCO-CAPWAP-

CONTROLLER.localdomain and sends discovery messages to the

resulting IP addresses.

o URL: https://www.cisco.com/c/en/us/support/docs/wireless/wirelesslan-controller-wlc/70333-lap-registration.html (Under the section

"DNS Discovery")

The objective is to complete a Python script that reads device data from a user and updates a JSON file. The provided code snippets correctly fill the blanks to achieve the required functionality based on standard Python syntax and library usage. • import json: This statement is placed at the top to import the necessary json module. This module provides the json.load() and json.dump() functions used later in the script to parse and write JSON data. • while True:: This creates an infinite loop, satisfying the requirement that the script should continue to read user input "Until interrupted from the keyboard." except: This keyword is required to begin the exception handling block. It catches the KeyboardInterrupt (e.g., from pressing Ctrl+C) or EOFError (e.g., from pressing Ctrl+D), which is the designated signal to stop gathering input. File = open: This statement correctly opens the specified file, devicesData.json, in "r+" mode (read and write) and assigns the file object to the variable File. This is necessary to both read the existing device data and write the updated data back. File.close(): This statement is placed at the end to close the file. It is a crucial best practice to release the file resource after all operations are complete, ensuring data integrity and preventing resource leaks.

1. Python json Module Documentation: The official documentation details

the functions json.load() for reading from a JSON file and json.dump() for

writing to one.

o Source: Python Software Foundation, Python 3.12.3

documentation.

o URL: https://docs.python.org/3/library/json.html (See sections

19.2.1. Basic Usage)

2. Python Control Flow Statements: The while statement and try...except

compound statements are fundamental control flow structures in Python.

The documentation specifies their syntax and usage.

o Source: Python Software Foundation, Python 3.12.3

documentation.

o URL: https://docs.python.org/3/tutorial/controlflow.html#morecontrol-flow-tools (for loops) and

https://docs.python.org/3/tutorial/errors.html#handling-exceptions

(for try...except).

3. Python File I/O: The official tutorial explains the use of the open() function

for file access, the different modes like "r+", and the importance of the

.close() method.

o Source: Python Software Foundation, Python 3.12.3

documentation.

o URL: https://docs.python.org/3/tutorial/inputoutput.html#readingand-writing-files (See section 7.2).

The question asks for a solution that simplifies the management of secure network access. Cisco TrustSec is the most precise answer because it is an architecture specifically designed to achieve this simplification. TrustSec decouples network access from IP addresses by classifying endpoints into logical groups (roles) and assigning them Security Group Tags (SGTs). Policies are then defined based on these role-based SGTs (e.g., "Doctors can access Patient Records"), which is significantly simpler to manage than creating and maintaining thousands of IP-based Access Control Lists (ACLs). This logical grouping is the core mechanism of simplification.

B. ISE to automate network access control leveraging RADIUS AV pairs This is incorrect because while the Cisco Identity Services Engine (ISE) is the central policy engine that implements the TrustSec architecture, TrustSec is the actual framework that provides the simplification through logical grouping. This option describes the tool, whereas option A describes the architectural solution that achieves the goal. C. RFC 3580-based solution to enable authenticated access leveraging RADIUS and AV pairs This is incorrect as RFC 3580 is a standard that provides guidelines for using RADIUS with IEEE 802.1X. It is a foundational protocol specification, not a comprehensive solution designed to simplify policy management across an enterprise. D. 802 1AE to secure communication in the network domain This is incorrect because IEEE 802.1AE, also known as MACsec, is a standard for Layer 2 data encryption. It ensures data confidentiality and integrity on a wired network but does not provide a framework for simplifying user and device access policy management.

1. Cisco Systems, "Cisco TrustSec Solution Design Guide": "Cisco

TrustSec technology provides a new paradigm for secure networking,

simplifying the provisioning and management of network access...

The goal of the Cisco TrustSec solution is to assign a Security Group Tag

(SGT) to a user/device... This simplifies policy management by reducing

the number of access control entries."

o Source URL:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/

TrustSec/2-1/TS_2-1_DG/tsd_2-1_overview.html

o Section: "Cisco TrustSec Solution Overview"

2. Cisco Systems, "TrustSec Security Group Tagging Design and

Implementation Guide": "The goal of the TrustSec solution is to assign a

Security Group Tag (SGT) to a user/device when it connects to the

network... This SGT is then used as a source and destination in the access

policies... This simplifies policy management by reducing the number

of access control entries that would have been required if using IP

addresses."

o Source URL:

https://www.cisco.com/c/en/us/support/docs/security/trustsec/11613

2-config-sgt-00.html

o Section: "Introduction"

3. IETF, RFC 3580, "IEEE 802.1X Remote Authentication Dial In User

Service (RADIUS) Usage Guidelines": This document describes the use

of RADIUS in conjunction with IEEE 802.1X authenticators, focusing on

protocol attributes and behavior. It is a technical specification, not a

management solution.

o Source URL: https://datatracker.ietf.org/doc/html/rfc3580

o Section: Abstract

4. IEEE Standards Association, "IEEE Standard for Local and

metropolitan area networks-Media Access Control (MAC) Security":

This standard specifies the provision of connectionless user data

confidentiality, data integrity, and data origin authenticity. Its focus is on

Layer 2 encryption.

o Source URL: https://standards.ieee.org/ieee/802.1AE/3439/

o Identifier: IEEE Std 802.1AE™ -2006

Cisco Catalyst SD-WAN routers, which function as the data plane or "WAN Edge" devices in the architecture, can be deployed in multiple form factors to fit various site requirements. These include hardware appliances for physical locations like branches and data centers, virtualized instances that can run on standard hypervisors or enterprise network virtualization platforms, and as instances within public cloud infrastructures like AWS, Azure, and Google Cloud to extend the SD-WAN fabric to cloud workloads. This flexibility allows for a consistent SD-WAN policy and architecture across a hybrid environment of physical, virtual, and cloud-based resources.

A. virtualized instances: This option is incorrect because it is incomplete. It omits the very common hardware appliance and cloud deployment models. B. hardware, software, cloud, and virtualized instances: This option is less precise than C. In this context, a "virtualized instance" is the "software" form factor. The term "virtualized" is more specific to the deployment model, distinguishing it from a physical appliance. Including both is redundant. D. hardware and virtualized instances: This option is incorrect because it is incomplete. It fails to include the crucial capability of deploying SD- WAN routers directly within public cloud environments, a key feature known as Cloud OnRamp.

1. Cisco Catalyst 8000V Edge Software Data Sheet: This document

explicitly states that the Catalyst 8000V is a "virtual-form-factor router" that

can be deployed in "virtual and cloud environments." It lists supported

hypervisors (VMware ESXi, KVM) for on-premises virtualization and public

clouds (Amazon EC2, Microsoft Azure, Google Cloud Platform) as

deployment locations.

o Source: Cisco, "Cisco Catalyst 8000V Edge Software Data Sheet"

o URL:

https://www.cisco.com/c/en/us/products/collateral/routers/catalyst8000v-edge-software/nb-06-cat8000v-edge-sw-data-sheet-ctp-

en.html (Refer to "Product overview" and "Benefits" sections).

2. Cisco SD-WAN Solution Overview: This document describes the

"endpoint flexibility" of the solution, covering physical platforms for

branches, aggregation sites, and virtual platforms. It explicitly mentions

extending the SD-WAN fabric to "data centers, branches, campuses,

colocation facilities, and clouds."

o Source: Cisco, "Cisco SD-WAN Solution Overview"

o URL: https://fe5e0932bbdbee188a67ade54de1bba9a4fe61c120942a09245b.ssl.cf1.rackcdn.com/nb-06-

sd-wan-sol-overview-cte-en.pdf (Refer to Page 4, "Endpoint

flexibility" and Figure 8, "Cisco SD-WAN portfolio").

3. Cisco SD-WAN Cloud OnRamp for IaaS White Paper: This paper details

the process of extending the enterprise WAN to public clouds by deploying

virtual SD-WAN routers within the cloud provider's infrastructure. It

confirms the "cloud" deployment model for edge devices.

o Source: Cisco, "Cisco SD-WAN Cloud OnRamp for Infrastructure

as a Service (IaaS) White Paper"

o URL: https://www.cisco.com/c/en/us/solutions/collateral/enterprisenetworks/sd-wan/white-paper-c11-743126.html (Refer to the

"Introduction" and "Solution" sections).

Auto anchor, also known as Mobility Anchor, is the feature specifically designed to ensure a wireless client maintains its original IP address when performing a Layer 3 roam between controllers, particularly when they are in different mobility groups. When a client roams to a new "foreign" controller, the foreign controller establishes an Ethernet-over-IP (EoIP) tunnel back to the client's original "anchor" controller. All of the client's traffic is sent through this tunnel to the anchor, from which it enters the wired network. This makes the client's physical location transparent and preserves its IP address, ensuring seamless session continuity.

A. interface groups: This feature is used on a single WLC to load-balance clients across a group of VLANs (interfaces). It does not provide the tunneling mechanism required for maintaining an IP address during an inter-controller roam. B. RF groups: This feature, also known as an RF domain, is used for coordinating Radio Resource Management (RRM) algorithms among a group of controllers. It manages radio settings like channel and power, and is unrelated to client IP address management during roaming. C. AAA override: This allows a RADIUS server to dynamically assign specific attributes, such as a VLAN ID, to a client upon authentication. It does not provide a mechanism to maintain that client's IP address when it roams to a different controller and subnet.

1. Cisco, "Enterprise Mobility 8.5 Design Guide"

o Details: In the "Mobility Architecture" chapter, the "Mobility Anchor"

section states: "Mobility anchoring, also known as guest tunneling,

is a feature where a controller is designated as the anchor point for

a particular WLAN... All client traffic is tunneled from the foreign

controller to the anchor controller over a Layer 3 tunnel (Ethernet-

over-IP). This allows a client to maintain its IP address when

roaming between controllers." It also notes this is useful for roaming

between different mobility groups.

o URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-

5_Deployment_Guide/ch3_mobility_arch.html#_Ref518882092

2. Cisco, "Wireless Controller Configuration Guide, Release 8.10"

o Details: In the "Configuring Mobility Groups" chapter, the section

"Information About Mobility Anchor" explains: "In a mobility anchor

setup, a client can roam to any controller in the mobility list, but its

point of presence on the wired network is always the anchor

controller... This feature is also referred to as 'guest tunneling' or

'auto anchoring'."

o URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/810/config-guide/b_cg810/configuring_mobility_groups.html#ID347

The Python script requires three parts to correctly serialize a Python dictionary into a JSON formatted string and print it. 1. import json: The first blank requires importing Python's built-in json module, which provides the necessary tools for working with JSON data. 2. json_string = json.dumps(data): The second blank uses the json.dumps() function to perform the conversion. This function takes a Python object (the data dictionary) and returns it as a JSON formatted string. This string is then assigned to the json_string variable. 3. print(json_string): The third blank prints the value of the json_string variable, which now holds the JSON representation of the original Python object.

Python Software Foundation. (2025). json — JSON encoder and

decoder. Python 3.13.3 documentation. This official documentation states,

"To use this module, import json" and describes the json.dumps() function

as the method to "serialize obj to a JSON formatted str".

o URL: https://docs.python.org/3/library/json.html#basic-usage

Guttag,

J. V. (2016). Lecture 10: Files. 6.0001 Introduction to Computer

Science and Programming in Python, Fall 2016. Massachusetts Institute of

Technology: MIT OpenCourseWare. The principles of handling different

data formats like JSON are covered in university-level computer science

introductions.

o URL: https://ocw.mit.edu/courses/6-0001-introduction-to-computerscience-and-programming-in-python-fall-2016/resources/lecture-10-

files/

A primary benefit of a data modeling language, such as YANG, is to create a standardized, vendor-neutral definition for the configuration and state data of network devices. This allows for the abstraction of device management away from proprietary, vendor-specific command-line interfaces (CLIs) or APIs. By using these common models, organizations can create configurations and automation workflows that are "widely compatible" across different hardware platforms and vendors, effectively refactoring what would otherwise be platform-specific code. This approach simplifies network automation and management at scale.

A: This is imprecise. The data model itself is a definition, not a "machine- friendly code" that is deployed. It defines the structure for management protocols to use, enabling machine-to-machine communication for management, but the core benefit is the standardization it provides. B: This is misleading. While data models describe device status, modern management protocols that use them (like NETCONF and RESTCONF) are often positioned as more capable alternatives to SNMP for configuration, not merely as augmentations for its subscription features. C: This is incorrect. The fundamental purpose of adopting a standardized data modeling language is to move away from vendor-centric models and operations toward a common, interoperable framework, thereby reducing vendor lock-in.

1. IETF RFC 7950: The YANG 1.1 Data Modeling Language:

o Quote/Concept: "YANG is a data modeling language used to

model configuration data, state data, Remote Procedure Calls

(RPCs), and notifications for network management protocols... This

allows a clean separation between the data models and the

management protocols..."

o Location: Abstract, Page 4.

o URL: https://www.rfc-editor.org/rfc/rfc7950.html

2. Cisco IOS XE Programmability Configuration Guide:

o Quote/Concept: "YANG is a standards-based, data modeling

language that is used to model the configuration and operational

state of a network device. The use of a standards-based model

provides a vendor-neutral way of programming a network device

and helps in managing a multivendor network."

o Location: Chapter: "YANG Data Models".

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/prog/configuration/1612/b_1612_prog_config_guide/yang_d

ata_models.html

3. IETF RFC 8340: YANG Tree Diagrams:

o Quote/Concept: "A YANG data model defines a hierarchy of data

that can be used for configuration, to report operational state, and

for invoking operations on network devices... The YANG language...

is protocol independent." This independence is key to creating

compatible configurations across different platforms.

o Location: Section 1: Introduction, Paragraph 1.

o URL: https://www.rfc-editor.org/rfc/rfc8340.html

During a Layer 2 inter-controller roam, the primary goal is to maintain a seamless connection for the client device. This is achieved by ensuring the client retains its original IP address, as the roam occurs within the same subnet (Layer 2 domain). Furthermore, to avoid disrupting the session and forcing a full re-authentication, the client's security context (which includes security keys and authentication status) is transferred from the original "anchor" controller to the new "foreign" controller. This allows the client to continue communicating securely without interruption.

A. A new security context is applied for each controller to which the client is associated, but the IP address remains the same. This is incorrect because applying a new security context would require a full re- authentication, which seamless roaming protocols (like 802.11r) are designed to avoid. The existing context is transferred, not replaced. B. The client must be associated to a new controller where a new IP address and security context are applied. This is incorrect as it describes a Layer 3 roam. A defining characteristic of a Layer 2 roam is that the client keeps the same IP address. D. The client is marked as foreign in the database of each new controller to which it is connected. While it is true that the new controller is termed the "foreign" controller and maintains a "foreign" entry for the client, this is an architectural detail of how the roam is managed. Option C more accurately and completely describes the primary outcome and experience for the client's session, which is the core of the roaming event itself.

1. Cisco, Enterprise Mobility 8.5 Design Guide. This guide details the

mobility architecture. It states, "In the case of inter-controller L2 roam, the

client maintains its IP address... The WLCs exchange mobility messages

and the client database entry is moved from the anchor WLC to the foreign

WLC. This includes the security context of the client."

o Source: Cisco, "Enterprise Mobility 8.5 Design Guide", Chapter:

Mobility Architecture. (A specific URL is difficult as these guides are

updated, but the concept is fundamental in all versions of the Cisco

Wireless LAN Controller Design Guides). A representative

document is available at:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-

5_Deployment_Guide.html, see the "Inter-Controller Roaming"

section.

2. IEEE Std 802.11™ -2020, IEEE Standard for Information Technology—

Telecommunications and information exchange between systems

Local and metropolitan area networks— Specific requirements - Part

11: Wireless LAN Medium Access Control (MAC) and Physical Layer

(PHY) Specifications. The mechanisms for Fast BSS Transition (FT),

defined in section 12.5, are designed to allow a station (client) to quickly

transition between access points while maintaining security and

connectivity. This involves transferring security key information, thus

preserving the security context.

o Source: IEEE Std 802.11™ -2020, DOI:

10.1109/IEEESTD.2021.9363693, Section 12.5 "Fast BSS

transition".

Configuring a wireless network for WPA2+WPA3 transition mode (also called mixed mode) requires enabling cipher suites that are compatible with both WPA2 and WPA3 clients. According to the IEEE 802.11-2020 standard and Wi- Fi Alliance specifications, CCMP-128 (Counter Mode Cipher Block Chaining Message Authentication Code Protocol with a 128-bit key) is the mandatory cipher for WPA2-Personal. For WPA3-Personal, CCMP-128 is also a mandatory baseline cipher, even though stronger optional ciphers exist. Therefore, to ensure that both WPA2 and WPA3 clients can connect to the same SSID, the network must be configured to use CCMP-128. This allows WPA2 clients to connect using PSK and WPA3 clients to connect using SAE, both leveraging the common CCMP-128 cipher.

A. Configure the GCMP256 encryption cipher: GCMP-256 is an optional, stronger cipher for WPA3 and is not supported by WPA2 clients. Configuring only this would prevent WPA2 clients from connecting, defeating the purpose of a mixed-mode policy. C. Configure the GCMP128 encryption cipher: GCMP-128 is defined as an optional cipher suite for use with WPA3, particularly for management frames, but it is not the standard data encryption cipher for WPA2. Relying on it would not guarantee compatibility. D. Configure the CCMP256 encryption cipher: This cipher suite does not exist within the context of the IEEE 802.11 standard for WPA2 or WPA3 security. The standard specifies CCMP with a 128-bit key (CCMP- 128) and GCMP with a 256-bit key (GCMP-256).

1. Wi-Fi Alliance, "Wi-Fi CERTIFIED WPA3™ Specification," Version 3.1,

January 2023.

o Section 3.2.1 (Cipher Suites): This section specifies that for

WPA3-Personal, the mandatory cipher suite is CCMP-128. It also

lists GCMP-256 as optional. For a mixed WPA2-WPA3 mode, the

AP must support the mandatory cipher suites for both security

protocols.

o URL: https://www.wi-fi.org/file/wi-fi-certified-wpa3-specification-v3-1

2. IEEE Standard for Information Technology— Telecommunications and

information exchange between systems Local and metropolitan area

networks— Specific requirements - Part 11: Wireless LAN Medium

Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE

Std 802.11™ -2020.

o Section 12.7.2 (Cipher suites): This section details the valid cipher

suites. It defines "CCMP-128" for use in Robust Security Network

Associations (RSNAs), which is the foundation for WPA2 and

WPA3. The standard mandates CCMP-128 for RSN-capable

stations.

o DOI: https://doi.org/10.1109/IEEESTD.2021.9363693

3. Cisco, "WPA3 Deployment Guide," December 19, 2022.

o Section: WPA3 Transition Mode (WPA3-Personal): The guide

explicitly states, "The WPA3 transition mode enables a graceful

migration from WPA2 to WPA3... The AP broadcasts a single SSID

that both WPA2 and WPA3 capable clients can use to connect. The

mandatory cipher for WPA2 is AES/CCMP128... WPA3 also

mandates the use of AES/CCMP128 cipher."

o URL:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/173/config-

guide/b_cg_9800_17_3_1_book/wpa3_deployment_guide.html

Stateful Switchover (SSO) is the correct feature that allows for a seamless transition between a failed active route processor (RP) and a standby RP within the same chassis. SSO synchronizes critical state information (e.g., protocol states, session data) between the two RPs. If the active RP fails, the standby RP can take over immediately without losing data or requiring network protocols like HSRP to reconverge. This maintains the forwarding path and makes the switchover transparent to adjacent network devices.

A. Preemption: This is an HSRP setting that allows a router with a higher priority to forcibly take over the active role from a currently active router with a lower priority. It does not relate to the failover between route processors within a single device. B. IP SLA tracking: This mechanism is used to monitor the reachability of a specific IP address or path. It can trigger an HSRP failover to a different router if the tracked object becomes unavailable, but it is not the mechanism for an intra-chassis RP failover. D. HSRP tracking: This feature monitors the state of a router's interface. If the tracked interface goes down, the router's HSRP priority is reduced, potentially causing a failover to a separate standby router. This is distinct from an internal RP switchover.

1. Cisco Systems, Inc., "High Availability Configuration Guide, Cisco IOS XE

Bengaluru 17.6.x (Catalyst 9500 Switches)." This guide defines SSO as

the feature that monitors the active RP and switches to the standby RP

upon a fault. It explicitly states, "SSO, in conjunction with NSF (Nonstop

Forwarding), ensures that data traffic is not interrupted during a

switchover."

o Source: Cisco High Availability Configuration Guide

o Section: "Stateful Switchover (SSO)"

2. Cisco Systems, Inc., "IP Application Services Configuration Guide, Cisco

IOS Release 15M&T." This document details HSRP features. It

describes preemption and tracking as mechanisms that influence which

router in an HSRP group becomes active, differentiating them from intra-

chassis redundancy.

o Source: Cisco IP Application Services Configuration Guide

o Sections: "HSRP Preemption" and "HSRP Interface Tracking".

Layer 3 roaming is specifically designed to allow a wireless client to move between Access Points (APs) that are managed by different controllers and are on different IP subnets, without losing its original IP address. This process is managed within a pre-configured mobility group (also known as a mobility domain). The controllers within this group share client security and session context, allowing the new (foreign) controller to tunnel the client's traffic back to the original (anchor) controller. This ensures session persistence for the client.

A. Clients must obtain a new IP address when they roam between APs. This is incorrect. The primary goal of Layer 3 roaming is to preserve the client's original IP address to prevent the disruption of applications and sessions. The tunneling mechanism makes the subnet change transparent to the client device. B. It provides seamless roaming between APs that are connected to different Layer 3 networks and different mobility groups. This is incorrect. Standard Layer 3 roaming operates within a single mobility group. Roaming between different mobility groups is a more complex process, often called inter-mobility group roaming, and is not the defining characteristic of standard Layer 3 roaming. C. It is only supported on controllers that run SSO. This is incorrect. Stateful Switchover (SSO) is a high-availability feature that provides controller redundancy. Layer 3 roaming is a mobility function that can operate independently of SSO. A single controller can support Layer 3 roaming between APs on different subnets connected to it.

1. Cisco, Enterprise Mobility 8.5 Design Guide. "A mobility group is a

group of controllers that have established a dynamic and trusted

relationship with each other, which allows them to share context and state

about clients, and to forward data traffic on behalf of clients that are

roaming between APs that are associated to different controllers... When a

client roams between APs that are joined to different controllers, and the

client WLAN is on different VLANs/subnets, the client traffic is tunneled

between the two controllers... This process is transparent to the wireless

client, and the client maintains its original IP address."

o Source URL:

[https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-

5_Deployment_Guide/ch3_mobility_architecture.html](https://www.g

oogle.com/search?q=https://www.cisco.com/c/en/us/td/docs/wireles

s/controller/8-5/Enterprise-Mobility-8-5-Design-

Guide/Enterprise_Mobility_8-

5_Deployment_Guide/ch3_mobility_architecture.html)

o Reference Section: Chapter: Mobility Architecture, "Inter-Controller

Roaming— Layer 3" section.

2. Cisco, Mobility Fundamentals - WLC. "Layer 3 roaming occurs when a

client moves between two WLCs that are in the same mobility group, but

the WLCs are on different subnets. The client maintains its original IP

address and the traffic is tunneled from the foreign WLC to the anchor

WLC."

o Source URL: https://www.cisco.com/c/en/us/support/docs/wirelessmobility/wireless-lan-wlan/80921-mobility-fundamentals-wlc.html

o Reference Section: Introduction and diagrams illustrating Layer 3

roaming.

The objective is to create a Cisco Embedded Event Manager (EEM) applet that activates OSPF debugging commands when a neighborship transitions to the DOWN state. The core of this functionality lies in the event syslog pattern command, which must precisely match the syslog message generated by the router for this specific event. According to Cisco's official documentation, the system message for an OSPFv2 adjacency change is %OSPF-5-ADJCHG. The script must trigger on the state change from FULL to DOWN. Therefore, the only pattern that correctly identifies the required trigger is "%OSPF-5-ADJCHG: ... from FULL to DOWN". Option A is the only choice that uses this exact, correct pattern. While the action 1.0 cli command "enable" is technically redundant as EEM applets execute in privileged EXEC mode by default, the trigger itself is correct, making it the only functional option for the stated goal.

B. This option is incorrect because the syslog pattern from LOADING to FULL triggers when an OSPF neighbor comes up and establishes a full adjacency, which is the opposite of the required scenario. C. This option uses an incorrect severity level in its pattern (%OSPF-1- ADJCHG). The standard, default severity level for this message is 5 (Notification), not 1 (Alerts). The pattern would fail to match the router's generated message. D. This option is incorrect for the same reason as B; the trigger pattern from LOADING to FULL monitors for a neighbor coming up, not going down. The inclusion of the redundant enable command does not fix the fundamental logic error in the trigger.

Cisco Systems, Inc. (2023). Cisco IOS XE Amsterdam 17.3.x System

Message Guide. This guide documents the format and severity of system

messages. For OSPF, it specifies:

o Message: %OSPF-5-ADJCHG: Process [dec], Nbr [ip-addr] on

[chars] from [chars] to [chars], [chars]

o Explanation: "An OSPF neighbor has changed state... The severity

level is 5 (notification)."

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/iproute_ospf/message/iro-msgs/os-ir-msgs.html (Refer to

the %OSPF-5-ADJCHG section).

Cisco Systems, Inc. (2019). Embedded Event Manager Configuration

Guide, Cisco IOS XE Release 3S. This guide explains the configuration

and operation of EEM.

o Reference: It notes that EEM applet CLI actions are executed in

privileged EXEC mode by default.

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/eem/configuration/xe-3s/eem-xe-3s-book/eem-overview.html

(See the "Benefits of Using Embedded Event Manager" section).

The core of the question is how to allow an external RADIUS server (ISE) to dynamically assign a VLAN to a wireless user after authentication. The specific feature on a Cisco Wireless LAN Controller (WLC) that enables this is AAA Override. When this feature is enabled for a specific WLAN, the WLC will accept and apply RADIUS attributes sent by ISE, such as the VLAN ID, effectively overriding the default VLAN configured on the WLC for that SSID. This is a fundamental mechanism for dynamic, policy-based network access control in centralized authentication scenarios like the one described.

A. Set RADIUS Profiling: RADIUS Profiling is a feature within ISE used to identify and classify the type of device connecting (e.g., iPhone, Windows laptop). While this information can be used as a condition within an ISE policy, it does not enable the WLC to accept the VLAN assignment from ISE. B. Set AAA Policy name: This is a superficial configuration step. Naming a policy is for administrative identification and organization; it does not enable the functional capability for the WLC to accept dynamic RADIUS attributes. C. Enable Network Access Control State: This is too generic. "Network Access Control" (NAC) describes the overall security approach. It is not a specific, actionable configuration setting on the WLC that permits the RADIUS server to override the VLAN. The precise feature name is "AAA Override."

1. Cisco, Central Web Authentication on the WLC and ISE Configuration

Example: This official Cisco configuration guide, in a nearly identical

scenario, explicitly states the requirement. In Step 1: Configure the WLAN,

under the "Advanced" tab settings, the guide directs the administrator to:

"check the Allow AAA Override check box." This confirms it is the direct

action needed.

o Source: Cisco Official Documentation

o URL: https://www.cisco.com/c/en/us/support/docs/security/identityservices-engine/115732-central-web-auth-wlc-ise-config-00.html

(See Step 1, WLAN Configuration section)

2. Cisco, Cisco Catalyst 9800 Series Wireless Controller Software

Configuration Guide, Cisco IOS XE Cupertino 17.9.x: The official

controller documentation defines the feature's purpose. "AAA override

enables you to apply VLAN tagging, QoS, and ACLs to individual clients

based on the returned RADIUS attributes from the AAA server."

o Source: Cisco Official Vendor Documentation

o URL:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/179/config-guide/b_wl_17_9_cg/m_aaa_override.html (See the

"Information About AAA Override" section)

3. Cisco, Identity Services Engine Administrator Guide, Release 3.1: The

ISE documentation clarifies its role in sending attributes that require the

override setting on the network access device (NAD), such as the WLC.

Authorization profiles in ISE are configured to send attributes like Tunnel-

Private-Group-ID (for VLAN), which the NAD will only apply if configured to

do so.

o Source: Cisco Official Vendor Documentation

o URL: https://www.cisco.com/c/en/us/td/docs/security/ise/31/admin_guide/b_ise_admin_guide_31/b_ISE_admin_31_policy.htm

l (See the chapter on "Manage Policies and Rules," specifically

sections discussing authorization profiles and results).

MACsec (IEEE 802.1AE) is a Layer 2 security protocol that provides confidentiality, integrity, and data origin authenticity on a hop-by-hop basis for Ethernet frames. A primary and direct benefit of this protocol is securing the links between network devices. In a multilayered LAN, the trunk links between switches are critical pathways that carry traffic for multiple VLANs. Applying MACsec to these Layer 2 trunk links encrypts all data traversing them, protecting against threats like passive wiretapping, man-in-the-middle attacks, and content manipulation for all traffic on that link.

A. There is no requirement to run IEEE 802.1X when MACsec is enabled on a switch port. This is incorrect. While MACsec can be configured with static keys, the standard and most secure method for key exchange is the MACsec Key Agreement (MKA) protocol. MKA typically uses the 802.1X/EAP framework as its control plane for authentication and key distribution. Therefore, 802.1X is often a prerequisite for a dynamic and scalable MACsec deployment. C. Application flows between hosts on the LAN to remote destinations can be encrypted. This is incorrect. MACsec provides security on a single link or hop (hop-by-hop). It does not provide end-to- end encryption for an entire communication path from a LAN host to a remote destination across the internet or a WAN. That function is performed by higher-layer protocols like TLS or IPsec. D. Layer 3 links between switches can be secured. This is incorrect because MACsec is explicitly a Layer 2 protocol (IEEE 802.1AE). It operates on Ethernet frames. While these frames carry Layer 3 packets (like IP), the security mechanism itself is applied at Layer 2. The protocol designed for securing links at Layer 3 is IPsec.

1. Cisco Systems, "MACsec and MACsec Key Agreement (MKA)

Configuration Guide": This guide states, "MACsec, defined in 802.1AE,

is an IEEE standard that provides data confidentiality, data integrity, and

data origin authenticity... MACsec is a Layer 2 hop-to-hop encryption that

encrypts the entire data, except for the source and destination MAC

addresses of an Ethernet packet." It also clarifies the common use for

"Switch-to-switch security using MACsec with a pre-shared key".

o Source URL:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/sof

tware/release/17-

9/configuration_guide/sec/b_179_sec_9600_cg/macsec_and_macs

ec_key_agreement_mka.html (See "Information About MACsec and

MACsec Key Agreement (MKA)" section).

2. IEEE 802.1AE-2018 Standard, "Media Access Control (MAC)

Security": The official standard defines MACsec as providing security

services for MAC clients. The entire standard is focused on securing the

connectionless data service provided by the MAC layer.

o Source URL: https://doi.org/10.1109/IEEESTD.2018.8585421 (See

Section 1 "Overview").

3. Juniper Networks, "Understanding Media Access Control Security

(MACsec)": This documentation specifies, "MACsec is a Layer 2 feature...

It secures all traffic on a point-to-point Ethernet link between two MACsec-

capable devices...". This highlights its application on L2 links, such as

trunks. It also explains the relationship with 802.1X for key management.

o Source URL:

https://www.juniper.net/documentation/us/en/software/junos/security

-services/topics/concept/macsec-overview.html (See the "Overview"

and "MACsec in a VLAN Environment" sections).

DHCP Option 43 is designated for vendor-specific information. It allows vendors like Cisco, Aruba, and others to provide custom data to their devices, such as the IP address of a Wireless LAN Controller (WLC) for an Access Point (AP). The DHCP standard itself (RFC 2132) defines Option 43 as an opaque field— a sequence of bytes. In practice, when network administrators configure a DHCP server to deliver this option, they must enter this byte sequence as a hexadecimal string. For instance, to direct a Cisco AP to a controller at IP 10.0.0.1, the value is not entered as ASCII text but as a hex string like f1040a000001. This string encodes vendor-specific sub-options, lengths, and values.

A. ASCII: This is incorrect. The data required is a structured byte stream, not a simple text string. While an IP address can be represented in ASCII, Option 43 requires a specific binary format that is entered in hex. C. Base64: This is incorrect. Base64 is an encoding scheme to represent binary data in ASCII strings, often used in other contexts like email attachments. However, the standard and universally documented method for configuring Option 43 on network infrastructure is hexadecimal. D. MD5: This is incorrect. MD5 is a cryptographic hash function used to verify data integrity. It is a one-way hash and is not used for encoding configuration data like an IP address for an AP to use.

1. Cisco Wireless Controller Configuration Guide: This official Cisco

documentation explicitly shows the configuration of DHCP Option 43 using

hexadecimal values. It details how to construct the hex string based on the

controller's IP address.

o Source: Cisco, "Cisco Wireless Controller Configuration Guide,

Release 8.5"

o Reference: Chapter: "Configuring DHCP Option 43"

o URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/config-guide/b_cg85/deploying_the_wlan.html#ID1316 (Note: The

specific section shows the hex value f104c0a80a05 as an example

for the IP 192.168.10.5).

2. Aruba (an HPE company) Documentation: Aruba's official

documentation also specifies using a hexadecimal string for configuring

DHCP Option 43 to direct APs to an Aruba Mobility Conductor.

o Source: Aruba Networks, "Configuring DHCP Option 43 on a

Windows DHCP Server"

o Reference: The guide instructs entering the value as a "string value

in hexadecimal."

o URL:

https://www.arubanetworks.com/techdocs/ArubaOS_87_Web_Help/

Content/arubaos-solutions/dhcp-options/conf-dhcp-opt-43-wind.htm

3. IETF RFC 2132: This RFC defines the DHCP options. It specifies Option

43 as "Vendor Specific Information," where the data is a sequence of

encapsulated vendor-specific options. The representation of this binary

data in configuration is left to the implementation, which is standardized in

practice as hex.

o Source: IETF, "RFC 2132: DHCP Options and BOOTP Vendor

Extensions"

o Reference: Section 8.4, "Vendor Specific Information"

o URL: https://datatracker.ietf.org/doc/html/rfc2132#section-8.4

A Cisco SD-Access fabric design fundamentally relies on two key components for its operation: a controller for automation and a policy engine for identity and access control. Cisco Catalyst Center (which was formerly known as DNA Center) serves as the centralized network controller. It provides a single pane of glass for design, provisioning, policy application, and network assurance. The Identity Services Engine (ISE) is the required policy engine. It integrates with Catalyst Center to provide dynamic and secure access control, handling user/device authentication and authorization, and enforcing micro-segmentation policies using Scalable Group Tags (SGTs).

B. Firepower Threat Defense: This is a next-generation firewall. While it can be integrated into an SD-Access fabric for advanced security and threat inspection at the fabric edge, it is not a mandatory component for the core fabric functionality. D. Cisco Data Center Network Manager: DCNM is the management platform specifically for Cisco's data center solutions, such as Nexus switches and the Application Centric Infrastructure (ACI) fabric. It is not used for the campus-focused SD-Access solution. E. Cisco Prime Infrastructure: Cisco Prime was a network management platform that predates Catalyst Center. For SD-Access, the automation and assurance capabilities of Cisco Catalyst Center are required, making Prime Infrastructure an incorrect and legacy option for this solution.

1. Cisco Systems, "Cisco SD-Access Solution Design Guide (CVD) -

Cisco Catalyst Center 2.3.7.x and Cisco IOS XE 17.12.x." This guide

explicitly identifies the core components of the solution.

o Reference: In the "Solution Components" chapter, the document

states, "The Cisco SD-Access solution is composed of the following

major software and hardware components: ■ Cisco DNA Center

(controller) ■ Cisco Identity Services Engine (identity and policy

engine)..."

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco

-sd-access-design-guide-2-3-7.html

2. Cisco Systems, "SD-Access for Distributed Campus Design Guide."

This document reinforces the roles of Catalyst Center and ISE.

o Reference: The "Solution Components" section details the roles:

"Cisco DNA Center— Centralized management system for the SD-

Access solution... The controller for automation, policy, provisioning,

and assurance." and "Cisco Identity Services Engine (ISE)— Identity

and policy engine for the SD-Access solution."

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sdadistributed-campus-design-guide.html

3. Cisco Press, "Cisco SD-Access: The Complete Guide to Cisco's

Software-Defined Campus." This book provides an in-depth architectural

overview.

o Reference: Chapter 2, "Cisco SD-Access Architecture," describes

the foundational pillars of the architecture, consistently highlighting

Cisco DNA Center as the controller and ISE as the identity/policy

platform.

o URL: https://www.ciscopress.com/store/cisco-sd-access-thecomplete-guide-to-ciscos-software-9780136532485

Cisco Catalyst SD-WAN architecture is fundamentally based on the principles of Software-Defined Networking (SDN), which involves separating the control, data, and management planes. Option A is correct because secure communication is paramount in the architecture. Control plane connections between the WAN Edge devices and the vSmart controllers are established over authenticated and encrypted DTLS or TLS tunnels. This ensures the integrity and confidentiality of routing and policy information being exchanged throughout the overlay fabric. Option E is correct because a primary benefit of the solution is the centralization of policy and management. Using the vManage platform, administrators can create and enforce comprehensive policies for routing (reachability), security (e.g., firewalling, IPS), and application quality of service (QoS) from a single point. These policies are then distributed to all WAN Edge devices, ensuring consistent enforcement across the entire network.

B. time-consuming configuration and maintenance: This is incorrect. A core value proposition of SD-WAN is the simplification and acceleration of WAN deployment and management through centralized control and zero- touch provisioning, reducing the time required for these tasks compared to traditional WANs. C. distributed control plane: This is incorrect. The solution's architecture is defined by a centralized control plane, orchestrated by the vSmart controllers. This is a key differentiator from traditional WANs where the control plane is distributed across every router. D. unified data plane and control plane: This is incorrect. Cisco SD- WAN adheres to the SDN model of separating the control plane from the data plane. The control plane (vSmart) makes decisions, while the data plane (WAN Edge routers) executes them by forwarding packets.

1. Cisco Systems, "Cisco SD-WAN Overlay Network Security" (2023).

o This document states, "The Cisco SD-WAN solution uses a

Datagram Transport Layer Security (DTLS) or a Transport Layer

Security (TLS) tunnel to provide security and authentication for the

control plane that runs between Cisco WAN Edge routers and Cisco

vSmart controllers."

o URL:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/

security/vedge/security-book/overlay-network-security.html

2. Cisco Systems, "Cisco SD-WAN Design Guide" (2022).

o Section: Cisco SD-WAN Architecture and Components: This

guide explains the separation of planes and the role of each

component. It describes the vSmart Controller as the "central brain

of the solution" (centralized control plane) and vManage for

"centralized configuration, provisioning, monitoring, and

troubleshooting." This supports the correctness of option E and the

incorrectness of C and D.

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco

-sdwan-design-

guide.html#CiscoSDWANArchitectureandComponents

3. Cisco Systems, "Cisco SD-WAN End-to-End Deployment Guide"

(2020).

o Section: Centralized Policies: This guide details how "Centralized

policies are provisioned on the vSmart and affect the entire fabric."

This directly confirms that policies for reachability and other

functions are centralized, validating option E.

o URL:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/

policies/17-2/policies-book/centralized-policy.html

To configure a WLAN for WPA2-Enterprise, an external authentication server using the RADIUS protocol is required to handle the 802.1X/EAP (Extensible Authentication Protocol) authentication process. The exhibit displays the WLAN-specific 'AAA Servers' configuration tab. This tab is used to override the WLC's global server settings for a particular WLAN. The most critical and mandatory action on this screen to enable WPA2-Enterprise authentication for the 'ciscoTest' WLAN is to select a configured RADIUS server from the 'Authentication Servers' dropdown list, which is currently set to 'None'. This directly associates the WLAN with the server that will validate user credentials.

A. Enable EAP parameters: EAP parameters are used for advanced tuning of the EAP protocol, such as setting timeouts or configuring EAP- FAST settings. While related, selecting the authentication server itself is the primary and prerequisite action. B. Apply CISCO ISE default settings: Cisco ISE is a specific type of RADIUS server. The configuration requires selecting any compatible RADIUS server that has been pre-configured on the WLC; it is not limited to Cisco ISE or its default settings. C. Disable the RADIUS server accounting interim update: RADIUS Accounting is a separate function from Authentication. Accounting tracks user session data (e.g., connection time, data usage) after a user has been successfully authenticated. It is not required to enable the authentication process itself.

1. Cisco, "WPA2-Enterprise with RADIUS Server on Cisco WLC

Configuration Example": This official configuration example explicitly

details the process. In Step 3: Configure the WLAN for WPA2-

Enterprise, the guide instructs the user to navigate to the WLANs >

WLAN_ID > Security > AAA Servers tab and "Choose the appropriate

RADIUS server from the Server 1 drop-down list under Authentication

Servers." This directly confirms that selecting the server is the required

action.

o URL: https://www.cisco.com/c/en/us/support/docs/wireless/4400series-wireless-lan-controllers/115982-wpa2-ent-wlc-00.html

o Section: Step 3: Configure the WLAN for WPA2-Enterprise.

2. Cisco, "Cisco Wireless LAN Controller Configuration Guide, Release

8.5": This guide explains the purpose of the WLAN-specific AAA server

settings. It clarifies that these settings are used to override the global

RADIUS server configuration for a specific WLAN. The primary function of

this section is to assign the servers that will handle authentication and

accounting.

o URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/config-guide/b_cg85/configuring_wlan.html

o Section: "Configuring AAA Servers for a WLAN" (and preceding

sections on "Information About AAA Servers on WLANs"). This

section states, "You can configure the authentication and

accounting servers that are to be used by a particular WLAN. You

can also override the global server settings."

A source-specific membership report is a valid and defining message type in IGMPv3. The primary enhancement of IGMPv3 over its predecessors is the introduction of source filtering. This allows a host to signal to its local router that it wants to receive multicast traffic from a group and only from a specific list of source addresses. This information is carried within an IGMPv3 Membership Report message (Type 0x22), which is fundamentally source- specific in its design and purpose.

A. leave group: The explicit "Leave Group" message is a feature of IGMPv2. In IGMPv3, leaving a group is handled by sending a new Membership Report that updates the source list for that group (e.g., excluding all sources or changing to an empty include list). B. hello: "Hello" packets are characteristic of routing protocols like OSPF and EIGRP, which use them for neighbor discovery and keepalives. They are not part of the IGMP specification. C. graft: "Graft" messages are used in multicast routing protocols, such as Protocol Independent Multicast - Dense Mode (PIM-DM). A router sends a graft message to rejoin a pruned branch of a multicast distribution tree. IGMP is a host-to-router protocol.

1. IETF RFC 3376: Internet Group Management Protocol, Version 3.

o Quote/Paraphrase: The introduction states, "Version 3 adds

support for 'source filtering', that is, the ability for a system to report

interest in receiving packets only from specific source addresses...".

Section 4.1 specifies the "Version 3 Membership Report" (Type

0x22) as the message that carries this source-specific information.

o Location: Section 1 (Introduction, page 3) and Section 4.1 (IGMP

Message Format, page 11).

o URL: https://www.rfc-editor.org/rfc/rfc3376.html

2. Cisco, IP Multicast: IGMP Configuration Guide.

o Quote/Paraphrase: This guide explains that IGMPv3 adds support

for source filtering, which allows a client to signal that it wants to

receive traffic from only specific sources. This is done via the

IGMPv3 Membership Report.

o Location: "IGMP Version 3" section.

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/ipmulti_igmp/configuration/15-mt/imc-igmp-15-mt-

book/imc_igmp_v3.html

3. Carnegie Mellon University, School of Computer Science, 15-441:

Computer Networks, Lecture 19: Multicast.

o Quote/Paraphrase: The lecture slides clearly differentiate the

IGMP versions, noting that IGMPv3 supports source-specific

join/leave requests, in contrast to IGMPv2's group-specific leave

messages.

o Location: Slide 30, "IGMP v3".

o URL: https://www.cs.cmu.edu/~srini/15-441/F07/lectures/19multicast.pdf

A Type 1 hypervisor, also known as a bare-metal hypervisor, runs directly on the host's physical hardware. Its primary role is to create and manage virtual machines (VMs). Each VM operates as a self-contained computer, running its own guest operating system (E). A core function of the hypervisor is to abstract and manage the underlying physical hardware resources, including CPU, memory, and storage. It allocates these resources to the VMs. This includes creating and managing virtual storage (C), such as virtual hard disks, which are presented to the guest operating systems.

A. They are widely available to license for free. While some Type 1 hypervisors like Xen and KVM are open-source and free, and others like VMware ESXi have free versions with limited features, full-featured enterprise editions typically require paid licenses. Therefore, this is not a universal characteristic. B. They provide a platform for running bare metal operating systems. This is incorrect. A Type 1 hypervisor runs on bare metal hardware itself. It provides a platform for running virtualized or guest operating systems, not bare metal ones. D. They are a software layer that runs on top of a virtual server. This statement inverts the architecture. The hypervisor runs on a physical server and hosts virtual servers; it does not run on top of them.

NIST Special Publication 800-125A (Draft): Defines a hypervisor as a

software platform that "provides virtualization of hardware resources (such

as CPU, Memory, Network and Storage)" and "enables multiple computing

stacks (made of an operating system (OS) and application programs)

called Virtual Machines (VMs) to be run on a single physical host." This

supports both C and E.

o Source: NIST Computer Security Resource Center, "Draft SP 800-

125A Rev. 1, Security Recommendations for Server-based

Hypervisor Platforms", Page 7, Lines 130-132.

o URL: https://csrc.nist.gov/CSRC/media/Publications/sp/800125a/rev-1/draft/documents/sp800-125A-r1-draft.pdf

VMware Documentation (via Scale Computing resource): Describes

the hypervisor's role: "The hypervisor is the core component of

virtualization software, enabling multiple VMs to share a single physical

server... Dynamically allocates CPU, memory, and storage to each VM...

Guest operating systems... are installed within each VM." This confirms

the hypervisor manages storage (C) and runs guest OSs (E).

o Source: Scale Computing, "Virtualization Software: Benefits &

Types".

o URL: https://www.scalecomputing.com/resources/virtualizationsoftware-how-it-works-types-and-advantages

Xen Project Documentation: Describes the Xen Project hypervisor as

"an open-source type-1 or baremetal hypervisor, which makes it possible

to run many instances of an operating system or indeed different

operating systems in parallel on a single machine." This directly supports

option E. Regarding licensing (A), it notes Xen is "available as open

source," but this doesn't apply to all Type 1 hypervisors.

o Source: Xen Project, "Hypervisor".

o URL: https://xenproject.org/projects/hypervisor

IEEE Publication: A 2023 review paper states, "A Type 1 hypervisor runs

directly on the host computer's physical hardware and interacts directly

with its CPU, memory, and physical storage... A Type 1 hypervisor

replaces the host operating system... KVM, Microsoft Hyper-V, and

VMware vSphere are examples of a Type 1 hypervisor." This confirms the

direct management of hardware, including storage (supporting C).

o Source: JETIR, "A COMPREHENSIVE REVIEW OF THE

VIRTUALIZATION AND FACTORS AFFECTING IT.", Volume 10,

Issue 4, April 2023, Page 2.

o URL: https://www.jetir.org/papers/JETIR2304110.pdf

The provided configuration links an IP Service Level Agreement (SLA) operation to a track object. The command track 10 ip sla 10 reachability makes the track object's state (either up or down) directly dependent on the success or failure of the IP SLA ping. The most precise and standard method to trigger an Embedded Event Manager (EEM) applet from this setup is to monitor the state of the track object. When the IP SLA operation fails (e.g., the ICMP echo times out), the associated track object's state changes to down. Therefore, the EEM event trigger event track 10 state down correctly initiates the applet when a problem with the IP SLA is detected by the tracking mechanism.

B. event sla 10 state unreachable: This is incorrect because the EEM event sla detector does not use the state keyword unreachable. The state of an IP SLA operation is reflected by its associated track object. • C. event sla 10 state down: This is incorrect syntax. The EEM event sla detector does not use a down state. The up/down status is managed and reported by the track object, not directly by the SLA event detector in this context. D. event track 10 state unreachable: This is incorrect because the event track detector only recognizes the states up or down. The term unreachable is used in the track configuration itself to define what is being monitored, not as a state for the EEM trigger.

1. Cisco Systems, "Cisco IOS Embedded Event Manager Command

Reference": This document details the syntax for EEM commands.

o For event track: It specifies the valid states are up, down, or any.

URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/eem/command/eem-cr-book/eem-cr-

e1.html#wp1973656049

Reference: See the command syntax for event track <track-

object-number> state.

o For event sla: It details the triggers available for IP SLA operations.

URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/eem/command/eem-cr-book/eem-cr-

e1.html#wp1916325297

Reference: See the command syntax for event sla <sla-op-

id>.

2. Cisco Systems, "IP SLAs Configuration Guide, Cisco IOS Release

15M&T": This guide explains how to configure IP SLAs and track

their state.

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_eot.html

o Reference: The section "Scheduling IP SLAs Operations" and "IP

SLAs--Enhanced Object Tracking" demonstrate the relationship

between an IP SLA operation and a track object, which is then used

to trigger actions.

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. According to IETF RFC 7519, a JWT is represented as a compact string consisting of three parts separated by dots (.). These parts are the Header, the Payload (also known as the Claims Set), and the Signature. The header and payload are Base64Url-encoded JSON objects. The signature is created by signing the encoded header and payload, ensuring the token's integrity and authenticity. This three-part header.payload.signature structure is the fundamental composition of a JWT.

A. header and payload: This option is incorrect because it omits the signature. The signature is a mandatory component used to verify that the sender is who they say they are and to ensure that the message wasn't changed along the way. B. three parts separated by dots: version, header, and signature: This option is incorrect because the JWT standard defined in RFC 7519 does not include a 'version' part in its top-level structure. The structure is strictly header, payload, and signature. C. payload and signature: This option is incorrect as it omits the header. The header is essential as it contains metadata about the token itself, most importantly the cryptographic algorithm (alg) used for the signature.

1. Internet Engineering Task Force (IETF) RFC 7519, "JSON Web Token

(JWT)":

o Section 3.1 ("JWS Compact Serialization Overview") states: "the

JWT is represented as the concatenation of the three parts, with the

parts being separated by period ('.') characters." It defines the

structure as BASE64URL(UTF8(JWS Protected Header)) || '.' ||

BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature).

o URL: https://doi.org/10.17487/RFC7519

2. Microsoft Identity Platform documentation:

o "Microsoft identity platform access tokens" documentation page

explicitly describes the structure: "JWTs are split into three parts:

Header, Payload, Signature. Each part is separated by a . (dot)."

o URL: https://docs.microsoft.com/en-us/azure/activedirectory/develop/access-tokens#access-token-claims (The section

on "Validating tokens" and the visual breakdown confirm the three-

part structure).

3. Amazon Web Services (AWS) Documentation:

o "Verifying a JSON Web Token" for Amazon Cognito user pools

states: "A JSON Web Token (JWT) consists of three parts: a header,

a payload, and a signature."

o URL:

https://docs.aws.amazon.com/cognito/latest/developerguide/amazo

n-cognito-user-pools-using-the-jwt-token.html

An extended node in a Cisco SD-Access fabric is specifically designed to extend fabric capabilities, such as policy enforcement and host onboarding, to downstream devices that are not fabric-native. It connects to non-fabric Layer 2 switches or end devices (like IoT devices) in locations where deploying a full fabric edge node is not feasible, such as in small remote offices or wiring closets. The extended node acts as a bridge, bringing these non-fabric endpoints into the fabric's policy domain.

A. in charge of establishing Layer 3 adjacencies with nonfabric unmanaged node: This is the primary function of a border node, which connects the SD-Access fabric to external Layer 3 networks (e.g., WAN, data center, internet). B. performs tunnelling between fabric and nonfabric devices to route traffic over unknown networks: While SD-Access uses VXLAN tunneling, this description is too general. This tunneling is fundamental to the entire fabric underlay, not a specific function of an extended node to connect to non-fabric devices. C. provides fabric extension to nonfabric devices through remote registration and configuration: This is too broad. While an extended node does enable extension, option D is more precise by specifying the connection is to downstream non-fabric enabled Layer 2 switches, which is the primary use case.

1. Cisco Systems, "Cisco SD-Access Solution Design Guide (CVD),"

November 2023.

o Reference: In the "SD-Access Fabric Nodes" section, under

"Extended Node," it states: "The SD-Access extended node solution

allows for the extension of the enterprise network's fabric

capabilities to smaller, remote sites... An extended node connects to

a fabric edge node... and extends the fabric to non-fabric-capable

downstream Layer 2 switches."

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco

-sd-access-design-guide.html#CiscoSD-AccessFabricRoles

2. Cisco Systems, "SD-Access for Distributed Campus Prescriptive

Deployment Guide," December 2023.

o Reference: The "Policy Extended Node" section describes its role:

"A policy extended node... extends an SD-Access fabric domain by

providing connectivity to non-carpeted or IoT-heavy areas... The

policy extended node connects upstream to an SD-Access fabric

edge node... and connects downstream to endpoints or to extended

node switches."

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sdaccess-distributed-campus-deployment-guide-2023.html

The characteristics should be assigned to Puppet and Ansible based on their distinct architectural and operational models as defined in their official documentation. Puppet-managed hosts pull configuration from the main node: Puppet operates on an agent/master architecture where the agent on a managed node periodically contacts the master to "pull" its configuration catalog. This is a core part of its design. requires an agent to be installed on hosts: To facilitate the pull model, a dedicated "Puppet agent" application must be installed and running as a service on every machine that Puppet manages. Ansible uses SSH: Ansible is agentless by design and communicates with managed nodes primarily over SSH. The control node pushes out small scripts, executes them via SSH, and removes them when finished. configuration files are procedural: Ansible Playbooks are composed of tasks that are executed sequentially from top to bottom. This ordered, step-by-step execution is a procedural approach to automation, in contrast to Puppet's declarative model.

1. Puppet Labs, "Overview of Puppet's architecture". This document

explicitly states, "managed nodes run the Puppet agent

application...Periodically, each Puppet agent sends facts to the Puppet

master, and requests a catalog...Puppet agent nodes and Puppet masters

communicate by HTTPS with client verification."

o URL: https://www.puppet.com/docs/puppet/5.5/architecture.html

o Reference: Section "The agent-master architecture", Paragraph 1;

Section "Communications and security", Paragraph 1.

2. Puppet Labs, "Introduction to Puppet". This guide explains, "Puppet

code is declarative, which means that you describe the desired state of

your systems, not the steps needed to get there."

o URL: https://www.puppet.com/docs/puppet/6/puppet_overview.html

o Reference: Section "What is Puppet?", Paragraph 2.

3. Red Hat Ansible, "How Ansible Works". The official documentation

states, "Ansible is agentless...It uses OpenSSH for transport...Ansible

works by connecting to your nodes and pushing out scripts called 'Ansible

modules' to them."

o URL: https://www.redhat.com/en/ansible-collaborative/how-ansibleworks

o Reference: Section "How Ansible Works", Paragraphs 2 & "Efficient

Architecture", Paragraph 2.

4. Spacelift, "Ansible Tutorial for Beginners" (referencing official

concepts). This tutorial describes playbooks as "an ordered list of tasks

along with its necessary parameters that define a recipe to configure a

system," highlighting the procedural nature of execution.

o URL: https://spacelift.io/blog/ansible-tutorial

o Reference: Section "Ansible Architecture and Concepts", bullet

point "Playbooks".

The Cisco Catalyst Center Template Editor is specifically designed to create and manage reusable configuration templates for network devices. Its core characteristic is the use of templates containing standardized configurations that are customized through variables (parameterized elements). This approach allows administrators to apply consistent configurations across numerous devices while easily adapting specific settings like IP addresses, hostnames, or VLAN IDs for each unique device or site. This method is fundamental for scalable and error-free network provisioning.

A. It facilitates software upgrades to network devices from a central point. This describes the Software Image Management (SWIM) feature, a distinct function within Cisco Catalyst Center used for managing and deploying device OS images, not for device configuration templating. B. It facilitates a vulnerability assessment of the network devices. This function is handled by the Assurance component of Cisco Catalyst Center, which monitors the network for security advisories (PSIRT) and potential vulnerabilities. It is not a function of the Template Editor. D. It provides a high-level overview of the health of every network device. This is a primary function of the Assurance health dashboard. The dashboard provides comprehensive visibility into network, client, and application health, which is separate from the configuration-focused Template Editor tool.

1. Cisco Systems, "Cisco Catalyst Center Template Editor User Guide,

Release 2.3.5": This guide explicitly states, "A template is a reusable

model for a configuration... You can define variables in a template by

entering a name for the variable." It details the process of creating both

regular and composite templates using variables for customization.

o Source: Cisco Catalyst Center Guides

o URL: https://www.cisco.com/c/en/us/td/docs/cloud-systemsmanagement/network-automation-and-management/dna-center/2-

3-5/user-

guide/b_cisco_dna_center_user_guide_2_3_5/m_template_editor.ht

ml

o Specific Section: Chapter: "Template Editor," Introduction.

2. Cisco Systems, "Cisco Catalyst Center User Guide, Release 2.3.7":

This document differentiates the features. The Template Editor is for

"creating velocity templates to provision devices." In contrast, SWIM is

described as the tool to "upgrade a device's software image," and

Assurance is the tool to "view the health of your network."

o Source: Cisco Catalyst Center Guides

o URL: https://www.cisco.com/c/en/us/td/docs/cloud-systemsmanagement/network-automation-and-management/dna-center/2-

3-7/user_guide/b-cisco-dna-center-user-guide-237/m-manage-

software-images.html

o Specific Sections: "Software Image Management" and "About

Cisco DNA Center Assurance" chapters clearly define the purpose

of options A and D.

A Transport Locator (TLOC) in Cisco Catalyst SD-WAN is a key attribute that identifies the physical attachment point of a WAN Edge router to its transport network (e.g., MPLS, internet, LTE). It is not merely an identifier for a tunnel but serves a crucial routing function. The Overlay Management Protocol (OMP) advertises network prefixes, known as vRoutes, along with their TLOC attributes. Other routers in the overlay use this TLOC as the next-hop address to forward traffic, establishing the data plane tunnels. A TLOC is uniquely defined by a three-part tuple: the system IP address of the router, a color that identifies the transport, and the encapsulation type (IPsec or GRE).

A: Differentiating nodes that offer a common service is typically handled by site IDs and VPNs or through specific policy configurations, not by the TLOC itself, whose primary role is transport connectivity. B: While a TLOC is associated with a specific overlay tunnel, describing it merely as a "value that identifies a specific tunnel" is imprecise. Its fundamental role is to function as the routing next-hop for OMP routes, which is a more specific and accurate description. C: An identifier for a specific service is a separate concept. Services are advertised by OMP using service routes, which are then mapped to TLOCs, but the TLOC itself represents the transport location, not the service.

1. Cisco Systems, "Cisco SD-WAN Overlay Routing," Cisco SD-WAN

Design Guide.

o This guide explicitly states, "The TLOC is the next-hop for vRoutes"

and "The TLOC is the address of the exit point on the transport side

of the WAN Edge router...". It details that OMP advertises vRoutes,

which are prefixes, and the associated TLOCs to other WAN Edge

routers.

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/c-sdwan-design-guide.html#CiscoSD-WANOverlayRouting

o Reference: See the section "Cisco SD-WAN Overlay Routing" and

the subsection "Transport Locator (TLOC)".

2. Cisco Systems, "OMP Overview," Cisco Catalyst SD-WAN Systems

and Interfaces Configuration Guide, Cisco IOS XE Release 17.x.

o This document describes the function of OMP, noting that it

advertises three types of routes: OMP routes (vRoutes), TLOC

routes, and service routes. It clarifies that vRoutes are prefixes and

that TLOCs identify the "next hop for OMP routes".

o URL:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/r

outing/ios-xe-17/routing-book-xe/m-omp-overview.html

o Reference: See the sections "OMP Advertisements" and "OMP

Routes".

A site-to-site wireless connection is a fixed Point-to-Point (P2P) link, designed to connect two specific locations. This requires an antenna that can focus its energy in a single, narrow beam to maximize signal strength and range while minimizing interference. The Yagi antenna is a highly directional antenna specifically engineered for this purpose. Its design provides high gain and a focused radiation pattern, making it the ideal choice for establishing a stable connection between two distant, fixed points.

A. omnidirectional: This antenna type radiates signals in all horizontal directions (a 360-degree pattern). It is used for Point-to-Multi-Point (P2MP) applications, such as a typical Wi-Fi access point serving multiple clients in an area, not for a direct link between two specific sites. B. patch: While the patch antenna is directional, it typically has a wider beamwidth and lower gain than a Yagi. It is more suitable for providing coverage to a specific sector or area rather than for a long-distance, highly focused P2P link. C. dipole: The dipole is a fundamental antenna type that is generally omnidirectional in the plane perpendicular to its axis. It lacks the high gain and sharp directivity required for a long-distance site-to-site connection.

1. Cisco: In its Antenna Selection Guide, Cisco clearly states, "Point-to-point

systems use directional antennas to focus the transmission." It lists the

Yagi as a primary example of a directional antenna used for bridging

between buildings.

o Source: Cisco, "Antenna Selection Guide," Document ID: 70622.

(While the original direct link may change, this document is a

canonical Cisco resource on the topic).

2. IEEE Publication: An article in IEEE Antennas and Propagation Magazine

describes the Yagi-Uda antenna as having "high gain and directivity,"

which are the essential characteristics needed to send a signal from one

specific point to another.

o Source: Balanis,

C. A. (2016). Antenna Theory: Analysis and

Design, 4th Edition. Wiley-IEEE Press. Chapter 10, "Yagi-Uda

Arrays." (This is a standard, authoritative textbook in the field).

3. Academic Source (University of York): Educational materials on

antenna characteristics show that the Yagi antenna's radiation pattern

features a very strong, narrow "major lobe" in one direction, contrasting

sharply with the wide patterns of omnidirectional and dipole antennas.

o Source: University of York, Department of Electronics, "Yagi

Antennas," Communications Lab material. (See

https://www.york.ac.uk/inst/speng/comm_lab/yagi/yagi.html for a

typical example of such educational material).

The core task is to log or "send information" about each specific command executed at the highest privilege level (15) to a TACACS+ server. This is a function of command accounting. The command aaa accounting commands 15 default start-stop group tacacs+ achieves this by: • aaa accounting: Specifies the AAA function for logging events. • commands 15: Narrows the scope specifically to individual commands executed at privilege level 15. This is the most precise keyword for the task, as opposed to exec, which applies to the entire session. • start-stop: Instructs the router to send an accounting record when a command begins and another when it ends. • group tacacs+: Designates the TACACS+ server group as the destination for these accounting records.

B. aaa authorization exec ...: This command is used to authorize (grant or deny permission for) the start of an entire user EXEC session, not to log individual commands run within it. It performs the wrong function (authorization vs. accounting) at the wrong scope (session vs. command). C. aaa authorization commands 15 ...: This command authorizes individual commands at privilege level 15, meaning it checks with the TACACS+ server whether the user is allowed to run a command before execution. The question asks to send information for commands, which implies logging the action itself, the primary role of accounting. D. aaa accounting exec ...: This command enables accounting for the entire user session (from login to logout), not for each individual command. It would create a log entry for the session's start and stop, but not for the specific commands entered during that session.

1. Cisco IOS Security Command Reference: Commands A to C, aaa

accounting commands

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/security/a1/sec-a1-cr-book/sec-cr-a.html#wp3554448157

o Details: This official Cisco command reference states that aaa

accounting commands level is used to "configure accounting for all

EXEC commands for a specific privilege level." This directly

validates that commands 15 is the correct syntax for targeting

individual commands at that level.

2. Cisco IOS Security Configuration Guide, Release 12.4, "Configuring

Accounting"

o URL:

https://www.cisco.com/c/en/us/td/docs/ios/12_4/security/configuratio

n/guide/scf/scfacct.html

o Details: In the section "Command Accounting," the guide explains

that aaa accounting commands provides "accounting for individual

EXEC commands." It contrasts this with aaa accounting exec, which

provides accounting for "a user EXEC terminal session." This

source clearly differentiates the scope of commands vs. exec.

The Python code snippet demonstrates sequence repetition. The multiplication operator (*) when applied to a list and an integer n creates a new list by concatenating the original list with itself n times. The initial list is [1, 2]. The expression list * 3 evaluates to [1, 2] concatenated with itself twice more, resulting in the final list [1, 2, 1, 2, 1, 2].

B. [1,2] * 3: This is a string representation of the operation itself, not the evaluated result that the print() function would output. C. [3, 6]: This incorrectly assumes the multiplication is applied element- wise. The * operator does not perform scalar multiplication on the elements of a standard Python list. D. [1,2], [1,2], [1,2]: This incorrectly represents the output as three separate lists. The repetition operator produces a single, new list containing all the elements.

1. Python Software Foundation, "More Control Flow Tools": The official

Python tutorial explains that for sequence objects, s * n results in "n

shallow copies of s concatenated". For a list like [1, 2], this means

concatenating it three times.

o Source: Python 3.13.0a2 Documentation

o URL: https://docs.python.org/3/tutorial/controlflow.html#arbitraryargument-lists (See the note on unpacking argument lists which

references sequence repetition behavior). A more direct reference is

in the sequence types section.

2. Python Software Foundation, "Sequence Types — list, tuple, range":

This documentation explicitly defines the behavior of common sequence

operations. It states that s * n or n * s is equivalent to adding s to itself n

times, creating a new sequence.

o Source: Python 3 Language Documentation

o URL: https://docs.python.org/3/library/stdtypes.html#sequencetypes-list-tuple-range (See the table under "Common Sequence

Operations").

3. MIT OpenCourseWare, "6.0001 Introduction to Computer Science and

Programming in Python, Fall 2016": Lecture 5 materials cover lists and

tuples. The lecture notes clarify that operators like + (concatenation) and *

(repetition) can be used with lists to create new lists.

o Source: MIT OCW

o URL: https://ocw.mit.edu/courses/6-0001-introduction-to-computerscience-and-programming-in-python-fall-

2016/resources/mit6_0001f16_lec5/ (The concept of list repetition is

a fundamental part of this introductory lecture).

In a Cisco Software-Defined Access (SD-Access) architecture, fabric-enabled Access Points (APs) handle the wireless client data plane differently than in traditional centralized WLAN designs. The control plane is still managed via a CAPWAP tunnel to the Wireless LAN Controller (WLC). However, the data plane traffic from wireless clients is encapsulated in a VXLAN tunnel directly by the AP and sent to its connected first-hop fabric edge switch. The fabric edge switch acts as the VXLAN Tunnel Endpoint (VTEP), terminating this initial tunnel. It then processes the traffic for policy enforcement and forwards it through the larger fabric overlay, potentially in another VXLAN tunnel, to its final destination.

B. on the WLC node: This is incorrect. In an SD-Access fabric deployment, the WLC is primarily responsible for the control plane (via CAPWAP). Data traffic is localized at the fabric edge to avoid creating a bottleneck at the WLC, which is a key benefit of the architecture. C. on the fabric border node switch: This is incorrect. The fabric border node's role is to connect the SD-Access fabric to external networks (e.g., the internet, data center). It only terminates VXLAN tunnels for traffic entering or exiting the fabric (north-south traffic), not for the initial tunnel from an AP. D. directly on the fabric APs: This is imprecise. While the AP is an endpoint that originates the VXLAN encapsulation, the question asks where the tunnel terminates. The tunnel exists between the AP and the edge switch; therefore, the termination point from the AP's perspective is the switch.

1. Cisco Systems, "SD-Access Solution Design Guide (CVD)" (August

2023). This guide explicitly details the traffic flow for fabric wireless.

o Reference: In the "SD-Access Wireless" section, it states: "For the

data plane, Fabric APs establish a VXLAN tunnel with their first-hop

fabric edge switch. This allows the data traffic to be sent directly

from the AP to the fabric edge, where it enters the SD-Access

fabric."

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco

-sd-access-design-guide.html

2. Cisco Systems, "Cisco SD-Access for Fabric-Enabled Wireless

Design and Deployment Guide". This document provides in-depth

information on the wireless integration.

o Reference: Chapter 2, "Fabric-Enabled Wireless Architecture,"

clarifies the data plane path: "The AP encapsulates wireless client

traffic in VXLAN and forwards it to the fabric edge. The fabric edge

then forwards the traffic to the destination."

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sdaccess-fabric-wireless-design-deployment-guide.html

When a wireless client roams between controllers that are in different mobility groups, it is always considered a Layer 3 roaming event. A mobility group is a set of wireless LAN controllers (WLCs) that share the same mobility group name, enabling seamless Layer 2 roaming for clients moving between access points associated with those controllers. When a client moves to a controller outside of its original mobility group, the new controller does not have the client's session information. This forces the client's traffic to be tunneled back to its original "anchor" controller, which is the defining mechanism of Layer 3 roaming, ensuring the client maintains its original IP address and session state.

B. Layer 7: This is the Application layer of the OSI model. While applications are affected by roaming, the network-level event of switching subnets or anchor points is not classified at this layer. C. Layer 1: This is the Physical layer (e.g., radio frequencies). While physical connectivity is a prerequisite for roaming, the logical process of managing the client's network session across subnets occurs at higher layers. D. Layer 2: This type of roaming occurs when a client moves between access points on the same subnet, typically managed by controllers within the same mobility group. The client's IP address does not change, and no tunneling to an anchor is required.

1. Cisco, "Mobility Architecture Guide": This guide explicitly defines the

boundaries for Layer 2 and Layer 3 roaming. It states that for a roam to be

considered Layer 2, the controllers must be in the same mobility group.

Roaming between controllers in different mobility groups necessitates a

Layer 3 event.

o Source URL:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/configguide/b_cg85/mobility_groups.html

o Specific Section: In the "Mobility Architecture" and "Inter-Controller

Roaming" sections, the documentation clarifies that "Layer 3

roaming occurs when a client roams between APs that are

connected to different controllers and the client WLAN on the

controllers is on different subnets." It further clarifies that controllers

in different mobility groups do not share client state, forcing this type

of roam.

2. Cisco, "Enterprise Mobility 8.5 Design Guide": This design guide

reinforces the concept by describing the mechanics of inter-controller

roaming.

o Source URL:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-

5_Deployment_Guide/Chapter-7-Mobility.html

o Specific Section: Chapter 7, "Mobility," explains that a "mobility

group is a logical grouping of controllers that defines the realm of

seamless Layer 2 roaming for a wireless user." When a client roams

to a controller not in the configured mobility group, it triggers a

Layer 3 roaming event where traffic is tunneled over an EtherIP

tunnel.

The most effective action to reduce sticky clients is to increase the mandatory minimum data rates on the Access Point (AP). A sticky client is a device that remains associated with a distant AP despite having a closer one available. By increasing the minimum required data rate, the AP will disassociate clients that fall below this performance threshold. As a client moves away from an AP, its signal weakens, and its achievable data rate drops. Once it drops below the configured mandatory minimum, the client is forced to disconnect and re-scan, prompting it to find and associate with a closer AP that can provide a stronger signal and meet the rate requirement.

A. Decrease radio channel widths to 40 MHz: Changing channel width primarily affects throughput and channel reuse plans. While narrower channels can reduce interference in dense environments, this action does not directly influence a client's roaming decision or solve the sticky client issue. C. Decrease the mandatory minimum data rates: This action would worsen the sticky client problem. It allows a client to maintain a connection even with a very weak signal and low data rate, encouraging it to "stick" to a distant AP for longer. D. Increase radio channel widths to 160 MHz: Increasing channel width is aimed at boosting maximum throughput but is generally not recommended for dense environments due to a high potential for co-channel interference. It does not address the underlying cause of sticky clients.

1. Cisco, "High Density Wi-Fi Design and Deployment Guide": This guide

explicitly recommends tuning data rates to manage client behavior. It

states, "Disabling the lower data rates (e.g., 1, 2, 5.5, and 11 Mbps) can

help with 'sticky' clients... Forcing clients to use higher data rates means

that they will need to be closer to the AP. This encourages clients to roam

to a closer AP sooner." (See Chapter: Radio Resource Management,

Section: Data Rates).

o Source URL:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-

5_Deployment_Guide/cuwn.html (Content on data rates and cell

sizing is a foundational concept in these guides).

2. Cisco, "Optimizing Enterprise-Class Wi-Fi Networks": This document

details that setting a higher minimum mandatory data rate effectively

shrinks an AP's cell size from a client's perspective. "A client must be able

to support a mandatory data rate to associate to an AP... By setting a

higher data rate as mandatory, the effective cell size is reduced, forcing

clients to connect to an AP that is physically closer."

o Source URL:

https://www.cisco.com/c/en/us/support/docs/wireless/5500-serieswireless-controllers/116057-site-survey-guidelines-wlan.html (Refer

to the section on "Data Rates").

3. IEEE 802.11-2020 Standard: The standard defines the mechanism for

Basic and Supported Rates. An AP advertises its "Basic Rate Set"

(equivalent to mandatory rates). A station must be able to receive and

transmit at all rates in the Basic Rate Set to join the Basic Service Set

(BSS). This foundational mechanism is what network administrators

leverage to control associations.

o Source Identifier: IEEE Std 802.11™ -2020, Section 9.4.2.3

"Supported Rates element".

o Source URL: https://ieeexplore.ieee.org/document/9363693

Cisco Catalyst Center, a core component of Cisco's Intent-Based Networking (IBN) architecture, uses northbound Intent APIs to allow users and external systems to specify the desired outcome or "intent" for the network. These APIs abstract the underlying complexity, enabling operators to define what they want the network to do (e.g., "provide guest wireless access") rather than specifying the granular, step-by-step device configurations required to achieve it. The controller then translates this high-level intent into specific actions on the network devices via its southbound interfaces. This focus on "outcome instead of the individual steps" is the defining characteristic of the Intent API.

A. southbound Multivendor Support: Southbound APIs are used by the controller to communicate down to the network devices. They are concerned with the "individual steps" of configuration (e.g., setting a VLAN on a port), not the high-level outcome or intent. B. westbound Integration: While Catalyst Center has westbound APIs for integration with IT systems like ITSM or IPAM, these are for process automation and data exchange between peer systems, not for defining the primary operational intent of the network itself. D. eastbound Events and Notifications: Eastbound APIs are used to stream data out of the Catalyst Center to other systems for monitoring, logging, and analytics. They report the network's current state and events, rather than receiving commands about its desired future state.

1. Cisco Systems, "Cisco Catalyst Center Northbound APIs." This official

documentation states, "The Cisco Catalyst Center northbound APIs, also

known as Intent APIs, allow you to programmatically control your

network... With these APIs, you can specify the what, and let Cisco

Catalyst Center determine the how."

o Source: Cisco Developer Portal

o URL: https://developer.cisco.com/docs/dna-center/#!cisco-dnacenter-platform-overview/cisco-dna-center-northbound-apis

o Reference: "Cisco DNA Center Northbound APIs" section.

2. Cisco Systems, "Cisco DNA Center API Overview." This guide clearly

differentiates the API types. It describes the Intent API as the primary

northbound interface for defining business intent and policy. It contrasts

this with southbound interfaces (for device control) and east-west

interfaces (for notifications and integration).

o Source: Cisco DNA Center API Quick Start Guide

o URL: https://www.cisco.com/c/en/us/td/docs/cloud-systemsmanagement/network-automation-and-management/dna-

center/tech_notes/b_dnac_api_best_practices.html

o Reference: "API Overview" section.

3. Haleplidis, E., et al. "Software-Defined Networking (SDN): Layers and

Architecture Terminology." This IETF RFC provides a standardized,

vendor-neutral definition of SDN architecture. It defines Northbound

Interfaces as those that "expose capabilities of a network" to applications,

enabling them to "request abstract network behaviors," which aligns

directly with the concept of intent.

o Source: IETF Request for Comments (RFC) 7426

o URL: https://www.rfc-editor.org/rfc/rfc7426.html

o Reference: Section 3.1, "SDN Northbound Interfaces (NBIs)."

In a Cisco Software-Defined Access (SD-Access) wireless deployment, the control and data planes for wireless traffic are separated to integrate wireless clients directly into the fabric. The Access Point (AP) establishes a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel to the Wireless LAN Controller (WLC) for control plane functions, including client authentication, association, and roaming management. Once a client is onboarded, its data plane traffic is encapsulated in Virtual Extensible LAN (VXLAN) by the AP and sent directly to the local fabric edge switch. This design allows for distributed data forwarding and consistent policy application across wired and wireless clients at the fabric edge.

A. Control plane traffic and data plane traffic are sent to the WLC through VXLAN. o This is incorrect. The control plane leverages CAPWAP, not VXLAN, for communication between the AP and the WLC. C. The control plane traffic is sent to the WLC through VXLAN, and the data plane traffic is sent to the WLC through CAPWAP tunnels. o This incorrectly reverses the protocols. CAPWAP is used for control, and VXLAN is used for the data plane path to the fabric edge, not the WLC. D. Control plane traffic and data plane traffic are sent to the WLC through CAPWAP tunnels. o This describes a traditional, non-fabric centralized wireless architecture (often called local mode), not the specific architecture of an SD-Access fabric-enabled wireless network.

1. Cisco, Software-Defined Access Wireless Design and Deployment

Guide, December 2023.

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco

-sda-wireless-design-and-deployment-guide.html

o Reference: In the "Fabric Wireless Architecture" section, the guide

states, "In the Cisco SD-Access wireless architecture, the APs still

form a CAPWAP control plane tunnel to the WLC... Once the client

is authenticated and is sending traffic, the APs encapsulate the

wireless client traffic in VXLAN and send it to the fabric edge node."

This directly supports the correct answer. The architecture diagrams

throughout the document visually confirm this flow.

2. Cisco, Cisco SD-Access Solution Design Guide (CVD), July 2023.

o URL:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cdasd-access-design-guide.html

o Reference: The "SD-Access Wireless" section explains that the

WLC is part of the control plane and that data traffic from wireless

clients is encapsulated in VXLAN from the Fabric AP to the fabric

edge node. It contrasts this with the legacy "local mode" where both

control and data are sent to the WLC via CAPWAP.