CISCO ENCOR 350-401 Exam Questions 2025

Cisco's Endpoint Detection and Response (EDR) solution, now known as Cisco Secure Endpoint, integrates multiple advanced capabilities to protect endpoints. Its core functionality relies on a combination of machine learning and behavioral analytics to detect unknown threats, leveraging threat intelligence from Cisco Talos for comprehensive threat awareness. A critical response feature is the ability to contain or isolate a compromised endpoint, preventing the threat from spreading across the network while allowing for further investigation. These three elements machine learning, threat intelligence, and containment are fundamental to its detection and response framework.

B. firewalling and intrusion prevention: These terms primarily describe network security functions, characteristic of Next-Generation Firewalls (NGFW) and Intrusion Prevention Systems (IPS), not the core features of an endpoint-centric EDR solution. C. container-based agents: This describes a potential deployment architecture for the agent, not a core security feature for threat detection or response. The agent's capabilities, not how it's packaged, are the key features. D. cloud analysts and endpoint firewall controls: "Cloud analysts" refers to a managed service (MDR) that uses the EDR tool, not a feature of the tool itself. While endpoint firewall control can be part of a larger security suite, it is not a defining feature of EDR's advanced detection and response cycle.

1. Cisco, "Cisco Secure Endpoint Data Sheet": This document explicitly

details the product's features. It mentions "Advanced Endpoint Detection

and Response," "Machine Learning," "Cisco Talos threat intelligence," and

"Host Isolation" (containment).

o Source URL:

https://www.cisco.com/c/en/us/products/collateral/security/amp-forendpoints/datasheet-c78-745509.html

o Specific Sections: See sections "Advanced Endpoint Detection

and Response" and the features table which lists "Machine learning

analysis" and "Isolate an endpoint".

2. Cisco, "What Is Endpoint Detection and Response (EDR)?": This page

defines EDR and highlights its key components, including threat hunting,

behavioral protection, and response capabilities like isolation. It reinforces

the concepts of advanced analysis (machine learning) and the use of

threat intelligence.

o Source URL:

https://www.cisco.com/c/en/us/products/security/endpointsecurity/what-is-endpoint-detection-and-response-edr.html

o Specific Sections: See paragraphs under "How does EDR work?"

and "Key capabilities of an EDR solution."

When a Lightweight Access Point (AP) boots up, it initiates a discovery process to find a Wireless LAN Controller (WLC). One of the methods used is DNS resolution. The AP will attempt to resolve the hostname CISCO-CAPWAP- CONTROLLER.localdomain. If the DNS server returns one or more IP addresses for this hostname, the AP will send a unicast CAPWAP Discovery Request message to each IP address it receives. It does not stop after the first one, nor does it immediately send a join request. A broadcast request is a different step in the discovery process and is not a response to a successful DNS lookup.

A. broadcast discover request: A broadcast discovery is a separate method sent to the local subnet (255.255.255.255). It is not initiated as a result of a successful DNS resolution for a specific controller hostname. B. join request to all the WLCs: An AP sends a Join Request only after it has received a Discovery Response from a WLC and has selected a controller to join. The initial contact after DNS resolution is a Discovery Request. D. Unicast discovery request to the first WLS that resolves the domain name: This is incorrect because the AP will send a discovery request to all IP addresses returned by the DNS server for the controller hostname, not just the first one, to ensure it discovers all available controllers.

1. Cisco, "Wireless LAN Controller (WLC) Discovery and Join Process,"

Document ID: 107606.

o This document outlines the AP discovery process. In the "WLC

Discovery on a Layer 3 Network" section, step 4 explicitly states:

"The APs can discover controllers through your domain name

server (DNS)... The AP sends a unicast CAPWAP discovery request

to every address."

o URL: https://www.cisco.com/c/en/us/support/docs/wireless/4400series-wireless-lan-controllers/107606-wlc-lap.html (Under the

section "WLC Discovery on a Layer 3 Network")

2. Cisco, "Deploying the Cisco 5760 Wireless LAN Controller," Release

3.6E.

o In the "Information About AP-Controller Communication" chapter,

the section "How the Access Point Finds the Controller" details the

DNS discovery method: "If the DNS returns a list of controller IP

addresses, the access point sends a unicast discovery request to

each controller on the list."

o URL:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/5760/soft

ware/release/36e/configuration_guide/b_cg36e/b_cg36e_chapter_0

101111.html (Under the section "How the Access Point Finds the

Controller")

3. Cisco, "Lightweight AP (LAP) Registration to a Wireless LAN

Controller (WLC)," Document ID: 70333.

o This guide reinforces the discovery steps. The "LAP States" section

explains that discovery precedes the join state. The "DNS

Discovery" part clarifies that the AP resolves CISCO-CAPWAP-

CONTROLLER.localdomain and sends discovery messages to the

resulting IP addresses.

o URL: https://www.cisco.com/c/en/us/support/docs/wireless/wirelesslan-controller-wlc/70333-lap-registration.html (Under the section

"DNS Discovery")

The objective is to complete a Python script that reads device data from a user and updates a JSON file. The provided code snippets correctly fill the blanks to achieve the required functionality based on standard Python syntax and library usage. • import json: This statement is placed at the top to import the necessary json module. This module provides the json.load() and json.dump() functions used later in the script to parse and write JSON data. • while True:: This creates an infinite loop, satisfying the requirement that the script should continue to read user input "Until interrupted from the keyboard." except: This keyword is required to begin the exception handling block. It catches the KeyboardInterrupt (e.g., from pressing Ctrl+C) or EOFError (e.g., from pressing Ctrl+D), which is the designated signal to stop gathering input. File = open: This statement correctly opens the specified file, devicesData.json, in "r+" mode (read and write) and assigns the file object to the variable File. This is necessary to both read the existing device data and write the updated data back. File.close(): This statement is placed at the end to close the file. It is a crucial best practice to release the file resource after all operations are complete, ensuring data integrity and preventing resource leaks.

1. Python json Module Documentation: The official documentation details

the functions json.load() for reading from a JSON file and json.dump() for

writing to one.

o Source: Python Software Foundation, Python 3.12.3

documentation.

o URL: https://docs.python.org/3/library/json.html (See sections

19.2.1. Basic Usage)

2. Python Control Flow Statements: The while statement and try...except

compound statements are fundamental control flow structures in Python.

The documentation specifies their syntax and usage.

o Source: Python Software Foundation, Python 3.12.3

documentation.

o URL: https://docs.python.org/3/tutorial/controlflow.html#morecontrol-flow-tools (for loops) and

https://docs.python.org/3/tutorial/errors.html#handling-exceptions

(for try...except).

3. Python File I/O: The official tutorial explains the use of the open() function

for file access, the different modes like "r+", and the importance of the

.close() method.

o Source: Python Software Foundation, Python 3.12.3

documentation.

o URL: https://docs.python.org/3/tutorial/inputoutput.html#readingand-writing-files (See section 7.2).

The question asks for a solution that simplifies the management of secure network access. Cisco TrustSec is the most precise answer because it is an architecture specifically designed to achieve this simplification. TrustSec decouples network access from IP addresses by classifying endpoints into logical groups (roles) and assigning them Security Group Tags (SGTs). Policies are then defined based on these role-based SGTs (e.g., "Doctors can access Patient Records"), which is significantly simpler to manage than creating and maintaining thousands of IP-based Access Control Lists (ACLs). This logical grouping is the core mechanism of simplification.

B. ISE to automate network access control leveraging RADIUS AV pairs This is incorrect because while the Cisco Identity Services Engine (ISE) is the central policy engine that implements the TrustSec architecture, TrustSec is the actual framework that provides the simplification through logical grouping. This option describes the tool, whereas option A describes the architectural solution that achieves the goal. C. RFC 3580-based solution to enable authenticated access leveraging RADIUS and AV pairs This is incorrect as RFC 3580 is a standard that provides guidelines for using RADIUS with IEEE 802.1X. It is a foundational protocol specification, not a comprehensive solution designed to simplify policy management across an enterprise. D. 802 1AE to secure communication in the network domain This is incorrect because IEEE 802.1AE, also known as MACsec, is a standard for Layer 2 data encryption. It ensures data confidentiality and integrity on a wired network but does not provide a framework for simplifying user and device access policy management.

1. Cisco Systems, "Cisco TrustSec Solution Design Guide": "Cisco

TrustSec technology provides a new paradigm for secure networking,

simplifying the provisioning and management of network access...

The goal of the Cisco TrustSec solution is to assign a Security Group Tag

(SGT) to a user/device... This simplifies policy management by reducing

the number of access control entries."

o Source URL:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/

TrustSec/2-1/TS_2-1_DG/tsd_2-1_overview.html

o Section: "Cisco TrustSec Solution Overview"

2. Cisco Systems, "TrustSec Security Group Tagging Design and

Implementation Guide": "The goal of the TrustSec solution is to assign a

Security Group Tag (SGT) to a user/device when it connects to the

network... This SGT is then used as a source and destination in the access

policies... This simplifies policy management by reducing the number

of access control entries that would have been required if using IP

addresses."

o Source URL:

https://www.cisco.com/c/en/us/support/docs/security/trustsec/11613

2-config-sgt-00.html

o Section: "Introduction"

3. IETF, RFC 3580, "IEEE 802.1X Remote Authentication Dial In User

Service (RADIUS) Usage Guidelines": This document describes the use

of RADIUS in conjunction with IEEE 802.1X authenticators, focusing on

protocol attributes and behavior. It is a technical specification, not a

management solution.

o Source URL: https://datatracker.ietf.org/doc/html/rfc3580

o Section: Abstract

4. IEEE Standards Association, "IEEE Standard for Local and

metropolitan area networks-Media Access Control (MAC) Security":

This standard specifies the provision of connectionless user data

confidentiality, data integrity, and data origin authenticity. Its focus is on

Layer 2 encryption.

o Source URL: https://standards.ieee.org/ieee/802.1AE/3439/

o Identifier: IEEE Std 802.1AE™ -2006

Cisco Catalyst SD-WAN routers, which function as the data plane or "WAN Edge" devices in the architecture, can be deployed in multiple form factors to fit various site requirements. These include hardware appliances for physical locations like branches and data centers, virtualized instances that can run on standard hypervisors or enterprise network virtualization platforms, and as instances within public cloud infrastructures like AWS, Azure, and Google Cloud to extend the SD-WAN fabric to cloud workloads. This flexibility allows for a consistent SD-WAN policy and architecture across a hybrid environment of physical, virtual, and cloud-based resources.

A. virtualized instances: This option is incorrect because it is incomplete. It omits the very common hardware appliance and cloud deployment models. B. hardware, software, cloud, and virtualized instances: This option is less precise than C. In this context, a "virtualized instance" is the "software" form factor. The term "virtualized" is more specific to the deployment model, distinguishing it from a physical appliance. Including both is redundant. D. hardware and virtualized instances: This option is incorrect because it is incomplete. It fails to include the crucial capability of deploying SD- WAN routers directly within public cloud environments, a key feature known as Cloud OnRamp.

1. Cisco Catalyst 8000V Edge Software Data Sheet: This document

explicitly states that the Catalyst 8000V is a "virtual-form-factor router" that

can be deployed in "virtual and cloud environments." It lists supported

hypervisors (VMware ESXi, KVM) for on-premises virtualization and public

clouds (Amazon EC2, Microsoft Azure, Google Cloud Platform) as

deployment locations.

o Source: Cisco, "Cisco Catalyst 8000V Edge Software Data Sheet"

o URL:

https://www.cisco.com/c/en/us/products/collateral/routers/catalyst8000v-edge-software/nb-06-cat8000v-edge-sw-data-sheet-ctp-

en.html (Refer to "Product overview" and "Benefits" sections).

2. Cisco SD-WAN Solution Overview: This document describes the

"endpoint flexibility" of the solution, covering physical platforms for

branches, aggregation sites, and virtual platforms. It explicitly mentions

extending the SD-WAN fabric to "data centers, branches, campuses,

colocation facilities, and clouds."

o Source: Cisco, "Cisco SD-WAN Solution Overview"

o URL: https://fe5e0932bbdbee188a67ade54de1bba9a4fe61c120942a09245b.ssl.cf1.rackcdn.com/nb-06-

sd-wan-sol-overview-cte-en.pdf (Refer to Page 4, "Endpoint

flexibility" and Figure 8, "Cisco SD-WAN portfolio").

3. Cisco SD-WAN Cloud OnRamp for IaaS White Paper: This paper details

the process of extending the enterprise WAN to public clouds by deploying

virtual SD-WAN routers within the cloud provider's infrastructure. It

confirms the "cloud" deployment model for edge devices.

o Source: Cisco, "Cisco SD-WAN Cloud OnRamp for Infrastructure

as a Service (IaaS) White Paper"

o URL: https://www.cisco.com/c/en/us/solutions/collateral/enterprisenetworks/sd-wan/white-paper-c11-743126.html (Refer to the

"Introduction" and "Solution" sections).

Auto anchor, also known as Mobility Anchor, is the feature specifically designed to ensure a wireless client maintains its original IP address when performing a Layer 3 roam between controllers, particularly when they are in different mobility groups. When a client roams to a new "foreign" controller, the foreign controller establishes an Ethernet-over-IP (EoIP) tunnel back to the client's original "anchor" controller. All of the client's traffic is sent through this tunnel to the anchor, from which it enters the wired network. This makes the client's physical location transparent and preserves its IP address, ensuring seamless session continuity.

A. interface groups: This feature is used on a single WLC to load-balance clients across a group of VLANs (interfaces). It does not provide the tunneling mechanism required for maintaining an IP address during an inter-controller roam. B. RF groups: This feature, also known as an RF domain, is used for coordinating Radio Resource Management (RRM) algorithms among a group of controllers. It manages radio settings like channel and power, and is unrelated to client IP address management during roaming. C. AAA override: This allows a RADIUS server to dynamically assign specific attributes, such as a VLAN ID, to a client upon authentication. It does not provide a mechanism to maintain that client's IP address when it roams to a different controller and subnet.

1. Cisco, "Enterprise Mobility 8.5 Design Guide"

o Details: In the "Mobility Architecture" chapter, the "Mobility Anchor"

section states: "Mobility anchoring, also known as guest tunneling,

is a feature where a controller is designated as the anchor point for

a particular WLAN... All client traffic is tunneled from the foreign

controller to the anchor controller over a Layer 3 tunnel (Ethernet-

over-IP). This allows a client to maintain its IP address when

roaming between controllers." It also notes this is useful for roaming

between different mobility groups.

o URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-

5_Deployment_Guide/ch3_mobility_arch.html#_Ref518882092

2. Cisco, "Wireless Controller Configuration Guide, Release 8.10"

o Details: In the "Configuring Mobility Groups" chapter, the section

"Information About Mobility Anchor" explains: "In a mobility anchor

setup, a client can roam to any controller in the mobility list, but its

point of presence on the wired network is always the anchor

controller... This feature is also referred to as 'guest tunneling' or

'auto anchoring'."

o URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/810/config-guide/b_cg810/configuring_mobility_groups.html#ID347

The Python script requires three parts to correctly serialize a Python dictionary into a JSON formatted string and print it. 1. import json: The first blank requires importing Python's built-in json module, which provides the necessary tools for working with JSON data. 2. json_string = json.dumps(data): The second blank uses the json.dumps() function to perform the conversion. This function takes a Python object (the data dictionary) and returns it as a JSON formatted string. This string is then assigned to the json_string variable. 3. print(json_string): The third blank prints the value of the json_string variable, which now holds the JSON representation of the original Python object.

Python Software Foundation. (2025). json — JSON encoder and

decoder. Python 3.13.3 documentation. This official documentation states,

"To use this module, import json" and describes the json.dumps() function

as the method to "serialize obj to a JSON formatted str".

o URL: https://docs.python.org/3/library/json.html#basic-usage

Guttag,

J. V. (2016). Lecture 10: Files. 6.0001 Introduction to Computer

Science and Programming in Python, Fall 2016. Massachusetts Institute of

Technology: MIT OpenCourseWare. The principles of handling different

data formats like JSON are covered in university-level computer science

introductions.

o URL: https://ocw.mit.edu/courses/6-0001-introduction-to-computerscience-and-programming-in-python-fall-2016/resources/lecture-10-

files/

A primary benefit of a data modeling language, such as YANG, is to create a standardized, vendor-neutral definition for the configuration and state data of network devices. This allows for the abstraction of device management away from proprietary, vendor-specific command-line interfaces (CLIs) or APIs. By using these common models, organizations can create configurations and automation workflows that are "widely compatible" across different hardware platforms and vendors, effectively refactoring what would otherwise be platform-specific code. This approach simplifies network automation and management at scale.

A: This is imprecise. The data model itself is a definition, not a "machine- friendly code" that is deployed. It defines the structure for management protocols to use, enabling machine-to-machine communication for management, but the core benefit is the standardization it provides. B: This is misleading. While data models describe device status, modern management protocols that use them (like NETCONF and RESTCONF) are often positioned as more capable alternatives to SNMP for configuration, not merely as augmentations for its subscription features. C: This is incorrect. The fundamental purpose of adopting a standardized data modeling language is to move away from vendor-centric models and operations toward a common, interoperable framework, thereby reducing vendor lock-in.

1. IETF RFC 7950: The YANG 1.1 Data Modeling Language:

o Quote/Concept: "YANG is a data modeling language used to

model configuration data, state data, Remote Procedure Calls

(RPCs), and notifications for network management protocols... This

allows a clean separation between the data models and the

management protocols..."

o Location: Abstract, Page 4.

o URL: https://www.rfc-editor.org/rfc/rfc7950.html

2. Cisco IOS XE Programmability Configuration Guide:

o Quote/Concept: "YANG is a standards-based, data modeling

language that is used to model the configuration and operational

state of a network device. The use of a standards-based model

provides a vendor-neutral way of programming a network device

and helps in managing a multivendor network."

o Location: Chapter: "YANG Data Models".

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/prog/configuration/1612/b_1612_prog_config_guide/yang_d

ata_models.html

3. IETF RFC 8340: YANG Tree Diagrams:

o Quote/Concept: "A YANG data model defines a hierarchy of data

that can be used for configuration, to report operational state, and

for invoking operations on network devices... The YANG language...

is protocol independent." This independence is key to creating

compatible configurations across different platforms.

o Location: Section 1: Introduction, Paragraph 1.

o URL: https://www.rfc-editor.org/rfc/rfc8340.html

During a Layer 2 inter-controller roam, the primary goal is to maintain a seamless connection for the client device. This is achieved by ensuring the client retains its original IP address, as the roam occurs within the same subnet (Layer 2 domain). Furthermore, to avoid disrupting the session and forcing a full re-authentication, the client's security context (which includes security keys and authentication status) is transferred from the original "anchor" controller to the new "foreign" controller. This allows the client to continue communicating securely without interruption.

A. A new security context is applied for each controller to which the client is associated, but the IP address remains the same. This is incorrect because applying a new security context would require a full re- authentication, which seamless roaming protocols (like 802.11r) are designed to avoid. The existing context is transferred, not replaced. B. The client must be associated to a new controller where a new IP address and security context are applied. This is incorrect as it describes a Layer 3 roam. A defining characteristic of a Layer 2 roam is that the client keeps the same IP address. D. The client is marked as foreign in the database of each new controller to which it is connected. While it is true that the new controller is termed the "foreign" controller and maintains a "foreign" entry for the client, this is an architectural detail of how the roam is managed. Option C more accurately and completely describes the primary outcome and experience for the client's session, which is the core of the roaming event itself.

1. Cisco, Enterprise Mobility 8.5 Design Guide. This guide details the

mobility architecture. It states, "In the case of inter-controller L2 roam, the

client maintains its IP address... The WLCs exchange mobility messages

and the client database entry is moved from the anchor WLC to the foreign

WLC. This includes the security context of the client."

o Source: Cisco, "Enterprise Mobility 8.5 Design Guide", Chapter:

Mobility Architecture. (A specific URL is difficult as these guides are

updated, but the concept is fundamental in all versions of the Cisco

Wireless LAN Controller Design Guides). A representative

document is available at:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-

5_Deployment_Guide.html, see the "Inter-Controller Roaming"

section.

2. IEEE Std 802.11™ -2020, IEEE Standard for Information Technology—

Telecommunications and information exchange between systems

Local and metropolitan area networks— Specific requirements - Part

11: Wireless LAN Medium Access Control (MAC) and Physical Layer

(PHY) Specifications. The mechanisms for Fast BSS Transition (FT),

defined in section 12.5, are designed to allow a station (client) to quickly

transition between access points while maintaining security and

connectivity. This involves transferring security key information, thus

preserving the security context.

o Source: IEEE Std 802.11™ -2020, DOI:

10.1109/IEEESTD.2021.9363693, Section 12.5 "Fast BSS

transition".

Configuring a wireless network for WPA2+WPA3 transition mode (also called mixed mode) requires enabling cipher suites that are compatible with both WPA2 and WPA3 clients. According to the IEEE 802.11-2020 standard and Wi- Fi Alliance specifications, CCMP-128 (Counter Mode Cipher Block Chaining Message Authentication Code Protocol with a 128-bit key) is the mandatory cipher for WPA2-Personal. For WPA3-Personal, CCMP-128 is also a mandatory baseline cipher, even though stronger optional ciphers exist. Therefore, to ensure that both WPA2 and WPA3 clients can connect to the same SSID, the network must be configured to use CCMP-128. This allows WPA2 clients to connect using PSK and WPA3 clients to connect using SAE, both leveraging the common CCMP-128 cipher.

A. Configure the GCMP256 encryption cipher: GCMP-256 is an optional, stronger cipher for WPA3 and is not supported by WPA2 clients. Configuring only this would prevent WPA2 clients from connecting, defeating the purpose of a mixed-mode policy. C. Configure the GCMP128 encryption cipher: GCMP-128 is defined as an optional cipher suite for use with WPA3, particularly for management frames, but it is not the standard data encryption cipher for WPA2. Relying on it would not guarantee compatibility. D. Configure the CCMP256 encryption cipher: This cipher suite does not exist within the context of the IEEE 802.11 standard for WPA2 or WPA3 security. The standard specifies CCMP with a 128-bit key (CCMP- 128) and GCMP with a 256-bit key (GCMP-256).

1. Wi-Fi Alliance, "Wi-Fi CERTIFIED WPA3™ Specification," Version 3.1,

January 2023.

o Section 3.2.1 (Cipher Suites): This section specifies that for

WPA3-Personal, the mandatory cipher suite is CCMP-128. It also

lists GCMP-256 as optional. For a mixed WPA2-WPA3 mode, the

AP must support the mandatory cipher suites for both security

protocols.

o URL: https://www.wi-fi.org/file/wi-fi-certified-wpa3-specification-v3-1

2. IEEE Standard for Information Technology— Telecommunications and

information exchange between systems Local and metropolitan area

networks— Specific requirements - Part 11: Wireless LAN Medium

Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE

Std 802.11™ -2020.

o Section 12.7.2 (Cipher suites): This section details the valid cipher

suites. It defines "CCMP-128" for use in Robust Security Network

Associations (RSNAs), which is the foundation for WPA2 and

WPA3. The standard mandates CCMP-128 for RSN-capable

stations.

o DOI: https://doi.org/10.1109/IEEESTD.2021.9363693

3. Cisco, "WPA3 Deployment Guide," December 19, 2022.

o Section: WPA3 Transition Mode (WPA3-Personal): The guide

explicitly states, "The WPA3 transition mode enables a graceful

migration from WPA2 to WPA3... The AP broadcasts a single SSID

that both WPA2 and WPA3 capable clients can use to connect. The

mandatory cipher for WPA2 is AES/CCMP128... WPA3 also

mandates the use of AES/CCMP128 cipher."

o URL:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/173/config-

guide/b_cg_9800_17_3_1_book/wpa3_deployment_guide.html