Implementing Cisco Data Center Unified Fabric
Question No: 11 – (Topic 1)
On a Cisco Nexus 7000 Series router, which statement about HSRP and VRRP is true?
When VDCs are in use, only VRRP is supported.
HSRP and VRRP both use the same multicast IP address with different port numbers.
HSRP has shorter default hold and hello times.
The VRRP group IP address can be the same as the router-specific IP address.
Answer: D Explanation:
VRRP allows for transparent failover at the first-hop IP router by configuring a group of routers to share a virtual IP address. VRRP selects a master router in that group to handle all packets for the virtual IP address. The remaining routers are in standby and take over if the master router fails.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx- os/unicast/configuration/guide/l3_cli_nxos/l3_vrrp.html
Question No: 12 – (Topic 1)
Which statement explains why a Cisco UCS 6200 Fabric Interconnect that is configured in end-host mode is beneficial to the unified fabric network?
There is support for multiple (power of 2) uplinks.
Upstream Layer 2 disjoint networks will remain separated.
The 6200 can connect directly via vPC to a Layer 3 aggregation device.
STP is not required on the uplink ports from the 6200.
Answer: D Explanation:
In Cisco Unified Computing System environments, two Ethernet switching modes determine the way that the fabric interconnects behave as switching devices between the servers and the network. In end-host mode, the fabric interconnects appear to the upstream devices as end hosts with multiple links. In end-host mode, the switch does not run Spanning Tree Protocol and avoids loops by following a set of rules for traffic forwarding. In switch mode, the switch runs Spanning Tree Protocol to avoid loops, and broadcast and multicast packets are handled in the traditional way.
Topic 2, Implement Security on Cisco Unified Fabric Products in a Cisco Data Center Architecture
Question No: 13 – (Topic 2)
Which statement about RBAC user roles on a Cisco Nexus switch is true?
If you belong to multiple roles, you can execute only the commands that are permitted by both roles (logical AND).
Access to a command takes priority over being denied access to a command.
The predefined roles can only be changed by the network administrator (superuser).
The default SAN administrator role restricts configuration to Fibre Channel interfaces.
On a Cisco Nexus 7000 Series Switch, roles are shared between VDCs.
Answer: B Explanation:
If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the users also have RoleB, which has access to the configuration commands. In this case, the users have access to the configuration commands.
Question No: 14 – (Topic 2)
Which statement about the implementation of Cisco TrustSec on Cisco Nexus 7000 Series Switches is true?
While SGACL enforcement and SGT propagation are supported on the M and F modules, 802.1AE (MACsec) support is available only on the M module.
SGT Exchange Protocol is required to propagate the SGTs across F modules that lack hardware support for Cisco TrustSec.
AAA authentication and authorization is supported using TACACS or RADIUS to a Cisco Secure Access Control Server.
Both Cisco TrustSec and 802.1X can be configured on an F or M module interface.
Answer: A Explanation:
The M-Series modules on the Nexus 7000 support 802.1AE MACSEC on all ports, including the new M2-series modules. The F2e modules will have this feature enabled in the future.
It is important to note that because 802.1AE MACSEC is a link-level encryption, the two MACSEC-enabled endpoints, Nexus 7000 devices in our case, must be directly L2 adjacent. This means we direct fiber connection or one facilitated with optical gear is required. MACSEC has integrity checks for the frames and intermediate devices, like another switch, even at L2, will cause the integrity checks to fail. In most cases, this means metro-Ethernet services or carrier-provided label switched services will not work for a MACSEC connection.
Question No: 15 – (Topic 2)
After enabling strong, reversible 128-bit Advanced Encryption Standard password type-6 encryption on a Cisco Nexus 7000, which command would convert existing plain or weakly
encrypted passwords to type-6 encrypted passwords?
switch# key config-key ascii
switch(config)# feature password encryption aes
switch# encryption re-encrypt obfuscated
switch# encryption decrypt type6
Answer: C Explanation:
This command converts existing plain or weakly encrypted passwords to type-6 encrypted passwords.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx- os/security/configuration/guide/b_Cisco_Nexus_7000_NX- OS_Security_Configuration_Guide Release_5-x/b_Cisco_Nexus_7000_NX- OS_Security_Configuration_Guide Release_5-x_chapter_010101.html
Question No: 16 – (Topic 2)
Which statement about implementation of Cisco TrustSec on Cisco Nexus 5546 or 5548 switches are true?
Cisco TrustSec support varies depending on Cisco Nexus 5500 Series Switch model.
The hardware is not able to support MACsec switch-port-level encryption based on IEEE 802.1AE.
The maximum number of RBACL TCAM user configurable entries is 128k.
The SGT Exchange Protocol must use the management (mgmt 0) interface.
Reference: https://scadahacker.com/library/Documents/Manuals/Cisco –
TrustSec Solution Overview.pdf
Question No: 17 – (Topic 2)
In the dynamic vNIC creation wizard, why are choices for Protection important?
They allow reserve vNICs to be allocated out of the spares pool.
They enable hardware-based failover.
They select the primary fabric association for dynamic vNICs.
They allow dynamic vNICs to be reserved for fabric failover.
Answer: C Explanation:
Number of Dynamic vNICs – This is the number of vNICs that will be available for dynamic assignment to VMs. Remember that the VIC has a limit to the number of vNICs that it can support and this is based on the number of uplinks between the IOM and the FI. At least this is the case with the 2104 IOM and the M81KR VIC, which supports ((# IOM Links * 15) – 2)). Also remember that your ESXi server will already have a number of vNICs used for other traffic such as Mgmt, vMotion, storage, etc, and that these count against the limit.
Adapter Policy – This determines the vNIC adapter config (HW queue config, TCP offload, etc) and you must select VMWarePassThru to support VM-FEX in High Performance mode.
Protection – This determines the initial placement of the vNICs, either all of them are placed on fabric A or Fabric B or they are alternated between the two fabrics if you just select the “Protected” option. Failover is always enabled on these vNICs and there is no way to disable the protection.
Reference: http://infrastructureadventures.com/2011/10/09/deploying-cisco-ucs-vm-fex-for- vsphere-–-part-2-ucsm-config-and-vmware-integration/
Question No: 18 – (Topic 2)
When a local RBAC user account has the same name as a remote user account on an AAA server, what happens when a user with that name logs into a Cisco Nexus switch?
The user roles from the remote AAA user account are applied, not the configured local user roles.
All the roles are merged (logical OR).
The user roles from the local user account are applied, not the remote AAA user roles.
Only the roles that are defined on both accounts are merged (logical AND).
Answer: C Explanation:
If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx- os/security/configuration/guide/sec_nx-os-cfg/sec_rbac.html
Question No: 19 – (Topic 2)
Which two security features are only supported on the Cisco Nexus 7000 Series Switches? (Choose two.)
IP source guard
traffic storm control
Dynamic ARP Inspection
Answer: B,F Explanation:
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. You can use the traffic storm control feature to prevent disruptions on Layer 2 ports by a broadcast, multicast, or unicast traffic storm on physical interfaces.
Traffic storm control (also called traffic suppression) allows you to monitor the levels of the incoming broadcast, multicast, and unicast traffic over a 10-millisecond interval. During this interval, the traffic level, which is a percentage of the total available bandwidth of the port, is compared with the traffic storm control level that you configured. When the ingress traffic reaches the traffic storm control level that is configured on the port, traffic storm control drops the traffic until the interval ends.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/dcnm/security/configurati on/guide/b_Cisco_DCNM_Security_Configuration_Guide Release_5- x/Cisco_DCNM_Security_Configuration_Guide Release_5-x_chapter17.html
And http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/dcnm/security/configurati on/guide/b_Cisco_DCNM_Security_Configuration_Guide Release_5- x/Cisco_DCNM_Security_Configuration_Guide Release_5-x_chapter1.html
Question No: 20 – (Topic 2)
Which statement is true if password-strength checking is enabled?
Short, easy-to-decipher passwords will be rejected.
The strength of existing passwords will be checked.
Special characters, such as the dollar sign ($) or the percent sign (%), will not be allowed.
Passwords become case-sensitive.
Answer: A Explanation:
If a password is trivial (such as a short, easy-to-decipher password), the cisco NX_OS software will reject your password configuration if password-strength checking is enabled. Be sure to configure a strong password. Passwords are case sensitive.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7- x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX- OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX- OS_Security_Configuration_Guide_7x_chapter_01000.pdf
100% Ensurepass Free Download!
–Download Free Demo:642-997 Demo PDF
100% Ensurepass Free Guaranteed!
–Download 2017 EnsurePass 642-997 Full Exam PDF and VCE
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|