Implementing Cisco Data Center Infrastructure
Question No: 11 – (Topic 1)
By default it will take 10 seconds for authentication to fail due to an unresponsive RADIUS server before a Cisco Nexus series switch reverts to another RADIUS server or local authentication. What is one efficient way to improve the reaction time to a RADIUS server failure?
A. Decrease the global RADIUS retransmission count to 1.
B. Decrease the global RADIUS timeout interval to 5 seconds.
C. Configure the RADIUS retransmission count and timeout interval per server, versus globally.
D. Configure per server a test idle timer, along with a username and password.
Answer: D
Explanation:
You can monitor the availability of RADIUS servers. These parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval during which a RADIUS server receives no requests before the Nexus 5000 Series switch sends out a test packet. You can configure this option to test servers periodically.
The test idle timer specifies the interval during which a RADIUS server receives no requests before the Nexus 5000 Series switch sends out a test packet. The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, the Nexus 5000 Series switch does not perform periodic RADIUS server monitoring.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sec_radius.html
Question No: 12 – (Topic 1)
Which three items must be configured in the port profile client in Cisco UCS Manager? (Choose three.)
vCenter IP address
VM port group
Answer: B,C,D
Explanation:
After associating an ESX host to a DVS, you can migrate existing VMs from the vSwitch to the DVS, and you can create VMs to use the DVS instead of the vSwitch. With the hardware-based VN-Link implementation, when a VM uses the DVS, all VM traffic passes through the DVS and ASIC-based switching is performed by the fabric interconnect.
In Cisco UCS Manager, DVSes are organized in the following hierarchy:
vCenter
  Folder (optional)
    Datacenter
      Folder (required)
        DVS
At the top of the hierarchy is the vCenter, which represents a VMware vCenter instance. Each vCenter contains one or more datacenters, and optionally vCenter folders with which you can organize the datacenters. Each datacenter contains one or more required datacenter folders. Datacenter folders contain the DVSes.
Reference: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/1-3-1/b_UCSM_GUI_Configuration_Guide_1_3_1/UCSM_GUI_Configuration_Guide_1_3_1_chapter28.html
Topic 2, Data Center Infrastructure Security
Question No: 13 – (Topic 2)
After enabling strong, reversible 128-bit Advanced Encryption Standard password type-6 encryption on a Cisco Nexus 7000, which command would convert existing plain or weakly encrypted passwords to type-6 encrypted passwords?
A. switch# key config-key ascii
B. switch(config)# feature password encryption aes
C. switch# encryption re-encrypt obfuscated
D. switch# encryption decrypt type6
Answer: C
Explanation:
This command converts existing plain or weakly encrypted passwords to type-6 encrypted passwords.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide Release_5-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide Release_5-x_chapter_010101.html
Question No: 14 – (Topic 2)
Which statement about the implementation of Cisco TrustSec on Cisco Nexus 5546 or 5548 switches is true?
Cisco TrustSec support varies depending on Cisco Nexus 5500 Series Switch model.
The hardware is not able to support MACsec switch-port-level encryption based on IEEE 802.1AE.
The maximum number of RBACL TCAM user configurable entries is 128k.
The SGT Exchange Protocol must use the management (mgmt 0) interface.
Reference: https://scadahacker.com/library/Documents/Manuals/Cisco – TrustSec Solution Overview.pdf
Question No: 15 – (Topic 2)
Which two security features are only supported on the Cisco Nexus 7000 Series Switches? (Choose two.)
IP source guard
traffic storm control
Dynamic ARP Inspection
Answer: B,F
Explanation:
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. You can use the traffic storm control feature to prevent disruptions on Layer 2 ports by a broadcast, multicast, or unicast traffic storm on physical interfaces.
Traffic storm control (also called traffic suppression) allows you to monitor the levels of the incoming broadcast, multicast, and unicast traffic over a 10-millisecond interval. During this interval, the traffic level, which is a percentage of the total available bandwidth of the port, is compared with the traffic storm control level that you configured. When the ingress traffic reaches the traffic storm control level that is configured on the port, traffic storm control drops the traffic until the interval ends.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/dcnm/security/configuration/guide/b_Cisco_DCNM_Security_Configuration_Guide Release_5-x/Cisco_DCNM_Security_Configuration_Guide Release_5-x_chapter17.html
And http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/dcnm/security/configuration/guide/b_Cisco_DCNM_Security_Configuration_Guide Release_5-x/Cisco_DCNM_Security_Configuration_Guide Release_5-x_chapter1.html
Question No: 16 – (Topic 2)
Which statement about RBAC user roles on a Cisco Nexus switch is true?
A. If you belong to multiple roles, you can execute only the commands that are permitted by both roles (logical AND).
B. Access to a command takes priority over being denied access to a command.
C. The predefined roles can only be changed by the network administrator (superuser).
D. The default SAN administrator role restricts configuration to Fibre Channel interfaces.
E. On a Cisco Nexus 7000 Series Switch, roles are shared between VDCs.
Answer: B
Explanation:
If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denies access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/sec_rbac.html
Question No: 17 – (Topic 2)
How is a dynamic vNIC allocated?
A. Dynamic vNICs are assigned to VMs in vCenter.
B. Dynamic vNICs can only be bound to the service profile through an updating template.
C. Dynamic vNICs are bound directly to a service profile.
D. Dynamic vNICs are assigned by binding a port profile to the service profile.
Answer: C
Explanation:
The dynamic vNIC connection policy determines how the connectivity between VMs and dynamic vNICs is configured. This policy is required for Cisco UCS domains that include servers with VIC adapters on which you have installed VMs and configured dynamic vNICs. Each dynamic vNIC connection policy includes an Ethernet adapter policy and designates the number of vNICs that can be configured for any server associated with a service profile that includes the policy.
For VM-FEX that has all ports on a blade in standard mode, you need to use the VMware adapter policy.
For VM-FEX that has at least one port on a blade in high-performance mode, use the VMwarePassThrough adapter policy or create a custom policy. If you need to create a custom policy, the resources provisioned need to equal the resource requirements of the guest OS that needs the most resources and for which you will be using high-performance mode.
Question No: 18 – (Topic 2)
Which statement is true if password-strength checking is enabled?
A. Short, easy-to-decipher passwords will be rejected.
B. The strength of existing passwords will be checked.
C. Special characters, such as the dollar sign ($) or the percent sign (%), will not be allowed.
D. Passwords become case-sensitive.
Answer: A
Explanation:
If a password is trivial (such as a short, easy-to-decipher password), the Cisco NX-OS software will reject your password configuration if password-strength checking is enabled. Be sure to configure a strong password. Passwords are case sensitive.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01000.pdf
Question No: 19 DRAG DROP – (Topic 2)
Drag the description on the left to the most appropriate Nexus product on the right.
Question No: 20 – (Topic 2)
When a local RBAC user account has the same name as a remote user account on an AAA server, what happens when a user with that name logs into a Cisco Nexus switch?
A. The user roles from the remote AAA user account are applied, not the configured local user roles.
B. All the roles are merged (logical OR).
C. The user roles from the local user account are applied, not the remote AAA user roles.
D. Only the roles that are defined on both accounts are merged (logical AND).
Answer: C
Explanation:
If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_rbac.html