[Jan 10, 2025] Free CCNP Enterprise 300-440 Official Cert Guide PDF Download
Cisco 300-440 Official Cert Guide PDF
NEW QUESTION # 24
An engineer must configure an IPsec tunnel to the cloud VPN gateway. Which two actions send traffic into the tunnel? (Choose two.)
- A. Configure a static route.
- B. Configure access lists that match the interesting user traffic.
- C. Configure a local policy in Cisco vManage.
- D. Configure an IPsec profile and match the remote peer IP address.
- E. Configure policy-based routing.
Answer: B,E
Explanation:
To send traffic into an IPsec tunnel to the cloud VPN gateway, the engineer must configure two actions:
Configure access lists that match the interesting user traffic. This is the traffic that needs to be encrypted and sent over the IPsec tunnel. The access lists are applied to the crypto map that defines the IPsec parameters for the tunnel.
Configure policy-based routing (PBR). This is a technique that allows the engineer to override the routing table and forward packets based on a defined policy. PBR can be used to send specific traffic to the IPsec tunnel interface, regardless of the destination IP address. This is useful when the cloud VPN gateway has a dynamic IP address or when multiple cloud VPN gateways are available for load balancing or redundancy. References:
Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module 3: Implementing Cloud Connectivity, Lesson 3: Implementing IPsec VPNs to the Cloud, Topic: Configuring IPsec VPNs on Cisco IOS XE Routers
Security for VPNs with IPsec Configuration Guide, Cisco IOS XE, Chapter: Configuring IPsec VPNs, Topic: Configuring Crypto Maps
[Cisco IOS XE Gibraltar 16.12.x Feature Guide], Chapter: Policy-Based Routing, Topic: Policy-Based Routing Overview
NEW QUESTION # 25
Refer to the exhibits.
While troubleshooting, a network engineer discovers that the backup path fails between ASBR3 and ASBR4 for traffic between BGP AS6000 and BGP AS6500 when the connection between ASBR1 and ASBR2 goes down. The following configurations were performed on ASBR1:
Which command is missing?
- A. bgp additional-paths install
- B. bgp additional-paths select
- C. redistribute static
- D. bgp advertise-best-external
Answer: D
Explanation:
The bgp advertise-best-external command is used to enable the advertisement of the best external path to internal BGP peers. This command is useful when there are multiple exit points from the local AS to other ASes, and the local AS wants to use the closest exit point for each destination. By default, BGP only advertises the best path to its peers, and the best path is usually the one with the lowest IGP metric to the next hop. However, this may not be the optimal path for traffic leaving the local AS, as it may result in suboptimal hot-potato routing or MED oscillations. The bgp advertise-best-external command allows BGP to advertise the best external path, which is the path with the lowest MED among the paths from different neighboring ASes, in addition to the best path. This way, the internal BGP peers can choose the best exit point based on the MED value, rather than the IGP metric. In this scenario, ASBR1 is configured to receive additional paths from ASBR2, which is a route reflector. ASBR2 receives two paths for the same prefix from AS6500, one from ASBR3 and one from ASBR4. ASBR2 selects the best path based on the IGP metric to the next hop, and advertises it to ASBR1. However, this path may not be the best external path, as it may have a higher MED value than the other path. If the connection between ASBR1 and ASBR2 goes down, ASBR1 will not have any backup path to reach AS6500, as it does not know the other path from ASBR4. To prevent this situation, ASBR1 should be configured with the bgp advertise-best-external command, so that it can receive the best external path from ASBR2, along with the best path. This way, ASBR1 will have a backup path to reach AS6500, in case the primary path fails. References: IP Routing: BGP Configuration Guide - BGP Additional Paths ... - Cisco, BGP Additional Paths
NEW QUESTION # 26
An engineer needs to configure enhanced policy-based routing (ePBR) for IPv4 by using Cisco vManage.
Drag and drop the steps from the left onto the order on the right to complete the configuration of the ePBR using the CLI add-on template.
Answer:
Explanation:
Enhanced Policy-Based Routing (ePBR) is used to direct packets that arrive at an interface to a specified next-hop. It is very useful in managing a large number of configured access lists more efficiently. In ePBR, the router drops the traffic packets if the next hop configured in the PBR policy is not reachable. To avoid packet loss in such scenarios, you must configure multiple next hops for each access control entry.
Here are the steps to configure ePBR for IPv4 using Cisco vManage:
1. Configure an extended ACL: This step involves defining the network or the host. For example, you can permit IPv4 traffic from any source to specific hosts.
2. Configure a class map that matches the ACL: Class maps match the parameters in the ACLs. For instance, you can create a class map of type traffic and match it with the previously created ACL.
3. Configure the policy map with the action to set the next hop: Policy maps with ePBR then take detailed actions based on the set statements configured. You can configure an ePBR policy map with the class map and set the next hop.
4. Apply the service policy on the interface: Finally, you apply the ePBR policy map to the interface. For example, you can apply the policy map to a GigabitEthernet interface.
References:
Implementing Enhanced Policy Based Routing - Cisco
Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE
How to configure PBR - Cisco Community
NEW QUESTION # 27
An engineer must enable the OMP advertisement of BGP routes for a specific VRF instance on a Cisco IOS XE SD-WAN device. What should be configured after the global address-family ipv4 is configured?
- A. Set the VRF-specific route advertisements.
- B. Disable bgp advertisement.
- C. Enter sdwan mode.
- D. Enable bgp advertisement.
Answer: D
Explanation:
To enable the OMP advertisement of BGP routes for a specific VRF instance on a Cisco IOS XE SD-WAN device, the engineer must first configure the global address-family ipv4 and then enable bgp advertisement under the vrf definition. This will allow the device to advertise the BGP routes learned from the cloud provider to the OMP control plane, which will then distribute them to the other SD-WAN devices in the overlay network. References: Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module 3: Implementing Cloud Connectivity, Lesson 3: Configuring IPsec VPN from Cisco IOS XE to AWS, Topic: Configuring BGP on the Cisco IOS XE Device, Page 3-24.
NEW QUESTION # 28
An engineer must edit the settings of a site-to-site IPsec VPN connection between an on-premises Cisco IOS XE router and Amazon Web Services (AWS). IPsec must be configured to support multiple peers and failover after 120 seconds of idle time on the first entry of the crypto map named Cisco. Drag and drop the commands from the left onto the order on the right.
Answer:
Explanation:
Step 1 = crypto map cisco 1 ipsec-isakmp
Step 2 = set peer 192.168.10.1 default
Step 3 = set peer 192.168.20.1
Step 4 = set security-association idle-time 120 default
The process of editing the settings of a site-to-site IPsec VPN connection between an on-premises Cisco IOS XE router and Amazon Web Services (AWS), and configuring IPsec to support multiple peers and failover after 120 seconds of idle time on the first entry of the crypto map named Cisco, involves several steps.
crypto map cisco 1 ipsec-isakmp: This command is used to create a new entry in the crypto map named "cisco". The "1" is the sequence number of the entry, and "ipsec-isakmp" specifies that the IPsec security associations (SAs) should be established using the Internet Key Exchange (IKE) protocol.
set peer 192.168.10.1 default: This command is used to specify the IP address of the default peer for the crypto map entry. In this case, the default peer is at IP address 192.168.10.1.
set peer 192.168.20.1: This command is used to add an additional peer to the crypto map entry. In this case, the additional peer is at IP address 192.168.20.1. This allows the IPsec VPN to support multiple peers.
set security-association idle-time 120 default: This command is used to set the idle time for the security association. If no traffic is detected over the VPN for the specified idle time (in this case, 120 seconds), the security association is deleted, and the VPN connection fails over to the next peer.
References:
Configure a Site-to-Site IPSec IKEv1 Tunnel Between an ASA and a Cisco IOS Router - Cisco
Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services - Cisco Community
Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers
Configure Failover for IPSec Site-to-Site Tunnels with Backup ISP Links on FTD Managed by FMC - Cisco
Does Setting Multiple Peers in a Crypto Map Also Support Parallel IPSec Connections - Cisco Community
Multiple WAN Connections - IPsec in Multi-WAN Environments | pfSense Documentation
Multiple Set Peer for VPN Failover - Server Fault
NEW QUESTION # 29
A company with multiple branch offices wants a suitable connectivity model to meet these network architecture requirements:
* high availability
* quality of service (QoS)
* multihoming
* specific routing needs
Which connectivity model meets these requirements?
- A. fully meshed topology with SD-WAN technology using dynamic routing and prioritized traffic for QoS
- B. hub-and-spoke topology using MPLS with static routing and dedicated bandwidth for QoS
- C. star topology with internet-based VPN connections and BGP for routing
- D. hybrid topology that combines MPLS and SD-WAN
Answer: A
Explanation:
A fully meshed topology with SD-WAN technology using dynamic routing and prioritized traffic for QoS meets the network architecture requirements of the company. A fully meshed topology provides high availability by eliminating single points of failure and allowing multiple paths between branch offices.
SD-WAN technology enables multihoming by supporting multiple transport options, such as MPLS, internet, LTE, etc. SD-WAN also provides QoS by applying policies to prioritize traffic based on application, user, or network conditions. Dynamic routing allows the SD-WAN solution to adapt to changing network conditions and optimize the path selection for each traffic type. A fully meshed topology with SD-WAN technology can also support specific routing needs, such as segment routing, policy-based routing, or application-aware routing. References:
Designing and Implementing Cloud Connectivity (ENCC) v1.0
[Cisco SD-WAN Design Guide]
[Cisco SD-WAN Configuration Guide]
NEW QUESTION # 30
Which feature is unique to Cisco SD-WAN IPsec tunnels compared to native IPsec VPN tunnels?
- A. authentication mechanisms
- B. tunneling protocols
- C. real-time dynamic path selection
- D. end-to-end encryption
Answer: C
Explanation:
Cisco SD-WAN IPsec tunnels are different from native IPsec VPN tunnels in several ways. One of the unique features of Cisco SD-WAN IPsec tunnels is that they support real-time dynamic path selection, which means that they can automatically choose the best path for each application based on the network conditions and policies. This feature improves the performance, reliability, and efficiency of the network traffic. Native IPsec VPN tunnels, on the other hand, do not have this capability and rely on static routing or manual configuration to select the path for each tunnel. This can result in suboptimal performance, increased latency, and higher costs. References: Traditional IPsec Versus Cisco SD-WAN IPsec, SD-WAN vs IPsec VPN's - What's the difference?, SD-WAN vs. VPN: How Do They Compare?, Traditional IPSEC Versus SD-WAN IPSEC
NEW QUESTION # 31 

Refer to the exhibits. An engineer must redistribute OSPF internal routes into BGP to connect an on-premises network to a cloud provider. Which two commands should the engineer run on router R2? (Choose two.)
- A. redistribute ospf 1
- B. router bgp 100
- C. redistribute ospf 100
- D. redistribute bgp 100
- E. router ospf 1
Answer: A,B
Explanation:
To redistribute OSPF internal routes into BGP for connecting an on-premises network to a cloud provider, the engineer should run the commands "router bgp 100" and "redistribute ospf 1" on router R2. The command "router bgp 100" creates a BGP routing process with AS number 100. The command "redistribute ospf 1" redistributes OSPF routes from process ID 1 into BGP.
NEW QUESTION # 32
Refer to the exhibit.
While troubleshooting an IPsec connection between a Cisco WAN edge router and an Amazon Web Services (AWS) endpoint, a network engineer observes that the security association status is active, but no traffic flows between the devices. What is the problem?
- A. wrong encryption
- B. IKE version mismatch
- C. identity mismatch
- D. wrong ISAKMP policy
Answer: C
Explanation:
An identity mismatch occurs when the local and remote identities configured on the IPsec peers do not match.
This can prevent the establishment of an IPsec tunnel or cause traffic to be dropped by the IPsec policy. In this case, the network engineer should verify that the local and remote identities configured on the Cisco WAN edge router and the AWS endpoint match the values expected by each peer. The identities can be an IP address, a fully qualified domain name (FQDN), or a distinguished name (DN). The identities are exchanged during the IKE phase 1 negotiation and are used to authenticate the peers. If the identities do not match, the peers will reject the IKE proposal and the IPsec tunnel will not be established or will be torn down.
References:
Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services, Topic: Troubleshooting
Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module 3: Implementing Cloud Connectivity, Lesson 2: Implementing Cisco SD-WAN Cloud OnRamp for IaaS, Topic: Troubleshooting Cisco SD-WAN Cloud OnRamp for IaaS
Cisco IOS Security Configuration Guide, Release 15M&T, Chapter: Configuring IPsec Network Security, Topic: Configuring IPsec Identity and Peer Addressing
NEW QUESTION # 33
Refer to the exhibit.
A network engineer discovers that the policy that is configured on an on-premises Cisco WAN edge router affects only the route tables of the specific devices that are listed in the site list. What is the problem?
- A. An inbound policy must be applied.
- B. The action must be set to deny.
- C. A centralized data policy must be configured.
- D. A localized data policy must be configured.
Answer: C
Explanation:
A centralized data policy is a policy that is applied to all devices in the overlay network, regardless of the site list. A localized data policy is a policy that is applied only to the devices that are listed in the site list. In this case, the network engineer wants to apply the policy to all devices in the overlay network, not just the specific devices in the site list. Therefore, a centralized data policy must be configured on the on-premises Cisco WAN edge router. References:
Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module 3: Implementing Cloud Connectivity, Lesson 3: Implementing Cisco SD-WAN Cloud OnRamp for Colocation, Topic: Centralized Data Policy
[Cisco SD-WAN Cloud OnRamp for Colocation Deployment Guide], Chapter: Configuring Centralized Data Policy
NEW QUESTION # 34 
Refer to the exhibits. An engineer needs to configure a site-to-site IPsec VPN connection between an on-premises Cisco IOS XE router and Amazon Web Services (AWS). Which two IP prefixes should be used to configure the AWS routing options? (Choose two.)
- A. 30.30.30.0/30
- B. 40.40.40.0/24
- C. 30.30.30.0/24
- D. 50.50.50.0/30
- E. 20.20.20.0/24
Answer: A,B
Explanation:
The correct answer is A and E because they are the IP prefixes that match the tunnel interfaces on the Cisco IOS XE router. The AWS routing options should include the local and remote IP prefixes that are used for the IPsec tunnel endpoints. The other options are either the public IP addresses of the routers or the LAN subnets that are not relevant for the IPsec tunnel configuration. References: Designing and Implementing Cloud Connectivity (ENCC) v1.0, Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services, Site-to-Site VPN with Amazon Web Services
NEW QUESTION # 35
Which Microsoft Azure service enables a dedicated and secure connection between an on-premises infrastructure and Azure data centers through a colocation provider?
- A. Azure Private Link
- B. Azure ExpressRoute
- C. Azure Virtual Network
- D. Azure Site-to-Site VPN
Answer: B
Explanation:
Azure ExpressRoute is a service that enables a dedicated and secure connection between an on-premises infrastructure and Azure data centers through a colocation provider. A colocation provider is a third-party data center that offers network connectivity services to multiple customers. Azure ExpressRoute allows customers to bypass the public internet and connect directly to Azure services, such as virtual machines, storage, databases, and more. This provides benefits such as lower latency, higher bandwidth, more reliability, and enhanced security. Azure ExpressRoute also supports hybrid scenarios, such as connecting to Office 365, Dynamics 365, and other SaaS applications hosted on Azure. Azure ExpressRoute requires a physical connection between the customer's network and the colocation provider's network, as well as a logical connection between the customer's network and the Azure virtual network. The logical connection is established using a Border Gateway Protocol (BGP) session, which exchanges routing information between the two networks. Azure ExpressRoute supports two models: standard and premium. The standard model offers connectivity to all Azure regions within the same geopolitical region, while the premium model offers connectivity to all Azure regions globally, as well as additional features such as increased route limits, global reach, and Microsoft peering. References: Designing and Implementing Cloud Connectivity (ENCC) v1.0, Learning Plan: Designing and Implementing Cloud Connectivity v1.0 (ENCC 300-440) Exam Prep, ENCC | Designing and Implementing Cloud Connectivity | Netec
NEW QUESTION # 36
A company has multiple branch offices across different geographic locations and a centralized data center. The company plans to migrate its critical business applications to the public cloud infrastructure that is hosted in Microsoft Azure. The company requires high availability, redundancy, and low latency for its business applications. Which connectivity model meets these requirements?
- A. site-to-site VPN with Azure VPN gateway
- B. ExpressRoute with private peering using SDCI
- C. AWS Direct Connect with dedicated connections
- D. hybrid connectivity with SD-WAN
Answer: B
Explanation:
The connectivity model that meets the requirements of high availability, redundancy, and low latency for the company's business applications is ExpressRoute with private peering using SDCI.
ExpressRoute is a service that provides a dedicated, private, and high-bandwidth connection between the customer's on-premises network and the Microsoft Azure cloud network.
Private peering is a type of ExpressRoute circuit that allows the customer to access Azure services that are hosted in a virtual network, such as virtual machines, storage, and databases.
SDCI (Secure Data Center Interconnect) is a Cisco solution that enables secure and scalable connectivity between multiple data centers and cloud providers, using technologies such as MPLS, IPsec, and SD-WAN.
By using ExpressRoute with private peering and SDCI, the company can achieve the following benefits:
High availability: ExpressRoute circuits are redundant and resilient, and can be configured with multiple service providers and locations for failover and load balancing. SDCI also provides high availability by using dynamic routing protocols and encryption mechanisms to ensure optimal and secure path selection.
Redundancy: ExpressRoute circuits can be paired together to form a redundant connection between the customer's network and Azure. SDCI also supports redundancy by allowing multiple connections between data centers and cloud providers, using different transport technologies and service levels.
Low latency: ExpressRoute circuits offer lower latency than public internet connections, as they bypass the congestion and variability of the internet. SDCI also reduces latency by using MPLS and SD-WAN to optimize the performance and quality of service for the traffic between data centers and cloud providers.
References:
What is Azure ExpressRoute?
Azure ExpressRoute peering
Cisco Secure Data Center Interconnect
ExpressRoute circuit and routing domain
NEW QUESTION # 37
Refer to the exhibit.
Drag and drop the steps from the left onto the order on the right to configure a site-to-site VPN connection between an on-premises Cisco IOS XE router and Amazon Web Services (AWS).
Answer:
Explanation:
Step 1 = Create a Customer Gateway (CGW) in AWS.
Step 2 = Create a Virtual Private Gateway (VGW) in AWS.
Step 3 = Create a site-to-site VPN connection in AWS.
Step 4 = Configure the IOS XE router with the required IPsec VPN parameters and routing settings.
Step 5 = Verify and test the VPN connection.
The process of configuring a site-to-site VPN connection between an on-premises Cisco IOS XE router and Amazon Web Services (AWS) involves several steps.
Create a Customer Gateway (CGW) in AWS: This is the first step, where you define the public IP address of your on-premises Cisco IOS XE router in AWS.
Create a Virtual Private Gateway (VGW) in AWS: This involves creating a VGW and attaching it to the VPC in AWS.
Create a site-to-site VPN connection in AWS: After setting up the CGW and VGW, you create a site-to-site VPN connection in AWS. This involves specifying the CGW, the VGW, and the static IP prefixes for your on-premises network.
Configure the IOS XE router with the required IPsec VPN parameters and routing settings: After the AWS side is set up, you configure the on-premises Cisco IOS XE router with the required IPsec VPN parameters and routing settings.
Verify and test the VPN connection: Finally, you verify and test the VPN connection to ensure that it is working correctly.
References:
Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services - Cisco Community
SD-WAN Configuration Example: Site-to-site (LAN to LAN) IPSec between vEdge and Cisco IOS - Cisco Community
NEW QUESTION # 38
Refer to the exhibit.
A company uses Cisco SD-WAN in the data center. All devices have the default configuration. An engineer attempts to add a new centralized control policy in Cisco vManage but receives an error message. What is the problem?
- A. The policy for "Hub" should be applied in the outbound direction, and the policy for "All-Site" should be applied inbound.
- B. Site-list "All-Site" should be configured with a new match sequence that is lower than the sequence for site-list "Hub".
- C. Apply an additional outbound control policy to override the site ID overlaps.
- D. A centralized control policy is already applied to the specific site ID and direction
Answer: B
Explanation:
The problem is that the site-list "All-Site" has a higher match sequence than the site-list "Hub", which means that the policy for "All-Site" will take precedence over the policy for "Hub" for any site that belongs to both lists. This creates a conflict and prevents the engineer from adding a new centralized control policy in Cisco vManage. To resolve this issue, the site-list "All-Site" should be configured with a new match sequence that is lower than the sequence for site-list "Hub", so that the policy for "Hub" will be applied first and then the policy for "All-Site" will be applied only to the remaining sites that are not in the "Hub" list. References:
Designing and Implementing Cloud Connectivity (ENCC, Track 1 of 5), Module 3: Cisco SD-WAN Cloud OnRamp for Colocation, Lesson 3: Cisco SD-WAN Cloud OnRamp for Colocation - Centralized Control Policies
Cisco SD-WAN Cloud OnRamp for Colocation Deployment Guide, Chapter 4: Configuring Centralized Control Policies
Cisco SD-WAN Configuration Guide, Release 20.3, Chapter: Centralized Policy Framework, Section: Policy Configuration Overview
NEW QUESTION # 39
An engineer signs in to Cisco vManage and needs to configure a custom application with a Cisco SD-WAN centralized policy. Drag and drop the steps from the left onto the order on the right to complete the configuration.
Answer:
Explanation:
To configure a custom application with Cisco SD-WAN centralized policy, you need to follow these steps:
1. Click Configuration, select Policies, and then select Centralized Policy.
2. Click Custom Options, select Centralized Policy, and then select Lists.
3. Click Custom Applications, and then select New Custom Application.
4. Enter a name for the application, enter the match criteria, and then click Add.
The process of configuring a custom application with a Cisco SD-WAN centralized policy using Cisco vManage involves several steps.
Click Configuration, select Policies, and then select Centralized Policy: This is the first step, where you navigate to the Policies section in the Configuration menu of Cisco vManage.
Click Custom Options, select Centralized Policy, and then select Lists: In this step, you select Custom Options, then select Centralized Policy, and finally select Lists.
Click Custom Applications, and then select New Custom Application: After setting up the Lists, you click Custom Applications and then select New Custom Application.
Enter a name for the application, enter the match criteria, and then click Add: Finally, you enter a name for the application, specify the match criteria, and then click Add to complete the configuration.
References:
Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE