300-430: Implementing Cisco Enterprise Wireless Networks (300-430 ENWLSI) Part 2
Question #: 51
Topic #: 1
After looking in the logs, an engineer notices that RRM keeps changing the channels for non-IEEE 802.11 interferers. After surveying the area, it has been decided that RRM should not change the channel. Which feature must be enabled to ignore non-802.11 interference?
A. Avoid Cisco AP Load
B. Avoid Non-802.11 Noise
C. Avoid Persistent Non-WiFi Interference
D. Avoid Foreign AP Interference
Selected Answer: C
Question #: 52
Topic #: 1
Which two protocols are used to communicate between the Cisco MSE and the Cisco Prime Infrastructure network management software? (Choose two.)
A. HTTPS
B. Telnet
C. SOAP
D. SSH
E. NMSP
Selected Answer: AC
Question #: 53
Topic #: 1
An engineer must configure MSE to provide guests access using social media authentication. Which service does the engineer configure so that guests use Facebook credentials to authenticate?
A. Social Connect
B. Client Connect
C. Visitor Connect
D. Guest Connect
Selected Answer: C
Question #: 54
Topic #: 1
A network engineer has been hired to perform a new MSE implementation on an existing network. The MSE must be installed in a different network than the Cisco WLC. Which configuration allows the devices to communicate over NMSP?
A. Allow UDP/16113 port on the central switch.
B. Allow TCP/16113 port on the firewall.
C. Allow UDP/16666 port on the VPN router.
D. Allow TCP/16666 port on the router.
Selected Answer: B
Question #: 55
Topic #: 1
What is the default NMSP echo interval between Cisco MSE and a Wireless LAN Controller?
A. 10 seconds
B. 15 seconds
C. 30 seconds
D. 60 seconds
Selected Answer: B
Question #: 56
Topic #: 1
An engineer just added a new MSE to Cisco Prime Infrastructure and wants to synchronize the MSE with the Cisco 5520 WLC, located behind a firewall in a DMZ. It is noticed that NMSP messages are failing between the two devices. Which traffic must be allowed on the firewall to ensure that the MSE and WLC are able to communicate using NMSP?
A. TCP 1613
B. UDP 16113
C. UDP 1613
D. TCP 16113
Selected Answer: D
Question #: 57
Topic #: 1
Refer to the exhibit. An engineer needs to configure location services in an office. The requirement is to use FastLocate and achieve higher location refresh rates. Which location-based technique should be implemented?
A. probe-based
B. location patterning
C. data packet-based
D. angulation
Selected Answer: C
Question #: 58
Topic #: 1
An engineer is managing a wireless network for a shopping center. The network includes a Cisco WLC, a Cisco MSE, and a Cisco Prime Infrastructure. What is required to use Cisco CMX Location Analytics?
A. Enable tracking parameters in Cisco MSE.
B. Enable Context Aware and CMX Browser Engage.
C. Install Cisco Prime Infrastructure with floor maps.
D. Set history parameters in Cisco MSE.
Selected Answer: D
Question #: 59
Topic #: 1
An engineer configures a deployment to support:
✑ Cisco CMX
✑ licenses for at least 3000 APs
✑ 6000 wIPS licenses
The Cisco vMSE appliance must be sized for this deployment. Which Cisco vMSE Release 8 option must the engineer deploy?
A. Large vMSE
B. Low-End vMSE
C. Standard vMSE
D. High-End vMSE
Selected Answer: C
Question #: 60
Topic #: 1
A new MSE with wIPS service has been installed and no alarm information appears to be reaching the MSE from controllers. Which protocol must be allowed to reach the MSE from the controllers?
A. SOAP/XML
B. NMSP
C. CAPWAP
D. SNMP
Selected Answer: B
Question #: 61
Topic #: 1
Which two statements about the requirements for a Cisco Hyperlocation deployment are true? (Choose two.)
A. After enabling Cisco Hyperlocation on Cisco CMX, the APs and the wireless LAN controller must be restarted.
B. NTP can be configured, but that is not recommended.
C. The Cisco Hyperlocation feature must be enabled on the wireless LAN controller and Cisco CMX.
D. The Cisco Hyperlocation feature must be enabled only on the wireless LAN controller.
E. If the Cisco CMX server is a VM, a high-end VM is needed for Cisco Hyperlocation deployments.
Selected Answer: CE
Question #: 62
Topic #: 1
An engineer is performing a Cisco Hyperlocation accuracy test and executes the cmxloc start command on Cisco CMX. Which two parameters are relevant? (Choose two.)
A. X, Y real location
B. client description
C. AP name
D. client MAC address
E. WLC IP address
Selected Answer: AD
Question #: 63
Topic #: 1
Where is Cisco Hyperlocation enabled on a Cisco Catalyst 9800 Series Wireless Controller web interface?
A. Policy Profile
B. AP Join Profile
C. Flex Profile
D. RF Profile
Selected Answer: B
Question #: 64
Topic #: 1
The Cisco Hyperlocation detection threshold is currently set to -50 dBm. After reviewing the wireless user location, discrepancies have been noticed. To improve the Cisco Hyperlocation accuracy, an engineer attempts to change the detection threshold to -100 dBm. However, the Cisco Catalyst 9800 Series Wireless Controller does not allow this change to be applied. What actions should be taken to resolve this issue?
A. Disable Cisco Hyperlocation, change the Cisco Hyperlocation detection threshold, and then enable it.
B. Create a new profile on Cisco CMX with the new Cisco Hyperlocation detection range, and apply it on the WLAN.
C. Place the APs to monitor mode, shutdown the radios, and then change the Cisco Hyperlocation detection threshold.
D. Shutdown all radios on the controller, change the Cisco Hyperlocation detection range, and enable the radios again.
Selected Answer: A
Question #: 65
Topic #: 1
An engineer must track guest traffic flow using the WLAN infrastructure. Which Cisco CMX feature must be configured and used to accomplish this tracking?
A. analytics
B. connect and engage
C. presence
D. detect and locate
Selected Answer: C
Question #: 66
Topic #: 1
An engineer has successfully implemented 10 active RFID tags in an office environment. The tags are not visible when the location accuracy is tested on the Cisco CMX Detect and Locate window. Which setting on Cisco CMX allows the engineer to view the tags?
A. Enable RFID tags in tracking options.
B. Enable probing clients for active tags.
C. Define an RFID group globally and add the tags.
D. Enable hyperlocation services for RFID.
Selected Answer: A
Question #: 67
Topic #: 1
An engineer completed the basic installation for two Cisco CMX servers and is in the process of configuring high availability, but it fails. Which two statements about the root of the issue are true? (Choose two.)
A. The Cisco CMX instances are installed in the same subnet.
B. The types of the primary and secondary Cisco CMX installations differ.
C. The delay between the primary and secondary instance is 200 ms.
D. The sizes of the primary and secondary Cisco CMX installations differ.
E. Both Cisco CMX installations are virtual.
Selected Answer: D
Question #: 68
Topic #: 1
Refer to the exhibit. The image shows a packet capture that was taken at the CLI of the Cisco CMX server. It shows UDP traffic from the WLC coming into the server. What does the capture prove?
A. The Cisco CMX server receives NetFlow data from the WLC.
B. The Cisco CMX server receives NMSP traffic from the WLC.
C. The Cisco CMX server receives SNMP traffic from the WLC.
D. The Cisco CMX server receives Angle-of-Arrival data from the WLC.
Selected Answer: A
Question #: 69
Topic #: 1
A Cisco CMX 3375 appliance on the 10.6.1 version code counts duplicate client entries, which creates wrong location analytics. The issue is primarily from iOS clients with the private MAC address feature enabled. Enabling this feature requires an upgrade of the Cisco CMX 3375 appliance in a high availability pair to version 10.6.3. SCP transfers the Cisco CMX image, but the upgrade script run fails. Which configuration change resolves this issue?
A. Upgrade the high availability pair to version 10.6.2 image first and then upgrade to version 10.6.3.
B. Save configuration and use the upgrade script to upgrade the high availability pair without breaking the high availability.
C. Break the high availability using the cmxha config disable command and upgrade the primary and secondary individually.
D. Run root patch to first upgrade to version 10.6.2 and then migrate to version 10.6.3.
Selected Answer: C
Question #: 70
Topic #: 1
An engineer has implemented advanced location services for a retail wireless deployment. The marketing department wants to collect user demographic information in exchange for guest WLAN access and to have a customized portal per location hosted by the provider. Which social connector must be tied into Cisco CMX to provide this service?
A. Gmail
B. Google+
C. Facebook
D. MySpace
Selected Answer: A
Question #: 71
Topic #: 1
What are two considerations when deploying a Cisco Hyperlocation? (Choose two.)
A. NTP configuration is available, but not recommended.
B. The Cisco Hyperlocation feature must be enabled only on the wireless LAN controller.
C. After enabling Cisco Hyperlocation on Cisco CMX, the APs and the wireless LAN controller must be restarted.
D. The Cisco Hyperlocation feature must be enabled on the wireless LAN controller and Cisco CMX.
E. If the Cisco CMX server is a VM, a high-end VM is needed for Cisco Hyperlocation deployments.
Selected Answer: DE
Question #: 72
Topic #: 1
After installing and configuring Cisco CMX, an administrator must change the NTP server on the Cisco CMX server. Which action accomplishes this task?
A. Manually edit /etc/ntp.conf using an XML editor before restarting the server by using service restart all services.
B. Log in to the Cisco CMX CLI and issue set ntp server NTP IP where NTP IP is the IP of the NTP server.
C. Manually edit /etc/ntp.conf as the admin user before restarting ntpd by using service ntpd restart.
D. Log in to the Cisco CMX GUI as the administrator and type the IP address of the NTP server in System tab > Settings > TimeZone/NTP.
Selected Answer: D
Question #: 73
Topic #: 1
A customer managing a large network has implemented location services. Due to heavy load, it is needed to load balance the data coming through NMSP from the WLCs. Load must be spread between multiple CMX servers to help optimize the data flow for APs. Which configuration in CMX meets this requirement?
A. cmxctl config feature flags nmsplb.cmx-ap-grouping true
B. cmxctl config feature flags nmsplb.cmxgrouping true
C. cmxctl config feature flags nmsplb.cmx-loadbalance true
D. cmxctl config feature flags nmsplb.cmx-rssi-distribute true
Selected Answer: B
Question #: 74
Topic #: 1
An engineer needs to provision certificates on a Cisco Catalyst 9800 Series Wireless Controller. The customer uses a third-party CA server. Which protocol must be used between the controller and CA server to request and install certificates?
A. SCEP
B. TLS
C. LDAP
D. SSL
Selected Answer: A
Question #: 75
Topic #: 1
A corporation has recently implemented a BYOD policy at their HQ. Which two risks should the security director be concerned about? (Choose two.)
A. network analyzers
B. malware
C. lost and stolen devices
D. keyloggers
E. unauthorized users
Selected Answer: BC
Question #: 76
Topic #: 1
When implementing self-registration for guest/BYOD devices, what happens when an employee tries to connect four devices to the network at the same time?
A. The last device is removed and the newly added device is updated as active device.
B. The registration is allowed, but only one device is connected at any given time.
C. All devices are allowed on the network simultaneously.
D. Purge time dictates how long a device is registered to the portal.
Selected Answer: D
Question #: 77
Topic #: 1
What is an important consideration when implementing a dual SSID design for BYOD?
A. After using the provisioning SSID, an ACL that used to make the client switch SSIDs forces the user to associate and traverse the network by MAC filtering.
B. If multiple WLCs are used, the WLAN IDs must be exact for the clients to be provisioned and traverse the network correctly.
C. SSIDs for this setup must be configured with NAC State-RADIUS NAC for the clients to authenticate with Cisco ISE, or with NAC State-ISE NAC for Cisco ISE to associate the client.
D. One SSID is for provisioning and the other SSID is for gaining access to the network. The use of an ACL should not be enforced to make the client connect to the REAL SSID after provisioning.
Selected Answer: B
Question #: 78
Topic #: 1
Refer to the exhibit. A network administrator deploys the DHCP profiler service in two ISE servers: 10.3.10.101 and 10.3.10.102. All BYOD devices connecting to WLAN on VLAN63 have been incorrectly profiled and are assigned as unknown profiled endpoints. Which action efficiently rectifies the issue according to Cisco recommendations?
A. Nothing needed to be added on the Cisco WLC or VLAN interface. The ISE configuration must be fixed.
B. Disable DHCP proxy on the Cisco WLC.
C. Disable DHCP proxy on the Cisco WLC and run the ip helper-address command under the VLAN interface to point to DHCP and the two ISE servers.
D. Keep DHCP proxy enabled on the Cisco WLC and define helper-address under the VLAN interface to point to the two ISE servers.
Selected Answer: C
Question #: 79
Topic #: 1
An engineer must implement a BYOD policy with these requirements:
✑ Onboarding unknown machines
✑ Easily scalable
✑ Low overhead on the wireless network
Which method satisfies these requirements?
A. triple SSID
B. single SSID
C. open SSID
D. dual SSID
Selected Answer: B
Question #: 80
Topic #: 1
A company has a single WLAN configured for 802.1x authentication with the QoS set to Silver. This WLAN supports all corporate and BYOD access. A decision has been made to allow users to install Cisco Jabber on their personal mobile devices. Users report poor voice quality when using Jabber. QoS is being applied only as best effort. What must be configured to ensure that the WLAN remains on the Silver class and to ensure Platinum class for Jabber?
A. Configure QoS on the mobile devices that have Jabber installed.
B. Enable Cisco Centralized Key Management on the WLAN so that the Jabber-enabled devices will connect.
C. Configure the WLAN to broadcast on 5 GHz radios only and allow Jabber users to connect.
D. Configure an AVC profile for the Jabber traffic and apply it to the WLAN.
Selected Answer: D
Question #: 81
Topic #: 1
An engineer is implementing profiling for BYOD devices using Cisco ISE. When using a distributed model, which persona must the engineer configure with the profiling service?
A. Device Admin Node
B. Primary Admin Node
C. Monitor Node
D. Policy Services Node
Selected Answer: B
Question #: 82
Topic #: 1
DRAG DROP –
The network management team in a large shopping center has detected numerous rogue APs from local coffee shops that are broadcasting SSIDs. All of these SSIDs have names starting with ATC (for example, ATC302, ATC011, and ATC566). A wireless network engineer must appropriately classify these SSIDs using the Rogue Rules feature. Drag and drop the options from the left onto the categories in which they must be used on the right. Not all options are used.
Question #: 83
Topic #: 1
What must be configured on ISE version 2.1 BYOD when using Single SSID?
A. open authentication
B. 802.1x
C. no authentication
D. WPA2
Selected Answer: B
Question #: 84
Topic #: 1
A wireless engineer must implement a corporate wireless network for a large company in the most efficient way possible. The wireless network must support 32 VLANs for 300 employees in different departments. Which solution must the engineer choose?
A. Configure a second WLC to support half of the APs in the deployment.
B. Configure one single SSID and implement Cisco ISE for VLAN assignment according to different user roles.
C. Configure different AP groups to support different VLANs, so that all of the WLANs can be broadcast on both radios.
D. Configure 16 WLANs to be broadcast on the 2.4-GHz band and 16 WLANs to be broadcast on the 5.0-GHz band.
Selected Answer: B
Question #: 85
Topic #: 1
Which feature on the Cisco Wireless LAN Controller must be present to support dynamic VLAN mapping?
A. FlexConnect ACL
B. VLAN name override
C. CCKM/OKC
D. AAA override
Selected Answer: D
Question #: 86
Topic #: 1
Which three properties are used for client profiling of wireless clients? (Choose three.)
A. HTTP user agent
B. DHCP
C. MAC OUI
D. hostname
E. OS version
F. IP address
Selected Answer: ABC
Question #: 87
Topic #: 1
What is the default IEEE 802.1x AP authentication configuration on a Cisco Catalyst 9800 Series Wireless Controller?
A. EAP-PEAP with 802.1x port authentication
B. EAP-TLS with 802.1x port authentication
C. EAP-FAST with CAPWAP DTLS + port authentication
D. EAP-FAST with CAPWAP DTLS
Selected Answer: D
Question #: 88
Topic #: 1
An engineer must implement rogue containment for an SSID. What is the maximum number of APs that should be used for containment?
A. 1
B. 2
C. 3
D. 4
Selected Answer: B
Question #: 89
Topic #: 1
An engineer is following the proper upgrade path to upgrade a Cisco AireOS WLC from version 7.3 to 8.9. Which two ACLs for Cisco CWA must be configured when upgrading from the specified codes? (Choose two.)
A. Permit 0.0.0.0 0.0.0.0 any DNS any
B. Permit 0.0.0.0 0.0.0.0 UDP DNS any
C. Permit 0.0.0.0 0.0.0.0 UDP any DNS
D. Permit any any any
E. Permit 0.0.0.0 0.0.0.0 UDP any any
Selected Answer: BC
Question #: 90
Topic #: 1
CMX Facebook Wi-Fi allows access to the network before authentication. Which two elements are available? (Choose two.)
A. Allow HTTP traffic only before authentication and block all the traffic.
B. Allow all the traffic before authentication and intercept HTTPS only.
C. Allow HTTPS traffic only before authentication and block all other traffic.
D. Allow all the traffic before authentication and intercept HTTP only.
E. Allow SNMP traffic only before authentication and block all the traffic.
Selected Answer: CD
Question #: 91
Topic #: 1
An engineer is implementing Cisco Identity-Based Networking on a Cisco AireOS controller. The engineer has two ACLs on the controller. The first ACL, named BASE_ACL, is applied to the corporate_clients interface on the WLC, which is used for all corporate clients. The second ACL, named HR_ACL, is referenced by ISE in the Human Resources group policy. What is the resulting ACL when a Human Resources user connects?
A. HR_ACL appended with BASE_ACL
B. HR_ACL only
C. BASE_ACL appended with HR_ACL
D. BASE_ACL only
Selected Answer: B
Question #: 92
Topic #: 1
Branch wireless users report that they can no longer access services from head office but can access services locally at the site. New wireless users can associate to the wireless while the WAN is down. Which three elements (Cisco FlexConnect state, operation mode, and authentication method) are seen in this scenario? (Choose three.)
A. authentication-local/switch-local
B. WPA2 personal
C. authentication-central/switch-central
D. lightweight mode
E. standalone mode
F. WEB authentication
Selected Answer: ABE
Question #: 93
Topic #: 1
Refer to the exhibit. An engineer deployed a Cisco WLC using local EAP. Users who are configured for EAP-PEAP cannot connect to the network. Based on the local EAP debug on the controller provided, why is the client unable to connect?
A. The client is failing to accept certificate.
B. The Cisco WLC is configured for the incorrect date.
C. The Cisco WLC local EAP profile is misconfigured.
D. The user is using invalid credentials.
Selected Answer: C
Question #: 94
Topic #: 1
An engineer set up identity-based networking with ISE and configured AAA override on the WLAN. Which two attributes must be used to change the client behavior from the default settings? (Choose two.)
A. DHCP timeout
B. DNS server
C. IPv6 ACL
D. DSCP value
E. multicast address
Selected Answer: CD
Question #: 95
Topic #: 1
Refer to the exhibit. The security team has implemented ISE as an AAA solution for the wireless network. The wireless engineer notices that though clients are able to authenticate successfully, the ISE policies that are designed to place them on different interfaces are not working. Which configuration must be applied in the RADIUS Authentication Settings section from the ISE Network Device page?
A. Disable KeyWrap.
B. Use ASCII for the key input format.
C. Change the CoA Port.
D. Correct the shared secret.
Selected Answer: D
Question #: 96
Topic #: 1
An engineer is setting up a WLAN to work with a Cisco ISE as the AAA server. The company policy requires that all users be denied access to any resources until they pass the validation. Which component must be configured to achieve this stipulation?
A. WPA2 passkey
B. AAA override
C. CPU ACL
D. preauthentication ACL
Selected Answer: D
Question #: 97
Topic #: 1
A Cisco WLC has been added to the network and Cisco ISE as a network device, but authentication is failing. Which configuration within the network device configuration should be verified?
A. SNMP RO community
B. device interface credentials
C. device ID
D. shared secret
Selected Answer: D
Question #: 98
Topic #: 1
A user is trying to connect to a wireless network that is configured for WPA2-Enterprise security using a corporate laptop. The CA certificate for the authentication server has been installed on the Trusted Root Certification Authorities store on the laptop. The user has been prompted to enter the credentials multiple times, but the authentication has not succeeded. What is causing the issue?
A. There is an invalid IEEE 802.1X authentication policy on the authentication server.
B. The user Active Directory account is locked out after several failed attempts.
C. There is an invalid 802.1X authentication policy on the authenticator.
D. The laptop has not received a valid IP address from the wireless controller.
Selected Answer: A
Question #: 99
Topic #: 1
A wireless engineer is configuring LWA using ISE. The customer is a startup company and requested the wireless users to authenticate against a directory, but LDAP is unavailable. Which solution should be proposed in order to have the same security and user experience?
A. Use SAML.
B. Use the internal database of the RADIUS server.
C. Use a preshared key on the corporate WLAN.
D. Use Novell eDirectory.
Selected Answer: B
Question #: 100
Topic #: 1
An engineer has implemented 802.1x authentication on the wireless network utilizing the internal database of a RADIUS server. Some clients reported that they are unable to connect. After troubleshooting, it is found that PEAP authentication is failing. A debug showed the server is sending an Access-Reject message. Which action must be taken to resolve authentication?
A. Use the user password that is configured on the server.
B. Disable the server certificate to be validated on the client.
C. Update the client certificate to match the user account.
D. Replace the client certificates from the CA with the server certificate.
Selected Answer: A