400-351 Exam-CCIE Wireless

CCIE Wireless
Exam: 400-351
Demo Edition
© 2016 - 2017 Troy Tec, LTD All Rights Reserved
400-351
1 http://www.troytec.com

QUESTION: 1
Which option in the Cisco Identity Services Engine checks that the user authentication
comes from a domain computer?
A. It is not possible to validate the computer domain membership through ISE.
B. Machine Access Restriction
C. Machine Access Restriction
D. Active Directory Attributes.
E. An identity source sequence can be used to perform this check.
Answer: C
Explanation:
From:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISE-ADIntegrationDoc/b_ISE-
ADIntegration.html
QUESTION: 2
Which statement about 802.11h is true?
A. DFS feature works irrespective of whether the channel setting on WLC is set to auto
or manual.
B. 802.llh is not a mandatory standard under FCC regulations.
C. The FCC does not require 802.llh to be supported in the 5 GHz band.
400-351

D. When the radio detects a radar, it can use the channel for only 20 minutes at a time.
Answer: A
Explanation:
From:
EEE
802 .llh-2003-Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/IEEE_802.11h-2003
The standard provides Dynamic Frequency Selection (DFS) and Transmit Power
Control (TPC) to the 802.11a PHY. It has been integrated into the full IEEE 802.11-
2007 standard. FCC Regulations Update –Cisco
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1300-
series/prod_white_paper0900aecd801c4a88.html
https://supportforums.cisco.com/document/52376/tpc-and-dfs-overview
QUESTION: 3
In which direction does Application Visibility and Control mark the DSCP value of the
original packet in the wireless LAN controller?
A. In both directions, upstream and downstream.
B. In one direction, downstream only.
C. In one configured direction, either upstream or downstream.
D. In one direction, upstream only.
Answer: A
Explanation:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-
guide/b_cg80/b_cg80_chapter_011001.htmlQUESTION: NO:
QUESTION: 4
On a Cisco autonomous AP, the maximum number of attempts to send a packet (packet
retries) is set to 32 by default. Which statement about the result when the AP has tried to
send a packet for that number of attempts and no response is received from the client is
true?
A. The access point drops the packet.
B. The client MAC address is excluded for 60 seconds.
400-351

C. The access point resets the radio interface.
D. The access point disassociates the client.
Answer: A
Explanation:
From:
Packet Retries & Max-Retries I mrn-cciew https://mrncciew.com/2013/06/16/packet-
retries-max-retries/In Autonomous(IOS) AP, you can configure number of attempts the
wireless device makes to send a packet before giving up & dropping the packet. There
are two ways of configuring this feature. One method for best effort (priority value 0)
traffic & another method for non-best effort (priority value 1-7)
1. Best-effort Traffic (packet retries command)
2. N on-Best-effort Traffic (packet max-retries command ) CLI default: packet retries 32
drop-packet channel width 40-above channel dfs station-role root rts retries 32 cfg:
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-
3/configuration/guide/cg15-3-3/cg15-3-3-chap6- radio.html
Configuring the Maximum Data Packet Retries
The maximum data retries setting determines the number of attempts the makes to send
a packet before giving up and dropping the packet. The default setting is 32. Beginning
in privileged EXEC mode
QUESTION: 5
Your customer has a Cisco Unified Wireless Network running AireOS 8.0 and wants to
learn about the FlexConnect mode that is available on his APs. Which two statements
are true? (Choose two.)
A. A newly connected AP can be booted in FlexConnect mode.
B. When an AP is changed from Local mode to FlexConnect mode, a reboot is required.
C. Enhanced FlexConnect mode allows to enable wIPS on FlexConnect APs.
D. When an AP is changed from Local mode to FlexConnect mode, reboot is not
required.
E. Using CCKM with FlexConnect APs requires the use of FlexConnect Groups.
F. FlexConnect was previously know as "H-TEEP"
Answer: D, E
Explanation:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-
4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDA
TED_ chapter_01000010.html
400-351

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/
ch7_HREA.html
QUESTION: 6
Which three types of ACLs are supported by the Cisco 5760 WLC? (Choose three.)
A. Port ACLs.
B. VLAN ACLs(VLAN maps).
C. Router port ACLs.
D. AP Radio ACL Switch port ACLs.
E. Router ACLs.
Answer: A, B, E
Explanation:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/secu
rity/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01010.htm
l#ID6 3 ACL Precedence Port ACLs Router ACLs VLAN Maps
QUESTION: 7
Which statement about Wired Guest Access is true?
A. The guest traffic can terminate on the foreign WLC, but egress interface must be
defined on the guest SSID
B. Wired Guest Access is not supported in the Cisco 5760 WLC
C. The wired guest traffic terminates only on the anchor Cisco WLC
D. The Cisco 5760 WLC supports Wired Guest Access only in conjunction with the
converged access switches.
Answer: C
Explanation:
http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-
controllers/118810-technote-wlc-00.html
QUESTION: 8
When a Flex Connect AP is in the "local authentication, local switching" state, it handles
client authentication and switches client data packets locally. This state is valid in
400-351

standalone mode and connected mode. Which three statements about a FlexConnect AP
are true? (Choose three).
A. In connected mode, the AP provides minimal information about the locally
authenticated client to the controller. This information is not available on the controller
policy type. Access VLAN. VLAN name, supported rates. Encryption ciphter.
B. In connected mode, the access point provides minimal information about the locally
authenticated client to the controller. However, this information is available to the
controller policy type., access VLAN, VLAN name, supported rates, encryption cipher.
C. Local authentication is useful where you cannot maintain a remote office setup of a
minimum bandwidth kbps with the round-trip latency no greater than 100 ms and the
maximum transmission unit no smaller than 576 bytes.
D. Local authentication is useful where you cannot maintain a remote office setup of a
minimum bandwidth kbps with the round-trip latency no greater than 150 ms and the
maximum transmission unit no higher than 500 bytes.
E. Local authentication in connected mode does not require any WLAN configuration.
F. Local authentication can be enabled only on the WLAN of a FlexConnect AP that is
in local switching mode.
Answer: A, C, F
Explanation:
2/configuration/guide/cg/cg_flexconnect.html
QUESTION: 9
You have configured VideoStream on a Cisco WLC and users are now viewing the
company video broadcast over the wireless network. How can you verify you have
VideoStream configured and working in the Cisco WLC GUI?
A. The Multicast Status shows "Normal Multicast" in the Multicast Group Details.
B. The Multicast Status shows "MediaStream Ongoing" in the Client detail page.
C. The Multicast Status shows "Multicast-direct Allowed" in the Multicast Group
Details.
D. The Multicast Status shows "MediaStream Allowed" in the Multicast Group Details.
Answer: C
400-351

QUESTION: 10
Refer to the exhibit. It belongs to a Cisco IOS AP with just one radio. This portion of
configuration refers to a multiple SSID/VLAN configuration. Which statement is
correct?
Refer to the exhibit. It belongs to a Cisco IOS AP with just one radio. This portion of
configuration refers to a multiple SSID/WLAN configuration. Which statement is
correct?
400-351

A. The configuration does not allow for non-corporate clients to connect to any SSID
Guest traffic.There fore will not allowed.
B. 'mbssid guest-mode' is used to allow broad cat of multiple SSIDs on the radio
interface. No other 'mbssid" commands are needed to achieve this functionality.
C. The AP must have subinterfaces 80,81,and 82 configured on the Radio 0 and Ethernet
interfaces.
D. The SSID "EAP" will allow clients to connect to it using any EAP authentication
method such as EAP-TLS.
Answer: C
Explanation:
Consider the association process of a wireless client to an SSID. Drag and drop the
client actions from the left into the correct order of operation on the right.
Left:
802.11 probe request 802.11 association request EAPol key message 2 802.11
authentication request EAP identity response
Right:
Step1 -------------Step1 802.11 probe request
Step2 -------------Step2 802.11 authentication request
Step3 -------------
Step3 802.11 association request Step4 -------------
Step4 EAP identity response
Step5 -------------Step5 EAPol key message 2
400-351

QUESTION: 11
Exhibit
Refer to the exhibit. You have been asked to troubleshoot why VTP is not distributing
new VLANs to a VTP client switch. Which option is the most likely root cause of this
VTP problem.
A. The VTP password is not set to level 15 on the client switch.
B. The VTP password encryption level is not set on the client switch.
C. The VTP encryption level does not match on the client switch.
D. The VTP password is incorrect on the client switch.
E. The client switch is set to transparent mode. Which ignores VLAN configuration
updates from VTP servers.
Answer: D
Explanation:
From:
Each sw, and issue the command:
No vtp password
400-351

https://www.packet6.com/configuring-vtp-on-cisco-switches/
http://www.sunpenguin.net/?p=283
QUESTION: 12
You are setting up a Cisco access point in repeater mode with a non-Cisco access point
as the parent and you use this interface configuration on your Cisco access point.
400-351

You are getting the following error message. Which reason for this issue is true?
A. %D0Tll-4-CANT_A$S0C:lnterface DotllRadioO, cannot associate:No Aironet
Extension IE.
B. "dotll extension aironet" is missing under the interface DotllRadio 0 interface
When repeater mode is used, unicast-flooding must be enabled to allow Aironet IE
communications.
C. The parent AP MAC address has not been defined.
D. Repeater mode only works between Cisco access points.
Answer: A
Explanation:
From:
400-351

http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-
2_11_JA/configuration/guide/b12211sc/s11rep.html
QUESTION: 13
Which two advanced WLAN options are required when deploying central web
authentication with Cisco ISE? (Choose two.)
A. P2P Blocking Action set to Drop.
B. NAC State RADIUS NAC
C. NAC State SNMPNAC.
D. DHCP Addr. Assignment disabled.
E. Allow AAA override enabled.
Answer: B, E
Explanation:
From
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-
central-web-auth-00.html
QUESTION: 14
FlexConnect APs have already been deployed in a branch office for local switching.
Currently the WLAN in the large auditorium is proposed to change to a high-density
design and thus some low data rates are proposed to be disabled while keeping the data
400-351

rates in other areas under the same Cisco WLC. Which two configuration settings must
be modified in the Cisco WLC to achieve this configuration? (Choose two.)
A. RF Profiles
B. Mobility Groups
C. FlexConnect Groups
D. AP Groups
E. Fape profile.
Answer: A, D
Explanation:
From:
QUESTION: 15
You are installing Converged Access controllers that run Cisco IOS-XE and you are
ready to implement QoS. From the below, choose all the possible QoS target levels that
would apply to downstream traffic (toward the client)?
A. Client, SSID, Radio, Port
B. Client, SSID, Radio
C. Client, Radio
D. Client, SSID
Answer: A
Explanation:
Exhibit
400-351

http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/
multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_010010.ht
ml
QUESTION: 16
Refer to the exhibit.
Exhibit
Which feature (and associated show output) is seen here?
A. Controller>show client tsm 802.11a 00:01:02:03:04:05 all
B. Controller>show client wmm 802.11a 00:01:02:03:04:05 all
C. Controller>show ap stats 802.11a00:01:02:03:04:05
D. Controller>show client detail 00:01:02:03:04:05
Answer: A
Explanation:
Exhibit
400-351

QUESTION: 17
You are designing a wireless network for a museum. One of their requirements is to
track people inside the museum and push a notification into their tablet device as soon as
they step in front of a painting with information about the artist and the painting. This
information must be delivered in real time. You are using regular probe request-based
tracking and during testing. You notice that although the tablet Is connected to the
museum Wi-Fi network, the location is not updating in real time as you move. It can
take almost 2 minutes for the location to be updated. Which option is the likely reason
for this issue?
A. Cisco MSE does not perform a new location calculation for certain elements if the
resulting position is not at least 5 meters different than the previous location.
B. Probe request-based tracking is bound to delay due to the broadcast type of traffic
that is not acknowledged over the air and could be lost.
C. CCXv4 S60 is disabled by default. You must enable CCXv4 S60, which is
compatible with all Wi-Ficlients. This feature comes out location updates more
frequently.
D. Probe request-based tracking is device dependent. The tablet might not send a probe
request if it is maintaining a good Wi-Fi signal, which can cause slower location
updates.
400-351

Answer: C
Explanation:
From.
http://www.cisco.com/c/en/us/support/docs/wireless/context-aware-software/110836-
cas-faq.html
Exhibit
400-351

Exhibit
http://www.cisco.com/c/en/us/td/docs/wireless/mse/3350/release/notes/mse7_0_220-
0.html#pgfId-1128560
400-351

https://communities.cisco.com/thread/41579?start=0&tstart=0
Exhibit
400-351

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/sys
tem_management/configuration_guide/b_sm_3se_3850_cg/b_sm_3se_3850_cg_chapter
_01 010.pdf
QUESTION: 18
Which two effects does TSPEC-based admission control have as it relates to WMM
clients? (Choose two)
A. Deny clients access to the WLAN that do not support WMM.
B. Allow access only for VoWLAN traffic when interference is detected.
C. Enforce airtime entitlement for wireless voice applications.
D. Ensure that call quality does not degrade for existing VoWLAN calls.
E. Deny clients access to the WLAN if then do not comply with the TERP standard.
Answer: C, D
Explanation:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowla
n41d g-book/vowlan_ch2.html
http://www.cisco.com/c/en/us/td/docs/wireless/technology/vowlan/troubleshooting/vowl
an_t roubleshoot/5_Troubleshooting_CAC_Rev1-2.html#wp1053384
QUESTION: 19
Which two options are new features that are supported by IGMPv3compared to
IGMPv2.(Choose two)
400-351

A. It extends IGMP. which allows for an explicit maximum response time field.
B. It adds support for source filtering.
C. Router can now send a group-specific query.
D. It adds support for IGMP Leave Message.
E. It supports the link local address 224.0.0.22. which is the destination IP address for
membership reports.
Answer: B, E
Explanation:
Do not understanding difference between IGMPv2 and v3 | LAN, Switching and
Routing | Cisco Support Community
https://supportforums.cisco.com/discussion/10948466/do-not-understanding-difference-
between-igmpv2-and-v3 IGMP Version 3 Cisco
http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_igmp.html
Feature Overview Internet Group Management Protocol (IGMP) is a protocol used by
IPv4 systems to report IP multicast memberships to neighboring multicast routers.
This feature module introduces support for Version 3 of IGMP. In previous versions of
Cisco IOS software only Version 1 and Version 2 were supported. IGMP Version 3
(IGMPv3) adds support for "source filtering," which enables a multicast receiver host to
signal to a router which groups it wants to receive multicast traffic from, and from which
source(s) this traffic is expected. This membership information enables Cisco IOS
software to forward traffic only from those sources from which receivers requested the
traffic.
IGMPv3 supports applications that explicitly signal sources from which they want to
receive traffic. With IGMPv3, receivers signal membership to a multicast host group in
the following two modes:
INCLUDE mode—In this mode, the receiver announces membership to a host group
and provides a list of IP addresses (the INCLUDE list) from which it wants to receive
traffic. EXCLUDE mode—In this mode, the receiver announces membership to a host
group and provides a list of IP addresses (the EXCLUDE list) from which it does not
want to receive traffic. This indicates that the host wants to receive traffic only from
other sources whose IP addresses are not listed in the EXCLUDE list. To receive traffic
from all sources, like in the case of the Internet Standard Multicast (ISM) service model,
a host expresses EXCLUDE mode membership with an empty EXCLUDE list.
IGMPv3 is the industry-designated standard protocol for hosts to signal channel
subscriptions in Source Specific Multicast (SSM). SSM was introduced in Cisco IOS
Release 12.1(3)1, however SSM support for IGMPv3 was introduced in 12.1(5)T. For
SSM
to rely on IGMPv3; IGMPv3 must be available in last hop routers and host operating
system network stacks, and be used by the applications running on those hosts.
In SSM deployment cases where IGMPv3 cannot be used because it is not supported by
the receiver host or the receiver applications, there are two Cisco-developed transition
solutions that enable the immediate deployment of SSM services: URL Rendezvous
400-351

Directory (URD) and IGMP Version 3 lite (IGMP v3lite). Both of these features are
documented in the Cisco IOS Release 12.0(15)S Source Specific Multicast with
IGMPv3, IGMP vSlite, and URD feature module.
IGMP
Version Description IGMPvl
Provides the basic query-response mechanism that allows the multicast
router to determine which multicast groups are active and other processes that enable
hosts to join and leave a multicast group. RFC 1112 defines the IGMPvl host extensions
for IP multicasting.
IGMPv2
Extends IGMP. allowing such capabilities as the IGMP leave process, group-specific
queries, and an explicit maximum response time field. IGMPv2 also adds the capability
for routers to elect the IGMP querier without dependence on the multicast protocol to
perform this task. RFC 2236 defines IGMPv2.
IGMPv3
Provides for source filtering. which enables a multicast receiver host to
signal to a router which groups it wants to receive multicast traffic from, and from which
sources this traffic is expected. In addition, IGMPv3 supports the link local address
224.0.0.22. which is the destination IP address for IGMPv3 membership reports; all
IGMPv3-capable multicast routers must listen to this address. RFC 3376 defines
IGMPv3.
QUESTION: 20
Exhibit
Refer to the exhibit. What is the best way to resolve this issue?
A. Install a server certificate signed by a well-know public CA on the WLC.
B. Disable certificate checks on the client.
C. Install a server certificate signed by a well-known public CA on the Radius Server.
D. Use the certificate authority on the Cisco Identity Services Engine.
Answer: C
400-351

Explanation:
From:
Event: 5400 Authentication failed
Failure Reason: 12321 PEAP failed SSL/TLS handshake because the client rejected the
ISE Local - certificate
Cisco ISE authentication failed because client reject certificate | AAA, Identity and NAC
| Cisco
Support Community https://supportforums.cisco.com/discussion/11697966/cisco-ise-
authentication-failed-because- client-reject-certificate
The error you are seeing in ISE is pointing to your client, if you have the eap settings set
to "validate server certificate" then you must manually set it to trust the rootCA that
signed the ISE certificate, or you can disable this option for testing. You can try to
remove this wireless network profile, and recreate it and see if the pop up appears which
asks you to validate the server's identity.
Possible Causes for this issue
The supplicant or client machine is not accepting the certificate from Cisco ISE.
The client machine is configured to validate the server certificate, but is not configured
to trust the Cisco ISE certificate.
Note [This is an indication that the client does not have or does not trust the Cisco ISE
certificates. Possible Causes The supplicant or client machine is not accepting the
certificate from Cisco ISE.
The client machine is configured to validate the server certificate, but is not configured
to trust the Cisco ISE certificate. Resolution The client machine must accept the Cisco
ISE certificate to enable authentication.
400-351

400-351 Exam-CCIE Wireless

More Related Content

What's hot (20)

Similar to 400-351 Exam-CCIE Wireless (20)

More from Isabella789 (20)

Recently uploaded (20)

400-351 Exam-CCIE Wireless