Cisco CCIE Wireless Exam

Transcription

1 Cisco CCIE Wireless Exam Vendor: Cisco Exam Code: Exam Name: CCIE Wireless Written Exam, v2.0 Q&A: 315

2 QUESTION 1 Which two security features are associated with a wireless network employing i configured as a Robust Security Network? (Choose two.) A. WEP B. AES-CCMP C x D. IPsec E. TKIP F x Answer: BF QUESTION 2 Before conducting a passive RF site survey with a standalone AP, which two of these should be statically configured on the AP? (Choose two.) A. passive client B. channel assignment C. DTPC D. Tx power level E. channel scan defer priority Answer: BD QUESTION 3 After interviewing a customer to understand wireless client requirements, you determine that b must be enabled to support legacy clients within a mixed-mode environment. Which recommendation will have the greatest impact on mitigating the effects of b clients on the rest of the network? A. Restrict OFDM modulation from being used. B. Make 11 Mb/s the lowest mandatory rate. C. Enable a separate SSID for b clients. D. Enable a short preamble. Answer: B QUESTION 4 In a Cisco Unified Wireless Network environment, which two of these are required in order for clients to connect with MCS data rates? (Choose two.) A. EDCF B. client MFP C. multiple spatial streams D. AES-CCMP E. 40-MHz channels Answer: AD

3 QUESTION 5 The standard includes which two amendments to the original standard? (Choose two.) A c B d C j D r E u Answer: BC QUESTION 6 You are designing a wireless network utilizing EAP-TLS. One design requirement is to provide per-user differentiated QoS using only one SSID. What is the best way to achieve this goal? A. using WMM override B. using Cisco Airespace VSAs C. using QoS Enhanced BSS D. using AP groups Answer: B QUESTION 7 What does the letter P in the designation of the AIR-CAP3502P AP indicate? A. The AP supports the new IEEE p (WAVE) wireless standard. B. The AP requires professional installation. C. The AP can be used in plenum applications. D. The AP is compatible with polarization type antennae. Answer: B QUESTION 8 You are converting your wireless infrastructure from a data-only design to a location services design. Which task do you need to complete? A. Disable the DSSS speeds for RFID compatibility. B. Use fewer APs to avoid RFID 3D imaging. C. Set APs to maximum power for RF fingerprinting. D. Locate APs at the edges of your coverage area for trilateration. Answer: D QUESTION 9 Which statement about heat maps on Cisco WCS is true? A. They are predictive and rely only on the accuracy of the information that is provided with the map.

4 B. They are based on real-time actual values if Cisco Compatible Extensions is enabled on the APs. C. They are predictive but can be converted to real values by using the Refresh from network button. D. They are based on real-time actual values because of fingerprinting. Answer: A QUESTION 10 A clause 15 radio uses and supports data rates of. A. FHSS or DSSS, 1 Mb/s up to 11 Mb/s B. DSSS, 1 Mb/s and 2 Mb/s C. FHSS, 1 Mb/s and 2 Mb/s D. DSSS, 1 Mb/s up to 11 Mb/s Answer: B QUESTION 11 is classified as an i RSN with as the mandatory encryption protocol. A. WEP, TKIP B. WPA2,TKIP C. WPA, AES D. WPA2, AES Answer: D QUESTION 12 You are designing an autonomous wireless network for an office building that is located near a local airport. The customer requires the use of a/n clients only, and the APs must never change their channel after they are configured. Which two UNII bands and channels should you restrict the APs to use on the 5 GHz radios? (Choose two.) A. UNII-1 and UNII-3 B. UNII-1 and UNII-2 extended C and D and E and F and Answer: AF QUESTION 13 You have been hired to install an outdoor wireless network for a small city. The design must provide 360 degrees of coverage from a central location and at least 33 Mb/s of aggregate bandwidth for clause 18 radio clients. How do you design this solution? A. Three or more patch antennas installed in a circular pattern on the same supporting structure B. One high-gain omni-directional antenna

5 C. Three or more parabolic dish antennas installed in a circular pattern on the same supporting structure D. Three or more sector array antennas installed in a circular pattern on the same supporting structure E. Three or more Yagi antennas installed in a circular pattern on the same supporting structure Answer: D QUESTION 14 Which three security threats require the Cisco Adaptive wips service for mitigation? (Choose three.) A. on/off-channel rogue B. spectrum intelligence C. man-in-the-middle attack D. rogue switch-port tracing E. zero-day attack F. network reconnaissance EF QUESTION 15 Which of the following are required components for Client MFP? (Choose two.) A. CCXv4 B. CCXv5 C n D. WPA2 w/tkip or AES-CCMP E. AnyConnect 3.0 Answer: BD QUESTION 16 Which of the following statements are true regarding RLDP? (Choose two) A. RLDP works only on APs configured in Open Authentication mode. B. RLDP only works if the AP is in Monitor Mode. C. RLDP will attempt to identify each Rogue AP only once. D. RLDP only works if the Rogue AP is connected to a VLAN that is reachable by the WLC. E. RLDP only works if the AP is in Local Mode. Answer: AD QUESTION 17 Which of the following statements are not correct about Client Management Frame Protection (MFP)? (Choose 2.) A. Client MFP can replace Infrastructure MFP in case only CCXv5 clients are used. B. Client MFP encrypts class 3Unicastmanagement frames using the security mechanisms defined by i. C. In order to use Client MFP the client must support CCXv5 and negotiate WPA2 with AES- CCMP or TKIP.

6 D. The only supported method to obtain the pre-user MFP encryption keys is EAP authentication. E. CCXv5 client and access points must discard broadcast class 3 management frames. Answer: AD QUESTION 18 Corporation XYZ just underwent a third-party security audit. The auditors have required that the corporation implements 802.1x on its wireless network and disable all pre-shared key WLANs as soon as possible. XYZ does not have an internal CA installed to provide server certificates today. However, it wishes to implement an EAP method that requires clients to use server authentication in the future. XYZ also needs an EAP method that will allow both Active Directory user authentication and time-based tokens. What is the best EAP method for XYZ to implement? A. TTLS B. PEAP C. FAST D. TLS QUESTION 19 Which of the below parameters are used in calculating the range - maximum distance - of an outdoor link between two bridges? Choose two. A. The cable length between bridge and the connecting switch. B. The bridge transmission power. C. The outside temperature. D. The modulation type. E. The length of the antenna. Answer: BD QUESTION 20 When viewed from the side (in the H-plane), how can the radiation pattern of a patch and Yagi antennas be described? (Choose two.) A. the patch patterns are egg-shaped. B. the patch patterns are conical. C. the patch patterns are doughnut-shaped. D. the Yagi patterns are conical. E. the Yagi patterns are egg-shaped. F. the Yagi patterns are doughnut-shaped. Answer: AD QUESTION 21 The transmit power level on an a radio is configured for 25 mw. What is the corresponding value in decibels?

7 A. 2.5 dbm B. 3 dbm C. 14 dbm D. 18 dbm E. none of the above QUESTION 22 Users complain about intermittent wireless connectivity issues. You see the following message on your Cisco WCS, corresponding the time the connectivity issues occurred. AP 'building-1-entrance', interface '802.11b/g' on Controller ' '. Noise threshold violated. What do you do? A. Increase the interference threshold from the default 10%. B. Use a spectrum analyzer to discover the noise source. C. Check the logs for rogues in the area, and turn on rogue mitigation. D. Increase the power of the APs in the entrance hall. Answer: B QUESTION 23 Which environmental phenomena can cause considerable degradation to your wireless signals? A. multipath, reflection, scattering, refraction B. multipath, alpha particles, diversity, absorption C. multipath, cosmic radiation, free path loss, scattering D. multipath, convergence, refraction, gamma rays Answer: A QUESTION 24 You are working for a South American services integrator. Your customer has a working unified Cisco WLC solution in Costa Rica (-A domain). You need to integrate an office in Panama (-N domain); correct APs are already deployed for this domain. Which approach do you take? A. Do nothing. These APs will work on the same Cisco WLC because the countries are neighbors. B. Change the APs in the Panama office to AIR-CAP3502E-N-K9, which have external antennae. C. Use the config domain add -N command on the Cisco WLC. D. Add the country code for Panama (PA) through the Cisco WLC web GUI. Answer: D QUESTION 25 Which role does the Wi-Fi Alliance fulfill regarding WLANs? A. creates global interoperability for wireless channels and spectrum B. maintains and creates the protocol standards by which wireless devices work

8 C. ensures that wireless products that are available to consumers provide the features that the products claim to have D. creates strict regulations QUESTION 26 One of your customers is thinking of deploying wireless in a building. Which two items should you establish in a pre-site survey? (Choose two.) A. the exact channels that should be used B. the agreed coverage areas for the design C. the access security arrangements for getting into the building D. the type of deployment (data-only service, voice service, or location services) E. sources of RF interference Answer: BD QUESTION 27 On AIR-CAP3500 Series APs, which AP mode allows you to intensively analyze the frequency spectrum and detect interferers? A. Sniffer B. Monitor C. SE-Connect D. Analyzer E. Rogue Detector QUESTION 28 Your site has already been surveyed at 5 GHz for n VoWLAN services. Which services can you add safely, without conducting an additional site survey? (Choose two.) A. enhanced Layer 2 or Layer 3 security of the WLAN B. optional MFP client protection for Cisco Client Extensions Version 5 clients C n data services on the 2.4 GHz Frequency D n voice services on the 2.4 GHz Frequency E. new services (such as location) on both frequencies Answer: AB QUESTION 29 Which type of indoor Cisco AP should you deploy to make use of spatial multiplexing? A. AIR-LAP1242AG B. AIR-BR1310G C. AIR-LAP1131AG D. AIR-LAP1252AG

9 E. AIR-LAP1524AG Answer: D QUESTION 30 You are a wireless network administrator for a company that has installed a network that is based on Cisco WLC and uses Aironet 1140 Series APs. The clients are using the 2.4 GHz band and WPA TKIP for Layer 2 security. The president of the company reads a news article on the benefits of n and wants to deploy it at the office so that the company can use data rates of up to 150 Mb/s. What should you tell the president? A. You need to change your Layer 2 security policy to WPA2 AES to achieve the 300 Mb/s data rate. B. You need to purchase different APs because the 1140 Series supports only up to 54 Mb/s. C. You need to change the client Layer 2 security to WPA2 TKIP. D. You need to change the client Layer 2 security to open. E n data rates are possible only on 5 GHz. F n data rates are possible with the current client Layer 2 security, but for a theoretical data rate of 300 Mb/s, you need to use channel bonding, which is not recommended on the 2.4 GHz band. Answer: A QUESTION 31 You have been hired to conduct a predeployment indoor wireless site survey. Which item is not needed before starting the project? A. a statement of work that details the areas of the facility in which the customer wants to deploy wireless B. architecture drawings of the facility C. topographical maps D. a list of client devices and applications that will use wireless at the facility E. Layer 2 security requirements for the WLAN QUESTION 32 Which regulatory body develops standards for European information and communication technologies? A. European Union B. European Telecommunications Standards Institute C. European Radio and Telecommunications Terminal Equipment Directive D. International Organization for Standardization Answer: B QUESTION 33 ABC Company end users are reporting voice roaming issues. Which two situations are possible causes? (Choose two.) A. The RF coverage cells have only 10-percent overlap; 15- to 20-percent cell overlap is typically needed

10 for seamless roaming. B. The RF coverage is colocated. C. There is interference from a 5 GHz DECT-like phone. D. The RF coverage cells have only 20-percent overlap; 25- to 30-percent cell overlap is typically needed for seamless roaming. E. There is interference from the cellular network. Answer: AC QUESTION 34 Refer to exhibit. Which type of RF signature does the exhibit illustrate on channel 1? A. broadcast probe flood B. video camera C. Wi-Fi inverted D. NULL probe response E. none of the above Answer: B QUESTION 35 After interviewing the customer to understand its wireless client requirements, you determine that b must be enabled to support legacy clients within a mixed-mode environment. What recommendation will have the greatest mitigation on the effects of b clients on the rest of the network? A. Restrict the use of OFDM modulation. B. Make 11 Mb/s the lowest mandatory rate. C. Enable a separate SSID for b clients.

11 D. Enable short preamble. Answer: B QUESTION 36 Which of the below devices can cause unintentional RF jamming attacks against an wireless network? (Choose two.) A. Rogue Access Points B. Microwave Oven C. Radar D. 900 Mhz cordless phones Answer: BC QUESTION 37 When conducting a greenfield RF site survey with multiple APs, which information element should be enabled to ensure your site survey software will display the hostname of each AP? A. IE 0 B. IE 1 C. IE 133 D. IE 221 QUESTION 38 Corporation XYZ has 25 buildings (with a total of employees) and would like to implement a single SSID across their entire site. Which feature would be helpful to prevent wireless internet access from 1 of the 25 buildings? A. AP groups B. AAA override C. WLAN override D. MAC filtering Answer: A QUESTION 39 Which three of these are considered Cisco RF guidelines for a proper VoWLAN deployment? (Choose three.) A. Cell edge should be -67 dbm with 20 to 30 percent overlap. B. Channel utilization should be kept under 30 percent. C. Noise levels should not exceed -92 dbm. D. Packet loss should not exceed 5 percent. E. Jitter should be kept at a minimum (less than 300 ms). F retransmissions should be less than 20 percent.

12 Answer: ACF QUESTION 40 Which IEEE standard allows for the use of multiple 2-MHz communication channels within the 2.4- GHz spectrum? A B C D E Answer: B QUESTION 41 While reviewing data gathered during a passive RF site survey for an existing network of Cisco Aironet 1260 Series Access Points, you discover a high amount of potential co-channel interference throughout the network. Which two of these are potential causes? (Choose two.) A. an inconsistent beacon interval B. EDRRM is not enabled C. the APs are placed too close together D. a static channel plan is used E. the radio policy is inadvertently set identically for all SSIDs D QUESTION 42 You are tasked with creating a controller-based high-density RF design. Which three factors determine the cell size? (Choose three.) A. antenna type B. ClientLink support C. basic data rate D. TPC threshold setting E. AP placement F. free space path loss Answer: ACD QUESTION 43 You are tasked with designing a wireless network to support a specific 5-GHz wireless phone. During the initial design phase you are unable to obtain the client device radio specifications. From a network configuration perspective, which of these cannot be configured before you obtain the radio specifications? A. band select B. WMM queue selection C. DCA channel list

13 D. channel width QUESTION 44 You are configuring an autonomous wireless guest network for your customer. The customer requires that guest users be unable to communicate with one another. Which solution best meets this requirement? A. public secure packet forwarding on the AP and switch-port protected on the AP switch port B. public secure packet forwarding on the AP and limiting the AP switch port to the guest VLAN only C. port security on the AP and 802.1X on the AP switch port D. MAC filtering on the AP radio interface and switch-port protected on the AP switch port E. public secure packet forwarding on the AP and configuring the guest VLAN on the switched network as a private VLAN Answer: E QUESTION 45 What is the advantage of EAP-FAST compared to LEAP? A. EAP-FAST exchanges user credentials within a TLS tunnel whereas LEAP exchanges credentials information in clear, which allows possible offline "dictionary attacks." B. EAP-FAST allows authenticated in-band PAC provisioning, whereas LEAP uses anonymous in- band PAC provisioning, which is transparent to the user. C. LEAP only supports user and password changes in conjunction with MS-CHAPv2, whereas EAP-FAST supports user and password changes when using MS-CHAPv2 or OTP or PAC. D. EAP-FAST works with the authentication algorithm "open eap," and also with "network- eap," whereas LEAP is limited to the authentication algorithm "network-eap" only. Answer: A QUESTION 46 Which of the below statement is correct with regards to configuring local MAC authentication on an AP? A. A MAC address can be spoofed, so it is insecure. B. The MAC address is used in stead of the username in the EAP certificate exchange. C. The MAC address may be used in the key hash, if WEP is used as a key cipher. D. MAC address authentication can not co-exist with EAP authentication. Answer: A QUESTION 47 Which two statements are not correct about client MFP? (Choose two.) A. Client MFP can replace infrastructure MFP if only CCXv5 clients are used. B. Client MFP encrypts class 3 unicast management frames using the security mechanisms defined by i. C. In order to use client MFP, the client must support CCXv5 and negotiate WPA2 with AES- CCMP or TKIP.

14 D. The only supported method to obtain the pre-user MFP encryption keys is EAP authentication. E. The CCXv5 client and access points must discard broadcast class 3 management frames. Answer: AD QUESTION 48 Company XYZ has a wireless network in place. Which three general guidelines should be followed to overlay a Cisco Context-Aware Mobility Solution? (Choose three.) A. The maximum effective AP spacing should be between 40 feet and 70 feet. B. There should be a minimum of two APs within range of each client. C. APs at the perimeter of the coverage area need to be deployed. D. The physical placement of APs must be collinear. E. Equilateral triangle placement of the APs yields better accuracy. Answer: ACE QUESTION 49 You are designing a wireless infrastructure for an enterprise customer in the busy international banking district of Tokyo. All the client adapters are fairly modern, so you have turned off b speeds to reduce the size of your cells. Which channels will you choose to make optimum use of the available spectrum? A. 1, 5, 9, 13 B. 1, 6, 11 C. 1, 6, 11, 14 D. 1, 4, 7, 11, 14 E. 1, 5, 9 Answer: B QUESTION 50 Which three are equivalent forms of the IPv6 address 2011:0000:0000:0000:2010:0000:0000:000F? (Choose three.) A. 2011:0:0:0:2010:0:0:F B. 2011::2010::000F C. 2011:0:0000:0000:2010::000F D. 2011::2010:0:0:F E. 2011::201:0000:0000:000F F. 2011::201:0010:0010:000F Answer: ACD QUESTION 51 Which of the following is not a valid IPv6 address type? A. link-local unicast B. unique-local unicast

15 C. anycast D. multicast E. broadcast Answer: E QUESTION 52 To avoid classification at all switches within a QoS domain, a switch port may be configured in a trusted state. Which two statements are true regarding the trust state configuration of a switch port? (Choose two.) A. When mls qos trust is not configured on the port, the default port trust state is DSCP. B. When mls qos trust is not configured on the port, the default port trust state is CoS. C. The port trust state can be CoS or DSCP only. D. When mls qos trust cos is configured on the port, the port default CoS value is used for an untagged packet. E. When mls qos trust cos is configured on the port, the switch classifies an ingress packet by using the packet CoS value. Answer: DE QUESTION 53 Which aggregate of the IPv6 addresses 2001:0303:0000:5000:0000:052B:0000:0000/96 and 2001:0303:0000:5000:0000:052C:0000:0000/96 has the longest possible mask? A. 2001:0303:0000:5000:0000:052A:0000:0000/96 B. 2001:0303:0000:5000:0000:052A:0000:0000/95 C. 2001:0303:0000:5000:0000:0528:0000:0000/93 D. 2001:0303:0000:5000:0000:0520:0000:0000/92 QUESTION 54 Which two protocols or processes can be used for a switched network to control distribution of multicast traffic at Layer 2? (Choose two.) A. PIM B. CGMP C. IGMP v2 D. IGMP v3 E. IGMP snooping E QUESTION 55 A router has two interfaces: Ethernet 0 is connected to the LAN and Ethernet 1 is connected to the Internet. The LAN is /24. All hosts on the LAN must be able to form TCP connections to any host on the Internet. Hosts on the Internet may not form TCP connections to hosts on the LAN, except to port 25 of a mail server on the LAN. The web server IP address is

16 Which configuration fulfills all the requirements? A. interface ethernet 1 ip access-group 123 in! access-list 123 permit tcp any access-list 123 permit tcp any host eq 25 B. interface ethernet 1 ip access-group 123 in! access-list 123 permit tcp any established access-list 123 permit tcp any host eq 25 C. interface ethernet 1 ip access-group 123 in! access-list 123 permit tcp any host eq 25 access-list 123 deny tcp any D. interface ethernet 1 ip access-group 123 in! access-list 123 deny tcp any access-list 123 permit tcp any host eq 25 E. interface ethernet 1 ip access-group 123 in! access-list 123 permit tcp any host eq 25 access-list 123 permit tcp any access-list 123 deny tcp any Answer: B QUESTION 56 Cisco WiSM controllers have multiple interface types. Which three statements about the interface types of the controllers are true? (Choose three.) A. The service-port interface is the default interface for in-band management of the controller. B. If the service port is in use, then the management interface must be on a different subnet than the service port. C. You cannot ping the AP-manager interface. D. The virtual gateway interface is used to support mobility management. E. The management interface is used as the source IP address for all Layer 3 communications between the controller and the lightweight APs. F. On the Cisco WiSM, the management interface is used to synchronize the supervisor engine and the Cisco WiSM. Answer: BCD QUESTION 57 You have 2 WLCs with management IP addresses of and respectively. Your APs reside on a different subnet. Which of the below DHCP options needs to be configured?

17 A. option 43 hex f102c0a80b05c0a80b06 B. option 43 hex f108c0a80b05c0a80b06 C. option 43 hex f102c0a81105c0a81106 D. option 43 hex f108c0a81105c0a81106 Answer: B QUESTION 58 Which two statements about the IPv4 ToS byte are true? (Choose two.) A. The ToS byte is located in the Layer 2 header. B. The ToS byte is located in the Layer 3 header. C. The DSCP values range from 0 to 7. D. The IP precedence and the DSCP fields have two overlapping bits. E. The class selector in the DSCP field is defined for backward compatibility with IP precedence. Answer: BE QUESTION 59 Which three protocols does IEEE 802.1X access control allow until the client is authenticated? (Choose three.) A. Cisco Discovery Protocol B. VLAN Trunking Protocol C. Spanning Tree Protocol D. Extensible Authentication Protocol over LAN E. Dynamic Host Control Protocol Answer: ACD QUESTION 60 Cisco WiSM controllers have multiple interface types. Which two interfaces must be present and configured at setup time? (Choose two.) A. virtual B. virtual gateway C. service port D. operator defined Answer: AC QUESTION 61 IN CUWN, what DHCP option needs to be configured for APs to join specific WLCs, if the WLCs and APs reside in different subnets? A. option 43 B. option 60 C. option 82

18 D. option 150 Answer: A QUESTION 62 When LAG is enabled, all ports participate in LAG by default. Which statement about LAG is true? A. The failure of one link affects only management access, not traffic throughput. B. If any single link fails, traffic will automatically migrate to the remaining links. C. If only two switch ports are in the LAG group, and one switch port fails, then the other switch port will fail also. D. If there are only two LAG connections, then all VLANs must be allowed. Answer: B QUESTION 63 Two switches are connected by an EtherChannel. Which setting does not have to match on the connected ports in order to form an EtherChannel? A. the allowed VLAN list B. the spanning-tree PortFast settings C. DTP negotiation settings D. the native VLAN E. the spanning-tree port priorities for each VLAN QUESTION 64 Refer to the exhibit. Which two statements are true? (Choose two.) A is the IP address of the multicast source. B is the IP address of the multicast receiver. C is the RP address for multicast group D. The Ethernet 0/0 interface of the router and are in the same broadcast domain. E. The Ethernet 0/0 interface of the router and do not need to be in the same broadcast domain. Answer: BD QUESTION 65

19 DSCP values can be expressed in decimal form or by PHB. Which PHB is the equivalent of DSCP 20? A. AF20 B. AF22 C. AF26 D. AF28 Answer: B QUESTION 66 You are configuring a TACACS+ server and the security team asks you for details about this protocol. Which three statements about the TACACS+ protocol are true? (Choose three.) A. It is TCP based. B. It is UDP based. C. It uses port 49 by default. D. It uses port 59 by default. E. The username is sent in cleartext. F. The username is encrypted. Answer: ACF QUESTION 67 Refer to the exhibit. All the guest users that associate to the guest SSID on the Cisco WLC are receiving this message from their browser each time that they try to reach an Internet website. Which two changes will allow the guest users to avoid this message in a simple and secure way? (Choose two.) A. Generate and install a new certificate for the Cisco WLC web-auth, signed by the Cisco CA.

20 B. Configure a FQDN in the management interface of the Cisco WLC and add that FQDN to the DNS server. C. Configure a FQDN in the virtual interface of the Cisco WLC and add that FQDN to the DNS server. D. Generate and install a new certificate for the Cisco WLC web-auth, signed by a CA trusted by the browser. E. Generate and install a new certificate for the Cisco WLC web-auth, signed by the local CA. D QUESTION 68 Which local DHCP pools that are configured on an autonomous IOS AP will properly work and lease IP addresses to the wireless clients without using the "ip helper-address" command? A. only the pool configured for the native VLAN B. only the pool configured for the VLAN assigned to the SSID where the wireless clients are connected C. all of the configured local DHCP pools D. all of the configured local DHCP pools, if static routing is configured appropriately Answer: A QUESTION 69 Refer to the exhibit. Which two statements are true about the RADIUS attributes listed? (Choose two.) A. They are used for dynamic VLAN assignment for wireless or wired clients. B. They are used for dynamic VLAN assignment for VPN tunnels. C. They correspond to the RADIUS attribute numbers 64, 65, and 81. D. They correspond to the RADIUS attribute numbers 64, 65, and 71. E. They correspond to the RADIUS attribute numbers 74, 75, and 81. F. They correspond to the RADIUS attribute numbers 74, 75, and 91. Answer: AC QUESTION 70 DNS is configured to respond with a list containing multiple controller addresses. Upon DNS discovery, which statement is true? A. The AP sends a discovery request to the first controller on the list, and then goes down the list

21 chronologically until it receives a discovery response. B. The AP sends a discovery request to the last controller on the list, and then goes up the list chronologically until it receives a discovery response. C. The AP sends a discovery request to all controllers on the list simultaneously. D. Multiple controller IP addresses in a DNS response are not supported. QUESTION 71 Refer to the exhibit. The ACS RADIUS Authentication Report shows the output for a failed client authentication. Which action can resolve this issue? A. Re-generate the client certificate, which is expired. B. Install the complete ACS certificate CA chain on the client operating system. C. Re-generate the local ACS certificate, which was issued by an unknown CA. D. Import the complete client certificate CA chain on the ACS. Answer: D QUESTION 72 Which two statements about the management access control on Cisco WLC, using an external TACACS+ server, are true? (Choose two.) A. The Cisco WLC supports TACACS+ command authorization. B. The Cisco WLC AAA authorization is role-based, using custom TACACS+ attributes. C. The Cisco WLC AAA authorization is role-based, using Cisco VSA attributes. D. The Cisco WLC requires the TACACS+ server to return a Privilege-Level attribute. E. If a user is not entitled to a specific task, then the user is not allowed to access that task. F. If a user is not entitled to a specific task, then the user is allowed to have read-only access to that task. Answer: BF QUESTION 73 What is the benefit of using a CA-signed certificate over a self-signed certificate? A. You can generate a certificate with a longer validity period. B. Fewer steps need to be generated. C. More authentication types are supported. D. You can avoid impersonation attacks.

22 E. You can use bigger keys. Answer: D QUESTION 74 Refer to the exhibit. Which DHCP option is shown? A. 32 B. 43 C. 60 D. 150 E. 241 QUESTION 75 Refer to the exhibit. Which Cisco WLC IP addresses will be returned to a Cisco AP that requests an IP address from this DHCP pool? A and B and C and D and E. none of the above

23 Answer: B QUESTION 76 Which three EAP types are supported when using an LDAP backend database that does not return a cleartext password? (Choose three.) A. EAP-FAST-GTC B. EAP-TLS C. PEAPv0-MS-CHAPv2 D. PEAPv1-GTC E. EAP-FAST-MS-CHAPv2 F. LEAP Answer: ABD QUESTION 77 Refer to the exhibit. What can be filtered by using this DNIS filter on ACS? A. wireless clients, based on the SSID to which they are associating B. wireless IP phones, based on the phone number that they are calling C. authentications from AAA clients, based on their assigned location D. authentications from a specific Cisco WLC interface E. authentications, based on part of the username Answer: A QUESTION 78 Which statement about using the internal DHCP server feature on a Cisco WLC is true? A. DHCP option 43 must be configured on the internal DHCP server. B. The DHCP server IP address must be set to the Cisco WLC management interface IP address. C. The internal DHCP server can serve both wireless and wired clients. D. Autonomous APs are supported.

24 Answer: B QUESTION 79 When using DNS discovery, you must configure DNS to respond to which of the following? A. CISCO-WAP-CONTROLLER.localdomain B. CISCO-CONTROLLER.localdomain C. CISCO-CAPWAP-CONTROLLER.localdomain or CISCO-LWAPP-CONTROLLER.localdomain D. CISCO-CONTROLLER-LWAPP.localdomain or CISCO-CONTROLLER-CAPWAP.localdomain QUESTION 80 Which two methods can be used in Cisco Secure ACS 5.2 to assign client authentication requests to different access services or authorization policies, based on the SSID to which the client is associated? (Choose two.) A. DNIS-based end station filter B. CLI-based end station filter C. condition based on the RADIUS-IETF.Filter-ID(11) attribute D. condition based on the RADIUS-IETF:Called-Station-ID(30) attribute E. condition based on the RADIUS-IETF:Calling-Station-ID(31) attribute Answer: AD QUESTION 81 Refer to the exhibit. What might be the reason of these failed attempts in ACS? A. The wrong shared secret is configured on the AAA client or ACS. B. The request is coming from a AAA client that is configured only for RADIUS on ACS. C. The request is coming from a AAA client that is configured only for TACACS+ on ACS. D. The PC that is trying to access the device is outside the known subnet. Answer: B QUESTION 82 How can you configure an NTP server address for Cisco Secure ACS 5.2? A. through the ACS GUI only B. through the ACS CLI only C. through both the ACS GUI and CLI D. on the hosting Microsoft Windows operating system E. not possible because there are no NTP settings for ACS

25 Answer: B QUESTION 83 You have configured ACS to perform machine authentication against Active Directory. Both ACS and Active Directory hosts can ping each other, there is no firewall between them, and ACS trusts the correct CA. Yet the clients that are performing machine authentication with EAP-TLS and using valid certificates are failing to authenticate. What might the reason be? A. The wrong UDP port for Active Directory is configured on ACS. B. Machine access restrictions is enabled on ACS. C. The client certificate key is less than 2048 bit. D. The wrong date and time are on the ACS server. E. The host is not configured in the ACS internal database. Answer: D QUESTION 84 Refer to the exhibit. Which three statements about the configured attribute or value in ACS are true? (Choose three.) A. It is returned within a RADIUS packet. B. It is returned within a TACACS+ packet. C. It grants the use of configuration commands on autonomous APs. D. It grants at least read-only access to all the menus in the Cisco WLC GUI. E. It is case sensitive. F. It is not case sensitive. Answer: BDE QUESTION 85 On a Cisco WLC, which NTP authentication type or types are supported? A. MD5 and DES B. MD5, DES, and DES-CBC C. MD5 D. DES E. DES-CBC

26 QUESTION 86 Refer to the exhibit. Which DHCP option is shown? A. Option 60 B. Option 241 C. Option 32 D. Option 150 E. Option 43 Answer: E QUESTION 87 Refer to the exhibit. Cisco Secure ACS 5.2 shows successful TACACS+ authentication and authorization for the user, but access to the Cisco WLC GUI fails. What is the reason for this failure? A. The user password is incorrect. B. The authorization response does not include a Privilege-Level attribute. C. The assigned role is incorrect. D. The received TACACS+ packet is not encrypted.

27 QUESTION 88 You are configuring a RADIUS server and the security team asks you for details about this protocol. Which three statements about the RADIUS protocol are true? (Choose three.) A. It is TCP based. B. It is UDP based. C. RADIUS servers use port 1645 or port 1812 for authentication. D. RADIUS servers use port 1646 or port 1813 for authorization. E. The username is sent in cleartext. F. The username is encrypted. Answer: BCE QUESTION 89 In a bridge-to-bridge setup, the network administrator wants to allow only the root bridge the ability to associate to the non-root bridge. To achieve this goal, the administrator decides to implement a MAC filter. If 0017.dfa6.cdf0 is the MAC address of the root AP (ROOT_AP) and 0017.dfa6.ae13 is the MAC address of the non-root AP (NON-ROOT_AP), which command set will achieve this goal? A. ROOT_AP# configure terminal ROOT_AP(config)# access-list 700 permit 0017.dfa6.cdf0 ROOT_AP(config)# dot11 association mac-list 700 B. NON-ROOT_AP# configure terminal NON-ROOT_AP(config)# access-list 700 permit 0017.dfa6.cdf0 NON-ROOT_AP(config)# dot11 association mac-list 700 C. NON-ROOT_AP# configure terminal NON-ROOT_AP(config)# access-list 700 permit 0017.dfa6.ae13 NON-ROOT_AP(config)# dot11 association mac-list 700 D. NON-ROOT_AP# configure terminal NON-ROOT_AP(config)# access-list 700 permit 0017.dfa6.cdf0 NON-ROOT_AP(config)# dot11 ssid bridge NON-ROOT_AP(config-ssid)# dot11 association mac-list 700 E. ROOT_AP# configure terminal ROOT_AP(config)# access-list 700 permit 0017.dfa6.cdf0 ROOT_AP(config)# interface Dot11Radio0 ROOT_AP(config-if)# dot11 association mac-list 700 Answer: B QUESTION 90 Which two sets of commands will allow multiple SSIDs (each in its own VLAN) to be broadcast on a single radio interface for an autonomous AP? (Choose two.) A. dot11mbssid under the global config section and guest-mode under the SSID config section B. mbssid under the radio interface and mbssid guest-mode under the SSID config section C. dot11mbssid under the global config section and mbssid guest-mode under the SSID config section D. dot11mbssid under the global config section, mbssid under the radio interface, and guest-mode under

28 the SSID config section E. cannot broadcast multiple SSIDs under one radio interface if using multiple VLANs Answer: BC QUESTION 91 When a wireless client connects to an autonomous AP, which sequence of events will occur when connecting to a SSID that does not broadcast itself? A. probe request, probe response, association request, association response, authentication request, authentication response B. authentication request, authentication response, probe request, probe response, association request, association response C. probe request, probe response, authentication request, authentication response, association request, association response D. authentication request, authentication response, association request, association response, probe request, probe response QUESTION 92 Refer to the exhibit. Given the following GUI output on an autonomous AP, how many additional infrastructure APs are registered to the Cisco WDS AP that is shown in the exhibit, and which Cisco WDS master AP MAC address is used for the WDS registration process? A. Zero and 0022.bd1a.0680 B. Oneand 0022.bd1a.0680

29 C. Twoand 0026.cb53.6d40 D. Zero and 0026.cb53.6d40 E. Oneand 0026.cb53.6d40 F. Oneand 0024.d70c.7ca4 or 001b.7766.d253 Answer: B QUESTION 93 Which three statements about workgroup bridges in a unified environment are true? (Choose three) A. Web authentication is not supported for use with workgroup bridges. B. VLANs are supported for use with workgroup bridges. C. Wired clients that connect to a workgroup bridge inherit the QoS and AAA override attributes of the bridge. D. If a workgroup bridge associates to a web-authentication WLAN, then the bridge is added to the exclusion list and all the workgroup bridge wired clients are deleted. E. The lightweight feature Cisco CKM is supported for use with a workgroup bridge. F. If your AP has two radios, then you can configure both for workgroup bridge mode. Answer: ACD QUESTION 94 The QoS implementation for WLANs differs from QoS implementations on other Cisco devices. Which two actions do QoS enabled autonomous bridges perform? (Choose two) A. They do not classify packets; they prioritize packets based on DSCP value, client type (such as a wireless phone), or the priority value in the 802.1q or 802.1p tag. B. They construct internal DSCP values and support mapping by assigning IP Differentiated Services Code Point (DSCP), Precedence, or Protocol values to Layer 2 COS values. C. They do not match packets using ACL; they use only modular quality of service (MQC) class- map for matching clauses. D. They do not construct internal DSCP values; they only support mapping by assigning IP Differentiated Services Code Point (DSCP), Precedence, or Protocol values to Layer 2 COS values. Answer: AD QUESTION 95 Refer to the exhibit. After setting up an AP to be part of network where WDS is running, you notice that the newly added AP is not able to join the WDS device. On the newly added AP, you only configure wlccp ap username cisco password ccie. You enable debug radius local-server error to help troubleshoot the issue. Given the debug output, what is the most likely cause of the issue? A. The WDS device is configured as a local RADIUS and the EAP packets are looping in the network.

30 B. The WDS device is configured as a local RADIUS and there is a mismatch on the RADIUS shared secret. C. The newly added AP is configured with a wrong password. D. The RADIUS server is not reachable. E. The WDS device is configured for EAP-FAST authentication and the newly added AP is using LEAP. QUESTION 96 The QoS implementation for WLANs differs from QoS implementation on other Cisco devices. With QoS enabled on autonomous APs, which two statements are true? (Choose two.) A. Autonomous APs do not prioritize packets; they classify packets based on DSCP value, client type, or the priority value in the 802.1Q or 802.1p tag. B. Autonomous APs do not construct internal DSCP values; they only support mapping by assigning IP DSCP, precedence, or protocol values to Layer 2 CoS values. C. Autonomous APs do not support 802.1Q or 802.1p tagged packets. D. Autonomous APs prioritize the traffic from voice clients over traffic from other clients when the QoS Element for Wireless Phones feature is enabled. Answer: BD QUESTION 97 A network administrator changed some wireless network SSID configuration settings on an autonomous AP. As a result, old clients can still connect by using the saved configuration on their wireless networks; however, new clients are not able to view or connect to the SSID. What is most likely the cause of the problem? A. The network administrator configured the SSID to not accept any new clients. B. The network administrator removed the broadcast command from the SSID configuration. C. The network administrator removed the guest-mode command from the SSID configuration. D. The network administrator changed the encryption algorithm of the SSID. QUESTION 98 When you have an AP in autonomous mode, you can configure the AP to only allow console or Telnet access to authorized users. What is the correct command sequence to achieve RADIUS login authentication via console? A. configure terminal aaa new-model aaa authentication login default line console 0 login authentication default radius-server host auth-port 1645 acct-port 1646 B. configure terminal aaa new-model aaa authentication login default group radius line console 0 login authentication default radius-server host auth-port 1645 acct-port 1646

31 C. configure terminal aaa new-model aaa authentication login default group radius login authentication default radius-server host auth-port 1645 acct-port 1646 D. configure terminal aaa new-model aaa authentication login default group radius line console 0 login authentication default group radius radius-server host auth-port 1645 acct-port 1646 Answer: B QUESTION 99 Refer to the exhibit. This setup uses two Cisco APs as wireless bridges. One bridge is configured for root bridge mode and the other is configured for non-root bridge mode. Client A associates with the root bridge and Client B associates with the non-root bridge. Which three statements are true? (Choose three.) A. Two bridges that are in root mode can talk to each other. B. Only one device can connect to the ethernet connection of the non-root bridge. C. For two bridges to communicate with each other, one bridge should be in root mode and the other must be in non-root mode. D. The default setting of a bridge is root. E. Two bridges that are in root mode cannot talk to each other. F. The default setting of a bridge is non-root. DE QUESTION 100 When viewing the configuration of an autonomous AP, you see these SNMP commands: snmp-server community comaccess ro 4 snmp-server enable traps snmp authentication

32 snmp-server host cisco.com version 2c public Which statement about these commands is true? A. These commands block read-only access for all objects to access list 4 members that use the comaccess community string. All other SNMP managers have access to any objects. SNMPv2c sends SNMP Authentication Failure traps to the host cisco.com, using the public community string. B. These commands allow write-only access for all objects to access list 4 members that use the comaccess community string. No other SNMP managers have access to any objects. SNMPv2c sends SNMP Authentication Failure traps to the host cisco.com, using the public community string. C. These commands allow read-only access for all objects to access list 4 members that use the comaccess community string. No other SNMP managers have access to any objects. SNMPv2c sends SNMP Authentication Failure traps to the host cisco.com, using the public community string. D. These commands allow read-only access to access list 4 members that use the comaccess community string. SNMPv2c sends SNMP Authentication Failure traps to the host cisco.com, using the public community string. QUESTION 101 Which authentication method is not supported when using the local RADIUS server feature of an autonomous AP? A. EAP-FAST B. EAP-TLS C. LEAP D. MAC Answer: B QUESTION 102 Refer to the exhibit. Given this debug output from the debug wlccp wds mn command, which event has occurred?

33 A. A wireless client with an IP address of has joined the Cisco WDS domain. B. A wireless client with an IP address of has re-associated to the Cisco WDS domain. C. A wireless client has been removed from the Cisco WDS domain. D. A wireless client has failed authentication. Answer: A QUESTION 103 Refer to the exhibit. This portion of a Cisco IOS AP configuration refers to a multiple SSID and VLAN configuration. Which statement is false?

34 A. The mbssid guest-mode command allows guest users to connect to the SSID. B. All SSIDs are broadcast by and visible to clients. C. The EAP SSID allows client to connect to it by using PEAP as an authentication method. D. The AP needs to have subinterfaces 80, 81, and 82 configured, both on the radio 0 and Ethernet interfaces. Answer: A QUESTION 102 When you set up an n-capable network using autonomous APs, which two settings let you achieve n rates? (Choose two.) A. no encryption

35 B. WPA2 AES-CCMP encryption C. WEP encryption D. Cisco Key Integrity Protocol encryption E. WPA1 TKIP encryption F. WPA2 TKIP encryption G. PSK Answer: AB QUESTION 105 You want to prevent a wireless client with a MAC address of 00:40:96:a5:b5:d4 from associating with an autonomous AP. Which commands do you use on the autonomous AP? A. dot11 association mac-list 700 access-list 700 deny a5.b5d4 ffff.ffff.ffff B. dot11 association mac-list 700 access-list 700 permit ffff.ffff.ffff access-list 700 deny a5.b5d C. dot11 association mac-list 700 access-list 700 deny a5.b5d access-list 700 permit ffff.ffff.ffff D. dot11 association mac-list 700 access-list 700 deny a5.b5d4 ffff.ffff.ffff access-list 700 permit ffff.ffff.ffff E. none of the above QUESTION 106 Which set of steps shows the correct order for adding an SSID with WPA security on a new VLAN via the GUI on an autonomous AP? A. Create the SSID, create the VLAN, and then set up encryption. B. Create the VLAN, set up encryption, and then create the SSID. C. Set up encryption, create the VLAN, and then create the SSID. D. Create the VLAN, create the SSID, and then set up encryption. Answer: B QUESTION 107 What is the function of the distance command on an autonomous bridge? A. to adjust the data rate of the packet transmission B. to adjust the bridge timeout values to account for the time that is required for radio signals to travel from bridge to bridge C. to give the person reading the configuration an idea of how far apart the bridge links are D. to increase the time that is needed for authentication Answer: B

36 QUESTION 108 Which command can you use to configure the standalone AP to use the NTP server at IP address ? A. ntp server B. sntp server C. ntp broadcast client D. sntp broadcast client Answer: B QUESTION 109 When configuring multiple BSSIDs in autonomous APs, which three requirements and guidelines should you follow? (Choose three.) A. APs must contain an a or b/g radio that supports multiple BSSIDs. B. RADIUS-assigned VLANs are supported when you enable multiple BSSIDs. C. VLANs cannot be configured. D. When you enable BSSIDs, the AP automatically maps a BSSID to each SSID. You cannot manually map a BSSID to a specific SSID. E. Any Wi-Fi certified client device can associate to an AP that uses multiple BSSIDs. F. You cannot enable multiple BSSIDs on APs that participate in WDS. Answer: ADE QUESTION 110 Which debug command is best to use when you suspect that a client will not connect to an autonomous AP because of an incorrect WPA PSK? A. debug dot11 mgmt station B. debug dot11 aaa authenticator process C. debug dot11 station connection failure D. debug dot11 encryption QUESTION 111 Refer to the exhibit. You are troubleshooting a client that is not able to associate to an SSID configured on an autonomous AP. What is most likely the cause of the association failure, given the debug output seen in the exhibit? A. The RADIUS server is not reachable. B. The username and password combination is incorrect.

37 C. The SSID is secured with PSK and the shared secret is wrong. D. There is no login method configured under the AAA configuration. E. The aaa authentication command is pointing to a nonexistent RADIUS server. F. The interface dot11radio0 does not require authentication and the client is requesting it. Answer: D QUESTION 112 You are setting up a wireless network using autonomous APs. Which two statements are true? (Choose two.) A. A wireless device always attempts to transmit at the highest datarate that is set to Basic, (orrequire in the GUI). B. At least one data rate must be set to Basic. C. The AP sends multicast and management frames at the lowest basic rate. D. The 5-GHz radios do not support 40-MHz channel width. Answer: AC QUESTION 113 Refer to the exhibit. You have setup an autonomous AP and configured an SSID to serve clients. While troubleshooting a client that is not able to associate to the SSID, you enable some debugs. Given the debug output seen in the exhibit, what is most likely the cause of association failure? A. The SSID is configured with TKIP encryption and the client PC is using AES encryption. B. The authenticating EAP method is PEAP and the username and password combination is incorrect. C. The SSID is secured with PSK and the shared secret is wrong. D. The RADIUS server is rejecting the dot1x authentication due to a message integrity check failure. QUESTION 114 To have the CleanAir feature merge reports from APs from different controllers, what do you need? A. CleanAir APs and Cisco WLCs in the same mobility group B. CleanAir APs, Cisco WLCs, and Cisco WCS C. CleanAir APs in the same RF group and Cisco WLCs D. CleanAir APs, Cisco WLCs, Cisco WCS PLUS, and a Cisco MSE E. CleanAir APs, Cisco WLCs, Cisco WCS PLUS, and a Cisco MSE with CleanAir tracking license Answer: D QUESTION 115

38 Refer to the exhibit. Client stations are trying to associate to a given SSID and fail to do so for some time before associating successfully. Considering the debug output that was collected, what could be the cause of the issue? A. The WLC is connected to two switches and LAG is not configured. B. The client was roaming and the SSID does not have the same WLAN ID on all company controllers. C. The client was already associated to another corporate SSID and Fast SSID change is disabled. D. The WLAN is constantly brought down because of CAPWAP tunnel flapping. E. An administrator changed the WLAN ID during the time in question. QUESTION 116 What is the correct procedure to install a chained certificate (if multiple certification authorities are involved) when you do web authentication on a WLC? A. In the Security > Web Authentication menu, download first the root CA certificate, apply, then download the intermediate CA and then the device certificate. B. Upload the WLC certificate through the Security > Web Authentication menu and the CA certificates by downloading with datatype Vendor CA Certificate. C. Zip all the certificates and download them on the WLC as datatype WebAuth Bundle. D. Only through command line with the command "transfer download data type webauth chained cert". E. Concatenate the device and intermediate CA certificates into one file along with the private key generated for the WLC CSR and upload that file in the Security > Web Authentication menu. Answer: E QUESTION 117 When configuring NAC in-band to work with a Cisco WLC, which statement is true, from a WLC perspective? A. NAC always needs to be enabled in the WLAN configuration. B. The Clean Access Server always needs to be configured as a RADIUS accounting server on the Cisco WLC. C. The Clean Access Manager always needs to be configured in the SNMP trap receiver. D. Only the quarantine VLAN ID needs to be configured as the WLAN interface. Answer: D QUESTION 118 You have four Cisco WLCs and have deployed wired guest access, using a single guest VLAN for all controllers. How can you achieve redundancy if the guest VLAN fails on the infrastructure switches? A. Configure one Cisco WLC as the anchor controller for the wired guest VLAN. B. Configure a different wired guest VLAN on each Cisco WLC.

39 C. Configure all the Cisco WLCs in the same mobility group. D. Set a fallback port on the wired guest interface. E. You cannot achieve redundancy of the wired guest VLAN. Answer: E QUESTION 119 You are on the U.S. East Coast (EST time zone, UTC-5) and configure NTP on your Cisco WLC. The Cisco WLC web GUI shows the correct time and date, but your APs are off by 5 hours. Which statement is true? A. This behavior is normal because the APs show UTC time. B. You need to configure the time zone on the APs. C. You need to configure the NTP server on the APs. D. You need to enable time-zone synchronization between the APs and Cisco WLC. E. APs support only an SNTP server, not an NTP server. Answer: A QUESTION 120 Which three statements about the VideoStream feature (also known as MediaStream) on the Cisco WLC are true? (Choose three.) A. It unicasts the stream only to clients that are subscribed via IGMP. B. It works both ways (from network to client and from client to network). C. It unicasts the stream only to APs on which you enable the feature. D. It sends unicast, so it can usually use higher data rates.

40 E. It unicasts the multicast stream over the air only; it multicasts on wired connections. F. It multicasts, so a large number of subscribed clients on the AP will not consume more bandwidth. Answer: ADE QUESTION 121 What is the minimum number of rules that is necessary in a CPU ACL to allow all access from a single VLAN to the management interface, yet prevent management access from all other VLANs while permitting all other traffic? A. five B. six C. seven D. eight Answer: B QUESTION 122 Refer to the exhibit. Your manager has asked you to configure a remote office Cisco WLC to support local EAP authentication. The manager wants the clients to use EAP-FAST. The LDAP server is Microsoft Active Directory. All users, including the account that is used to bind to the LDAP server, are in the default Users container in Active Directory. No RADIUS servers are configured on the Cisco WLC. The client is using the latest Intel card and supplicant. Why does the test client fail to authenticate? A. Local EAP does not support EAP-FAST when using an Active Directory LDAP server. B. The LDAP bind account cannot be in the same container as the wireless user accounts. C. The User object type is incorrect. D. The default Users container in Active Directory is a container rather than an organizational unit. E. The User attribute is incorrect.

41 Answer: D QUESTION 123 A wireless network administrator needs to limit guest user TCP traffic to no more than 50,000 kb/s, to conserve bandwidth on the guest WLAN. To do this, the administrator configures the average real-time rate to 50,000 kb/s and the burst real-time rate to 60,000 kb/s. Why does a test of the guest account show no restriction for the client TCP traffic? A. The administrator should have configured the average data rate and burst data rate. B. The average real-time rate and burst real-time rate should always be equal. C. The average real-time rate should always be higher than the burst real-time rate. D. The administrator should have configured the average data rate and the average real-time rate. Answer: A QUESTION 124 Refer to the exhibit. You are a senior wireless network administrator and have just completed the configuration of TACACS+ on your production Cisco WLC server. You can successfully log into the Cisco WLC by using your domain credentials. However, junior administrators, who have only local management accounts on the Cisco WLC, are complaining that they can no longer log into the Cisco WLC GUI or CLI. What is the cause of this problem? A. When TACACS+ is configured on the Cisco WLC, local authentication is permanently disabled. B. TACACS+ is the first authentication priority. The ACS is responding, so the Cisco WLC never queries the local database. C. TACACS+ was configured and the ACS is responding, so all local accounts on the Cisco WLC are disabled. D. The junior administrators must also have domain accounts with the same username but different passwords than the local Cisco WLC accounts, so the ACS is returning an access-reject. This prevents the Cisco WLC from querying the local database. Answer: B QUESTION 125 After performing a wireless site survey, you determine that to achieve proper HR-DSSS coverage within the rooms along a hallway area, the AP radios that service the hallway must be at 12 mw or higher. After the APs are all installed, you note that RRM is decreasing the power on the AP

42 radios in the hallway to 6 mw. Which two methods can you use to prevent the HRDSSS AP radio power levels from dropping below 12 mw? (Choose two.) A. Configure the minimum power-level assignment for the 2.4 GHz radio to 11 dbm under the individual TPC settings on the hallway APs. B. Configure the minimum power-level assignment for the 5 GHz radio to 11 dbm under the individual TPC settings on the hallway APs. C. Configure the minimum power-level assignment to 11 dbm under the global b/g/n TPC settings. D. Configure the minimum power-level assignment to 11 dbm under the global a/n TPC settings. E. Statically configure the 5 GHz radios on the hallway APs to power level 4. F. Statically configure the 2.4 GHz radios on the hallway APs to power level 4. F QUESTION 126 Refer to the exhibit. You are testing coverage-hole detection in your lab. You are using the default Cisco WLC coverage-hole detection configuration that is shown. You have 14 test clients, all associated to the same AP. You move three of the clients far away from the AP so that they have an RSSI of -85 dbm or lower for 1 minute. To your surprise, you see precoverage-hole alarms, but no coverage- hole alarm is triggered. Which two scenarios explain this issue? (Choose two.) A. The failed clients must be at an RSSI of -81 dbm or lower for at least 90 seconds. B. The failed clients must be at an RSSI of -80 dbm or lower for at least 90 seconds. C. The number of failed clients is less than 25 percent of the total number of clients that are associated to the AP. D. This Cisco WLC is not an RF group leader and so cannot make a coverage-hole decision. E. Coverage-hole alarms are generated based on the number and percentage of failed packets from the client, rather than on thresholds. Answer: AC

43 QUESTION 127 A wireless ISP has hired you to help set up a new Cisco WLC to provide wireless access to subscription-based customers. Each customer that uses the wireless network needs to pay their bill every 30 days. How do you configure the WLAN security to help meet this requirement? A. no Layer 2 security, conditional web redirect Layer 3 security B. WPA X Layer 2 security, splash page web redirect Layer 3 security C X Layer 2 security, splash page web redirect Layer 3 security D. WPA2 PSK Layer 2 security, conditional web redirect Layer 3 security E. no Layer 2 security, splash page web redirect Layer 3 security F. WPA 802.1X Layer 2 security, conditional web redirect Layer 3 security Answer: F QUESTION 128 When is the Poor Link SNR Alarm generated in a mesh network? A. when the SNR between the mesh nodes falls below 15 db. B. when the SNR between the client and the AP falls below 20 db. C. when the SNR between the mesh nodes falls below 12 db. D. when the Cisco WCS receives the first 10 SNR links from the network. QUESTION 129 A 7-Mb multicast traffic stream is being sent to wireless clients and it is using up most of the available wireless spectrum in the 2.4-GHz unlicensed band. As a result, many of the data applications have become sluggish and the video is choppy. What is the best option to send the multicast over the wireless network more efficiently and leave some bandwidth for the data applications (assuming the network is capable of supporting this option)? A. Raise the DTIM to 10 B. Enable WMM QoS C. Turn on multicast-multicast mode D. Turn off the lower data rates Answer: D QUESTION 130 The helpdesk is reporting that many users are reporting slow wireless connections in one of the office buildings. You look at the CleanAir statistics and do not see any interferers, but you see very high 2.4-GHz channel utilization from the Wi-Fi devices. WCS is reporting the following mix of chipsets in the building: 10 percent b, 75 percent g and 15 percent a. You do a survey and see that you have a very dense deployment of APs and a lot of cochannel interference. Which two steps would help lower your channel utilization in this area? (Choose two.) A. Raise the power on the 2.4-GHz radios.

44 B. Lower the power on the 2.4-GHz radios. C. Lower the DTIM. D. Raise the DTIM. E. Disable 1-, 2-, 5.5-, 6-, and 9-Mb data rates. F. Enable 1-, 2-, 5.5-, 6-, and 9-Mb data rates. Answer: BE QUESTION 131 Which two statements about virtual interfaces on a WLC are true? (Choose two.) A. A virtual interface serves as the redirect address for the web authentication login page. B. A virtual interface must have a DNS host name in order to prevent web authentication clients from getting a security warning on their web browser. C. A virtual interface acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server. D. A virtual interface acts as a RADIUS proxy for wireless clients. Answer: AC QUESTION 132 Refer to the exhibit. Which EAP type does the diagram illustrate? A. EAP-TLS B. EAP-MD5 C. PEAP D. EAP-GTC E. EAP-FAST F. LEAP

45 Answer: E QUESTION 133 Which statement describes the operation of an access point in Rogue Location Discovery Protocol mode? A. The AP uses the existing wireless infrastructure in order to scan for rogue APs. Once discovered, these rogues are added to a local list that includes the rogues' BSSIDs, MAC addresses, and any discovered security provisions (WPA, WEP, etc.). B. The AP detects a rogue client, and then the network administrator is able to contain both the rogue AP and the rogue clients. This can be achieved because deauthentication packets are sent to clients that are associated to rogue APs, so threats such as holes are mitigated. C. The AP moves to the rogue channel and attempts to connect to the rogue as a client. The AP then tries to obtain an IP address and forwards a UDP packet to the controller through the rogue. If the controller receives this packet, the network administrator is notified that a rogue AP has been discovered on the wired network. D. The AP determines whether or not a rogue access point is on a trusted network. It does not provide RF service of any kind, but rather receives periodic rogue access point reports from the controller, and sniffs all ARP packets. If it finds a match between an ARP request and a MAC address it receives from the controller, it generates a rogue access point alert to the controller. QUESTION 134 Refer to the exhibit. You want to use 3500e APs to setup an indoor mesh deployment. After you change the AP mode, the AP will not rejoin the Cisco WLC. Which debug command was run, according to the exhibit, and why is the AP not rejoining the Cisco WLC? A. debug capwap packet was run, and 3500e APs do not support indoor mesh. B. debug pm pki was run, and you must disable VLAN transparent for 3500e indoor mesh deployments. C. debug mesh security was run, and the 3500e radio MAC address is not in the local MAC filter list on the Cisco WLC. D. debug ap join was run, and you must disable VLAN transparent for 3500e indoor mesh deployments. E. debug capwap events enable was run, and the 3500e Ethernet MAC address is not in the local MAC filter list on the Cisco WLC. Answer: E QUESTION 135 When you configure channel bonding on your APs by using the 2.4-GHz radio, what is the maximum number of APs that you can place in a given location so that the AP channels do not overlap?

46 A. One B. Two C. Three D. Threein most of the countries, but 4 (including channel 14) in Japan Answer: A QUESTION 136 You calculate that your AP should transmit at 6 dbm to provide appropriate wireless coverage, while still complying with EIRP, with the antennas that you selected. However, the AP is transmitting at 1 dbm only, even though it is on power level 1. How can you increase the transmitting power? A. Choose appropriate antennas types. B. Decrease the antenna gain that is configured on the Cisco WLC. C. Switch to a custom Tx power level and increase the power level. D. Disable auto-rf. E. Activate n legacy beamforming on the Cisco WLC. Answer: B QUESTION 137 AP A is in AP group ONE and AP B in is AP group TWO. AP group ONE assigns the interface Marketing to the corporate WLAN, whereas AP group TWO assigns the interface Sales to the same WLAN. What happens if a client roams from AP A to AP B while connected to the corporate SSID? A. No roaming is possible. B. The client will reconnect with a new IP address from the Sales subnet. C. The client will keep its Marketing subnet IP address, but roaming will not be seamless. D. The client will keep its Marketing subnet IP address, and roaming will be seamless if the appropriate key management is used. E. A mobility tunnel will be established between the two APs, and the client will be allowed to keep its IP address. Answer: D QUESTION 138 What does disabling broadcast SSID in the WLAN configuration do? A. causes beacons to be unicast instead of broadcast B. prevents beacons from being sent and allows only probes C. allows beacons to be sent but leaves the SSID name field empty D. forbids all broadcasts for that SSID E. makes the SSID respond only to blank probes QUESTION 139

47 What does RLDP do? A. allows APs to detect rogues B. allows the Cisco MSE or location appliance to calculate the location of rogues C. allows APs to determine whether undetected rogue APs or clients are in the area D. makes APs stop servicing clients and tries to associate to the unsecured AP, to send special UDP packet to the Cisco WLC E. makes APs try to break the security of rogue APs, to allow better containment Answer: D QUESTION 140 You are designing a wireless guest anchoring solution for a large company. Forty-five Cisco WLCs running code are deployed in the corporate network. You expect about 3000 devices to use the guest network at any one time. A junior wireless administrator has suggested using a single WLC running as the anchor controller. What is your response? A. Using a WLC is the best option, based on the design requirements, because it is currently the least expensive WLC that supports auto-anchoring. B. Using a 4402 WLC is not feasible because 4402 WLCs do not support the 7.0 release of code. C. A single 4402 WLC supports only 2500 client database entries and therefore does not meet the design requirements. D. A single WLC, regardless of code. supports only 40 simultaneous EoIP tunnels and therefore does not meet the design requirements. QUESTION 141 Refer to the exhibit. Two Cisco WLCs on a Cisco WiSM and in the same mobility group are both running code. All the WLANs on both Cisco WLCs are configured for H-REAP local switching. Based on the configurations that are shown, which WLAN or WLANs will still be correctly mapped to a local VLAN if an H-REAP mode AP moves between the two controllers?

48 A. WLANs 2, 3, 4, and 5 B. All the WLANs C. WLAN 1 D. WLANs 2 and 5 E. WLANs 1, 2, 4, and 5 F. WLAN 5 Answer: D QUESTION 142 You are going to create a new WLAN on your production 5508 WLC running code. You do not want this WLAN to be in the default AP group on the Cisco WLC until you have thoroughly tested it. How can you achieve this goal when creating the WLAN on the production controller? A. Create the new WLAN on the Cisco WLC by using WLAN ID 13. B. A new WLAN will always be in the default AP group until you move the WLAN to a different AP group on the Cisco WLC. C. Use a Cisco WCS to create the WLAN by using WLAN ID 17. D. Create the new WLAN on the Cisco WLC using WLAN ID 20. Answer: D QUESTION 143 Refer to the exhibit. You have just configured multicast on the wired network and the controller. You configured the multicast address on the Cisco WLC to be , with IGMP snooping disabled. Clients 1 and 3 are associated to AP1, and Client 2 is associated to AP2. All three clients are associated and authenticated to WLAN 1. Using Client 1, you send an IGMP join request to test the multicast application on the wireless network. Which client or clients will need to process the multicast traffic?

49 A. none of the clients B. Client 1 C. Clients 1 and 2 D. Clients 1, 2, and 3 E. Clients 1 and 3 Answer: D QUESTION 144 Where is Ethernet bridged traffic terminated in a mesh network? A. WLC B. WGB C. MAP D. RAP Answer: D QUESTION 145 Which two statements about the CleanAir and AP modes are true? (Choose two.) A. The CleanAir chipset on local mode APs can scan all channels simultaneously. B. The CleanAir chipset on local mode APs scans only the current channel and only when the AP is silent. C. Monitor mode AP interferer reports cannot be merged unless you have a Cisco MSE. D. Monitor mode APs have no advantage over local mode APs for CleanAir.

50 E. Enhanced local mode (wips) allows the CleanAir chipset to scan all channels. Answer: BC QUESTION 146 What is the MAPs behavior if you enable mesh ethernet-bridging vlan-transparent on them? A. The MAPs bridge traffic that came from the Ethernet port, but only if the vlan tag matches the Cisco WLC configured VLANs and interfaces. B. The MAPs bridge traffic according to the VLAN configuration. C. The MAPs bridge toward the backhaul all traffic that arrives on the Ethernet port, without touching the vlan tag. D. The MAPs bridge toward the backhaul only traffic that arrives as untagged on the Ethernet port. E. The MAPs untag all traffic that arrives on the Ethernet port and bridge all the traffic toward the backhaul. Answer: E QUESTION 147 Which statement about the beamforming (ClientLink) feature on the Cisco WLC is true? A. It works only with n APs and clients. B. It works only with n APs and b/g clients. C. It provides a signal gain when the AP transmits towards the client. D. It provides a signal gain in both directions (AP to client and client to AP). QUESTION 148 You are running Connecting wireless clients have an HTTP proxy server configured and need to get web redirected in a web authentication (guest) SSID. Which two statements are true? (Choose two.) A. You do not need to enable WebAuth proxy redirection on the WLC. B. You need to enable WebAuth proxy redirection on the WLC. C. You need to configure DHCP option 252 on the WLC to provide clients with proxy configuration for their browser. D. The clients need to manually enter an exception in their browser proxy rule for the WLC virtual IP address. Answer: BD QUESTION 149 To improve the overall wireless experience of your users, you do not want any clients to use b data rates to associate to your wireless network. You do not want a/g/n data rates to be affected in any way. Which two configuration tasks on the Cisco WLC will achieve this goal? (Choose two.) A. Disable the 1, 2, 5.5, and 11 Mb/s data rates. B. Disable all data rates below 12 Mb/s. C. Configure the WLAN radio policies to a/g only.

51 D. Disable the b network on the Cisco WLC. E. Disable the 2.4 GHz radio on all the APs. F. Disable the DSSS data rates. Answer: AC QUESTION 150 After a scheduled downtime of your 5508 WLC, you notice that only a handful of the 100 APs are rejoining the controller. All the APs are in the same subnet and use default settings. Cisco WLC debugs indicate that the APs are sending discovery and join requests. Only after shutting down all the switch ports that connect to the APs and turning five ports back on at a time can you rejoin all the APs. Why were the APs unable to rejoin the Cisco WLC, and how can you prevent this from happening in the future? A. Having all the APs in the same VLAN created a Layer 2 broadcast storm, preventing the APs from receiving discovery and join responses from the Cisco WLC. You can prevent this by configuring the APs to send syslog messages to a multicast address, using the Cisco WLC CLI only. B. Having all the APs in the same VLAN created a Layer 2 broadcast storm, preventing the APs from receiving discovery and join responses from the Cisco WLC. You can prevent this by configuring the APs to send syslog messages to a unicast address, using the Cisco WLC CLI only. C. Having all the APs in the same VLAN created a Layer 3 broadcast storm, preventing the APs from receiving discovery and join responses from the Cisco WLC. You can prevent this by configuring the APs to send syslog messages to a unicast address, using the Cisco WLC CLI only. D. Having all the APs in the same VLAN created a Layer 2 broadcast storm. You cannot prevented this from happening again. Answer: B QUESTION 151 Which statement about H-REAP and FlexConnect APs on a Cisco WLC is false? A. Cisco CKM roaming is supported within an H-REAP group of APs. B. Cisco CKM roaming is unsupported between local mode APs and H-REAP APs. C. HREAP AP in standalone mode can authenticate new clients for CCKM roaming. D. H-REAP APs can have some locally switched WLANs and some centrally switched WLANs. QUESTION 152 In order to configure the MAP authorization using an external AAA server for the indoor MAP 1260 with the Ethernet MAC address 00:1d:a1:fe:e5:44 and base radio MAC address 00:1f:9d:2a:3f:10, which two user accounts are to be created on the RADIUS server? (Choose two.) A. 00:1f:9d:2a:3f:10 B. 001da1fee544 C. c da1fee544 D. ap3g1-001da1fee544 E. c f9d2a3f10 F. ap3g1-001f9d2a3f10

52 Answer: BD QUESTION 153 Corporation XYZ is enabling multicast on its WLANs in order to enable company meetings to be streamed to employee laptops. The company wishes to block specific unwanted multicast traffic from traversing the wireless network. What is the best way to filter multicast traffic going toward wireless clients? A. use a WLC ACL on the management interface B. use a CPU ACL on the WLC C. use a WLC ACL on the dynamic interface for all WLANs D. use an ACL on the first-hop router Answer: D QUESTION 154 You have implemented a branch network using H-REAP local switching. You have been asked to enable an acceptable use-policy web authentication page, without requiring users to enter credentials and login. Users should only have to accept the login terms. Which two solutions should you implement? (Choose two.) A. Enable a web policy of conditional web redirect. B. Use an external web server for the web authentication page. C. Use the internal web server for the web authentication page. D. Implement a pre-authentication ACL to allow web authentication page traffic. E. Enable a web policy of passthrough. E QUESTION 155 Refer to the exhibit. The wireless clients at your company are all on the /24 network. Given the applied ACL in the exhibit, which two statements are true? (Choose two.)

53 A. DNS requests from the wireless clients will be blocked. B. ICMP requests will be allowed to travel to the wireless clients. C. ICMP replies will be allowed to travel from the wireless clients. D. DNS requests from the wireless clients will be allowed. Answer: AB QUESTION 156 Your company is using wireless voice clients that have a unicast push-to-talk-function. DTIM is set to 10. Users report that the audio is choppy. Which action should you take to try to resolve this issue? A. Lower the DTIM to 2. B. Lower the DTIM to 1. C. Disable power saving on the wireless device. D. Enable power saving on the wireless device. E. Raise the DTIM to 15. QUESTION 157 Corporation XYZ has many retail branch sites that are using H-REAP APs. XYZ wishes to send multicast traffic to the branch sites on WLAN A, which is centrally switched. It also wishes to ensure that multicast traffic is not sent to sites that do not request it. Which two steps must be taken in order to make this work? (Choose two.) A. Enable multicasting in multicast mode B. Disable IGMP snooping C. Enable multicasting in unicast mode D. Enable IGMP snooping D QUESTION 158 Corporation XYZ is enabling wireless guest access for its guests. You will be using the Cisco WCS Lobby Ambassador feature to provision guest user accounts and want to make sure that the web authentication for guest access is not susceptible to brute force attacks. What is the best way to accomplish this? A. Configure web authentication max retries on the WCS. B. Implement a CPU ACL on the terminating WLC. C. Configure web authentication max retries on the WLC. D. Configure client exclusion. Answer: D QUESTION 159 You wish to configure a Cisco WCS to provide an additional layer of security by outlining which APs your DHCP servers will respond to. Which two pieces or combinations of information can be

54 used to achieve this objective? (Choose two.) A. AP MAC address B. AP MAC address and AP host name C. AP host name D. AP MAC address and AP SSID Answer: AD QUESTION 160 Which of the below statements is true about Radio Resource Management Neighbor messages? (Choose three.) A. they are transmitted at minimum power B. they are transmitted at maximum power C. they are transmitted at the highest data rate D. they are transmitted at the lowest supported data rate E. they are transmitted on all serviced channels F. they are transmitted every 60 seconds Answer: BDF QUESTION 161 The IT administrator can confirm the air quality and existing non-wi-fi interference on the Cisco WLC but cannot find any non-wi-fi interference on the Cisco WCS. What are two possible reasons for this issue? (Choose two.) A. The administrator did not add Cisco MSE to Cisco WCS. B. The administrator added Cisco MSE to Cisco WCS but forgot to sync Cisco MSE with Cisco WLC and the floor map. C. The administrator needs to enable the CleanAir function from the Cisco WCS GUI again. D. The administrator needs to restart Cisco WCS after adding Cisco WLC, to enable the CleanAir function. Answer: AB QUESTION 162 The IT manager wants the Cisco WCS to send notifications of alarms to identify issues in a timely fashion. The manager finds that not all of the alarms were sent via . Which default severity level of alarm will trigger an ? A. major B. critical C. minor D. informational E. critical and major Answer: B QUESTION 163

55 Refer to the exhibit. The IT manager is demonstrating the Cisco WCS to the CIO. During the demonstration of the client-troubleshooting feature, the CIO notices that some clients have the Test analysis, Messaging, and Event log options, whereas other clients do not. What is causing this difference? A. Cisco Compatible Extensions v5 clients have more troubleshooting options than other clients. B. When clients associate to the diagnostic channel, the Cisco WCS has more troubleshooting options. C. Associated clients have more troubleshooting options than other clients. D. Authenticated clients have more troubleshooting options than other clients. Answer: A QUESTION 164 Which three device types can be tracked with a context-aware license on a Cisco MSE? (Choose three.) A. wired client B. microwave oven C. ad hoc rogue AP D. 1.9 GHz DECT phone E. RFID chokepoint F. cellular smart phone Answer: ABC QUESTION 165 Which statement about the Cisco WCS WLAN configuration template is true? A. A WLAN template can be used to configure SSID settings on an AP. B. A WLAN template can be used to configure mandatory and supported data rates on a WLC. C. A WLAN template can be used to configure SSID settings on a WLC. D. A WLAN template can be used to configure channel and power level options on an AP. QUESTION 166 Refer to the exhibit. Which method was used to define this rogue AP as malicious?

56 A. This rogue AP matched a WCS malicious rogue AP classification rule. B. A WCS switch port trace was performed and the MAC address of the rogue AP was found connected to a Cisco switch port. C. This rogue AP was discovered using RLDP. D. A rogue AP alert was enabled that defines all rogues with open SSIDs as malicious. Answer: D QUESTION 167 Which two statements about deploying high availability for the Cisco WCS are true? (Choose two.) A. The high availability license file needs to be installed on the primary WCS server. B. The secondary WCS needs to be installed with the same version as the primary WCS. C. The primary and secondary WCS servers are not required to share the same subnet. D. The primary and secondary WCS servers need to be set up as high availability pairs. Answer: BC QUESTION 168 Refer to the exhibit. The IT manager is monitoring the wireless coverage of a floor. The manager sees the floor view that is shown. Which identifying information is displayed for the APs on the map view?

57 A. Tx power level B. utilization C. profiles D. average air quality E. associated clients F. coverage hole Answer: F QUESTION 169 Refer to the exhibit. According to the Cisco WCS floor map, which statement is true?

58 A. All APs are affected by interference from Bluetooth. B. All APs are affected by interference from a video camera. C. Only AP1 is affected by interference from a video camera. D. Any device that uses channel 1 is affected by interference from a video camera. Answer: D QUESTION 170 Which three statements about the Cisco WCS auto-provisioning feature are true? (Choose three.) A. Auto-provisioning allows WCS to automatically configure a new or replace a current wireless LAN controller. B. The service port of the WLAN controller is required to have network connectivity for the auto- provisioning process to begin. C. DHCP Option 43 (vendor-specific information) has to be configured in the DHCP scope options for the auto-provisioning process to begin. D. DHCP Option 150 (TFTP server address) has to be configured in the DHCP scope options for the auto-provisioning process to begin. E. Using the add filter command in WCS will create a controller configuration file. F. WCS auto-provisions the management interface of the WLAN controller by pushing a predefined template.

59 Answer: ADE QUESTION 171 Refer to the exhibit. Which statement about the Cisco WCS RRM event message is true? A. Excessive non interference caused the channel change. B. Being near another managed AP on the same channel caused the channel change. C. A CleanAir AP detected a persistence interferer and forced an RRM reassignment of channels. D. Event-driven RRM caused the channel change. Answer: B QUESTION 172 To manage the wireless network separately, an IT administrator created several virtual domains on the Cisco WCS. APs and WLCs were assigned to these virtual domains. However, when the IT staff logs into the Cisco WCS, they are assigned to the default root domain. The Cisco WCS login request is authenticated by an external RADIUS server. What needs to be configured next to solve this problem? A. The IT administrator needs to add the correct attribute in the RADIUS server to assign the administrator to the proper virtual domain. B. The IT administrator needs to add local user accounts in the Cisco WCS. C. The administrator needs to change to TACACS+ authentication because the virtual domain cannot be assigned via RADIUS authentication. D. Users need to manually select the proper virtual domain after logging into the root domain. E. The IT administrator needs to configure the user group settings to map users to the proper virtual domain. Answer: A QUESTION 173

60 Refer to the exhibit. With five devices connected to an AP radio, this Cisco WCS alarm was activated. Which action will prevent this alarm from appearing again when 10 devices connect to the AP radio? A. Within Cisco WCS, modify the Max client event parameters to trigger an alarm when 11 or more clients associate to the radio. B. Within Cisco WCS, create an RRM template to modify the Max clients setting and apply it to all controllers. C. Within Cisco WCS, enable spectrum load balancing for this AP. D. Within Cisco WCS, modify the alarm settings to activate on 11 or more clients. Answer: B QUESTION 174 Following the instructions in the configuration guide, the IT staff backs up the historical data of the installed Cisco MSE. Where does this data gets stored? A. On the Cisco MSE, in the root path. B. In the FTP directory that is specified during Cisco WCS installation. C. In the directory that is specified during the backup operation. D. In the TFTP directory that is specified during Cisco WCS installation. Answer: B QUESTION 175 Refer to the exhibit. Based on this Cisco Spectrum Expert "FFT Duty Cycle" screen capture, which device type is most likely generating the signal in Wi-Fi channel 1?

61 A. a broad-spectrum, low-power device B. a high-power, broad-spectrum, frequency-hopping device C. a spread-spectrum, narrowband, frequency-hopping device D. a high-power, narrow-spectrum, direct-sequence device using CCK modulation Answer: B QUESTION 176 Which two statements about the Cisco WCS alarms and events are true? (Choose two.) A. An alarm is the listing of an SNMP trap from a WLAN controller. B. An event can be a report about radio interference crossing a threshold. C. An alarm is a Cisco WCS response to one or more related events. D. An event summary of critical, major, and minor events is displayed at the top of the Cisco WCS page. Answer: BC QUESTION 177 Which statement about the Cisco WCS security index is true? A. The security index will display red (high threat level) when the managed WLAN detects multiple rogues and attack signatures.

62 B. The security index is a weighted scale of WLAN security ranging from 0 least risk (secure) to 100 high risk (unsecure). C. The security index uses device configuration parameters to assign a weighted value of network security. D. The security index of the Cisco WCS managed network is the average of all controller and Cisco MSE scores. QUESTION 178 Refer to the exhibit. According to the Cisco WCS CleanAir dashboard, which interferer is causing the most interference at the time of the capture? A. video camera B. Bluetooth link C. DECT-like phone D. DECT phone Answer: D QUESTION 179 Refer to the exhibit. Which statement about the information that is displayed within the Cisco Spectrum Expert tool is true?

63 A. Bluetooth interference can be the cause of client connection issues. B. The AP on channel 11 is at maximum throughput capacity. C. Non-Wi-Fi interference on channel 1 would cause major performance issues for APs on that channel. D. Channel 6 cannot be used for Wi-Fi. QUESTION 180 Refer to the exhibit. Which statement about this Cisco WCS wips configuration is true?

64 A. Only a Cisco WLC and an AP are required to detect these wips signatures. B. APs in monitor mode are required to detect these wips signatures. C. Cisco WCS, a Cisco WLC, Cisco MSE, and an AP in enhanced local mode are required to detect these wips signatures. D. Cisco WCS, a Cisco WLC, Cisco MSE, and an AP in FlexConnect mode are required to detect these wips signatures. Answer: B QUESTION 181 Company ABC has a deployment plan that includes multiple controllers. To start the deployment and manage the controllers more efficiently, the IT administrator decides to use controller autoprovisioning on Cisco WCS. Which three controller options are available as matching criteria? (Choose three.) A. hostname B. MAC address C. serial number D. management IP address E. device type F. UDI

65 Answer: ABC QUESTION 182 Refer to the exhibit. Which menu option in the Cisco Wireless Control Systems (WCS) planning mode will create a report detailing AP placement and signal coverage? A. Home B. Add APs C. Delete APs D. Map Editor E. Synchronize F. Generate Proposal G. Planned AP Association Answer: F QUESTION 183 The manufacturing firm XYZ deployed outdoor mesh in one of their factories. The IT manager is asked to enable monitoring of the mesh network on the map. Which two mesh link options can be shown as link labels of the mesh link on the map? (Choose two.)

66 A. SNR B. packet error rate C. data rate D. backhaul channel E. hop counter Answer: AB QUESTION 184 The IT manager acknowledges that some security issues that are shown in a detailed security index report violate company policies. However, the security index does not change after synchronizing the configuration of the Cisco WLC on Cisco WCS. What are two possible reasons for this issue? (Choose two.) A. The acknowledged issue is on a controller that does not directly affect the security index score (for instance, it is not the controller with the lowest score). B. The acknowledged issue is on a WLAN that does not directly affect the security index score. Only the lowest scoring WLAN of the lowest scoring controller affects the security index score. C. The acknowledged issue is on a controller that does not directly affect the security index score (for instance, it is not the controller with the highest score). D. The acknowledged issue is on a WLAN that does not directly affect the security index score. Only the highest scoring WLAN of the highest scoring controller affects the security index score. Answer: AB QUESTION 185 Which two statements about why client devices fail to be displayed on a Cisco WCS floor map are true? (Choose two.) A. NMSP communication has failed between the Cisco MSE and Cisco WCS. B. Filtering parameters have not been configured for the context-aware service. C. Network designs and controllers have not been assigned to the Cisco MSE. D. LOCP communication has failed between the Cisco MSE and Cisco WCS. Answer: AC QUESTION 186 Which statement about Cisco WCS virtual domains (partitioning) is true? A. The WCS root user is contained to the root virtual domain and cannot view other virtual domains. B. Each virtual domain can be configured to include or exclude selected maps, WLCs, or APs based on the hierarchical level of each domain. C. Any AP managed by WCS will be visible in all virtual domains. D. Each virtual domain can be configured to include or exclude selected reports, configuration templates, or WCS background tasks based on the hierarchical level of each domain. Answer: B

67 QUESTION 187 Refer to the exhibit. Which statement is true when the basic audit mode is selected in Cisco WCS? A. Basic audit will only audit the reachability and functional status of the WLAN controller. B. Basic audit will compare the device configuration in the WCS database against the current WLAN controller configuration. C. Basic audit will compare the WCS template settings against the current WLAN controller configuration. D. Basic audit will instruct the WLAN controller to notify WCS when a configuration change has occurred via the web interface or CLI of the controller. Answer: B QUESTION 188 The IT manager needs to start deploying WLAN in a new building and is using the planning mode in Cisco WCS to generate a coverage proposal. Which statement about the planning mode in Cisco WCS is false? A. Planning mode calculates the necessary number of APs, based on traffic type on the network, location accuracy requirements, number of users, and number of users per square footage. B. In the advanced options, the Aggressive option generates more APs to cover the floor area, whereas the Very safe option generates a proposal with fewer APs to cover the same area. C. Walls that are defined in the floor map are used or accounted for in the planning mode calculation. D. Users can specify a particular model of Cisco AP, antenna, and throughput for the planning mode calculation. Answer: B QUESTION 189 Refer to the exhibit. The client troubleshooting feature on Cisco WCS is very useful. You can

68 collect the log message that is logged against a specific client on Cisco WCS. What statement about the log function in client troubleshooting is true? A. The log messages are collected automatically when the administrator starts to troubleshoot the client. The administrator needs to stop the log collection manually. B. The log messages are collected when the administrator clicks "Start". Log collection stops only after the administrator clicks "Stop". C. The log messages are collected automatically as soon as the administrator starts to troubleshoot the client. The log collection stops automatically after a period of 10 minutes. D. The log messages are collected when the administrator clicks "Start". The log collection stops automatically after 10 minutes. Answer: D QUESTION 190 When designing a WLAN network to support both voice and context-aware services, which set of design principles should you follow? A. A voice and context-aware site survey can be one survey, and both voice and context-aware deployment recommendations can be implemented. APs that are not serving clients will be in monitor mode. B. A context-aware site survey usually recommends deploying more APs because of the requirement for perimeter coverage and four corners of a floor. However, voice deployment recommendations should be adopted because of the mission-critical nature of voice traffic. C. A voice and context-aware site survey can be one survey, but voice deployment recommendations take precedence over context-aware deployment recommendations because the context-aware survey usually recommends too many APs and might introduce too much co- channel interference, negatively affecting voice quality. D. A voice and context-aware site survey can be one survey, but context-aware deployment recommendations

69 take precedence over voice deployment recommendations because context- aware services require at least four APs to hear clients or tags at -75 dbm. An AP can provide adequate coverage to voice clients with acceptable SNR. E. A voice and context-aware site survey can be one survey, but voice deployment recommendations take precedence over context-aware deployment recommendations. Context- aware surveys usually recommend too many APs, and APs need to be in local mode because APs in monitor mode spend too much time (2 sec) on each channel, listening for rogue activities, and often miss client or tag beaconing. Answer: A QUESTION 191 Refer to the exhibit. What appears to be the issue with the wireless client device? A. The client 802.1x configuration is incorrect. B. There is RF interference. C. The client WPA2 parameters are incorrect. D. No response is being received from the DHCP server. E. The client is configured with the wrong WEP key. F. No response is being received from the RADIUS server for 802.1x authentication. Answer: D QUESTION 192 You are developing a context-aware application with customized middleware. The Cisco MSE is configured to send northbound notifications to the middleware as well as to the Cisco WCS via SOAP/XML. You created the notification definitions via the WCS and see notifications coming in on the middleware, but you do not see notification messages showing up in the WCS. What could be causing this problem? A. The notification receiver is not correctly configured in the WCS. Make sure the WCS is correctly configured with a northbound notification receiver using SNMPv2 and the correct community string.

70 B. The notification group does not have an MSE assigned and the MSE is not synchronized. C. The WCS does not understand SOAP/XML. To correct this, change the transport protocol to SNMP/plain text. D. The WCS does not understand SOAP/XML. To correct this, change the transport protocol to SNMP/XML. E. The WCS does not understand SOAP/XML. To correct this, change the transport protocol to Syslog/plain text. F. The WCS does not understand SOAP/XML. To correct this, change the transport protocol to Syslog/XML. Answer: D QUESTION 193 Refer to the exhibit. A customer calls you to report that it is not able to carry calls on its Cisco Unified Wireless IP phones. The phones are not registering with the call manager even though it has a static IP address. Which WLC feature could be causing this problem? A. DHCP Address Assignment Required is selected on the SSID. B. There is a DHCP server configured on the SSID. This should not be implemented when AAA override is selected. C. MFP client protection should be set to "required" on Voice SSIDs. D. The Option 150 IP address is misconfigured in the DHCP pool. Answer: A QUESTION 194 You have been getting reports of voice disruption over wireless communications in your network. Your SSID is configured to use WPA1 with TKIP and Cisco Centralized Key Management. You see a lot of TKIP replay messages on the WLC logs. What is the most probable reason for the voice disruptions? A. TKIP replay causes access point to reboot as a security measure. This causes voice disruptions for the associated clients until they scan and reconnect to another AP. B. The TKIP countermeasure timer is putting the AP down for a specified time and causing the voice disruptions. C. TKIP replay activates MFP. If MFP detects the replays, it will trigger a disassociation to all wireless clients. D. The use of WPA1 with TKIP is the main reason for the voice disruptions. It is better to use WPA2 with AES to avoid this problem. Answer: B

71 QUESTION 195 A user runs the Cisco Unified Wireless IP Phone 7921 with an AP that runs autonomous Cisco IOS Software. How does the 7921 decide whether to associate to an AP to avoid over congestion? A. The 7921 monitors the QBSS information element, which includes the Min and Max contention window fields, and uses the information to evaluate contention and channel utilization. B. The 7921 monitors the QBSS information element, which includes channel load information in the beacon and probe response frames. C. The 7921 monitors the QBSS information element, which includes EDCF such as queuing on the radio egress port, and uses the information to evaluate AP load and make an association decision. D. The 7921 monitors the QBSS information element, which includes radio access categories and the Min and Max contention window fields, to evaluate AP load. Answer: B QUESTION 196 Two callers, using the Cisco Unified Wireless IP Phone 7921 on the same AP running autonomous Cisco IOS Software, have trouble calling each other, but the problem does not exist when they call each other using a wired IP phone. Signaling and call routing appear to work correctly. What else might be causing the problem? A. On the AP, DTIM is set to 2, Beacon Interval is set to 100, and PSPF is enabled. B. On the AP, MFP is enabled for U-APSD, DHCP is not required, and PSPF is disabled. C. On the AP, WMM is enabled for U-APSD, DHCP is required, and PSK is enabled. D. On the AP, CAC is enabled for U-APSD, P2P-blocking is enabled, and Cisco CKM is enabled. E. On the AP, ARP unicast is disabled, 802.1X is configured, and WDS is enabled. F. On the AP, MFP is disabled, 802.1X is configured to support TSPEC, and WDS is enabled. Answer: A QUESTION 197 You want to expand the services of your wireless network and add location tracking on top of voice over wireless. Although the existing wireless network offers excellent voice over wireless services, tracking accuracy is not working well enough. You decide to contract a site survey engineer. What is this engineer most likely to recommend? A. Disable 2.4 GHz and higher data rates, which interfere with location tracking. B. Add wireless APs that are not from Cisco, to accomplish location tracking. C. Add more APs to the perimeters of the floors. D. Choose between voice over wireless and location tracking; you cannot use both simultaneously. E. Install chokepoints to perform good location accuracy. QUESTION 198 Refer to the exhibit. You are a wireless specialist and have been called to inspect an existing wireless network that offers voice services. High channel utilization on 2.4 GHz has been reported. How can you solve this problem?

72 A. Disable higher data rates 36, 48, and 54 Mb/s, which increase channel utilization. B. Enable lower data rates 1 and 2, to avoid sticky clients. C. Disable data rates 1, 2, 5.5, 6, and 9 Mb/s; set 11 Mb/s as mandatory; and leave the other higher data rates as supported. D. Deselect DTPC, to avoid high channel utilization. E. Enable at least five mandatory data rates. QUESTION 199 To achieve location tracking, which four tasks must be completed? (Choose four.) A. Synchronize Cisco WLC or WLCs with Cisco MSE. B. Add Cisco MSE to Cisco WCS. C. Synchronize the network designs with Cisco MSE. D. Open UDP port 6750 between Cisco WLC and Cisco MSE. E. Ensure that APs are placed correctly on maps. F. Ensure that the correct antenna type is selected on Cisco WCS. Answer: ABCE QUESTION 200 Refer to the exhibit. A Cisco Wireless IP Phone is unable to seamlessly roam on 2.4 GHz. There are interruptions of several seconds on each roaming. No problems are reported on 5 GHz. A full site survey for voice has been completed on both bands. Which Cisco WLC feature does this issue involve?

73 A. client load balancing B. Aironet information element C. coverage-hole detection D. client band select Answer: D QUESTION 201 When designing a WLAN network using Cisco 1142 APs to support both voice services (Cisco 7921 IP Phones) and data services, what design principles are true? (Choose 2) A n data rates should be enabled to improve overall performance even if the Cisco 7921 IP Phones do not support n data rates. B n data rates should not be enabled as the Cisco 7921 IP Phones are not n capable. As such, no performance improvement is expected for the voice clients upon enabling n data rates. C. Ensure proper floor coverage to ensure good voice quality (-67 dbm, 20% cell overlap, and 19 db channel separation). D. -67 dbm, 20% cell overlap, and 19 db channel separation is impossible to achieve. Therefore, a site survey to ensure required RSSI coverage is top priority to ensure good voice quality. E. RRM should not be used as it is not designed for wireless voice services and will adjust the channel and Tx power settings to non optimized values for voice services. F. RRM should be used because it is the only way to ensure that channel and Tx power are configured to support voice services. Answer: AC QUESTION 202 Resource Reservation Control (RRC) provides enhanced capabilities to manage admission and policy controls when deploying VideoStream on a Cisco Unified Wireless Network. Which statement correctly states the decision making process RRC goes through to admit or deny a client from joining a stream?

74 A. RRC initiates admission and policy decisions based on the radio resource measurements, traffic statistics measurement, and system configurations. The WLC initiates RRC requests to the APs for the IGMP join. B. The WLC processes IGMP join requests after checking all the parameters, including client count, channel utilization, latency, QoS, and client link rates. C. RRC algorithm periodically checks if conditions have changed. If a policy is violated, the client will be denied to the stream immediately. When the condition improves, the client will be admitted to join again. D. RRC algorithm will check and ensure the conditions are optimal before the client gets admitted. If the conditions are only partially satisfied, the client will be admitted but will have a better QoS priority to protect the stream quality. E. RRC is a control mechanism to ensure good connection quality for a video stream via multicast. Clients that do not satisfy all conditions will always be admitted as best effort clients. Clients that do not get admitted 3 times within a specific time period, are denied access to the stream. Answer: A QUESTION 203 Which two statements are true regarding the location tracking history on the Cisco 3300 Series Mobility Services Engine? (Choose two.) A. By default, the historical data is archived for 30 days. B. The history of an element is recorded if it moves more than 5 meters (or 15 feet). C. The history of an element is recorded if it moves across floors. D. History logging is enabled by default. E. An element is removed from the tracking table after one hour of inactivity. Answer: AC QUESTION 204 When designing a WLAN network to support both voice and context-aware services, which set of design principles should you follow? A. An AP must be placed at the perimeter and in each of the four corners of the floor. All APs must be enabled to ensure proper coverage on the floor to provide -67 dbm, 20 percent celloverlap, and 19 db channel separation. B. An AP must be placed at the perimeter and in each of the four corners of the floor. Some APs may be disabled to ensure proper coverage on the floor to provide -67 dbm, 20 percent celloverlap, and 19 db channel separation. C. An AP must be placed at the perimeter and in each of the four corners of the floor to ensure proper coverage on the floor to provide -67 dbm, 20 percent cell overlap, and 19 db channel separation. Some APs may be in monitor mode. D. If a conflict occurs between the AP placement for voice design and for context-aware location design, then the voice design should take precedence, to protect against delays and dropping of sensitive voice traffic. E. In a design that includes both voice and context-aware services, voice design always requires more APs to be deployed to ensure -67 dbm coverage, 20 percent cell overlap, 19 db channel separation, and proper capacity planning. F. In a design that includes both voice and context-aware services, voice design should take precedence to avoid co-channel interference, which can negatively affect voice quality. Voice design also requires -67 dbm coverage, 20 percent cell overlap, and 19 db channel separation, which is more difficult to achieve.

75 QUESTION 205 When deploying the Cisco Unified Wireless IP Phone 7925 running firmware release on a Cisco Unified architecture, which features should you enable to support fast secure roaming while maintaining a scalable deployment? A. The controller supports PKC, so use WPA X. B. The controller does not support PKC, so use WPA2 PSK. C. The controller does not support OKC, so use WPA2 PSK. D. The 7925 does not support WPA2 with Cisco CKM, so use WPA2 PSK. E. The 7925 supports WPA2 with Cisco CKM, so use WPA X. F. The 7925 supports PKC, so use WPA X. Answer: E QUESTION 206 Refer to the exhibit. Looking at the packet capture between the client and AP during a voice troubleshooting session, what can you learn?

76 A. The 802.1p COS value is marked as 5, which typically is used for the voice traffic that is encoded in G711. B. IP precedence is marked as 5 for the voice traffic that is encoded in G711, with a corresponding e UP marking of 6. C. The WMM UP value is marked as 5, which typically is used for the voice traffic that is encoded in G711, and DSCP is marked as EF. D. IP precedence is marked as 5, with a corresponding e UP marking of 6 and a correct DSCP marking to EF; the voice traffic is encoded in G711. E. The 802.1p COS value is marked as 5, with a correct DSCP marking to EF, and the voice traffic is encoded in G711. F. WMM UP marking is marked as 5, which typically is used for video traffic; this voice traffic stream is encoded in G711, and DSCP is marked as EF. Answer: F QUESTION 207 To support efficient bandwidth utilization for broadcasting multicast packets to all WLANs on the AP, which two mechanisms can you configure on the Cisco WLCs? (Choose two.) A. VideoStream can be used to convert multicast transmissions to broadcast transmissions at the AP, to enable the AP to receive ACKs from the clients and to determine the frames that need to be retransmitted. B. VideoStream can be used to convert multicast transmissions to unicast transmissions at the AP. The same data rate will be used, but the unicast stream allows the AP to receive ACKs from the clients and to determine the frames that need to be retransmitted. C. RRC in a Cisco WLC will use channel utilization as a metric to determine capacity and perform admission control, but it does not deny requests that would cause oversubscription. D. RRC in a Cisco WLC will use channel utilization as a metric to determine capacity and perform admission control, and it denies requests that would cause oversubscription by sending SAP messages to clients on drop. E. VideoStream can be used to convert multicast transmission to unicast transmission at the AP. Because of the unreliable nature of wireless media, no ACKs are expected from the clients; however, unicast transmission will effectively reduce multicast PLR to between 0.1 and 0.5 percent. F. VideoStream can be used to convert multicast transmission to unicast transmission at the AP, to enable the AP to receive ACKs from the clients and to determine the frames that need to be retransmitted. Answer: DF QUESTION 208 You are testing newly purchased Cisco Wireless IP Phones on your wireless network on the 5 GHz band. You notice that there are audio gaps during roaming. Troubleshooting network engineers find out that the issue is caused by the use of Dynamic WEP on the SSID. Why is this use a problem? A. Dynamic WEP is incompatible with the Cisco Wireless IP Phones. B. Dynamic WEP requires a full authentication with the RADIUS server during roaming. C. Dynamic WEP provides the same WEP key to several phones simultaneously, which can cause delays if a phone needs to wait for its slot time. D. Dynamic WEP requires use of 2.4 GHz on the phones. Answer: B

77 QUESTION 209 A hospital has four Cisco WLCs, a WCS, and an MSE. All devices are correctly synchronized via the WCS. You have been called to inspect a location tracking problem. In some areas, tracked elements are being reported on wrong floors. After troubleshooting, you find out that the hospital building does not provide enough interfloor attenuation. What is the best way to solve the problem? A. Assign a separate WLC to each floor in order to make sure that tags do not get reported on wrong floors. B. Do not use more than 10 APs on each floor. Using more than 10 causes signals to propagate across floors and pushes tags to wrong floors. C. Vertically align APs across floors for better accuracy. D. Turn on Cisco Compatible Extensions location measurements on the WLC to enhance location accuracy. QUESTION 210 Which two statements are true regarding the VideoStream functionality on the WLC? (Choose two.) A. It applies to any multicast video streams available on the network. B. It enables broadcasting the video stream using n HT data rates. C. It applies only to the configured media streams. D. It converts the multicast video stream into unicast to be sent directly to clients at the WLC level. E. It delivers reliable video multicast by having the receiver clients acknowledge the multicast video data frames on the air. F. The AP replicates the multicast video frames into unicast frames to be sent directly to wireless clients at their individual data rate. F QUESTION 211 Drag and Drop Question

78 Answer: QUESTION 212 Drag and Drop Question Answer: QUESTION 213 Drag and Drop Question

79 Answer: QUESTION 214 Drag and Drop Question Answer:

80 QUESTION 215 You are designing a wireless guest access solution to be used on a central campus and remote sites, where APs are configured in FlexConnect mode. The guest Internet access service is offered by the domain controller. You want to use the guest anchor feature on the Cisco WLC. Which Cisco WLC type should you consider deploying? A. Any Cisco WLC. B. A Cisco WLC by itself is not sufficient to support guest anchor and captive portal services. C. A Cisco 5508 WLC, running Release , deployed as a guest anchor WLC. D. A Cisco 2504 WLC, running Release , because guest access is a best-effort service and does not need to support large loads. QUESTION 216 You are helping your company to design a WLAN for a new campus. While writing a proposal for a site survey, which two of these benefits should you outline in your proposal to justify the investment in a comprehensive site survey? (Choose two.) A. A site survey will help determine the exact channels and power settings to be used by the APs, so that all applications can run correctly. B. A site survey will help determine AP placement and coverage based on the proposed AP models and antenna types. C. A site survey will help identify expected RF interference within the given environment. D. A site survey will help determine the type and number of clients that can be used in the given environment as well as the applications that can be used. Answer: BC QUESTION 217 You are designing a wireless point-to-point connection between two buildings that are 5 miles (8 km) apart. Which statement is true regarding the design, considering that there is a lake between the two buildings? A. You do not need to be concerned about multipath, reflection, scattering, or refraction because this is an outdoor design. B. A pair of workgroup bridges will need to be used to bridge Ethernet traffic over the air between buildings. C. You need to be concerned with the even and odd Fresnel zones because they can result in signal

81 cancellation or amplification. D. You need to simplify the design by putting a router on each building because wireless APs or bridges cannot carry 802.1Q traffic across the wireless link. E. Your concern should be the lake between the two buildings rather than the distance, because the water will absorb the signal. QUESTION 218 You want to enable multicast video streaming supporting multicast for both wired and wireless clients. Which two statements are true regarding the design of the network to deliver multicast streams over wireless? (Choose two.) A. Multicast and broadcast packets cannot be managed because wireless clients will use the lowest mandatory rate supported by each AP to send and receive traffic. B. Multicast and broadcast packets do not send out ACK messages, and all packets are being delivered via best effort. C. Multicast over wireless relies on a TCP retransmission mechanism for reliable transmission, which explains why multicast presents a unique challenge for media traffic because multicast video is mostly UDP traffic. D. A wireless network does not provide reliable transmission for multicast packets and does not classify queues or provision QoS. E. IGMPv3 is required to provide reliable transmission for multicast streams. The default retransmission mechanism will prioritize WMM queues by means of the e UP value. Answer: BD QUESTION 219 You need to deploy several WLCs to manage Unified APs on the main site and on remote locations (on different subnets). A wireless network printer is added to the network. Multicast is used to discover the printer. You enable multicast-multicast mode on the WLCs. Which two of these statements are true, considering interoperability and requirements of the network? (Choose two.) A. The infrastructure should be ready to allow multicast routing from the WLC management interfaces to all managed APs. B. There is no need to configure multicast routing on the infrastructure, because all the wireless clients are on the same VLAN or subnet. C. You can configure any multicast IP address on the WLCs, as long as you make sure to use the same address on the WLCs. D. To avoid issues, you need to make sure that the WLC multicast IP address is different for each controller and is not used for anything else on the network. E. There is no need to allow multicast traffic on the WAN VPN links to the remote locations, because this traffic goes within the LWAPP/CAPWAP tunnel. Answer: AD QUESTION 220 A retail company is refreshing their WLANs in their stores. Costs, resiliency, and ease of management are all important design criteria. Which two statements are true when considering your proposed Cisco Unified Wireless solution? (Choose two.)

82 A. FlexConnect (H-REAP) should be considered to manage the WLAN from a centralized controller. In the event of WAN failure, clients already connected can continue to connect and operate as normal. B. FlexConnect (H-REAP) should not be considered to manage the WLAN. In the event of WAN failure, clients already connected will be dropped and need to re-associate and re-authenticate to the network, using the in-store RADIUS and directory services. C. The Cisco 2504 WLC should be considered to manage the store WLANs. The Cisco 2504 WLC will provide full services to the store and can be managed and configured from a centralized controller. In the event of WAN failure, clients already connected can continue to connect and operate as normal. D. The Cisco 2504 WLC should be considered to manage the store WLANs. The Cisco 2504 WLC will provide full services to the store and can be managed and configured from a centralized management system (NCS or WCS). In the event of WAN failure, clients already connected can continue to connect and operate as normal. E. The Cisco 7510 WLC should be considered to be deployed in each store to manage the store WLAN. In the event of WAN failure, clients already connected can continue to connect and operate as normal. Answer: AD QUESTION 221 You are designing a new WLAN for an old warehouse. To make sure that the spectrum analysis is accurate, which two of these devices should you try to remove from the warehouse? (Choose two.) A. old 2.4-GHz cordless phones B. new DECT 6.0 series cordless phones C. 900-MHz PA radio system D. the neighbor Wi-Fi system that operates in both 2.4 GHz and 5.0 GHz E. old microwave ovens Answer: AE QUESTION 222 You were hired as a wireless consultant to plan and design a secure WLAN on a Cisco Unified Wireless Network, allowing access only by the employees of the company. The requirements are as follows: * Authenticate employees based on their existing Active Directory user domain credentials. * The username/password credentials need to be protected during the authentication handshake by using a PKI. * Encrypt data traffic using the strongest encryption method defined by the i standard. * Implement a standard authentication method that is supported by most wireless clients and RADIUS servers What option meets these requirements? A. EAP-TLS with WPA2-AES B. PEAPv0/EAP-MS-CHAPv2 with WPA2-AES C. EAP-FAST/EAP-MS-CHAPv2 (anonymous PAC provisioning) with WPA2-TKIP D. EAP-FAST/EAP-MS-CHAPv2 (anonymous PAC provisioning) with WPA2-AES

83 Answer: B QUESTION 223 Which association certifies product interoperability between different vendors so that users are not locked into a single brand of Wi-Fi products? A. IEEE B. IETF C. Wi-Fi Alliance D. FCC E. Wireless Networking Alliance F. Cisco Compatible Extensions QUESTION 224 What is the role of the IEEE regarding WLANs? A. IEEE conducts certification testing to ensure that products from different vendors can interoperate. B. IEEE provides guidance and creates regulations for each regulatory authority concerning spectrum usage, including frequency and power settings. C. IEEE maintains and creates technical standards and protocols used by wireless LAN devices. D. IEEE enforces standards and regulations within each regulatory domain and reports violations to appropriate authorities. QUESTION 225 Which RRM feature increases the AP radio Tx power when the client SNR levels pass below a given threshold? A. Dynamic Channel Assignment B. Transmit Power Control C. Dynamic Transmit Power Control D. Coverage Hole Detection Answer: D QUESTION 226 It is recommended that you use channels on a 2.4-GHz WLAN deployment with three or more APs, because only channels 1 to 11 are available on the 2.4-GHz Cisco ISM band due to the regulatory domain. Which one of these statements explains why this channel usage is recommended? A. This channel usage is required by the standard. B. They are the only non-overlapping channels available on the 2.4-GHz ISM band. Channels other than overlap each other. C. This is the highest channel usage combination available (allowing three different channels to be used),

84 combining channels that are separated enough on the 2.4-GHz ISM band to avoid co- channel interference. D. The channels are separated 30-MHz away, and the energy radiated by an b/g device can only extend up to 25-MHz within the bandwidth of the channels due to regulations. QUESTION 227 Which two of the below protocols must a client support in order to use client MFP? (Choose two.) A x B. CCXv4 C. CCXv5 D. WEP E. WPA1 with TKIP or AES-CCMP F. WPA2 with TKIP or AES-CCMP F QUESTION 228 Which three of the below values does a wireless client use, when operating in DCF mode, to calculate the duration field in the MAC header for transmitting a non-fragmented unicast data packet? (Choose three.) A. MPDU length B. SIFS interval C. DIFS interval D. PIFS interval E. transmit rate F. ACK length Answer: BEF QUESTION 229 The e standard defines mechanisms for providing QoS treatment to wireless frames. Which three of these mechanisms enable the e EDCA standard to achieve differentiated treatment for wireless frames? (Choose three.) A. priority queuing B af tag mapping C. four access categories D. AP controlled access phase E. differentiated back-off timers Answer: ACE QUESTION 230 The IEEE i standard defines mechanisms for wireless client authentication and data encryption. During 802.1X EAP authentication, a number of keys are used in order to establish a secure encrypted link between the access point and the client. Which two of these keys are

85 derived via the WPA four-way handshake? (Choose two.) A. PMK B. PTK C. MSK D. GMK E. GTK Answer: BE QUESTION 231 In order to protect IEEE clients against spoofed management frames, client Management Frame Protection encrypts management frames sent between access points and clients. Which three of these management frames are protected by client MFP? (Choose three.) A. beacon B. authentication C. deauthentication D. disassociation E. probe request F. probe response G. QoS (WMM) action frames DG QUESTION 232 Infrastructure Management Frame Protection enables the wireless infrastructure to detect management frames spoofed by an attacker. Which two of these mechanisms does infrastructure MFP introduce to access points in order to protect against such attacks? (Choose two.) A. management frame validation B. management frame encryption C. cryptographically-hashed message integrity check D. cryptographically-hashed frame check sequence E x authentication Answer: AC QUESTION 233 You are deploying a wireless network in a warehouse located next to an airport. Which two of these 5-GHz channels would avoid potential radar interference, considering that many airport radars use the UNII-2 frequency ranges? (Choose two.) A. 36 B. 52 C. 140 D. 153 Answer: AD

86 QUESTION 234 Your site has already been surveyed at 5 GHz for n VoWLAN services. Which two services can you add safely, without conducting an additional site survey? (Choose two.) A. enhanced Layer 2 or Layer 3 security of the WLAN B. optional MFP client protection for Cisco Client Extensions Version 5 clients C n data services on the 2.4 GHz Frequency D n voice services on the 2.4 GHz Frequency E. new services (such as location) on both frequencies Answer: AB QUESTION 235 Which two of the following statements are true regarding RLDP? (Choose two.) A. RLDP works only on APs configured in Open Authentication mode. B. RLDP only works if the AP is in Monitor Mode. C. RLDP will attempt to identify each Rogue AP only once. D. RLDP only works if the Rogue AP is connected to a VLAN that is reachable by the WLC. E. RLDP only works if the AP is in Local Mode. Answer: AD QUESTION 236 When configuring authentication for a WLAN through a RADIUS server, which statement is correct when per-wlan RADIUS source support is enabled? A. You must specify a RADIUS server in the WLAN settings; otherwise, authentications will fail. B. If the RADIUS server is on one of the WLC dynamic interface networks, RADIUS traffic from the controller will be sourced from that dynamic interface. C. If AAA override is enabled, the WLAN settings will override any RADIUS attribute received by the RADIUS server. D. Wireless clients need to trust the WLC certificate in case of EAP-TLS authentications. Answer: B QUESTION 237 When implementing a web authentication-based WLAN, which two of these statements are correct? (Choose two.) A. When using an external web authentication server, a pre-auth ACL is required for the WLC B. You need to configure DNS resolution for the IP address of the Cisco WLC virtual interface. C. When using the Cisco WLC as a web auth server, wireless clients will never be able to validate the Self Signed Certificate (SCC) so a Locally Significant Certificate (LSC) must be used. D. If you are using an external web server for the login portal, wireless clients may be required to trust two certificates: one from the external web server and one from the Cisco WLC. Answer: AD

87 QUESTION 238 Which two of these procedures enable you to implement dynamic VLAN assignment for wireless users connecting to a Cisco WLC on a secure dot1x WLAN, so that users connect to a specific VLAN based upon their credentials? (Choose two.) A. Configure the IETF Tunnel-Private-Group-ID attribute on the TACACS server so that it can send the VLAN ID to the WLC. B. Configure the IETF RADIUS attributes 64, 65, and 81 on the RADIUS server so that it can send the VLAN ID to the WLC. C. Configure the IETF RADIUS attribute 81 on the RADIUS server so that it can send the interface name to the WLC. D. Configure the Cisco Airespace RADIUS Aire-Vlan-Id attribute on the RADIUS server so that it can send the VLAN ID to the WLC. E. Configure the Cisco Airespace RADIUS Aire-Interface-Name attribute on the RADIUS server so that it can send the interface name to the WLC. Answer: BE QUESTION 239 When configuring management user authentication on a WLC, which statement is correct? A. You can configure an LDAP server to authenticate management users. B. You can configure users on the local WLC database with different authorization privileges for specific menus. C. If the local database is selected as a second priority after RADIUS, the local WLC database will not be used if the authentication fails through the RADIUS server. D. A lobby ambassador user can push new management users to the WLC through Cisco WCS. QUESTION 240 You want to restrict read/write admin access levels to only the Security tab on a Cisco WLC for a particular admin user. Which two of these options do you need to configure? (Choose two.) A. a custom attribute-value pair on the ACS B. a Cisco attribute-value pair on the ACS C. a RADIUS authentication/authorization server D. a TACACS+ authentication/authorization server E. the Lobby Ambassador feature Answer: AD QUESTION 241 You are troubleshooting a connectivity issue on a Cisco WLC, in which wireless clients occasionally lose their connection. Which two of these infrastructure application services can help you to troubleshoot this issue by using one service to synchronize time on the WLC, and a server that is configured with another service to receive the output of the client debugs from the WLC? (Choose two.) A. FTP

88 B. TFTP C. syslog D. SNMP E. DHCP F. NTP G. TRAPLOG F QUESTION 242 You are configuring a Cisco WLC in a hotel that provides wireless guest access to the Internet, using web authentication. Guest credentials are generated for individual rooms upon check-in. Users often complain about certificate security warnings when opening their browser. You need to fix this issue so that the clients stop getting this certificate warning every time they access the Web-Authentication page, but still protect the credentials during the authentication handshake of this guest setup. You cannot configure the user devices yourself. What is the best solution that meets these requirements? A. Disable HTTPS on the WLC to avoid the certificate warning during the web authentication. B. Configure the WLAN with an EAP method that does not use PKI certificates, but still protects the credentials during the authentication handshake. C. Remove the self-signed SSL certificate of the WLC or make sure that the clients know about the WLC CA that generated this self-signed certificate. D. Install a third-party SSL certificate on the WLC, issued by a known public CA. Answer: D QUESTION 243 When configuring a WLAN doing Layer 3 web authentication, the Cisco WLC can authenticate the users with different servers or databases. Which two of these activities are valid options? (Choose two.) A. using the local RADIUS server of the WLC B. using the local database on the WLC (just configuring local net users) C. using Lobby Ambassador users D. using PAP with an external RADIUS server E. using MS-CHAP with an external RADIUS server F. using LDAP over SSL with an external database Answer: BD QUESTION 244 When authenticating wireless clients through PEAPv0 with MS-CHAPv2, which statement is correct? A. Authentication credentials are exchanged inside a TLS tunnel. B. The client must trust the RADIUS server certificate. C. The same certification authority must issue both the client and server certificates. D. The CN attribute of the RADIUS server certificate must contain the FQDN or the IP address of the RADIUS server itself.

89 E. A self-signed RADIUS server certificate cannot be used. Answer: A QUESTION 245 What is the correct command to upgrade an autonomous AP to a Cisco Unified AP (Cisco IOS Release 12.3(8)JEA2), after you established console access to the AP and set up a TFTP server at ? A. AP# copy tftp: flash://< >/ c1140-rcvk9w8-tar jea2.tar B. AP# archive download-sw/force-reload/overwrite tftp:// / c1140-k9w7-tar jea2.tar C. AP# archive download-sw/force-reload/overwrite tftp:// / c1140-rcvk9w8-tar jea2.tar D. AP# archive download-sw/force-reload/overwrite tftp:// / c1140-k9w7-bin jea2.bin QUESTION 246 Which three of these options are not valid ways to extend wireless coverage in an autonomous AP environment? (Choose three.) A. Add additional APs in repeater mode. B. Add additional APs in bridge mode. C. Add additional APs in access point mode. D. Increase the transmitter power level. E. Use both radios. F. Position the APs optimally. G. Use QoS. Answer: BEG QUESTION 247 Refer to the exhibit. What does the max-channel 30 command refer to? A. maximum percentage of channel utilization for CAC traffic B. maximum bandwidth of traffic utilization for CAC traffic C. maximum percentage of bandwidth for non-cac traffic D. maximum number of queues on the radio interface for CAC traffic Answer: A QUESTION 248 You are configuring an access point in a mobile scenario (on a train) which is connected to a L2 switch that has multiple clients attached. The access point must be configured to connect to the

90 mesh network. Which two of the below bridge configuration settings need to be configured? (Choose two.) A. station-role workgroup-bridge B. station-role workgroup-bridge universal C. station-role non-root bridge D. infrastructure-ssid Answer: AD QUESTION 249 You are deploying a Cisco DMP (Digital Media Player) that only has an Ethernet interface, and you plan to plug it into an access point to connect it to the Cisco Unified Wireless Network. The DMP multicast video is displaying distorted and pixelated video. Which one of these radio interface actions is most likely to improve the video stream quality? A. Increase the RTS threshold to B. Disable short preambles. C. Configure station-role workgroup-bridge universal. D. Enable infrastructure-client. Answer: D QUESTION 250 Refer to the exhibit. The autonomous AP has a corporate and guest SSID configured. The security team requested that you limit guest user traffic to DHCP, DNS, and web browsing on the AP. Which configuration best satisfies the request? A. access-list 101 permit udp any any eq 67 access-list 101 permit udp host eq 53 access-list 101 permit tcp any eq 80 access-list 101 deny ip any any interface FastEthernet 0 ip access-group 101 in B. access-list 101 permit udp any any eq 67 access-list 101 permit udp host eq 53 access-list 101 permit tcp any eq 80 access-list 101 deny ip any any interface dot11radio 0 ip access-group 101 in C. access-list 101 permit udp any any eq 67 access-list 101 permit udp host eq 53 access-list 101 permit tcp any eq 80

91 access-list 101 deny ip any any interface dot11radio 0 ip access-group 101 in D. access-list 101 permit udp any any eq 67 access-list 101 permit udp host eq 53 access-list 101 permit tcp any eq 80 access-list 101 deny ip any any interface FastEthernet 0 ip access-group 101 in Answer: B QUESTION 251 In the Cisco Unified Wireless Network (CUWN) model, which of the following mappings is correct at the AP level? A. The AP maps IP DSCP 46 (EF) to IEEE e UP CoS 6. B. The AP maps IP DSCP 46 (EF) to IEEE e UP CoS 5. C. The AP maps IEEE e UP CoS 6 to 802.1p UP CoS 5. D. The AP maps IEEE e UP CoS 5 to 802.1p UP CoS 6. Answer: A QUESTION 252 You enabled CAC on your autonomous AP. Which two of these statements are true? (Choose two.) A. If WMM is enabled, non-wmm clients are still able to prioritize voice packets. B. If WMM is disabled, the AP will prioritize voice packets. C. If WMM is enabled, the AP will prioritize voice packets. D. If WMM is disabled, WMM clients are still able to prioritize voice packets internally. D QUESTION 253 A network administrator is trying to convert a Cisco Aironet 1250 Series Lightweight Access Point back to autonomous mode using a TFTP server and AP mode button. DHCP Option 43 is configured, but the AP is not connected to the controller. Console and physical access to the AP has been established. The TFTP server is local to the PC and the directory has the original image of "c1250-k9w7-tar b.jda3.tar," downloaded from Cisco.com. The PC is directly connected to the access point, but the conversion is failing. Which one of these statements is a possible reason for the failure? A. The 1250 Series AP is a lightweight-only AP and needs a WLC. B. The image filename is incorrect. C. The lightweight AP has to be joined to the WLC and then converted, using the config ap tftp- downgrade command. D. Telnet is not enabled on the AP or WLC. E. The network administrator needs to use the archive command directly on the AP for this procedure to complete. Answer: B

92 QUESTION 254 Company XYZ needs to establish network connectivity to a newly acquired, adjacent building less than 1 kilometer (3280 feet) away. The project calls for implementing a wireless solution using autonomous access points in a point-to-point bridging solution using external antennas on interface dot11radio1. You need to secure the bridge link with strong EAP, DOT1x, and WPA methods, using a local RADIUS server. However, the link cannot be established and the following message is observed in the logs: "DOT1X_SHIM-3-SUPP_START_FAIL: Unable to start supplicant on Dot11Radio1." What is most likely the root cause? A. The non-root bridge is not configured for WPA key management. B. There is RF interference corrupting the b/g RF signal. C. The non-root bridge does not have the correct authentication credentials configured. D. The RADIUS service on the root bridge is not started or needs to be restarted. QUESTION 255 Company ABC is implementing a point-to-point bridging solution to a building approximately 3 kilometers (1.86 miles) away. The equipment used will be two autonomous access points set to frequency 2412 Mhz with external antennas. The bridge link will be authenticated using an external RADIUS server. While looking at the interface statistics, the network administrator observes duplicate frames in the receive counters. What is most likely the root cause of these duplicate frames? A. The antennae are not installed on the primary port. B. The counters on interface dot11radio1 are most likely due to the RF signal being corrupted by an outside interference source. C. The non-root bridge is failing the authentication process and, as a result, sending and receiving intermittently. D. The distance parameter is not configured. E. There is no clear LOS between the two buildings. The access points need to be mounted on higher masts to obtain the proper clearance. Answer: D QUESTION 256 Which three of the below statements is true about Radio Resource Management Neighbor messages? (Choose three.) A. they are transmitted at minimum power B. they are transmitted at maximum power C. they are transmitted at the highest data rate D. they are transmitted at the lowest supported data rate E. they are transmitted on all serviced channels F. they are transmitted every 60 seconds Answer: BDF QUESTION 257 A user reported that, when viewing a video over the wireless network, the video keeps dropping

93 every 30 minutes. What is the most likely cause? A. Interference is causing the connection to drop. B. The default session timeout is deauthenticating the client. C. The WLC, by default, changes channel every 30 minutes. D. The idle timeout is disassociating the client. Answer: B QUESTION 258 You have been hired by an organization that would like to grow their wireless deployment from 150 to 300 users. They only have 200 available addresses on the current wireless subnet and are looking for recommendations on how to overcome this limitation. They have already created a second interface in another subnet that provides 200 additional addresses to accommodate the additional users. Which two of the below actions would you recommend? (Choose two.) A. Use the local DHCP server on the WLC to assign addresses. B. Create AP groups, assign APs to the groups and assign different interfaces to the WLAN for each group. C. Configure LACP on the WLC. D. Change the default maximum number of allowed clients. E. Create an interface group and assign the interface group to the WLAN. F. Configure Passive Client on the WLAN. Answer: BE QUESTION 259 Which WLC feature allows an administrator to limit a wireless client to trigger a change in the AP power settings? A. Wireless Protection Policies B. Management Frame Protection C. Cisco Aironet Extensions D. Coverage Hole Detection E. Transmit Power Control Answer: D QUESTION 260 Which three of these options are variables used within the TPC algorithm to determine the transmit power? (Choose three.) A. antenna gain (dbi) B. antenna gain (dbm) C. RSSI of third highest neighbor above the threshold D. SNR of third highest neighbor above the threshold E. Tx power control threshold F. client SNR cutoff value G. number of neighbors H. Tx Max

94 EH QUESTION 261 A Cisco Unified Wireless Network client is configured with manual proxy settings. How can you, as an administrator, ensure that the user is able to authenticate and access the network by having the WLC respond to a client request with a web page that prompts the user to change the Internet proxy settings to automatically detect the proxy settings? A. Enable conditional redirect on the web authentication policy. B. Make sure that the option for web authentication proxy redirection port is set to 0. C. Make sure that the web authentication proxy redirection mode is enabled. D. Make sure that the web authentication proxy redirection mode is disabled. QUESTION 262 Refer to the exhibit. A network administrator is configuring local WLC DHCP services. Which group of statements regarding the output in the exhibit and the client DHCP process is correct? A. DHCP proxy is enabled. The WLC has sent the client DHCP Discover out, but no DHCP Offer came back. This indicates DHCP proxy needs to be disabled for local WLC DHCP service. B. DHCP proxy is disabled. The WLC has received a DHCP request from the client. As the capture does not include an indication a DHCP ACK was received or not, this does not indicate a specific issue. C. DHCP proxy is disabled. The WLC has sent the client DHCP Discover out, but no DHCP Offer came back. This indicates an apparent WLC issue. D. DHCP proxy is enabled. The client is requesting and the WLC interface is on VLAN 141. points to a network VLAN 141 issue. E. DHCP proxy is enabled. The WLC has received the client DHCP Discover, but there should be a DHCP ACK because the client asked to use This is a client supplicant DHCP issue. Answer: B QUESTION 263 You are tasked to convert autonomous AP static WEP users to Cisco Unified WLC 802.1X EAP users using their current Microsoft Active Directory accounts using a single WLAN. You need to preserve the wired VLAN that these users were connecting on. Which of the below procedures provides the best solution for this conversion? A. Configure the WLAN for Layer 2 security and use the WLC local RADIUS for authentication. Configure the WLC local RADIUS server to authenticate each user against the Microsoft Active Directory.

95 Configure the WLC local RADIUS server to pass down IETF RADIUS attributes 64, 65, and 81 containing the appropriate Layer 2 VLAN to the users. B. Configure the access point groups feature for two groups and map the WLAN to the correct interfaces for each group. Set the access points to the correct access point group for where these converted WEP users will be located. Connecting users will be placed on the correct Layer 2 VLAN. C. Configure the WLAN for the appropriate Layer 2 security settings and ensure that AAA override is configured. Configure an external RADIUS server to authenticate each user against the Microsoft Active Directory. Configure the external RADIUS server to pass down IETF RADIUS attributes 64, 65, and 81 containing the appropriate Layer 2 VLAN to the users. D. Configure two WLANs, one WEP, and one with EAP, but only broadcast the EAP WLAN so that only one SSID is visible. Configure each WLAN interface mapping to the correct and corresponding dynamic interface. Then, use the WLC local RADIUS to authenticate users against the current Microsoft Active Directory. Configure the WLC connecting trunk port to allow the appropriate user wired Layer 2 VLAN. Configure the interface group feature to contain all of the dynamic interfaces needed. Configure the single WLAN to use the interface group and authenticate to an external RADIUS server configured to check the users against the Microsoft Active Directory. The authenticated users will be placed on the correct VLANs dynamically. QUESTION 264 You are installing a new AP, out of the box, on the Internet. However, you are required to enforce only preregistered APs to be allowed to connect to the DMZ controller. Which two of these actions best meet the requirement? (Choose two.) A. Make sure that the option to accept Cisco SSC from the AP is enabled on the WLC. B. Make sure that the option to accept an MIC from the AP is enabled on the WLC. C. Make sure that the option to accept an LSC from the AP is enabled on the WLC. D. Authorize the AP to use an internal authorization list on the WLC, or to use an AAA server. Answer: BD QUESTION 265 Which one of these options is not a valid reason for a client to become excluded? A. excessive association failures B. excessive authentication failures C. excessive 802.1X association failures D. excessive 802.1X authentication failures E. an attempt to use an IP address already assigned to another device F. excessive web authentication failures QUESTION 266 Refer to the exhibit. While troubleshooting a VoWLAN call quality issue on a Cisco Unified Wireless IP Phone 7925 on a Cisco Unified Wireless Network, a network administrator views a compilation of outputs from the WLAN settings and client connection status, as shown in the exhibit. From the information shown, which one of these characteristics about the problem is

96 true? A. The RSSI is outside of the recommended specifications for voice. B. The client keeps getting put into a blacklisted state due to client exclusions because Cisco Centralized Key Management and EAP-FAST are incompatible. C. The WLAN does not have a DHCP server assigned and therefore the client is not getting an IP address. D. The SNR is outside of the required RF specifications for voice.

97 Answer: A QUESTION 267 Refer to the exhibit. A network administrator is troubleshooting a multicast problem in a Cisco Unified Wireless Network topology. Which one of these groups of characteristics best describes the output shown in the exhibit? A. The WLC is configured for multicast-multicast. The multicast-direct feature is configured and a stream to group is currently allowed at best-effort. B. The WLC is configured for multicast-unicast. The multicast-direct feature is configured and and a stream from source is currently allowed. C. The WLC is configured for multicast-multicast. The multicast-direct feature is configured and a stream from source is currently allowed but failed due to a missing QoS priority tag. D. The WLC is configured for multicast-unicast. The multicast-direct feature is configured and a stream from source is currently allowed at best-effort. E. The WLC is configured for multicast-multicast. The multicast-direct feature is configured and a stream from source is currently allowed but failed due to a missing QoS priority tag. Answer: A QUESTION 268 Refer to the exhibit. The corporate office has mandated that all guest WLAN users should have a per-user bandwidth restriction. The requirement is 1 Mb/s for normal rate with a peak of 1.2 Mb/s. This is to be set for HTTP traffic only. From the exhibit, showing the QoS properties for a current guest user connection, is the above requirement met?

98 A. Yes, the profile has been configured for 1000 Kb/s for average rate and 1200 Kb/s for burst rate for all traffic. B. No, the profile has been configured for 1000 Mb/s for average rate and 1200 Mb/s for burst rate for HTTP traffic. C. No, the profile has been configured for 1000 Kb/s for average rate and 1200 Kb/s for burst rate for all traffic. D. Yes, the profile has been configured for 1000 Kb/s for average rate and 1200 Kb/s for burst rate for HTTP traffic. E. Yes, the profile has been configured for 1000 Mb/s for average rate and 1200 Mb/s for burst rate for all traffic. QUESTION 269 Refer to the exhibit. A network administrator is troubleshooting a client connection and runs a debug client command on the device MAC address. From the information in the exhibit, which explanation is correct? A. DHCP proxy is enabled. The WLC has sent the DHCP Discover out, but no DHCP Offer came back, which points to an apparent network issue. B. DHCP proxy is disabled. The WLC has sent the DHCP Discover out, but no DHCP Offer came back, which points to an apparent network issue. "Pass Any Exam. Any Time." Cisco Exam C. DHCP proxy is enabled. The WLC has sent the DHCP Discover out, but no DHCP Offer came back, which points to an apparent WLC issue because the DHCP proxy should be disabled by default. D. DHCP proxy is enabled. The client is requesting but the WLC interface is on a different subnet, which points to an apparent client supplicant issue. E. DHCP proxy is disabled. The WLC has sent the DHCP Discover out, and a DHCP Offer came back of , but the client is not accepting it and therefore timing out. Answer: A QUESTION 270 Refer to the exhibit. The customer intermittently sees these messages in the WLC message logs. Which two sentences describe what these messages indicate? (Choose two.) A. This is an authentication process failure between the supplicant and RADIUS server for the unicast key.

99 B. There is one more retransmit attempt allowed by default. C. There are two more retransmit attempts allowed by default. D. This is an encryption process failure between the supplicant and the WLC for the unicast key. E. This is an encryption process failure between the supplicant and the WLC for the broadcast key. F. This is an authentication process failure between the supplicant and the WLC for the broadcast key. Answer: BE QUESTION 271 You are configuring WLC high availability for an access point. Which statement is true? A. You always need to configure both the controller system names and WLC IP address. B. High availability can only be configured using the WLC IP addresses. C. Controller names in access point high availability configurations are not case-sensitive. D. A WLC IP address only needs to be configured when the backup WLC is in a different mobility group. Answer: D QUESTION 272 Refer to the exhibit. A network administrator is troubleshooting a client connection problem. In the process of collecting information, a client debug is run on the controller for the device MAC address. What is the most likely cause of the problem? A. WPA/802.1X Layer 2 security is enabled. Cisco Centralized Key Management is enabled. The logs show an EAP/802.1X identity request failure, which points to a WLC issue. Client will be deauthenticated. B. WPA2/802.1X Layer 2 security is enabled. The logs show a RADIUS identity request failure, which points to a WLC issue. Client will immediately send an EAPOL-start packet to try again. C. WPA2/802.1X Layer 2 security is enabled. The logs show an EAP/802.1x identity request failure, which points to a supplicant issue. Client will be deauthenticated. D. WPA PSK Layer 2 security is enabled. The logs show an EAP/802.1X identity request failure, which points to a supplicant issue. Client will immediately send an EAPOL-start packet to try again. E. WPA2 PSK Layer 2 security is enabled. The logs show an EAP/802.1X identity request failure, which points to a WLC issue. Client will be deauthenticated.

100 QUESTION 273 A network administrator is troubleshooting a problem of a CAPWAP access point that intermittently disconnects from the WLC. The administrator is trying to determine when the problem is happening. UDP port 514 is allowed. What is the best option for successfully gathering comprehensive information about the problem? A. Configure a script to log into the WLC to gather logs and save them on a PC, where they can be reviewed daily. B. The CAPWAP AP has no syslog capability but the WLC does have syslog capability. Configure the WLC for syslog and level 1. C. Configure the CAPWAP AP and the WLC for syslog and level 6. D. Configure the CAPWAP AP for buffered logging and level 7. Configure the WLC for syslog and level 7. E. Configure the CAPWAP AP and the WLC for syslog and level 1. QUESTION 274 Refer to the exhibit. You are testing the mesh AP feature in your lab. You begin by changing the AP mode from local to bridge on one of your Cisco 3500 Series APs. The AP reboots and attempts to rejoin the controller, but it fails to do so. Based upon the information in the exhibit, which two of these options would allow the AP to join the WLC? (Choose two.) A. Add 08:d0:9f:22:9e:10 to the AP Authorization List B. Add 08:d0:9f:22:9e:10 to the MAC Address Filter C. Add 64:9e:f3:0e:b6:76 to the AP Authorization List D. Add 64:9e:f3:0e:b6:76 to the MAC Address Filter D

101 QUESTION 275 Refer to the exhibit. A network administrator is configuring and installing an indoor mesh network using two CAPWAP APs. The APs were out of the box and have already been installed in their designated locations. The RAP is joined to the controller and configured appropriately, but the MAP is not visible on the WLC. In the output shown, which of these explanations is the most likely reason for the issue? A. The MAP should have been primed to the WLC before being deployed. The Bridge Group Name is not configured by default. The AP policy for the MAP is not configured. B. The MAP should have been primed to the WLC before being deployed. The Bridge Group Name uses the MAC address and is configured but does not match, which is the reason for the failure. C. The MAP does not have to be primed to the WLC before being deployed to the field because the WLC discovery process is different for MAPs than it is for RAPs. The Bridge Group Name does not have to match but the RAP has to have the MAP MAC address added to its database. D. The MAP should have been primed to the WLC before being deployed. The Bridge Group Name does not need to match. The MAP is running an LWAPP image that requires its MAC address to be configured in the RAP in order for a successful join. E. The MAP does not have to be primed to the WLC before being deployed. The Bridge Group Name needs to match. The AP policy is automatically populated by the MAP discovery process via CAPWAP, but is failing in this example. Answer: A QUESTION 276 Your customer is attempting to create two WLANs with identical SSIDs and identical Layer 2 security policies on their WLC 5508, without success. Which two of these actions would help them? (Choose two.) A. Assign the WLANs to different AP groups. B. Assign each WLAN to a different interface. C. Set the WLAN IDs to a number greater than 17. D. Use different radio policies for each WLAN. Answer: AC QUESTION 277 According to Cisco best practices, many features require the WLC to be synchronized with an NTP server. For which of these options is time synchronization not required? A. SNMPv3 B. MFP

102 C. CAPWAP D. Location QUESTION 278 Refer to the exhibit. The help desk informs you that some users cannot receive multicast video. Upon troubleshooting, you determine that the users who are unable to receive the multicast video are all connected at 9 Mbps. Users that are connected at a data rate of 12 Mbps or higher are able to receive the multicast video. Which data rate can you modify to fix the problem? A. Change 6 Mbps to Supported. B. Change 6 Mbps to Mandatory. C. Change 9 Mbps to Supported. D. Change 9 Mbps to Disabled. Answer: D QUESTION 279 In order for MFP client protection to be required on the WLAN, which three of these requirements must the client meet? (Choose three.) A. The client must support CCXv5. B. The client must use WPA2 with AES-CCMP. C. The client must use either EAP or PSK to obtain the PMK. D. The client exclusion must be enabled on the WLAN. E. TKIP or AES must be used for encryprion. F. Any encryption method can be used. Answer: ACE

103 QUESTION 280 Which of the following WLC feature is disabled by configuring the Passive Client feature? A. proxy ARP B. Proactive Key Caching C. DHCP proxy D. power-save mode Answer: A QUESTION 281 Which two EAP methods are supported on H-REAP AP using a local RADIUS server? (Choose two.) A. PEAP B. EAP-FAST C. LEAP D. EAP-TLS Answer: BC QUESTION 282 You are attempting to use the Auto Provisioning feature in a Cisco WCS to apply the configuration to a new WLC. Which options is not a valid method for identifying a WLC using the Auto Provisioning feature? A. serial number B. MAC address C. IP address D. hostname QUESTION 283 Which three of these AP working modes is able to detect rogue access points over the air rather than through the wired network? (Choose three.) A. local mode B. monitor mode C. rogue detector mode D. FlexConnect mode E. sniffer mode F. rogue discovery mode Answer: ABD QUESTION 284

104 You are implementing Cisco CleanAir through the Cisco WCS without any MSE integration. Which two types of data are you able to track through the Cisco WCS? (Choose two.) A. location of one interferer at a time on the WCS map B. history tracking and reports of the worst interferers C. air quality history tracking and reports D. location of multiple interferers at a time on the WCS map E. air quality index on the heat maps when hovering the mouse over the AP icons E QUESTION 285 During the installation of a Cisco WCS, you are given the option to modify the protocol ports used by the WCS. Which two of these protocol ports can you modify? (Choose two.) A. HTTP B. HTTPS C. FTP D. TFTP E. SNMP Answer: AB QUESTION 286 When placing APs on a map through the Cisco WCS, which two statements are true? (Choose two.) A. You must place all your access points on a map for the RRM algorithm to start working. B. You will be able locate multiple wireless clients at a time. C. You can automatically place APs on the map by accepting the planning mode tool result. D. You will automatically track the location of interferers. E. If an MSE was added already, you need to re-synchronize the network designs. F. Minor severity alarms will be logged to indicate that new APs were added to the map. E QUESTION 287 When implementing context-aware location services on the Cisco WCS through the MSE, which two types of data or functionality are only available after adding an MSE? (Choose two.) A. location of only one wireless client at a time on the WCS map B. location of multiple wireless clients at a time on the WCS map C. client location history D. ability to define WCS map boundaries E. ability to set alerting options for rogue access points Answer: BC QUESTION 288

105 When adding an MSE to a Cisco WCS, you are given the option to enable HTTP. What would be a good reason to enable HTTP communication to the MSE? A. If HTTPS is disabled on the MSE. B. If port 443 is blocked by a firewall in between WCS and the MSE. C. If the MSE is being added to a version of WCS prior to 7.0. D. If a a third-party application needs to communicate with the MSE. Answer: D QUESTION 289 When troubleshooting wireless clients through the Client Sessions report on the Cisco WCS, which statement is correct? A. You are able to see the client password in case of PAP authentication. B. You are able to see the client username in case of a web authentication-enabled WLAN. C. You are able run a ping test for a single client at a time. D. You are able run a ping test for multiple clients at a time. E. You are able to reboot a client PC remotely. Answer: B QUESTION 290 You currently have one Cisco WCS server on your network and you would like to add a second WCS server for high availability. Which one of these options is not required to configure high availability? A. Both WCS servers must run on the same operating system. B. Both WCS servers must be in the same subnet. C. Both WCS servers must run the same software release. D. The primary WCS server must have an SMTP server configured. Answer: B QUESTION 291 How can you improve location accuracy using RFID tags in RF-noisy or congested environments, such as hospitals? A. Repeat frame transmissions per channel within each transmission interval (although this will lower battery life). B. Transmit beacons as unicast instead of multicast, to make sure that APs can pick up the beacon packets. C. Decrease the inter-cell overlap to 5 percent, decreasing the uncertain area. D. Increase the data rate for the beacon packets to make sure that more data can be transmitted within the same time interval. Answer: A QUESTION 292 How many non-overlapping channels are available for WLANs on the UNII-1 band?

106 A. 8 B. 4 C. 12 D. 16 Answer: B QUESTION 293 Which option can you configure for inbound Call Admission Control on a Cisco Unified Wireless Network AP for video applications on a specific radio band? A. Set the data rate for a non-voice client below 11 Mb/s. B. Set the desired maximum RF bandwidth that is allocated for video traffic. C. Set QBSS to have precedence over TSPEC. D. Set WMM = 6 for RTP packets. Answer: B QUESTION 294 What is the minimum CCX version to support WMM? A. v2, which also supports Cisco Centralized Key Management B. v3, which also supports EAP-FAST C. v4, which also supports UPSD D. v5, which also supports MFP Answer: B QUESTION 295 You like to troubleshoot location tracking issues on one specific RFID tag. How can this be achieved? A. Turn on wcp events enable on the WLC and filter events based on MAC address. B. Turn on debug rfid {mac address} enable on the WLC, and filter CCX Payload packets sent toward the MSE based on the MAC address. C. Turn on CCXv5 on the RFID tag to allow sending RSSI information toward the AP, including the client ID. D. Enable MAC Address Based Logging Parameters. Download and examine the zip file containing the log on the Cisco WCS or NCS. Answer: D QUESTION 296 Location tracking and positioning systems can be classified by different techniques. Which statement is true? A. The ToA technique requires very precise knowledge of the transmission start times. To simplify this technique, TDoA does not require the use of a synchronized time source at the point of transmission, but the receivers still require time synchronization. B. RSS is measured by either the mobile device or the receiving sensor. Knowledge of the transmitter

107 output power allows you to calculate the distance between the two stations. C. A common benefit of AoA compared to the other location tracking techniques is its susceptibility to multipath interference, which allows several angle calculations and therefore very accurate positioning. D. The LTP field in the CCX Payload information allows synchronization between transmitter and receivers to allow calculation of the position within 10 meters during 90 percent of the time. Answer: A QUESTION 297 Why would a wireless voice deployment not be good enough for providing accurate contextaware services? A. Voice wireless clients have higher power settings. If you add context-aware services, you need to add APs within the area. B. Voice wireless clients operate at a higher speed than needed for RFID tagging. C. It is not a requirement to place APs at the floor perimeter for voice deployments. D. The RFID tags use multicast, whereas wireless clients use unicast. QUESTION 298 If you are restricted from using 5 Ghz channels that require DFS and TPC for a 7925 VoWLAN customer deployment in the United States, how many channels can you use? A. 4 B. 8 C. 12 D. 16 Answer: B QUESTION 299 Your enterprise customer is considering adding a VoWLAN service to their existing wireless deployment. The VoWLAN wireless phones have limited power and processing capabilities. The IT manager insists that, while the authentication protocol must preserve battery and processing power, it must also be secure. Assume that the wireless phones and AAA infrastructure support all the EAP methods listed within the options. Which one of the below 802.1X EAP authentication protocols would you recommend to your customer? A. EAP-FAST B. EAP-TLS C. EAP-TTLS D. LEAP Answer: A QUESTION 300 Asset tags are not being detected correctly and re-verification of the correct configuration should be performed. It is also recommended that verification of correct asset tag RSSI detection and

108 message forwarding is conducted. Which statement is correct about the RFID tag timeout settings, as you would see in a show advanced location summary on a Cisco WLC? A. The RFID tag timeout should be set to two to five times the longest tag transmission interval found in the tag population, including stationary and any in-motion tag transmission intervals. B. The RFID tag timeout should be set to four to six times the longest tag transmission interval found in the tag population, including stationary and any in-motion tag transmission intervals. C. The RFID tag timeout should be set to three to eight times the longest tag transmission interval found in the tag population, including stationary and any in-motion tag transmission intervals. D. The RFID Tag RSSI expiry timeout cannot be configured; it is a fixed value (1200 seconds). QUESTION 301 The Context-Aware Services engine, which resides on the Cisco MSE, can determine and track the location of wireless clients based on data reported by the access points. Which two types of data does the CAS engine use to determine the location of the wireless clients? (Choose two.) A. SNR B. RSSI C. number of antennas per access point D. TDOA E. current access point power level Answer: BD QUESTION 302 Wireless client location tracking provided by the Cisco MSE relies heavily on the number of access points that can hear a particular wireless client. What are the minimum and optimal numbers of access points required to cover an area in order to provide location tracking? A. minimum 1 access point, optimal 3 or more access points B. minimum 2 access points, optimal 4 or more access points C. minimum 3 access points, optimal 4 or more access points D. minimum 4 access points, optimal 5 or more access points E. minimum 5 access points, optimal 6 or more access points QUESTION 303 Bandwidth-based Call Admission Control for voice services allows the client to request the required bandwidth or medium time to accept calls in a congested RF environment. Which three of these statements must be true in order for bandwidth-based CAC to correctly operate for voice calls? (Choose three.) A. WLAN must use the silver QoS profile B. WLAN must use the gold QoS profile C. WLAN must use the platinum QoS profile D. Client must support at least CCXv4 E. Client must support at least CCXv3

109 F. WMM does not need to be enabled for WLAN G. WMM must be enabled for WLAN DG QUESTION 304 When deploying voice in a new wireless deployment, the phone transmits at a maximum power level of 50 mw. Which maximum AP transmit power would avoid one-way communication? A. 23 dbm B. 14 dbm C. 17 dbm D. 20 dbm QUESTION 305 Drag and Drop Questions Answer: QUESTION 306 Drag and Drop Questions

110 Answer: QUESTION 307 Drag and Drop Questions Answer:

111 Ensurepass.com Members Features: 1. Verified Answers researched by industry experts. 2. Q&As are downloadable in PDF and VCE format % success Guarantee and Money Back Guarantee. 4. Free updates for 180 Days. View list of All Exam provided: To purchase Lifetime Full Access Membership click here: Valid Discount Code for 2014: SFOH-FZA0-7Q2S To purchase the HOT Exams: Cisco CompTIA Oracle VMWare IBM LX Z0-051 VCAD510 C N Z0-052 VCP510 C BR0-002 SG Z0-053 VCP550 C CAS-001 SG Z0-060 VCAC510 C CLO-001 SK Z0-474 VCP5-DCV RedHat ISS-001 SK Z0-482 VCP510PSE EX JK0-010 SY Z0-485 EX JK0-801 SY Z Z0-820