[2025-December-New]Braindump2go 350-401 Dumps Free[Q1028-Q1099]


QUESTION 1028
Which DNS record type is required to allow APs to discover a WLC by using DNS on IPv4?

A. NS
B. A
C. SOA
D. MX

Answer: B

QUESTION 1029
What is modularity in network design?

A. ability to bundle several functions into a single layer of the network
B. ability to create self-contained, repeatable sections of the network
C. ability to self-heal the network to prevent service outages
D. ability to scale and accommodate future needs of the network

Answer: D
Explanation:
You can design a campus network in a logical manner, using a modular approach. In this approach, each layer of the hierarchical network model can be broken into basic functional units. These units, or modules, then can be sized appropriately and connected, while allowing for future scalability and expansion.

QUESTION 1030
Refer to the exhibit. An engineer configured TACACS+ to authenticate remote users, but the configuration is not working as expected. Which configuration must be applied to enable access?

A. R1(config)# ip tacacs source-interface Gig 0/0
B. R1(config)# tacacs server prod
R1(config-server-tacacs)# port 1020
C. R1(config)# aaa authorization exec default group tacacs+ local
D. R1(config)# tacacs server prod
R1(config-server-tacacs)# key cisco123

Answer: D

QUESTION 1031
A customer has two Cisco WLCs that manage separate APs throughout a building. Each WLC advertises the same SSID but terminates on different interfaces. Users report that they drop their connections and change IP addresses when roaming. Which action resolves this issue?

A. Configure high availability.
B. Enable fast roaming.
C. Configure mobility groups.
D. Enable client load balancing

Answer: C
Explanation:
Mobility or roaming services enable a WLAN client to retain its association seamlessly while moving from one access point to another. Cisco WLAN controllers (WLCs) can be organized into wireless mobility groups to support intercontroller roaming.

QUESTION 1032
What is one difference between the RIB and the FIB?

A. The RIB keeps all routing information received from peers, and the FIB keeps the minimum information necessary to make a forwarding decision.
B. The RIB works at the data plane, and the FIB works at the control plane.
C. The FIB contains routing prefixes, and the RIB contains the Layer 2 and Layer 3 information necessary to make a forwarding decision.
D. The RIB is known as the CEF table, and the FIB is known as the routing table.

Answer: A

QUESTION 1033
What is a characteristic of an AP operating in FlexConnect mode?

A. All traffic traverses the WLC to ensure policy enforcement on client traffic.
B. Forwarding for locally switched traffic continues when the AP loses connectivity to the WLC.
C. APs connect in a mesh topology and elect a root AP
D. FlexConnect enables an AP to connect to multiple WLCs.

Answer: B

QUESTION 1034
What is the benefit of using TCAM for IP forwarding decisions versus using the CAM table?

A. TCAM finds results based on binary, and CAM uses the longest match to find results.
B. TCAM processes lookups in a hardware CPU, and CAM relies on binary masks to find results.
C. TCAM finds results based on masks, and CAM finds results based on exact match.
D. TCAM uses low cost hardware memory to store addresses, and CAM uses expensive hardware memory.

Answer: B
Explanation:
The problem with CAM is that it can only do exact matches on ones and zeros (binary CAMs).
By implementing router prefix lookup in TCAM, we are moving the process of Forwarding Information Base lookup from software to hardware.

QUESTION 1035
Refer to the exhibit. Two indirectly connected routers fail to form an OSPF neighborship. What is the cause of the issue?

A. failing hello packets between the two routers
B. DR/BDR selection dispute
C. MTU mismatch
D. OSPF network type mismatch

Answer: C

QUESTION 1036
Which feature is provided by Cisco Mobility Services Engine in a Cisco Wireless Unified Network architecture?

A. It adds client packet capturing.
B. It enables NetFlow data collection.
C. It adds client tracking and location API.
D. It identifies authentication problems.

Answer: C
Explanation:
This solution allows a customer to track any Wi-Fi device, including clients, active RFID tags, and rogue clients and access points (APs).

QUESTION 1037
Which unit of measure is used to measure wireless RF SNR?

A. dBi
B. dB
C. dBm
D. mW

Answer: B
Explanation:
The signal-to-noise ratio (SNR) is typically expressed in decibels (dB). This logarithmic scale is used because it allows for easier comparison of large or small SNR values. While other units might be used in specific contexts, decibels are the most common and widely used unit for expressing SNR.
https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Signal-to-Noise_Ratio_(SNR)_and_Wireless_Signal_Strength

QUESTION 1038
In a campus network design, what are two benefits of using BFD for failure detection? (Choose two.)

A. BFD speeds up routing convergence time.
B. BFD is an efficient way to reduce memory and CPU usage.
C. BFD provides fault tolerance by enabling multiple routers to appear as a single virtual router.
D. BFD provides path failure detection in less than a second.
E. BFD enables network peers to continue forwarding packets in the event of a restart.

Answer: AD

QUESTION 1039
Refer to the exhibit. A network engineer issues the debug command while troubleshooting a network issue. What does the output confirm?

A. ACL 100 is tracking ICMP traffic from 10.1.1.1 destined for 1.1.1.1.
B. ACL 100 is tracking all traffic from 10.1.1.1 destined for 1.1.1.1.
C. ACL 100 is tracking ICMP traffic from Serial1/0 destined for Serial3/0.
D. ACL 100 is tracking ICMP traffic from 1.1.1.1 destined for 10.1.1.1.

Answer: D

QUESTION 1041
Which version of NetFlow does Cisco Threat Defense utilize to obtain visibility into the network?

A. NBAR2
B. IPFIX
C. 8
D. flexible

Answer: D

QUESTION 1042
Refer to the exhibit. What is printed to the console when this script is run?

A. a key-value pair in tuple type
B. an error
C. a key-value pair in list type
D. a key-value pair in string type

Answer: D

QUESTION 1043
What is a difference between Chef and other automation tools?

A. Chef is an agentless tool that uses playbooks, and Ansible is an agent-based tool that uses cookbooks.
B. Chef is an agentless tool that uses a primary/minion architecture, and SaltStack is an agent-based tool that uses a primary/secondary architecture
C. Chef is an agent-based tool that uses cookbooks, and Ansible is an agentless tool that uses playbooks.
D. Chef uses Domain Specific Language, and Puppet uses Ruby.

Answer: C

QUESTION 1044
An engineer must configure a new WLAN that supports 802.11r and requires users to enter a passphrase. What must be configured to support this requirement?

A. 802.1X and Fast Transition
B. FT PSK and Fast Transition
C. 802.1X and SUITEB-1X
D. FT PSK and SUITEB-1X

Answer: B
Explanation:
Fast Transition (FT), often referred to as 802.11r, allows wireless clients to seamlessly switch between access points (APs) within the same WLAN without any noticeable interruption in connectivity. This significantly improves the user experience, especially for mobile users or applications sensitive to network disruptions.

QUESTION 1045
Refer to the exhibit. An engineer is troubleshooting an mDNS issue in an environment where Cisco ISE is used to dynamically assign mDNS roles to users. The engineer has confirmed that ISE is sending the correct values, but name resolution is not functioning as expected. Which WLC configuration change resolves the issue?

A. Enable AAA Override.
B. Enable Aironet IE.
C. Set MFP client protection to Required.
D. Change NAC state to ISE NAC.

Answer: A

QUESTION 1046
What is one role of the VTEP in a VXLAN environment?

A. to maintain VLAN configuration consistency
B. to forward packets to non-LISP sites
C. to provide EID-to-RLOC mapping
D. to encapsulate the tunnel

Answer: D

QUESTION 1047
How is CAPWAP data traffic encapsulated when running an Over the Top WLAN in a Cisco SD-Access wireless environment?

A. LISP
B. VXLAN
C. GRE
D. IPsec

Answer: B

QUESTION 1048
Refer to the exhibit. What does the Python code accomplish?

A. It configures interface e1/32 to be in an admin down state
B. It generates a status code of 403 because the type is incorrect.
C. It configures interface e1/32 to be in an err-disable state.
D. It returns data in JSON-RPC format.

Answer: A

QUESTION 1049
Refer to the exhibit. Which action must be performed to allow RESTCONF access to the device?

A. Enable the NETCONF service.
B. Enable the SSH service.
C. Enable the IOX service.
D. Enable the HTTPS service.

Answer: D
Explanation:
RESTCONF runs over HTTPS. The following commands must be enabled to support RESTCONF over port 443:
ip http secure-server

QUESTION 1051
Which technology is used as the basis for the Cisco SD-Access data plane?

A. LISP
B. 802.1Q
C. VXLAN
D. IPsec

Answer: C

QUESTION 1052
How is the OAuth framework used in a REST API?

A. as a framework to hash the security information in the REST URL
B. by providing the external application a token that authorizes access to the account
C. as a framework to hide the security information in the REST URL
D. by providing the user credentials to the external application

Answer: B

QUESTION 1053
What is a characteristic of Cisco DNA southbound APIs?

A. implements monitoring by using the SOAP protocol
B. enables orchestration and automation of network devices based on intent
C. utilizes REST API
D. simplifies management of network devices

Answer: B

QUESTION 1054
Where is the wireless LAN controller located in a mobility express deployment?

A. The wireless LAN controller exists in a server that is dedicated for this purpose.
B. The wireless LAN controller is embedded into the access point.
C. The wireless LAN controller exists in the cloud.
D. There is no wireless LAN controller in the network.

Answer: B

QUESTION 1055
Refer to the exhibit. A network engineer must permit administrators to automatically authenticate if there is no response from either of the AAA servers. Which configuration achieves these results?

A. aaa authentication enable default group radius local
B. aaa authentication login default group radius
C. aaa authentication login default group tacacs+ line
D. aaa authentication login default group radius none

Answer: D

QUESTION 1056
Which hypervisor requires a host OS to run and is not allowed to directly access the host's hardware and resources?

A. native
B. bare metal
C. type 1
D. type 2

Answer: D

QUESTION 1057
Refer to the exhibit. The NETCONF object is sent to a Cisco IOS XE switch. What is the purpose of the object?

A. Discover the IP address of interface GigabitEthernet1
B. Remove the IP address from interface GigabitEthernet1
C. Set the description of interface GigabitEthernet1 to “1”
D. View the configuration of all GigabitEthernet interfaces

Answer: A

QUESTION 1058
Which protocol does Cisco SD-WAN use to protect control plane communication?

A. STUN
B. OMP
C. IPsec
D. DTLS

Answer: D

QUESTION 1059
Which security option protects credentials from sniffer attacks in basic API authentication?

A. next-generation firewall
B. TLS or SSL for communication
C. VPN connection between client and server
D. AAA services to authenticate the API

Answer: B

QUESTION 1060
Which mechanism can be used to enforce network access authentication against an AAA server if the endpoint does not support the 802.1X supplicant functionality?

A. WebAuth
B. MACsec
C. private VLANs
D. port security

Answer: A

QUESTION 1061
An engineer must configure router R1 to validate user logins via RADIUS and fall back to the local user database if the RADIUS server is not available. Which configuration must be applied?

A. aaa authentication exec default radius local
B. aaa authentication exec default radius
C. aaa authorization exec default radius local
D. aaa authorization exec default radius

Answer: C

QUESTION 1062
What does the Cisco WLC Layer 3 roaming feature allow clients to do?

A. maintain their IP address when roaming to an AP or controller with a different client VLAN assignment
B. maintain their connection between APs even when the AP management VLANs are different
C. maintain their connection even if the client IP address changes when roaming
D. roam seamlessly between controllers even when the controller management VLANs are different

Answer: D
Explanation:
L3 roaming enables a client to preserve its IP address when roaming to an AP that is connected to another WLC.

QUESTION 1064
What is the function of Cisco DNA Center in a Cisco SD-Access deployment?

A. It is responsible for the design, management, deployment, provisioning, and assurance of the fabric network devices
B. It is responsible for routing decisions inside the fabric
C. It provides integration and automation for all nonfabric nodes and their fabric counterparts
D. It possesses information about all endpoints, nodes, and external networks related to the fabric

Answer: A

QUESTION 1065
How do the MAC address table and TCAM differ?

A. TCAM is populated from the ARP file, and the MAC address table is populated from the switch configuration file
B. TCAM stores Layer 2 forwarding information, and the MAC address table stores QoS information
C. TCAM lookups can match only 1s and 0s, and MAC address lookups can match 1s, 0s and a third “care/don’t care” state
D. TCAM is a type of memory and the MAC address table is a logical structure

Answer: D

QUESTION 1066
Which technology provides an overlay fabric to connect remote locations utilizing commodity data paths and improves network performance, boosts security, and reduces costs?

A. InfiniBand
B. VTEP
C. SD-WAN
D. VXLAN

Answer: C

QUESTION 1067
Which two actions are recommended as security best practices to protect REST API? (Choose two.)

A. Enable dual authentication of the session
B. Use a password hash
C. Use SSL for encryption
D. Use TACACS+ authentication
E. Enable out-of-band authentication

Answer: BC

QUESTION 1068
Refer to the exhibit. An engineer is configuring WebAuth on a Cisco Catalyst 9800 Series WLC. The engineer has purchased a third-party certificate using the FQDN of the WLC as the CN and intends to use it on the WebAuth splash page. What must be configured so that the clients do not receive a certificate error?

A. Virtual IPv4 Hostname must match the CN of the certificate
B. Virtual IPv4 Address must be set to a routable address
C. Web Auth Intercept HTTPs must be enabled
D. Trustpoint must be set to the management certificate of the WLC

Answer: A

QUESTION 1070
Refer to the exhibit. What is the output of this code?

A. 1st_item#######: 645298791871446
2nd_item_that_must_display: jlugyydt##
B. 1st_item#######: 6452987918
2nd_item_that_m: jlugyydt##
C. 1st_item#######: 8791871446
at_must_display: jlugyydt
D. 645298791871446
##jlugyydt

Answer: A

QUESTION 1071
Refer to the exhibit. An engineer is troubleshooting an issue with non-Wi-Fi interference on the 5-GHz band. The engineer has enabled Cisco CleanAir and set the appropriate traps, but the AP does not change the channel when it detects significant interference. Which action will resolve the issue?

A. Enable the Avoid Persistent Non-WiFi interference option
B. Change the DCA Sensitivity option to High
C. Enable the Event Driven Radio Resource Management option
D. Disable the Avoid Foreign AP Interference option

Answer: C
Explanation:
The AP does not change channels upon detecting significant interference because Event Driven Radio Resource Management (EDRRM) is not enabled. EDRRM allows the AP to dynamically change channels based on interference detected in real time. Without EDRRM enabled, the AP may still detect interference but will wait until the next Dynamic Channel Assignment (DCA) cycle to change channels, which could be up to 10 minutes, as per the interval set in the exhibit.
Event Driven RRM (EDRRM) is crucial for immediate response to interference. By enabling EDRRM, the AP can dynamically react to changing conditions, improving performance and reducing interference impact.
Dynamic Channel Assignment (DCA) operates on an interval-based system, and EDRRM provides the ability to act between DCA intervals.
Enabling Event Driven RRM will allow the AP to change channels immediately when non-Wi-Fi interference is detected, thereby mitigating the interference effects.

QUESTION 1072
Refer to the exhibit. What is achieved by the XML code?

A. It displays the access list sequence numbers from the output of the show ip access-list extended flp command on the terminal screen
B. It displays the output of the show ip access-list extended flp command on the terminal screen
C. It reads the access list sequence numbers from the output of the show ip access-list extended flp command into a dictionary list
D. It reads the output of the show ip access-list extended flp command into a dictionary list

Answer: D

QUESTION 1073
An engineer measures the Wi-Fi coverage at a customer site. The RSSI values are recorded as follows:
– Location A: -72 dBm
– Location B: -75 dBm
– Location C: -65 dBm
– Location D: -80 dBm
Which two statements does the engineer use to explain these values to the customer? (Choose two.)

A. The signal strength at location C is too weak to support web surfing
B. Location D has the strongest RF signal strength
C. The RF signal strength at location B is 50% weaker than location A
D. The RF signal strength at location C is 10 times stronger than location B
E. The signal strength at location B is 10 dB better than location C

Answer: CD

QUESTION 1074
Where are operations related to software images located in the Cisco DNA Center GUI?

A. Services
B. Provisioning
C. Assurance
D. Design

Answer: D
Explanation:
In the Cisco DNA Center GUI, click the Menu icon and choose Design > Image Repository.

QUESTION 1075
What is a difference between OSPF and EIGRP?

A. OSPF uses a default hello timer of 5 seconds. EIGRP uses a default hello timer of 10 seconds.
B. OSPF uses multicast addresses 224.0.0.5 and 224.0.0.6. EIGRP uses multicast address 224.0.0.10.
C. OSPF uses an administrative distance of 115. EIGRP uses an administrative distance of 160.
D. OSPF uses IP protocol number 88. EIGRP uses IP protocol number 89.

Answer: B

QUESTION 1076
Which type of antenna is designed to provide a 360-degree radiation pattern?

A. Yagi
B. patch
C. directional
D. omnidirectional

Answer: D

QUESTION 1082
Which two security mechanisms are used by Cisco Threat Defense to gain visibility into the most dangerous cyber threats? (Choose two.)

A. virtual private networks
B. file reputation
C. VLAN segmentation
D. Traffic Telemetry
E. dynamic enforce policy

Answer: BD

QUESTION 1083
Which action is a LISP ITR responsible for?

A. responding to map-request messages
B. forwarding user data traffic
C. finding EID-to-RLOC mappings
D. accepting registration requests from ETRs

Answer: C
Explanation:
An ITR is responsible for finding EID-to-RLOC mappings for all traffic destined for LISP-capable sites. When the ITR receives a packet destined for an EID, it first looks for the EID in its mapping cache. If the ITR finds a match, it encapsulates the packet inside a LISP header with one of its RLOCs as the IP source address.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/15-mt/irl-15-mt-book/irl-overview.pdf

QUESTION 1084
An engineer modifies the existing ISE guest portal URL to use a static FQDN. Users immediately report that they receive certificate errors when they are redirected to the new page. Which two additional configuration steps are needed to implement the change? (Choose two.)

A. Add a new DNS record to resolve the FQDN to the PSN IP address
B. Create and sign a new CSR that contains the static FQDN entry
C. Manually configure the hosts file on each user device.
D. Disable HTTPS on the WLC under the Management menu
E. Add the FQDN entry under the WLC virtual interface

Answer: AB

QUESTION 1086
What is contained in the VXLAN header?

A. VXLAN network identifier
B. source and destination RLOC ID
C. endpoint ID
D. original Layer 2 VLAN ID

Answer: A
Explanation:
VXLAN is typically used to extend L2 networks, but the original Layer 2 VLAN ID itself is not included in the VXLAN header.

QUESTION 1087
Refer to the exhibit. Clients are reporting an issue with the voice traffic from the branch site to the central site. What is the cause of this issue?

A. There is a routing loop on the network
B. There is a high delay on the WAN links
C. Traffic is load-balancing over both links, causing packets to arrive out of order
D. The voice traffic is using the link with less available bandwidth

Answer: A

QUESTION 1088
Which virtualization component creates VMs and performs hardware abstraction that allows multiple VMs to run at the same time?

A. container
B. Docker
C. hypervisor
D. rkt

Answer: C

QUESTION 1089
Refer to the exhibit. An SSID is configured and both clients can reach their gateways on the Layer 3 switch, but they cannot communicate with each other. Which action resolves this issue?

A. Set the WMM Policy to Allowed
B. Set the P2P Blocking Action to Disabled
C. Set the WMM Policy to Required
D. Set the P2P Blocking Action to Forward-UpStream

Answer: B

QUESTION 1090
What is a characteristic of VXLAN?

A. It extends Layer 2 and Layer 3 overlay networks over a Layer 2 underlay
B. It has a 12-byte packet header
C. It uses TCP for transport
D. Its frame encapsulation is performed by MAC-in-UDP

Answer: D
Explanation:
VXLAN (Virtual Extensible LAN) uses MAC-in-UDP encapsulation, where Ethernet frames are encapsulated within UDP packets to enable Layer 2 networks to extend over a Layer 3 underlay. This encapsulation allows for scalable network virtualization, supporting up to 16 million VXLAN segments using a 24-bit VXLAN Network Identifier (VNI).

QUESTION 1091
Which network devices secure API platforms?

A. content switches
B. web application firewalls
C. next-generation intrusion detection systems
D. Layer 3 transit network devices

Answer: B

QUESTION 1092
What does Call Admission Control require the client to send in order to reserve the bandwidth?

A. SIP flow information
B. Wi-Fi multimedia
C. VoIP media session awareness
D. traffic specification

Answer: D

QUESTION 1093
Which capability does a distributed virtual switch have?

A. use floating static routes
B. provide configuration consistency across the hosts
C. run dynamic routing protocols
D. use advanced IPsec encryption algorithms

Answer: B

QUESTION 1094
Which two methods are used to assign security group tags to the user in a Cisco TrustSec architecture? (Choose two.)

A. web authentication
B. IEEE 802.1x
C. DHCP
D. modular QoS
E. policy routing

Answer: AB

QUESTION 1095
Which resource must the hypervisor make available to the virtual machines?

A. bandwidth
B. IP address
C. processor
D. secure access

Answer: C

QUESTION 1096
Refer to the exhibit. An engineer must configure a Cisco WLC with WPA2 Enterprise mode and avoid global server lists. Which action is required?

A. Enable EAP parameters
B. Apply CISCO ISE default settings
C. Select a RADIUS authentication server
D. Disable the RADIUS server accounting interim update

Answer: C

QUESTION 1098
Which two mechanisms are used with OAuth 2.0 for enhanced validation? (Choose two.)

A. authorization
B. custom headers
C. request management
D. authentication
E. accounting

Answer: AD

QUESTION 1099
Which characteristic applies to the endpoint security aspect of the Cisco Threat Defense architecture?

A. detect and block ransomware in email attachments
B. outbound URL analysis and data transfer controls
C. user context analysis
D. blocking of fileless malware in real time

Answer: C

