Cisco Designing and Implementing Cloud Connectivity 300-440 ENCC Exam Questions

Answer : B, E

To redistribute OSPF internal routes into BGP, the engineer needs to configure two commands on router R2. The first command isrouter bgp 100, which enables BGP routing process and specifies the autonomous system number of 100. The second command isredistribute ospf 1 match internal external, which redistributes the routes from OSPF process 1 into BGP, and matches both internal and external OSPF routes. This way, the engineer can avoid introducing extra routes that are not part of OSPF process 1, such as the default route or the connected routes.Reference: =Designing and Implementing Cloud Connectivity (ENCC) v1.0, [ENCC: Configuring IPsec VPN from Cisco IOS XE to AWS], [Deploying Cisco IOS VTI-Based Point-to-Point IPsec VPNs]

Answer : B, C

The end-to-end ping between the office user PC and the AWS EC2 instance is not working because either the security group rules for the host VPC are blocking the ICMP traffic or the IPsec SA counters are showing errors or drops. To diagnose the loss of connectivity, the engineer should check both the security group rules and the IPsec SA counters. The network security group rules on the host VNET are not relevant because they apply to Azure, not AWS. The IPsec SA configuration on the Cisco VPN router and the AWS private virtual gateway are not likely to be the cause of the problem because the site-to-site VPN tunnel is already up and the site-to-site routing works correctly.Reference:=

Designing and Implementing Cloud Connectivity (ENCC, Track 1 of 5), Module 3: Configuring IPsec VPN from Cisco IOS XE to AWS, Lesson 3: Verify IPsec VPN Connectivity

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE, Chapter: IPsec VPN Overview, Section: IPsec Security Association

AWS Documentation, User Guide for AWS VPN, Section: Security Groups for Your VPC

Answer : B

A centralized internet gateway is a network design that routes all internet-bound traffic from the on-premises infrastructure through a single point of egress, typically located at the data center or a regional hub1.This approach allows the enterprise to apply consistent security policies and access controls for SaaS applications, as well as optimize the bandwidth utilization and performance of the WAN links2.A centralized internet gateway can use various technologies to provide connectivity to SaaS applications, such as proxy servers, firewalls, web filters, and WAN optimizers3.However, a cloud-based proxy server (option A) is not a part of the centralized internet gateway, but rather a separate service that can be used to route traffic from the on-premises infrastructure to the SaaS provider data center4.VPN connections (option C) and dedicated, private connections (option D) are also not related to the centralized internet gateway, but rather alternative ways of providing secure and reliable access to SaaS applications from the on-premises infrastructure5.Therefore, the correct answer is option B, which describes the basic function of a centralized internet gateway.Reference:=1: Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module 1: Cloud Connectivity Overview, Lesson 1: Cloud Connectivity Concepts, Topic: Centralized Internet Gateway2: Cloud OnRamp for SaaS, Cisco IOS XE Catalyst SD-WAN Release 17.3.1a and Later, Topic: Centralized Internet Gateway3: Architect and optimize your internet traffic with Azure routing preference, Microsoft Azure Blog, Topic: Routing via the premium Microsoft global network4: What is SaaS?Software as a Service, Microsoft Azure, Topic: How SaaS works5: How an application gateway works, Microsoft Learn, Topic: Application gateway components

Answer : A, E

The correct answer is A and E because they are the IP prefixes that match the tunnel interfaces on the Cisco IOS XE router. The AWS routing options should include the local and remote IP prefixes that are used for the IPsec tunnel endpoints. The other options are either the public IP addresses of the routers or the LAN subnets that are not relevant for the IPsec tunnel configuration.Reference:=Designing and Implementing Cloud Connectivity (ENCC) v1.0,Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services,Site-to-Site VPN with Amazon Web Services

Answer : C

According to the FedRAMP Authorization Boundary Guidance document1, the method used to create authorization boundary diagrams (ABDs) is to identify all tools as either external or internal to the boundary. The ABD is a visual representation of the components that make up the authorization boundary, which includes all technologies, external and internal services, and leveraged systems and accounts for all federal information, data, and metadata that a Cloud Service Offering (CSO) is responsible for.The ABD should illustrate a CSP's scope of control over the system and show components or services that are leveraged from external services or controlled by the customer1.The other options are incorrect because they do not capture the full scope and details of the authorization boundary as required by FedRAMP.Reference:= FedRAMP Authorization Boundary Guidance document1

Answer : D

The problem is that the site-list ''All-Site'' has a higher match sequence than the site-list ''Hub'', which means that the policy for ''All-Site'' will take precedence over the policy for ''Hub'' for any site that belongs to both lists. This creates a conflict and prevents the engineer from adding a new centralized control policy in Cisco vManage. To resolve this issue, the site-list ''All-Site'' should be configured with a new match sequence that is lower than the sequence for site-list ''Hub'', so that the policy for ''Hub'' will be applied first and then the policy for ''All-Site'' will be applied only to the remaining sites that are not in the ''Hub'' list.Reference:=

Designing and Implementing Cloud Connectivity (ENCC, Track 1 of 5), Module 3: Cisco SD-WAN Cloud OnRamp for Colocation, Lesson 3: Cisco SD-WAN Cloud OnRamp for Colocation - Centralized Control Policies

Cisco SD-WAN Cloud OnRamp for Colocation Deployment Guide, Chapter 4: Configuring Centralized Control Policies

Cisco SD-WAN Configuration Guide, Release 20.3, Chapter: Centralized Policy Framework, Section: Policy Configuration Overview

Answer : B

An identity mismatch occurs when the local and remote identities configured on the IPsec peers do not match. This can prevent the establishment of an IPsec tunnel or cause traffic to be dropped by the IPsec policy. In this case, the network engineer should verify that the local and remote identities configured on the Cisco WAN edge router and the AWS endpoint match the values expected by each peer. The identities can be an IP address, a fully qualified domain name (FQDN), or a distinguished name (DN). The identities are exchanged during the IKE phase 1 negotiation and are used to authenticate the peers. If the identities do not match, the peers will reject the IKE proposal and the IPsec tunnel will not be established or will be torn down.Reference:=

Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services, Topic: Troubleshooting

Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module 3: Implementing Cloud Connectivity, Lesson 2: Implementing Cisco SD-WAN Cloud OnRamp for IaaS, Topic: Troubleshooting Cisco SD-WAN Cloud OnRamp for IaaS

Cisco IOS Security Configuration Guide, Release 15M&T, Chapter: Configuring IPsec Network Security, Topic: Configuring IPsec Identity and Peer Addressing