The newly updated Lead4Pass 350-401 dumps with PDF and VCE and free online practice

350-401 dumps

The newly updated Lead4Pass 350-401 dumps contain 1051 exam questions and answers, as well as provide difficult analysis, in line with the Cisco 350-401 ENCOR certification exam conditions!

Because Lead4Pass 350-401 dumps are actually verified by a professional team, it is real and effective! And provide two learning types: 350-401 dumps PDF, and 350-401 dumps VCE, both types contain the latest 350-401 exam questions!

So, get the latest 350-401 dumps in PDF or VCE format from Lead4Pass:, to ensure you pass the exam easily.

Two free surprises:

  1. Get some Lead4Pass 350-401 dumps in PDF format
  2. Online practice section Lead4Pass 350-401 dumps

First Surprise: Online Download Section Lead4Pass 350-401 dumps:

The second surprise: online practice part Lead4Pass 350-401 dumps

TypeNumber of exam questionsExam nameExam code
Free15Implementing and Operating Cisco Enterprise Network Core Technologies (ENCOR)350-401
Question 1:

How does Cisco Trustsec enable more access controls for dynamic networking environments and data centers?

A. uses flexible NetFlow

B. assigns a VLAN to the endpoint

C. classifies traffic based on the contextual identity of the endpoint rather than its IP address

D. classifies traffic based on advanced application recognition


Correct Answer: C

The Cisco TrustSec solution simplifies the provisioning and management of network access control through the use of software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy change without network redesign.

Question 2:


Which technology provides a secure communication channel for all traffic at Layer 2 of the OSI model?

A. MACsec

B. IPsec


D. Cisco Trustsec


Correct Answer: A

MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out- of band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) or Pre Shared Key (PSK) framework. A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the MKA peer. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the MKA peer, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to an MKA peer) using the current session key.


Note: Cisco Trustsec is the solution that includes MACsec.

Question 3:


What do Cisco DNA southbound APIs provide?

A. Interface between the controller and the network devices

B. NETCONF API interface for orchestration communication

C. RESful API interface for orchestrator communication

D. Interface between the controller and the consumer


Correct Answer: A

The Southbound API is used to communicate with network devices.

350-401 dumps practice answers 3

Question 4:


Which NGFW mode block flows crossing the firewall?

A. Passive

B. Tap

C. Inline tap

D. Inline


Correct Answer: D

Firepower Threat Defense (FTD) provides six interface modes which are: Routed, Switched, Inline Pair, Inline Pair with Tap, Passive, and Passive (ERSPAN). When Inline Pair Mode is in use, packets can be blocked since they are processed inline When you use Inline Pair mode, the packet goes mainly through the FTD Snort engine When Tap Mode is enabled, a copy of the packet is inspected and dropped internally while the actual traffic goes through FTD unmodified

Question 5:


Which two pieces of information are necessary to compute SNR? (Choose two.)


B. noise floor

C. antenna gain


E. transmit power


Correct Answer: BD

signal-to-noise ratio (SNR) A measure of received signal quality, calculated as the difference between the signal\’s RSSI and the noise floor. A higher SNR is preferred. Reference:

Question 6:


Which requirement for an Ansible-managed node is true?

A. It must be a Linux server or a Cisco device.

B. It must have an SSH server running.

C. It must support ad hoc commands.

D. It must have an Ansible Tower installed.


Correct Answer: B


Question 7:


What is the difference between the enable password and the enable secret password when password encryption is enabled on an IOS device?

A. The enabled password is encrypted with a stronger encryption method.

B. There is no difference and both passwords are encrypted identically.

C. The enabled password cannot be decrypted.

D. The enable secret password is protected via stronger cryptography mechanisms.


Correct Answer: D

The “enable secret” password is always encrypted (independent of the “service passwordencryption” command) using the MD5 hash algorithm. The “enable password” does not encrypt the password and can be viewed in clear text in the runningconfig. In order to encrypt the “enable password”, use the “service password-encryption” command. This command will encrypt the passwords by using the Vigenere encryption algorithm. Unfortunately, the Vigenere encryption method is cryptographically weak and trivial to reverse. The MD5 hash is a stronger algorithm than Vigenere so answer \’The enable secret password is protected via stronger cryptography mechanisms\’ is correct.

Question 8:


Refer to the exhibit.

350-401 dumps practice questions 8

Which configuration establishes EBGP neighborship between these two directly connected neighbors and exchanges the loopback network of the two routers through BGP?

350-401 dumps practice questions 8-1

A. Option A

B. Option B

C. Option C

D. Option D


Correct Answer: A

With BGP, we must advertise the correct network and subnet mask in the “network” command (in this case network on R1 and network on R2). BGP is very strict in routing advertisements. In other words, BGP only

advertises the network which exists exactly in the routing table. In this case, if you put the command “network x.x.0.0 mask” or “network x.0.0.0 mask” or “network x.x.x.x mask” then BGP will not

advertise anything.

It is easy to establish eBGP neighborship via the direct link. But let \’s seen what is required when we want to establish eBGP neighborship via their loopback interfaces. We will need two commands:


the command “neighbor ebgp-multihop 2” on R1 and “neighbor ebgpmultihop 2” on R1. This command increases the TTL value to 2 so that BGP updates can reach the BGP neighbor which is two hops away.


Answer `R1 (config) #router bgp 1 R1 (config-router) #neighbor remote-as 2 R1 (config-router) #network mask R2 (config) #router bgp 2 R2 (config-router) #neighbor remote-as 1 R2 (config-router) #network mask Quick Wireless Summary Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight + Autonomous: self-sufficient and standalone. Used for small wireless networks. + Lightweight: A Cisco lightweight AP (LAP) has to join a Wireless LAN Controller (WLC) to function. Do LAP and WLC communicate with each other via a logical pair of CAPWAP tunnels. ?Control and Provisioning for Wireless Access Point (CAPWAP) is an IETF standard for control messaging for setup, authentication, and operations between APs and WLCs. CAPWAP is similar to LWAPP except for the following differences: +CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between APs and controllers. LWAPP uses AES. + CAPWAP has a dynamic maximum transmission unit (MTU) discovery mechanism. + CAPWAP runs on UDP ports 5246 (control messages) and 5247 (data messages) An LAP operates in one of six different modes:


Local mode (default mode): measures noise floor and interference, and scans for intrusion detection (IDS) events every 180 seconds on unused channels + FlexConnect, formerly known as Hybrid Remote Edge AP (H-REAP), mode: allows data traffic to be switched locally and not go back to the controller. The FlexConnect AP can perform standalone client authentication and switch VLAN traffic locally even when it\’s disconnected to the WLC (Local Switched). FlexConnect AP can also tunnel (via CAPWAP) both user wireless data and control traffic to a centralized WLC (Central Switched).


Monitor mode: does not handle data traffic between clients and the infrastructure. It acts like a sensor for location-based services (LBS), rogue AP detection, and IDS + Rogue detector mode: monitor for rogue APs. It does not handle data at all. + Sniffer mode: run as a sniffer and captures and forwards all the packets on a particular channel to a remote machine where you can use protocol analysis tool (Wireshark, Airopeek, etc) to review the packets and diagnose issues. Strictly used for troubleshooting purposes. + Bridge mode: bridge together the WLAN and the wired infrastructure together. Mobility Express is the ability to use an access point (AP) as a controller instead of a real WLAN controller. But this solution is only suitable for small to midsize, or multi-site branch locations where you might not want to invest in a dedicated WLC. A Mobility Express WLC can support up to 100 Aps

Question 9:


In which part of the HTTP message is the content type specified?

A. HTTP method


C. header

D. body


Correct Answer: C


Question 10:


Which behavior can be expected when the HSRP versions is changed from 1 to 2?

A. Each HSRP group reinitializes because the virtual MAC address has changed.

B. No changes occur because versions 1 and 2 use the same virtual MAC OUI.

C. Each HSRP group reinitializes because the multicast address has changed.

D. No changes occur because the standby router is upgraded before the active router.


Correct Answer: A

Even though HSRP version 2 uses the new IP multicast address to send hello packets instead of the multicast address of, used by HSRP version 1; when the HSRP version is changed, each group will reinitialize because it now has a new virtual MAC address.

Question 11:


A response code of 404 is received while using the REST API on Cisco UNA Center to POST to this URI.

/dna/intent/api/v1 /template-programmer/project

What does the code mean?

A. The client made a request a resource that does not exist.

B. The server has not implemented the functionality that is needed to fulfill the request.

C. The request accepted for processing, but the processing was not completed.

D. The POST/PUT request was fulfilled and a new resource was created, Information about the resource is in the response body.


Correct Answer: A

The 404 (Not Found) error status code indicates that the REST API can\’t map the client\’s URI to a resource but may be available in the future. Subsequent requests by the client are permissible. Reference:

Question 12:


What is the structure of a JSON web token?

A. three parts separated by dots header payload, and signature

B. header and payload

C. three parts separated by dots version header and signature

D. payload and signature


Correct Answer: A

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is

digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. JSON Web Tokens are composed of three parts, separated by a dot (.): Header, Payload, Signature. Therefore,

a JWT typically looks like the following:


The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. To create the signature part you have to take the encoded header, the encoded payload, a

secret, the algorithm specified in the header, and sign that.


Question 13:


Which OSPF network types are compatible and allow communication through the two peering devices?

A. broadcast to nonbroadcast

B. point-to-multipoint to nonbroadcast

C. broadcast to point-to-point

D. point-to-multipoint to broadcast


Correct Answer: A

The following different OSPF types are compatible with each other:

+ Broadcast and Non-Broadcast (adjust hello/dead timers) + Point-to-Point and Point-to-Multipoint (adjust hello/dead timers) Broadcast and Non-Broadcast networks elect DR/BDR so they are compatible. Point-topoint/ multipoint do not elect DR/BDR so they are compatible.


Question 14:


At which Layer does Cisco DNA Center supports REST controls?

A. EEM applets or scripts

B. Session layer

C. YMAL output from responses to API calls

D. Northbound APIs


Correct Answer: D

Question 15:


Which statement about agent-based versus agentless configuration management tools is true?

A. Agentless tools require no messaging systems between master and slaves.

B. Agentless tools use proxy nodes to interface with slave nodes.

C. Agent-based tools do not require a high-level language interpreter such as Python or Ruby on slave nodes.

D. Agent-based tools do not require the installation of additional software packages on the slave nodes.


Correct Answer: A



Enjoy two premium benefits for free! Although they are only part of the Lead4Pass 350-401 dumps!

Now, use PDF or VCE to practice Lead4Pass 350-401 dumps: (1051 Q&A), assisting you to pass the Cisco 350-401 ENCOR certification exam 100% successfully.