Refer to the exhibit.
An engineer successfully brings up the site-to-site VPN tunnel between the remote office and the AWS virtual private gateway, and the site-to-site routing works correctly. However, the end-to-end ping between the office user PC and the AWS EC2 instance is not working. Which two actions diagnose the loss of connectivity? (Choose two.)
Correct Answer:
BC
The end-to-end ping between the office user PC and the AWS EC2 instance is not working because either the security group rules for the host VPC are blocking the ICMP traffic or the IPsec SA counters are showing errors or drops. To diagnose the loss of connectivity, the engineer should check both the security group rules and the IPsec SA counters. The network security group rules on the host VNET are not relevant because they apply to Azure, not AWS. The IPsec SA configuration on the Cisco VPN router and the AWS private virtual gateway are not likely to be the cause of the problem because the site-to-site VPN tunnel is already up and the site-to-site routing works correctly. References:
- Designing and Implementing Cloud Connectivity (ENCC, Track 1 of 5), Module 3: Configuring IPsec VPN from Cisco IOS XE to AWS, Lesson 3: Verify IPsec VPN Connectivity
- Security for VPNs with IPsec Configuration Guide, Cisco IOS XE, Chapter: IPsec VPN Overview, Section: IPsec Security Association
- AWS Documentation, User Guide for AWS VPN, Section: Security Groups for Your VPC
DRAG DROP
An engineer must use Cisco vManage to configure an SLA class to specify the maximum packet loss, packet latency, and jitter allowed on a connection. Drag and drop the steps from the left onto the order on the right to complete the configuration.
Solution:
The process of configuring an SLA class to specify the maximum packet loss, packet latency, and jitter allowed on a connection using Cisco vManage involves several steps [1][2].
- Click Configuration, select Policies, and then select Add Policy: This is the first step where you navigate to the Policies section in the Configuration menu of Cisco vManage [1].
- Click SLA Class and then click New SLA Class List: In this step, you create a new SLA Class List [1].
- Select Criteria, select Loss, Latency and Jitter, and then click Add: After setting up the SLA Class List, you select the criteria for the SLA class. In this case, the criteria are Loss, Latency, and Jitter [1].
- Set values for Loss, Latency, Jitter, and App Probe Class: Finally, you set the values for Loss, Latency, Jitter, and App Probe Class [1].
References:
- Information About Application-Aware Routing - Cisco
- Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20
Does this meet the goal?
Correct Answer:
A
Refer to the exhibits.

An engineer must redistribute OSPF internal routes into BGP to connect an on-premises network to a cloud provider. Which two commands should the engineer run on router R2? (Choose two.)
Correct Answer:
AD
To redistribute OSPF internal routes into BGP for connecting an on-premises network to a cloud provider, the engineer should run the commands "router bgp 100" and "redistribute ospf 1" on router R2. The command "router bgp 100" is used to create a BGP routing process with AS number 100. The command "redistribute ospf 1" is used to redistribute OSPF routes from process ID 1 into BGP. References: I need to access the specific content of Designing and Implementing Cloud Connectivity (ENCC) v1.0 from Cisco's official resources to provide exact references. However, I don't have direct access to external databases or resources, including the Cisco ENCC course materials. I recommend referring to the ENCC course materials for the most accurate and detailed information. Please note that this answer is based on general networking principles and may not reflect the specific content of the ENCC course. Always refer to the official course materials for the most accurate information.
Refer to the exhibit.
Which Cisco IKEv2 configuration brings up the IPsec tunnel between the remote office router and the AWS virtual private gateway?
A) 
B)
C)
Correct Answer:
C
Option C is the correct answer because it configures the IKEv2 profile with the correct match identity, authentication, and keyring parameters. It also configures the IPsec profile with the correct transform set and lifetime parameters. Option A is incorrect because it does not specify the match identity remote address in the IKEv2 profile, which is required to match the AWS virtual private gateway IP address. Option B is incorrect because it does not specify the authentication pre-share in the IKEv2 profile, which is required to authenticate the IKEv2 peers using a pre-shared key. Option C also matches the configuration example provided by AWS [1] and Cisco [2] for setting up an IKEv2 IPsec site-to-site VPN between a Cisco IOS-XE router and an AWS virtual private gateway. References:
- 1: AWS VPN Configuration Guide for Cisco IOS-XE
- 2: Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services
Which Microsoft Azure service enables a dedicated and secure connection between an on-premises infrastructure and Azure data centers through a colocation provider?
Correct Answer:
B
Azure ExpressRoute is a service that enables a dedicated and secure connection between an on-premises infrastructure and Azure data centers through a colocation provider. A colocation provider is a third-party data center that offers network connectivity services to multiple customers. Azure ExpressRoute allows customers to bypass the public internet and connect directly to Azure services, such as virtual machines, storage, databases, and more. This provides benefits such as lower latency, higher bandwidth, more reliability, and enhanced security. Azure ExpressRoute also supports hybrid scenarios, such as connecting to Office 365, Dynamics 365, and other SaaS applications hosted on Azure. Azure ExpressRoute requires a physical connection between the customer's network and the colocation provider's network, as well as a logical connection between the customer's network and the Azure virtual network. The logical connection is established using a Border Gateway Protocol (BGP) session, which exchanges routing information between the two networks. Azure ExpressRoute supports two models: standard and premium. The standard model offers connectivity to all Azure regions within the same geopolitical region, while the premium model offers connectivity to all Azure regions globally, as well as additional features such as increased route limits, global reach, and Microsoft peering. References: Designing and Implementing Cloud Connectivity (ENCC) v1.0, Learning Plan: Designing and Implementing Cloud Connectivity v1.0 (ENCC 300-440) Exam Prep, ENCC | Designing and Implementing Cloud Connectivity | Netec