Question 1

A new MSE with wIPS service has been installed and no alarm information appears to be reaching the MSE from controllers. Which protocol must be allowed to reach the MSE from the controllers?

Accepted Answer

B

Explanation: The Network Mobility Services Protocol (NMSP) is a Cisco-proprietary protocol that facilitates communication between a Cisco Wireless LAN Controller (WLC) and a Cisco Mobility Services Engine (MSE). This protocol is essential for the MSE to receive data for services such as wIPS (Wireless Intrusion Prevention System) and Context-Aware Services (CMX). The WLC collects security event information from its managed access points and forwards this data, including wIPS alarms and rogue device information, to the MSE over an NMSP connection. If this protocol is blocked by a firewall or an access control list, the MSE will not receive any alarm data.

Question 2

A corporation has employees working from their homes. A wireless engineer must connect 1810
OEAP at remote teleworker locations. All configuration has been completed on the controller side,
but the network readiness is pending. Which two configurations must be performed on the firewall
to allow the AP to join the controller? (Choose two.)

Accepted Answer

B, D

Explanation: For a Cisco OfficeExtend Access Point (OEAP) to establish a connection with a Wireless LAN Controller (WLC) across the public internet, two fundamental network configurations are required. First, the WLC, which resides on the private corporate network, must be reachable from the AP at the remote location. This is accomplished by configuring Network Address Translation (NAT) on the firewall to map a public, internet-routable IP address to the WLC's AP-Manager interface. The WLC must also be configured with this public NAT IP. Second, the firewall must be configured to permit the Control and Provisioning of Wireless Access Points (CAPWAP) protocol traffic. CAPWAP uses UDP port 5246 for control plane communication and UDP port 5247 for data plane traffic, both of which must be allowed inbound to the WLC.

Question 3

An engineer wants to upgrade the APs in a Cisco FlexConnect group. To accomplish this upgrade, the
FlexConnect AP Upgrade setting will be used. One AP of each model with the lowest MAC address in
the group must receive the upgrade directly from the controller. Which action accomplishes this
direct upgrade?

Accepted Answer

D

Explanation: The Cisco FlexConnect AP Upgrade feature is designed to conserve WAN bandwidth by having only one "master" AP per model within a FlexConnect group download the new software image from the controller. The other "slave" APs then download the image from the master AP over the local network. The controller automatically selects the AP with the lowest MAC address as the master. An administrator has the option to manually override this and set a specific AP as the master. To ensure the default behavior occurs (where the AP with the lowest MAC is chosen), the administrator should simply enable the feature and not manually configure any master AP.

Question 4

A shopping center uses AireOS controllers with Cisco Wave 2 APs. A separate WLAN named Guest-
012345678-WLAN is used for guest wireless
clients. Management needs location analytics to
determine popular areas. CMX must track only associated clients. What must be selected on the
CMX server settings?

Accepted Answer

A

Explanation: The core requirement is to perform location analytics using Cisco CMX but to limit the tracking to only clients that are actively connected to the network. By default, CMX processes location data for both associated clients and unassociated (probing) clients. To meet the requirement of tracking only associated clients, the administrator must configure CMX to ignore the data from probing devices. The "Exclude probing clients" setting (or unchecking "Include Probing Clients") is the specific function designed for this purpose, ensuring analytics are based solely on devices that have completed the association process with an AP.

Question 5

An engineer has been hired to implement a way for users to stream video content without having
issues on the wireless network. To accomplish this goal, the engineer must set up a reliable way for a
Media Stream to work between Cisco FlexConnect APs. Which feature must be enabled to
guarantee delivery?

Accepted Answer

C

Explanation: Cisco Media Stream (also called VideoStream) achieves reliable video delivery by having the AP convert the multicast stream to independent unicast frames that are acknowledged by every client. On a WLC this behaviour is activated through the Media Stream option “Multicast Direct.” FlexConnect APs inherit this setting from the controller; when Multicast Direct is enabled, the FlexConnect APs replicate the stream per-client, guaranteeing delivery and preventing the loss normally associated with multicast over 802.11.

Question 6

An engineer must implement Cisco Identity-Based Networking Services at a remote site using ISE to
dynamically assign groups of users to specific IP subnets. If the subnet assigned to a client is available
at the remote site, then traffic must be offloaded locally, and subnets are unavailable at the
remote site must be tunneled back to the WLC. Which feature meets these requirements?

Accepted Answer

C

Explanation: The scenario requires a solution where client traffic is either switched locally at a remote site or tunneled to the central WLC, with the decision based on the VLAN assigned by ISE. This functionality is explicitly provided by the VLAN-based central switching feature within a FlexConnect architecture. This feature allows an administrator to define which VLANs are tunneled (centrally switched). When a client associates, and ISE assigns it to a VLAN, the FlexConnect AP checks its configuration. If the assigned VLAN is not on the central switching list, its traffic is switched locally. Otherwise, it is tunneled to the WLC, perfectly matching the requirements.

Question 7

Which QoS level is recommended for guest services?

Accepted Answer

B

Explanation: In Cisco's wireless architecture, Quality of Service (QoS) is managed through predefined profiles. The Bronze profile is specifically designed for background or low-priority traffic. Guest services are considered non-critical, and their traffic should not impede essential enterprise applications like voice or video. Assigning guest services to the Bronze profile ensures they receive the lowest priority handling, aligning with best practices for network resource management. This prevents guest traffic from consuming bandwidth that may be needed for business-critical operations.

Question 8

A wireless engineer needs to implement client tracking. Which method does the angle of arrival use to determine the location of a wireless device?

Accepted Answer

D

Explanation: Angle-of-Arrival (AoA) location systems compute a client’s position by measuring the angle at which the RF signal reaches a multi-element antenna array on each access point; this measured angle is the signal’s angle of incidence and is then intersected from two or more APs to pinpoint the device. No RSSI values or time-difference metrics are required—only the incident angle.

Question 9

A network administrator just completed the basic implementation of Cisco CMX and tries to
implement location tracking. The administrator is having trouble establishing connectivity between
one of the WLCs through NMSP. What must be configured to establish this connectivity? (Choose
two.)

Accepted Answer

B, C

Explanation: To establish a connection between a Cisco Wireless LAN Controller (WLC) and a Cisco Connected Mobile Experiences (CMX) server, the Network Mobility Services Protocol (NMSP) is used. This requires two primary configuration steps. First, NMSP must be explicitly enabled on the WLC, and the CMX server must be added to the WLC's list of mobility service engines. Second, if a firewall or access control list exists between the WLC and the CMX server, it must be configured to permit NMSP traffic. NMSP uses TCP port 16113 for communication initiated from the WLC to the CMX server. Failure in either of these steps will prevent connectivity.

Question 10

After receiving an alert about a rogue AP, a network engineer logs into Cisco Prime Infrastructure and
looks at the floor map where the AP that
detected the rogue is located. The map is synchronized
with a mobility services engine that determines that the rogue device is actually inside the campus.
The engineer determines that the rogue is a security threat and decides to stop if from broadcasting
inside the enterprise wireless network. What is the fastest way to disable the rogue?

Accepted Answer

C

Explanation: The fastest way to disable a rogue AP from the Cisco Prime Infrastructure (PI) console is to initiate containment. This action instructs nearby managed access points to actively disrupt the rogue AP's operation by sending deauthentication frames to its clients. This immediately stops the rogue from providing service on the enterprise network. While classifying the rogue as malicious is a prerequisite, the containment action itself is what disables the device's functionality. Physically locating and powering off the device is time-consuming and not the fastest method available through the management system.

Question 11

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/CISCO_300-430_Dumps/page_58_img_1.jpg An engineer must restrict some subnets to have access to the WLC. When the CPU ACL function is enabled, no ACLs in the drop-down list are seen. What is the cause of the problem?

Accepted Answer

B

Explanation: On a Cisco AireOS Wireless LAN Controller (WLC), Access Control Lists (ACLs) must first be created as separate entities before they can be applied for specific functions, such as protecting the CPU. The configuration process is sequential: an administrator first navigates to the Security > Access Control Lists section of the GUI to define the ACL and its rules. Only after the ACL is created and saved does it become available for selection in other parts of the configuration, including the Management > CPU > CPU Access Control Lists page shown in the exhibit. An empty drop-down list indicates that this prerequisite step of creating an ACL has not been performed.

Question 12

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/CISCO_300-430_Dumps/page_13_img_1.jpg Which COS to DSCP map must be modified to ensure that voice traffic is tagged correctly as it traverses the network?

Accepted Answer

D

Explanation: According to Cisco's Quality of Service (QoS) best practices, voice media traffic (RTP) is the most delay-sensitive and should be marked with a Class of Service (CoS) value of 5 at Layer 2 and a Differentiated Services Code Point (DSCP) value of 46 (Expedited Forwarding, EF) at Layer 3. The exhibit shows the output of show mls qos map cos-dscp, which reveals that CoS 5 is currently mapped to DSCP 40. This is an incorrect mapping for voice traffic. To ensure voice traffic is tagged correctly as it traverses the network, the mapping must be modified to associate CoS 5 with DSCP 46.

Question 13

An engineer is configuring multicast for two WLCs. The controllers are in different physical locations
and each handles around 500 wireless clients. How should the CAPWAP multicast group address be
assigned during configuration?

Accepted Answer

A

Explanation: When configuring WLCs in multicast mode, each controller must be assigned a unique CAPW-AP multicast group address. This is a critical requirement to ensure that access points (APs) only receive multicast traffic from the specific controller to which they are associated. If multiple WLCs on the same routed multicast network use the same multicast group address, an AP associated with one WLC would incorrectly receive and process multicast packets from other WLCs. This creates unnecessary overhead on the AP and can lead to unpredictable behavior.

Question 14

An engineer wants the wireless voice traffic class of service to be used to determine the queue order
for packets received, and then have the differentiated services code point set to match when it is
resent to another port on the switch. Which configuration is required in the network?

Accepted Answer

D

Explanation: “mls qos trust cos” tells the switch to accept (trust) the 802.1p CoS value that arrives from the WLC/AP, use that value to choose the internal queue, and then rewrite the packet’s DSCP on egress via the default cos-to-dscp map. Thus queueing is driven by the received CoS and the DSCP sent toward the next hop is automatically set to the equivalent value—exactly the behavior requested.

Question 15

An engineer is using Cisco Prime Infrastructure reporting to monitor the state of security on the WLAN. Which output is produced when the Adaptive wIPS Top 10 AP report is run?

Accepted Answer

D

Explanation: The "Adaptive wIPS Top 10 AP" report in Cisco Prime Infrastructure identifies the access points that have detected the highest number of security threats. The report lists the top 10 access points ranked by the total count of Wireless Intrusion Prevention System (wIPS) events. This security monitoring function relies on Access Points configured in monitor mode. In this mode, an AP dedicates its radios to off-channel scanning, continuously monitoring all channels in its band to detect rogue devices and security attacks, which is the foundation of the Adaptive wIPS system.

Free Cisco 300-430 Actual Exam Questions