Refer to the exhibits.

While troubleshooting, a network engineer discovers that the backup path fails between ASBR3 and ASBR4 for traffic between BGP AS6000 and BGP AS6500 when the connection between ASBR1 and ASBR2 goes down. The following configurations were performed on ASBR1:

Which command is missing?

1. A. bgp additional-paths Install
2. B. bgp additional-paths select
3. C. redistribute static
4. D. bgp advertise-best-external

Correct Answer: D
The bgp advertise-best-external command is used to enable the advertisement of the best external path to internal BGP peers. This command is useful when there are multiple exit points from the local AS to other ASes, and the local AS wants to use the closest exit point for each destination. By default, BGP only advertises the best path to its peers, and the best path is usually the one with the lowest IGP metric to the next hop. However, this may not be the optimal path for traffic leaving the local AS, as it may result in suboptimal hot-potato routing or MED oscillations. The bgp advertise-best-external command allows BGP to advertise the best external path, which is the path with the lowest MED among the paths from different neighboring ASes, in addition to the best path. This way, the internal BGP peers can choose the best exit point based on the MED value, rather than the IGP metric. In this scenario, ASBR1 is configured to receive additional paths from ASBR2, which is a route reflector. ASBR2 receivestwo paths for the same prefix from AS6500, one from ASBR3 and one from ASBR4. ASBR2 selects the best path based on the IGP metric to the next hop, and advertises it to ASBR1. However, this path may not be the best external path, as it may have a higher MED value than the other path. If the connection between ASBR1 and ASBR2 goes down, ASBR1 will not have any backup path to reach AS6500, as it does not know the other path from ASBR4. To prevent this situation, ASBR1 should be configured with the bgp advertise-best-external command, so that it can receive the best external path from ASBR2, along with the best path. This way, ASBR1 will have a backup path to reach AS6500, in case the primary path fails. References := IP Routing: BGP Configuration Guide - BGP Additional Paths ?? - Cisco, BGP Additional Paths

DRAG DROP
Refer to the exhibit.

Drag and drop the steps from the left onto the order on the right to configure a site-to-site VPN connection between an on-premises Cisco IOS XE router and Amazon Web Services (AWS).

Solution:
Step 1 = Create a Customer Gateway (CGW) in AWS. Step 2 = Create a Virtual Private Gateway (VGW) in AWS. Step 3 = Create a site-to-site VPN connection in AWS. Step 4 = Configure the IOS XE router with the required IPsec VPN parameters and routing settings. Step 5 = Verify and test the VPN connection.
The process of configuring a site-to-site VPN connection between an on-premises Cisco IOS XE router and Amazon Web Services (AWS) involves several steps12.
✑ Create a Customer Gateway (CGW) in AWS: This is the first step where you
define the public IP address of your on-premises Cisco IOS XE router in AWS1.
✑ Create a Virtual Private Gateway (VGW) in AWS: This involves creating a VGW and attaching it to the VPC in AWS1.
✑ Create a site-to-site VPN connection in AWS: After setting up the CGW and VGW, you then create a site-to-site VPN connection in AWS. This involves specifying the CGW, VGW, and the static IP prefixes for your on-premises network1.
✑ Configure the IOS XE router with the required IPsec VPN parameters and routing settings: After the AWS side is set up, you configure the on-premises Cisco IOS XE router with the required IPsec VPN parameters and routing settings2.
✑ Verify and test the VPN connection: Finally, you verify and test the VPN connection to ensure that it is working correctly12.
References :=
✑ Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services - Cisco Community
✑ SD-WAN Configuration Example: Site-to-site (LAN to LAN) IPSec between vEdge
and Cisco IOS - Cisco Community

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

Refer to the exhibits.

An engineer needs to configure a site-to-site IPsec VPN connection between an on premises Cisco IOS XE router and Amazon Web Services (AWS). Which two IP prefixes should be used to configure the AWS routing options? (Choose two.)

1. A. 30.30.30.0/30
2. B. 20.20.20.0/24
3. C. 30.30.30.0/24
4. D. 50.50.50.0/30
5. E. 40.40.40.0/24

Correct Answer: AE
The correct answer is A and E because they are the IP prefixes that match the tunnel interfaces on the Cisco IOS XE router. The AWS routing options should include the local and remote IP prefixes that are used for the IPsec tunnel endpoints. The other options are either the public IP addresses of the routers or the LAN subnets that are not relevant for the IPsec tunnel configuration. References := Designing and Implementing Cloud Connectivity (ENCC) v1.0, Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services, Site-to-Site VPN with Amazon Web Services

Refer to the exhibit.

Which Cisco lKEv2 configuration brings up the IPsec tunnel between the remote office router and the AWS virtual private gateway?
A)

B)

C)

1. A. Option A
2. B. Option B
3. C. Option C

Correct Answer: C
Option C is the correct answer because it configures the IKEv2 profile with the correct match identity, authentication, and keyring parameters. It also configures the IPsecprofile with the correct transform set and lifetime parameters. Option A is incorrect because it does not specify the match identity remote address in the IKEv2 profile, which is required to match the AWS virtual private gateway IP address. Option B is incorrect because it does not specify the authentication pre-share in the IKEv2 profile, which is required to authenticate the IKEv2 peers using a pre-shared key. Option C also matches the configuration example provided by AWS1 and Cisco2 for setting up an IKEv2 IPsec site-to- site VPN between a Cisco IOS-XE router and an AWS virtual private gateway. References :=
✑ 1: AWS VPN Configuration Guide for Cisco IOS-XE
✑ 2: Configure IOS-XE Site-to-Site VPN Connection to Amazon Web Services

Which method is used to create authorization boundary diagrams (ABDs)?

1. A. identify only interconnected systems that are FedRAMP-authorized
2. B. show all networks in CIDR notation only
3. C. identify all tools as either external or internal to the boundary
4. D. show only minor or small upgrade level software components

Correct Answer: C
According to the FedRAMP Authorization Boundary Guidance document1, the method used to create authorization boundary diagrams (ABDs) is to identify all tools as either external orinternal to the boundary. The ABD is a visual representation of the components that make up the authorization boundary, which includes all technologies, external and internal services, and leveraged systems and accounts for all federal information, data, and metadata that a Cloud Service Offering (CSO) is responsible for. The ABD should illustrate a CSP??s scope of control over the system and show components or services that are leveraged from external services or controlled by the customer1. The other options are incorrect because they do not capture the full scope and details of the authorization boundary as required by FedRAMP. References := FedRAMP Authorization Boundary Guidance document1