300-430 Implementing Cisco Enterprise Wireless Networks (300-430 ENWLSI) Question and Answers

 The correct configuration for limiting Internet bandwidth for each guest client on a Cisco Catalyst 9800 WLC is through a policy map. A policy map allows the creation of policies that can manage traffic within a network. By setting a bandwidth limit within the policy map, the WLC can enforce the required QoS for guest clients. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

CMX Facebook Wi-Fi is designed to provide limited access to the network before a user completes authentication. This feature allows HTTP traffic only before authentication while blocking all other traffic, which corresponds with option A. Additionally, it intercepts HTTP traffic to redirect the user to the authentication page, which aligns with option D. The purpose of these restrictions is to ensure that users can be directed to log in via Facebook for Wi-Fi access without compromising network security by allowing unchecked access. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

To create an account for CLI access to an access point for troubleshooting, the WLC must be configured to allow user access with the capability to make changes. The ReadWrite User Access Mode enables an engineer to have full read and write access to the AP’s configuration via the CLI, which is necessary for performing troubleshooting tasks. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

During the Extensible Authentication Protocol (EAP) process, the RADIUS server generates an encrypted session key after the client’s identity is authenticated. This session key is sent to the access point to encrypt data frames between the client and the access point. It ensures that each session has a unique encryption key, enhancing security. References: Look for information on EAP and RADIUS in the CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

On a Cisco Catalyst 9800 Series Wireless Controller, the command set that prevents a FlexConnect AP from allowing wireless clients to connect when its Ethernet connection is nonoperational is the fallback-radio-shut command within the FlexConnect profile configuration. This command disables the radios on the AP, thus preventing client connections during Ethernet link failure. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The AAA override feature on a WLAN allows for individualized security policies to be applied to users after they are authenticated by the AAA server, which in this case is Cisco ISE (Identity Services Engine). The company policy requires that all users be denied access to any resources until they pass validation. By using AAA override, the network can enforce access control policies based on user credentials and group membership, ensuring that users cannot access network resources until they have been validated by Cisco ISE. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The angle of arrival (AoA) method for client tracking determines the location of a wireless device using triangulation. This technique involves measuring the angle at which the signal arrives at different receivers (access points) and using this information to pinpoint the device’s location within the network. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The issue with the Cisco CMX dashboard not showing any data can be resolved by integrating the Wireless LAN Controllers (WLCs) with the CMX system. The CMX solution relies on data from the WLCs to track and detect users’ presence in the office area. Without the WLCs being added to CMX, the system cannot collect the necessary analytics and location data for its operations.

To ensure reliable streaming of multicast video over a wireless link, it’s essential to optimize the multicast settings on the controller. Option B, implementing video-stream for the multicast video on the controller, is a feature that optimizes the delivery of multicast streams by converting them into unicast streams for specific clients, thus improving reliability. Option C, allowing multicast-direct to work correctly, involves enabling multicast-direct globally, which allows multicast packets to be sent directly to clients without the need for them to subscribe to a specific multicast group, enhancing efficiency and reliability. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

On the Global Configuration page of a Wireless LAN Controller (WLC), for an Access Point (AP) to use IEEE 802.1X for authenticating to the wired infrastructure, it is necessary to configure a RADIUS shared secret. This secret will be used by the AP as part of its credentials when communicating with a RADIUS server during the authentication process. References: (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

When implementing Cisco Identity-Based Networking on a Cisco AireOS controller with two ACLs where one is applied directly on the WLC interface and another referenced by ISE for a specific group policy, the resulting ACL for a user in that group would be a combination of both ACLs. The BASE_ACL applied on the corporate_clients interface acts as the default ACL for all corporate clients, while HR_ACL is specific for Human Resources users. When a Human Resources user connects, HR_ACL takes precedence but does not replace BASE_ACL; instead, it appends its rules to those of BASE_ACL resulting in an aggregated set of rules from both ACLs. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

 IGMP snooping is a feature that allows a network switch to listen to the Internet Group Management Protocol (IGMP) network traffic. This feature enables the switch to identify the multicast streams to which hosts are interested and to forward multicast traffic intelligently. By enabling IGMP snooping on the Wireless LAN Controller (WLC), it ensures that multicast streams are only forwarded to the access points (APs) where clients are subscribed to them. Setting the AP multicast mode to a specific multicast address, such as 238.255.255.255, allows the WLC to send multicast traffic to APs using this address, which helps in efficient distribution of the multicast stream.

For optimal voice over WLAN performance with a Cisco 8821 wireless phone, the Cisco recommended configuration is to set the switch port to access mode and trust the DSCP markings. This ensures that voice traffic is appropriately prioritized in the network, providing better quality of service for voice communications. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

When configuring an Access Control List (ACL) to restrict traffic to the Wireless LAN Controller (WLC) CPU, the direction of the traffic is crucial. Since the ACL is meant to control traffic that is destined for the WLC CPU, it should be set as “Inbound”. This means that any rules applied within this ACL will affect incoming traffic towards the WLC, which is necessary when aiming to restrict certain types of traffic from reaching and potentially overwhelming the controller’s processing capabilities. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 To ensure the 1810 OEAP can join the controller from remote teleworker locations, the firewall must allow specific UDP ports that are used for AP communication with the controller. UDP ports 5246 and 5247 are used for Control and Provisioning of Wireless Access Points (CAPWAP) control and data messages, while UDP ports 12222 and 12223 are used for OfficeExtend APs’ data traffic. Blocking these ports would prevent the APs from joining the controller, hence they must be allowed on the firewall.

 The customizable security report in Cisco Prime Infrastructure that shows rogue access points (APs) detected since a point in time is the “New Rogue APs” report. This report is specifically designed to track and list all newly detected rogue APs within the network from a specified time, allowing network administrators to quickly identify unauthorized devices. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

When configuring an Access Control List (ACL) to restrict traffic to the Wireless LAN Controller (WLC) CPU, the direction of the traffic is crucial. Since the ACL is meant to control traffic that is destined for the WLC CPU, it should be set as “Inbound”. This means that any rules applied within this ACL will affect incoming traffic towards the WLC, which is necessary when aiming to restrict certain types of traffic from reaching and potentially overwhelming the controller’s processing capabilities. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The primary change to the network when adding APs for location-based services, such as VolMLAN, would be the AP footprint. This refers to the physical coverage area of the access points. Increasing the AP footprint enhances the ability to perform location-based services by improving the accuracy of triangulation and location tracking of devices. This is because a denser AP footprint allows for more precise determination of a device’s location within the network. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide, specifically the sections discussing location-based services and AP deployment strategies for optimal coverage and location tracking.

Allowing access to the Local Area Network (LAN) without implementing a Mobile Device Management (MDM) solution poses a significant security risk to a Bring Your Own Device (BYOD) policy. Without MDM, the organization lacks control over the personal devices that connect to its network, which could lead to unauthorized access to sensitive data, potential data breaches, and the inability to enforce security policies.

In Cisco Prime Infrastructure, the report that must be created to present a list of all rogue APs with a high severity score to senior management is the “Rogue APs” report. This report provides detailed information about rogue access points detected in the network, including their severity score, which helps in assessing the potential risk they pose to the network security. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

To integrate the Mobility Services Engine (MSE) with Cisco Prime Infrastructure for tracking the location of clients and rogues on maps, it is essential to add the MSE to Cisco Prime Infrastructure using the communication credentials specific to Cisco Prime Infrastructure. This ensures that both systems can communicate effectively. Additionally, a valid license for location tracking must be applied to enable the MSE’s location services capabilities. Without this license, the MSE would not be able to provide client and rogue location tracking functionalities. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

To ensure that all Android devices are placed into a separate VLAN on their wireless network without deploying ISE, the feature that must be implemented on the Cisco WLC is “WLAN local policy”. This feature allows the network administrator to create policies that can classify and segregate devices based on their operating system, in this case, Android devices, into a designated VLAN. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

Graphical user interface Description automatically generated

 LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining distributed directory information services over an IP network. In the context of Cisco ISE (Identity Services Engine), LDAP can be utilized as a directory service to authenticate and authorize users during local web authentication processes. LDAP supports a wide range of directory services, including Microsoft Active Directory, which is commonly used in enterprise environments.

 Link-Local Service (LSS) filtering for mDNS (Multicast Domain Name System) is used to control the propagation of mDNS services across the network. To enable LSS for the AppleTV mDNS service only when ORIGIN is set to Wired, the correct action is to set ORIGIN to Wired and enable LSS specifically for the AppleTV service. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 The two protocols used to communicate between the Cisco Mobility Services Engine (MSE) and the Cisco Prime Infrastructure network management software are HTTPS and NMSP (Network Mobility Services Protocol). HTTPS is used for secure web-based communications, while NMSP is a Cisco proprietary protocol used specifically for efficient, real-time communication between MSE and network management software like Cisco Prime Infrastructure. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

When an IT department needs to locate a stolen laptop using its MAC address, enabling Location History for Clients on the Mobility Services Engine (MSE) is crucial as it allows for historical tracking of client devices’ locations. Furthermore, Client location tracking must also be enabled on the MSE; this feature actively tracks and updates the current position of all client devices in real-time. Both settings are necessary to provide a comprehensive view of where the laptop has been over time and its current location within the wireless network’s coverage area. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

 For an enterprise wireless network with distributed offices globally and APs configured in FlexConnect mode, enabling FlexConnect local authentication is essential to support 802.11r and CCKM. This configuration allows for fast roaming and maintains a secure connection by locally authenticating the clients without having to go back to the central site, thus providing a seamless and efficient roaming experience for the users.

In Cisco Wireless LAN Controller (WLC) environments, the feature that allows for different usernames and passwords for administrative support on specific APs is the local management users. This feature enables the configuration of unique credentials on individual APs, separate from the global credentials used for the rest of the network. By enabling local management users, the APs in the CEO’s office can have distinct administrative access controls, ensuring a higher level of security and customization. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

For new Access Points (APs) in a Cisco FlexConnect deployment, switch ports should be configured in trunk mode. This allows the APs to handle traffic for multiple WLANs or SSIDs, each associated with different VLANs. Trunk mode enables the AP to tag traffic with the correct VLAN IDs as per its configuration. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The Voice VLAN feature on switches allows the network to distinguish between voice traffic and data traffic from wireless clients connected to IP phones. This is crucial for applying the appropriate QoS to ensure that voice traffic is prioritized over client data traffic. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

Split tunneling on a Cisco Aironet 600 Series OfficeExtend AP allows for traffic to be divided between two different networks. In this case, it enables the user to access the corporate network for work-related tasks while simultaneously allowing them to print to a printer on their home network. This is achieved by routing the traffic meant for the corporate network to the WLC, while local traffic such as the connection to a home printer is kept on the local network. References := CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

Cisco Prime Infrastructure reporting provides a comprehensive summary of inconsistencies and missed best practices related to WLAN controllers. It aggregates data from all WLCs, Cisco MSE, and itself to generate detailed reports. References: Cisco Prime Infrastructure reporting features documentation.

The default IEEE 802.1x AP authentication configuration on a Cisco Catalyst 9800 Series Wireless Controller is EAP-FAST with CAPWAP DTLS (Option D). This method uses EAP-FAST for authentication within a secure tunnel established by Datagram Transport Layer Security (DTLS) over CAPWAP, which provides both security for authentication credentials and encryption for wireless management frames. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

Protocol Independent Multicast (PIM) sparse mode and dense mode are two different multicast routing mechanisms. Sparse mode uses distribution trees and is designed for networks where multicast groups are sparsely distributed across the network, minimizing unnecessary traffic. In contrast, dense mode floods the network with multicast traffic and then prunes back the branches where there are no interested receivers, which can lead to inefficient use of bandwidth. References := CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

In a FlexConnect group with local switching but central DHCP, clients can use features like multicast and static IP without any issues. However, fast roaming, which allows clients to move seamlessly between access points with minimal delay, requires the access points to handle client information locally. If the configuration is changed to allow local DHCP, then the access points can cache client credentials, enabling fast roaming.

References :=

• CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide
• Cisco documentation on FlexConnect configurations

For high availability configuration in Cisco CMX servers to work correctly, both primary and secondary servers must be identical in terms of installation type (physical or virtual) and size (resources allocated like CPU, RAM). If there is a mismatch in these aspects, it can lead to failure in setting up high availability as they need to synchronize data between them seamlessly. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 For an enterprise wireless network with distributed offices globally and APs configured in FlexConnect mode, enabling FlexConnect local authentication is essential to support 802.11r and CCKM. This configuration allows for fast roaming and maintains a secure connection by locally authenticating the clients without having to go back to the central site, thus providing a seamless and efficient roaming experience for the users.

The Cisco Aironet 600 Series OfficeExtend APs support various Layer 2 security options, including WPA+WPA2 and 802.1X. WPA and WPA2 provide secure encryption for wireless data, while 802.1X offers a robust authentication framework. These security options ensure that the wireless network is protected against unauthorized access and data breaches, which is crucial for remote workers connecting to the corporate network. References := CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

Trusting DSCP is essential for maintaining the QoS markings across the wired and wireless network in a FlexConnect deployment. By trusting DSCP, the WLC and APs will preserve the QoS markings set by applications and devices, ensuring consistent QoS treatment throughout the network. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

When an engineer enables CPU ACLs on a Cisco device through Security > Access Control Lists > CPU Access Control Lists menu, this change applies immediately to both wireless and wired traffic directed towards the CPU of the device. This includes all management traffic destined for control plane services within the device itself, providing an additional layer of security against potential threats. References: (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

The maximum time range that can be viewed on the Cisco DNA Center issues and alarms page is 24 hours. This allows network administrators to monitor and troubleshoot recent issues and alarms within a one-day period. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

Cisco Connected Mobile Experiences (CMX) Location Analytics requires accurate tracking of devices within the wireless network’s coverage area. To utilize CMX Location Analytics effectively, it is essential to enable tracking parameters in Cisco Mobility Services Engine (MSE). This allows MSE to collect data on device locations and movements within the environment, which can then be analyzed by CMX for insights into customer behavior, asset tracking, or other analytical purposes. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

For location analytics in a shopping center using AireOS controllers with Cisco Wave 2 APs, the CMX server settings must exclude probing clients to track only associated clients. This setting ensures that the location analytics data reflects the movements of clients that are actively connected to the WLAN, providing accurate insights into popular areas within the shopping center. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 In a BYOD (Bring Your Own Device) deployment strategy that prefers a single SSID model, an Identity Services Engine (ISE) is required. Cisco’s ISE is a security policy management platform that automates and enforces context-aware security access to network resources. It allows for the creation of policies that control access to the network based on user identity, device type, device health, and posture compliance, which is essential for a BYOD environment. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 Configuring an AVC profile for the Jabber traffic and applying it to the WLAN ensures that voice traffic from Cisco Jabber receives Platinum QoS while keeping other WLAN traffic at Silver class. AVC allows for deep packet inspection which can identify Jabber application packets so they can be given priority over other types of traffic.

To segregate iOS-connected devices onto a guest SSID on VLAN 101 and the rest of the clients on VLAN 102, specific configurations are needed on the Cisco Catalyst 9800 Wireless LAN Controller (WLC). The correct configurations required are:

• Add local profiling policy under global security policy settings (Option B): This allows the WLC to profile devices based on their operating system. By identifying iOS devices, a local profiling policy can then direct these devices to the appropriate VLAN.
• Enable device classification on global wireless settings (Option E): Device classification is necessary for the WLC to differentiate between device types. Once enabled, it can apply different policies based on whether a device is recognized as an iOS device or not.

References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

The correct command set for configuring a Cisco Catalyst 9800 Series Wireless Controller so that the client traffic enters the network at the AP switch port is Option C:

config terminal

wireless profile policy [policy name]

no central switching

end

This configuration disables central switching, which means that client traffic will be locally switched at the access point level rather than being sent through the controller. This is useful in scenarios where local switching is preferred due to reasons such as reducing latency or conserving bandwidth on WAN links. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

The Media Stream feature on a Cisco WLC allows for the prioritization of streaming media. To guarantee at least 2 Mbps stream per user, the ‘coarse’ Resource Reservation Control (RRC) template should be used, as it provides the necessary bandwidth allocation for each user’s media stream. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 To adjust the precedence and override the QoS profile on the WLAN for WebEx, an Application Visibility and Control (AVC) profile needs to be created for WebEx. AVC profiles allow for the identification and prioritization of specific applications over the wireless network, ensuring that critical applications like WebEx receive the necessary bandwidth and QoS treatment. References := CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

When a wireless controller is configured to authenticate clients against Microsoft Active Directory using PEAP (Protected Extensible Authentication Protocol), it uses RADIUS (Remote Authentication Dial-In User Service) as the protocol to communicate with the authentication server. RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

In Quality of Service (QoS) for networking, Class of Service (COS) and Differentiated Services Code Point (DSCP) are used for traffic classification and prioritization. Voice traffic is generally given high priority due to its sensitivity to delay and requires proper tagging to maintain quality over the network.

The correct mapping for voice traffic, according to best practices, is a COS value of 5 mapped to a DSCP value of 46. This is because DSCP 46 corresponds to Expedited Forwarding (EF), which is typically used for voice traffic prioritization in IP networks.

The exhibit shows the output from a command on a network device that displays the current mappings between COS values and DSCP values. The mapping that needs modification for correct voice traffic tagging can be identified by looking at the standard practice for voice QoS, which uses a COS value of 5 mapped to a DSCP value of 46.

References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

The correct command to shut down the 2.4 GHz radio on a specific AP on a Cisco 3850 switch is ap name Floor1_AP1 dot11 24ghz shutdown. This command specifies the AP by name (Floor1_AP1), the radio frequency band (dot11 24ghz), and the action to be taken (shutdown). The other commands listed either reference the wrong frequency band, use incorrect syntax, or are not valid Cisco IOS commands for managing AP radios. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The Voice VLAN feature on switches allows the network to distinguish between voice traffic and data traffic from wireless clients connected to IP phones. This is crucial for applying the appropriate QoS to ensure that voice traffic is prioritized over client data traffic. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

In a Cisco wireless LAN controller, setting a specific data rate to ‘Mandatory’ means that all wireless clients must be able to communicate at this rate. To ensure that multicast uses the 54Mbps rates, one must set the 54Mbps data rate to ‘Mandatory’. This configuration will make it so that all multicast traffic is transmitted at this minimum set data rate, thus meeting the requirement specified by the engineer.

The correct command to add a VLAN with a specific ID to a FlexConnect group in a Cisco Wireless LAN Controller (WLC) is ‘config flexconnect group BranchA-FCG vlan 30 add’. This command specifies the FlexConnect group name ‘BranchA-FCG’ and the VLAN ID ‘30’, followed by the action ‘add’, which is consistent with Cisco’s CLI syntax for WLC configuration. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

When planning an image upgrade for a large number of Access Points (APs) across remote sites with limited WAN bandwidth, it’s crucial to minimize WAN utilization. The best approach in this scenario is:

• Predownload the new code to the APs (Option A): This method involves sending the new firmware image to all APs before actually rebooting them with the new image. It allows APs to download firmware when network usage is low, thus minimizing impact during peak hours.

References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

In Cisco ISE version 2.1 for BYOD with a Single SSID setup, 802.1x must be configured to provide the necessary layer of security and to facilitate the device registration process. 802.1x authentication allows for the use of EAP (Extensible Authentication Protocol) to authenticate users before they can access the network. This ensures that only authorized devices can join the BYOD network, providing a secure method for device onboarding and access control. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 In a Cisco WLAN deployment where it is required that all APs from branch1 remain operational even if the control plane CAPWAP tunnel is down, the operational mode that must be configured on the APs is standalone (option B). In standalone mode, the APs can continue to function and provide network access to clients even without a connection to the WLC, which is essential during a WAN failure to headquarters. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide, with a focus on AP operational modes and their behavior during network disruptions.