1 / 9 Cisco 350-101 Exam Implementing and Operating Cisco Wireless Core Technologies (350-101 WLCOR)v1.0 https://www.passquestion.com/350-101.html 35% OFF on All, Including 350-101 Questions and Answers P ass 350-101 Exam with PassQuestion 350-101 questions and answers in the first attempt. https://www.passquestion.com/ 2 / 9 1.A school district is deploying Cisco Catalyst 9176 APs to remote sites with occasional WAN outages. The IT team wants the APs to attempt joining a secondary or tertiary Catalyst 9800 WLC if the primary controller is unreachable. The team must preconfigure all controller IP addresses using the AP CLI before deploying. Which set of CLI commands sets the primary, secondary, and tertiary controller IP addresses on a Catalyst 9176 AP? A. set controller primary-base main-wlc 10.10.10.10 set controller secondary-base backup 10.10.10.20 set controller tertiary-base tertiary-wlc 10.10.10.30 B. capwap ap primary-base main-wlc 10.10.10.10 capwap ap secondary-base backup-wlc 10.10.10.20 capwap ap tertiary-base tertiary-wlc 10.10.10.30 C. ap join primary 10.10.10.10 ap join secondary 10.10.10.20 ap join tertiary 10.10.10.30 D. capwap ap wlc primary 10.10.10.10 capwap ap wlc secondary 10.10.10.20 capwap ap wlc tertiary 10.10.10.30 Answer: B Explanation: Cisco lightweight and Catalyst access points use CAPWAP for AP-to-controller discovery and join operations. For AP-side preconfiguration, Cisco documents the syntax as capwap ap {primary-base | secondary-base | tertiary-base} controller-name controller-ip-address, specifically for configuring primary, secondary, and tertiary controllers on the AP. This matches option B exactly because it includes the CAPWAP AP command, the controller priority keyword, the controller name, and the controller management IP address. (Cisco) The Catalyst 9800 AP join process also recognizes these configured controller entries in priority order: primary controller using capwap ap primary-base, secondary controller using capwap ap secondary-base, and tertiary controller using capwap ap tertiary-base. (Cisco) This allows the AP to attempt a backup controller when the preferred controller is unavailable, which is appropriate for remote sites with intermittent WAN reachability. Option A uses obsolete or invalid set controller syntax. Option C invents an ap join command format. Option D incorrectly inserts wlc into the AP CAPWAP command. Reference topics: Wireless Network Implementation — CAPWAP discovery, AP join process, Catalyst 9800 controller redundancy, and AP CLI provisioning. 2.Refer to the exhibit. 3 / 9 An engineer is setting up a new WLC in a branch office. The IT security policy states that all management access must use encrypted protocols, administrators will connect remotely, and network scans will be run to check for any noncompliant management protocol exposure. Which action must the engineer take to achieve the required management access policy? A. Permit only HTTP, Telnet, and SSH across all VLANs for 10.10.1.0/24. B. Enable Telnet, SSH, and HTTPS across the management and guest interfaces. C. Permit console access for 10.10.1.0/24 only with HTTP disabled. D. Enable HTTPS and SSH, and disable HTTP and Telnet on the WLC. Answer: D Explanation: The correct action is to expose only encrypted management services: HTTPS for WebUI administration and SSH for remote CLI administration. The exhibit confirms the WLC wireless management interface is VLAN 10 with IP address 10.10.1.2, but interface placement alone does not enforce secure management protocol policy. Cisco Catalyst 9800 documentation identifies web admin settings as controller management configuration that determines administrator access, protocols, and interfaces for remote management. Cisco further states that administrators can connect securely over HTTPS, while HTTP “ is not a secure connection, ” and that HTTPS encrypts data to and from the server. For CLI access, Cisco ’ s Catalyst 9800 Secure Shell guidance states that SSH enables secure remote access, and using transport input ssh prevents non-SSH Telnet connections, limiting the device to SSH-only access. Therefore, options A and B violate policy because they permit Telnet and/or HTTP. Option C fails because console access is local, not remote, and disabling only HTTP still leaves Telnet exposure unresolved. Reference topics: Wireless Monitoring and Management — WLC management access, secure administration, HTTPS, SSH, and management-plane hardening. 4 / 9 3.How does the optimized roaming function operate in a WLC implementation? A. It disassociates clients when the RSSI is lower than the set threshold. B. It is integrated with external services for client wireless experience. C. Device locations are determined through peer-to-peer beacons. D. Load balancing is statically defined for all locations. Answer: A Explanation: Optimized roaming is a Cisco WLC feature designed to reduce sticky-client behavior. A sticky client remains associated to an AP even after moving far enough away that another AP would provide better RF service. Cisco describes optimized roaming as actively monitoring client data RSSI and disconnecting clients when received signal strength falls below the configured threshold. The official Catalyst 9800 documentation states that optimized roaming “ disassociates client when the RSSI is lower than the set threshold, ” which directly matches option A. This function does not calculate device location through peer-to-peer beaconing, does not depend on external experience services, and is not static load balancing. It is an RF/client-roaming enforcement mechanism controlled by the wireless infrastructure. In practical operation, the AP/WLC evaluates client signal quality and, when the configured optimized roaming criteria are met, forces the client to disconnect so it can reassess the RF environment and roam to a better AP. Cisco also notes that optimized roaming helps maintain client connectivity by managing disassociationn based on RSSI and data-rate thresholds. Reference topics: Client Connectivity Configuration — client roaming behavior, sticky-client mitigation, RSSI thresholds, and WLC roaming optimization 4.A network engineer must isolate all guest users connected to the WLAN on a Cisco 9800 WLC so they cannot communicate with each other but can access the internet. The WLAN must meet these requirements: • SSID named VisitorAccess assigned to VLAN 30 • guests prohibited from sharing files with other guests • must be scalable to multiple access points in the building Which action must the network engineer take to meet the requirements? A. Enable P2P blocking in the policy profile and map the WLAN to a dedicated guest VLAN. B. Set up local authentication and map the WLAN to a dedicated guest VLAN. C. Set up a FlexConnect group and use local switching for the guest WLAN internet access. D. Enable multicast mode and associate a RADIUS server with the guest WLAN. Answer: A Explanation: The requirement is guest client isolation, not merely guest authentication or internet breakout. On a Catalyst 9800 WLC, peer-to-peer blocking is the correct control because it prevents wireless clients associated to the same WLAN from communicating directly with one another. Cisco defines peer-to-peer blocking as a WLAN security feature applied to individual WLANs, where each client inherits the WLAN ’ s P2P blocking behavior, and traffic can be bridged locally, dropped, or forwarded upstream. For this scenario, the appropriate action is the drop behavior, because guest-to-guest file sharing must be prohibited while upstream internet access remains available. The dedicated guest VLAN, VLAN 30, provides traffic segmentation from production networks and creates a clean policy boundary for VisitorAccess. Cisco ’ s Catalyst 9800 configuration model maps 5 / 9 WLANs to policy profiles, and the policy profile defines client network and switching policy, including VLAN association. Options B, C, and D do not solve client isolation: local authentication validates users, FlexConnect/local switching changes traffic forwarding behavior, and multicast/RADIUS does not block unicast guest-to-guest traffic. Reference topics: Client Connectivity Configuration — guest WLAN design, P2P blocking, VLAN segmentation, and Catalyst 9800 WLAN-to-policy mapping. 5.How does MIMO operate during wireless transmission? A. It uses multiple radio paths to increase throughput and reliability. B. It applies frequency hopping to prevent crosstalk. C. It shares a single connection among endpoints for coverage expansion. D. It limits data paths to a single antenna for error reduction. Answer: A Explanation: MIMO, or Multiple-Input Multiple-Output, is a core 802.11n and later wireless technology that uses multiple transmit and receive radio chains and antennas to improve wireless performance. Cisco ’ s Wireless RF Reference Guide explains that IEEE 802.11n introduced MIMO, replacing the older single-radio SISO model with multiple radios, each using its own antenna, to increase data rates and improve reception in multipath environments. Cisco also notes that weak or distorted multipath signals can be received by more than one radio and reconstructed, improving decode quality and reliability. This directly supports option A: MIMO exploits multiple RF paths rather than treating multipath as purely destructive. Depending on implementation, MIMO can use spatial diversity, maximal ratio combining, and spatial streams to increase throughput, improve signal-to-noise ratio, reduce retries, and make more efficient use of airtime. Cisco describes spatial stream notation such as 4x4:4 as four transmitters, four receivers, and four spatial streams. Option B describes frequency hopping, not MIMO. Option C is not a MIMO function. Option D is the opposite of MIMO because MIMO deliberately uses multiple antennas and radio paths. Reference topics: 802.11 Technology Fundamentals — MIMO, spatial streams, multipath, SISO versus MIMO, and 802.11n/ac/ax PHY enhancements. 6.Refer to the exhibit. The Catalyst 9800 WLC logs show when a client with MAC address 9C:4E:36:8A:2B:F1 fails to connect to a WLAN configured for Wi-Fi Protected Access 3-Enterprise with 802.1X. Which action must the engineer take to resolve the issue? A. Ensure that the AP is using the appropriate credentials. B. Change the WLAN to Wi-Fi Protected Access 2-Personal and configure a preshared key. C. Verify the client's Active Directory credentials and ensure that the RADIUS server is reachable. D. Disable RADIUS NAC on the policy profile assigned to the WLAN. Answer: C Explanation: 6 / 9 The log is a Layer 2 802.1X authentication failure, not an AP join or WLAN encryption mismatch. In WPA3-Enterprise, the client authenticates with 802.1X/EAP through the configured AAA path. Cisco ’ s Catalyst 9800 WPA3 Enterprise configuration requires the necessary RADIUS or AAA servers and authentication lists before enabling WPA3 Enterprise, and the WLAN must reference the dot1x authentication list. Therefore, a Cred Fail reason points directly at the user/device credential validation path: the supplicant credentials, Active Directory identity source, RADIUS policy match, or RADIUS reachability. Cisco ’ s 9800 802.1X configuration workflow also shows the controller defining a RADIUS server, adding it to a RADIUS group, creating a dot1x AAA authentication method list, and applying that list to the WLAN. It further recommends checking whether the RADIUS server is alive and using ISE RADIUS Live Logs to inspect authentication requests and results. Option A is wrong because the AP is not the supplicant in this WLAN client authentication event. Option B downgrades the security model and avoids 802.1X rather than fixing it. Option D addresses NAC behavior, not a credential authentication failure. Reference topics: Client Connectivity Configuration — WPA3-Enterprise, 802.1X/EAP, RADIUS authentication, and client authentication troubleshooting. 7.Which feature does bridge mode provide in a Cisco wireless mesh architecture? A. It enables point-to-point communication between network segments. B. It switches all traffic passing through the AP to 2.4 GHz by default. C. It adjusts RF transmit power on any neighbor nodes. D. It communicates with WAN edge by default. Answer: A Explanation: Bridge mode in a Cisco wireless mesh deployment allows access points to operate as mesh infrastructure nodes, typically as a Root AP (RAP) or Mesh AP (MAP), so Ethernet segments can be connected across a wireless backhaul. Cisco ’ s mesh design documentation states that in a point-to-point bridging scenario, a mesh AP can extend a remote network by using the backhaul radio “ to bridge two segments of a switched network. ” This directly maps to option A: point-to-point communication between network segments. In Catalyst 9800 mesh deployments, Cisco documents converting an AP to bridge mode with capwap ap mode bridge, after which the AP rejoins the controller in bridge mode and can be assigned a mesh role. Cisco also defines the RAP as the AP with the wired connection toward the WLC, while the MAP joins through its radio path toward the RAP. Option B is incorrect because bridge mode does not force all traffic to 2.4 GHz; Cisco mesh backhaul can use configured backhaul radios. Option C describes RRM/TPC behavior, not bridge mode. Option D incorrectly associates mesh bridge mode with WAN edge functions. Reference topics: Wireless Network Implementation — mesh AP roles, RAP/MAP operation, wireless backhaul, and Ethernet bridging. 8.Refer to the exhibit. 7 / 9 An engineer must configure wireless guest networking for a deployment at site A, which requires support for guest VLAN assignment and assignment for wlan guest-network 20. The controller will provide network segregation and restrict access to internal resources. Based on the configuration commands, which action meets the requirements? A. Establish a mesh bridge connection for the guest VLAN and assign logical interface for isolation. B. Create a policy profile for the guest VLAN and a policy tag to map the WLAN to the policy profile. C. Assign a policy tag to map the to WLAN and assign a physical interface for isolation. D. Implement the Spanning Tree Protocol and assign an AP group name. Answer: B Explanation: The exhibit creates WLAN profile guest-network with WLAN ID 20 and enables web authentication, but it does not yet define the client VLAN or bind the WLAN to a deployable policy. On Catalyst 9800 controllers, the WLAN profile defines SSID and wireless/security characteristics, while the policy profile defines client-facing network policy, including VLAN assignment, AAA, ACLs, and switching behavior. Cisco ’ s web authentication configuration guide states that the policy profile specifies client VLAN, AAA, ACLs, timeout settings, and related policy, and the VLAN is assigned under the policy profile. The second required object is the policy tag, because a policy tag maps the WLAN profile to the policy profile. Cisco also notes that the default policy tag automatically maps only WLAN IDs 1 through 16; WLAN ID 17 or higher cannot use that default mapping. Since this WLAN is ID 20, a custom policy tag mapping is required. Mesh bridging, STP, AP group naming, or physical-interface isolation do not complete the Catalyst 9800 WLAN-to-VLAN policy model. Reference topics: Wireless Network Implementation — Catalyst 9800 configuration model, WLAN profiles, policy profiles, policy tags, guest VLAN assignment, and web authentication. 9.Refer to the exhibit. 8 / 9 A WLC is deployed at a branch location to facilitate secure client connectivity. A network engineer configures one WLAN using WPA2 Personal passphrase and activates ASCII format key to align with company security policies. Which configuration enables client authentication for this WLAN? A. no security wpa akm dot1x B. client dhcp-proxy enable C. security wpa wpa2 ciphers aes D. security wpa akm psk set-key ascii 0 Answer: D Explanation: WPA2-Personal authenticates clients with a preshared key, not with 802.1X. Cisco documents WPA/WPA2 as supporting multiple authentication methods, including 802.1X and PSK, and specifically states that when PSK is selected, a preshared key or passphrase must be configured. The configuration element that enables client authentication in this scenario is the PSK ASCII key function represented by option D. On Catalyst 9800 IOS XE, the PSK method is enabled with PSK authentication key management, and the passphrase is defined with security wpa psk set-key {ascii | hex} {0 | 8} password; Cisco ’ s example is security wpa psk set-key ascii 0 test. Option A disables 802.1X AKM, which is appropriate for Personal mode, but it does not by itself authenticate clients. Option B controls DHCP proxy behavior and has no role in WPA authentication. Option C enables AES for WPA2 encryption, which protects traffic confidentiality but does not supply the authentication secret. Reference topics: Client Connectivity Configuration — WPA2-Personal, PSK authentication, AKM selection, AES encryption, and Catalyst 9800 WLAN security configuration. 10.A wireless administrator must configure detailed and comprehensive monitoring for client devices across branch locations. The team wants to streamline operations for faster response during performance degradation. To support the organization's growth, the administrator needs a centralized reporting platform that displays aggregated data. Which solution must the administrator use to monitor the clients in the network? 9 / 9 A. Implement central syslog server. B. Use Cisco Catalyst Center Assurance. C. Run show logging on WLC CLI. D. Use the WLC dashboard. Answer: B Explanation: Cisco Catalyst Center Assurance is the correct solution because the requirement is centralized, scalable, multi-site client monitoring with aggregated health and troubleshooting data. Cisco states that Catalyst Center Assurance provides a Client health dashboard and supports both wired and wireless clients. It is specifically used to obtain a global view of all client device health and determine whether issues require action. This directly matches the need for monitoring clients across branch locations and responding faster during performance degradation. Catalyst Center Assurance also provides location-based visibility, health scoring, client trend analysis, onboarding failure reasons such as AAA or DHCP, and Client 360 views for detailed troubleshooting. Cisco documents that Client 360 provides detailed client connectivity troubleshooting, including what problem occurred, when it occurred, why it occurred, and whether the impact is isolated or widespread. Cisco ’ s Catalyst Center data sheet further describes Network and Client Health dashboards as giving administrators a high-level overview of every network device and client, with expansion by geographical site, device list, client list, or topology. Syslog, WLC CLI logging, and a local WLC dashboard are useful operational tools, but they do not provide enterprise-scale assurance analytics. Reference topics: Wireless Monitoring and Management — Catalyst Center Assurance, Client Health, Client 360, centralized wireless monitoring, and operational analytics. 11.What is a benefit of network adaptability in terms of improved operational outcomes when using AI-RRM in Cisco Catalyst Center? A. provisioning of static device addresses B. reduction of co-channel interference C. transmission of regular software update schedules D. categorization of users by authentication type Answer: B Explanation: The correct answer is reduction of co-channel interference. AI-RRM in Cisco Catalyst Center is designed for RF optimization, not IP addressing, software scheduling, or user identity classification. Cisco describes AI-enhanced RRM as applying artificial intelligence and machine learning to optimize RF environments and automate/adapt RF parameter tuning for Cisco wireless networks. This is directly tied to operational RF outcomes such as improved channel planning, transmit power behavior, channel width decisions, and better spectrum utilization.