Cisco 300-820 Exam Dumps & Practice Test Questions

Question 1:

In the context of SIP calls using the Session Description Protocol (SDP), what is a common problem caused by Network Address Translation (NAT)?

A. NAT adds headers that can increase packet size beyond the MTU limit.
B. Time zone differences behind NAT make offset calculations unreliable.
C. SDP includes an IP address that may be a private, non-routable address.
D. SDP encryption keys are only usable by clients outside the NAT boundary.

Correct Answer: C

Explanation:

In SIP-based communications, the Session Description Protocol (SDP) plays a key role in establishing media streams by providing essential information such as the IP addresses and ports used for audio and video. However, when devices reside behind a Network Address Translation (NAT) gateway, complications arise—particularly in how these addresses are presented and interpreted.

The main issue lies in the connection information field of SDP messages. Devices behind a NAT typically use private IP addresses (e.g., 192.168.x.x or 10.x.x.x), which are not globally routable. When such a device sends an SDP offer, it includes its private IP address in the SDP payload. This becomes problematic because external devices—those on the public internet—cannot reach the private IP to establish a media session.

This mismatch leads to broken media paths, where signaling succeeds but RTP streams cannot be established correctly. As a result, users may experience one-way audio or complete media failure. This issue is one of the most common NAT-related challenges in SIP communications.

To address this, technologies such as:

• STUN (Session Traversal Utilities for NAT) – allows clients to discover their public IP and port.

• TURN (Traversal Using Relays around NAT) – enables media relaying via an external server.

• ICE (Interactive Connectivity Establishment) – combines STUN and TURN to establish the best media path.

• Session Border Controllers (SBCs) – such as Cisco’s Expressway-E and CUBE, help manage NAT traversal by rewriting IP headers or terminating and relaying the media.

In contrast:

• Option A (MTU issues due to NAT headers) is more applicable to tunneling protocols like VPN, not SDP.

• Option B (time zone offsets) is unrelated to SIP or SDP behavior.

• Option D (encryption keys affected by NAT) is incorrect; encryption is not inherently broken by NAT unless there is a key negotiation problem unrelated to SDP.

Hence, Option C is correct: NAT causes SDP to advertise non-routable private IPs, which leads to failed media sessions unless proper NAT traversal techniques are used.

Question 2:

An organization using Cisco Unified Communications Manager (CUCM) for internal communication needs to set up secure video calls with external entities. What is the correct configuration to achieve this securely?

A. Deploy Cisco Unified Border Element with Cisco ASA Firewall
B. Deploy Cisco Unified Border Element with Cisco Firepower Firewall
C. Deploy Cisco Expressway-C and Cisco Expressway-E
D. Deploy Cisco Expressway-C with Cisco Unified Border Element

Correct Answer: C

Explanation:

Organizations running Cisco Unified Communications Manager (CUCM) often need to expand their capabilities to securely communicate with external users, partners, or remote employees. When it comes to enabling secure video and voice communication across organizational boundaries, the optimal Cisco-recommended solution is to deploy Cisco Expressway-C and Cisco Expressway-E.

This architecture is designed for secure traversal of voice and video calls across NATs and firewalls without requiring VPNs. Here's how the system works:

• Cisco Expressway-C (Core) is deployed inside the enterprise network. It integrates with CUCM and handles internal signaling and call routing.

• Cisco Expressway-E (Edge) is placed in the DMZ (Demilitarized Zone). It interacts with external clients and routes incoming and outgoing SIP or H.323 signaling traffic securely to the Expressway-C.

This pairing ensures:

• NAT traversal using secure protocols like ICE, STUN, and TURN.

• Encrypted signaling and media via TLS (for SIP) and SRTP (for RTP).

• External devices, such as mobile workers or business partners, can participate in video calls without compromising internal security.

Why the other options are incorrect:

• Option A and B (CUBE with ASA or Firepower) are valid for SIP trunking—connecting to external VoIP providers—but not ideal for endpoint-to-endpoint secure video communication with external users.

• Option D mixes Expressway-C and CUBE, which serve different roles and are not deployed together for this use case.

Thus, to support secure external video communications while maintaining seamless internal operations through CUCM, deploying Cisco Expressway-C and Expressway-E is the recommended and correct solution.

Question 3:

When setting up static NAT on Cisco Expressway-E, which Session Description Protocol (SDP) attribute is updated to reflect the translated public IP address?

A. SDP b-line
B. SIP record route
C. SDP c-line
D. SDP m-line

Correct Answer: C

Explanation:

When deploying a Cisco Expressway-E behind a static NAT (Network Address Translation) configuration, it's essential to ensure that media connections between internal and external endpoints function properly. A critical aspect of this involves modifying the Session Description Protocol (SDP) content shared during call setup.

SDP is used in SIP (Session Initiation Protocol) messages to describe multimedia communication sessions. Among its attributes, the c-line (connection line) defines the IP address that endpoints use to establish media streams, such as audio and video.

In static NAT configurations, internal IP addresses are not publicly routable. Therefore, if the SDP c-line advertises a private internal IP, external endpoints won’t be able to establish a media path. To resolve this, the SDP c-line must be rewritten to contain the NAT-translated public IP address, which is the reachable address for external participants.

Cisco Expressway-E is designed to handle this automatically when static NAT is correctly configured. It ensures that any internal media address in the SDP is replaced with the corresponding public address before sending the message outside the enterprise network. This adjustment ensures proper routing of media traffic and maintains seamless communication across NAT boundaries.

Let’s analyze the incorrect options:

• A (SDP b-line): This line specifies bandwidth information for the media stream but does not handle IP addressing.

• B (SIP record route): This is part of SIP signaling and is used for routing requests through proxies. It is unrelated to the media IP address advertisement.

• D (SDP m-line): This attribute defines the media types and ports (like audio or video), but not the IP address involved in NAT traversal.

In conclusion, to support NAT environments effectively, Cisco Expressway-E modifies the SDP c-line, ensuring that the correct external IP address is presented for media connectivity. This process is a fundamental component of enabling reliable audio and video communication between internal users and external participants.

Question 4:

A business is deploying a Cisco Collaboration system and wants to allow internal SIP-registered endpoints to communicate with external parties using both SIP and H.323 protocols. 

What feature should be enabled, and on which device should it be configured?

A. Interworking on Cisco Expressway-C
B. Transcoding on Cisco Unified Communications Manager (CUCM)
C. Transcoding on Cisco Expressway-C
D. Interworking on Cisco Unified Communications Manager

Correct Answer: A

Explanation:

In environments where a company primarily uses SIP (Session Initiation Protocol) for internal communications but needs to interact with external entities using H.323, there must be a mechanism to bridge the two protocols. This functionality is known as interworking, and in the Cisco Collaboration architecture, the Cisco Expressway-C is the preferred platform to enable it.

Interworking refers to the ability to convert signaling and media between different communication protocols—in this case, SIP and H.323. The Cisco Expressway-C sits inside the network and works in conjunction with the Expressway-E to securely traverse firewalls and facilitate communication with external endpoints. Expressway-C is equipped to handle protocol translation and manage signaling differences between SIP and H.323 endpoints.

Let’s break down why Option A is correct:

• Cisco Expressway-C provides built-in interworking functionality that allows SIP-registered internal devices (like Cisco Jabber or IP phones) to communicate with H.323 devices outside the enterprise. It dynamically converts the signaling between protocols, enabling interoperability without additional infrastructure complexity.

Now consider the incorrect options:

• Option B (Transcoding in CUCM): Transcoding refers to converting media formats or codecs—not signaling protocols. While CUCM supports codec negotiation, it doesn’t facilitate SIP-to-H.323 communication.

• Option C (Transcoding on Expressway-C): Similarly, while Expressway-C supports transcoding, the question is about protocol compatibility, which is managed through interworking—not codec conversion.

• Option D (Interworking on CUCM): While CUCM does have limited interworking support, it’s not designed to facilitate external protocol communication over the internet. Expressway-C is specifically optimized for this function, especially when used in tandem with Expressway-E.

In conclusion, to enable seamless communication between internal SIP devices and external H.323 or SIP endpoints, interworking should be enabled on Cisco Expressway-C. This ensures that protocol differences are handled automatically, maintaining a unified collaboration experience across the enterprise and its partners.

Question 5:

In a Hybrid Message Service High Availability deployment involving multiple Cisco IM and Presence clusters, what is a critical configuration requirement to ensure proper communication across the clusters?

A. Intercluster Sync Agent must be operational on all clusters
B. Intercluster Lookup Service must be fully functional across all clusters
C. Multiple Device Messaging must be turned off on each IM and Presence cluster
D. AXL service must only run on the publisher node of each IM and Presence cluster

Correct Answer: B

Explanation:

When implementing Cisco Hybrid Message Service in a High Availability (HA) deployment spanning multiple IM and Presence Service clusters, seamless intercluster communication is vital for consistent and reliable messaging capabilities. One of the most critical components that enables this communication is the Intercluster Lookup Service (ILS).

The ILS is a protocol designed to facilitate automatic user discovery and presence information sharing across different clusters. It allows IM and Presence clusters to learn about each other’s users and services, enabling rich messaging interactions—even in multi-cluster environments. Without ILS, clusters cannot exchange the essential data required for hybrid messaging to function properly, leading to fragmented or failed communication between users located in different clusters.

Let’s examine why the other options are incorrect:

• Option A (Intercluster Sync Agent): Although the Intercluster Sync Agent (ICSA) plays a role in synchronizing certain user data and configuration information between clusters, it does not facilitate real-time presence or messaging discovery across clusters. Its role is supplementary compared to ILS, which handles dynamic lookup and data exchange essential for hybrid deployments.

• Option C (Multiple Device Messaging disabled): Disabling Multiple Device Messaging is not a requirement for Hybrid Message Service HA. This feature allows users to receive messages on multiple registered devices, and its status has no bearing on intercluster functionality or the hybrid deployment architecture.

• Option D (AXL service on publisher only): The AXL (Administrative XML Layer) service is used primarily for administrative tasks such as retrieving and modifying configuration data. While it's typically enabled on the publisher node of a cluster, its function does not influence the messaging path or the communication between hybrid clusters.

In conclusion, for Hybrid Message Service to operate reliably in a multi-cluster high-availability environment, ILS must be properly configured and functioning across all involved clusters. It ensures that user identity, presence information, and messaging capabilities are synchronized, which is fundamental to delivering seamless cross-cluster collaboration. This makes Option B the correct and most essential requirement in this context.

Question 6:

When encrypted signaling is used between Cisco Collaboration endpoints, what is a key limitation of implementing NAT ALG for voice and video communication?

A. Internal devices are restricted from using private IP addresses
B. NAT ALG cannot inspect encrypted signaling message contents
C. NAT ALG introduces jitter in voice streams
D. Source IPs fail to define valid destination IPs for return communication

Correct Answer: B

Explanation:

When voice and video communication systems, such as Cisco Collaboration endpoints, operate over encrypted signaling protocols, one of the primary challenges encountered is the behavior of NAT ALG (Network Address Translation Application Layer Gateway).

The role of NAT ALG is to assist NAT devices in handling application-layer protocols (such as SIP or H.323) by inspecting and modifying signaling packets to ensure proper routing of audio/video streams. However, when the signaling data is encrypted—for example, using Transport Layer Security (TLS)—the ALG loses the ability to read, interpret, and modify these messages. This introduces a critical barrier to communication, particularly in NAT traversal scenarios.

Option B is correct because the encrypted nature of the signaling traffic prevents the ALG from accessing vital information such as internal IP addresses and port numbers, which are needed for rewriting packet headers and managing sessions. Since ALGs rely on visibility into these details to adjust for NAT translation, their inability to inspect encrypted packets breaks the NAT traversal process, resulting in failed or incomplete call setups.

Now, examining the incorrect options:

• Option A (Internal devices can’t use private IPs): This is misleading. NAT is explicitly designed to allow internal devices with private IP addresses to communicate externally. The use of private IPs is standard in NAT scenarios and not restricted due to encryption.

• Option C (ALG causes jitter): Jitter refers to variations in packet arrival times and is typically caused by network congestion, latency, or inconsistent routing paths. NAT ALG itself is not a source of jitter unless improperly configured, and it certainly isn’t its defining limitation.

• Option D (Source IPs can't define destination IPs): This describes a symptom of NAT traversal failure but doesn’t address the root cause in the context of encrypted signaling. The fundamental issue here is not about source addresses but about the ALG's inability to see and adjust signaling data because it is encrypted.

In summary, the central obstacle with encrypted signaling and NAT ALG is that the ALG can’t process the encrypted data, rendering it ineffective. This makes Option B the most accurate representation of the technical challenge.

Question 7:

Which two factors can cause port 8443 to be inaccessible from the internet when connecting to Expressway-E? (Select two options.)

A. MRA license is not enabled on Expressway-E
B. Unified Communications zone is currently down
C. Expressway-E lacks a configured transform setting
D. The SRV record for _cisco-uds is incorrectly set
E. A firewall is preventing access to the port

Correct Answers: A and E

Explanation:

In a Cisco Expressway deployment, particularly when supporting Mobile and Remote Access (MRA), port 8443 plays a critical role. This port is commonly used to establish secure communication between remote clients and the Expressway-E, typically using HTTPS for signaling and service negotiation. If port 8443 cannot be accessed from the internet, two of the most likely causes are missing licensing and firewall configuration issues.

• A. MRA license is not enabled on Expressway-E:
  The Expressway-E must have the MRA license activated in order to support Mobile and Remote Access functionality. If the license is not applied, services associated with MRA, including those that use port 8443 for HTTPS signaling and authentication, will not be operational. Without this license, the Expressway-E effectively disables the service tied to port 8443, rendering it unreachable even if the port appears open at the network level.

• E. A firewall is preventing access to the port:
  Firewalls sit between the internet and internal infrastructure and play a key role in managing inbound and outbound traffic. If the firewall is configured to block traffic on port 8443, remote clients will be unable to initiate connections to Expressway-E, even if the service is properly configured. This is a common issue in deployments where strict security policies are enforced, or port forwarding is not properly configured.

The remaining options, although relevant in specific diagnostic scenarios, are not direct causes for port 8443 being inaccessible:

• B. Unified Communications zone is down:
  While a failed UC zone affects service communication between Expressway-C and Expressway-E, it does not prevent port 8443 from being accessed externally.

• C. Expressway-E lacks a transform setting:
  Transform settings are used for SIP message normalization or NAT-related configurations, but they do not specifically control port accessibility.

• D. Misconfigured SRV record for _cisco-uds:
  This DNS record supports service discovery for Jabber clients, not direct port access. A misconfigured SRV record would lead to service lookup failures, not a closed port.

Therefore, when troubleshooting connectivity issues to port 8443, the first checks should be for a valid MRA license on Expressway-E and ensuring that firewall rules permit traffic on that port from the public network.

Question 8:

What type of encryption can be applied to media traffic on an Expressway zone to ensure secure communication?

A. Advanced Encryption Standard (AES)
B. IPsec
C. Triple DES (3DES)
D. Force unencrypted

Correct Answer: B

Explanation:

When configuring Cisco Expressway zones, especially in deployments that involve traversing public networks or linking internal and external domains, it is vital to secure media traffic. Cisco Expressway supports various security protocols, but when it comes to encrypting the actual media (audio/video) exchanged between endpoints, IPsec is the primary mechanism.

• B. IPsec:
  Internet Protocol Security (IPsec) is a widely adopted suite of protocols designed to provide end-to-end encryption and authentication for IP communications. In Cisco Expressway environments, IPsec can be enabled on zones to secure media streams transmitted between devices. It ensures data confidentiality, integrity, and authenticity, particularly important when the media path traverses untrusted networks. IPsec encryption is negotiated during the setup of a secure communication session, protecting both signaling and media in supported scenarios.

The other options do not reflect how Expressway zones handle media encryption:

• A. Advanced Encryption Standard (AES):
  Although AES is a common encryption algorithm used across many technologies, Expressway zones do not directly expose AES as a configuration option. AES may be used under the hood in various encrypted protocols like TLS or IPsec, but it's not something you configure explicitly on an Expressway zone.

• C. Triple DES (3DES):
  3DES is an older encryption standard and is largely deprecated due to performance inefficiencies and security weaknesses. Cisco Expressway does not support or recommend 3DES for media encryption. Modern deployments rely on more secure and scalable options like IPsec and TLS.

• D. Force unencrypted:
  Choosing to force unencrypted communication undermines the entire objective of deploying Expressway in secure environments. This option disables encryption, leaving media traffic vulnerable to eavesdropping and tampering. It may only be used in legacy environments with strict compatibility requirements, but it's not a recommended practice.

In conclusion, IPsec is the most appropriate and secure encryption method available for media protection in Cisco Expressway zone configurations. It ensures the secure delivery of media streams in both internal and external communications, supporting the security and compliance objectives of enterprise collaboration deployments.

Question 9:

In the Cisco Expressway environment, what is the role of a "transform" configuration?

A. It acts as a neighbor zone to establish a link between Expressway servers.
B. It changes the audio codec during call handling.
C. It is responsible for routing calls to their destination.
D. It modifies an alias based on defined patterns, converting it into another alias.

Correct Answer: D

Explanation:

In Cisco Expressway, a transform serves a critical role in managing how calls are handled and routed based on their destination aliases. Specifically, transforms are used to rewrite or modify an alias—typically a SIP URI or E.164 number—when it matches certain defined criteria. This process is essential in complex environments where alias formats differ across systems or when integrating multiple collaboration platforms.

For example, a user may dial user@example.com, but the destination system might expect user@video.example.com. A transform can detect the original alias format and modify it to match the required destination format before the call is routed. This ensures that communication between dissimilar systems remains seamless and efficient.

Let’s break down the options:

• A is incorrect because neighbor zones are used to define trusted peer connections between Expressway servers, but they are not transformations or alias modifications.

• B is also incorrect since codec selection and negotiation are handled via SIP/SDP negotiation or media capability settings—not via transforms.

• C may seem plausible, but the actual routing decisions are handled by dial plans and search rules. While transforms do assist routing by preparing the alias into a routable format, they do not perform routing by themselves.

• D is correct. A transform inspects the alias and, if it matches the specified conditions (like a regex pattern), it modifies the alias into another form. This might include prefixing, stripping, or replacing domains, enabling consistent routing behavior.

This feature is extremely useful in scenarios such as multi-domain deployments, federation between systems, or integration with CUCM (Cisco Unified Communications Manager). Transforms offer a dynamic way to ensure that alias formats conform to the requirements of the target systems, making communication between disparate platforms more reliable.

Question 10:

Which two DNS SRV records are valid for supporting SIP over TLS and H.323 communication for a domain like example.com? (Choose two.)

A. _sips._tcp.example.com
B. _sips._udp.example.com
C. _h323ls._udp.example.com
D. _h323ls._tcp.example.com
E. _collab-edge._tls.example.com

Correct Answers: A, C

Explanation:

DNS SRV (Service) records are used to map specific services to hostnames and ports. These are particularly important in unified communications and video conferencing environments, such as those that use Cisco Expressway, to enable service discovery for protocols like SIP and H.323.

Let’s examine the valid SRV records for SIP and H.323:

• A: _sips._tcp.example.com — This is a valid and standard SRV record for SIP over TLS (also referred to as Secure SIP or SIPS). The prefix _sips specifies that it’s for secure SIP, while _tcp designates the use of the TCP transport protocol, which is required for TLS. SIP clients will use this SRV record to locate the appropriate server for initiating encrypted VoIP sessions.

• B: _sips._udp.example.com — This is invalid. The _sips service implies encryption via TLS, which cannot be delivered over UDP. TLS is inherently a TCP-based protocol, and this combination does not make sense in standard SIP deployments.

• C: _h323ls._udp.example.com — This is a valid SRV record for H.323 Location Services using UDP. The _h323ls portion refers to H.323 Gatekeepers that handle address resolution and routing within H.323 networks. These services typically rely on UDP, making this SRV record valid and necessary for H.323 devices to locate gatekeepers.

• D: _h323ls._tcp.example.com — This is not typically valid. While TCP can technically be used in some H.323 communication scenarios, Location Services for H.323 typically use UDP, making this SRV record uncommon and likely unsupported.

• E: _collab-edge._tls.example.com — While this SRV record is used in Cisco Mobile and Remote Access (MRA) deployments, it is not directly related to SIP or H.323. It facilitates service discovery for the Expressway Edge node, particularly for Jabber clients, not for standard SIP or H.323 communications.

In summary, A and C are the correct answers because they conform to standard practices for supporting secure SIP and H.323 Location Services respectively. SRV records like these are essential for enabling automatic service discovery, simplifying endpoint configuration, and ensuring seamless connectivity in collaboration environments.