Route Oct 2019
Question 1
Which two tasks must you perform when configuring SSH? (Choose two)
A. Configure TACACS+
B. Configure hostname
C. Generate RSA key
D. Disable telnet
Answer: B C
Explanation
The following are the prerequisites for configuring the switch for secure shell (SSH):
– For SSH to work, the switch needs a Rivest, Shamir, and Adleman (RSA) public/private key pair. This is the same for Secure Copy Protocol (SCP), which relies on SSH for its secure transport.
– Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
– Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.
– SCP relies on SSH for security.
– SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.
– A user must have appropriate authorization to use SCP.
– A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
– The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.
– Configure a hostname and host domain for your device by using the "hostname" and "ip domain-name" commands in global configuration mode.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01001.html
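As an added example (not from the original page or the Cisco guide it references), the following IOS configuration performs the two tasks from the answer, setting the hostname and generating the RSA key pair, together with the domain name the explanation lists as a prerequisite, and then restricts the vty lines to SSH so that clear-text Telnet logins are no longer accepted. The hostname, domain name, username and password are made-up values.

```cisco
! Hostname and domain name must exist before the RSA key pair can be generated
hostname R1
ip domain-name lab.example.com
!
! Generate the RSA key pair the SSH server uses (2048-bit modulus)
crypto key generate rsa modulus 2048
!
! Use SSH version 2 only and limit the login window and retries
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account used for SSH logins (made-up credentials)
username netadmin privilege 15 secret <made-up-password>
!
! Accept only SSH on the vty lines; Telnet is thereby disabled
line vty 0 4
 login local
 transport input ssh
end
!
! Verification: confirms the SSH server is enabled and which version it runs
show ip ssh
```

Verifying with "show ip ssh" after the key is generated is the quick check that the prerequisites were met: if the hostname or domain name were missing, the "crypto key generate rsa" step fails and the SSH server stays disabled.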
Question 2
Which two pieces of information can you determine from the output of the show ntp status
command?
Answer: C D
Explanation
First we can see if the local device has been synchronized or not by the line "Clock is synchronized" (or "Clock is unsynchronized") -> Answer D is correct.
Also in the same line, we see "reference is 10.1.2.1", which is the IP address of the peer to which the clock is synchronized. For example in this case R1 has been configured with the command "R1(config)#ntp server 10.1.2.1" -> Answer C is correct.
Question 3
You are implementing WAN access for an enterprise network while running applications that require a fully meshed network. Which two design standards are appropriate for such an environment? (Choose two)
Answer: A B
Explanation
With DMVPN phase 2 and 3, spokes can speak with each other directly like they are directly
connected in a meshed network. This simplifies the connectivity for the enterprise -> Answer
A is correct.
Another way to run applications that require a fully meshed network is through a WAN
distribution layer that is connected to all remote sites. Therefore these sites can communicate
with each other via this WAN distribution layer.
Question 4
Which task do you need to perform first when you configure IP SLA to troubleshoot a
network connectivity issue?
Answer: B
Explanation
This question is a bit unclear but answer B is still the best choice here. Maybe "Enable the ICMP echo operation" here means "Configure the ICMP echo operation", which requires the following commands:
configure terminal
ip sla operation-number
icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
frequency seconds
For example:
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#frequency 10
After that we can schedule the above ICMP echo operation with the command (for example):
Then we can verify the ICMP echo operation at the end with the commands "show ip sla group schedule" and "show ip sla configuration".
Question 5
Which technology can combine multiple physical switches into one logical switch?
A. HSRP
B. VSS
C. VRRP
D. NHRP
Answer: B
Question 6
Which two features are compatible with port security? (Choose two)
A. Voice VLAN
B. SPAN source port
C. DTP
Answer: A B
Explanation
Table 3 of the following link lists which features are compatible with the port security feature:
https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011111.html
Question 7
Which fallback method can you configure to allow all AAA authorization requests to be
granted if the other methods do not respond or return an error?
A. Radius
B. Enable
C. TACACS+
D. NONE
Answer: D
Explanation
The following examples show how to use a TACACS+ server to authorize the use of network
services. If the TACACS+ server is not available or an error occurs during the authorization
process, the fallback method (none) is to grant all authorization requests:
Question 8
By default, what is the maximum number of equal-metric paths BGP uses for load balancing?
A. 4
B. 6
C. 8
D. 16
Answer: C
Explanation
Reference: https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/bgp/maximum-paths-bgp.html
Question 9
You track objects in IP SLA and must make sure that the tracked list is only up if all track objects are up. Which method achieves that goal?
A. AND
B. OR
C. XOR
D. NOT
Answer: A
Explanation
This command configures a tracked list object and enters tracking configuration mode. The track-number can be from 1 to 500.
+ boolean – Specify the state of the tracked list based on a Boolean calculation.
+ and – Specify that the list is up if all objects are up, or down if one or more objects are down.
+ or – Specify that the list is up if one object is up, or down if all objects are down.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sweot.pdf
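The following configuration is an added example (not from the original page or the referenced Cisco guide) that ties Question 4 and Question 9 together: two ICMP echo operations are configured and scheduled, each is followed by a reachability track object, and a Boolean AND track list is built on top of them so a dependent static route is withdrawn as soon as either probe fails. The addresses, interface names and object numbers are made-up values.

```cisco
! Two ICMP echo probes, one towards each next hop (addresses are made-up)
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
! Scheduling is what actually starts the probe (the step missing above)
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 192.0.2.2 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Each track object follows the reachability state of one probe
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Boolean AND list: up only while every member object is up
track 10 list boolean and
 object 1
 object 2
!
! Static route that depends on the list; it is removed from the routing
! table when the list goes down, i.e. when either probe stops succeeding
ip route 10.10.0.0 255.255.0.0 192.0.2.1 track 10
!
! Verification
show ip sla configuration
show ip sla group schedule
show ip sla statistics
show track 10
```

Swapping "boolean and" for "boolean or" would keep the route as long as at least one probe succeeds; the AND form is the one the question asks for, where a single failed object is enough to bring the list down.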
Question 10
PCA and PCB are separated by three routers with different MTU values. PCA wants to run an application with PCB and the DF bit is set. Which option must you choose?
A. MSS
B. PMTU
C. GRE
D. ?
Answer: B
Question 11
Question 12
How do you implement local authentication using a list for case-insensitive usernames?
Answer: A
Explanation
Use the aaa authentication login command with the local method keyword to specify that the Cisco router or access server will use the local username database for authentication. For example, to specify the local username database as the method of user authentication at login when no other method list has been defined, enter the following command:
Note: The difference between the last keyword "local" and "local-case" is that the first uses the case-insensitive local username database while the second uses the case-sensitive local username database for authentication.
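The AAA configuration below is an added example (not from the original page) that covers both Question 7 and Question 12: login authentication goes to TACACS+ first and falls back to the case-sensitive local database, while authorization uses the "none" fallback the question asks about. The server name, address, shared secret and local account are made-up values.

```cisco
aaa new-model
!
! TACACS+ server definition (address and key are made-up)
tacacs server TAC-1
 address ipv4 192.0.2.10
 key <made-up-shared-secret>
!
! Login authentication: TACACS+ first, then the local database.
! local-case matches usernames case-sensitively; use "local" instead
! for the case-insensitive lookup asked about in Question 12.
aaa authentication login default group tacacs+ local-case
!
! Authorization fallback "none": if no TACACS+ server answers or an error
! occurs, every authorization request is granted. This fails open, which keeps
! the device manageable during a server outage but skips privilege checks;
! a "local" fallback would still consult the local account's privilege level.
aaa authorization exec default group tacacs+ none
aaa authorization network default group tacacs+ none
!
! Local account that serves as the authentication fallback
username NetAdmin privilege 15 secret <made-up-password>
!
line vty 0 4
 transport input ssh
```

The order of keywords in each method list is the order in which IOS tries them; the last keyword is only reached when every earlier method fails to respond, not when one of them rejects the user.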
ip nhrp shortcut - configured on the spoke which is responsible to rewrite the CEF entry after getting the redirect message from hub
ip nhrp network-id - (?)
ip nhrp map - (?)
ip redirects - are disabled by default on a tunnel interface
ip nhrp responder - Specifies which interface the Next Hop Server uses for the NHRP responder IP address
ip nhrp nhs - Statically configures a Next Hop Server
But they cannot be matched with the two remaining options on the left.
Explanation
In fact the "ip nhrp shortcut" should be both "configured on the spoke which is responsible to rewrite the CEF entry after getting the redirect message from hub" and "Enables NHRP shortcut switching on the interface", so maybe there is something missing in this question.
Note: "ip redirects" (not "ip nhrp redirects") are disabled by default on a tunnel interface.
Question 14
Question about the IP SLA deployment cycle. Choose the best IP SLA deployment cycle that reduces deployment (Choose four)
Answer: A B D E
Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017f8c9.html
Question 15
What are two differences between SNMP traps and SNMP informs? (Choose two)
Answer: A D
Explanation
Traps are messages alerting the SNMP manager to a condition on the network. Informs are traps that include a request for confirmation of receipt from the SNMP manager -> Answer A is correct.
Traps are often preferred even though they are less reliable because informs consume more resources in the router and the network. Unlike a trap, which is discarded as soon as it is sent, an inform must be held in memory until a response is received or the request times out -> Answer D is correct.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/12-4t/snmp-12-4t-book/nm-snmp-cfg-snmp-support.html
Question 16
A. UDP
B. TCP
C. IP
Answer: B
Question 17
A router in an EVN environment is choosing a route. Which value is given the highest
selection priority?
Answer: A
Question 18
A. unicast flooding
B. uRPF failure
C. errdisabling of ports
D. port security violations
E. excessive STP reconvergence
Answer: A B
Explanation
The very cause of unicast flooding is that destination MAC address of the packet is not in the
L2 forwarding table of the switch. In this case the packet will be flooded out of all forwarding
ports in its VLAN (except the port it was received on). Below case studies display most
common reasons for destination MAC address not being known to the switch.
Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router's choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network (-> Therefore answer "uRPF failure" is correct)
Reference: https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
Question 19
Which difference in the packet fragmentation feature between IPv4 and IPv6 devices is true?
Answer: A
Explanation
With IPv4, every router can fragment packets, if needed. If a router cannot forward a packet
because the MTU of the next link is smaller than the packet it has to send, the router
fragments the packet. It cuts it into slices that fit the smaller MTU and sends it out as a set of
fragments. The packet is then reassembled at the final destination. Depending on the network
design, an IPv4 packet may be fragmented more than once during its travel through the
network.
With IPv6, routers do not fragment packets anymore; the sender takes care of it. Path MTU
discovery tries to ensure that a packet is sent using the largest possible size that is supported
on a certain route. The Path MTU is the smallest link MTU of all links from a source to a
destination.
Reference: https://www.oreilly.com/library/view/ipv6-essentials/0596001258/ch04s08.html
Question 20
Answer: A B
Explanation
The two answers here are listed in the "differences between Stateless NAT64 and Stateful NAT64" at https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676277.html
Question 21
A. The router attempts to forward the packet along an alternate path in the route table
B. The router sends an ICMP Time Exceeded Message to the host that sent the packet
C. The router sends an ICMP Destination Unreachable Message to the host that sent the
packet
D. The router flags the packet and forwards it to the next hop
Answer: B
Explanation
RFC 791 requires that a router destroy any datagram with a TTL value of zero. Packets that
have been dropped due to the expiration of their TTL value are known as TTL expiry
packets. When an IP packet is received with a TTL less than or equal to one and is expected
to be forwarded by the router, the router is required to drop the packet and reply back to the
source with an ICMPv4 Type 11, Code 0 Time Exceeded message. In theory, upon receipt
of this message, the originating device should detect an issue—such as a routing problem
when sending to that particular destination, or an initial TTL value that is too low—and react
to overcome the problem.
Reference: https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html
Question 22
Which purpose of the AAA accounting feature is true when you use TACACS+
authentication?
Answer: B
Question 23
Based on the output from the show ip protocols vrf RED command, what is happening with
the routing processes?
Answer: C
Explanation
From the output we notice the line "Redistributing External Routes from bgp 800, includes subnets in redistribution", so that means BGP 800 is redistributed into OSPF 1 (with the "redistribute bgp 800 subnets" command under "router ospf 1").
Question 24
Which limitation is introduced when you deploy RIPv2 on a network that uses supernet
advertisement?
Answer: A
Explanation
Supernet advertisement (advertising any network prefix less than its classful major network) is not allowed in RIP route summarization. For example, the following supernet summarization is invalid:
Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#ip summary-address rip 10.0.0.0 252.0.0.0
-> We can only summarize up to the classful major network boundary.
Question 25
When configuring DHCP on a Cisco router what is the function of DHCP Option 82?
Answer: B
Explanation
DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.
Question 26
Answer: D
Explanation
IP PBR can now be fast-switched. Prior to Cisco IOS Release 12.0, PBR could only be process-switched, which meant that on most platforms the switching rate was approximately 1000 to 10,000 packets per second. This speed was not fast enough for many applications. Users that need PBR to occur at faster speeds can now implement PBR without slowing down the router. Fast-switched PBR supports all of the match commands and most of the set commands, with the following restrictions:
+ The set ip default next-hop and set default interface commands are not supported.
+ The set interface command is supported only over point-to-point links, unless a route cache entry exists using the same interface specified in the set interface command in the route map.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.pdf
Question 27
Which type of Cisco Express Forwarding adjacency is created when the next hop is directly
connected, but its MAC header rewrite information is missing?
A. punt
B. discard
C. null
D. glean
Answer: D
Explanation
Glean adjacency – in short when the router is directly connected to hosts the FIB table on
the router will maintain a prefix for the subnet rather than for the individual host prefix. This
subnet prefix points to a GLEAN adjacency. A glean adjacency entry indicates that a
particular next hop should be directly connected, but there is no MAC header rewrite
information available. When the device needs to forward packets to a specific host on a
subnet, Cisco Express Forwarding requests an ARP entry for the specific prefix, ARP sends
the MAC address, and the adjacency entry for the host is built.
Punt adjacency – When packets to a destination prefix can't be CEF switched, or the feature is not supported in the CEF switching path, the router will then use the next slower switching mechanism configured on the router.
Question 28
Which protocols stop both listening for and advertising updates when the passive-interface command is used? (Choose two)
A. OSPF
B. EIGRP
C. BGP
D. RIP
E. IS-IS
Answer: A B
Explanation
The "passive-interface…" command in EIGRP or OSPF will shut down the neighbor relationship of these two routers (no hello packets are exchanged).
In RIP, this command will not allow sending multicast updates via a specific interface but
will allow listening to incoming updates from other RIP speaking neighbors. This means that
the router will still be able to receive updates on that passive interface and use them in its
routing table.
Question 29
Place the BGP commands in the proper locations.
Answer:
Question 30
Which two statements about configuring OSPFv3 are true? (Choose two)
Answer: A D
Explanation
When using NBMA in OSPFv3, you cannot automatically detect neighbors. On an NBMA interface, you must configure your neighbors manually using interface configuration mode.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-1sg/ip6-route-ospfv3.html
Cisco IOS routers offer two OSPF configuration methods for IPv6:
+ Using the traditional "ipv6 router ospf" global configuration command. For example:
Answer C is not correct as OSPFv3 does not require a "network" statement like OSPFv2.
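The configuration below is an added example (not from the original page or the Cisco guide it cites) showing both OSPFv3 configuration methods the explanation refers to, with the process attached per interface rather than through a "network" statement, and the manual neighbor statement an NBMA interface needs. Router IDs, addresses and interface names are made-up values; the two methods are alternatives, not meant to be combined on one router.

```cisco
ipv6 unicast-routing
!
! ---- Method 1: traditional "ipv6 router ospf" process ----
ipv6 router ospf 1
 router-id 1.1.1.1
!
! The process is enabled on each interface; no "network" statement exists
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 ospf 1 area 0
!
! NBMA interface: neighbors are not discovered, so each one is configured
! manually by its link-local address (made-up)
interface Serial0/0
 ipv6 address 2001:db8:2::1/64
 ipv6 ospf network non-broadcast
 ipv6 ospf 1 area 0
 ipv6 ospf neighbor FE80::2
!
! ---- Method 2: address-family style "router ospfv3" process ----
router ospfv3 1
 router-id 1.1.1.1
 address-family ipv6 unicast
 exit-address-family
!
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1::1/64
 ospfv3 1 ipv6 area 0
!
! Verification for either method
show ipv6 ospf neighbor
show ipv6 ospf interface brief
```

On the NBMA link, "show ipv6 ospf neighbor" is the check that the manually configured neighbor actually reached FULL; a missing "ipv6 ospf neighbor" line leaves the interface with no adjacency at all rather than a partially working one.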
Question 31
Answer: A
Explanation
The command ―distribute-list 1 out eigrp 20‖ creates an outbound distribute-list to filter
routes being redistributed from EIGRP AS 20 into RIP according to ACL 1.
Question 32
A. 64512 to 65535
B. 1 to 64511
C. 1024 to 65535
D. 1 to 1024
Answer: A
Explanation
BGP AS number range: Private AS range: 64512 – 65535, Globally (unique) AS: 1 – 64511
Question 33
Which routing protocol searches for a better route through other autonomous systems to
achieve convergence?
A. Link-state
B. Hybrid
C. Path vector
D. Distance vector
Answer: C
Explanation
Path vector routing protocol (like BGP) can get information from other BGP autonomous
systems to find the best route.
Which is the minimum privilege level to allow a user to execute all user-level commands but
prohibits enable-level commands by default?
A. level 1
B. level 0
C. level 16
D. level 15
E. level 14
Answer: A
Question 76
What command can you enter to configure an enable password that uses an encrypted
password from another configuration?
Answer: D
Explanation
To determine which scheme has been used to encrypt a specific password, check the digit
preceding the encrypted string in the configuration file. If that digit is a 7, the password has
been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.
The enable secret has been hashed with MD5, whereas in the command:
The password has been encrypted using the weak reversible algorithm.
When we enter the "enable secret" command with a number after it, the IOS can tell that the password has already been encrypted, so it will not encrypt it again and accepts that password as-is.
In new Cisco IOS (v15+), it seems the device does not recognize the "enable secret 7" command as an encrypted password. We tried on Cisco IOS v15.4 and see this:
Note: In fact, there is an error with the answer D. As we entered the command in answer D,
the router denied the encrypted password because it was not a valid encrypted secret
password. That means the router also checked if the password was hashed correctly or not.
But it is the best answer in this question.
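As an added example (not from the original page), the configuration below puts the three password storage forms discussed above side by side so the leading digit can be read directly from the configuration: type 7 from "service password-encryption", type 5 from "enable secret", and the scrypt-based type 9 available on IOS 15.3(3)M and later. All credential strings are placeholders; the "enable secret 5" line must carry a valid hash copied from the other device's configuration, since, as noted above, IOS 15 rejects a value that is not a valid hashed secret.

```cisco
! Type 7 (weak, reversible): service password-encryption scrambles any plain
! "password" line. Entries marked 7 should be treated as clear text.
service password-encryption
username legacy password 7 <placeholder-type7-string>
!
! Type 5 (MD5 hash): set from a clear-text value and stored hashed
enable secret <made-up-password>
!
! Reusing a hash from another configuration: the digit 5 tells IOS the value
! is already hashed, so it is stored as-is instead of being hashed again.
! Replace the placeholder with the real $1$... string from the source config.
enable secret 5 $1$placeholder$placeholderhashvalue
!
! Type 9 (scrypt) on IOS 15.3(3)M and later: stronger than MD5
enable algorithm-type scrypt secret <made-up-password>
username netadmin privilege 15 algorithm-type scrypt secret <made-up-password>
!
! Audit: list stored credentials and read the digit after "secret"/"password";
! a 7 means the weak reversible scheme, a 5 means MD5, a 9 means scrypt
show running-config | include secret|password
```

Running the final "show running-config" filter on a production device is a quick way to find accounts still protected only by type 7 strings, which should be migrated to "secret" forms.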
Question 108
Which is the minimum privilege level at which a user can see full commands but can't change anything?
A. 0
B. 1
C. 14
D. 15
E. 16
Answer: B
Question 183
Which password takes precedence if you configure multiple passwords for Telnet
connections to a Cisco IOS device?
Answer: B
Question 190
Which condition must be met before you can configure SSH on a device running Cisco IOS?
Explanation
To enable SSH on Cisco IOS, you need to have the crypto feature in the IOS image.
Question 212
Which two statements about the enable secret and enable password commands are true?
(Choose two)
A. If both commands are missing from the global configuration, vty lines use the console
password
B. The enable secret command overrides enable password
C. The enable password command has a stronger encryption algorithm than enable secret
D. The enable secret command is backwards-compatible with more versions of IOS
E. The enable secret and enable password commands must be used together
Answer: A B
Question 1
What does the following access list, which is applied on the external interface FastEthernet
1/0 of the perimeter router, accomplish?
Answer: C
Explanation
The first answer is not correct because the 10.0.0.0 network range is not correct. It should be 10.0.0.0 to 10.255.255.255.
Question 9
A. IP access-lists without at least one deny statement permit all traffic by default.
B. Extended access-lists must include port numbers.
C. They support wildcard masks to limit the address bits to which entries are applied.
D. Entries are applied to traffic in the order in which they appear.
E. They end with an implicit permit.
Answer: C D
Question 69
Which two different configurations can you apply to a device to block incoming SSH access? (Choose two)
Answer: C D
Explanation
The "ipv6 traffic-filter" command is used to filter IPv6 traffic flowing through an interface, while the "ipv6 access-class" command is used to filter IPv6 traffic destined to the router (via logical interfaces).
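The configuration below is an added example (not from the original page) contrasting the two filtering points the explanation describes: an access-class on the vty lines, which governs SSH sessions to the router itself, and a traffic-filter on an interface, which governs SSH passing through the router. The prefixes, ACL names and interface are made-up values.

```cisco
! IPv4: only the management network may open SSH sessions to the vty lines
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! IPv6 equivalent (prefix is made-up)
ipv6 access-list MGMT-HOSTS-V6
 permit ipv6 2001:db8:100::/64 any
 deny ipv6 any any log
!
! access-class applies to traffic destined to the router (the vty lines)
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 ipv6 access-class MGMT-HOSTS-V6 in
!
! traffic-filter applies to traffic flowing through an interface; here it
! blocks SSH arriving on the outside interface whatever its destination
ipv6 access-list NO-SSH-IN
 deny tcp any any eq 22 log
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter NO-SSH-IN in
!
! Verification: hit counters on the logged deny entries
show ipv6 access-list
show access-lists MGMT-HOSTS
```

The "log" keyword on the deny entries is what turns these filters into a detection source as well: repeated hits on MGMT-HOSTS or NO-SSH-IN show up in syslog and point at hosts probing the device.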
Which access list entry checks for an ACK within a packet TCP header?
Answer: C
Explanation
The established keyword is only applicable to TCP access list entries to match TCP segments
that have the ACK and/or RST control bit set (regardless of the source and destination ports),
which assumes that a TCP connection has already been established in one direction only.
Let's see an example below:
Note:
Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let's see how this process takes place:
1. First host A will send a SYN message (a TCP segment with SYN flag set to 1, SYN is short for SYNchronize) to indicate it wants to set up a connection with host B. This message includes a sequence (SEQ) number for tracking purposes. This sequence number can be any 32-bit number (range from 0 to 2^32) so we use "x" to represent it.
2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some books may call it a "SYN/ACK" or "SYN, ACK" message. ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ SYN sequence number (let's call it "y") is a random number and does not have any relationship with Host A's SYN SEQ number.
+ ACK number is the next number after Host A's SYN sequence number it received, so we represent it with "x+1". It means "I received your part. Now send me the next part (x + 1)".
The SYN-ACK message indicates host B accepts to talk to host A (via the ACK part) and asks if host A still wants to talk to it as well (via the SYN part).
3. After Host A receives the SYN-ACK message from host B, it sends an ACK message with ACK number "y+1" to host B. This confirms host A still wants to talk to host B.
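The access list below is an added example (not from the original page) of the "established" keyword applied inbound on the outside interface; the handshake walk-through above explains why it works. The inside network, ACL name and interface are made-up values.

```cisco
! Inbound on the outside interface (inside network is made-up)
ip access-list extended OUTSIDE-IN
 ! Return traffic for sessions opened from inside: the SYN-ACK from the
 ! outside host (step 2 above) and everything after it carry the ACK bit, so
 ! they match "established". A bare SYN from outside (step 1 initiated by an
 ! external host) has no ACK or RST bit and falls through to the deny.
 permit tcp any 10.0.0.0 0.255.255.255 established
 ! Everything else arriving from outside is dropped and logged
 deny ip any any log
!
interface FastEthernet1/0
 description Outside
 ip access-group OUTSIDE-IN in
!
! Verification: match counters per entry
show access-lists OUTSIDE-IN
```

"established" inspects only the TCP flags of each segment and keeps no session state, so it cannot tell a genuine SYN-ACK from a crafted packet with the ACK bit set; where that matters, a stateful feature such as zone-based firewall inspection should be used instead of this ACL alone.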
Question 84
A. MS CHAP
B. CDPCP
C. CHAP
D. PAP
Answer: D
Explanation
Password Authentication Protocol (PAP) is a very basic two-way process. The username and
password are sent in plain text, there is no encryption or protection. If it is accepted, the
connection is allowed. The configuration below shows how to configure PAP on two routers:
Note: The PAP "sent-username" and password that each router sends must match those specified with the "username … password …" command on the other router.
Question 107
Answer: C E
Which value does a Cisco router use as its default username for CHAP authentication?
Answer: A
Which command instructs a PPPoE client to obtain its IP address from the PPPoE server? (OR: What command is needed to get the IP address assigned from the PPPoE server?)
A. interface dialer
B. ip address negotiated
C. pppoe enable
D. ip address dhcp
E. ip address dynamic
Answer: B
Explanation
Question 13
Answer: B C
Explanation
In the above link there is a topology showing "DMVPN Access to Multiple Hosts from the Same PPPoE Client" -> Answer B is correct.
Question 141
A. DHCP
B. BOOTP
C. PPP
D. APPA
Answer: C
Explanation
Question 222
Which two commands must you configure in the calling router to support the PPPoE client?
(Choose two)
Answer: B E
Which two facts must you take into account when you deploy PPPoE? (Choose two)
Answer: B E
Explanation
The PPPoE Client DDR Idle Timer feature supports the dial-on-demand routing (DDR) interesting traffic control list functionality of the dialer interface with a PPP over Ethernet (PPPoE) client, but also keeps the original functionality (PPPoE connection up and always on after configuration) for those PPPoE clients that require it.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbpecls.html
But it is just an optional feature and we don't need DDR idle timers to be configured to support VPDN login -> Answer A is not correct.
DDR has been supported in PPPoE since IOS v12.2 -> Answer C is not correct.
We can assign IP addresses via DHCP on the PPPoE interface -> Answer D is not correct.
Prior to Cisco IOS Release 12.4(15)T, one ATM PVC supported one PPPoE client. With the introduction of the Multiple PPPoE Client feature in Cisco IOS Release 12.4(15)T, one ATM PVC supports multiple PPPoE clients, allowing a second line connection and redundancy. Multiple PPPoE clients can run concurrently on different PVCs, but each PPPoE client must use a separate dialer interface and a separate dialer pool. Therefore answer E is still correct.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/15-mt/bba-15-mt-book/bba-ppoe-client.pdf
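The configuration below is an added example (not from the original page or the referenced Cisco guides) of a PPPoE client as discussed in the questions above: the dialer interface takes its address from the server with "ip address negotiated", a second client on the same router gets its own dialer interface and dialer pool, and the optional DDR idle timer is shown at the end. Interface names, pool numbers and CHAP credentials are made-up values.

```cisco
! Physical interface facing the PPPoE server, bound to dialer pool 1
interface GigabitEthernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
! Dialer interface carries the PPP session; the address is learned from the
! PPPoE server through IPCP ("ip address negotiated")
interface Dialer1
 ip address negotiated
 encapsulation ppp
 ip mtu 1492
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname <made-up-username>
 ppp chap password <made-up-password>
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! A second PPPoE client on the same router needs its own dialer interface
! and its own dialer pool
interface GigabitEthernet0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Dialer2
 ip address negotiated
 encapsulation ppp
 ip mtu 1492
 dialer pool 2
!
! Optional DDR idle timer: bring the session up for interesting traffic and
! drop it after 300 idle seconds. Leave these out for an always-on session.
dialer-list 1 protocol ip permit
interface Dialer1
 dialer idle-timeout 300
!
! Verification
show pppoe session
show ip interface brief | include Dialer
```

"show pppoe session" lists the PADS-established session per client and "show ip interface brief" shows the negotiated address on each dialer; a Dialer interface that stays without an address usually means IPCP never completed, most often because CHAP failed.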
Question 29
Answer: C
Question 104
Which feature eliminates the need for Cisco Express Forwarding to maintain a route cache?
A. Adjacency table
B. RIB
C. FIB
D. MAC address table
Answer: C
Explanation
The two main components of Cisco Express Forwarding operation are the forwarding information base (FIB) and the adjacency tables.
The forwarding information base (FIB) lookup table contains all known routes that exist in the routing table, and it eliminates the need for route cache maintenance.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/xe-3se/5700/isw-cef-xe-3se-5700-book/ipswitch_cisco_express_forwarding.pdf
Question 125
Which Cisco Express Forwarding component maintains Layer 2 next-hop addresses that are
used for hardware switching?
A. adjacency table
B. RIB
C. ARP table
D. FIB
Answer: A
Explanation
Nodes in the network are said to be adjacent if they can reach each other with a single hop
across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2
addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB
entries.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html
Question 163
Refer to exhibit. What is indicated by the show ip cef command for an address?
A. CEF is unable to get routing information for this route.
B. CEF cannot switch packet for this route and passes it to the next best switching method.
C. A valid entry that points to hardware-based forwarding.
D. CEF cannot switch packet for this route and drops it.
Answer: B
Explanation
Glean adjacency – in short when the router is directly connected to hosts the FIB table on the
router will maintain a prefix for the subnet rather than for the individual host prefix. This
subnet prefix points to a GLEAN adjacency.
Punt adjacency – When packets to a destination prefix can't be CEF switched, or the feature is not supported in the CEF switching path, the router will then use the next slower switching mechanism configured on the router.
Question 177
Which three algorithms can you configure with the ip cef load-sharing algorithm
command? (Choose three)
A. per-packet
B. Tunnel
C. per-destination
D. Universal
E. Per-source
F. Include-ports
Answer: B D F
Explanation
The following load-balancing algorithms are provided for use with Cisco Express Forwarding
traffic. You select a load-balancing algorithm with the ip cef load-sharing algorithm
command.
+ Original algorithm – The original Cisco Express Forwarding load-balancing algorithm
produces distortions in load sharing across multiple routers because the same algorithm was
used on every router. Depending on your network environment, you should select either the
universal algorithm (default) or the tunnel algorithm instead.
+ Universal algorithm – The universal load-balancing algorithm allows each router on the
network to make a different load sharing decision for each source-destination address pair,
which resolves load-sharing imbalances. The router is set to perform universal load sharing
by default.
+ Tunnel algorithm – The tunnel algorithm is designed to balance the per-packet load when
only a few source and destination pairs are involved.
+ Include-ports algorithm – The include-ports algorithm allows you to use the Layer 4
source and destination ports as part of the load-balancing decision. This method benefits
traffic streams running over equal cost paths that are not load shared because the majority of
the traffic is between peer addresses that use different port numbers, such as Real-Time
Protocol (RTP) streams. The include-ports algorithm is available in Cisco IOS Release
12.4(11)T and later releases.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-mt/isw-cef-15-mt-book/isw-cef-load-balancing.html#GUID-D545ACC1-258F-4073-BC8E-94EC30AAE924
Question 18
A network engineer is working on the network topology and executes the command no ip
split horizon on interface S0/0 of the Hub router. What is the result of this command?
A. A routing loop is created.
B. Each of the spoke routers can see the routes that are advertised from the other spoke
routers.
C. The Spoke routers can see the routes that are advertised by the hub router.
D. The hub router can see the routes that are advertised by the spoke routers.
Answer: B
Question 21
If you convert a WAN connection with OSPF from T1 to a Frame Relay circuit, which two
actions must you take to enable the connection? (Choose two)
Answer: A B
Explanation
Question 46
Which two statements about Frame Relay LMI autosense are true on a router? (Choose two)
Answer: B D
Explanation
Question 72
In a point-to-multipoint Frame Relay topology, which two methods ensure that all routing
updates are received by all EIGRP routers within the Frame Relay network? (Choose two)
Answer: A C
Explanation
Although we can use the "neighbor" command to set up an EIGRP neighbor relationship, the routes cannot be advertised from the Hub to the Spoke because of the split horizon rule -> Answer D is not correct.
To overcome the split horizon rule we can use subinterfaces, as each subinterface is treated like a separate physical interface, so routing updates can be advertised back from the Hub to the Spokes -> Answer C is correct.
Note: The split horizon rule states that routes will not be advertised back out the interface on which they were received.
Question 77
In which two ways can split horizon issues be overcome in a Frame Relay network
environment? (choose two)
A. Configuring one physical serial interface with Frame Relay to various remote sites.
B. Configure a loopback interface with Frame Relay to various remote sites.
C. Configuring multiple subinterfaces on a single physical interface to various remote sites.
D. Enabling split horizon.
E. Disabling split horizon.
Answer: C E
Question 80
On which two types of interface is Frame Relay switching supported? (Choose two)
A. serial interfaces
B. Ethernet interfaces
C. fiber interfaces
D. ISDN interfaces
E. auxiliary interfaces
Answer: A D
Question 123
Which task must you perform to enable a point-to-point Frame Relay connection?
Answer: C
Which two statements about Frame Relay Point-to-Point connections are true? (Choose two)
Answer: A B
Question 53
A. MAC address
B. configured multicast address
C. DLCI
D. IP address
E. VC ID
Answer: D
Question 60
Which two statements about GRE tunnel interfaces are true? (Choose two)
A. A tunnel can be established when the source interface is in the up/down state
B. A tunnel destination must be routable, but it can be unreachable
C. To establish a tunnel the source interface must be a loopback
D. To establish a tunnel the source interface must be in the up/up state
E. A tunnel destination must be a physical interface that is in the up/up state
Answer: B D
Explanation
A valid tunnel destination is one which is routable (which means the destination is present or
there is a default route in the routing table). However, it does not have to be reachable ->
Answer B is correct.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html
For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and
the destination must be reachable according to your own routing table.
Question 78
A network engineer has configured GRE between two IOS routers. The state of the tunnel
interface is continuously oscillating between up and down. What is the solution to this
problem?
A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable
Answer: A
Explanation
In this question only answer A is a reasonable answer. When the state of the tunnel interface
is continuously moving between up and down we must make sure the route towards the
tunnel destination address is good. If it is not good then that route may be removed from the
routing table -> the tunnel interface comes down.
Question 79
When the tunnel interface is configured in default mode, which statement about routers and
the tunnel destination address is true?
A. The router must have a route installed towards the tunnel destination
B. The router must have wccp redirects enabled inbound from the tunnel destination
C. The router must have cisco discovery protocol enabled on the tunnel to form a CDP
neighborship with the tunnel destination
D. The router must have redirects enabled outbound towards the tunnel destination
Answer: A
Explanation
A tunnel interface configured in default mode means the tunnel has been configured as a
point-to-point (P2P) GRE tunnel. Normally, a P2P GRE tunnel interface comes up (up/up
state) as soon as it is configured with a valid tunnel source address or interface which is up
and a tunnel destination IP address which is routable.
Under normal circumstances, there are only three reasons for a GRE tunnel to be in the
up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in
recursion.
Therefore if a route towards the tunnel destination has not been configured then the tunnel is
stuck in up/down state.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html
Question 184
Which two statements about GRE tunnel keys are true? (Choose two)
Explanation
The command "tunnel key <key-number>" uses the key-number argument to identify a
tunnel key that is carried in each packet. Tunnel ID keys can be used as a form of weak
security to prevent improper configuration or injection of packets from a foreign source (so E
is not correct).
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-
3s/ir-xe-3s-book/ir-impl-tun-xe.html
The GRE Tunnel Key feature enables the encapsulation router to add a four-byte key, as part
of the GRE header, during encapsulation. In the decapsulation router, the GRE key of an
incoming packet should match the key value configured under the GRE tunnel. During
decapsulation, if a mismatch between the key value of the incoming GRE packet and the
key value configured under the GRE tunnel is identified, the incoming packet is
dropped.
Question 185
R1(config)#interface Tunnel0
R1(config-if)#tunnel source 10.0.0.1
R1(config-if)#tunnel destination 10.0.0.2
R1(config-if)#ipv6 address k:k:k:k::1/64
R1(config-if)#ipv6 ospf 1 area 1
R1(config-if)#tunnel mode ipv6ip
!
R2(config)#interface Tunnel1
R2(config-if)#tunnel source 10.0.0.2
R2(config-if)#tunnel destination 10.0.0.1
R2(config-if)#ipv6 address k:k:k:k::2/64
R2(config-if)#ipv6 ospf 1 area 1
R2(config-if)#tunnel mode ipv6ip
A user calls from another branch office with a request to establish a simple VPN tunnel to
test a new router's tunneling capability. Based on the configuration in the exhibit, which type
of tunnel was configured?
A. IPsec site-to-site
B. 6to4
C. PPTP
D. EZVPN
Answer: B
The command "tunnel mode ipv6ip" is used to configure a manual IPv6 tunnel. In fact
without the keyword "6to4" (in "tunnel mode ipv6ip 6to4")
Refer to the exhibit. After configuring GRE between two routers running OSPF that are
connected to each other via a WAN link, a network engineer notices that the two routers
cannot establish the GRE tunnel to begin the exchange of routing updates. What is the reason
for this?
A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 57.
Answer: A
Explanation
Question 12
A. phase 2
B. phase 4
C. phase 5
D. phase 6
E. phase 1
Answer: A
Explanation
Both DMVPN Phase 2 and Phase 3 support spoke-to-spoke communication (spokes talk to
each other directly). In this question only Phase 2 (not Phase 3) is offered as an option, so it is the
only correct answer.
Question 55
Which two statements about NHRP in a DMVPN environment are true? (Choose two)
Answer: D E
Question 73
Which two phases of DMVPN allow the spoke sites to create dynamic tunnels to one another?
(Choose two)
A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4
E. Phase 5
Answer: B C
Question 83
Which Cisco VPN technology can use multipoint tunnel, resulting in a single GRE tunnel
interface on the hub, to support multiple connections from multiple spoke devices?
A. DMVPN
B. GETVPN
C. Cisco Easy VPN
D. FlexVPN
Answer: A
Explanation
An mGRE tunnel inherits the concept of a classic GRE tunnel, but an mGRE tunnel does not
require a unique tunnel interface for each connection between Hub and Spoke like traditional
GRE. One mGRE interface can terminate multiple GRE tunnels from the other ends. Unlike classic GRE
tunnels, the tunnel destination for an mGRE tunnel does not have to be configured, and all
tunnels on Spokes connecting to the mGRE interface of the Hub can use the same subnet.
For more information about DMVPN, please read our DMVPN tutorial.
Question 148
Which two statements about NAT in a DMVPN environment are true? (Choose two)
Answer: D E
Explanation
With the NAT-Transparency Aware DMVPN enhancement, NHRP can learn and use the
NAT public address for its mappings as long as IPsec transport mode is used (which is the
recommended IPsec mode for DMVPN networks).
With this NAT Transparency enhancement, the hub DMVPN router can be behind static
NAT -> E is correct.
DMVPN spokes behind NAT will participate in dynamic direct spoke-to-spoke tunnels. The
spokes must be behind NAT boxes that are performing NAT, not PAT (so answer D is
correct). The NAT box must translate the spoke to the same outside NAT IP address for the
spoke-to-spoke connections as the NAT box does for the spoke-to-hub connection.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-
dmvpn.html#GUID-284B12C0-9F18-42EE-9A77-29D368883C45
Question 166
A. IPSec
B. TACACS+
C. RTBH
D. RADIUS
Answer: A
Explanation
Question 174
Which condition prevents the establishment of a DMVPN tunnel between two spokes?
Answer: D
Explanation
If one spoke is behind one NAT device and another different spoke is behind another NAT
device, and Port Address Translation (PAT) is the type of NAT used on both NAT devices,
then a session initiated between the two spokes cannot be established.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-
dt-spokes-b-nat.html
Question 16
Which three problems result from application mixing of UDP and TCP streams within a
network with no QoS? (Choose three)
A. starvation
B. jitter
C. latency
D. windowing
E. lower throughput
Answer: A C E
Explanation
When TCP is mixing with UDP under congestion, TCP flows will try to lower their
transmission rate while UDP flows continue transmitting as usual. As a result of this, UDP
flows will dominate the bandwidth of the link and this effect is called TCP-starvation/UDP-
dominance. This can increase latency and lower the overall throughput.
Question 31a
Which feature can mitigate fragmentation issues within network segments that are between
GRE endpoints?
A. PMTUD
B. ICMP DF bit
C. TCP Flow Control
D. TCP MSS
Explanation
The IP protocol was designed for use on a wide variety of transmission links. Although the
maximum length of an IP datagram is 65535, most transmission links enforce a smaller
maximum packet length limit, called an MTU. The value of the MTU depends on the type of
the transmission link. The design of IP accommodates MTU differences since it allows
routers to fragment IP datagrams as necessary. The receiving station is responsible for the
reassembly of the fragments back into the original full size IP datagram.
The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a
host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be
fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN
segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to
popular belief, the MSS value is not negotiated between hosts. The sending host is required to
limit the size of data in a single TCP segment to a value less than or equal to the MSS
reported by the receiving host.
TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does
not handle the case where there is a smaller MTU link in the middle between these two
endpoints. PMTUD was developed in order to avoid fragmentation in the path between the
endpoints. It is used to dynamically determine the lowest MTU along the path from a
packet's source to its destination.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
(this link contains some examples of how TCP MSS avoids IP fragmentation; it is long, but
worth reading if you want the details)
Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.
Question 31b
A. ICMP DF bit
B. TCP Flow Control
C. TCP MSS
D. PMTU
Answer: C
Question 45
Answer: A
Question 57
A. TFTP
B. SNMP
C. SMTP
D. HTTPS
E. FTP
Answer: A B
Explanation
TFTP (runs on UDP port 69) and SNMP (runs on UDP ports 161/162) are two protocols that
run on UDP, so they can cause TCP starvation.
Note: SMTP runs on TCP port 25; HTTPS runs on TCP port 443; FTP runs on TCP ports
20/21.
Question 86
Which technology was originally developed for routers to handle fragmentation in the path
between end points?
A. PMTUD
B. MSS
C. windowing
D. TCP
E. global synchronization
Answer: A
Explanation
Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.
Question 160
A network engineer applies the command "ip tcp adjust-mss" under interface configuration
mode. What is the result?
Answer: C
Question 161
Which value determines the amount of traffic that a network path can hold in transit?
Answer: C
Explanation
Bandwidth-delay product (BDP) is the maximum amount of data "in transit" at any point in
time between two endpoints. In other words, it is the amount of data "in flight" needed to
saturate the link. You can think of the link between two devices as a pipe. The cross section of
the pipe represents the bandwidth and the length of the pipe represents the delay (the
propagation delay due to the length of the pipe).
Therefore the volume of the pipe = Bandwidth x Delay. The volume of the pipe is also the
BDP.
Returning to our question, the formula to calculate BDP is:
BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 =
192,000 bits
For your information, BDP is very important in TCP communication as it optimizes the use
of bandwidth on a link. As you know, a disadvantage of TCP is that it has to wait for an
acknowledgment from the receiver before sending more data. The waiting time may be
very long and we may not utilize the full bandwidth of the link for the transmission.
Based on BDP, the sending host can increase the amount of data sent on a link (usually by
increasing the window size). In other words, the sending host can fill the whole pipe with
Question 164
Which protocol can you use to remotely install an IOS image on a Cisco switch?
A. SFTP
B. NetFlow
C. FTP
D. SNMP
Answer: C
Explanation
Question 216
A. when DNS and TFTP traffic are transmitted on the same link
B. when TCP traffic is blocked by an ACL
C. when UDP traffic is processed in a policy-map before TCP traffic
D. when HTTP and HTTPS traffic are transmitted on the same link
E. when TCP and UDP traffic are mixed in the same class of service
Answer: E
Which option is one way to mitigate asymmetric routing on an active/active firewall setup for
TCP-based connections?
Answer: D
Explanation
In Asymmetric routing, a packet traverses from a source to a destination in one path and takes
a different path when it returns to the source. This is commonly seen in Layer-3 routed
networks.
Reference:
http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200903.html
Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate
asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a
TCP connection even if the ASA didn't see the entire TCP 3-way handshake. This feature is
called TCP State Bypass.
Reference: https://supportforums.cisco.com/document/55536/asa-asymmetric-routing-
troubleshooting-and-mitigation
Note: The active/active firewall topology uses two firewalls that are both actively providing
firewall services.
Which three TCP enhancements can be used with TCP selective acknowledgments? (Choose
three)
A. header compression
B. explicit congestion notification
C. keepalive
D. time stamps
E. TCP path discovery
F. MTU window
Answer: B C D
Explanation
With normal (cumulative) TCP acknowledgement, when a client requests data, the server sends the first
three segments (the name for packets at Layer 4): Segment#1, #2, #3. Suppose Segment#2
was lost somewhere on the network while Segment#3 still reached the client. The client checks
Segment#3 and realizes Segment#2 is missing, so it can only acknowledge that it received
Segment#1 successfully. The client received Segment#1 and #3, so it sends two ACK#1 messages to alert
the server that it has not received any data beyond Segment#1. After receiving these ACKs,
the server must resend Segment#2 and #3 and wait for the ACKs of these segments.
With TCP Selective Acknowledgement, the process is the same until the client realizes
Segment#2 is missing. It also sends ACK#1, but adds a SACK block to indicate it has received
Segment#3 successfully (so there is no need to retransmit this segment). Therefore the server only
needs to resend Segment#2. Notice that after receiving Segment#2, the client sends
ACK#3 (not ACK#2) to say that it has all of the first three segments. Now the server continues
sending Segment#4, #5, ...
The SACK option is not mandatory and it is used only if both parties support it.
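The cumulative-ACK versus SACK exchange described above, as an added simulation that is not from the page: a receiver builds the ACK (and SACK blocks) after each arriving segment, and the sender derives its retransmission set from the last ACK. It generalizes the three-segment case in the text to any burst size and any set of lost segments; segment numbers and the loss set are constructed inputs.

```python
from typing import Dict, List, Set, Tuple

SackBlock = Tuple[int, int]   # inclusive range of contiguous received segments


def cumulative_ack(received: Set[int]) -> int:
    """Highest n such that segments 1..n have all arrived (the plain ACK number)."""
    n = 0
    while n + 1 in received:
        n += 1
    return n


def sack_blocks(received: Set[int], ack: int) -> List[SackBlock]:
    """SACK blocks: contiguous runs of received segments above the cumulative ACK."""
    blocks: List[List[int]] = []
    for seg in sorted(s for s in received if s > ack):
        if blocks and blocks[-1][1] == seg - 1:
            blocks[-1][1] = seg          # extend the current run
        else:
            blocks.append([seg, seg])    # start a new run
    return [(lo, hi) for lo, hi in blocks]


def simulate(total: int, lost: Set[int], use_sack: bool) -> Dict:
    """Send segments 1..total in one burst; segments in `lost` never arrive.

    Returns the ACKs the receiver emitted (one per delivered segment), the
    segments the sender retransmits after the burst, and the final cumulative
    ACK once those retransmissions have been delivered.
    """
    received: Set[int] = set()
    acks: List[Tuple[int, List[SackBlock]]] = []
    for seg in range(1, total + 1):
        if seg in lost:
            continue                      # dropped in the network
        received.add(seg)
        ack = cumulative_ack(received)
        acks.append((ack, sack_blocks(received, ack) if use_sack else []))

    last_ack, blocks = acks[-1]
    if use_sack:
        # Only the holes: everything above the ACK that no SACK block covers.
        covered = {s for lo, hi in blocks for s in range(lo, hi + 1)}
        retransmit = [s for s in range(last_ack + 1, total + 1) if s not in covered]
    else:
        # Without SACK the sender knows nothing beyond the ACK: resend it all.
        retransmit = list(range(last_ack + 1, total + 1))

    received.update(retransmit)           # retransmissions arrive intact
    return {"acks": acks, "retransmit": retransmit,
            "final_ack": cumulative_ack(received)}


if __name__ == "__main__":
    # The page's scenario: three segments, Segment#2 lost.
    for sack in (False, True):
        r = simulate(3, {2}, sack)
        print("SACK" if sack else "plain", r["acks"], "resend", r["retransmit"],
              "final ACK", r["final_ack"])
```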
The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to
notify end hosts of impending network congestion. It also provides enhanced support for TCP
sessions associated with applications, such as Telnet, web browsing, and transfer of audio and
video data that are sensitive to delay or packet loss. The benefit of this feature is the reduction
of delay and packet loss in data transmissions. Use the "ip tcp ecn" command in global
configuration mode to enable TCP ECN.
The TCP time-stamp option provides improved TCP round-trip time measurements. Because
the time stamps are always sent and echoed in both directions and the time-stamp value in the
header is always changing, TCP header compression will not compress the outgoing packet.
Use the "ip tcp timestamp" command to enable the TCP time-stamp option.
The TCP Keepalive Timer feature provides a mechanism to identify dead connections.
When a TCP connection on a routing device is idle for too long, the device sends a TCP
keepalive packet to the peer with only the Acknowledgment (ACK) flag turned on. If a
response packet (a TCP ACK packet) is not received after the device sends a specific number
of probes, the connection is considered dead and the device initiating the probes frees
resources used by the TCP connection.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-
3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html
Question 38
<exhibit missing>
After configuring the routes, the network engineer executes the show ip route command.
What is the expected result?
Answer: C
Question 98
What happens when a router receives a route with an administrative distance of 255?
A. The router installs the route as the most preferred path in the routing table.
B. The router installs the route as the least preferred path in the routing table
C. The router becomes the feasible successor for the route
D. The router is unable to install the route into the routing table
Answer: D
Question 100
Refer to the exhibit. Which networking challenge is the most important issue to address to
enable optimal communication between the networks at company A and company B?
A. IPv4 fragmentation
B. unicast flooding
C. asymmetric routing
D. UDP latency
E. IPV4 MTU
Answer: C
Question 186
A router receives a routing advertisement for 10.1.1.0/24 from an EIGRP peer and from an
OSPF peer. Which route does the router install in the routing table, and for which reason?
Explanation
By default the Administrative Distance of EIGRP is 90 which is smaller than that of OSPF
110 so EIGRP will be preferred over OSPF. The Administrative Distances of popular routing
protocols are shown below:
Question 194
You are configuring a static route. Which action must you take to avoid the possibility of
recursive routing?
Answer: C
Explanation
If the interface with the next hop goes down and the next hop is reachable through a recursive
route, you should specify both the next hop IP address and the alternate interface through
which the next hop should be found. For example, ip route 0.0.0.0 0.0.0.0 Serial 3/3
192.168.20.1. This enables the static route installation to become more deterministic.
Note: A recursive static route is a route whose next hop and the destination network are
covered by another learned route in the Routing Information Base (RIB). Such static routes
cannot be installed in the RIB because they are considered redundant routes.
Reference: https://www.cisco.com/c/en/us/support/docs/dial-access/floating-static-
route/118263-technote-nexthop-00.html
Question 203
Which routing protocol routes traffic through the best path and second best path at the same
time?
A. EIGRP
B. BGP
C. OSPF
D. RIP
Answer: A or B
Explanation
This question probably intends to ask which routing protocols support unequal-cost load
balancing. But both EIGRP and BGP support this feature (EIGRP with "variance" and BGP
with "maximum-paths").
Question 209
You want to configure a device to select an OSPF-learned route as the preferred path over an
EBGP-learned route. Which action must you take?
Answer: D
Explanation
The Administrative Distances of the routing protocols are compared first so we have to
decrease the OSPF administrative distance.
Question 11
A. router(config)#
B. router(config-if)#
C. router(config-router)#
D. router(config-rtr)#
Answer: D
Explanation
Question 95
A. SHA1 authentication
B. Enable password authentication
C. Plaintext authentication
D. MD5 authentication
Answer: C
Explanation
Plain text authentication mode is the default setting in every RIPv2 packet, when
authentication is enabled. Plain text authentication should not be used when security is an
issue, because the unencrypted authentication password is sent in every RIPv2 packet.
Note: RIP version 1 (RIPv1) does not support authentication.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13719-50.html
Question 122
Two routers are configured with RIPng but can't form neighbors as traffic traverses a
firewall. Which port does the firewall need to permit to form neighbors?
Answer: B
Question 144
A. ip routing
B. ip cef
C. ipv6 enable
D. ipv6 unicast-routing
Answer: D
Question 173
After configuring RIPng on two routers that are connected via a WAN link, a network
engineer notices that the two routers cannot exchange routing updates. What is the reason for
this?
A. Either a firewall between the two routers or an ACL on the router is blocking UDP 521
B. Either a firewall between the two routers or an ACL on the router is blocking TCP 520
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 521
D. Either a firewall between the two routers or an ACL on the router is blocking UDP 520
Answer: A
Explanation
Since RIPng is a new protocol, it cannot use the same UDP reserved port number 520 used
for RIPv1/RIPv2. Instead, RIPng uses well-known port number 521.
Question 175
A network engineer is enabling RIPng on a new customer link. Under which configuration
mode is RIPng enabled?
A. Global
B. Router
C. Interface
D. IPv6
Answer: C
Explanation
In order to enable RIPng, we have to do it under global configuration mode. For example:
R1(config)#ipv6 router rip RIPNG_DIGITALTUT
In this question they say "enabling RIPng on a new customer link" so maybe RIPng was
configured previously for other customers and the first command ("ipv6 router rip
RIPNG_DIGITALTUT") was used so RIPng should be configured under interface. Therefore
the answer should be "Interface" instead of "Global".
Question 205
A router with default RIPv2 settings loses connectivity to its next-hop neighbor. How long
does the router wait before removing the route to the next hop from its route table?
A. 30 seconds
B. 60 seconds
C. 180 seconds
D. 240 seconds
Answer: D
Explanation
The meanings of the RIPv1 and RIPv2 timers (both versions have the same timers) are described
below:
Update: how often the router sends updates. The default update timer is 30 seconds.
Invalid (also called Expire): how much time must pass without seeing a valid update before a
route becomes invalid and is placed into holddown. The default invalid timer is 180
seconds.
Holddown: if RIP receives an update with a hop count (metric) higher than the hop count
recorded in the routing table, RIP does not "believe" that update. The default holddown timer
is 180 seconds.
Flush: how much time since the last valid update until RIP deletes that route from its routing
table. The default flush timer is 240 seconds.
This question asks about the Flush timer, which is 240 seconds by default.
Question 109
A customer enabled a new link to a partner using RIPng. How and where is RIPng configured?
A. router mode
B. interface mode
C. global – (config)#ipv6 router rip "RIPNG"
Answer: C
Question 210
What is the maximum number of hops on a route that RIPng advertises as reachable?
A. 15
B. 30
C. 99
D. 255
Answer: A
Explanation
The maximum number of hops on RIPng is the same as RIP, which is 15. A hop-count of 16
is considered unreachable.
Question 35
Which two statements about OSPF E1 routes are true? (Choose two)
Answer: B C
Question 103
OSPF router R1 has router ID 172.18.1.1. What happens when R1 is configured with a new loopback
interface with IP address 172.17.1.1?
Answer: D
Question 113
Which two areas does OSPF send a summary route to by default? (Choose two)
A. NSSA
B. Backbone
C. Totally stubby
D. Stub
E. Normal
Answer: C D
Question 128
Refer to the exhibit. Which LSA type does R3 propagate into Area 1 for the 192.168.10.0/24
network?
A. type 3 LSA
B. type 5 LSA
C. type 7 LSA
D. type 10 LSA
Answer: C
Explanation
NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to
the ASBR.
Question 133
Answer: A
Question 138
What are two important differences between OSPFv2 and OSPFv3? (Choose two)
Answer: A C
Question 153
Device R1 has 1 Gigabit and 10 Gigabit Ethernet interfaces, which command do you enter so
that it takes full advantage of OSPF costs?
Answer: A
Explanation
The "auto-cost reference-bandwidth" command affects all the OSPF costs on the local router,
as all links are recalculated with the formula: cost = reference-bandwidth (in Mbps) / interface
bandwidth (in Mbps).
Therefore in this case the command "auto-cost reference-bandwidth 10000" allows the local
router to assign distinct costs to links up to 10 Gbps (10000 Mbps).
Question 178
Which LSA type in OSPFv3 is used for link-local updates?
Answer: B
Explanation
LSAs Type 8 (Link LSA) have link-local flooding scope. A router originates a separate link-
LSA for each attached link that supports two or more (including the originating router itself)
routers. Link-LSAs should not be originated for virtual links.
Question 188
Answer: C F
Question 207
Answer: D
When OSPF is forming an adjacency, in which state does the actual exchange of the
information in the link-state database occur?
A. INIT
B. loading
C. exstart
D. exchange
Answer: B
Explanation
Loading: In this state, the actual exchange of link state information occurs. Based on the
information provided by the DBDs, routers send link-state request packets. The neighbor then
provides the requested link-state information in link-state update packets. During the
adjacency, if a router receives an outdated or missing LSA, it requests that LSA by sending a
link-state request packet. All link-state update packets are acknowledged.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13685-13.html
Question 219 (posted at Q.7 of http://www.digitaltut.com/ospf-questions)
A network engineer enables OSPF on a Frame Relay WAN connection to various remote
sites, but no OSPF adjacencies come up. Which two actions are possible solutions for this
issue? (Choose two)
Answer: A D
Explanation
When OSPF is run on a network, two important events happen before routing information is
exchanged:
+ Neighbors are discovered using multicast hello packets.
+ DR and BDR are elected for every multi-access network to optimize the adjacency building
process. All the routers in that segment should be able to communicate directly with the DR
and BDR for proper adjacency (in the case of a point-to-point network, DR and BDR are not
necessary since there are only two routers in the segment, and hence the election does not
take place).
For a successful neighbor discovery on a segment, the network must allow broadcasts or
multicast packets to be sent.
Which two OSPF router types can perform summarization in an OSPF network? (Choose
two)
A. summary router
B. area border router
C. autonomous system boundary router
D. internal router
E. backbone router
Answer: B C
If you want to migrate an IS-IS network to another routing protocol, which routing protocols
should you choose? (Choose two)
A. UDP
B. internal BGP
C. TCP/IP
D. EIGRP
E. OSPF
F. RIP
Answer: D E
Explanation
IS-IS is an interior gateway protocol (IGP), the same as EIGRP and OSPF, so they are probably the
best answers. Although RIP is not a wrong choice, it is not widely used because of its many
limitations (only 15 hops, long convergence time...).
If routers in a single area are configured with the same priority value, what value does a
router use for the OSPF Router ID in the absence of a loopback interface?
Answer: B
Question 5
A router was configured with the "eigrp stub" command. The router advertises which types
of routes?
Answer: D
Explanation
The "eigrp stub" command is equivalent to the "eigrp stub connected summary" command,
which advertises the connected routes and summarized routes.
Note: Summary routes can be created manually with the summary address command or
automatically at a major network border router with the auto-summary command enabled.
Question 17
All interfaces on each router are participating in the EIGRP 100 process. Interface Loopback
2 on HQR2 is currently in shutdown mode. An engineer issues the eigrp stub command on
router BR1. Which statements about the query messages sent from router HQ-R2 for a route
to reach the 12.12.12.12/32 network is true?
A. Router HQ-R2 sends a query message to the feasible successor for a route to
12.12.12.12/32 network.
B. BR1 receives query messages from HQ-R2 for a route to 12.12.12.12/32 network.
C. Router HQ-R1 receives query messages from HQ-R2 for a route to 12.12.12.12/32
network.
D. Router HQ-R1 and BR1 receive query messages from HQ-R2 for a route to 12.12.12.12/32
network.
Answer: C
Explanation
Router BR1 has been configured as a "stub", so HQ-R2 will not send a query to BR1 because it
believes this is a stub network. The query is only sent to HQ-R1.
Question 28
If this configuration is applied to a device that redistributes EIGRP routes into OSPF. which
two statements about the behavior of the device are true? (Choose two)
Answer: C E
Explanation
Answer A is not correct because only on the routers that receive the routing advertisements
of the local router do the EIGRP routes appear in the routing table as E2 OSPF routes.
Answer B is not correct as this router may have other loopback interfaces with a higher IP
address than loopback0.
Answer C is correct as there is no route-map to limit which routes are redistributed into
OSPF. Therefore, by default, all EIGRP routes will be redistributed.
Answer D is not correct as N2 routes only appear when redistributing into a not-so-stubby
area (NSSA).
Answer E is correct as there is no "subnets" keyword when redistributing into OSPF, so only
classful EIGRP networks will be redistributed.
Answer F is not correct as EIGRP routes will appear as LSA type 5, not type 3.
Question 30
The excerpt was taken from the routing table of router SATX. Which option ensures that
routes from 51.51.51.1 are preferred over routes from 52.52.52.2?
Answer: E
Explanation
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfindp
1.html
Question 39
Which two options can you use to configure an EIGRP stub router? (Choose two)
A. summary-only
B. receive-only
C. external
D. summary
E. totally-stubby
F. not-so-stubby
Answer: B D
Explanation
To configure EIGRP stub we can use this syntax:
Question 42
A. TKIP
B. MD5
C. WPA
D. Plain Text
Answer: B D
Question 43
Which three statements about IPv6 EIGRP are true? (Choose three)
Answer: A D E
A. 90
B. 170
C. 5
D. 110
Answer: C
Explanation
Question 117
A. Query
B. Reply
C. Request
D. Hello
E. Update
Answer: C D
Question 118
Answer: D
Explanation
The bandwidth is defined as the slowest bandwidth in the route to the destination.
Question 119
Answer: A
Question 120
Which statements are true about configuring IPv6 EIGRP for route advertisements?
(Choose two)
Answer: B D
Question 126
Which task must you perform to implement EIGRP for IPv6 on a device?
A. Use the ipv6 cef command to enable Cisco Express Forwarding on the device
B. Configure a loopback interface on the device
C. Manually configure the router ID
D. Statically configure a neighbor statement
Answer: C
Question 127
Which two features are provided by EIGRP for IPv6? (Choose two)
A. Backbone areas
B. SPF algorithm
C. Partial updates
D. Area border router
E. Scaling
Answer: C E
Question 146
Which two packet types can an EIGRP router send when a route goes into the Active state?
(Choose two)
A. reply
B. request
C. hello
D. update
E. query
Answer: A E
Explanation
The route is in Active state when a router is undergoing a route recomputation. If there are
always feasible successors, a route never has to go into Active state and avoids a route
recomputation.
When there are no feasible successors, a route goes into Active state and a route
recomputation occurs. A route recomputation commences with a router sending a query
packet to all neighbors. Neighboring routers can either reply if they have feasible successors
for the destination or optionally return a query indicating that they are performing a route
recomputation.
Queries and replies are sent when destinations go into Active state. Queries are always
multicast unless they are sent in response to a received query. In this case, it is unicast back to
the successor that originated the query. Replies are always sent in response to queries to
indicate to the originator that it does not need to go into Active state because it has feasible
successors. Replies are unicast to the originator of the query. Both queries and replies are
transmitted reliably.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-
routing-protocol-eigrp/13669-1.html
Question 150
Which two EIGRP metrics have nonzero K values by default? (Choose two)
A. reliability
B. delay
C. cost
D. load
E. bandwidth
Answer: B E
Explanation
Question 151
Refer to the exhibit. You want router R1 to perform unequal-cost routing to the
192.168.10.0/24 network. What is the smallest EIGRP variance value that you can configure
on R1 to achieve this result?
A. 1
B. 2
C. 3
D. 4
Answer: C
Explanation
When using the variance command, EIGRP will add a feasible successor to the route table if
the feasible successor has a feasible distance that is less than or equal to the product of the
feasible distance of the successor times the variance setting, and the feasibility condition is
met. In math terms:
FD(FS) <= FD(S) * variance
where:
FD – feasible distance
FS – feasible successor
S – successor
In this question the FD of the successor is 150 (from R1 to R2) and the FD of the feasible
successor is 300 + 150 = 450. Therefore the minimum value of the variance must be 3 so that
450 <= 150 * 3 -> C is the best answer.
Note: In fact the route R1 – R3 – R2 does not satisfy the feasibility condition, which states:
"To qualify as a feasible successor, a router must have an AD less than the FD of the current
successor route".
In this question the AD from R3 is 150, which is equal to the FD of the current successor
route (from R1 to R2), so the feasibility condition is not met. However we still have to choose
one best answer.
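As an added worked example (not part of the original question set), the Python below carries the arithmetic of this explanation through: it computes the alternate path's FD from the constructed values in the question (successor FD 150, link cost 300 to R3, R3's AD 150), derives the smallest integer variance that satisfies FD(FS) <= FD(S) * variance, and also applies the feasibility condition the note describes, so it shows why the R3 path would still not be installed. The function and variable names are this example's own.

```python
import math

# Constructed values taken from the question: the successor path R1->R2 has a
# feasible distance (FD) of 150; the alternate path R1->R3->R2 costs 300 on the
# R1-R3 link plus R3's advertised distance (AD) of 150 to the destination.
SUCCESSOR_FD = 150
ALTERNATE_LINK_COST = 300
ALTERNATE_AD = 150


def path_fd(link_cost, neighbor_ad):
    """FD of a path through a neighbour: cost to reach the neighbour plus the
    distance that neighbour advertises for the destination."""
    return link_cost + neighbor_ad


def is_feasible_successor(candidate_ad, successor_fd):
    """Feasibility condition: the candidate's AD must be strictly less than the
    current successor's FD. This is what keeps the alternate path loop-free;
    a path that fails it is never installed, whatever the variance."""
    return candidate_ad < successor_fd


def minimum_variance(candidate_fd, successor_fd):
    """Smallest integer variance v with candidate_fd <= successor_fd * v
    (the arithmetic the question asks for, ignoring the feasibility condition).
    IOS accepts variance values from 1 to 128."""
    return max(1, math.ceil(candidate_fd / successor_fd))


def installed_paths(successor_fd, candidates, variance):
    """Names of the candidate paths EIGRP would install next to the successor.
    candidates: list of (name, link_cost, neighbor_ad)."""
    chosen = []
    for name, link_cost, neighbor_ad in candidates:
        fd = path_fd(link_cost, neighbor_ad)
        if is_feasible_successor(neighbor_ad, successor_fd) and fd <= successor_fd * variance:
            chosen.append(name)
    return chosen


if __name__ == "__main__":
    alt_fd = path_fd(ALTERNATE_LINK_COST, ALTERNATE_AD)
    print("alternate FD:", alt_fd)                                                  # 450
    print("minimum variance by arithmetic:", minimum_variance(alt_fd, SUCCESSOR_FD))   # 3
    print("feasibility condition met:", is_feasible_successor(ALTERNATE_AD, SUCCESSOR_FD))  # False
    print("installed with variance 3:", installed_paths(SUCCESSOR_FD, [("via R3", 300, 150)], 3))  # []
    # If R3 advertised 140 instead, the feasibility condition would hold and variance 3 would install it.
    print("installed if R3 advertised 140:", installed_paths(SUCCESSOR_FD, [("via R3", 300, 140)], 3))  # ['via R3']
```

The last line shows the edge case the note is about: the variance value alone is not enough, the AD must be strictly below the successor's FD before the variance is even considered.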
Question 167
Answer: C
Question 170
When an EIGRP router discovers a new neighbor, which packet type does the router send to
help the neighbor build its topology table?
A. replies
B. requests
C. updates
D. queries
Answer: C
Explanation
Question 195
R1
interface Loopback0
ip address 172.16.1.1 255.255.255.255
interface FastEthernet0/0
ip address 192.168.10.33 255.255.255.224
router eigrp 100
eigrp router-id 172.16.1.1
no auto-summary
network 192.168.10.0
network 172.16.0.0
R2
interface Loopback0
ip address 172.16.2.2 255.255.255.255
interface FastEthernet0/0
ip address 192.168.10.17 255.255.255.240
router eigrp 100
eigrp router-id 172.16.2.2
network 192.168.10.0
network 172.16.0.0
R1 and R2 are unable to establish an EIGRP adjacency. Which action corrects the problem?
A. Change the eigrp route-id on one of the routers so that values on the two routers are
different.
B. Add the no auto-summary command to the R2 configuration so that it matches the R1
configuration
C. Change the autonomous system number on one of the routers so that each router has
different values
D. Change the IP address and subnet mask on R2 so that is on the same subnet as R1.
Answer: D
Question 220
A. bandwidth * delay
B. bandwidth + delay
C. bandwidth – delay
D. bandwidth / delay
Answer: B
Explanation
The bandwidth is defined as the slowest bandwidth in the route to the destination.
Other than a working EIGRP configuration, which option must be the same on all routers for
EIGRP authentication key rollover to work correctly?
A. SMTP
B. SNMP
C. Passwords
D. Time
Answer: D
Explanation
Requirements
+ The time must be properly configured on all routers.
+ A working EIGRP configuration is recommended.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-
routing-protocol-eigrp/82110-eigrp-authentication.html
Question 32
Based on the output, which option is the next hop to get to the 130.0.1.0/24 network?
A. 10.30.30.1
B. 10.0.11.1
C. 10.20.20.1
D. 10.10.10.1
Answer: C
Explanation
This is the BGP routing table. Only the best entry of each prefix (marked with ">") is placed
into the routing table. In the output above, the 130.0.1.0/24 network can be reached via three
next hops (10.10.10.1, 10.30.30.1 and 10.20.20.1), but only 10.20.20.1 is the best path and is
placed into the routing table.
Question 101
Which two conditions can cause BGP neighbor establishment to fail? (Choose two)
A. There is an access list blocking all TCP traffic between the two BGP neighbors.
B. The IBGP neighbor is not directly connected.
C. BGP synchronization is enabled in a transit autonomous system with fully-meshed IBGP
neighbors.
D. The BGP update interval is different between the two BGP neighbors.
E. The BGP neighbor is referencing an incorrect autonomous system number in its neighbor
statement.
Answer: A E
Explanation
An underlying connection between two BGP speakers must be established before any routing
information is exchanged. This connection takes place on TCP port 179, so if an access list
blocks all TCP traffic between the two BGP neighbors, the BGP neighbor relationship cannot
be established -> A is correct.
IBGP neighbors don't need to be directly connected -> B is not correct.
BGP synchronization only prevents routes from being sent to other EBGP neighbors before the
route exists in the routing table. It doesn't prevent the BGP neighbor relationship -> C is not
correct.
After the first initial exchange (which exchanges routes and synchronizes their tables), a BGP
speaker will only send further updates upon a change in the network topology -> BGP does
not have a fixed update interval -> D is not correct.
A BGP neighbor relationship is established when both ends (routers) are manually configured
with the "neighbor neighbor-IP remote-as neighbor-AS" command on both sides of the
connection. If the neighbor-AS is wrong, the neighbor relationship cannot be established ->
E is correct.
Question 114
Which BGP option is required when load sharing over multiple equal-bandwidth parallel links
from a single CE router to a single ISP router over eBGP?
A. eBGP Multipath
B. eBGP Multihop
C. BGP Synchronization
D. Public AS numbers
Answer: A
Explanation
The BGP Multipath Load Sharing for eBGP and iBGP feature allows you to configure
multipath load balancing with both external BGP (eBGP) and internal BGP (iBGP) paths in
Border Gateway Protocol (BGP) networks that are configured to use Multiprotocol Label
Switching (MPLS) Virtual Private Networks (VPNs).
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxeibmp.html
Question 129
Which two options are benefits of BGP peer groups? (Choose two)
A. A configuration change can be applied simultaneously to all peers in the peer group
B. They can optimize backdoor routes
C. They can be updated via multicast
D. Each neighbor in a peer group can have different inbound BGP policies
E. They use soft updates to minimize bandwidth consumption
F. They support groups of paths
Answer: A D
Explanation
Answer A is surely correct, as the main purposes (and advantages) of BGP peer groups are to
simplify the BGP configuration and reduce the amount of system resources (CPU and
memory) necessary for update generation.
+ All members of a peer group must share identical outbound announcement policies (such as
distribute-list, filter-list, and route-map), except for default-originate, which is handled on a
per-peer basis even for peer group members.
+ You can customize the inbound update policy for any member of a peer group -> D is
correct.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-
bgp/13755-29.html
Question 130
Which criterion does the BGP maximum paths feature use for load balancing?
A. MED
B. local preference
C. weight
D. router ID
Answer: C
Explanation
BGP selects only one best path for each prefix it receives and then installs it in the IP routing
table. So whenever we need load balancing across different paths, we have to enable BGP
multipath with the "maximum-paths" command.
There are several conditions that BGP checks before selecting additional paths in parallel
with the best one. The following attributes of the parallel paths have to match those of the
best path:
+ Weight
+ Local Pref
+ Origin
+ AS-Path Length
+ MED
+ Neighbor AS or Sub-AS match for (eBGP multipath)
+ AS-PATH match (for eiBGP multipath)
+ IGP metric to BGP next hop
Question 149
A. routing loops
B. DoS attacks
C. link saturation
D. CAM table overload
Answer: B
Explanation
This question refers to the TTL Security Check for multihop BGP peering sessions.
The BGP Support for TTL Security Check feature provides an effective and easy-to-deploy
solution to protect eBGP peering sessions from CPU utilization-based attacks. When this
feature is enabled, a host cannot attack a BGP session if the host is not a member of the local
or remote BGP network or if the host is not directly connected to a network segment between
the local and remote BGP networks. This solution greatly reduces the effectiveness of DoS
attacks against a BGP autonomous system. An example of configuring this feature is shown
below:
This sets the expected incoming TTL value for a directly connected eBGP peer. The hop-
count argument is set to 2, configuring BGP to only accept IP packets with a TTL count in the
header that is equal to or greater than 253. If the 10.1.1.1 neighbor is more than 2 hops away,
the peering session will not be accepted.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.pdf
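As an added illustration (not code from the Cisco document or the exam), the Python below models the receiver-side check that the "ttl-security hops" setting enables: a packet is accepted only if its IP TTL is at least 255 minus the configured hop count, and because a sender cannot set a TTL above 255 and every router on the path decrements it, a packet from far away arrives below the threshold. The sample packet list and function names are constructed for the example; the threshold of 253 for hop count 2 is the value stated above.

```python
MAX_TTL = 255


def ttl_security_accepts(observed_ttl, hops):
    """Accept a BGP packet only if its IP TTL is >= 255 - hops, which is the
    check 'neighbor <ip> ttl-security hops <hops>' enables on the receiver.
    With hops=2 the threshold is 253, as the explanation above states."""
    return observed_ttl >= MAX_TTL - hops


def ttl_on_arrival(routers_in_between, initial_ttl=MAX_TTL):
    """TTL the receiver sees when the sender set initial_ttl and the packet
    crossed routers_in_between routers that each decremented it by one.
    The TTL field is a single byte, so initial_ttl can never exceed 255."""
    return max(0, initial_ttl - routers_in_between)


def evaluate_peers(packets, hops):
    """packets: constructed list of (source, observed_ttl) pairs as seen on the
    BGP router's interface. Returns source -> accepted?"""
    return {src: ttl_security_accepts(ttl, hops) for src, ttl in packets}


if __name__ == "__main__":
    # Constructed sample: the configured peer 10.1.1.1 one router away and a
    # distant source whose packets crossed seven routers before arriving.
    sample = [("10.1.1.1", ttl_on_arrival(1)), ("distant-source", ttl_on_arrival(7))]
    print(evaluate_peers(sample, hops=2))   # {'10.1.1.1': True, 'distant-source': False}
```

The check is deliberately one-sided: it protects this router's BGP process from packets that cannot have originated within the configured distance, and it costs nothing per packet beyond a comparison, which is why it is applied before any TCP or BGP processing.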
Question 156
Which two tasks must you perform to configure a BGP peer group? (Choose two)
Answer: D E
Question 189
Which criterion does BGP evaluate first when determining the best path?
A. MED value
B. neighbor address
C. local preference value
D. weight
Answer: D
Explanation
This list provides the rules that are used to determine the best path:
For more information about above list, please read this link:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html
Question 230
Which command do you enter on router R6 so that BGP supports multiple protocols?
Answer: A
Explanation
The command "no bgp default ipv4-unicast" disables the default behavior of BGPv4 to
advertise only IPv4 unicast routes. It enables multiprotocol BGP mode, where multiple
address families can be negotiated during the BGP session setup when the two peers
exchange their respective capabilities.
A. Established
B. Active
C. Stuck in active
D. 2-WAY
E. Unknown
F. DROTHER
Answer: A B
Explanation
BGP Neighbor states are: Idle – Connect – Active – Open Sent – Open Confirm – Established
Question 102
router eigrp 1
redistribute bgp 1 route-map BGP_DEFAULT_ROUTE_RM
network 2.0.0.0
route-map BGP_DEFAULT_ROUTE_RM permit 10
match ip address prefix-list DEFAULT_ROUTE_PL
ip prefix-list DEFAULT_ROUTE_PL seq 10 permit 0.0.0.0/0
Answer: A
Explanation
When redistributing into EIGRP, we have to configure the five metrics or redistribution
would not work because of incompatible metrics.
Refer to the exhibit. Which option describes why the EIGRP neighbors of this router are not
learning routes that are received from OSPF?
router eigrp 1
redistribute ospf 100
network 10.10.10.0 0.0.0.255
auto-summary
!
router ospf 100
network 172.16.0.0 0.0.255.255 area 100
redistribute eigrp 1
Answer: B
Explanation
When redistributing into RIP, EIGRP (and IGRP) we need to specify the metrics, or the
redistributed routes would never be learned. In this case we need to configure it like this:
router eigrp 1
redistribute ospf 100 metric 10000 100 255 1 1500
Question 142
Refer to the exhibit. How does R1 handle the route to network 10.1.80.0/24?
R1
router eigrp 1
no auto-summary
redistribute ospf 1 route-map ospf-to-eigrp
default-metric 10000 10 255 1 1500
Answer: A
Explanation
The prefix-list ccnp2 allows any subnet of the main prefix 10.1.80.0/24, as every mask is
surely less than or equal to 32 bits (/32).
Question 202
Which option is an invalid redistribute command option for redistributing routes from EIGRP
into OSPF?
A. route map
B. tag
C. access list
D. metric
Answer: C
Explanation
An example of configuring redistributing routes from EIGRP into OSPF with metric is shown
below:
router ospf 1
redistribute eigrp 1111 metric 200 subnets
With a route map:
router ospf 1
redistribute eigrp 1 subnets route-map eigrp-to-ospf
With tag:
router ospf 1
redistribute eigrp 1 subnets tag 190
Question 33
Answer: C
Question 51
A. modules
B. vendor extensions
C. options
D. Scopes
Answer: C
Question 66
After testing various dynamic IPv6 address assignment methods, an engineer decides that
more control is needed when distributing addresses to clients. Which two advantages does
DHCPv6 have over EUI-64? (Choose two)
A. DHCPv6 requires less planning and configuration than EUI-64 requires.
B. DHCPv6 allows for additional parameters to be sent to the client, such as the domain name
and DNS server.
C. DHCPv6 provides tighter control over the IPv6 addresses that are distributed to clients.
D. DHCPv6 does not require the configuration of prefix pools.
E. DHCPv6 does not require neighbor and router discovery on the network segment.
Answer: B C
Explanation
Extended Unique Identifier (EUI) allows a host to assign itself a unique 64-bit IPv6 interface
identifier (EUI-64). This feature is a key benefit over IPv4, as it eliminates the need for manual
configuration or DHCP as in the world of IPv4. The IPv6 EUI-64 format address is obtained
from the 48-bit MAC address. The MAC address is first separated into two 24-bit halves, one
being the OUI (Organizationally Unique Identifier) and the other being NIC specific. The
16-bit value 0xFFFE is then inserted between these two 24-bit halves to form the 64-bit EUI.
IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64 generated from
an EUI-48 MAC address.
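As an added worked example (not code from the exam or from Cisco), the Python below performs the EUI-64 derivation described above and goes one step beyond the text: IPv6 uses the modified EUI-64 of RFC 4291, which also inverts the universal/local bit of the first octet, so that step is included and can be switched off to see the plain EUI-64. It also includes the check a network defender uses to spot addresses that embed a hardware address, which is one reason the question favours DHCPv6 for tighter control. The sample MAC address and prefix are constructed; the function names are this example's own.

```python
import ipaddress


def mac_to_eui64_interface_id(mac, flip_ul_bit=True):
    """Build the 64-bit interface identifier from a 48-bit MAC address.
    Split the MAC into its 24-bit OUI and 24-bit NIC halves, insert 0xFFFE
    between them and, for the modified EUI-64 that IPv6 uses (RFC 4291),
    invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits (6 octets)")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    if flip_ul_bit:
        eui[0] ^= 0x02
    return ":".join(f"{(eui[i] << 8) | eui[i + 1]:04x}" for i in range(0, 8, 2))


def eui64_address(prefix, mac):
    """Combine a /64 prefix such as '2001:db8:1::/64' (constructed sample)
    with the modified EUI-64 interface id to form the full IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int(mac_to_eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def looks_eui64_derived(address):
    """Defender's check: an interface id carrying ff:fe in its middle two
    octets was almost certainly derived from a hardware address, so the MAC
    (and therefore the device) is exposed wherever that address is seen."""
    packed = ipaddress.IPv6Address(address).packed
    return packed[11:13] == b"\xff\xfe"


if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"   # constructed sample value
    print(mac_to_eui64_interface_id(sample_mac, flip_ul_bit=False))  # 001a:2bff:fe3c:4d5e
    print(mac_to_eui64_interface_id(sample_mac))                     # 021a:2bff:fe3c:4d5e
    addr = eui64_address("2001:db8:1::/64", sample_mac)
    print(addr, looks_eui64_derived(addr))                            # 2001:db8:1:0:21a:2bff:fe3c:4d5e True
```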
Question 67
A. Server
B. Client
C. Approver
D. Requester
E. ACK
F. Relay
Answer: A B F
Explanation
Question 70
DHCPv6 can obtain configuration parameters from a server through rapid two-way message
exchange. Which two steps are involved in this process? (Choose two)
A. solicit
B. advertise
C. request
D. auth
E. reply
Answer: A E
Question 94
Which set of actions does a network engineer perform to set the IPv6 address of a DHCP
relay server at the VLAN interface level?
A. Enter the VLAN interface configuration mode and define the IPv6 address of a DHCP
relay server
B. Enter the global configuration mode and enable the IPv6 DHCP relay
C. Enter the global configuration mode, enable IPv6 DHCP relay from interface
configuration mode and define the IPv6 address of a DHCP relay server
D. Enter the VLAN interface configuration mode, enable IPv6 DHCP relay, and define the
IPv6 address of a DHCP relay server
Answer: D
Explanation
An example of how to set the IPv6 address of a DHCP relay server at the VLAN interface
level:
Reference:
https://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/c
ommand/reference/ACE_cr/if.html
Question 96
Question 158
When a new PC is connected to the network, which step must it take first to receive a DHCP
address?
Answer: D
Explanation
When a client boots up for the first time (or tries to join a new network), it needs to obtain an
IP address to communicate. So it first transmits a DHCPDISCOVER message on its local
subnet. Because the client has no way of knowing the subnet to which it belongs, the
DHCPDISCOVER is an all-subnets broadcast (destination IP address 255.255.255.255, which
is a layer 3 broadcast address) with a destination MAC address of FF-FF-FF-FF-FF-FF (which
is a layer 2 broadcast address). The client does not have a configured IP address, so the source
IP address 0.0.0.0 is used. The purpose of the DHCPDISCOVER message is to find a DHCP
server (a server that can assign IP addresses).
To learn more about the whole DHCP process, please read our DHCP tutorial.
Question 168
Which two tasks does a DHCP relay agent perform? (Choose two)
Answer: B E
Explanation
A DHCP relay agent is any host that forwards DHCP packets between clients and servers.
Relay agents are used to forward requests (which includes the DHCPDISCOVER) and
replies (which includes DHCPOFFER) between clients and servers when they are not on the
same physical subnet.
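As an added illustration serving both the DHCPDISCOVER description above and the relay-agent question, the Python below constructs the DHCPDISCOVER payload a new client sends (all four address fields zero, broadcast flag set, message type option 53 = 1), parses it back, and applies the change a relay agent makes before forwarding the request to a server on another subnet: it writes its own interface address into giaddr and increments the hops field. This is example code, not part of the exam; the transaction id, client MAC and relay interface address 192.168.145.1 are constructed values.

```python
import socket
import struct

# Fixed BOOTP/DHCP header layout (RFC 2131, 236 bytes), then the magic cookie
# and TLV options.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 236
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
DHCPDISCOVER = 1
ZERO_IP = b"\x00\x00\x00\x00"


def build_discover(xid, mac):
    """Construct the DHCPDISCOVER a freshly booted client sends: ciaddr, yiaddr,
    siaddr and giaddr are all 0.0.0.0 and the broadcast flag asks for a
    broadcast reply, because the client cannot yet receive unicast."""
    if len(mac) != 6:
        raise ValueError("chaddr for Ethernet is 6 octets")
    header = struct.pack(HEADER_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + options


def discover_envelope():
    """The L2/L3 envelope described in the text, as constructed values: no
    source address yet, limited broadcast destination, broadcast MAC, UDP 68 -> 67."""
    return {"src_ip": "0.0.0.0", "dst_ip": "255.255.255.255",
            "dst_mac": "ff:ff:ff:ff:ff:ff", "src_port": 68, "dst_port": 67}


def parse_dhcp(payload):
    """Parse the fixed header and the TLV options into a dict."""
    if len(payload) < HEADER_LEN + 4 or payload[HEADER_LEN:HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    options, i = {}, HEADER_LEN + 4
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
            "chaddr": chaddr[:hlen], "giaddr": socket.inet_ntoa(giaddr),
            "message_type": options.get(OPT_MESSAGE_TYPE, b"")[:1], "options": options}


def relay_forward(payload, relay_interface_ip):
    """What a relay agent does before unicasting the request to the server
    (the ip helper-address): fill giaddr with the address of the interface the
    request arrived on, if it is still zero, and bump the hops counter. The
    server uses giaddr to choose the scope and to address its reply."""
    msg = bytearray(payload)
    if msg[24:28] == ZERO_IP:          # giaddr sits at offset 24 of the header
        msg[24:28] = socket.inet_aton(relay_interface_ip)
    msg[3] += 1                        # hops is the fourth header byte
    return bytes(msg)


if __name__ == "__main__":
    discover = build_discover(0x3903F326, bytes.fromhex("001a2b3c4d5e"))  # constructed sample
    print(parse_dhcp(discover)["giaddr"])                                  # 0.0.0.0
    print(parse_dhcp(relay_forward(discover, "192.168.145.1"))["giaddr"])  # 192.168.145.1
```

Seen from the server, giaddr is the only thing that tells it which subnet the client is on, which is why a relay that fails to set it (or a router whose relay function is disabled) leaves clients on remote subnets without addresses.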
Question 236 (posted at Q.6 of http://www.digitaltut.com/dhcp-dhcpv6-questions)
Consider this scenario. TCP traffic is blocked on port 547 between a DHCPv6 relay agent
and a DHCPv6 server that is configured for prefix delegation. Which two outcomes will
result when the relay agent is rebooted? (Choose two)
Answer: A D
Explanation
Note: A DHCPv6 relay agent is used to relay (forward) messages between the DHCPv6 client
and server.
Servers and relay agents listen for DHCP messages on UDP port 547, so if a DHCPv6 relay
agent cannot receive DHCP messages (because port 547 is blocked) then the routers
(clients) will not obtain DHCPv6 prefixes.
We are not sure about answer D but maybe it is related to the (absence of) "Reload Persistent
Interface ID" in DHCPv6 Relay Options. This feature makes the interface ID option
persistent. The interface ID is used by relay agents to decide which interface should be used
to forward a RELAY-REPLY packet. A persistent interface-ID option will not change if the
router acting as a relay agent goes offline during a reload or a power outage. When the router
acting as a relay agent returns online, it is possible that changes to the internal interface index
of the relay agent may have occurred in certain scenarios (such as when the relay agent
reboots and the number of interfaces in the interface index changes, or when the relay agent
boots up and has more virtual interfaces than it did before the reboot). This feature prevents
such scenarios from causing any problems.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-
e/dhcp-15-e-book/dhcp-15e-book_chapter_010.html
interface FastEthernet0/0
ip helper-address 192.168.145.5
A packet capture indicates that the router is not forwarding the DHCP packets that it receives
on interface FastEthernet0/0. Which command needs to be entered in global configuration
mode to resolve this issue?
A. ip helper-address
B. ip DHCP relay
C. service DHCP
D. ip forward-protocol
Answer: B
Explanation
The "ip helper-address" command is only configured in interface mode, so it is not the correct
answer.
Note: The Cisco IOS software provides the global configuration command "ip forward-
protocol" to allow an administrator to forward any UDP port in addition to the eight default
UDP services. For example, to forward UDP on port 517, use the global configuration
command "ip forward-protocol udp 517". But the eight default UDP services already include
DHCP, so it is not the suitable answer.
A DHCP relay agent may receive a message from another DHCP relay agent that already
contains relay information. By default, the relay information from the previous relay agent is
replaced. If this behavior is not suitable for your network, you can use the ip dhcp relay
information policy {drop | keep | replace} global configuration command to change it ->
Therefore this is the correct answer.
Reference:
https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html
Question 7
After reviewing the EVN configuration, a network administrator notices that a predefined
EVN, which is known as "vnet global", was configured. What is the purpose of this EVN?
(OR) What is the purpose of "vnet global"?
A. It defines the routing scope for each particular EVN edge interface.
B. It aggregates and carries all dot1q tagged traffic.
C. It refers to the global routing context and corresponds to the default RIB.
D. It safeguards the virtual network that is preconfigured to avoid mismatched routing
instances.
Answer: C
Question 34
R1
hostname R1
!
ip vrf Yellow
rd 100:1
!
interface Serial0/0
ip vrf forwarding Yellow
ip address 209.165.202.129 255.255.255.224
!
ip route 209.165.202.129 255.255.255.224 null0
!
router eigrp 100
address-family ipv4 vrf Yellow
network 209.165.202.129 0.0.0.0
no auto-summary
autonomous-system 100
redistribute static
R2
hostname R2
!
ip vrf Yellow
rd 100:1
!
interface Serial0/0
ip vrf forwarding Yellow
ip address 209.165.202.130 255.255.255.224
!
router eigrp 100
address-family ipv4 vrf Yellow
network 209.165.202.130 0.0.0.0
no auto-summary
autonomous-system 100
Answer: A
Explanation
The two connected S0/0 interfaces are in VRF Yellow, so we have to put the static route into
this VRF too. It should be "ip route vrf Yellow 209.165.202.129 255.255.255.224 null0".
Question 36
A. MP-BGP
B. DMVPN
C. MPLS
D. VRF-Lite
Answer: D
Question 41
A. 802.1q
B. NAT
C. VRF-Lite
D. IS-IS
Answer: A
Explanation
An EVN trunk is allowed on any interface that supports 802.1q encapsulation, such as Fast
Ethernet, Gigabit Ethernet, and port channels.
If an EVN trunk is configured on an interface, you cannot configure VRF-Lite on the same
interface.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html
Question 54
A network engineer is unable to make VRF lite EIGRP adjacency work. There is nothing
wrong with communication between R1 and R2. What command will eliminate the issue
when executed on both routers?
A. (config-router-af)#autonomous-system 100
B. (config)#ip-multicast-routing
C. (config-vrf)#route-target both 100:1
D. (config-router-af)#network 209.165.202.128 0.0.0.31
Answer: A
Explanation
To configure the autonomous-system number for EIGRP to run within a VPN routing and
forwarding (VRF) instance, use the "autonomous-system" command in address-family
configuration mode. In particular:
Question 65
Explanation
Path isolation can be achieved by using a unique tag for each Virtual Network (VN) ->
Answer A is correct.
Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q
is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a
VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged
packets carrying the VLAN ID are not EVN packets and could be transported over the same
trunk interfaces -> Answer E is correct.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-
vpns-l3vpn/whitepaper_c11-638769.html
Question 85
What is the primary service that is provided when you implement Cisco Easy Virtual
Network?
Answer: C
Question 105
Which condition must be met before two EVN devices can connect?
A. An EtherChannel must be configured with at least two interfaces connected between the
devices
B. A fiber connection must be established between the devices.
C. One VLAN interface must be configured between the devices.
D. A trunk interface must be configured between the devices.
Answer: D
Question 121
Where does EVN mark the traffic to separate different users?
A. On the edge interface, with VNET tag
B. On the edge, with 802.1Q
C. On the trunk, with VNET tag
D. On the trunk, with 802.1Q
Answer: C
Question 135
Answer: C E
Explanation
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-
vpns-l3vpn/whitepaper_c11-638769.html
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html
According to this Cisco document, EVN supports up to 32 VNs, and EVN supports both SM
and SSM modes:
Answer E should be understood like this: different VRFs may have the same configuration
(such as IP addresses, interfaces, AS numbers…).
Question 147
A. IS-IS
B. ODR
C. EIGRP
D. IGRP
Answer: C
Explanation
Question 171
A customer asks its service provider for VPN support for IPv4 and IPv6 address families.
Which command enables a VRF that supports these requirements?
A. Router(config-vrf)#route-target 004:006
B. Router(config-vrf)#rd 004:006
C. Router(config)#ip vrf CUSTOMER
D. Router(config-vrf)#vrf definition CUSTOMER
Answer: D
Explanation
You can now define multiple address families under the same VRF or configure separate
VRFs for each IPv4 or IPv6 address family by entering the vrf definition command. The
command "vrf definition vrf-name" names the VRF and enters VRF configuration mode. An
example of using this command is shown below:
Reference:
https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/ios/software/15_4_1_c
g/vrf_cgr1000.html
Question 179
A. policy-based routing
B. VRF-Lite
C. On-Demand Routing
D. QoS
Answer: B
Explanation
In VRF-Lite, the route distinguisher (RD) identifies the customer routing table and "allows
customers to be assigned overlapping addresses".
Question 181
Answer: C
Explanation
An EVN trunk interface connects VRF-aware routers together and provides the core with a
means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is
used to de-multiplex the packet into the corresponding EVN. A trunk interface has one
subinterface for each EVN. The vnet trunk command is used to define an interface as an
EVN trunk interface.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html
Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual
router instances, and both technologies allow routes from one VRF to be selectively leaked to
other VRFs. However, a major difference is the way that two physical routers interconnect.
With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF.
However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies
configuration.
Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
Question 187
Answer: A
Explanation
The route distinguisher (RD) is used to keep all prefixes in the BGP table unique so that we
can use same subnets for different VRFs/VPNs. An example of RD is shown below:
ip vrf CustomerA
rd 65000:1
!
ip vrf CustomerB
rd 65000:2
Note: There is another question asking about the role of a route target (RT) and the answer is
B so please be careful and read the question well.
Question 199
Which statement is true about an edge interface in relation to the Cisco Easy Virtual
Network?
Answer: C
Explanation
An edge interface connects a user device to the EVN and in effect defines the boundary of the
EVN. Edge interfaces connect end devices such as hosts and servers that are not VRF-aware.
Traffic carried over the edge interface is untagged. The edge interface classifies which EVN
the received traffic belongs to. Each edge interface is configured to belong to only one EVN.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html#GUID-D8133186-33B5-4244-AAFD-60F5FEC38CEF
Answer: C E
Explanation
With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple
VRFs) between two routers you need to create a subinterface for each VRF on each router ->
VRF-Lite requires subinterfaces. However, with Cisco EVN, you instead create a trunk
(called a Virtual Network (VNET) trunk) between the routers. Then, traffic for multiple
virtual networks can travel over that single trunk interface, which uses tags to identify the
virtual networks to which packets belong.
Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual
router instances, and both technologies allow routes from one VRF to be selectively leaked to
other VRFs. However, a major difference is the way that two physical routers interconnect.
With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF.
However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies
configuration.
Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
All EVNs within a trunk interface share the same IP infrastructure as they are on the same
physical interface -> Answer C is correct.
With EVNs, a trunk interface is shared among VRFs so each command configured under this
trunk is applied by all EVNs -> Answer E is correct.
Which three benefits does the Cisco Easy Virtual Network provide to an enterprise network?
(Choose three)
Answer: A B C
Explanation
EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN
provides enhancements in path isolation, simplified configuration and management, and
improved shared service support.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html
Maybe the “improved shared services support” term here refers to the support for sharing
between different VRFs (through route-target, MP-BGP).
Question 234 (posted at Q.31 of http://www.digitaltut.com/new-route-questions-part-4)
What is VRF-lite?
Answer: A
Question 10
Which CLI command can you enter to permit or deny IPv6 traffic travelling through an
interface?
A. access-list
B. access-group
C. ipv6 access-class
D. ipv6 traffic-filter
Answer: D
Explanation
The command “ipv6 traffic-filter access-list-name { in | out }” applies the access list to
incoming or outgoing traffic on the interface.
Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swv6acl.html
Question 24
Which two technologies can encapsulate an IPv6 payload in an IPv4 packet for transmission
across a network? (Choose two)
A. L2TPv3
B. trunking
C. AToM
D. ISATAP
E. NAT-PT
Answer: D E
Explanation
The Network Address Translator – Protocol Translator (NAT-PT) defines a set of network-
layer translation mechanisms designed to allow nodes that only support IPv4 to communicate
with nodes that only support IPv6 during the transition to the use of IPv6 in the Internet.
NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the
boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4
and an IPv6 network, all IPv4 users are given access to the IPv6 network without modification
of the local IPv4 hosts (and vice versa). Equally, all hosts on the IPv6 network are given
access to the IPv4 hosts without modification of the local IPv6 hosts. This is accomplished
with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions
are initiated across IPv4-IPv6 boundaries.
Question 25
When a packet is denied by an IPv6 traffic filter, which additional action does the device
perform?
A. It scans the rest of the ACL for a permit entry matching the destination
B. It generates a TCP Fin bit and sends it to the source.
C. It creates a null route for the destination and adds it to the route table
D. It generates an ICMP unreachable message for the frame.
Answer: D
Explanation
If an IPv6 router ACL is configured to deny a packet, the packet is dropped. A copy of the
packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP
unreachable message for the frame.
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swv6acl.html
Question 48
Which two options are components of a dual stack? (Choose two)
A. EIGRP
B. OSPF
C. IPv6 traffic
D. IPv4 traffic
E. Layer 3 switch
F. Layer 2 switch
Answer: C D
Question 56
What are two limitations when using NPTv6 for IPv6-to-IPv6 address translation?
(Choose two)
Answer: C F
Explanation
Question 62
Which two statements about 6to4 tunneling are accurate? (Choose two)
Explanation
A 6to4 tunnel is a technique which relies on the reserved address space 2002::/16 (you must
remember this range). These tunnels determine the appropriate destination address by
combining the IPv6 prefix with the globally unique IPv4 address of the destination 6to4 border
router, beginning with the 2002::/16 prefix, in this format:
2002:border-router-IPv4-address::/48
Because the border-router-IPv4-address is added, we will have a /48 prefix (we all know an
IPv4 address consists of 32 bits). An example of a 6to4 address with the border-router-IPv4-
address of 192.168.1.2 is 2002:C0A8:01:02::/48.
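To make the 6to4 derivation concrete, here is an added Python example (not part of the original question set or of any Cisco documentation) that builds the /48 from a border router's IPv4 address by packing the four octets into two 16-bit hextets, recovers the embedded IPv4 address from any address in the prefix, and flags 6to4 prefixes whose embedded IPv4 address is not globally unique, which is the case for the 192.168.1.2 used above. The 1.2.3.4 address used for comparison is a constructed sample value.

```python
import ipaddress
from typing import Optional

# Reserved 6to4 prefix (RFC 3056); every 6to4 site prefix lives inside it.
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(border_router_ipv4: str) -> ipaddress.IPv6Network:
    """Derive the /48 a 6to4 site gets from its border router's IPv4 address.

    The 32-bit IPv4 address is placed directly after the 16-bit 2002 prefix,
    so it fills bits 16..47 of the address: two full 16-bit hextets.
    """
    v4 = int(ipaddress.IPv4Address(border_router_ipv4))
    # 128 - 48 = 80 bits of host/subnet space remain to the right of the IPv4 bits.
    prefix = (0x2002 << 112) | (v4 << 80)
    return ipaddress.IPv6Network((prefix, 48))


def sixto4_embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the border router's IPv4 address from any address in a 6to4 /48.

    Returns None when the address is outside 2002::/16, i.e. not a 6to4 address.
    """
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def sixto4_is_usable(addr: str) -> bool:
    """A 6to4 prefix is only reachable across the IPv4 Internet when the embedded
    IPv4 address is globally unique. Prefixes built from private (RFC 1918),
    loopback or otherwise non-global IPv4 addresses cannot be relayed and are
    worth dropping at the network edge."""
    v4 = sixto4_embedded_ipv4(addr)
    return v4 is not None and v4.is_global


if __name__ == "__main__":
    for router in ("192.168.1.2", "1.2.3.4"):   # constructed sample addresses
        site = sixto4_prefix(router)
        print(router, "->", site, "usable:", sixto4_is_usable(str(site.network_address)))
```

Run it and the private 192.168.1.2 yields 2002:c0a8:102::/48 (hextets c0a8 and 0102) but is reported as not usable, while the constructed public address yields a prefix that can actually be relayed.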
Question 88
The Neighbor Discovery Protocol in IPv6 is replaced with which discovery protocol in IPv4?
A. ARP
B. ICMP
C. UDP
D. TCP
E. RFC
Answer: A
Explanation
Note: This question asks about the IPv4 discovery protocol, not IPv6. So the correct answer is
ARP.
Just for your information, the IPv6 neighbor discovery process uses Internet Control Message
Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer
address of a neighbor on the same network (local link), verify the reachability of a neighbor,
and track neighboring devices.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-
2mt/ip6-15-2mt-book/ip6-neighb-disc.html
-> Neighbor Discovery Protocol in IPv6 does not use ARP any more.
Question 159
Considering the IPv6 address independence requirements, which process do you avoid when
you use NPTv6 for translation?
A. rewriting of higher layer information
B. checksum verification
C. ipv6 duplication and conservation
D. IPSEC AH header modification
Answer: A
Question 196
Company is deploying a multicast application that must be accessible between sites, but must
not be accessible outside of the organization. Based on the scoping requirements, the
multicast group address for the application will be allocated out of which range?
A. FF00::/16
B. FF0E::/16
C. FF02::/16
D. FF08::/16
Answer: D
Explanation
All IPv6 multicast addresses begin with FF::/8 – in other words, with FF as the first two hex
digits. But we need to know the differences between these multicast addresses:
FF02::/16 is the IPv6 prefix for link-local multicast, meaning that routers will not forward these
packets outside the local subnet.
FF08::/16 is the IPv6 prefix for organization-local multicast. It is typically used for a multicast
application with users throughout the enterprise. Packets sent to these addresses have an
organization-local scope, meaning that they are forwarded throughout the organization but not
out into the Internet.
FF0E::/16 is the IPv6 prefix for global multicast.
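The scope is carried in the low nibble of the second byte of the multicast address, and a router on a given boundary forwards a group only when its scope is wider than that boundary. The following added Python example (not from the original question set) extracts the flags and scope nibble and makes that forwarding decision for link, site and organization boundaries; the group addresses it is run against are constructed samples.

```python
import ipaddress

# Scope values carried in the low nibble of the second byte of an FF00::/8 address (RFC 4291).
SCOPE_NAMES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

# Scope value of the boundary a router sits on; only wider scopes may cross it.
BOUNDARY_SCOPE = {"link": 0x2, "site": 0x5, "organization": 0x8}


def multicast_scope(addr: str) -> dict:
    """Return the scope nibble, its name and the T (transient) flag of a multicast address."""
    v6 = ipaddress.IPv6Address(addr)
    if not v6.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    second_byte = v6.packed[1]          # the byte right after the leading 0xFF
    flags, scope = second_byte >> 4, second_byte & 0x0F
    return {
        "scope": scope,
        "name": SCOPE_NAMES.get(scope, f"reserved/unassigned ({scope:#x})"),
        "transient": bool(flags & 0x1),  # T flag: 1 = dynamically assigned group
    }


def forward_across(addr: str, boundary: str) -> bool:
    """True if a router on the given boundary should forward traffic for this group.

    Scope values increase with reach, so a group crosses a boundary only when its
    scope is numerically larger than the boundary's own scope.
    """
    return multicast_scope(addr)["scope"] > BOUNDARY_SCOPE[boundary]


if __name__ == "__main__":
    for group in ("ff02::1", "ff08::1234", "ff0e::1"):   # constructed sample groups
        info = multicast_scope(group)
        print(group, info["name"],
              "crosses org boundary:", forward_across(group, "organization"))
```

An organization-local group such as ff08::1234 is forwarded by site-boundary routers but stopped at the organization boundary, which is exactly the scoping the question asks for.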
Which statement about stateless and stateful IPv6 autoconfiguration are true?
Explanation
Stateful autoconfiguration is the IPv6 equivalent of DHCP. A new protocol, called DHCPv6
(and based closely on DHCP), is used to pass out addressing and service information in the
same way that DHCP is used in IPv4. This is called “stateful” because the DHCP server and
the client must both maintain state information to keep addresses from conflicting, to handle
leases, and to renew addresses over time.
Question 7 (https://www.digitaltut.com/ipv6-questions)
A network engineer executes the “ipv6 flowset” command. What is the result?
Answer: A
Explanation
The command “ipv6 flowset” allows the device to track destinations to which the device has
sent packets that are 1280 bytes or larger.
Question 11 (https://www.digitaltut.com/ipv6-questions-2-2)
The enterprise network WAN link has been receiving several denial of service attacks from
both IPv4 and IPv6 sources. Which three elements can you use to identify an IPv6 packet via
its header, in order to filter future attacks? (Choose three)
A. Traffic Class
B. Source address
C. Flow Label
D. Hop Limit
E. Destination Address
F. Fragment Offset
Answer: A C D
Explanation
The Traffic Class field (8 bits) is where quality of service (QoS) marking for Layer 3 can be
identified. In a nutshell, the higher the value of this field, the more important the packet. Your
Cisco routers (and some switches) can be configured to read this value and send a high-
priority packet sooner than other lower ones during times of congestion. This is very
important for some applications, especially VoIP.
The Flow Label field (20 bits) was originally created to give real-time applications special
service. When set to a non-zero value, the flow label now serves as a hint to routers and
switches with multiple outbound paths that these packets should stay on the same path so that
they will not be reordered. It has further been suggested that the flow label be used to help
detect spoofed packets.
The Hop Limit field (8 bits) is similar to the Time to Live field in the IPv4 packet header.
The value of the Hop Limit field specifies the maximum number of routers that an IPv6
packet can pass through before the packet is considered invalid. Each router decrements the
value by one. Because no checksum is in the IPv6 header, the router can decrease the value
without needing to recalculate the checksum, which saves processing resources.
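The three fields are all in the first 8 bytes of the fixed 40-byte IPv6 header, so a filter can read them without touching any extension header. The added Python example below (not from the original question set) builds and parses that fixed header with the standard library only and applies a simple match on Traffic Class, Flow Label and Hop Limit; the addresses and field values are constructed samples, and "no next header" (59) is used because the payload is dummy data.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40
NO_NEXT_HEADER = 59   # IPv6 "no next header" value, used here because the payload is dummy data


def build_ipv6_header(src: str, dst: str, payload: bytes = b"", *, traffic_class: int = 0,
                      flow_label: int = 0, next_header: int = NO_NEXT_HEADER,
                      hop_limit: int = 64) -> bytes:
    """Build a fixed IPv6 header followed by the payload (no extension headers)."""
    if not 0 <= traffic_class <= 0xFF or not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("traffic class is 8 bits, flow label is 20 bits")
    # First 32-bit word: version (4) | traffic class (8) | flow label (20)
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    fixed = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the 40-byte fixed header; raises on truncated or non-IPv6 input."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    traffic_class = (first_word >> 20) & 0xFF
    return {
        "traffic_class": traffic_class,
        "dscp": traffic_class >> 2,        # upper 6 bits carry the DSCP marking
        "ecn": traffic_class & 0x3,        # lower 2 bits are ECN
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def matches_filter(hdr: dict, *, traffic_class=None, flow_label=None,
                   hop_limit_below=None) -> bool:
    """True when the parsed header satisfies every condition given (None = don't care).

    hop_limit_below matches packets whose Hop Limit is under the given value, the
    kind of check used to spot packets that have already crossed many routers.
    """
    if traffic_class is not None and hdr["traffic_class"] != traffic_class:
        return False
    if flow_label is not None and hdr["flow_label"] != flow_label:
        return False
    if hop_limit_below is not None and hdr["hop_limit"] >= hop_limit_below:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: EF-marked (DSCP 46) UDP packet with a non-zero flow label.
    pkt = build_ipv6_header("2001:db8::1", "2001:db8::2", b"abc",
                            traffic_class=0xB8, flow_label=0x12345,
                            next_header=17, hop_limit=255)
    hdr = parse_ipv6_header(pkt)
    print(hdr)
    print("matches:", matches_filter(hdr, traffic_class=0xB8, flow_label=0x12345))
```

Because the IPv6 header has no checksum, the parser does no recomputation when a field like Hop Limit changes, matching the point made above.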
Question 52
Answer: B F
Explanation
The any option enables a Loose Mode uRPF on the router. This mode allows the router to
reach the source address via any interface.
The rx option enables a Strict Mode uRPF on the router. This mode ensures that the router
reaches the source address only via the interface on which the packet was received.
Which command sequence can you enter on a router to configure Unicast Reverse Path
Forwarding in loose mode?
A. interface GigabitEthernet0/0
ip verify unicast source reachable-via all
B. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose
C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any
D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx
Answer: C
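The difference between the rx and any keywords comes down to what the router does with the FIB lookup on the source address. The added Python model below (not from the original question set or from Cisco) emulates that check over a small constructed FIB: strict mode (rx) requires the best route back to the source to point out the receiving interface, loose mode (any) only requires some route other than one to Null0, and in either mode a default route satisfies the check only when allow-default is set. The interface names and prefixes are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Set, Tuple


class Fib:
    """Tiny forwarding table: (prefix, {outgoing interfaces}) with longest-prefix match."""

    def __init__(self, routes: List[Tuple[str, List[str]]]):
        self.routes = [(ipaddress.ip_network(p), set(ifaces)) for p, ifaces in routes]

    def lookup(self, addr) -> Optional[Tuple[ipaddress.IPv4Network, Set[str]]]:
        best = None
        for net, ifaces in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifaces)
        return best


def urpf_passes(fib: Fib, src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """Emulate 'ip verify unicast source reachable-via {rx | any} [allow-default]'.

    rx  (strict): the best route to the source must leave via the ingress interface.
    any (loose) : any route to the source is enough, except a route to Null0.
    A default route (/0) only counts when allow-default is configured.
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    match = fib.lookup(ipaddress.ip_address(src))
    if match is None:
        return False                       # no route back to the source at all
    net, ifaces = match
    if net.prefixlen == 0 and not allow_default:
        return False                       # only the default route matched
    if mode == "any":
        return any(i != "Null0" for i in ifaces)   # a Null0 route still fails loose mode
    return ingress in ifaces


# Constructed sample FIB for the demo and tests.
SAMPLE_FIB = Fib([
    ("10.0.0.0/8", ["Gi0/1"]),
    ("192.168.0.0/16", ["Gi0/2"]),
    ("198.51.100.0/24", ["Null0"]),     # black-holed prefix
    ("0.0.0.0/0", ["Gi0/0"]),           # default toward the upstream
])


if __name__ == "__main__":
    for src, iface in (("10.1.1.1", "Gi0/2"), ("10.1.1.1", "Gi0/1"), ("172.16.5.5", "Gi0/0")):
        print(src, "in on", iface,
              "strict:", urpf_passes(SAMPLE_FIB, src, iface, "rx"),
              "loose:", urpf_passes(SAMPLE_FIB, src, iface, "any"))
```

Loose mode is what you can deploy on interfaces with asymmetric routing, where strict mode would drop legitimate traffic; the model makes that difference visible on the first sample packet.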
Question 4
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface f1/0
R1(config-ip-sla)#frequency 10
R1(config-ip-sla)#threshold 100
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2
Why is the default route not removed when the SLA state is down or failed?
Answer: D
Explanation
The default route command (at the last line) must include the “track” keyword for the
tracking feature to work.
Question 22
A network engineer wants to baseline the network to determine suitability for real-time voice
applications. Which IP SLA operation is best suited for this task?
A. ICMP-echo
B. ICMP-jitter
C. UDP-connect
D. UDP-jitter
E. TCP-connect
F. UDP-echo
Answer: D
Explanation
The IP SLAs VoIP UDP jitter operation accurately simulates VoIP traffic using common
codecs and calculates consistent voice quality scores (MOS and ICPIF) between Cisco
devices in the network.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-
15-mt-book/sla_udp_jitter_voip.html
Note:
+ UDP jitter: generates UDP traffic and measures round-trip delay, one-way delay, one-
way jitter, one-way packet loss, and overall connectivity.
+ UDP echo: measures round-trip delay for UDP traffic.
There is also a special “UDP jitter for VoIP” operation which can simulate various codecs and
produces voice quality scores (MOS and ICPIF).
Question 71
Refer to exhibit. Which two reasons for IP SLA tracking failure are likely true? (Choose two)
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#threshold 500
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2
R1(config)#ip route 0.0.0.0 0.0.0.0 172.30.30.2 5
A. The source-interface is configured incorrectly
B. The destination must be 172.30.30.2 for icmp-echo
C. A route back to the R1 LAN network is missing in R2
D. The default route has wrong next hop IP address
E. The threshold value is wrong
Answer: C E
Explanation
There is no problem with Fa0/0 as the source interface, as we want to check the ping from
the LAN interface -> A is not correct.
Answer B is not correct as we must track the destination of the primary link, not the backup link.
In this question, R1 pings R2 via its LAN Fa0/0 interface, so maybe R2 (which is an ISP) will
not know how to reply back, as an ISP usually does not configure a route to a customer's
LAN -> C is correct.
For answer E, we need to understand how timeout and threshold are defined:
Timeout (in milliseconds) sets the amount of time an IP SLAs operation waits for a response
to its request packet. In other words, the timeout specifies how long the router should wait
for a response to its ping before the probe is considered failed. Threshold (also in milliseconds)
sets the upper threshold value for calculating network monitoring statistics created by an IP SLAs
operation. The threshold is used to activate a response to an IP SLA violation, e.g. sending an
SNMP trap or starting a secondary SLA operation. In other words, the threshold value is only
used to indicate over-threshold events, which do not affect reachability but may be used to
evaluate the proper settings for the timeout command.
For reachability tracking, if the return code is OK or OverThreshold, reachability is up; if not
OK, reachability is down.
Therefore in this question we are using “reachability” tracking (via the command “track 10
ip sla 1 reachability”), so the threshold value is not important and can be ignored -> Answer E is
correct. In fact, answer E is not wrong but it is the best option left.
This tutorial can help you revise IP SLA tracking topic: http://www.firewall.cx/cisco-
technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html and
http://www.ciscozine.com/using-ip-sla-to-change-routing/
Note: Maybe some of us will wonder why there are these two commands:
are different. These two static routes can co-exist in the routing table. Therefore if the
tracking goes down, the first command will be removed but the second one still exists and the
backup path is not preferred. So we have to remove the second one.
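The two points above, that threshold never affects reachability while timeout does, and that an untracked copy of the primary default route silently defeats the floating static, are easy to check in code. The following added Python model (not from the original question set or from Cisco IOS) classifies a single icmp-echo probe into the return codes the page names, derives the reachability track state from it, and selects which default route is installed from a list of candidates; the route lists mirror the exhibit of Question 71 and the RTT values are constructed samples.

```python
from typing import Dict, List, Optional


def sla_return_code(rtt_ms: Optional[int], timeout_ms: int, threshold_ms: int) -> str:
    """Classify one icmp-echo probe. rtt_ms=None means no reply arrived at all."""
    if rtt_ms is None or rtt_ms > timeout_ms:
        return "Timeout"              # no reply inside the timeout: the probe failed
    if rtt_ms > threshold_ms:
        return "OverThreshold"        # reply arrived, but slower than the threshold
    return "OK"


def reachability_up(return_code: str) -> bool:
    """'track N ip sla M reachability' is up for OK or OverThreshold, down otherwise."""
    return return_code in ("OK", "OverThreshold")


def installed_default_route(routes: List[Dict], track_up: bool) -> Optional[str]:
    """Pick the default route that ends up in the routing table.

    routes: candidate static defaults as dicts with next_hop, distance and track
    (None for an untracked route). A tracked route is a candidate only while its
    track object is up; among candidates the lowest administrative distance wins.
    """
    candidates = [r for r in routes if r["track"] is None or track_up]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r["distance"])["next_hop"]


# Candidate routes modelled on the exhibit: a tracked primary (AD 1) and a floating backup (AD 5).
PRIMARY_AND_BACKUP = [
    {"next_hop": "172.20.20.2", "distance": 1, "track": 10},
    {"next_hop": "172.30.30.2", "distance": 5, "track": None},
]

# Same, but the original untracked route to 172.20.20.2 was never removed.
WITH_STALE_UNTRACKED = PRIMARY_AND_BACKUP + [
    {"next_hop": "172.20.20.2", "distance": 1, "track": None},
]


if __name__ == "__main__":
    # Constructed probe results with timeout 5000 ms and threshold 500 ms as in the exhibit.
    for rtt in (40, 700, None):
        code = sla_return_code(rtt, timeout_ms=5000, threshold_ms=500)
        up = reachability_up(code)
        print(f"rtt={rtt}: {code}, track up={up}, "
              f"fixed config -> {installed_default_route(PRIMARY_AND_BACKUP, up)}, "
              f"stale route left -> {installed_default_route(WITH_STALE_UNTRACKED, up)}")
```

With the stale untracked route present, the backup via 172.30.30.2 is never installed even when the track goes down, which is why the "no ip route 0.0.0.0 0.0.0.0 172.20.20.2" command is needed.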
Question 74a
Which IP SLA operation can be used to measure round-trip delay for the full path and hop-
by-hop round-trip delay on the network?
A. HTTP
B. ICMP path echo
C. TCP connect
D. ICMP echo
Answer: B
Explanation
Round-trip time (RTT), also called round-trip delay, is the time required for a packet to travel
from a specific source to a specific destination and back again.
An ICMP Path Echo operation measures end-to-end (full path) and hop-by-hop response
time (round-trip delay) between a Cisco router and devices using IP. ICMP Path Echo is
useful for determining network availability and for troubleshooting network connectivity
issues.
Note: ICMP Echo only measures round-trip delay for the full path.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/xe-3s/sla-
xe-3s-book/sla_icmp_pathecho.html
Question 74b
A network engineer wants to monitor hop by hop response time on the network. Which IP
SLA operation accomplishes this task?
A. UDP echo
B. ICMP echo
C. ICMP path jitter
D. ICMP path echo
Answer: D
Question 75
Which three IP SLA performance metrics can you use to monitor enterprise-class networks?
(Choose three)
A. Packet loss
B. Delay
C. bandwidth
D. Connectivity
E. Reliability
F. traps
Answer: A B D
Explanation
Depending on the specific Cisco IOS IP SLAs operation, statistics of delay, packet loss,
jitter, packet sequence, connectivity, path, server response time, and download time are
monitored within the Cisco device and stored in both CLI and SNMP MIBs.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsoverv.ht
ml
Question 83
Which three items can you track when you use two time stamps with IP SLAs? (Choose
three)
A. delay
B. jitter
C. packet loss
D. load
E. throughput
F. path
Answer: A B C
Explanation
When enabled, the IP SLAs Responder allows the target device to take two time stamps both
when the packet arrives on the interface at interrupt level and again just as it is leaving,
eliminating the processing time. At times of high network activity, an ICMP ping test often
shows a long and inaccurate response time, while an IP SLAs test shows an accurate response
time due to the time stamping on the responder.
An additional benefit of the two time stamps at the target device is the ability to track
one-way delay, jitter, and directional packet loss. Because much network behavior is
asynchronous, it is critical to have these statistics. However, to capture one-way delay
measurements the configuration of both the source device and target device with Network
Time Protocol (NTP) is required. Both the source and target need to be synchronized to the
same clock source. One-way jitter measurements do not require clock synchronization.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-
15-mt-book/sla_overview.html
Question 97
Which feature can be used to reduce the number of ICMP unreachable messages egressing a
router?
A. uRPF
B. ICMP rate-limiting
C. ip unreachables command
D. Asymmetric routing
Answer: B
Question 145
Which LAN feature enables a default gateway to inform its end device?
A. HSRP
B. proxy ARP
C. ICMP redirects
D. ICMP unreachable messages
Answer: C
Explanation
An ICMP redirect is an error message sent by a router to the sender of an IP packet. Redirects
are used when a router believes a packet is being routed suboptimally and it would like to
inform the sending host that it should forward subsequent packets to that same destination
through a different gateway. In theory a host with multiple gateways could have one default
route and learn more optimal specific routes over time by way of ICMP redirects.
Question 152
Which IP SLA operation can be used to simulate voice traffic on a network?
A. TCP connect
B. UDP-jitter
C. ICMP-echo
D. ICMP-jitter
Answer: B
Explanation
The IP SLAs VoIP UDP jitter operation accurately simulates VoIP traffic using common
codecs and calculates consistent voice quality scores (MOS and ICPIF) between Cisco
devices in the network.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-s/sla-
15-s-book/sla_udp_jitter_voip.pdf
Question 162
Which location within the network is preferred when using a dedicated router for Cisco IP
SLA operations?
A. user edge
B. provider edge
C. access edge
D. distribution edge
Answer: B
Explanation
If there are thousands of test destinations being sourced from the router, then a “dedicated
router” or “shadow router” may be the best choice for deployment. A dedicated router is
simply a low-end router dedicated to sourcing Cisco IOS IP SLAs operations.
Dedicated routers are most appropriate when the deployment plan calls for the operations to
be sourced from the edge of the core network (i.e. the Provider Edge [PE]) location in a
Service Provider network. The Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800 and 7200
Series Routers are frequently used as dedicated routers.
Reference:
https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper090
0aecd8017f8c9.html
Question 180
Which two statements about ICMP unreachable messages are true? (Choose two)
A. They are sent when a route to the destination is missing from the routing table
B. They can be enabled and disabled on a device only on a global level
C. They are sent when a destination address responds to an ARP request
D. They include the entire packet so that the source can identify the process that generated
the message
E. They include a portion of the original data so that the source can identify the process that
generated the message
Answer: A E
Explanation
ICMP unreachables are responses sent by a router/host/switch whenever the destination host
address, protocol, or destination network is not listed in the forwarding table
(FIB) or not served by the device.
Answer C is not correct as ICMP unreachable messages are only generated when the
destination address/service is missing.
The IP header plus the first 8 bytes of the original datagram's data is returned to the sender.
This data is used by the host to match the message to the appropriate process. If a higher level
protocol uses port numbers, they are assumed to be in the first 64 data bits of the original
datagram's data -> Answer E is correct.
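Those first 8 bytes are exactly where the TCP or UDP source and destination ports sit, which is what lets the receiving host map the error back to a socket. The added Python example below (not from the original question set) builds an ICMP destination unreachable message around a constructed UDP datagram, quoting the IP header plus 8 bytes as the text describes, and parses such a message back to the original addresses and ports while verifying the ICMP checksum. All addresses, ports and payload bytes are constructed sample values.

```python
import ipaddress
import struct

ICMP_DEST_UNREACHABLE = 3
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                     3: "port unreachable", 13: "administratively prohibited"}


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (IP checksum left at zero; not needed for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def sample_datagram() -> bytes:
    """Constructed sample: a UDP datagram from 10.1.1.5:51000 to 192.0.2.10:53."""
    data = b"\x12\x34\x01\x00\x00\x01\x00\x00"                 # 8 bytes of dummy payload
    udp = struct.pack("!HHHH", 51000, 53, 8 + len(data), 0) + data
    return ipv4_header("10.1.1.5", "192.0.2.10", 17, len(udp)) + udp


def build_dest_unreachable(code: int, original_datagram: bytes) -> bytes:
    """ICMP type 3: quote the original IP header plus the first 8 bytes of its data."""
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted = original_datagram[:ihl + 8]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + quoted
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, inet_checksum(body), 0) + quoted


def parse_dest_unreachable(msg: bytes) -> dict:
    """Recover what the original sender needs to match the error to a local socket."""
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ICMP_DEST_UNREACHABLE:
        raise ValueError("not an ICMP destination unreachable message")
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    sport = dport = None
    if proto in (6, 17) and len(quoted) >= ihl + 4:      # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "code": code,
        "reason": UNREACHABLE_CODES.get(code, "other"),
        "checksum_ok": inet_checksum(msg) == 0,           # a valid message sums to zero
        "protocol": proto,
        "orig_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "orig_sport": sport,
        "orig_dport": dport,
        "quoted_bytes": len(quoted),
    }


if __name__ == "__main__":
    msg = build_dest_unreachable(1, sample_datagram())
    print(parse_dest_unreachable(msg))
```

The parsed result is what a host's IP stack uses to hand the error to the process that owns source port 51000; a message whose checksum does not verify, or whose quoted ports match no local socket, should simply be ignored.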
Question 193
Answer: D
Explanation
ICMP redirect messages are used by routers to notify the hosts on the data link that a better
route is available for a particular destination.
Cisco routers send ICMP redirects when all of these conditions are met:
+ The interface on which the packet comes into the router is the same interface on which the
packet gets routed out -> Answer D is correct.
+ The subnet or network of the source IP address is on the same subnet or network of the
next-hop IP address of the routed packet.
+ The datagram is not source-routed.
+ The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects.
The interface subcommand no ip redirects can be used to disable ICMP redirects.)
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13714-43.html
Question 193b
Answer: A
ICMP redirect messages are used by routers to notify the hosts on the data link that a better
route is available for a particular destination.
Cisco routers send ICMP redirects when all of these conditions are met:
+ The interface on which the packet comes into the router is the same interface on which the
packet gets routed out.
+ The subnet or network of the source IP address is on the same subnet or network of the
next-hop IP address of the routed packet (-> Answer A is correct)
+ The datagram is not source-routed.
+ The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects.
The interface subcommand no ip redirects can be used to disable ICMP redirects.)
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13714-43.html
Which two types of threshold can you configure for tracking objects? (Choose two)
A. percentage
B. MTU
C. bandwidth
D. weight
E. delay
F. administrative distance
Answer: A D
Explanation
You can configure a tracked list of objects with a Boolean expression, a weight threshold, or
a percentage threshold.
If object 1, and object 2 are down, then track list 1 is up, because object 3 satisfies the up
threshold value of up 30. But, if object 3 is down, both objects 1 and 2 must be up in order to
satisfy the threshold weight.
This configuration can be useful if object 1 and object 2 represent two small bandwidth
connections and object 3 represents one large bandwidth connection. The configured down
10 value means that once the tracked object is up, it will not go down until the threshold
value is equal to or lower than 10, which in this example means that all connections are
down.
The example below configures tracked list 2 with three objects and specified percentages
to measure the state of the list with an up threshold of 70 percent and a down threshold of 30
percent:
This means as long as 51% or more of the objects are up, the list will be considered “up”. So
in this case if two objects are up, track 2 is considered “up”.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/blades/3020/software/release/12-
2_58_se/configuration/guide/3020_scg/swhsrp.pdf
Which type of information is displayed when a network engineer executes the show track 1
command on the router?
A. information about tracking list 1
B. time to next poll for track object 1
C. information about the IP route track table
D. tracking information statistics
Answer: A
A network engineer wants to notify a manager in the event that the IP SLA connection loss
threshold is reached. Which two features are needed to implement this functionality? (Choose
two)
A. MOS
B. Threshold action
C. Cisco IOS EEM
D. SNMP traps
E. logging local
Answer: B D
Explanation
IP SLAs reactions are configured to trigger when a monitored value exceeds or falls below a
specified level or when a monitored event, such as a timeout or connection loss, occurs. If a
measured value is too high or too low for any configured reaction, IP SLAs can generate a
notification (in the form of an SNMP trap) to a network management application or trigger
another IP SLA operation to gather more data.
Cisco IOS IP SLAs can send SNMP traps that are triggered by events such as the following:
+ Connection loss
+ Timeout
+ Round-trip time threshold
+ Average jitter threshold
+ One-way packet loss
+ One-way jitter
+ One-way mean opinion score (MOS)
+ One-way latency
================= SNMP Questions =================
Question 6
A. threshold
B. frequency
C. verify-data
D. timeout
Answer: A
Question 15
Answer: B C D
Explanation
The SNMP Manager can send GET, GET-NEXT and SET messages to SNMP Agents. The
Agents are the monitored devices while the Manager is the monitoring device. In the picture
below, the Router, Server and Multilayer Switch are monitored devices.
Question 19
A. authMember
B. noAuthNoPriv
C. authNoPriv
D. authPriv
Answer: D
Explanation
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guid
e/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html
Question 20
A. the mask of the files that are allowed to use community string public
B. the standard named access list 16, which contains the access rules that apply to user abcd
C. the number of concurrent users who are allowed to query the SNMP community
D. the user ID that is allowed to use the community string public
Answer: B
Question 50
A. authMember
B. noAuthNoPriv
C. authNoPriv
D. authPriv
Answer: D
Explanation
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guid
e/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html
Question 157
A. SNMPV2 noAuthNoPriv
B. SNMPv3 authNoPriv
C. SNMPv3 authPriv
D. SNMPv3 noAuthNoPriv
Answer: C
Explanation
The authentication (auth) and privacy (priv) options are grouped into security models.
Question 169
A. The device sends SNMP traps related to BGP operations to host 192.168.1.128
B. It configures an ACL to protect SNMP managers from receiving BGP traps
C. It configures the device to use string ciscotest for read and write access to any SNMP
manager on the network
D. It configures the device to communicate with other devices in the ciscotest community
using SNMPv3
Answer: A
Which SNMP verification command shows the encryption and authentication protocols that
are used in SNMPv3?
Answer: B
Explanation
The command “show snmp user” displays information about the configured characteristics of
SNMP users. The following example specifies the username as abcd with authentication
method of MD5 and encryption method of 3DES.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t2/snmpv3ae.html
================= Syslog Questions =================
Question 40
logging console 7
Which option is one of the effects of entering this command on a Cisco IOS router, with no
additional logging configuration?
Answer: D
Question 89
A router is connected to a Windows Syslog server which does not function. What is the
reason?
Answer: A
Explanation
A syslog server opens port 514 and listens for incoming syslog event notifications (carried by
UDP packets) generated by remote syslog clients. Therefore if a firewall is blocking
this port the syslog server cannot operate correctly.
A network engineer executes the commands “logging host 172.16.200.225” and “logging trap
5”. Which action results when these two commands are executed together?
A. Logging messages that have a debugging severity level are sent to the remote server
172.16.200.225.
B. Logged information is stored locally, showing the source as 172.16.200.225
C. Logging messages that have any severity level are sent to the remote server
172.16.200.225
D. Logging messages that have a severity level of “notifications” and above (numerically
lower) are sent to the remote server 172.16.200.225
Answer: D
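The severity is embedded in every IOS message as the middle field of %FACILITY-SEVERITY-MNEMONIC, and logging trap selects messages whose number is less than or equal to the configured level. The added Python example below (not from the original question set or from Cisco) parses that field from constructed sample log lines and returns the subset a router would forward to the syslog host for a given trap level, accepting either the numeric or the keyword form of the level. The log lines are constructed for the demo and are not captured router output.

```python
import re
from typing import List, Optional, Union

# Severity keywords accepted by 'logging trap <level>' and their numeric values.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# IOS message format: %FACILITY-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# Constructed sample lines in IOS style (not real captured output).
SAMPLE_LOG = [
    "*Mar  1 00:12:03.110: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:12:04.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:12:30.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.7)",
    "*Mar  1 00:12:41.700: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(4455) -> 10.0.0.1(22), 1 packet",
    "*Mar  1 00:12:42.001: %SYS-7-USERLOG_DEBUG: Message from tty0(user1): test",
]


def ios_severity(line: str) -> Optional[int]:
    """Severity number of an IOS log line, or None if the line is not in IOS format."""
    m = IOS_MSG.search(line)
    return int(m.group("severity")) if m else None


def trap_level(value: Union[int, str]) -> int:
    """Normalise the argument of 'logging trap' (e.g. 5 or 'notifications') to a number."""
    if isinstance(value, int):
        if not 0 <= value <= 7:
            raise ValueError("severity must be 0..7")
        return value
    return SEVERITY[value]


def forwarded_to_host(lines: List[str], level: Union[int, str]) -> List[str]:
    """Lines a router with 'logging trap <level>' would send to its syslog host.

    Lower numbers are more severe, so a message is forwarded when its severity
    is numerically less than or equal to the trap level.
    """
    limit = trap_level(level)
    kept = []
    for line in lines:
        sev = ios_severity(line)
        if sev is not None and sev <= limit:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for line in forwarded_to_host(SAMPLE_LOG, "notifications"):
        print(line)
```

With trap level 5, the informational ACL log entry (severity 6) never reaches the collector, a point worth remembering when you rely on a SIEM to see access-list denies.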
Question 27
A network engineer has configured NTP on a Cisco router, but the time on the router is still
incorrect. What is the reason for this problem?
A. The router is not syncing with the peer, even though the NTP request and response packets
are being exchanged.
B. The router is not syncing with peer, and the NTP request and response packets are not
being exchanged.
C. The router is syncing with the peer, and the NTP request and response packets are being
exchanged.
D. The router is dropping all NTP packets.
Answer: A
Explanation
Peer reachability is a bit string reported as an octal value. This field shows whether the last
eight packets were received by the NTP process on the Cisco IOS software. The packets must
be received, processed, and accepted as valid by the NTP process and not just by the router or
switch that receives the NTP IP packets.
Reach uses the poll interval as a timeout in order to decide whether a packet was received
or not. The poll interval is the time that NTP waits before it concludes that a packet was lost.
The poll time can be different for different peers, so the time before reach decides that a
packet was lost can also be different for different peers.
Reach is a good indicator of whether NTP packets are being dropped because of a poor link,
CPU issues and other intermittent problems.
In our question the “reach” values are all “377”, which indicates the NTP process received
the last eight packets -> Answer A is correct.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-
ntp/116161-trouble-ntp-00.html
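The reach value is an 8-bit shift register: every poll shifts it left one bit and sets the new low bit when the peer's packet was accepted, so reading it tells you not only how many of the last eight polls succeeded but also whether the misses are recent or scattered. The added Python example below (not from the original question set or from Cisco) decodes the octal value shown in show ntp associations into that history and a short diagnosis; the sample values other than 377 are constructed.

```python
from typing import Dict


def decode_reach(reach_octal: str) -> Dict:
    """Decode the 'reach' shift register from 'show ntp associations'.

    Bit 0 (least significant) is the most recent poll, bit 7 the oldest.
    A set bit means the peer's packet was received and accepted by the NTP process.
    """
    value = int(reach_octal, 8)
    if not 0 <= value <= 0o377:
        raise ValueError("reach is an 8-bit register, 0..377 octal")
    newest_first = [(value >> i) & 1 for i in range(8)]
    received = sum(newest_first)

    # Count consecutive misses starting from the most recent poll.
    recent_misses = 0
    for bit in newest_first:
        if bit:
            break
        recent_misses += 1

    if received == 8:
        diagnosis = "reachable: last eight polls received"
    elif received == 0:
        diagnosis = "unreachable: no packets accepted in the last eight polls"
    elif recent_misses >= 2:
        diagnosis = f"degrading: last {recent_misses} polls missed"
    else:
        diagnosis = f"intermittent: {8 - received} of the last eight polls missed"

    return {
        "value": value,
        "received": received,
        "recent_consecutive_misses": recent_misses,
        "history_oldest_first": list(reversed(newest_first)),
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for reach in ("377", "376", "374", "252", "0"):   # 377 from the question; the rest constructed
        info = decode_reach(reach)
        print(reach.rjust(3), info["history_oldest_first"], info["diagnosis"])
```

A peer showing 377 but still not synchronised, as in the question, points at the association itself (stratum, dispersion, authentication) rather than at packet loss, since the register proves the packets are arriving and being accepted.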
Question 37
Which two statements about NTP stratum are true? (Choose two)
Answer: D F
Explanation
Question 58
Answer: C
Explanation
The command “ntp master [stratum]” is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.
The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).
Question 82
A. The router acts as an authoritative NTP clock and allows only 10 NTP client connections.
B. The router acts as an authoritative NTP clock at stratum 10.
C. The router acts as an authoritative NTP clock with a priority number of 10.
D. The router acts as an authoritative NTP clock for 10 minutes only.
Answer: B
Explanation
The command “ntp master [stratum]” is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.
The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).
Refer to exhibit:
Which three NTP features can be deduced on the router? (Choose three)
Answer: A C F
Explanation
First we need to understand some basic knowledge about NTP. There are two types of NTP
messages:
+ Control messages: for reading and writing internal NTP variables and obtain NTP status
information. It is not used for time synchronization so we will not care about them in this
question.
+ Request/Update messages: for time synchronization. Request messages ask for
synchronization information while Update messages contains synchronization information
and may change the local clock.
Four types of NTP access-group exist to control traffic to the NTP service:
+ Peer: controls which remote devices the local device may synchronize with. In other words, it
permits the local router to respond to NTP requests and to accept NTP updates. Control
messages are allowed.
+ Serve: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to reply to NTP requests, but NTP updates from those
devices are dropped. This access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to respond to NTP requests only. This access-group denies
control messages.
+ Query-only: accepts control messages only. No responses to NTP requests are sent, and no
synchronization of the local system time with a remote system is permitted.
The "ntp master 4" indicates it is running as a time source with stratum level 4 -> Answer
B is not correct while answer C is correct.
Answer E is not correct because it can accept time requests from both 192.168.1.1 and
192.168.1.4.
*Note: In fact answer A is incorrect too because the local router can accept time requests
from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is a mistake
in this question.
Which three NTP operating modes must the trusted-key command be configured on for
authentication to operate properly? (Choose three)
A. interface
B. client
C. peer
D. server
E. broadcast
Answer: B D E
Explanation
Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1851440
Which two statements about NTP operation are true? (Choose two)
A. If multiple NTP servers are configured, the one with the lowest stratum is preferred
B. By default, NTP communications use UDP port 123.
C. If multiple NTP servers are configured, the one with the highest stratum is preferred.
D. Locally configured time overrides time received from an NTP server.
E. "Stratum" refers to the number of hops between the NTP client and the NTP server.
Answer: A B
Explanation
The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server
is. When multiple NTP servers are configured, the client will prefer the NTP server with the
lowest stratum level.
Question 2
Which statement describes what this command accomplishes when inside and outside
interfaces are correctly identified for NAT?
A. It allows host 192.168.1.50 to access external websites using TCP port 8080.
B. It allows external clients coming from public IP 209.165.201.1 to connect to a web server
at 192.168.1.50.
C. It allows external clients to connect to a web server hosted on 192.168.1.50.
D. It represents an incorrect NAT configuration because it uses standard TCP ports.
Answer: C
Explanation
First we will not mention the effect of the "extendable" keyword. The purpose of the
command "ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080" is to translate
packets on the inside interface with a source IP address of 192.168.1.50 and port 80 to the IP
address 209.165.201.1 with port 8080. This also implies that any packet received on the
outside interface with a destination address of 209.165.201.1:8080 has the destination
translated to 192.168.1.50:80. Therefore answer C is correct.
Answer A is not correct because this command allows host 192.168.1.50 to access external
websites using TCP port 80, not port 8080.
Answer B is not correct because it allows external clients to connect to a web server at
209.165.201.1. The IP addresses of the clients should not be 209.165.201.1.
Usually, the ―extendable‖ keyword should be added if the same Inside Local is mapped to
different Inside Global Addresses (the IP address of an inside host as it appears to the outside
network). An example of this case is when you have two connections to the Internet on two
ISPs for redundancy. So you will need to map two Inside Global IP addresses into one inside
local IP address. For example:
NAT router:
ip nat inside source static 192.168.1.1 200.1.1.1 extendable
ip nat inside source static 192.168.1.1 200.2.2.2 extendable
//Inside Local: 192.168.1.1 ; Inside Global: 200.1.1.1 & 200.2.2.2
In this case, the traffic from ISP1 and ISP2 to the Server is straightforward as ISP1 will use
200.1.1.1 and ISP2 will use 200.2.2.2 to reach the Server. But how about the traffic from the
Server to the ISPs? In other words, how does NAT router know which IP (200.1.1.1 or
200.2.2.2) it should use to send traffic to ISP1 & ISP2 (this is called "ambiguous from the
inside"). We tested in GNS3 and it worked correctly! So we guess the NAT router compared
the Inside Global addresses with all of the IP addresses of the "ip nat outside" interfaces and
chose the most suitable one to forward traffic.
"They might also want to define static mappings for a particular host using each provider's
address space. The software does not allow two static translations with the same local
address, though, because it is ambiguous from the inside. The router will accept these static
translations and resolve the ambiguity by creating full translations (all addresses and ports) if
the static translations are marked as "extendable". For a new outside-to-inside flow, the
appropriate static entry will act as a template for a full translation. For a new inside-to-outside
flow, the dynamic route-map rules will be used to create a full translation".
(Reference:
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper0918
6a0080091cb9.html)
Question 14
Answer: B
Question 44
A. static NAT
B. dynamic NAT
C. NAT-PT
D. PAT
Answer: D
Question 49
Answer: A C E
Question 59
A. ipv6 nat
B. ipv6 nat enable
C. ipv6 nat-pt
D. ipv6 nat-pt enable
Answer: A
Explanation
The syntax should be: ipv6 nat prefix ipv6-prefix/prefix-length, entered in global configuration
mode (for example: Router(config)# ipv6 nat prefix 2001:DB8::/96)
Question 64
Which functionality is required within an IP router that is situated at the boundary of an IPv4
network and an IPv6 network to allow communication between IPv6-only and IPv4-only
nodes?
A. Autoconfiguration
B. Automatic 6to4 Tunnel
C. Automatic 6to4 Relay
D. Network Address Translator-Protocol Translator (NAT-PT)
E. Intrasite Automatic Tunnel Address Protocol (ISATAP)
Answer: D
Explanation
The Network Address Translator – Protocol Translator (NAT-PT) defines a set of network-
layer translation mechanisms designed to allow nodes that only support IPv4 to communicate
with nodes that only support IPv6, during the transition to the use of IPv6 in the Internet.
NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the
boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4
and IPv6 network, all IPv4 users are given access to the IPv6 network without modification
in the local IPv4-hosts (and vice versa). Equally, all hosts on the IPv6 network are given
access to the IPv4 hosts without modification to the local IPv6-hosts. This is accomplished
with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions
are initiated across IPv4-IPv6 boundaries
Answer: E
Explanation
The ―ip nat allow-static-host‖ command enables static IP address support. Dynamic Address
Resolution Protocol (ARP) learning will be disabled on this interface, and NAT will control
the creation and deletion of ARP entries for the static IP host.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-
4/nat-12-4-book/iadnat-addr-consv.html
Question 136
Answer: B
Explanation
When Stateful NAT64 is configured on an interface, Virtual Fragmentation Reassembly
(VFR) is configured automatically. Virtual fragmentation reassembly (VFR) enables the
Cisco IOS Firewall to create the appropriate dynamic ACLs, thereby, protecting the network
from various fragmentation attacks.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-
3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf
Question 137
What does stateful NAT64 do that stateless NAT64 does not do?
Answer: D
Explanation
Address Family Translation (AFT) using NAT64 technology can be achieved by either
stateless or stateful means:
+ Stateless NAT64 is a translation mechanism for algorithmically mapping IPv6 addresses to
IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it does not maintain
any bindings or session state while performing translation, and it supports both IPv6-
initiated and IPv4-initiated communications.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation. It supports
both IPv6-initiated and IPv4-initiated communications using static or manual mappings.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/white_paper_c11-676278.html
Question 5 (https://www.digitaltut.com/nat-questions)
A. Any packet that is received in the inside interface with a source IP port address of
172.16.10.8:80 is translated to 172.16.10.8:8080.
B. Any packet that is received in the inside interface with a source IP port address of
172.16.10.8:8080 is translated to 172.16.10.8:80.
C. The router accepts only a TCP connection from port 8080 and port 80 on IP address
172.16.10.8.
D. Any packet that is received in the inside interface with a source IP address of 172.16.10.8
is redirected to port 8080 or port 80.
Answer: B
Explanation
This is a static NAT command which translates all the packets received in the inside interface
with a source IP address of 172.16.10.8:8080 to 172.16.10.8:80. The purpose of this NAT
statement is to redirect TCP Traffic to Another TCP Port.
Question 8
What are two options for authenticating a user who is attempting to access a network device?
(Choose two)
A. CHAP
B. RADIUS
C. 802.1x
D. PAP
E. TACACS+
Answer: B E
Question 47
Which keyword of the AAA authentication PPP command supports PAP only?
A. line
B. krb5
C. local
D. local-case
E. enable
Answer: B
Explanation
The krb5 keyword uses Kerberos 5 for authentication, and it can only be used for PAP
authentication: Kerberos needs the cleartext password, which CHAP's challenge/response
exchange never sends.
Question 99
A network access server using TACACS+ for AAA operations receives an error message
from the TACACS+ server. Which action does the network access server take next?
Answer: D
Explanation
The network access server will eventually receive one of the following responses from the
TACACS+ daemon:
a. ACCEPT—The user is authenticated and service may begin. If the network access server is
configured to require authorization, authorization will begin at this time.
b. REJECT—The user has failed to authenticate. The user may be denied further access, or
will be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR—An error occurred at some time during authentication. This can be either at the
daemon or in the network connection between the daemon and the network access server. If
an ERROR response is received, the network access server will typically try to use an
alternative method for authenticating the user.
d. CONTINUE—The user is prompted for additional authentication information.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplu
s.pdf
Question 154
Answer: C
Explanation
Question 165
A user is attempting to authenticate on a device connected to a TACACS+ server, but the
server requires more information from the user to complete authentication. Which response
does the TACACS+ daemon return?
A. ACCEPT
B. ERROR
C. REJECT
D. CONTINUE
Answer: D
Explanation
The network access server will eventually receive one of the following responses from the
TACACS+ daemon:
a. ACCEPT—The user is authenticated and service may begin. If the network access server is
configured to require authorization, authorization will begin at this time.
b. REJECT—The user has failed to authenticate. The user may be denied further access, or
will be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR—An error occurred at some time during authentication. This can be either at the
daemon or in the network connection between the daemon and the network access server. If
an ERROR response is received, the network access server will typically try to use an
alternative method for authenticating the user.
d. CONTINUE—The user is prompted for additional authentication information.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplu
s.pdf
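The four daemon responses listed for Question 99 and Question 165 drive the method-list logic on the network access server: ERROR means the daemon (or the path to it) failed and the next method in the list is tried, REJECT is final and no later method is consulted, and CONTINUE makes the NAS prompt for the extra information and resend it to the same daemon. The following is an added example, not part of the original question bank and not Cisco's code; the daemon and the local database are constructed stand-ins, and the user names, passwords and token values are made up:

```python
from enum import Enum


class Reply(Enum):
    """The four responses a TACACS+ daemon can send back to the NAS."""
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    ERROR = "ERROR"
    CONTINUE = "CONTINUE"


class FakeTacacsDaemon:
    """Constructed stand-in for a TACACS+ server: `users` maps name -> password,
    `tokens` maps name -> token that must be supplied in a CONTINUE round."""
    name = "tacacs+"

    def __init__(self, users, tokens=None, reachable=True):
        self.users, self.tokens, self.reachable = users, tokens or {}, reachable

    def authenticate(self, username, password, extra=None):
        if not self.reachable:
            return Reply.ERROR            # daemon down, or the network between NAS and daemon broke
        if self.users.get(username) != password:
            return Reply.REJECT
        if username in self.tokens:
            if extra is None:
                return Reply.CONTINUE     # ask the NAS to collect additional information
            if extra != self.tokens[username]:
                return Reply.REJECT
        return Reply.ACCEPT


class LocalDatabase:
    """Usernames configured on the device itself; never ERRORs and never asks for more."""
    name = "local"

    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password, extra=None):
        return Reply.ACCEPT if self.users.get(username) == password else Reply.REJECT


MAX_CONTINUE_ROUNDS = 3   # assumption for the example: give up if the user never answers


def nas_login(method_list, username, password, prompt):
    """Walk an AAA method list the way the NAS does.

    ERROR    -> fall through to the next method in the list
    REJECT   -> stop; a rejection is final and later methods are not tried
    CONTINUE -> call prompt() for the extra information and resend to the same method
    ACCEPT   -> success
    Returns (authenticated, name of the method that decided).
    """
    extra = None
    for method in method_list:
        reply = method.authenticate(username, password, extra)
        rounds = 0
        while reply is Reply.CONTINUE and rounds < MAX_CONTINUE_ROUNDS:
            extra = prompt()
            reply = method.authenticate(username, password, extra)
            rounds += 1
        if reply is Reply.ACCEPT:
            return True, method.name
        if reply in (Reply.REJECT, Reply.CONTINUE):   # CONTINUE here = user never answered
            return False, method.name
        # Reply.ERROR: try the next configured method
    return False, None   # every method errored and no "none" fallback was configured


if __name__ == "__main__":
    tac = FakeTacacsDaemon({"alice": "s3cret", "carol": "pw"}, tokens={"carol": "123456"})
    local = LocalDatabase({"bob": "localpw", "alice": "s3cret"})
    print(nas_login([tac, local], "alice", "s3cret", lambda: None))     # (True, 'tacacs+')
    print(nas_login([tac, local], "bob", "localpw", lambda: None))      # (False, 'tacacs+'): REJECT is final
    tac.reachable = False
    print(nas_login([tac, local], "bob", "localpw", lambda: None))      # (True, 'local'): ERROR fell through
```

The security-relevant consequence is the asymmetry between REJECT and ERROR: a user who is known to the local database but rejected by TACACS+ stays rejected, whereas an unreachable daemon silently hands the decision to the next method, so the local fallback accounts deserve the same scrutiny as the TACACS+ ones.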
Question 182
Which two statements about AAA with the local database are true? (Choose two)
Explanation
While authentication can be done on the router for a limited number of user names, it might
make more sense and be much more scalable to use an AAA Server -> B is correct.
Reference:
https://www.cisco.com/c/en/us/td/docs/routers/10000/10008/configuration/guides/broadband/
bba/load.pdf
You can use the local database for CLI access authentication, privileged mode authentication,
command authorization, network access authentication, and VPN authentication and
authorization. You cannot use the local database for network access authorization. The local
database does not support accounting -> C is correct.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_
aaa.pdf
A. telnet
B. SSH
C. Authentication
D. Authorization
E. Accounting
Answer: C D
Explanation
RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to
decouple authentication and authorization.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-
dial-user-service-radius/13838-10.html
Question 68
A network engineer executes the ―show ip cache flow‖ command. Which two types of
information are displayed in the report that is generated? (Choose two)
A. top talkers
B. flow export statistics
C. flow sample for specific protocols
D. MLS flow traffic
E. IP packet distribution
Answer: C E
Explanation
Information provided includes packet size distribution (the answer says "IP packet
distribution" but maybe it is "IP packet size distribution"); basic statistics about number of
flows and export timer setting, a view of the protocol distribution statistics and the NetFlow
cache.
Also we can see the flow samples for TCP and UDP protocols (including Total Flows,
Flows/Sec, Packets/Flow…).
Question 112
A. Core edge
B. Access edge
C. WAN edge
D. Distribution edge
E. User edge
Answer: C
Explanation
NetFlow (network flow) is an input side-measurement technology that allows for capturing
the data required for network planning, monitoring, and accounting applications. NetFlow
should be deployed on edge/aggregation router interfaces for service providers or WAN
access router interfaces for Enterprise customers.
Reference: https://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-
NMS-bestpractice.html
Which two statements about NetFlow templates are true? (Choose two)
Answer: A D
Explanation
The distinguishing feature of the NetFlow Version 9 format is that it is template based ->
Answer A is correct.
Reference:
https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00
800a3db9.html
Export bandwidth increases for version 9 (because of template flowsets) versus version 5 ->
Answer D is correct.
Version 9 slightly decreases overall performance, because generating and maintaining valid
template flowsets requires additional processing -> Answer E is not correct.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfexpfv9.html
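Because Version 9 is template based, a collector cannot decode a data flowset until it has received the template that describes the record layout, and it has to keep that template per exporter (source ID) since template IDs are only unique within one exporter. The following is an added example, not part of the original question bank and not Cisco's code: a minimal NetFlow v9 parser with a template cache, fed a constructed export packet (the addresses, ports and counters in it are made up) that carries one template and two flow records:

```python
import socket
import struct

# NetFlow v9 field types (RFC 3954) used by this example
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
IPV4_FIELDS = {8, 12}
TEMPLATE_FLOWSET_ID = 0
OPTIONS_TEMPLATE_FLOWSET_ID = 1
HEADER = struct.Struct("!HHIIII")   # version, count, sysuptime, unix secs, sequence, source id


def _parse_template_flowset(body, source_id, templates):
    """Cache every template in a flowset-0 body under (source_id, template_id)."""
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + 4 * field_count > len(body):
            raise ValueError("truncated template record")
        templates[(source_id, template_id)] = [
            struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)
        ]
        pos += 4 * field_count


def _decode_records(body, fields):
    """Slice fixed-length records out of a data flowset using the cached template."""
    rec_len = sum(flen for _, flen in fields)
    if rec_len == 0:
        return []
    records = []
    for start in range(0, len(body) - rec_len + 1, rec_len):   # trailing padding is ignored
        rec, pos = {}, start
        for ftype, flen in fields:
            raw = body[pos:pos + flen]
            pos += flen
            name = FIELD_NAMES.get(ftype, f"field_{ftype}")
            rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS and flen == 4 else int.from_bytes(raw, "big")
        records.append(rec)
    return records


def parse_netflow_v9(packet, templates):
    """Decode one export packet; `templates` is the collector's cache and is updated in place.

    Returns (header, records, ids of data flowsets whose template has not been seen yet).
    """
    if len(packet) < HEADER.size:
        raise ValueError("short NetFlow header")
    version, count, uptime, unix_secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "sysuptime_ms": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    records, undecoded, offset = [], [], HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, flowset_len = struct.unpack_from("!HH", packet, offset)
        if flowset_len < 4 or offset + flowset_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + flowset_len]
        if flowset_id == TEMPLATE_FLOWSET_ID:
            _parse_template_flowset(body, source_id, templates)
        elif flowset_id == OPTIONS_TEMPLATE_FLOWSET_ID:
            pass   # options templates are not needed here
        elif flowset_id >= 256:
            fields = templates.get((source_id, flowset_id))
            if fields is None:
                undecoded.append(flowset_id)   # data before its template: nothing to do but wait
            else:
                records.extend(_decode_records(body, fields))
        offset += flowset_len
    return header, records, undecoded


def build_sample_packet(template_first=True):
    """Constructed export packet: template 256 plus a data flowset with two flow records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(tmpl)) + tmpl
    flows = [("10.0.0.5", "192.0.2.10", 51234, 443, 6, 12, 2400),
             ("10.0.0.7", "192.0.2.10", 40001, 23, 6, 3, 180)]
    data = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBII", sp, dp, pr, pk, by)
                    for s, d, sp, dp, pr, pk, by in flows)
    data += b"\x00" * (-len(data) % 4)   # flowsets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    body = template_fs + data_fs if template_first else data_fs + template_fs
    return HEADER.pack(9, 3, 123456, 1700000000, 1, 42) + body
```

Feeding the packet with the data flowset ahead of the template yields no records on the first pass but fills the cache, so the same records decode on the next packet; that is the behaviour a collector sees after an exporter restart, when records can be lost until the template is re-sent.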
Where can NetFlow export data for long term storage and analysis?
A. syslog
B. collector
C. another network device
D. flat file
Answer: B
Explanation
NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and
storing the flows. Usually a collector is a separate software running on a network server.
NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).
Explanation
MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow
exports up to three labels of interest from the incoming label stack, the IP address associated
with the top label, as well as traditional NetFlow data.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf24.html
Refer to the exhibit. How can you configure a second export destination for IP address
192.168.10.1?
configure terminal
ip flow-export destination 192.168.10.1 9991
ip flow-export version 9
Answer: B
Explanation
To configure multiple NetFlow export destinations to a router, use the following commands
in global configuration mode:
The following example enables the exporting of information in NetFlow cache entries:
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html
Question 87
Which two commands would be used to troubleshoot high memory usage for a process?
(Choose two)
Answer: A B
Explanation
Note: In fact the correct command should be "show memory allocating-process totals" (not
"table")
The ―show memory summary‖ command displays a summary of all memory pools and
memory usage per Alloc PC (address of the system call that allocated the block). An example
of the output of this command is shown below:
Legend:
+ Total: the total amount of memory available after the system image loads and builds its
data structures.
+ Used: the amount of memory currently allocated.
+ Free: the amount of memory currently free.
+ Lowest: the lowest amount of free memory recorded by the router since it was last booted.
+ Largest: the largest free memory block currently available.
Note: The show memory allocating-process totals command contains the same information
as the first three lines of the show memory summary command.
An example of a high memory usage problem is a large amount of free memory, but a small
value in the ―Lowest‖ column. In this case, a normal or abnormal event (for example, a large
routing instability) causes the router to use an unusually large amount of processor memory
for a short period of time, during which the memory has run out.
The show memory dead command is only used to view the memory allocated to a process
which has terminated. The memory allocated to this process is reclaimed by the kernel and
returned to the memory pool by the router itself when required. This is the way IOS handles
memory. A memory block is considered as dead if the process which created the block exits
(no longer running).
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf013.h
tml and http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-
121-mainline/6507-mallocfail.html
Question 204
Answer: B
Explanation
When the Conditionally Triggered Debugging feature is enabled, the router generates
debugging messages for packets entering or leaving the router on a specified interface; the
router will not generate debugging output for packets entering or leaving through a different
interface. You can specify the interfaces explicitly. For example, you may only want to see
debugging messages for one interface or subinterface. You can also turn on debugging for all
interfaces that meet specified conditions. This feature is useful on dial access servers, which
have a large number of ports.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcnd
tr.html
Which two debug commands can you use to view issues with CHAP and PAP authentication?
(Choose two)
A. debug tacacs
B. debug ppp authentication
C. debug radius
D. debug aaa authentication
E. debug ppp negotiation
Answer: B E
Question 26
Answer: C
Question 106
Answer: A B E
Explanation
The very cause of flooding is that destination MAC address of the packet is not in the L2
forwarding table of the switch. In this case the packet will be flooded out of all forwarding
ports in its VLAN (except the port it was received on). The case studies below show the most
common reasons for the destination MAC address not being known to the switch.
Question 131
What happens when unicast flood protection is triggered on a VLAN?
Answer: A
Explanation
In short, the unicast flood protection feature allows the switch to monitor the amount of unicast
flooding per VLAN and take a specified action if flooding exceeds a specified amount. The action
can be to syslog, to limit, or to shut down the VLAN; syslog is the most useful for flood
detection.
Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-
switches/23563-143.html
Question 140
Which adverse event can occur as a consequence of asymmetric routing on the network?
Answer: D
Explanation
The very cause of unicast flooding is that destination MAC address of the packet is not in the
L2 forwarding table of the switch. In this case the packet will be flooded out of all forwarding
ports in its VLAN (except the port it was received on). The case studies below show the most
common reasons for the destination MAC address not being known to the switch.
A. Configure HSRP on two routers, with one subnet preferred on the first router and a
different subnet preferred on the second router
B. Set the router's ARP timeout value to be the same as the timeout value for Layer 2
forwarding table entries
C. Set the router's ARP timeout value to greater than the timeout value for Layer 2
forwarding table entries
D. Set the router's ARP timeout value to less than the timeout value for Layer 2 forwarding table
entries
Answer: B
Explanation
There are different approaches to limit the flooding caused by asymmetric routing. The
approach is normally to bring the router's ARP timeout and the switches' forwarding table-
aging time close to each other. This will cause the ARP packets to be broadcast. Relearning
must occur before the L2 forwarding table entry ages out.
Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-
switches/23563-143.html
Question 139
Answer: C
Question 155
Which three methods can a network engineer use to fix a metric-based routing loop in the
network? (Choose three)
Answer: D E F
Question 23
Which command do you enter to filter only routing updates that are sent through interface
GigabitEthernet0/0?
A. R1(config-if)#passive-interface GigabitEthernet0/0.
B. R1(config-router)#no passive-interface GigabitEthernet0/0
C. R1(config-router)#passive-interface GigabitEthernet0/0
D. R1(config-router)passive-interface default
E. R1(config-if)#passive-interface default
F. R1(config-router)#distribute-list 1 GigabitEthernet0/0 out
Answer: C
Explanation
In fact F is also a suitable answer but we don't know what "distribute-list 1" contains, so C is
a better answer.
Question 63
Given the network diagram, which address would successfully summarize only the networks
seen?
A. 192.168.0.0/24
B. 192.168.8.0/20
C. 192.168.8.0/21
D. 192.168.12.0/20
E. 192.168.16.0/21
F. These networks cannot be summarized.
Answer: C
Question 124
How big is the smallest packet that will always be fragmented on a standard Ethernet network
with default configuration?
A. 1500 bytes
B. 1800 bytes
C. 2048 bytes
D. 2100 bytes
Answer: B
Explanation
A packet of 1500 bytes is the largest packet on a standard Ethernet network (with the
default MTU) that is not fragmented. It consists of a 1460-byte payload plus 40 bytes of
headers (a 20-byte IP header and a 20-byte TCP header). Therefore the smallest packet in the
options above that will always be fragmented is 1800 bytes.
Question 134
A. fragmentation
B. COPP
C. ICMP redirects
D. ICMP unreachable messages
Answer: B
Explanation
The Control Plane Policing (CoPP) policy is an important security feature that prevents
Denial of Service (DoS) attacks that can impact the supervisor module CPU.
CoPP protects the route processor on network devices by treating route processor resources
as a separate entity with its own ingress interface (and in some implementations, egress also).
Because of this behavior, a CoPP policy can be developed and applied only to those packets
within the control plane. Unlike interface ACLs, for example, no effort is wasted
investigating data plane (transit) packets that will never reach the control plane. This action
has a significant simplifying implication on the construction of policies for CoPP.
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/best_practices/cli_mgmt_guid
e/cli_mgmt_bp/cpu.pdf and https://www.cisco.com/c/en/us/about/security-center/copp-best-
practices.html
Question 143
Which STP feature can reduce TCNs on ports that are connected to end devices?
A. BPDU guard
B. Root guard
C. PortFast
D. Backbone Fast
Answer: C
Explanation
In normal STP operation, a bridge keeps receiving configuration BPDUs from the root bridge
on its root port. But, it never sends out a BPDU toward the root bridge. In order to achieve
that, a special BPDU called the topology change notification (TCN) BPDU has been
introduced. Therefore, when a bridge needs to signal a topology change, it starts to send
TCNs on its root port. The designated bridge receives the TCN, acknowledges it, and
generates another one for its own root port. The process continues until the TCN hits the root
bridge. The bridge that notifies the topology change does not stop sending its TCN until the
designated bridge has acknowledged it.
The switch never generates a TCN when a port configured for Portfast goes up or down ->
Therefore PortFast can reduce TCNs on ports that are connected to end devices.
Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-
protocol/12013-17.html#anc12
Question 198
Answer: C D
Explanation
The most significant network factor in meeting the latency targets for TelePresence is
propagation delay, which can account for more than 90 percent of the network latency time
budget. Propagation delay is also a fixed component and is a function of the physical distance
that the signals have to travel between the originating endpoint and the receiving endpoint.
Propagation delay is the amount of time it takes for a single bit of data to get from one side
of a digital connection to the other. Propagation delay is usually close to the speed of light,
depending on the medium over which the packet is being carried (copper, fiber, and so on).
The propagation delay over a digital copper or fiber-optic connection is approximately 1 ms
per 100 miles. For example, the distance between New York and London is approximately
3500 miles. This means that the propagation delay between New York and London is
approximately 35 ms.
Three types of delay are inherent in today's telephony networks: propagation delay,
serialization delay, and handling delay (also called processing delay).
Serialization delay is the amount of time it takes to actually place a bit or byte onto an
interface. It is directly related to the clock rate on the interface.
Reference: http://www.ciscopress.com/articles/article.asp?p=606583
Answer: D
Explanation
Asymmetric routing is the scenario in which the outgoing packet takes one path and the
returning packet takes another path. VRRP can cause asymmetric routing to occur, for example:
R1 and R2 are the two routers in the local internal LAN network that are running VRRP. R1
is the master router and R2 is the backup router.
These two routers are connected to an ISP gateway router by using BGP. This topology
provides two possible outgoing and incoming paths for the traffic.
Suppose the outgoing traffic is sent through R1 but a VRRP failover occurs and R2 becomes the
new master router -> traffic passes through R2 instead -> asymmetric routing occurs.
Question 61
The Cisco ASA 500 Series Security Appliances are built specifically for businesses with less
than 100 employees. What are three important benefits of this device? (Choose three)
A. business-grade firewall
B. premium support via SMART net
C. site-to-site VPN for remote offices
D. Cisco IOS software-based
E. email security
F. XML support
Answer: A C E
Answer: A
Explanation
Normal policy based routing (PBR) is used to route packets that pass through the device.
Packets that are generated by the router (itself) are not normally policy-routed. To control
these packets, local PBR should be used. For example: Router(config)# ip local policy route-
map map-tag (compared with normal PBR: Router(config-if)# ip policy route-map map-tag)
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html
Question 90
Answer:
Explanation
The most common reason for excessive unicast flooding in steady-state Catalyst switch
networks is the lack of proper host port configuration. Hosts, servers, and any other end-
devices do not need to participate in the STP process; therefore, the link up and down states
on the respective NIC interfaces should not be considered an STP topology change.
Reference: http://www.ciscopress.com/articles/article.asp?p=336872
Question 91
Drag drop the correct descriptions on the right to the Frame Relay LMI extensions on the left.
Answer:
Question 92
Drag the descriptions on the left to the appropriate group on the right.
Answer:
Authentication:
+ supports a local database for device access
+ supports encryption
Authorization:
+ specifies a user's specific access privileges
+ enforces time periods during which a user can access the device
Accounting:
+ not supported with local AAA
+ verifies network usage
Explanation
AAA offers different solutions that provide access control to network devices. The following
services are included within its modular architectural framework:
+ Authentication – The process of validating users based on their identity and predetermined
credentials, such as passwords and other mechanisms like digital certificates. Authentication
controls access by requiring valid user credentials, which are typically a username and
password. With RADIUS, the ASA supports PAP, CHAP, MS-CHAP1 and MS-CHAP2, which is
why Authentication is the category that "supports encryption".
+ Authorization – The method by which a network device assembles a set of attributes that
regulates what tasks the user is authorized to perform. These attributes are measured against a
user database. The results are returned to the network device to determine the user's
qualifications and restrictions. This database can be located locally on Cisco ASA or it can be
hosted on a RADIUS or Terminal Access Controller Access-Control System Plus
(TACACS+) server. In summary, Authorization controls access per user after users
authenticate.
+ Accounting – The process of gathering and sending user information to an AAA server
used to track login times (when the user logged in and logged off) and the services that users
access. This information can be used for billing, auditing, and reporting purposes.
Question 93
Answer:
+ if authenticated – It allows the user to perform the requested function once authenticated
+ none – It instructs the network access server to proceed without requesting authorization
information
+ local – It provides authorization for a limited set of functions only
+ krb5-instance – It uses a defined instance for authorization
+ group radius – It uses authorization information from a standards based server
+ group tacacs+ – It uses authorization information stored as attribute value pairs in a Cisco
proprietary server
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html
Question 116
Refer to the exhibit. You are configuring the R1 Serial0 interface for a multipoint connection.
Drag and drop the required configuration statements from the left onto the corresponding
locations from the diagram on the right.
Answer:
interface Ethernet0
ip address 10.1.1.2 255.255.255.0
interface Serial0
! Serial interface config
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
! subinterface config
interface Serial0.1 multipoint
ip address 192.168.1.5 255.255.255.240
frame-relay map ip 192.168.1.1 100 broadcast
Question 132
Drag and drop the GRE features from the left onto the correct description on the right.
Answer:
Question 206
Drag and drop the AAA features from the left onto the correct description on the right.
Answer:
Drag and drop each statement about uRPF on the left to the correct uRPF mode on the right.
Answer:
Loose Modes:
+ It supports using the default route as a route reference
+ It requires the source address to be routable
Strict Modes:
+ It can drop legitimate traffic
+ It permits only packets that are received on the same interface as the exit interface for the
destination address
Refer to the exhibit. You are configuring the R1 Serial0 interface for a point-to-point
connection. Drag and drop the required configuration statements from the left onto the correct
locations from the diagram on the right. Not all commands are used.
Answer:
A – no ip address
B – interface serial0.1 point-to-point
C – frame-relay interface-dlci 100 ppp virtual-template1
D – ppp authentication chap
Explanation
It is a general best practice to not mix TCP-based traffic with UDP-based traffic (especially
Streaming-Video) within a single service-provider class because of the behaviors of these
protocols during periods of congestion. Specifically, TCP transmitters throttle back flows
when drops are detected. Although some UDP applications have application-level
windowing, flow control, and retransmission capabilities, most UDP transmitters are
completely oblivious to drops and, thus, never lower transmission rates because of dropping.
When TCP flows are combined with UDP flows within a single service-provider class and
the class experiences congestion, TCP flows continually lower their transmission rates,
potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is
called TCP starvation/UDP dominance.
TCP starvation/UDP dominance is likely to occur if TCP-based applications are assigned to the
same service-provider class as UDP-based applications and the class experiences sustained
congestion.
Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it
is beneficial to be aware of this behavior when making such application-mixing decisions
within a single service-provider class.
Reference:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/VPNQoS.html
Drag and drop the statements from the left onto the correct IPv6 router security features on
the right.
Answer:
Drag and drop the statements about device security from the left onto the correct description
on the right.
Answer:
CoPP:
+ It protects the device against DoS attacks
+ It supports packet forwarding by reducing the load on the device
+ It uses QoS to limit the load on the device
MPP:
+ It designates the permitted management interfaces on the device
+ It is enabled only when an interface is configured
+ It requires only a single command to configure
Drag and drop the correct description on the right onto the corresponding ACL types on the
left.
Answer:
Explanation
The general rule when applying access lists is to apply standard IP access lists as close to the
destination as possible and to apply extended access lists as close to the source as possible.
The reasoning for this rule is that standard access lists lack granularity, so it is better to
implement them as close to the destination as possible; extended access lists have more
potential granularity, thus they are better implemented close to the source.
Reference: http://www.ciscopress.com/articles/article.asp?p=1697887
Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release
11.1. This feature is dependent on Telnet, authentication (local or remote), and extended
ACLs.
Lock and key configuration starts with the application of an extended ACL to block traffic
through the router. Users that want to traverse the router are blocked by the extended ACL
until they Telnet to the router and are authenticated. The Telnet connection then drops and a
single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a
particular time period; idle and absolute timeouts are possible.
Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Drag and drop the steps in the NAT process for IPv4-initiated packets from the left into the
correct sequence on the right.
Answer:
Drag the items on the left to the proper locations on the right.
Answer:
Explanation
NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). There are two different forms of NAT64, stateless and stateful:
+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps
no state. It does not save any IP addresses since every IPv4 address maps to one IPv6 address.
Stateless NAT64 does not conserve IPv4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation (1:N translation). It
supports both IPv6-initiated and IPv4-initiated communications using static or manual
mappings. Stateful NAT64 conserves IPv4 addresses.
NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6 and it supports
one-to-one translation between inside and outside addresses.
Answer:
+ ip dhcp relay information option: automatically add the circuit identifier suboption and
the remote ID suboption
+ ip dhcp relay information check: check that the relay agent information option in
forwarded BOOTREPLY messages is valid
+ ip dhcp relay information policy: Configures the reforwarding policy for a DHCP relay
agent
Drag and drop the IPv6 NAT characteristic from the left to the matching IPv6 NAT category
on the right.
Answer:
NAT64:
+ Use Network-specific prefix
+ Modify session during translation
NPTv6:
+ Modify IP header in transit
+ Map one IPv6 address prefix to another IPv6 prefix
Explanation
NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). NAT64 requires a dedicated prefix, called the NAT64 prefix, to
recognize which hosts need IPv4-IPv6 translation. The NAT64 prefix can be a Network-specific
prefix (NSP), which is configured by a network administrator, or the well-known prefix (which
is 64:FF9B::/96). When a NAT64 router receives a packet that starts with the NAT64 prefix, it
will process this packet with NAT64.
NAT64 is not as simple as IPv4 NAT, which only translates the source or destination IPv4
address. NAT64 translates nearly everything (source & destination IP addresses, port number,
IPv4/IPv6 headers… which is called a session) from IPv4 to IPv6 and vice versa. So NAT64
"modifies session during translation".
Drag and drop the BGP states from the left to the matching definitions on the right.
Answer:
Explanation
The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm ->
Established
+ Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor
relationship has been administratively shut down.
+ Connect: TCP handshake completed.
+ Active: BGP tries another TCP handshake to establish a connection with the remote BGP
neighbor. If it is successful, it will move to the OpenSent state. If the ConnectRetry timer
expires then it will move back to the Connect state. Note: Active is not a good state.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.
Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3
Drag and drop the challenge Handshake Authentication Protocol steps from the left into the
correct order in which they occur on the right.
Answer:
+ Target 1: When the LCP phase is complete and CHAP is negotiated between both devices,
the authenticator sends a challenge message to the peer
+ Target 2: The peer responds with a value calculated through a one-way hash function
(MD5)
+ Target 3: The authenticator checks the response against its own calculation of the expected
hash value if the values match the authentication is successful. Otherwise, the connection is
terminated
Explanation
The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the peer
by means of a three-way handshake. These are the general steps performed in CHAP:
1) After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated
between both devices, the authenticator sends a challenge message to the peer.
2) The peer responds with a value calculated through a one-way hash function (Message
Digest 5 (MD5)).
3) The authenticator checks the response against its own calculation of the expected hash
value. If the values match, the authentication is successful. Otherwise, the connection is
terminated.
This authentication method depends on a "secret" known only to the authenticator and the
peer. The secret is not sent over the link. Although the authentication is only one-way, you
can negotiate CHAP in both directions, with the help of the same secret set for mutual
authentication.
Reference: http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html
For more information about CHAP challenge please read our PPP tutorial.
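The three-way handshake described above, as an added Python simulation that is not part of the original page: the authenticator issues a challenge, the peer answers with MD5(Identifier || secret || challenge) as RFC 1994 specifies, and the authenticator recomputes and compares, including the failed case where the secrets differ. The secret value and any fixed challenge bytes are constructed for the walkthrough.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed secret for the walkthrough; it is never transmitted, only hashed.
SHARED_SECRET = b"example-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2: the one-way hash the peer returns, MD5(Identifier || secret || Challenge)
    as RFC 1994 defines it. Identifier is the single octet carried in the Challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def run_chap(authenticator_secret: bytes, peer_secret: bytes,
             identifier: int = 1, challenge: Optional[bytes] = None) -> Dict[str, object]:
    """Simulate the three-way handshake and return what crossed the link plus the verdict."""
    # Step 1: after LCP completes, the authenticator sends a Challenge with a fresh
    # random value (a fixed value is used only when the caller supplies one)
    if challenge is None:
        challenge = os.urandom(16)
    # Step 2: the peer hashes the challenge with its copy of the secret and replies;
    # the secret itself never appears on the link
    response = chap_response(identifier, peer_secret, challenge)
    # Step 3: the authenticator recomputes the expected hash with its own secret and
    # compares; mismatched secrets give mismatched hashes and the link is terminated
    expected = chap_response(identifier, authenticator_secret, challenge)
    success = hmac.compare_digest(response, expected)
    return {"challenge": challenge, "response": response, "success": success}


def mutual_chap(secret_a: bytes, secret_b: bytes) -> bool:
    """CHAP negotiated in both directions: each side challenges the other with the same secret."""
    return (run_chap(secret_a, secret_b)["success"]
            and run_chap(secret_b, secret_a)["success"])
```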
Drag and drop each frame-relay component on the left to the correct statement on the right.
Answer:
Drag and drop the Cisco Express Forwarding adjacency types from the left to the correct type
of processing on the right.
Adjacency types:
+ Punt Adjacency
+ Drop Adjacency
+ Null Adjacency
+ Discard Adjacency
+ Glean Adjacency
Descriptions:
+ Packets are discarded.
+ Features that require special handling or features that are not yet supported in
conjunction with CEF switching paths are forwarded to the next switching layer for handling.
Features that are not supported are forwarded to the next higher switching level.
+ When a router is connected directly to several hosts, the FIB table on the router
maintains a prefix for the subnet rather than for the individual host prefixes. The subnet
prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the
adjacency database is gleaned for the specific prefix.
+ Packets are dropped, but the prefix is checked.
+ Packets destined for a Null0 interface are dropped. This can be used as an effective form
of access filtering.
Answer:
Punt Adjacency: Features that require special handling or features that are not yet supported
in conjunction with CEF switching paths are forwarded to the next switching layer for
handling. Features that are not supported are forwarded to the next higher switching level.
Drop Adjacency: Packets are dropped, but the prefix is checked.
Null Adjacency: Packets destined for a Null0 interface are dropped. This can be used as an
effective form of access filtering.
Discard Adjacency: Packets are discarded.
Glean Adjacency: When a router is connected directly to several hosts, the FIB table on the
router maintains a prefix for the subnet rather than for the individual host prefixes. The
subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific
host, the adjacency database is gleaned for the specific prefix.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html
Question 250
A network engineer configures two connected routers to run OSPF in Area 0; however, the
routers fail to establish adjacency. Which option is one of the causes of this issue?
Answer: D
Question 251
A network engineer is trying to synchronize the time clock, but the synchronization is not
working. What is likely the cause of this problem?
A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 123.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 123.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 123.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 123.
Answer: B
Explanation
By default, NTP uses User Datagram Protocol (UDP) port 123 so we cannot synchronize if
something is blocking this port.
Answer: D
Explanation
In this topology DSW1 is the DHCPv6 Relay agent so it should relay (forward) the DHCPv6
Request packets (from the clients) out of its Gi1/2 interface to the DHCPv6 server. The
command "ipv6 dhcp relay destination …" is used to complete this task.
Note: There is no "default-router" command for DHCPv6. The "ipv6 dhcp relay destination"
command is not required on every router along the path between the client and server. It is
ONLY required on the router functioning as the DHCPv6 relay agent.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-689821.html
Question 253 (posted at Q.9 of https://www.digitaltut.com/frame-relay-questions)
Which two statements about configuring Frame Relay point-to-multipoint connections are
true? (Choose two)
Answer: D E
Explanation
Question 254
A. Physical
B. loopback
C. virtual-template
D. dialer
Answer: D
A. DLCI
B. route target
C. virtual network tag
D. VLAN ID
Answer: C
A. IPSec
B. PPTP
C. mGRE
D. NHRP
E. Open VPN
Answer: C D
Explanation
DMVPN combines multiple GRE (mGRE) Tunnels, IPSec encryption and NHRP (Next Hop
Resolution Protocol) to perform its job and save the administrator the need to define multiple
static crypto maps and dynamic discovery of tunnel endpoints.
Which command do you enter to display log messages with a timestamp that includes the
length of time since the device was last rebooted?
Answer: A
Explanation
The "service timestamps log uptime" command enables timestamps on log messages, showing the time
since the system was rebooted. For example:
Question 258
A network engineer executes the command "show ip eigrp vrf purple topology". Which type
of information is displayed as a result?
Answer: D
A network engineer wants an NTP client to be able to update the local system without
updating or synchronizing with the remote system. Which option for the ntp access-group
command is needed to accomplish this?
A. Serve
B. Serve-only
C. peer
D. Query-only
Answer: A
Explanation
To control access to Network Time Protocol (NTP) services on the system, use the ntp
access-group command in global configuration mode.
+ Control messages are for reading and writing internal NTP variables and obtaining NTP
status information. They do not deal with time synchronization itself.
+ NTP request/update messages are used for actual time synchronization. A request packet
asks for synchronization information, and an update packet contains synchronization
information and may change the local clock.
When synchronizing system clocks on Cisco IOS devices only request/update messages are
used. Therefore in this question we only care about "NTP update messages".
Syntax:
+ Peer: permits the router to respond to NTP requests and accept NTP updates. NTP control
queries are also accepted. This is the only class which allows a router to be synchronized by
other devices -> not correct. In other words, the peer keyword enables the device to receive
time requests and NTP control queries and to synchronize itself to the servers specified in the
access list.
+ Serve-only: permits the router to respond to NTP requests only. It rejects attempts to
synchronize the local system time and does not accept control queries. In other words, the
serve-only keyword enables the device to receive only time requests from servers specified in
the access list.
+ Serve: permits the router to reply to NTP requests, but rejects NTP updates (e.g. replies
from a server or update packets from a peer). Control queries are also permitted. In other
words, the serve keyword enables the device to receive time requests and NTP control queries
from the servers specified in the access list but not to synchronize itself to the specified
servers -> this option is surely correct.
In summary, the answer "serve" is surely correct but the answer "serve-only" seems to be
correct too (although the definition is not clear).
Reference:
+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html
+ http://blog.ine.com/2008/07/28/ntp-access-control/
Answer: D
Explanation
Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming
packets. If it matches with the interface used to reach this source IP then the packets are
allowed to enter (strict mode).
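An added example, not from the original page, of the strict and loose uRPF checks described above (and in the drag-and-drop answer earlier), run over a constructed sample FIB; it also shows the strict-mode case where legitimate traffic arriving on an unexpected interface is dropped. The interface names and prefixes are constructed, and the allow_default flag is this example's model of the allow-default option.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample FIB (prefix, egress interface); not taken from any real router.
# Gi0/0 faces the ISP, Gi0/1 and Gi0/2 are internal LANs.
SAMPLE_FIB: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.1.1.0/24", "Gi0/1"),
    ("10.1.2.0/24", "Gi0/2"),
    ("192.0.2.0/24", "Gi0/0"),
]


def lookup(fib: List[Tuple[str, str]], src_ip: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of the packet's SOURCE address against the FIB.
    Returns (matching prefix, egress interface) or None when no route covers it."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: List[Tuple[str, str]], src_ip: str, ingress_iface: str,
               mode: str, allow_default: bool = False) -> bool:
    """Return True if the packet passes the uRPF check, False if it would be dropped.

    mode          -- "strict" (reachable-via rx) or "loose" (reachable-via any)
    allow_default -- whether a default route counts as a valid reverse path
    """
    route = lookup(fib, src_ip)
    if route is None:
        # Source is not routable at all: dropped in both modes
        return False
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        # Only the default route covers the source; unless the default route is
        # accepted as a reference, the source is treated as unroutable
        return False
    if mode == "loose":
        # Loose mode only needs *some* route back to the source; it does not
        # matter which interface the packet came in on
        return True
    if mode == "strict":
        # Strict mode additionally requires the packet to arrive on the same
        # interface the router would use to send traffic back to the source;
        # with asymmetric routing this drops legitimate packets too
        return egress == ingress_iface
    raise ValueError("mode must be 'strict' or 'loose'")


def dropped_packets(fib: List[Tuple[str, str]], packets: List[Tuple[str, str]],
                    mode: str, allow_default: bool = False) -> List[Tuple[str, str]]:
    """Run the check over (src_ip, ingress_iface) pairs and return the ones uRPF drops."""
    return [(src, iface) for src, iface in packets
            if not urpf_check(fib, src, iface, mode, allow_default)]
```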
Drag and drop the statements about NAT64 from the left onto the correct NAT64 types on
the right.
Answer:
Stateful:
+ It supports FTP64 for ALG
+ It supports PAT and overload
+ It allows IPv6 systems to use any type of IPv6 address
Stateless:
+ ALG is not supported
+ It supports one-to-one mapping only
+ It requires IPv6 systems to use RFC6052 IPv4-translatable addresses
Explanation
Differences between Stateful NAT64 and Stateless NAT64 are shown below:
+ Address savings: Stateful NAT64 uses N:1 mapping for PAT or overload configuration, which
saves IPv4 addresses; Stateless NAT64 uses one-to-one mapping, so one IPv4 address is used
for each IPv6 host.
+ Address space: with Stateful NAT64, IPv6 systems may use any type of IPv6 address; with
Stateless NAT64, IPv6 systems must have IPv4-translatable addresses (based on RFC 6052).
+ ALGs supported: Stateful NAT64 supports FTP64; Stateless NAT64 supports none.
+ Protocols supported: Stateful NAT64 supports ICMP, TCP and UDP; Stateless NAT64 supports all.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf
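An added example, not part of the original page, covering the NAT64 prefix handling explained earlier (a packet is handed to NAT64 only when it carries the NAT64 prefix) and the RFC 6052 IPv4-translatable addresses from the comparison above: it embeds and extracts an IPv4 address under the well-known prefix and, going beyond the /96 case the text shows, under every prefix length RFC 6052 allows. All prefixes other than 64:ff9b::/96 and all sample addresses are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# The well-known NAT64 prefix from the text; a network-specific prefix (NSP) in the
# same CIDR notation can be passed to the functions instead.
WELL_KNOWN_PREFIX = "64:ff9b::/96"
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Build the IPv4-embedded IPv6 address for ipv4 under a NAT64 prefix.

    RFC 6052 layout: the IPv4 octets directly follow the prefix, except that octet 8
    of the address (bits 64-71, the "u" octet) is reserved and must be zero, so for
    prefixes shorter than /64 the IPv4 octets are split around it; the tail is zero.
    """
    net = ipaddress.IPv6Network(prefix)
    pl = net.prefixlen
    if pl not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("NAT64 prefix length must be one of %s" % (RFC6052_PREFIX_LENGTHS,))
    head = net.network_address.packed[: pl // 8]
    v4 = ipaddress.IPv4Address(ipv4).packed
    if pl == 96:
        body = head + v4                      # all four octets after the prefix
    elif pl == 64:
        body = head + b"\x00" + v4            # u octet, then the four octets
    else:
        n = 8 - pl // 8                       # octets that fit before the u octet
        body = head + v4[:n] + b"\x00" + v4[n:]
    return ipaddress.IPv6Address(body.ljust(16, b"\x00"))


def extract_ipv4(prefix: str, addr: str) -> Optional[ipaddress.IPv4Address]:
    """Inverse of embed_ipv4; None when addr is not a well-formed NAT64 address."""
    net = ipaddress.IPv6Network(prefix)
    a = ipaddress.IPv6Address(addr)
    if a not in net or net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        return None                           # does not carry the NAT64 prefix
    b = a.packed
    if b[8] != 0:
        return None                           # u octet must be zero
    pl = net.prefixlen
    if pl == 96:
        v4 = b[12:16]
    elif pl == 64:
        v4 = b[9:13]
    else:
        n = 8 - pl // 8
        v4 = b[pl // 8:8] + b[9:9 + (4 - n)]
    return ipaddress.IPv4Address(v4)


def nat64_decision(prefix: str, dst: str) -> Tuple[str, Optional[str]]:
    """What a NAT64 router does with an IPv6 destination: translate to the embedded
    IPv4 address when it carries the NAT64 prefix, otherwise forward as native IPv6."""
    v4 = extract_ipv4(prefix, dst)
    if v4 is None:
        return ("native-ipv6", None)
    return ("translate-to-ipv4", str(v4))
```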
Question 2
Answer: C
Question 3
Which two steps must you perform to allow access to a device when the connection to a
remote TACACS+ authentication server fails? (Choose two)
Answer: A B
Question 4
ip vrf BLUE
ip vrf RED
!
interface FastEthernet0/0
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
ip vrf forwarding BLUE
ip address 10.1.2.1 255.255.255.0
Network users on the 10.1.2.0/24 subnet have a default gateway of 10.1.2.254. Which
command will configure this gateway?
Answer: D
Question 5
Based on Cisco best practice, which statement about the output is true?
A. The output should be analyzed by a network engineer before allocating additional memory
and CPU usage to processes on an IOS router in production
B. The output should be analyzed by a network engineer before executing any configuration
commands on an IOS router in production
C. The output should be analyzed by a network engineer before executing any debug
commands on an IOS router in production
D. The output should be analyzed by a network engineer before executing other show
commands on an IOS router in production
Answer: C
Question 6
Users were moved from the local DHCP server to the remote corporate DHCP server. After
the move, none of the users were able to use the network. Which two issues will prevent this
setup from working properly? (Choose two)
Answer: B E
Question 7
Which two statements about the OSPF down bit are true? (Choose two)
Answer: D E
Explanation
To prevent possibility of a loop, when the routes are redistributed from MP-BGP into OSPF,
then they are marked with a DN Bit in LSA Type 3, 5, or 7 and have the domain tag for Type
5 and 7 LSA.
Question 8
Answer: A
Answer: A E
Explanation
* Inside local address – The IP address assigned to a host on the inside network. The address
is usually not an IP address assigned by the Internet Network Information Center (InterNIC)
or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service
provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the
inside network.
* Outside global address – The IP address assigned to a host on the outside network. The
owner of the host assigns this address.
Question 10
Hostname R1
!
ip vrf Yellow
rd 100:1
interface Serial0/0
ip vrf forwarding Yellow
ip address 192.168.1.1 255.255.255.0
!
router eigrp 100
network 192.168.1.1 0.0.0.0
no auto-summary
redistribute static
!
R1#ping vrf Yellow 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.1.2, timeout is 2 second:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1 is configured with VRF-Lite and can ping R2. R2 is fully configured, but it has no active
EIGRP neighbors in vrf Yellow. If the configuration of R2 is complete, then which issue
prevents the EIGRP 100 neighbor relationship in vrf Yellow from forming?
Answer: D
Explanation
The "network 192.168.1.1 0.0.0.0" command should be configured under vrf Yellow as follows:
Which two LSA types were introduced to support OSPF for IPv6? (Choose two)
A. type 9
B. type 10
C. type 5
D. type 7
E. type 8
Answer: A E
Explanation
LSAs Type 8 (Link LSA) have link-local flooding scope. A router originates a separate link-
LSA for each attached link that supports two or more (including the originating router itself)
routers. Link-LSAs should not be originated for virtual links.
LSAs Type 9 (Intra-Area Prefix LSA) have area flooding scope. An intra-area-prefix-LSA
has one of two functions:
1. It either associates a list of IPv6 address prefixes with a transit network link by referencing
a network-LSA…
2. Or associates a list of IPv6 address prefixes with a router by referencing a router-LSA. A
stub link's prefixes are associated with its attached router.
LSA Type 9 takes over the role that LSA Type 1 and LSA Type 2 had in IPv4 OSPF of
advertising the prefixes inside the areas, which changes the way the OSPF SPF algorithm is
run.
Question 12
Answer: C E
Question 13
A network engineer is configuring two dedicated Internet connections within the Internet
module. One connection is the primary connection for all wired business communications
while the other is the primary connection for all customer wireless traffic. If one of the links
goes down, the affected traffic needs to be redirected to the redundant link. Which current
technology should be deployed to monitor the scenario?
A. IP SLA
B. MMC
C. IP SAA
D. PBR
E. IP QoS
Answer: A
Question 14
Which command do we use to control the type of routes that are processed in incoming route
updates?
A. passive-interface
B. distribute-list 1 out
C. distribute-list 1 in
D. ip vrf forwarding
Answer: C
Question 15
Which two types of traffic can benefit from LLQ? (Choose two)
A. email
B. voice
C. telnet
D. video
E. file transfer
Answer: B D
Question 16
Answer: C
Explanation
Cisco IOS IP SLA Responder is a Cisco IOS Software component whose functionality is to
respond to Cisco IOS IP SLA request packets. The IP SLA source sends control packets
before the operation starts to establish a connection to the responder. Once the control packet
is acknowledged, test packets are sent to the responder. The responder inserts a time-stamp
when it receives a packet and factors out the destination processing time and adds time-
stamps to the sent packets. This feature allows the calculation of unidirectional packet loss,
latency, and jitter measurements with the kind of accuracy that is not possible with ping or
other dedicated probe testing
Reference:
https://www.cisco.com/en/US/technologies/tk869/tk769/technologies_white_paper0900aecd806bfb52.html
Question 17
Which two actions are common methods for migrating a network from one protocol to
another? (Choose two)
A. redistributing routes from the current routing protocol to the new routing protocol
B. removing the current routing protocol and implementing the new routing protocol
C. changing the relative administrative distances of the two routing protocols
D. changing the network IP addresses and bringing up the new IP addresses using the new
routing protocol
E. disabling IP routing globally and implementing the new routing protocol
Answer: A C
Question 18
Which statements best describes the following two OSPF commands, which are used to
summarize routes?
Answer: C
Explanation
In order for RTB to summarize routes for the 192.168.16.0/22 supernet before injecting them
into Area 0, we use the command:
Recently the RIPv2 domain has been redistributed into our OSPF domain but the
administrator wants to configure a summarized route instead of 32 external type-5 LSAs (for
172.16.32.0/24 to 172.16.63.0/24) flooding into the OSPF network. In this case the
administrator has to use the "summary-address" command as follows:
Question 19
Which action is the most efficient way to handle route feedback when converting a RIPv2
network to OSPF?
Answer: A
Explanation
We should use a route tag to tag any routes that are redistributed from RIPv2 to OSPF. Then,
when redistributing from OSPF to RIPv2, we prevent these routes from getting back into the
RIPv2 domain (route feedback) by matching the tag we set before.
Question 20
Answer: B
Explanation
In a stub area no Type 5 AS-external LSAs are allowed. It only allows LSA types 1, 2 and 3.
Question 21
What hop count is advertised for an unreachable network by a RIP router that uses
poison reverse?
A. 16
B. 255
C. 0
D. 15
Answer: A
Question 22
aaa new-model
aaa authentication login default local-case enable
aaa authentication login ADMIN local-case
username CCNP secret Str0ngP@ssw0rd!
line 0 4
login authentication ADMIN
How can you change this configuration so that when user CCNP logs in, the show run
command is executed and the session is terminated?
Answer: F
Explanation
The "autocommand" keyword causes the specified command to be issued automatically after the user
logs in. When the command is complete, the session is terminated. Because the command can
be any length and can contain embedded spaces, commands using the autocommand keyword
must be the last option on the line. In this specific question, we have to enter this line:
"username CCNP autocommand show running-config".
Question 23
router ospf 10
router-id 192.168.1.1
log-adjacency-changes
redistribute bgp 1 subnets route-map BGP-TO-OSPF
!
route-map BGP-TO-OSPF deny 10
match ip address 50
route-map BGP-TO-OSPF permit 20
!
access-list 50 permit 172.16.1.0 0.0.0.255
Which statement about redistribution from BGP into OSPF process 10 is true?
Answer: A
Explanation
The first statement of the above route-map will prevent network 172.16.1.0/24 from being
redistributed into OSPF.
Question 24
Which functions are included in the two-message rapid exchange that a DHCPv6 client can
receive from a server?
Answer: A
Explanation
DHCPv6 can be implemented in two ways: Rapid-Commit and Normal-Commit mode.
In Rapid-Commit mode, the DHCP client obtains configuration parameters from the server
through a rapid two-message exchange (solicit and reply).
In Normal-Commit mode, the DHCP client uses a four-message exchange (solicit, advertise,
request and reply). By default normal-commit is used.
Reference: https://community.cisco.com/t5/networking-documents/part-1-implementing-dhcpv6-stateful-dhcpv6/ta-p/3145631
Question 25
Refer to the exhibit.
(exhibit missing)
Which key chain is being used for authentication of EIGRP adjacency between R4 and R2?
A. KEY
B. MD5
C. EIGRP
D. CISCO
Answer: D
Question 26
Which two statements about redistributing EIGRP into OSPF are true? (Choose two)
A. The redistributed EIGRP routes appear as type 3 LSAs in the OSPF database
B. The redistributed EIGRP routes appear as type 5 LSAs in the OSPF database
C. The administrative distance of the redistributed routes is 170
D. The redistributed EIGRP routes appear as OSPF external type 1
E. The redistributed EIGRP routes as placed into an OSPF area whose area ID matches the
EIGRP autonomous system number
F. The redistributed EIGRP routes appear as OSPF external type 2 routes in the routing table
Answer: B F
Question 27
A network engineer executes the show ip flow interface command. Which type of
information is displayed on the interface?
Answer: D
Explanation
The command "show ip flow interface" displays the NetFlow accounting configuration for
interfaces. Below is an example of the output of this command:
R1# show ip flow interface
GigabitEthernet0/0
ip flow ingress
ip flow egress
Question 28
Which two statements are differences between AAA with TACACS+ and AAA with
RADIUS? (Choose two)
Answer: B D
Question 29
Which IOS commands can you use to limit the CPU impact of log generation and
transmission on an IOS router?
A. You can use the ip access-list logging interval command in conjunction with the logging
rate-limit command.
B. You can use the ip access-list logging limit command in conjunction with the logging rate-
interval command.
C. You can use the ip access-list syslog-logging interval command in conjunction with the
logging rate-limit command.
D. You can use the ip access-list logged interval command in conjunction with the logged
rate-limit command.
Answer: A
Question 30
You are configuring a Microsoft client to call a PPP server using CHAP. Only the client will
be authenticated but the client's password has expired and must be changed. Which PPP
server configuration allows the call to be completed?
Explanation
The MSCHAP Version 2 supports the Password Aging feature, which notifies clients that the
password has expired and provides a generic way for the user to change the password.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-
mt/sec-usr-aaa-15-mt-book/mschap_version_2.pdf
Note: The "calling" keyword specifies that the router will refuse to answer CHAP
authentication challenges received from the peer, but will still require the peer to answer any
CHAP challenges the router sends -> Only the client will be authenticated.
Question 31
Answer: C
Question 32
A network engineer wants to implement an SNMP notification process for host machines
using the strongest security available. Which command accomplishes this task?
Answer: C
Explanation
Neither SNMPv1 nor SNMPv2 paid much attention to security: both rely on a community
string only, and a community string is really just a clear-text password (no encryption).
Any data sent in clear text over a network is vulnerable to packet sniffing and
interception.
SNMPv3 provides significant enhancements to address the security weaknesses existing in
the earlier versions. The concept of community string does not exist in this version. SNMPv3
provides a far more secure communication using entities, users and groups. This is achieved
by implementing three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: by using password hashing (based on the HMAC-MD5 or HMAC-SHA
algorithms) to ensure the message is from a valid source on the network.
+ Privacy (Encryption): by using encryption (56-bit DES encryption, for example) to
encrypt the contents of a packet.
Note: Although SNMPv3 offers better security, SNMPv2c is still more common.
Question 33
Which issue is important to address when integrating two networks that use different routing
protocols?
Answer: E
Question 34
Drag and drop the DMVPN components from the left onto the correct descriptions on the
right.
Answer:
Question 35
%Interfact GigabitEthernet1: IPv4 disabled and address(es) removed due to enabling VRF CUST_A
An engineer is enabling VPN service for a customer and notices this output when placing the
customer-facing interface into a VRF. Which action corrects the issue?
Answer: A
Explanation
If the interface was assigned an IP address before joining a VRF, that IP address is
removed when the VRF is applied, so we have to reconfigure it.
Question 36
Which two statements about VRF-Lite configurations are true? (Choose two)
Answer: B E
Explanation
In VRF-Lite, the Route Distinguisher (RD) identifies the customer routing table and "allows
customers to be assigned overlapping addresses". The example below shows overlapping IP
addresses configured on two interfaces which belong to two different VPNs:
Question 37
Which two statements about PPPoE packet types are true? (Choose two)
A. PADR is a broadcast packet sent from the client to request a new server
B. PADI is an initialization packet sent as a broadcast message
C. PADO is a unicast reply packet sent to the client
D. PADO is a broadcast reply packet sent to the client
E. PADR is a unicast confirmation packet sent to the client
Answer: B C
Explanation
+ PPPoE Active Discovery Initiation (PADI): The client initiates a session by broadcasting
a PADI packet to the LAN to request a service.
+ PPPoE Active Discovery Offer (PADO): Any access concentrator that can provide the
service requested by the client in the PADI packet replies with a PADO packet that contains
its own name, the unicast address of the client, and the service requested. An access
concentrator can also use the PADO packet to offer other services to the client.
+ PPPoE Active Discovery Request (PADR): From the PADOs it receives, the client selects
one access concentrator based on its name or the services offered and sends it a PADR packet
to indicate the service or services needed.
+ PPPoE Active Discovery Session-Confirmation (PADS): When the selected access
concentrator receives the PADR packet, it accepts or rejects the PPPoE session:
– To accept the session, the access concentrator sends the client a PADS packet with a unique
session ID for a PPPoE session and a service name that identifies the service under which it
accepts the session.
– To reject the session, the access concentrator sends the client a PADS packet with a service
name error and resets the session ID to zero.
+ After a session is established, the client or the access concentrator can send a PPPoE Active
Discovery Termination (PADT) packet anytime to terminate the session. The PADT packet
contains the destination address of the peer and the session ID of the session to be terminated.
After this packet is sent, the session is closed to PPPoE traffic.
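The discovery exchange described above, as an added constructed Python simulation (not code from the page or from any vendor): it encodes the RFC 2516 PADI/PADO/PADR/PADS packets, has a client broadcast a PADI, lets two access concentrators answer with unicast PADOs, and completes the session with a PADR/PADS. Every MAC address, AC name and service name is made up; the packet codes and TAG types are the RFC values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed simulation of the PPPoE discovery stage (RFC 2516). The code
# values and TAG types are the RFC's; every MAC address, AC name and service
# name below is made up for the demo.
BROADCAST = "ff:ff:ff:ff:ff:ff"
VER_TYPE = 0x11                                   # VER = 1, TYPE = 1
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_SERVICE_NAME_ERROR = 0x0101, 0x0102, 0x0201


@dataclass(frozen=True)
class Frame:
    src: str          # source MAC address
    dst: str          # destination MAC; broadcast only for the PADI
    payload: bytes    # PPPoE discovery header followed by TAGs


def encode(code: int, session_id: int, tags) -> bytes:
    """Build a discovery payload: 6-byte header then TLV TAGs (type, length, value)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def decode(payload: bytes):
    """Parse header and TAGs into (code, session_id, {tag_type: value})."""
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != VER_TYPE or len(payload) < 6 + length:
        raise ValueError("not a PPPoE v1/type 1 discovery packet")
    tags, off, end = {}, 6, 6 + length
    while off < end:
        t, l = struct.unpack("!HH", payload[off:off + 4])
        tags[t] = payload[off + 4:off + 4 + l]
        off += 4 + l
    return code, session_id, tags


@dataclass
class AccessConcentrator:
    mac: str
    name: bytes
    services: set
    next_session: int = 1          # session IDs are never 0 (0 means "none")

    def handle(self, frame: Frame) -> Optional[Frame]:
        code, _, tags = decode(frame.payload)
        wanted = tags.get(TAG_SERVICE_NAME, b"")
        if code == PADI and frame.dst == BROADCAST:
            if wanted and wanted not in self.services:
                return None        # cannot serve this request: stay silent
            offer = [(TAG_AC_NAME, self.name)]
            offer += [(TAG_SERVICE_NAME, s) for s in sorted(self.services)]
            return Frame(self.mac, frame.src, encode(PADO, 0, offer))  # unicast
        if code == PADR and frame.dst == self.mac:
            if wanted in self.services:
                sid, self.next_session = self.next_session, self.next_session + 1
                return Frame(self.mac, frame.src,
                             encode(PADS, sid, [(TAG_SERVICE_NAME, wanted)]))
            err = [(TAG_SERVICE_NAME_ERROR, b"service not offered")]
            return Frame(self.mac, frame.src, encode(PADS, 0, err))  # reject
        return None


def discover(client_mac: str, acs, service: bytes, prefer: bytes = None):
    """Client side: PADI -> PADO(s) -> PADR -> PADS.
    Returns (session_id, chosen AC name, list of frames exchanged);
    session_id 0 means no session was established."""
    trace = []
    padi = Frame(client_mac, BROADCAST, encode(PADI, 0, [(TAG_SERVICE_NAME, service)]))
    trace.append(padi)
    offers = []
    for ac in acs:                 # a broadcast reaches every AC on the LAN
        pado = ac.handle(padi)
        if pado is not None:
            trace.append(pado)
            offers.append((ac, pado, decode(pado.payload)[2][TAG_AC_NAME]))
    if not offers:
        return 0, None, trace
    chosen = offers[0]             # default: first offer received
    for cand in offers:            # or the AC the client prefers by name
        if cand[2] == prefer:
            chosen = cand
    ac, pado, ac_name = chosen
    padr = Frame(client_mac, pado.src, encode(PADR, 0, [(TAG_SERVICE_NAME, service)]))
    trace.append(padr)
    pads = ac.handle(padr)
    trace.append(pads)
    _, session_id, _ = decode(pads.payload)
    return session_id, ac_name, trace
```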
Question 38
Which two statements are examples of the differences between IPv4 and IPv6 EIGRP?
(Choose two)
Answer: D E
Explanation
Although the configuration and management of EIGRP for IPv4 and EIGRP for IPv6 are
similar, they are configured and managed separately. A few (not all) examples of differences
include these:
+ The network command is not used in IPv6; EIGRP is configured via links.
+ The ipv6 keyword is used in many of the EIGRP commands.
+ EIGRP for IPv6 needs to be explicitly enabled on each interface.
Note:
The following are a few (not all) examples of similarities shared by IPv4 EIGRP and IPv6
EIGRP:
+ DUAL is used for route calculation and selection with the same metrics.
+ It is scalable to large network implementations.
+ Neighbor, routing, and topology tables are maintained.
+ Both equal-cost load balancing and unequal-cost load balancing are offered.
Reference: http://www.ciscopress.com/articles/article.asp?p=2137516&seqNum=4
Question 39
VRF HUB (VRF Id = 3): default RD 100:10; default VPNID <not set>
  New CLI format, supports multiple address-families
  Flags: 0x180C
  Interfaces:
    G1/1
Address family ipv4 unicast (Table ID = 0x3)
  Flags: 0x0
  Export VPN route-target communities
    RT 100:10
  Import VPN route-target communities
    RT 100:10    RT 200:20
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001)
[Output omitted]

VRF SPOKE (VRF Id = 4): default RD 200:20; default VPNID <not set>
  New CLI format, supports multiple address-families
  Flags: 0x180C
  Interfaces:
    G1/2
Address family ipv4 unicast (Table ID = 0x4)
  Flags: 0x0
  Export VPN route-target communities
    RT 200:20
  Import VPN route-target communities
    RT 200:20
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001)
[Output omitted]
A network engineer is modifying configurations for a customer that currently uses VPN
connectivity between their sites. The customer has added a new spoke site, but it does not have
reachability to servers located at the hub. Based on the output, which statement describes the
cause?
Answer: D
Question 40
Answer: D
Question 41
A. It ensures that there are appropriate levels of service for network applications
B. It classifies various traffic types by examining information within Layers 3 through 7.
C. It measures how the network treats traffic for specific applications by generating traffic
that bears similar characteristics to application traffic
D. It keeps track of the number of packets and bytes that are observed in each flow by storing
information in a cache flow
Answer: C
Question 42
A network engineer is enabling conditional debugging and executes two commands: debug
condition interfaces serial0/0 and debug condition interfaces serial 0/1. Which debugging
output is displayed as a result?
Answer: B
Question 43
A. option 57
B. option 82
C. option 66
D. option 68
Answer: C
Explanation
For Cisco phones, IP addresses can be assigned manually or by using DHCP. The devices also
require access to a TFTP server that contains device configuration name files (.cnf file
format), which enables the device to communicate with Cisco Call Manager.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone
starts, if it does not have both its IP address and the TFTP server IP address pre-configured, it
sends a request with option 150 to the DHCP server to obtain this information.
DHCP Option 150 is Cisco proprietary. The IEEE standard that matches this
requirement is Option 66. Like option 150, option 66 is used to specify the name of the
TFTP server.
Question 44
What type of address does OSPFv3 use to form adjacencies and send updates?
A. FF02::5
B. link-local
C. IPv4 address
D. IPv6 address multicast
Answer: B
A. authpriv
B. noauthnopriv
C. authnopriv
D. noauthpriv
Answer: B
A network engineer executes the show crypto ipsec sa command. Which three pieces of
information are displayed in the output? (Choose three)
Answer: A B C
Explanation
This command shows the IPsec Security Associations (SAs) built between peers. An example of
the output of the above command is shown below:
The first part shows the interface and crypto map name that are associated with the interface.
Then the inbound and outbound SAs are shown. These are either AH or ESP SAs. In this
case, because you used only ESP, there are no AH inbound or outbound SAs.
Note: "inbound crypto map" here probably refers to the crypto map name.
Question 47
Answer:
Question 48
What are two reasons to use multicast to deliver video traffic, instead of unicast or broadcast?
A. It provides reliable TCP transport
B. It enables multiple servers to send video streams simultaneously
C. It enables multiple clients to send video stream simultaneously
D. It supports distributed applications
E. It enables multiple clients to receive the video stream simultaneously
Answer: D E
Question 48
Which two statements about PAP authentication in a PPP environment are true? (Choose
two)
Answer: A B
Explanation
PPP has two built-in security mechanisms, which are Password Authentication Protocol
(PAP) and Challenge Handshake Authentication Protocol (CHAP).
Another difference between PAP and CHAP is that PAP performs authentication at the initial link
establishment only, while CHAP performs authentication at the initial link establishment and
periodically after that. The challenge text is random and unique, so the "result" is also unique
from time to time. This prevents replay (playback) attacks, in which an attacker copies the "result"
text sent from the client and tries to reuse it.
Question 49
Which two tasks should you perform to begin troubleshooting a network problem? (Choose
two)
Answer: A B
Explanation
Reference: http://www.ciscopress.com/articles/article.asp?p=2273070
Question 50
Which two piece of information can you learn by viewing the routing table? (Choose two)
Answer: B E
Question 51
Which two facts must you take into account when you deploy PPPoE? (Choose two)
Explanation
The PPPoE Client DDR Idle Timer feature supports the dial-on-demand routing (DDR)
interesting traffic control list functionality of the dialer interface with a PPP over Ethernet
(PPPoE) client, but also keeps original functionality (PPPoE connection up and always on
after configuration) for those PPPoE clients that require it.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbpecls.html
But it is just an optional feature and we don't need DDR idle timers to be configured to
support VPDN login -> Answer A is not correct.
DDR has been supported in PPPoE since IOS 12.2 -> Answer C is not correct.
We can assign IP addresses via DHCP on the PPPoE interface -> Answer D is not correct.
Prior to Cisco IOS Release 12.4(15)T, one ATM PVC supported one PPPoE client. With the
introduction of the Multiple PPPoE Client feature in Cisco IOS Release 12.4(15)T, one ATM
PVC supports multiple PPPoE clients, allowing second line connection and redundancy.
Multiple PPPoE clients can run concurrently on different PVCs, but each PPPoE client must
use a separate dialer interface and a separate dialer pool. Therefore answer E is still correct.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/15-
mt/bba-15-mt-book/bba-ppoe-client.pdf
Router Questions
https://www.digitaltut.com/router-questions
Question 1
What command can you enter to configure an enable password that uses an encrypted
password from another configuration?
Answer: D
Explanation
To determine which scheme has been used to encrypt a specific password, check the digit
preceding the encrypted string in the configuration file. If that digit is a 7, the password has
been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.
The enable secret has been hashed with MD5, whereas in the command:
The password has been encrypted using the weak reversible algorithm.
When we enter the "enable secret" command with a number after it, IOS takes that number as
a signal that the password is already encrypted, so it does not encrypt it again and accepts
the password as given.
In new Cisco IOS (v15+), it seems the device does not recognize the "enable secret 7" command
as an encrypted password. We tried on Cisco IOS v15.4 and see this:
Note: In fact, there is an error with the answer D. As we entered the command in answer D,
the router denied the encrypted password because it was not a valid encrypted secret
password. That means the router also checked if the password was hashed correctly or not.
But it is the best answer in this question.
Question 2
What is the optimal location from which to execute a debug command that produces an
excessive amount of information?
A. Vty lines
B. SNMP commands
C. A console port
D. An AUX port
Answer: A
Explanation
Excessive debug output to the console port of a router can cause the router to hang, because
the router automatically prioritizes console output ahead of other router functions. Hence, if
the router is processing a large debug output to the console port, it may hang. If the
debug output is excessive, use the vty (telnet) lines or the log buffers to obtain your
debugs.
Note: By default, logging is enabled on the console port. Hence, the console port always
processes debug output even if you are actually using some other port or method (such as
Aux, vty or buffer) to capture the output. Cisco therefore recommends that, under normal
operating conditions, you have the no logging console command enabled at all times and use
other methods to capture debugs.
To enable logging on your virtual terminal connection (telnet), use the "terminal
monitor" command in privileged mode (Router#).
Reference: http://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-
digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html
Question 3
A. a routing loop
B. a router in the packet flow path that is intermittently dropping packets
C. high latency
D. packets in a flow traversing multiple paths through the network
E. some packets in a flow being process-switched and others being interrupt-switched on a
transit Router
Answer: D E
Explanation
Per-packet load balancing means that the router sends one packet for destination1 over the
first path, the second packet for (the same) destination1 over the second path, and so on. Per-
packet load balancing guarantees an equal load across all links. However, the packets may
arrive out of order at the destination because differential delay may exist within the
network -> Answer D is correct.
When searching the routing table, the router looks for the longest match for the destination IP
address prefix. This is done at "process level" (known as process switching), which means
that the lookup is treated as just another process queued among other CPU processes.
Interrupt-level switching means that when a packet arrives, an interrupt is triggered which
causes the CPU to postpone other tasks in order to handle that packet.
In general, process switching is faster than interrupt-level switching and can cause out-of-
order packets.
Question 4
Where will the output of the command debug condition interface fa0/1 be shown?
Answer: A or C
Explanation
Note: If in this question there was another "debug condition interface fa0/0" command
configured, then the answer should be C (both interfaces will show debugging output).
Question 5
Which security feature can you enable to control access to the VTY lines on a router?
A. exec-time out
B. logging
C. username and password
D. transport output
Answer: C
Explanation
There are a few simple steps you can follow to ensure your VTY lines are as secure as
possible. The easiest way is to enable username / password authentication. Other ways are to
include an access-list to prevent unwanted IP addresses from connecting and use SSH to
encrypt the traffic connecting to the device.
Question 6
Under which circumstance will a branch ISR router contain interface vlan configurations?
Answer: D
Explanation
Question 7
A. Level14
B. Level0
C. Level1
D. Level15
Answer: C
Question 8
Which two statements about password-protecting device access are true? (Choose two)
Answer: D E
Access List
https://www.digitaltut.com/access-list
Question 1
What does the following access list, which is applied on the external interface FastEthernet
1/0 of the perimeter router, accomplish?
router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router(config)#access-list 101 permit ip any any
router(config)#interface FastEthernet 1/0
router(config-if)#ip access-group 101 in
Answer: C
Explanation
The first answer is not correct because the 10.0.0.0 network range it gives is not correct. It
should be 10.0.0.0 to 10.255.255.255.
Question 2
Refer to the following access list.
access-list 100 permit ip any any log
After applying the access list on a Cisco router, the network engineer notices that the router
CPU utilization has risen to 99 percent. What is the reason for this?
A. A packet that matches an access-list with the "log" keyword is Cisco Express Forwarding
switched.
B. A packet that matches an access-list with the "log" keyword is fast switched.
C. A packet that matches an access-list with the "log" keyword is process switched.
D. A large amount of IP traffic is being permitted on the router.
Answer: C
Explanation
Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the
network or is dropped by network devices. Unfortunately, ACL logging can be CPU
intensive and can negatively affect other functions of the network device. There are two
primary factors that contribute to the CPU load increase from ACL logging: process
switching of packets that match log-enabled access control entries (ACEs) and the
generation and transmission of log messages.
Process switching is the slowest switching method (compared to fast switching and Cisco
Express Forwarding) because it must find the destination in the routing table. Process switching
must also construct a new Layer 2 frame header for every packet. With process switching,
when a packet comes in, the scheduler calls a process that examines the routing table,
determines which interface the packet should be switched to, and then switches the packet.
The problem is that this happens for every packet.
Reference: http://www.cisco.com/web/about/security/intelligence/acl-logging.html
Question 3
For troubleshooting purposes, which method can you use in combination with the "debug ip
packet" command to limit the amount of output data?
Answer: C
Explanation
If you use the "debug ip packet" command on a production router, you can bring it down,
since it generates output for every packet and the output can be extensive. The best way to
limit the output of debug ip packet is to create an access list that is linked to the debug. Only
packets that match the access list criteria will be subject to debug ip packet. For example, this
is how to monitor traffic from 1.1.1.1 to 2.2.2.2:
Note: The "debug ip packet" command is used to monitor packets that are processed by the
router's routing engine and are not fast switched.
Question 4
Which outbound access list, applied to the WAN interface of a router, permits all traffic
except for http traffic sourced from the workstation with IP address 10.10.10.1?
B. ip access-list extended 10
deny tcp host 10.10.10.1 any eq 80
permit ip any any
Answer: D
Question 5
A route map uses an ACL, if the required matching is based on which criteria?
A. addressing information
B. route types
C. AS paths
D. metrics
Answer: A
Question 6
Which configuration can you apply to a device so that it always blocks outbound web
traffic on Saturdays and Sundays between the hours of 1:00 AM and 11:59 PM?
Answer: B
Explanation
+ The question asks to "always" block traffic (every week), so we must use the keyword
"periodic".
+ Traffic should be blocked until 11:59 PM, which means 23:59.
Note: The time is specified in 24-hour format (hh:mm), where the hours range from 0 to 23 and
the minutes range from 0 to 59.
Only answer B satisfies these two requirements, so it is the best answer. In fact, none of the
answers is strictly correct, as the access list should deny web traffic rather than permit it as
shown in the answers.
Question 7
Question 8
Which two different configurations can you apply to a device to block incoming SSH access?
(Choose two)
Answer: C D
Explanation
The "ipv6 traffic-filter" command is used to filter IPv6 traffic flowing through an interface,
while the "ipv6 access-class" command is used to filter IPv6 traffic destined to the router (via
logical interfaces).
Question 9
Which access list entry checks for an ACK within a packet header?
Answer: C
Explanation
The established keyword is only applicable to TCP access list entries. It matches TCP segments
that have the ACK and/or RST control bit set (regardless of the source and destination ports),
which assumes that a TCP connection has already been established in one direction only.
Let's see an example below:
Note:
Suppose host A wants to start communicating with host B using TCP. Before they can send
real data, a three-way handshake must be completed first. Let's see how this process takes
place:
1. First, host A sends a SYN message (a TCP segment with the SYN flag set to 1; SYN is
short for SYNchronize) to indicate it wants to set up a connection with host B. This message
includes a sequence (SEQ) number for tracking purposes. This sequence number can be any
32-bit number (range from 0 to 2^32), so we use "x" to represent it.
2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some
books may call it a "SYN/ACK" or "SYN, ACK" message; ACK is short for ACKnowledge).
This message includes a SYN sequence number and an ACK number:
+ The SYN sequence number (let's call it "y") is a random number and has no
relationship with host A's SYN SEQ number.
+ The ACK number is the next number after host A's SYN sequence number, so we
represent it with "x+1". It means "I received your part. Now send me the next part (x + 1)".
The SYN-ACK message indicates that host B agrees to talk to host A (via the ACK part) and asks
whether host A still wants to talk to it as well (via the SYN part).
3. After host A receives the SYN-ACK message from host B, it sends an ACK message
with ACK number "y+1" to host B. This confirms that host A still wants to talk to host B.
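The handshake steps above and the behaviour of the established keyword, as an added constructed Python simulation (not code from the page or from Cisco): it builds the SYN, SYN-ACK and ACK segments with the x/y numbering used in the text, then evaluates each inbound segment against an assumed entry "permit tcp any <inside network> established" followed by the implicit deny. Addresses are documentation ranges, and the run also makes visible that the keyword is stateless: any segment with ACK set matches, not only genuine return traffic.

```python
import ipaddress
from dataclasses import dataclass

# Constructed simulation of the "established" keyword of an extended ACL.
# Addresses are documentation ranges; the ACL below is assumed, not from the page.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MASK = 0xFFFFFFFF                     # sequence/ack numbers are 32-bit


@dataclass(frozen=True)
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int
    ack: int

    def flag_names(self) -> str:
        names = [n for n, bit in (("SYN", SYN), ("ACK", ACK), ("RST", RST), ("FIN", FIN))
                 if self.flags & bit]
        return "+".join(names) or "none"


def three_way_handshake(host_a, host_b, x, y, sport=40000, dport=80):
    """The three segments from the text: SYN(seq=x), SYN-ACK(seq=y, ack=x+1),
    ACK(seq=x+1, ack=y+1). Arithmetic wraps at 2^32 like real TCP."""
    return [
        TcpSegment(host_a, host_b, sport, dport, SYN, x, 0),
        TcpSegment(host_b, host_a, dport, sport, SYN | ACK, y, (x + 1) & SEQ_MASK),
        TcpSegment(host_a, host_b, sport, dport, ACK, (x + 1) & SEQ_MASK, (y + 1) & SEQ_MASK),
    ]


def matches_established(seg: TcpSegment) -> bool:
    """'established' matches when ACK or RST is set, whatever the ports are."""
    return bool(seg.flags & (ACK | RST))


def inbound_decision(seg: TcpSegment, inside_net) -> str:
    """Assumed inbound ACL on the outside interface:
         permit tcp any <inside_net> established
       and then the implicit deny."""
    if ipaddress.ip_address(seg.dst) in inside_net and matches_established(seg):
        return "permit"
    return "deny"


def run_scenarios(inside_cidr="10.1.1.0/24") -> dict:
    """Returns {label: decision} for every segment that arrives inbound
    (destination inside) in two sessions: one opened from inside, one from outside."""
    inside = ipaddress.ip_network(inside_cidr)
    results = {}
    # 1) an inside host opens a session to an outside web server; x chosen so that
    #    x+1 wraps around to 0
    for seg in three_way_handshake("10.1.1.5", "203.0.113.9", x=0xFFFFFFFF, y=1000):
        if ipaddress.ip_address(seg.dst) in inside:      # only inbound segments hit the ACL
            results["inside-initiated " + seg.flag_names()] = inbound_decision(seg, inside)
    # 2) an outside host tries to open a session to an inside host. The SYN is
    #    denied; the bare ACK would be permitted, which is why 'established' is a
    #    weak substitute for a stateful inspection feature such as reflexive ACLs.
    for seg in three_way_handshake("198.51.100.7", "10.1.1.5", x=5000, y=6000):
        if ipaddress.ip_address(seg.dst) in inside:
            results["outside-initiated " + seg.flag_names()] = inbound_decision(seg, inside)
    return results
```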
Question 10
Which type of access list allows granular session filtering for upper-level protocols?
Answer: C
Explanation
Reflexive access lists provide filtering on upper-layer IP protocol sessions. They contain
temporary entries that are automatically created when a new IP session begins. They are
nested within extended, named IP access lists that are applied to an interface. Reflexive
access lists are typically configured on border routers, which pass traffic between an internal
and external network. These are often firewall routers. Reflexive access lists do not end with
an implicit deny statement because they are nested within an access list and the subsequent
statements need to be examined.
Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-
1s/sec-access-list-ov.html
Question 11
Answer: A
Explanation
The command "ipv6 traffic-filter access-list-name { in | out }" applies the access list to
incoming or outgoing traffic on the interface.
Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swv6acl.html
Question 12
A. IP access-lists without at least one deny statement permit all traffic by default.
B. Extended access-lists must include port numbers.
C. They support wildcard masks to limit the address bits to which entries are applied.
D. Entries are applied to traffic in the order in which they appear.
E. They end with an implicit permit.
Answer: C D
Question 13
Which option is the minimum logging level that displays a log message when an ACL drops
an incoming packet?
A. Level 6
B. Level 5
C. Level 7
D. Level 3
Answer: A
Explanation
When the ACL logging feature is configured, the system monitors ACL flows and logs
dropped packets and statistics for each flow that matches the deny conditions of the ACL
entry.
The log and log-input options apply to an individual ACE and cause packets that match the
ACE to be logged. The sample below illustrates the initial message and periodic updates sent
by an IOS device with a default configuration using the log ACE option.
Reference: https://www.cisco.com/c/en/us/about/security-center/access-control-list-
logging.html
From the example above we can see that when an ACL drops a packet, it generates a level 6
syslog message (the %SEC-6- prefix).
Point-to-Point Protocol
https://www.digitaltut.com/point-to-point-protocol
Question 1
A. MS CHAP
B. CDPCP
C. CHAP
D. PAP
Answer: D
Explanation
Password Authentication Protocol (PAP) is a very basic two-way process. The username and
password are sent in plain text, there is no encryption or protection. If it is accepted, the
connection is allowed. The configuration below shows how to configure PAP on two routers:
R1(config)#username R2 password digitaltut1
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication PAP
R1(config-if)#ppp pap sent-username R1 password digitaltut2

R2(config)#username R1 password digitaltut2
R2(config)#interface s0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication PAP
R2(config-if)#ppp pap sent-username R2 password digitaltut1
Note: The PAP "sent-username" and password that each router sends must match those
specified with the "username ... password ..." command on the other router.
Question 2
Which type of handshake does CHAP authentication use to establish a PPP link?
A. one-way
B. two-way
C. three-way
D. four-way
Answer: C
Explanation
1. When a client contacts a server that uses CHAP, the server (called the authenticator)
responds by sending the client a simple text message (sometimes called the challenge text).
This text is not secret and it does not matter if anyone intercepts it.
2. The client then takes this information and encrypts it using its password, which is shared
by both the client and the server. The encrypted text is then returned to the server.
3. The server has the same password and uses it as a key to encrypt the information it
previously sent to the client. It compares its result with the encrypted result sent by the
client. If they are the same, the client is assumed to be authentic.
Question 3
A. WAP
B. PAP
C. CHAP
D. EAP
E. RADIUS
Answer: B C
Question 4
In which form does PAP authentication send the username and password across the link?
A. Encrypted
B. Password protected
C. Clear text
D. Hashed
Answer: C
Explanation
PPP supports two authentication protocols: Password Authentication Protocol (PAP) and
Challenge Handshake Authentication Protocol (CHAP). PAP authentication involves a two-
way handshake where the username and password are sent across the link in clear text. For
more information about PPP Authentication methods, please read Point to Point Protocol
(PPP) Tutorial
Question 5
Answer: B C
Question 6
Which two debug commands can you use to view issues with CHAP and PAP authentication?
(Choose two)
A. debug tacacs
B. debug ppp authentication
C. debug radius
D. debug aaa authentication
E. debug ppp negotiation
Answer: B E
Question 7
Which value does a Cisco router use as its default username for CHAP authentication?
Answer: A
PPPoE Questions
https://www.digitaltut.com/pppoe-questions
Question 1
Answer: D
Explanation
PPPoE provides a standard method of employing the authentication methods of the Point-to-
Point Protocol (PPP) over an Ethernet network. When used by ISPs, PPPoE allows
authenticated assignment of IP addresses. In this type of implementation, the PPPoE client
and server are interconnected by Layer 2 bridging protocols running over a DSL or other
broadband connection.
Question 2
A. PPP options are negotiated and authentication is not performed. Once the link setup is
completed, PPPoE functions as a Layer 3 encapsulation method that allows data to be
transferred over the PPP link within PPPoE headers.
B. PPP options are not negotiated and authentication is performed. Once the link setup is
completed, PPPoE functions as a Layer 4 encapsulation method that allows data to be
transferred over the PPP link within PPPoE headers.
C. PPP options are automatically enabled and authorization is performed. Once the link setup
is completed, PPPoE functions as a Layer 2 encapsulation method that allows data to be
encrypted over the PPP link within PPPoE headers.
D. PPP options are negotiated and authentication is performed. Once the link setup is
completed, PPPoE functions as a Layer 2 encapsulation method that allows data to be
transferred over the PPP link within PPPoE headers.
Answer: D
Explanation
PPP Session Phase: In this phase, PPP options are negotiated and authentication is
performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation
method, allowing data to be transferred over the PPP link within PPPoE headers.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-
vpn-cli/vpn-pppoe.html
Question 3
A corporate policy requires PPPoE to be enabled and to maintain a connection with the ISP,
even if no interesting traffic exists. Which feature can be used to accomplish this task?
A. TCP Adjust
B. Dialer Persistent
C. PPPoE Groups
D. half-bridging
E. Peer Neighbor Route
Answer: B
Explanation
The "dialer persistent" command (under interface configuration mode) allows a dial-on-
demand routing (DDR) dialer profile connection to be brought up without being triggered by
interesting traffic. When configured, the dialer persistent command starts a timer when the
dialer interface starts up and starts the connection when the timer expires. If interesting traffic
arrives before the timer expires, the connection is still brought up and set as persistent. An
example configuration is shown below:
interface Dialer1
ip address 12.12.12.1 255.255.255.0
encapsulation ppp
dialer-pool 1
dialer persistent
Question 4
Prior to enabling PPPoE in a virtual private dialup network group, which task must be
completed?
Answer: B
Explanation
The "vpdn enable" command is used to enable virtual private dialup networking (VPDN) on
the router and inform the router to look for tunnel definitions in a local database and on a
remote authorization server (home gateway). The remaining steps are: configure the
VPDN group; configure the virtual-template; create the IP pools.
Question 5
A network engineer has been asked to ensure that the PPPoE connection is established and
authenticated using an encrypted password. Which technology, in combination with PPPoE,
can be used for authentication in this manner?
A. PAP
B. dot1x
C. IPsec
D. CHAP
E. ESP
Answer: D
Explanation
Three authentication methods can be used to authenticate a PPPoE connection: PAP, CHAP
and MS-CHAP. CHAP and MS-CHAP are challenge-response protocols that never send the
password across the link, while PAP sends it in clear text.
Note: PAP authentication involves a two-way handshake where the username and password
are sent across the link in clear text; hence, PAP authentication does not provide any
protection against playback and line sniffing.
With CHAP, the server (authenticator) sends a challenge to the remote access client. The
client uses a hash algorithm (also known as a hash function) to compute a Message Digest 5
(MD5) hash result based on the challenge and a hash result computed from the user's
password. The client sends the MD5 hash result to the server. The server, which also has
access to the hash result of the user's password, performs the same calculation using the hash
algorithm and compares the result to the one sent by the client. If the results match, the
credentials of the remote access client are considered authentic. A hash algorithm is a
one-way function, which means that calculating the hash result for a data block is easy, but
determining the original data block from the hash result is computationally infeasible. Note
that "encrypted" here means the password itself is never transmitted, not that the PPP
session is encrypted; a fresh, unpredictable challenge on every exchange is what prevents a
sniffed response from being replayed.
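The CHAP and PAP exchanges described above, as an added Python example (not code from the page or from Cisco). It follows RFC 1994, where the client hashes the shared secret directly as MD5(Identifier || secret || Challenge); the shared secret, identifier and challenge lengths are constructed for the demonstration, and the PAP packet builder is there only to show that the password goes on the wire unchanged.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed shared secret for this demonstration (an assumption, not taken from the page).
SHARED_SECRET = b"pppoe-demo-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself never leaves the host; only this 16-byte digest is sent."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Authenticator side. The challenge must be fresh and unpredictable:
    if it repeats, a sniffed response can simply be replayed."""
    return os.urandom(length)


def verify_response(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request payload: Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Nothing is hashed, so the password is readable on the wire."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def run_chap_exchange(secret: bytes = SHARED_SECRET, identifier: int = 1,
                      challenge: Optional[bytes] = None) -> Tuple[bytes, bytes, bool]:
    """Simulate both ends of one CHAP exchange.
    Returns (challenge sent by the server, response sent by the client, server verdict)."""
    if challenge is None:
        challenge = new_challenge()
    response = chap_response(identifier, secret, challenge)      # client
    ok = verify_response(identifier, secret, challenge, response)  # server
    return challenge, response, ok


if __name__ == "__main__":
    challenge, response, ok = run_chap_exchange()
    print("CHAP challenge:", challenge.hex())
    print("CHAP response :", response.hex(), "accepted:", ok)
    print("PAP request   :", pap_authenticate_request(b"user", b"s3cret"))
```

Running it shows the practical difference: the PAP bytes contain the literal password, while the CHAP bytes contain only a digest that is useless without the secret and changes with every challenge.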
Question 6
Answer: C
Explanation
A PPPoE session is initiated by the PPPoE client. If the session has a timeout or is
disconnected, the PPPoE client will immediately attempt to reestablish the session. The
following four steps describe the exchange of packets that occurs when a PPPoE client
initiates a PPPoE session:
1. The client broadcasts a PPPoE Active Discovery Initiation (PADI) packet.
2. When the access concentrator receives a PADI that it can serve, it replies by sending a
PPPoE Active Discovery Offer (PADO) packet to the client.
3. Because the PADI was broadcast, the host may receive more than one PADO packet. The
host looks through the PADO packets it receives and chooses one. The choice can be based
on the access concentrator name or on the services offered. The host then sends a single
PPPoE Active Discovery Request (PADR) packet to the access concentrator that it has
chosen.
4. The access concentrator responds to the PADR by sending a PPPoE Active Discovery
Session-confirmation (PADS) packet. At this point a virtual access interface is created that
will then negotiate PPP, and the PPPoE session will run on this virtual access.
If a client does not receive a PADO for a preceding PADI, the client sends out a PADI at
predetermined intervals. That interval is doubled for every successive PADI that does not
evoke a response, until the interval reaches a configured maximum.
If PPP negotiation fails or the PPP line protocol is brought down for any reason, the PPPoE
session and the virtual access will be brought down. When the PPPoE session is brought
down, the client waits for a predetermined number of seconds before trying again to establish
a PPPoE.
Reference: http://www.cs.vsb.cz/grygarek/TPS/DSL/pppoe_client.pdf
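The four-step discovery exchange above (PADI, PADO, PADR, PADS) as an added Python example, not code from the page or from Cisco. It builds and parses RFC 2516 discovery frames, runs a client against two simulated access concentrators and picks one by AC-Name, and models the doubling PADI retry interval. The MAC addresses, AC names, session IDs and the AC-Cookie values are constructed for the demonstration; the client deliberately ignores any PADO that does not echo its own Host-Uniq tag and any PADS with session ID 0.

```python
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
BROADCAST_MAC = b"\xff" * 6
PPPOE_VER_TYPE = 0x11  # version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = (
    0x0000, 0x0101, 0x0102, 0x0103, 0x0104)


def build_discovery(src, dst, code, session_id, tags):
    """Ethernet header + 6-byte PPPoE header + TLV tags (RFC 2516 section 4)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + header + payload


def parse_discovery(frame):
    """Strict parser: rejects the wrong EtherType or version and any truncated tag."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    tags, off = {}, 0
    while off + 4 <= length:
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("truncated tag")
        off += 4 + tag_len
        if tag_type == TAG_END_OF_LIST:
            break
        tags[tag_type] = value
    return {"dst": frame[0:6], "src": frame[6:12], "code": code,
            "session_id": session_id, "tags": tags}


def access_concentrator(ac_name, ac_mac, session_id):
    """Returns a handler that answers a PADI with PADO and a valid PADR with PADS.
    The AC-Cookie is a constructed stand-in for the unguessable value a real AC would use."""
    cookie = b"cookie-for-" + ac_name

    def handle(frame):
        msg = parse_discovery(frame)
        echo = [(TAG_HOST_UNIQ, msg["tags"][TAG_HOST_UNIQ])] if TAG_HOST_UNIQ in msg["tags"] else []
        service = [(TAG_SERVICE_NAME, msg["tags"].get(TAG_SERVICE_NAME, b""))]
        if msg["code"] == PADI and msg["dst"] == BROADCAST_MAC:          # step 2: offer
            return build_discovery(ac_mac, msg["src"], PADO, 0,
                                   service + [(TAG_AC_NAME, ac_name), (TAG_AC_COOKIE, cookie)] + echo)
        if msg["code"] == PADR and msg["dst"] == ac_mac and msg["tags"].get(TAG_AC_COOKIE) == cookie:
            return build_discovery(ac_mac, msg["src"], PADS, session_id, service + echo)  # step 4
        return None  # anything else is ignored

    return handle


def client_discovery(client_mac, concentrators, preferred_ac, host_uniq=b"\x00\x01"):
    """Steps 1-4 from the client's side. Returns (chosen AC-Name, session id) or None."""
    padi = build_discovery(client_mac, BROADCAST_MAC, PADI, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    offers = []
    for ac in concentrators:  # the broadcast reaches every AC on the segment
        reply = ac(padi)
        if reply is None:
            continue
        msg = parse_discovery(reply)
        # accept only PADOs addressed to us that echo our Host-Uniq; drop stray or forged offers
        if msg["code"] == PADO and msg["dst"] == client_mac and msg["tags"].get(TAG_HOST_UNIQ) == host_uniq:
            offers.append((ac, msg))
    if not offers:
        return None
    # step 3: choose by AC-Name, falling back to the first offer
    ac, offer = next(((a, m) for a, m in offers if m["tags"].get(TAG_AC_NAME) == preferred_ac), offers[0])
    padr = build_discovery(client_mac, offer["src"], PADR, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq),
                            (TAG_AC_COOKIE, offer["tags"][TAG_AC_COOKIE])])
    reply = ac(padr)
    if reply is None:
        return None
    pads = parse_discovery(reply)
    if pads["code"] != PADS or pads["session_id"] == 0:  # session id 0 is never a valid session
        return None
    return offer["tags"][TAG_AC_NAME], pads["session_id"]


def padi_retry_intervals(initial, maximum, attempts):
    """Interval doubles for every unanswered PADI until it reaches the configured maximum."""
    out, interval = [], initial
    for _ in range(attempts):
        out.append(interval)
        interval = min(interval * 2, maximum)
    return out
```

Because PADI is a broadcast, anything on the segment can answer it; the Host-Uniq check and the AC-Cookie round trip are the only things tying an offer to the request that produced it, which is why the client above refuses offers that do not carry them.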
Question 7
A. This configuration is incorrect because the MTU must match the ppp-max-payload that is
defined.
B. This configuration is incorrect because the dialer interface number must be the same as the
dialer pool number.
C. This configuration is missing an IP address on the dialer interface.
D. This configuration represents a complete PPPoE client configuration on an Ethernet
connection.
Answer: D
Question 8
A. pppoe-client dial-pool-number
B. PPPoE enable
C. interface dialer 1
D. encapsulation PPP
Answer: A
Question 9
Which command instructs a PPPoE client to obtain its IP address from the PPPoE server?
A. interface dialer
B. ip address negotiated
C. pppoe enable
D. ip address dhcp
E. ip address dynamic
Answer: B
Explanation
Question 10
Answer: A B
Explanation
According to this link: http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html
In the above link there is a topology that shows "DMVPN Access to Multiple Hosts from the
Same PPPoE Client" -> Answer B is correct.
Question 11
Which DSL encapsulation method requires client software running on the end-user PC that is
directly connected to a DSL modem?
A. PPPoA
B. PPPoE
C. PPP
D. L2TP
E. ATM
Answer: B
Question 12
Which two commands do you need to implement on a router to support PPPoE client?
Answer: B E
Question 1
Answer: C
Explanation
The command "show ip cef" is used to display the CEF Forwarding Information Base (FIB)
table. Some entries deserve explanation:
+ If the "Next Hop" field of a network prefix is set to receive, the entry represents an IP
address on one of the router's interfaces. In this case, 192.168.201.2 and 192.168.201.31 are
IP addresses assigned to interfaces on the local router.
+ If the "Next Hop" field of a network prefix is set to attached, the entry represents a
network to which the router is directly attached. In this case the prefix 192.168.201.0/27 is a
network directly attached to router R2's Fa0/0 interface.
Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
Question 2
Answer: A
Explanation
The "show adjacency" command is used to display information about the Cisco Express
Forwarding adjacency table or the hardware Layer 3-switching adjacency table.
Note: Two nodes in the network are considered adjacent if they can reach each other using
only one hop.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/17812-cef-
incomp.html
Question 3
Which switching method is used when entries are present in the output of the command show
ip cache?
A. fast switching
B. process switching
C. Cisco Express Forwarding switching
D. cut-through packet switching
Answer: A
Explanation
The "show ip cache" command displays the contents of a router's fast cache. An example of
the output of this command is shown below:
Note: If CEF is disabled and fast switching is enabled, the router begins to populate its fast
cache.
Question 4
How does an IOS router process a packet that should be switched by Cisco Express
Forwarding without an FIB entry?
Answer: B
Question 5
At which layer does Cisco Express Forwarding use adjacency tables to populate addressing
information?
A. Layer 4
B. Layer 2
C. Layer 1
D. Layer 3
Answer: B
Explanation
Cisco Express Forwarding (CEF) provides the ability to switch packets through a device in a
very quick and efficient way while also keeping the load on the router's processor low. CEF
is made up of two different main components: the Forwarding Information Base (FIB) and
the Adjacency Table. These are automatically updated at the same time as the routing table.
The adjacency table is tasked with maintaining the layer 2 next-hop information for the FIB.
Question 6
A network administrator creates a static route that points directly to a multi-access interface,
instead of the next-hop IP address. The administrator notices that Cisco Express Forwarding
ARP requests are being sent to all destinations. Which issue might this configuration create?
Answer: C
Explanation
The explanation of this question is too lengthy so we recommend to read this article:
http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/26083-trouble-cef.html
Question 7
Refer to exhibit. What is indicated by the show ip cef command for an address?
A. CEF is unable to get routing information for this route.
B. CEF cannot switch packet for this route and passes it to the next best switching method.
C. A valid entry and is pointed to hardware based forwarding.
D. CEF cannot switch packet for this route and drops it.
Answer: B
Explanation
Glean adjacency: when the router is directly connected to hosts, the FIB holds a prefix for the
connected subnet rather than one entry per host, and that subnet prefix points to a glean
adjacency. A packet that hits a glean adjacency needs a Layer 2 rewrite that CEF does not yet
have, so the packet is handed to the process path to trigger ARP for the host; once the ARP
reply arrives, a host-specific entry with a complete adjacency is installed and later packets to
that host are CEF switched.
Punt adjacency: when packets to a destination prefix cannot be CEF switched, or the feature
is not supported in the CEF switching path, the router uses the next slower switching
mechanism configured on the router (fast switching or process switching).
Question 8
A. adjacency table
B. RIB
C. dCEF
D. fast switching
E. FIB
Answer: A
Explanation
Nodes in the network are said to be adjacent if they can reach each other with a single hop
across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2
addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB
entries.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.
html
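The FIB and adjacency table relationship described in Questions 1, 7 and 8 above, as an added Python model (not code from the page or from Cisco IOS). It does a longest-prefix match over a small FIB and then consults an adjacency table keyed by (next hop, interface) to decide whether a packet is received locally, forwarded with a Layer 2 rewrite, gleaned (ARP needed), or dropped. The prefixes, interface names and MAC addresses are constructed for the demonstration and only reuse the 192.168.201.0/27 example from Question 1.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FibEntry:
    prefix: ipaddress.IPv4Network
    kind: str                      # "receive", "attached", "via" or "drop"
    interface: Optional[str] = None
    next_hop: Optional[ipaddress.IPv4Address] = None


class Fib:
    """Longest-prefix-match table, like the prefixes listed by 'show ip cef'."""

    def __init__(self):
        self.entries = []

    def add(self, prefix, kind, interface=None, next_hop=None):
        self.entries.append(FibEntry(ipaddress.ip_network(prefix), kind, interface,
                                     ipaddress.ip_address(next_hop) if next_hop else None))
        self.entries.sort(key=lambda e: e.prefix.prefixlen, reverse=True)  # longest first

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        return next((e for e in self.entries if dst in e.prefix), None)


def cef_switch(fib, adjacency, dst):
    """Decide what CEF does with a packet to dst.
    adjacency maps (next-hop IP, interface) -> next-hop MAC, i.e. the adjacency table."""
    entry = fib.lookup(dst)
    if entry is None or entry.kind == "drop":
        return ("drop", None)          # no matching prefix (and no default route), or Null0
    if entry.kind == "receive":
        return ("receive", None)       # one of our own addresses: hand to the local IP stack
    # on an attached network the next hop is the destination host itself
    next_hop = ipaddress.ip_address(dst) if entry.kind == "attached" else entry.next_hop
    mac = adjacency.get((next_hop, entry.interface))
    if mac is None:
        return ("glean", next_hop)     # no L2 rewrite yet: ARP for next_hop, then install
    return ("forward", (entry.interface, mac))


def demo():
    fib = Fib()
    fib.add("192.168.201.0/27", "attached", "Fa0/0")
    fib.add("192.168.201.2/32", "receive")
    fib.add("10.0.0.0/8", "via", "Fa0/0", "192.168.201.30")
    fib.add("10.1.0.0/16", "drop")     # e.g. a static route to Null0
    adjacency = {(ipaddress.ip_address("192.168.201.30"), "Fa0/0"): "00aa.bbcc.dd30"}
    targets = ["192.168.201.2", "192.168.201.5", "10.2.3.4", "10.1.2.3", "172.16.0.1"]
    return {dst: cef_switch(fib, adjacency, dst) for dst in targets}


if __name__ == "__main__":
    for dst, verdict in demo().items():
        print(dst, "->", verdict)
```

The host 192.168.201.5 illustrates the glean case from Question 7: the /27 is in the FIB, but until ARP resolves that host there is no rewrite, so the packet cannot be switched in the CEF path.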
Question 9
A. Tunnel
B. Universal
C. Include-ports
D. Source
E. Destination
Answer: A B C
Question 1
Which protocol uses dynamic address mapping to request the next-hop protocol address for a
specific connection?
Answer: A
Explanation
A normal (Ethernet) ARP request knows the Layer 3 address (IP) and asks for the Layer 2
address (MAC). Frame Relay Inverse ARP, on the other hand, knows the Layer 2 address
(DLCI) and asks for the Layer 3 address (IP), hence "Inverse". For a detailed explanation of
Inverse ARP requests please read our Frame Relay tutorial, Part 2.
Question 2
What is the default OSPF hello interval on a Frame Relay point-to-point network?
A. 10
B. 20
C. 30
D. 40
Answer: A
Explanation
"Frame Relay point-to-point" network here means Frame Relay subinterfaces running in
point-to-point mode. Frame Relay subinterfaces can run in two modes:
+ Point-to-Point: When a Frame Relay point-to-point subinterface is configured, the
subinterface emulates a point-to-point network and OSPF treats it as a point-to-point network
type.
+ Multipoint: When a Frame Relay multipoint subinterface is configured, OSPF treats this
subinterface as an NBMA network type.
The default OSPF hello and dead intervals depend on the network type: 10 and 40 seconds on
broadcast and point-to-point networks, 30 and 120 seconds on NBMA and
point-to-multipoint networks.
Therefore the default OSPF hello interval on a Frame Relay point-to-point network is 10
seconds.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13693-22.html
Question 3
A company has its headquarters located in a large city with a T3 Frame Relay link that
connects 30 remote locations that each have T1 Frame Relay connections. Which technology
must be configured to prevent remote sites from getting overwhelmed with traffic and
prevent packet drops from the headquarters?
A. traffic shaping
B. IPsec VPN
C. GRE VPN
D. MPLS
Answer: A
Explanation
Reference: http://www.cisco.com/c/en/us/support/docs/wan/frame-relay/6151-traffic-
shaping-6151.html
Question 4
On which two types of interface is Frame Relay switching supported? (Choose two)
A. serial interfaces
B. Ethernet interfaces
C. fiber interfaces
D. ISDN interfaces
E. auxiliary interfaces
Answer: A D
Question 5
In which two ways can split horizon issues be overcome in a Frame Relay network
environment? (choose two)
A. Configuring one physical serial interface with Frame Relay to various remote sites.
B. Configure a loopback interface with Frame Relay to various remote sites.
C. Configuring multiple subinterfaces on a single physical interface to various remote sites.
D. Enabling split horizon.
E. Disabling split horizon.
Answer: C E
Question 6
Router 1 cannot ping router 2 via the Frame Relay between them. Which two statements
describe the problems? (Choose two)
A. Encapsulation is mismatched.
B. Frame Relay map is configured.
C. DLCI is active.
D. DLCI is inactive or deleted.
E. An access list is needed to allow ping.
Answer: A D
Question 7
How should a router that is being used in a Frame Relay network be configured to keep split
horizon issues from preventing routing updates?
A. Configure a separate subinterface for each PVC with a unique DLCI and subnet assigned
to the subinterface.
B. Configure each Frame Relay circuit as a point-to-point line to support multicast and
broadcast traffic.
C. Configure many subinterfaces in the same subnet.
D. Configure a single subinterface to establish multiple PVC connections to multiple remote
router interfaces.
Answer: A
Explanation
Each subinterface is treated like a physical interface so split horizon issues are overcome.
Question 8
Which value does Frame Relay use to identify a connection between a DTE and DCE?
A. DLCI
B. IP address
C. MAC address
D. VLAN ID
Answer: A
Explanation
Frame Relay uses data-link connection identifiers (DLCIs) to build logical circuits. The
identifiers have local significance only: their values are unique per router, but not
necessarily on the other routers. For example, there is only one DLCI 23 representing the
connection from HeadQuarter to Branch 1 and only one DLCI 51 from HeadQuarter to
Branch 2. Branch 1 can use the same DLCI 23 to represent the connection from it to
HeadQuarter. Of course it can use other DLCIs as well because DLCIs are only locally
significant.
By including a DLCI number in the Frame Relay header, HeadQuarter can communicate with
both Branch 1 and Branch 2 over the same physical circuit.
Question 9
Which two statements about configuring Frame Relay point-to-multipoint connections are
true? (Choose two)
Answer: D E
Explanation
Question 10
Which two statements about Frame Relay LMI autosense are true on a router? (Choose two)
Answer: B D
Explanation
GRE Tunnel
https://www.digitaltut.com/gre-tunnel
Question 1
Refer to the exhibit. After configuring GRE between two routers running OSPF that are
connected to each other via a WAN link, a network engineer notices that the two routers
cannot establish the GRE tunnel to begin the exchange of routing updates. What is the reason
for this?
A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 57.
Answer: A
Explanation
Question 2
An engineer is configuring a GRE tunnel interface in the default mode. The engineer has
assigned an IPv4 address on the tunnel and sourced the tunnel from an Ethernet interface.
Which option also is required on the tunnel interface before it is operational?
Answer: A
Explanation
interface Tunnel 0
ip address 10.10.10.1 255.255.255.0
tunnel source fa0/0
tunnel destination 172.16.0.2
In this case the "IPv4 address on the tunnel" is 10.10.10.1/24 and "sourced the tunnel from an
Ethernet interface" is the command "tunnel source fa0/0". Therefore it only needs a tunnel
destination, which is 172.16.0.2.
Note: A multiple GRE (mGRE) interface does not require a tunnel destination address.
Question 3
When the tunnel interface is configured in default mode, which statement about routers and
the tunnel destination address is true?
A. The router must have a route installed towards the tunnel destination
B. The router must have wccp redirects enabled inbound from the tunnel destination
C. The router must have cisco discovery protocol enabled on the tunnel to form a CDP
neighborship with the tunnel destination
D. The router must have redirects enabled outbound towards the tunnel destination
Answer: A
Explanation
The tunnel interface is configured in default mode means the tunnel has been configured as a
point-to-point (P2P) GRE tunnel. Normally, a P2P GRE Tunnel interface comes up (up/up
state) as soon as it is configured with a valid tunnel source address or interface which is up
and a tunnel destination IP address which is routable.
Under normal circumstances, there are only three reasons for a GRE tunnel to be in the
up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in
recursion.
Therefore if a route towards the tunnel destination has not been configured then the tunnel is
stuck in up/down state.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html
Question 4
A network engineer has configured GRE between two IOS routers. The state of the tunnel
interface is continuously oscillating between up and down. What is the solution to this
problem?
A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable
Answer: A
Explanation
In this question only answer A is a reasonable answer. A GRE tunnel that keeps flapping is
usually a recursive routing problem: the route to the tunnel destination is learned through
the tunnel itself (for example, the remote WAN subnet is advertised by OSPF across the
tunnel). As soon as the tunnel comes up the router installs that route, detects that the tunnel
destination is now reached via the tunnel, shuts the tunnel down, the route disappears, and
the tunnel comes up again. A more specific static route to the remote tunnel destination via
the physical (WAN) path keeps the tunnel destination reachable outside the tunnel and stops
the oscillation.
Question 5
Which two GRE features can you configure to prevent fragmentation? (Choose two)
A. TCP MSS
B. DF Bit Clear
C. IP MTU
D. PMTUD
E. MTU ignore
F. UDP window sizes
Answer: A D
Explanation
The IP protocol was designed for use on a wide variety of transmission links. Although the
maximum length of an IP datagram is 65535, most transmission links enforce a smaller
maximum packet length limit, called an MTU. The value of the MTU depends on the type of
the transmission link. The design of IP accommodates MTU differences since it allows
routers to fragment IP datagrams as necessary. The receiving station is responsible for the
reassembly of the fragments back into the original full size IP datagram.
The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a
host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be
fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN
segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to
popular belief, the MSS value is not negotiated between hosts. The sending host is required to
limit the size of data in a single TCP segment to a value less than or equal to the MSS
reported by the receiving host.
TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does
not handle the case where there is a smaller MTU link in the middle between these two
endpoints. PMTUD was developed in order to avoid fragmentation in the path between the
endpoints. It is used to dynamically determine the lowest MTU along the path from a
packet's source to its destination.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/25885-pmtud-ipfrag.html (the document contains worked examples of how TCP MSS
avoids IP fragmentation; they are too long to reproduce here)
Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.
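GRE encapsulation and the MTU arithmetic behind the question above, as an added Python example (not code from the page or from Cisco). It builds a plain GRE packet (20-byte outer IPv4 header plus the 4-byte GRE header, IP protocol 47), copies the inner DF bit to the outer header the way a PMTUD-friendly tunnel does, and shows what happens at a 1500-byte egress link: a full-size inner packet no longer fits, so the sender must either fragment it or get an ICMP "fragmentation needed" back. The addresses and payload are constructed; the helper values of 1476 (tunnel ip mtu) and 1436 (TCP MSS) simply follow from the header sizes.

```python
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800
IPV4_HDR_LEN, GRE_HDR_LEN, TCP_HDR_LEN = 20, 4, 20
DF_FLAG = 0x4000


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool, ident: int = 0) -> bytes:
    flags_frag = DF_FLAG if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len, ident, flags_frag,
                      255, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str, copy_df: bool = True) -> bytes:
    """Plain GRE (no key/sequence): flags 0, protocol type 0x0800, then the inner packet.
    Copying the inner DF bit outward is what lets PMTUD work through the tunnel."""
    inner_df = bool(struct.unpack("!H", inner_packet[6:8])[0] & DF_FLAG)
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, GRE_HDR_LEN + len(inner_packet),
                        df=inner_df if copy_df else False)
    return outer + gre + inner_packet


def gre_decapsulate(outer_packet: bytes) -> bytes:
    if outer_packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE (IP protocol 47)")
    if ipv4_checksum(outer_packet[:IPV4_HDR_LEN]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, proto = struct.unpack("!HH", outer_packet[IPV4_HDR_LEN:IPV4_HDR_LEN + GRE_HDR_LEN])
    if flags != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE header")
    return outer_packet[IPV4_HDR_LEN + GRE_HDR_LEN:]


def link_verdict(packet: bytes, link_mtu: int) -> str:
    """What the physical egress interface does with the encapsulated packet."""
    if len(packet) <= link_mtu:
        return "sent"
    df = struct.unpack("!H", packet[6:8])[0] & DF_FLAG
    return "icmp-fragmentation-needed" if df else "fragmented"


def tunnel_ip_mtu(link_mtu: int) -> int:
    return link_mtu - IPV4_HDR_LEN - GRE_HDR_LEN        # 1476 for a 1500-byte link


def tunnel_tcp_mss(ip_mtu: int) -> int:
    return ip_mtu - IPV4_HDR_LEN - TCP_HDR_LEN          # 1436 for ip mtu 1476


def demo(link_mtu: int = 1500):
    # constructed full-size inner packet with DF set, as a LAN host doing PMTUD would send it
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 6, 1480, df=True) + b"\x00" * 1480
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    return len(outer), link_verdict(outer, link_mtu)


if __name__ == "__main__":
    print("encapsulated length and verdict:", demo())
    print("tunnel ip mtu:", tunnel_ip_mtu(1500), "tcp adjust-mss:", tunnel_tcp_mss(tunnel_ip_mtu(1500)))
```

Setting the tunnel's IP MTU to 1476 makes the router fragment or signal at the tunnel rather than on the physical link, and clamping the MSS to 1436 removes the problem for TCP altogether; IPsec on top of GRE adds more overhead, which is why real deployments use a lower tunnel MTU and MSS than these bare-GRE numbers.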
Question 6
A. A tunnel can be established when a source the source interface is in the up/down state
B. A tunnel destination must be routable, but it can be unreachable
C. To establish a tunnel the source interface must be a loopback
D. To establish a tunnel the source interface must be up/up state
E. A tunnel destination must be a physical interface that is on up/up state
Answer: B D
Explanation
A valid tunnel destination is one which is routable (which means the destination is present or
there is a default route in the routing table). However, it does not have to be reachable ->
Answer B is correct.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html
For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and
the destination must be routable according to the local routing table.
Question 7
Answer: B
Question 8
Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a
GRE and IPsec tunnel, over the DSL connection, destined for an Enterprise network. Which
of the following answers best describes the router's logic that tells the router, for a given
packet, to apply GRE encapsulation to the packet?
A. When the packet received on the LAN interface is permitted by the ACL listed on the
tunnel gre acl command under the incoming interface
B. When routing the packet, matching a route whose outgoing interface is the GRE tunnel
interface
C. When routing the packet, matching a route whose outgoing interface is the IPsec tunnel
interface
D. When permitted by an ACL that was referenced in the associated crypto map
Answer: B
Question 9
What is a key benefit of using a GRE tunnel to provide connectivity between branch offices
and headquarters?
Answer: C
Explanation
GRE tunnel provides a way to encapsulate any network layer protocol over any other network
layer protocol. GRE allows routers to act as if they have a virtual point-to-point connection to
each other. GRE tunneling is accomplished by creating routable tunnel endpoints that operate
on top of existing physical and/or other logical endpoints. In particular, classic IPsec (crypto
map) protects only unicast IP traffic, so it cannot carry the multicast packets that routing
protocols such as OSPF and EIGRP rely on; a GRE tunnel can carry them, and the two can be
combined (GRE over IPsec) to get both dynamic routing and encryption.
Question 10
A network administrator uses GRE over IPSec to connect two branches together via VPN
tunnel. Which one of the following is the reason for using GRE over IPSec?
A. GRE over IPSec provides better QoS mechanism and is faster than other WAN
technologies.
B. GRE over IPSec decreases the overhead of the header.
C. GRE supports use of routing protocol, while IPSec supports encryption.
D. GRE supports encryption, while IPSec supports use of routing protocol.
Answer: C
Question 11
A. The GRE tunnel source and destination addresses are specified within the IPSec transform
set.
B. An IPSec/GRE tunnel must use IPSec tunnel mode.
C. GRE encapsulation occurs before the IPSec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.
Answer: C
Explanation
When running GRE tunnel over IPSec, a packet is first encapsulated in a GRE packet and
then GRE is encrypted by IPSec -> C is correct.
Question 12
What are the four main steps in configuring a GRE tunnel over IPsec on Cisco routers?
(Choose four)
A. Configure a physical interface or create a loopback interface to use as the tunnel endpoint.
B. Create the GRE tunnel interfaces.
C. Add the tunnel interfaces to the routing process so that it exchanges routing updates across
that interface.
D. Add the tunnel subnet to the routing process so that it exchanges routing updates across
that interface.
E. Add all subnets to the crypto access-list, so that IPsec encrypts the GRE tunnel traffic.
F. Add GRE traffic to the crypto access-list, so that IPsec encrypts the GRE tunnel traffic.
Answer: A B D F
Explanation
1. Create a physical or loopback interface to use as the tunnel endpoint. Using a loopback
rather than a physical interface adds stability to the configuration.
2. Create the GRE tunnel interfaces.
3. Add the tunnel subnet to the routing process so that it exchanges routing updates across
that interface.
4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.
interface Tunnel0
ip address 192.168.16.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 14.38.88.10
tunnel mode gre ip
Note: The last command is the default, so it can be omitted from the configuration.
Question 13
Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel
was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?
A. The crypto isakmp configuration is not correct.
B. The crypto map configuration is not correct.
C. The interface tunnel configuration is not correct.
D. The network configuration is not correct; network 172.16.1.0 is missing
Answer: A
Explanation
The address of the crypto isakmp key (line "crypto isakmp key ******* address 172.16.1.2")
should be 192.168.2.1, not 172.16.1.2 -> A is correct.
Question 14
Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel
was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?
Answer: B
Explanation
The access-list must also support GRE traffic with the "access-list 102 permit gre host
192.168.1.1 host 192.168.2.1" command -> B is correct.
Below is the correct configuration for GRE over IPsec on router B1 along with descriptions.
The interface tunnel configuration is rather simple so I don't post it here.
Question 15
Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel
was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?
A. The crypto isakmp configuration is not correct.
B. The crypto map configuration is not correct.
C. The network 172.16.1.0 is not included in the OSPF process.
D. The interface tunnel configuration is not correct.
Answer: D
Explanation
The "tunnel destination" in interface tunnel should be 192.168.2.1, not 172.16.1.2 -> D is
correct.
DMVPN Questions
https://www.digitaltut.com/dmvpn-questions
Question 1
What does the authoritative flag mean in regards to the NHRP information?
Answer: A
Explanation
From the output we learn that the logical address 10.2.1.2 is mapped to the NBMA address
10.12.1.2. Type "dynamic" means the NBMA address was obtained from an NHRP Request packet.
Type "static" means the NBMA address is statically configured. The "authoritative" flag means
that the NHRP information was obtained from the Next Hop Server (NHS).
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html
Question 2
Answer: A
Explanation
When DMVPN tunnels flap, check the neighborship between the routers as issues with
neighborship formation between routers may cause the DMVPN tunnel to flap. In order to
resolve this problem, make sure the neighborship between the routers is always up.
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-
protocols/29240-dcmvpn.html#Prblm1
Question 3
Which Cisco IOS VPN technology leverages IPsec, mGRE, dynamic routing protocol,
NHRP, and Cisco Express Forwarding?
A. FlexVPN
B. DMVPN
C. GETVPN
D. Cisco Easy VPN
Answer: B
Explanation
For more information about DMVPN, please read our DMVPN tutorial.
Question 4
A company has just opened two remote branch offices that need to be connected to the
corporate network. Which interface configuration output can be applied to the corporate
router to allow communication to the remote sites?
A. interface Tunnel0
bandwidth 1536
ip address 209.165.200.230 255.255.255.224
tunnel source Serial0/0
tunnel mode gre multipoint
B. interface fa0/0
bandwidth 1536
ip address 209.165.200.230 255.255.255.224
tunnel mode gre multipoint
C. interface Tunnel0
bandwidth 1536
ip address 209.165.200.231 255.255.255.224
tunnel source 209.165.201.1
tunnel-mode dynamic
D. interface fa 0/0
bandwidth 1536
ip address 209.165.200.231 255.255.255.224
tunnel source 192.168.161.2
tunnel destination 209.165.201.1
tunnel-mode dynamic
Answer: A
Explanation
To allow communication to multiple sites using only one tunnel interface, we need to
configure that tunnel in "multipoint" mode. Otherwise we have to create many tunnel
interfaces, each of which can only communicate with one site.
Question 5
Which Cisco VPN technology can use multipoint tunnel, resulting in a single GRE tunnel
interface on the hub, to support multiple connections from multiple spoke devices?
A. DMVPN
B. GETVPN
C. Cisco Easy VPN
D. FlexVPN
Answer: A
Explanation
An mGRE tunnel inherits the concept of a classic GRE tunnel, but an mGRE tunnel does not
require a unique tunnel interface for each connection between hub and spoke as traditional
GRE does. One mGRE interface can terminate multiple GRE tunnels from the other ends. Unlike
classic GRE tunnels, the tunnel destination for an mGRE tunnel does not have to be configured,
and all tunnels on spokes connecting to the mGRE interface of the hub can use the same subnet.
For more information about DMVPN, please read our DMVPN tutorial.
Question 6
A network administrator is troubleshooting a DMVPN setup between the hub and the spoke.
Which action should the administrator take before troubleshooting the IPsec configuration?
Answer: A
Explanation
GRE tunnels are the first thing we have to configure to create a DMVPN network so we
should start troubleshooting from there. NHRP can only work properly with operating GRE
tunnels.
Question 7
Answer: D
Question 8
A network engineer is troubleshooting a DMVPN setup between the hub and the spoke. The
engineer executes the command "show crypto isakmp sa" and observes the output that is
displayed. What is the problem?
Answer: B
Explanation
The "show crypto isakmp sa" command displays all current Internet Key Exchange (IKE)
security associations (SAs) at a peer.
QM_IDLE state means this tunnel is UP and the IKE SA key exchange was successful, but is
idle and may be used for subsequent quick mode exchanges. It is in a quiescent state (QM) ->
Answers A, C, D are incorrect so answer B is the only suitable answer left.
Question 9
A network engineer wants to display the statistics of an active tunnel on a DMVPN network.
Which command should the administrator execute to accomplish this task?
Explanation
The DMVPN is comprised of IPsec/GRE tunnels that connect branch offices to the data
center. DMVPN troubleshooting requires the network engineer to verify neighbor links,
routing and VPN peer connectivity. The GRE protocol is required to support routing
advertisements. The VPN peer connection is comprised of IKE and IPsec security association
exchanges.
The command "show crypto ipsec sa" is used to verify IPsec connectivity between branch
office and data center router. We can also use this command to display the statistics of an
active tunnel on a DMVPN network.
Note:
+ The command "show crypto isakmp sa" is used on DMVPN to verify IKE connectivity
status to branch offices. The normal IKE state is QM_IDLE for branch routers and data center
routers.
+ The command "show crypto engine connection active" displays the total encrypts and
decrypts per SA.
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-
protocols/29240-dcmvpn.html
Question 10
Which two phases of DMVPN allow the spoke site to create dynamic tunnels to one other?
(Choose two)
A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4
E. Phase 5
Answer: B C
Question 11
Which two commands configure on a DMVPN hub to enable phase 3? (Choose two)
A. ip nhrp interest
B. ip nhrp redirect
C. ip nhrp shortcut
D. ip network id
E. ip nhrp map
F. ip redirects
Answer: B C
Question 12
A. phase 2
B. phase 4
C. phase 5
D. phase 6
E. phase 1
Answer: A
Explanation
Both DMVPN Phase 2 and phase 3 support spoke to spoke communications (spokes talk to
each other directly). In this case there is only an option of phase 2 (not phase 3) so it is the
only correct answer.
Question 13
A. EIGRP
B. RIPv2
C. OSPF
D. BGP
E. ISIS
Answer: A C D
Explanation
Some documents say RIPv2 also supports DMVPN, but EIGRP, OSPF and BGP are the better
choices so we should choose them.
Question 14
A. IPSec
B. PPTP
C. mGRE
D. NHRP
E. Open VPN
Answer: C D
Explanation
DMVPN combines multipoint GRE (mGRE) tunnels, IPsec encryption and NHRP (Next Hop
Resolution Protocol) to do its job: mGRE lets a single tunnel interface reach many peers, NHRP
provides dynamic discovery of the tunnel endpoints, and together they save the administrator
the need to define multiple static crypto maps and point-to-point tunnels.
Question 15
Question 1
Answer: A
Explanation
It is a general best practice to not mix TCP-based traffic with UDP-based traffic (especially
Streaming-Video) within a single service-provider class because of the behaviors of these
protocols during periods of congestion. Specifically, TCP transmitters throttle back flows
when drops are detected. Although some UDP applications have application-level
windowing, flow control, and retransmission capabilities, most UDP transmitters are
completely oblivious to drops and, thus, never lower transmission rates because of dropping.
When TCP flows are combined with UDP flows within a single service-provider class and
the class experiences congestion, TCP flows continually lower their transmission rates,
potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is
called TCP starvation/UDP dominance.
TCP starvation/UDP dominance is likely to occur if TCP-based applications are assigned to the
same service-provider class as UDP-based applications and the class experiences sustained
congestion.
Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it
is beneficial to be aware of this behavior when making such application-mixing decisions
within a single service-provider class.
Reference:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/Qo
S-SRND-Book/VPNQoS.html
Question 2
Which two actions must you perform to enable and use window scaling on a router? (Choose
two)
Answer: A B
Question 3
Which three TCP enhancements can be used with TCP selective acknowledgments? (Choose
three)
A. header compression
B. explicit congestion notification
C. keepalive
D. time stamps
E. TCP path discovery
F. MTU window
Answer: B C D
Explanation
With normal (cumulative) TCP acknowledgement, when a client requests data the server sends
the first three segments (the name for packets at Layer 4): Segment#1, #2, #3. Suppose
Segment#2 is lost somewhere on the network while Segment#3 still reaches the client. The
client checks Segment#3, realizes Segment#2 is missing, and can only acknowledge that it
received Segment#1 successfully. Because it received Segment#1 and #3 it sends two ACKs for
Segment#1 (duplicate ACKs) to alert the server that it has not received any data beyond
Segment#1. After receiving these ACKs, the server must resend Segment#2 and #3 and wait for
their ACKs.
With TCP Selective Acknowledgement the process is the same until the client realizes
Segment#2 is missing. It still sends ACK#1, but adds a SACK option to indicate that it has
already received Segment#3 (so that segment need not be retransmitted). The server therefore
only needs to resend Segment#2. Notice that after receiving Segment#2 the client sends ACK#3
(not ACK#2), because the cumulative ACK now covers all of the first three segments, and the
server continues with Segment#4, #5, ...
The SACK option is not mandatory; it is used only if both parties advertised it (the
SACK-permitted option) in their SYN segments.
The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to
notify end hosts of impending network congestion. It also provides enhanced support for TCP
sessions associated with applications, such as Telnet, web browsing, and transfer of audio and
video data that are sensitive to delay or packet loss. The benefit of this feature is the reduction
of delay and packet loss in data transmissions. Use the "ip tcp ecn" command in global
configuration mode to enable TCP ECN.
The TCP time-stamp option provides improved TCP round-trip time measurements. Because
the time stamps are always sent and echoed in both directions and the time-stamp value in the
header is always changing, TCP header compression will not compress the outgoing packet.
Use the "ip tcp timestamp" command to enable the TCP time-stamp option.
The TCP Keepalive Timer feature provides a mechanism to identify dead connections.
When a TCP connection on a routing device is idle for too long, the device sends a TCP
keepalive packet to the peer with only the Acknowledgment (ACK) flag turned on. If a
response packet (a TCP ACK packet) is not received after the device sends a specific number
of probes, the connection is considered dead and the device initiating the probes frees
resources used by the TCP connection.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-
3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html
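The SACK, window-scale and time-stamp behaviour described above can be read directly from the TCP option bytes. The following Python is an added example for this page (it is not Cisco code and not part of the original explanation): it parses a constructed TCP header, decodes the MSS, window-scale, SACK-permitted, SACK and timestamp options, applies the window scale to the 16-bit window field, and works out which byte ranges a sender must retransmit from a SACK, using the Segment#1/#2/#3 scenario of the text (500-byte segments, initial sequence number 0, Segment#2 lost). The ports, sequence numbers and timestamp values are constructed for the example.

```python
import struct

# TCP option kinds (IANA registry); only those discussed in the text are decoded.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3
OPT_SACK_PERMITTED, OPT_SACK, OPT_TIMESTAMPS = 4, 5, 8
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def parse_tcp_options(raw):
    """Walk the options area between the fixed 20-byte header and the payload."""
    opts = {"sack_blocks": []}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d for kind %d" % (length, kind))
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            opts["wscale"] = min(body[0], 14)  # RFC 7323: a shift above 14 is treated as 14
        elif kind == OPT_SACK_PERMITTED and length == 2:
            opts["sack_permitted"] = True
        elif kind == OPT_SACK and length >= 10 and (length - 2) % 8 == 0:
            for j in range(0, len(body), 8):  # each block is (left edge, right edge)
                opts["sack_blocks"].append(struct.unpack("!II", body[j:j + 8]))
        elif kind == OPT_TIMESTAMPS and length == 10:
            opts["timestamps"] = struct.unpack("!II", body)  # (TSval, TSecr)
        i += length
    return opts


def parse_tcp_header(segment):
    """Decode the fixed header, then the options indicated by the data offset."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    offset = (off_res >> 4) * 4
    if offset < 20 or offset > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "options": parse_tcp_options(segment[20:offset]),
            "payload": segment[offset:]}


def effective_window(window_field, wscale):
    """Receive window in bytes once both sides have sent the window-scale option in their SYNs."""
    return window_field << wscale


def missing_ranges(ack, sack_blocks, next_seq):
    """Byte ranges [start, end) the sender still has to retransmit: the holes between
    the cumulative ACK, the SACKed blocks and the highest byte sent so far."""
    holes = []
    cursor = ack
    for left, right in sorted(sack_blocks):
        if left > cursor:
            holes.append((cursor, left))
        cursor = max(cursor, right)
    if cursor < next_seq:
        holes.append((cursor, next_seq))
    return holes


def build_segment(sport, dport, seq, ack, flags, window, options=b"", payload=b""):
    """Constructed test segment; options are EOL-padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        ((20 + len(options)) // 4) << 4, flags, window, 0, 0)
    return fixed + options + payload


# Constructed SYN: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7 (20 option bytes).
SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", 123456, 0)
               + b"\x01" + b"\x03\x03\x07")
SYN_SEGMENT = build_segment(50000, 443, 0, 0, FLAG_SYN, 65535, SYN_OPTIONS)

# Constructed client ACK for the text's scenario: 500-byte segments, ISN 0, #1 and #3 arrived.
# Cumulative ACK = 501 (Segment#1), SACK block covers Segment#3 = bytes 1001..1500.
SACK_OPTIONS = b"\x01\x01" + b"\x05\x0a" + struct.pack("!II", 1001, 1501)
SACK_SEGMENT = build_segment(50000, 443, 1, 501, FLAG_ACK, 65535, SACK_OPTIONS)

if __name__ == "__main__":
    syn = parse_tcp_header(SYN_SEGMENT)
    print("SYN options:", syn["options"])
    print("scaled window:", effective_window(syn["window"], syn["options"]["wscale"]))
    ack = parse_tcp_header(SACK_SEGMENT)
    print("retransmit:", missing_ranges(ack["ack"], ack["options"]["sack_blocks"], 1501))
```

Only the hole between the cumulative ACK and the SACKed block is returned, which is exactly why the server in the text resends Segment#2 alone; without the SACK block the same function would return everything from byte 501 to the highest byte sent.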
Question 4
A network engineer notices that transmission rates of senders of TCP traffic sharply increase
and decrease simultaneously during periods of congestion. Which condition causes this?
A. global synchronization
B. tail drop
C. random early detection
D. queue management algorithm
Answer: A
Explanation
Global synchronization occurs when multiple TCP hosts reduce their transmission rates in
response to congestion. But when congestion is reduced, TCP hosts try to increase their
transmission rates again simultaneously (known as slow-start algorithm), which causes
congestion again. (The graph of this sawtooth pattern is not shown here.)
Global synchronization reduces optimal throughput of network applications and tail drop
contributes to this phenomenon. When an interface on a router cannot transmit a packet
immediately, the packet is queued. Packets are then taken out of the queue and eventually
transmitted on the interface. But if the arrival rate of packets to the output interface exceeds
the ability of the router to buffer and forward traffic, the queues increase to their maximum
length and the interface becomes congested. Tail drop is the default queuing response to
congestion. Tail drop simply means "drop all the traffic that exceeds the queue limit". Tail
drop treats all traffic equally and does not differentiate among classes of service.
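Both the TCP starvation/UDP dominance effect of Question 1 and the global synchronization described here come from the same mechanism: a tail-drop queue hits every TCP sender in the same round-trip time, and only the TCP senders back off. The following Python round-based model is an added example for this page, not part of the original text or of any Cisco documentation. Its rules are simplifying assumptions: one round equals one RTT, every TCP sender grows its window by one packet per RTT and halves it in any round the queue overflows (tail drop falls on every flow's burst), the UDP sender offers a fixed rate regardless of loss, and delivery during overload is proportional to offered load.

```python
def simulate_shared_queue(capacity, n_tcp, udp_rate, rounds):
    """Round-based model of one tail-drop queue draining `capacity` packets per RTT.

    TCP senders follow AIMD (+1 packet per RTT, halve on loss); the UDP sender always
    offers `udp_rate` packets. Returns the bandwidth share each side obtained, the
    number of rounds in which all TCP senders backed off together (synchronization)
    and the aggregate TCP window per round (the sawtooth).
    """
    cwnd = [1] * n_tcp
    tcp_delivered = [0.0] * n_tcp
    udp_delivered = 0.0
    sync_rounds = 0
    history = []
    for _ in range(rounds):
        offered = sum(cwnd) + udp_rate
        if offered <= capacity:
            # No loss: everything is forwarded and every TCP sender grows (additive increase).
            for i in range(n_tcp):
                tcp_delivered[i] += cwnd[i]
                cwnd[i] += 1
            udp_delivered += udp_rate
        else:
            # Overload: tail drop discards from every burst; each flow gets a proportional
            # share, TCP halves (multiplicative decrease), UDP does not react.
            share = capacity / offered
            for i in range(n_tcp):
                tcp_delivered[i] += cwnd[i] * share
                cwnd[i] = max(1, cwnd[i] // 2)
            udp_delivered += udp_rate * share
            sync_rounds += 1
        history.append(sum(cwnd))
    total = sum(tcp_delivered) + udp_delivered
    return {
        "tcp_share": sum(tcp_delivered) / total,
        "udp_share": udp_delivered / total,
        "per_tcp_share": [d / total for d in tcp_delivered],
        "sync_rounds": sync_rounds,
        "tcp_cwnd_history": history,
    }


if __name__ == "__main__":
    # Constructed scenario: 100-packet queue, 4 TCP flows, one UDP flow offering 80% of the link.
    mixed = simulate_shared_queue(capacity=100, n_tcp=4, udp_rate=80, rounds=400)
    print("TCP share %.2f, UDP share %.2f, synchronized back-offs %d"
          % (mixed["tcp_share"], mixed["udp_share"], mixed["sync_rounds"]))
    alone = simulate_shared_queue(capacity=100, n_tcp=4, udp_rate=0, rounds=400)
    print("TCP-only share per flow:", alone["per_tcp_share"])
```

With five flows a fair outcome would give the four TCP flows 80% of the link; in the mixed run they settle well below 20% in total while the single UDP flow takes the rest, and the aggregate TCP window rises and collapses in lock-step every cycle, which is the synchronization Question 4 asks about.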
Question 5
Which three problems result from application mixing of UDP and TCP streams within a
network with no QoS? (Choose three)
A. starvation
B. jitter
C. latency
D. windowing
E. lower throughput
Answer: A C E
Explanation
When TCP is mixing with UDP under congestion, TCP flows will try to lower their
transmission rate while UDP flows continue transmitting as usual. As a result of this, UDP
flows will dominate the bandwidth of the link and this effect is called TCP-starvation/UDP-
dominance. This can increase latency and lower the overall throughput.
Question 6
A network administrator uses IP SLA to measure UDP performance and notices that packets
on one router have a higher one-way delay compared to the opposite direction. Which UDP
characteristic does this scenario describe?
A. latency
B. starvation
C. connectionless communication
D. nonsequencing unordered packets
E. jitter
Answer: A
Question 7
A network engineer is configuring a routed interface to forward broadcasts of UDP 69, 53,
and 49 to 172.20.14.225. Which command should be applied to the configuration to allow
this?
Answer: A
Question 8
Which traffic characteristic is the reason that UDP traffic that carries voice and video is
assigned to the queue only on a link that is at least 768 kbps?
Answer: A
Explanation
If the speed of an interface is equal to or less than 768 kbps (half of a T1 link), it is considered a
low-speed interface. At that speed a 1500-byte data packet needs about 15.6 ms just to be
serialized onto the link (1500 x 8 bits / 768,000 bps), which is already above the roughly 10 ms
per-hop serialization delay Cisco recommends for voice, so voice packets cannot enter and leave
without delay issues no matter how they are queued. Therefore if the speed of the link is smaller
than 768 kbps, it should not be configured with the queue.
Question 9
Which two attributes describe UDP within a TCP/IP network? (Choose two)
A. Acknowledgments
B. Unreliable delivery
C. Connectionless communication
D. Connection-oriented communication
E. Increased headers
Answer: B C
Question 10
A network engineer wants to ensure an optimal end-to-end delay bandwidth product. The
delay is less than 64 KB. Which TCP feature ensures steady state throughput?
A. Window scaling
B. Network buffers
C. Round-trip timers
D. TCP acknowledgments
Answer: A
Explanation
Bandwidth-delay product (BDP) is the maximum amount of data "in-transit" at any point in
time, between two endpoints. In other words, it is the amount of data "in flight" needed to
saturate the link. You can think the link between two devices as a pipe. The cross section of
the pipe represents the bandwidth and the length of the pipe represents the delay (the
propagation delay due to the length of the pipe).
Therefore the Volume of the pipe = Bandwidth x Delay (or Round-Trip-Time). The volume
of the pipe is also the BDP.
For example if the total bandwidth is 64 kbps and the RTT is 3 seconds, the formula to
calculate BDP is:
BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 =
192,000 bits
For your information, BDP is very important in TCP communication as it determines how much
of a link's bandwidth can actually be used. As you know, a disadvantage of TCP is that the sender
has to wait for an acknowledgment from the receiver before sending more data. The waiting time
may be very long and we may not utilize the full bandwidth of the link for the transmission.
Based on BDP, the sending host can increase the number of data sent on a link (usually by
increasing the window size). In other words, the sending host can fill the whole pipe with
In conclusion, if we want an optimal end-to-end bandwidth-delay product, TCP must use the
window scaling feature so that we can fill the entire "pipe" with data.
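The BDP arithmetic above decides whether the unscaled 16-bit window (at most 65,535 bytes) can keep the pipe full, and if not, how large a window-scale shift the endpoints need. The following Python is an added example for this page (not from the original text or any Cisco document) that carries the calculation through for the 64 kbps / 3 s case in the text and for faster links; the link speeds and RTTs other than that one are constructed values.

```python
MAX_WINDOW_FIELD = 65535   # the 16-bit TCP window field
MAX_WSCALE = 14            # largest shift RFC 7323 allows


def bdp_bytes(bandwidth_bps, rtt_seconds):
    """Bandwidth-delay product in bytes: the data that must be in flight to fill the pipe."""
    return bandwidth_bps * rtt_seconds / 8


def required_wscale(bandwidth_bps, rtt_seconds):
    """Smallest window-scale shift whose maximum window covers the BDP, or None when
    even the maximum shift (a ~1 GB window) is too small for this path."""
    bdp = bdp_bytes(bandwidth_bps, rtt_seconds)
    for shift in range(MAX_WSCALE + 1):
        if (MAX_WINDOW_FIELD << shift) >= bdp:
            return shift
    return None


def can_saturate(bandwidth_bps, rtt_seconds, window_field, wscale):
    """True if the advertised window, after scaling, is at least the BDP of the path."""
    return (window_field << wscale) >= bdp_bytes(bandwidth_bps, rtt_seconds)


if __name__ == "__main__":
    # Constructed paths: the text's 64 kbps / 3 s link plus a LAN-to-cloud and a long-haul 10G path.
    for name, bw, rtt in [("64 kbps, RTT 3 s", 64_000, 3.0),
                          ("1 Gbps, RTT 100 ms", 1_000_000_000, 0.1),
                          ("10 Gbps, RTT 200 ms", 10_000_000_000, 0.2)]:
        print("%-22s BDP = %12.0f bytes, needs wscale %s"
              % (name, bdp_bytes(bw, rtt), required_wscale(bw, rtt)))
```

The 64 kbps path has a BDP of 24,000 bytes (192,000 bits), so it fits in the unscaled window; a 1 Gbps path with 100 ms RTT needs 12.5 MB in flight and therefore a shift of at least 8, which is why window scaling has to be enabled on both ends before such a link can reach steady-state throughput.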
Question 1
Your company uses Voice over IP (VoIP). The system sends UDP datagrams containing the
voice data between communicating hosts. When areas of the network become busy, some of
the datagrams arrive at their destination out of order. What happens when this occurs?
A. UDP will send an ICMP Information request message to the source host.
B. UDP will pass the information in the datagrams up to the next OSI layer in the order in
which they arrive.
C. UDP will drop the datagrams that arrive out of order.
D. UDP will use the sequence numbers in the datagram headers to reassemble the data into
the correct order.
E. UDP will not acknowledge the datagrams and wait for a retransmission of the datagrams.
Answer: B
Explanation
Unlike TCP which uses the sequence numbers to rearrange the segments when they arrive out
of order, UDP just passes the received datagrams to the next OSI layer (the Session Layer) in
the order in which they arrived.
Question 2
A network engineer applies the command ―ip tcp adjust-mss‖ under interface configuration
mode. What is the result?
Answer: C
Question 3
Which option is one way to mitigate asymmetric routing on an active/active firewall setup for
TCP-based connections?
Answer: D
Explanation
In Asymmetric routing, a packet traverses from a source to a destination in one path and takes
a different path when it returns to the source. This is commonly seen in Layer-3 routed
networks.
Asymmetric routing is not a problem by itself, but will cause problems when Network
Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls,
state information is built when the packets flow from a higher security domain to a lower
security domain. The firewall will be an exit point from one security domain to the other. If
the return path passes through another firewall, the packet will not be allowed to traverse the
firewall from the lower to higher security domain because the firewall in the return path will
not have any state information. The state information exists in the first firewall.
Reference:
http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200903.html
Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate
asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a
TCP connection even if the ASA didn't see the entire TCP 3-way handshake. This feature is
called TCP State Bypass.
Reference: https://supportforums.cisco.com/document/55536/asa-asymmetric-routing-
troubleshooting-and-mitigation
Note: The active/active firewall topology uses two firewalls that are both actively providing
firewall services.
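The failure described above is easy to reproduce in a few lines. The following Python is an added example for this page (it models the behaviour, it is not ASA code or configuration): two minimal stateful firewalls only create connection state when a SYN arrives from the inside network, the client's SYN leaves through FW1 but the server's SYN-ACK returns through FW2, and FW2 drops it because it holds no state. Turning on the modelled TCP state bypass lets mid-connection packets through without the handshake having been seen. Hosts, ports and the inside network are constructed values.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
SYN, ACK = 0x02, 0x10


class StatefulFirewall:
    """Minimal stateful inspection: a connection may only be opened by a SYN coming from the
    inside (higher-security) network; every other packet needs an existing state entry."""

    def __init__(self, name, inside_net, tcp_state_bypass=False):
        self.name = name
        self.inside = ipaddress.ip_network(inside_net)
        self.bypass = tcp_state_bypass
        self.conns = set()

    @staticmethod
    def _key(p):
        # Direction-independent key so the reply maps onto the same entry as the request.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p):
        """Return True if the packet is forwarded, False if it is dropped."""
        key = self._key(p)
        if key in self.conns:
            return True                                   # belongs to a tracked connection
        if p.flags & SYN and not p.flags & ACK:
            if ipaddress.ip_address(p.src) in self.inside:
                self.conns.add(key)                       # inside host opened it: build state
                return True
            return False                                  # unsolicited SYN from outside
        if self.bypass:
            # TCP state bypass: accept a mid-connection packet although this firewall never
            # saw the handshake, and track the flow from here on.
            self.conns.add(key)
            return True
        return False                                      # no state and not a SYN: drop


def asymmetric_session(bypass):
    """Client 10.1.1.10 reaches 198.51.100.5 out via FW1; the reply comes back via FW2."""
    fw1 = StatefulFirewall("FW1", "10.1.1.0/24", tcp_state_bypass=bypass)
    fw2 = StatefulFirewall("FW2", "10.1.1.0/24", tcp_state_bypass=bypass)
    client, server = "10.1.1.10", "198.51.100.5"
    syn = Packet(client, 50000, server, 443, SYN)
    syn_ack = Packet(server, 443, client, 50000, SYN | ACK)
    ack = Packet(client, 50000, server, 443, ACK)
    return {
        "SYN via FW1": fw1.process(syn),
        "SYN-ACK via FW2": fw2.process(syn_ack),   # the asymmetric return path
        "ACK via FW1": fw1.process(ack),
    }


if __name__ == "__main__":
    print("stateful:", asymmetric_session(bypass=False))
    print("tcp-state-bypass:", asymmetric_session(bypass=True))
```

The model also shows what is given up: with bypass enabled FW2 accepts any TCP packet that is not an unsolicited SYN, so the handshake-based protection is gone for the traffic the bypass applies to, which is why the real feature is scoped to specific flows with a class map rather than enabled globally.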
Question 4
A. The device that sends the stream is forced to hold data in the buffer for a longer period of
time.
B. The overall throughput of the stream is decreased.
C. The device that receives the stream is forced to hold data in the buffer for a longer period
of time.
D. The devices at each end of the stream are forced to negotiate a smaller window size.
Answer: C
Explanation
A device that sends UDP packets assumes that they reach the destination. There is no
mechanism to alert senders that the packet has arrived -> Answer A is not correct.
UDP throughput is not impacted by latency because the sender does not have to wait for the
ACK to be sent back -> Answer B is not correct.
UDP does not negotiate how the connection will work, UDP just transmits and hopes for the
best -> D is not correct.
Question 5
Answer: C
Explanation
The command "show tcp brief numeric" displays a concise description of TCP connection
endpoints.
Question 6
Answer: C
Question 7
A. TFTP
B. SNMP
C. SMTP
D. HTTPS
E. FTP
Answer: A B
Explanation
TFTP (runs on UDP port 69) and SNMP (runs on UDP ports 161/162) are two protocols which
run on UDP, so they can cause TCP starvation.
Note: SMTP runs on TCP port 25; HTTPS runs on TCP port 443; FTP runs on TCP port
20/21
RIP Questions
https://www.digitaltut.com/rip-questions
Question 1
Refer to the exhibit. The network setup is running the RIP routing protocol. Which two
events will occur following link failure between R2 and R3? (Choose two)
A. R2 will advertise network 192.168.2.0/27 with a hop count of 16 to R1.
B. R2 will not send any advertisements and will remove route 192.168.2.0/27 from its routing
table.
C. R1 will reply to R2 with the advertisement for network 192.168.2.0/27 with a hop count of
16.
D. After communication fails and after the hold-down timer expires, R1 will remove the
192.168.2.0/27 route from its routing table.
E. R3 will not accept any further updates from R2, due to the split-horizon loop prevention
mechanism.
Answer: A C
Question 2
A. 15
B. 255
C. 0
D. 16
Answer: A
Question 3
Answer: A
Question 4
An engineer has to enable RIP on a link. Where will he issue the command?
A. IPv6
B. Global
C. Router sub command
D. Interface sub command
Answer: C
Explanation
RIP can only be turned on in router configuration mode (Router(config-router)# mode, with the
network command). Unlike OSPF or EIGRP, RIP cannot be enabled from interface configuration
mode (Router(config-if)# mode).
OSPF Questions
https://www.digitaltut.com/ospf-questions
Question 1
The OSPF database of a router shows LSA types 1, 2, 3, and 7 only. Which type of area is
this router connected to?
A. stub area
B. totally stubby area
C. backbone area
D. not-so-stubby area
Answer: D
Explanation
LSA Type 7 is generated by an ASBR inside a Not So Stubby Area (NSSA) to describe
routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA.
These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5, N2
is a static cost while N1 is a cumulative cost that includes the cost up to the ASBR -> LSA
Type 7 only exists in an NSSA area.
Question 2
Which option prevents routing updates from being sent to the DHCP router, while still
allowing routing update messages to flow to the Internet router and the distribution switches?
A.
DHCP(config-router)# passive-interface default
DHCP(config-router)# no passive-interface Gi1/0
Internet(config-router)# passive-interface Gi0/1
Internet(config-router)# passive-interface Gi0/2
B.
Core(config-router)# passive-interface Gi0/0
Core(config-router)# passive-interface Gi3/1
Core(config-router)# passive-interface Gi3/2
DHCP(config-router)# no passive-interface Gi1/0
C. Core(config-router)# passive-interface default
Core(config-router)# no passive-interface Gi0/0
Core(config-router)# no passive-interface Gi3/1
Core(config-router)# no passive-interface Gi3/2
D.
Internet(config-router)# passive-interface default
Core(config-router)# passive-interface default
DSW1(config-router)# passive-interface default
DSW2(config-router)# passive-interface default
Answer: C
Question 3
Which option prevents routing updates from being sent to the access layer switches?
A.
DWS1(config-router)# passive-interface default
DWS2(config-router)# passive-interface default
B.
ALS1(config-router)# passive-interface default
ALS2(config-router)# passive-interface default
C.
DWS1(config-router)# passive-interface gi1/1
DWS1(config-router)# passive-interface gi1/2
DWS2(config-router)# passive-interface gi1/1
DWS2(config-router)# passive-interface gi1/2
D.
ALS1(config-router)# passive-interface gi0/1
ALS1(config-router)# passive-interface gi0/2
ALS2(config-router)# passive-interface gi0/1
ALS2(config-router)# passive-interface gi0/2
Answer: C
Explanation
Answer B is not correct because using the "passive-interface" command on ALS1 & ALS2
does not prevent DWS1 & DWS2 from sending routing updates to the two access layer switches.
Question 4
A. internal router
B. ASBR
C. ABR
D. edge router
Answer: C
Explanation
There are two areas represented on this router, which are Area 0 & Area 4. So we conclude
this is an ABR router.
Just for your information, from the Router Link States (Area 0) part, we only see one entry
15.15.15.33. It is both the Link ID and ADV Router so we can conclude this is an IP address
of one of the interfaces on the local router.
Question 5
A. That router cannot participate in the election of DR (or something like that).
B. That router has the highest priority to become a DR
C. That router will not advertise any OSPF route
D. Priority 0 does not exist
Answer: A
Question 6
Which OSPF network types do not require a DR/BDR election? (Choose two)
A. Broadcast
B. Point to point
C. Non-Broadcast
D. Point-to-multipoint
Answer: B D
Question 7
A network engineer enables OSPF on a Frame Relay WAN connection to various remote
sites, but no OSPF adjacencies come up. Which two actions are possible solutions for this
issue? (Choose two)
Answer: A D
Explanation
When OSPF is run on a network, two important events happen before routing information is
exchanged:
+ Neighbors are discovered using multicast hello packets.
+ DR and BDR are elected for every multi-access network to optimize the adjacency building
process. All the routers in that segment should be able to communicate directly with the DR
and BDR for proper adjacency (in the case of a point-to-point network, DR and BDR are not
necessary since there are only two routers in the segment, and hence the election does not
take place).
For a successful neighbor discovery on a segment, the network must allow broadcasts or
multicast packets to be sent.
Question 8
A faulty router in an OSPF domain was replaced with a new backup router, but the neighbor
relationship on one interface only does not come up. What is the reason for this problem? (Choose two)
A. area ID mismatch
B. authentication mismatch
C. process id of OSPF not match
D. OSPF timers not match
Answer: A B D (?)
Explanation
OSPF forms neighbor relationship with other OSPF routers on the same segment by
exchanging hello packets. The hello packets contain various parameters. Some of them
should match between neighboring routers. These include:
+ Hello and Dead intervals
+ Area ID
+ Authentication type and password
+ Stub Area flag
+ Subnet ID and Subnet mask
So there are three correct answers in this question. Maybe in the exam you will see only two
correct answers.
Question 9
Which OSPF areas prevent LSA type 4, LSA type 5? ( choose two)
A. Not-so-stubby area
B. Total stubby area
C. Stubby area
D. Normal area
E. Backbone area
F. Not-so-stubby totally stub area
Answer: B F
Explanation
Summary ASBR LSA (Type 4) – Generated by the ABR to describe an ASBR to routers in
other areas so that routers in other areas know how to get to external routes through that
ASBR. For example, suppose R8 is redistributing external route (EIGRP, RIP…) to R3. This
makes R3 an Autonomous System Boundary Router (ASBR). When R2 (which is an ABR)
receives this LSA Type 1 update, R2 will create an LSA Type 4 and flood it into Area 0 to inform
them how to reach R3. When R5 receives this LSA it also floods into Area 2.
In the above example, the only ASBR belongs to area 1 so the two ABRs send LSA Type 4 to
area 0 & area 2 (not vice versa). This is an indication of the existence of the ASBR in area 1.
Note:
+ Type 4 LSAs contain the router ID of the ASBR.
+ There are no LSA Type 4 injected into Area 1 because every router inside area 1 knows
how to reach R3. R3 only uses LSA Type 1 to inform R2 about R8 and inform R2 that R3 is
an ASBR.
External Link LSA (LSA 5) – Generated by ASBR to describe routes redistributed into the
area and point the destination for these external routes to the ASBR. These routes appear as
O E1 or O E2 in the routing table. In the topology below, R3 generates LSAs Type 5 to
describe the external routes redistributed from R8 and floods them to all other routers and tell
them "hey, if you want to reach these external routes, send your packets to me!". But other
routers will ask "how can I reach you? You didn't tell me where you are in your LSA Type
5!". And that is what LSA Type 4 does: it tells routers in other areas where the ASBR is!
Each OSPF area only allows some specific LSAs to pass through. Below is a summarization
of which LSAs are allowed in each OSPF area:
Area               Restriction
Normal             None
Stub               No Type 5 AS-external LSAs allowed
Totally Stub       No Type 3, 4 or 5 LSAs allowed except the default summary route
NSSA               No Type 5 AS-external LSAs allowed, but Type 7 LSAs that convert to Type 5 at the NSSA ABR can traverse
NSSA Totally Stub  No Type 3, 4 or 5 LSAs except the default summary route, but Type 7 LSAs that convert to Type 5 at the NSSA ABR are allowed
Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13703-8.html
Therefore there are two OSPF areas that prevent LSAs Type 4 & 5: Totally Stub & NSSA
Totally Stub areas
OSPF Questions 2
https://www.digitaltut.com/ospf-questions-2-2
Question 1
When OSPF is forming an adjacency, in which state does the actual exchange of link-state
information occur?
A. INIT
B. loading
C. exstart
D. exchange
Answer: B
Explanation
Loading: In this state, the actual exchange of link state information occurs. Based on the
information provided by the DBDs, routers send link-state request packets. The neighbor then
provides the requested link-state information in link-state update packets. During the
adjacency, if a router receives an outdated or missing LSA, it requests that LSA by sending a
link-state request packet. All link-state update packets are acknowledged.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13685-13.html
Question 2
OSPF chooses routes in which order, regardless of the route's administrative distance and metric?
A. Interarea
B. Intra-area
C. NSSA type1
D. NSSA type 2
E. External type1
F. External type2
Answer:
Order: B A E F C D (Intra-Area (O); Inter-Area (O IA); External Type 1 (E1); External Type
2 (E2); NSSA Type 1 (N1); NSSA Type 2 (N2))
Question 3
Refer to the exhibit. A network engineer executes the show ipv6 ospf database command
and is presented with the output that is shown. Which flooding scope is referenced in the
link-state type?
(Exhibit missing)
A. link-local
B. area
C. AS (OSPF domain)
D. reserved
Answer: B
Question 4
Answer: A C
Question 5
A. LSA 1,2,3,4,5
B. LSA 1,2,5
C. LSA 1,2,3
D. LSA 3,5
Answer: C
Explanation
+ Standard areas can contain LSAs of type 1, 2, 3, 4, and 5, and may contain an ASBR. The
backbone is considered a standard area.
+ Stub areas can contain type 1, 2, and 3 LSAs. A default route is substituted for external
routes.
+ Totally stubby areas can only contain type 1 and 2 LSAs, and a single type 3 LSA. The
type 3 LSA describes a default route, substituted for all external and inter-area routes.
+ Not-so-stubby areas implement stub or totally stubby functionality yet contain an ASBR.
Type 7 LSAs generated by the ASBR are converted to type 5 by ABRs to be flooded to the
rest of the OSPF domain.
Reference: http://packetlife.net/blog/2008/jun/24/ospf-area-types/
Question 6
A. NSSA
B. Total stubby
C. Stubby area
D. Normal area
Answer: A
Explanation
NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to
the ASBR.
Question 7
Which type of address does OSPFv3 use to form neighbor adjacencies and to send LSAs?
Answer: C
Explanation
OSPFv3 uses the well-known IPv6 multicast addresses, FF02::5 to communicate with
neighbors. The FF02::5 multicast address is known as the AllSPFRouters address. All
OSPFv3 routers must join this multicast group and listen to packets for this multicast group.
The OSPFv3 Hello packets are sent to this address.
Note: All other routers (non DR and non BDR) establish adjacency with the DR and the BDR
and use the IPv6 multicast address FF02::6 (known as AllDRouters address) to send LSA
updates to the DR and BDR.
The answer "link-local addresses" is also correct. The reason is that OSPFv3 routers use the
link-local address (FE80::/10) of the interface as the source address when sending Hello packets
to FF02::5 (the destination address). So in fact this question is not clear and there are two
correct answers here.
Note: The two IPv6 multicast addresses FF02::5 and FF02::6 have link-local scope.
Question 8
A. type 7 LSA
B. type 1 LSA
C. type 5 LSA
D. type 3 LSA
Answer: A
Explanation
NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to
the ASBR.
Question 9
A route map was configured and it was distributing OSPF external routes.
A. Distributing E1 only
B. Distributing E1 and E2 using prefix list
C. Distributing E1 and E2 using access list
D. Distributing E2 routes
Answer: B
Question 10
You have a router with some interfaces configured at 10 Gbps and some at 1 Gbps. Which
command do you use so that OSPF costs reflect the higher bandwidth?
Answer: A
OSPF Questions 3
https://www.digitaltut.com/ospf-questions-3-2
Question 1
Which are new LSA types in OSPF for IPv6 (OSPFv3)? (Choose two)
A. LSA Type 8
B. LSA Type 9
C. LSA Type 10
D. LSA Type 12
Answer: A B
Explanation
LSAs Type 8 (Link LSA) have link-local flooding scope. A router originates a separate link-
LSA for each attached link that supports two or more (including the originating router itself)
routers. Link-LSAs should not be originated for virtual links.
LSAs Type 9 (Intra-Area Prefix LSA) have area flooding scope. An intra-area-prefix-LSA
has one of two functions:
1. It either associates a list of IPv6 address prefixes with a transit network link by referencing
a network-LSA…
2. Or associates a list of IPv6 address prefixes with a router by referencing a router-LSA. A
stub link's prefixes are associated with its attached router.
LSA Type 9 takes over from LSA Types 1 and 2 the job they had in IPv4 OSPF of advertising
the prefixes inside an area, so topology and prefix information are decoupled, which changes
the way the OSPF SPF algorithm is run.
Question 2
If routers in a single area are configured with the same priority value, what value does a
router use for the OSPF Router ID in the absence of a loopback interface?
Answer: B
Question 3
You get a call from a network administrator who tells you that he typed the following into his
router:
Router(config)#router ospf 1
Router(config-router)#network 10.0.0.0 255.0.0.0 area 0
He tells you he still can‘t see any routes in the routing table. What configuration error did the
administrator make?
Explanation
The wildcard mask should be 0.0.0.255 instead of the subnet mask 255.0.0.0.
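The network statement takes a wildcard mask, so "network 10.0.0.0 255.0.0.0 area 0" means "the first octet does not matter, the last three must be exactly 0.0.0", which almost no interface address satisfies. The following Python is an added example for this page (not Cisco code) that applies the wildcard-matching rule IOS uses to a constructed router with three interfaces, and converts the subnet mask to the wildcard the administrator should have typed.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(subnet_mask):
    """Invert a subnet mask into the wildcard form the OSPF network statement expects."""
    return str(ipaddress.IPv4Address(~_to_int(subnet_mask) & 0xFFFFFFFF))


def network_statement_matches(interface_ip, network, wildcard):
    """A 1 bit in the wildcard means 'do not care'; every 0 bit must equal the network."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(interface_ip) & care) == (_to_int(network) & care)


def interfaces_enabled(interfaces, network, wildcard):
    """Names of the interfaces OSPF would be enabled on by one network statement."""
    return [name for name, ip in interfaces.items()
            if network_statement_matches(ip, network, wildcard)]


# Constructed router: three addressed interfaces, all within 10.0.0.0/8.
INTERFACES = {"Gi0/0": "10.1.1.1", "Gi0/1": "10.2.2.1", "Lo0": "10.255.255.1"}

if __name__ == "__main__":
    print("as typed   :", interfaces_enabled(INTERFACES, "10.0.0.0", "255.0.0.0"))
    fixed = wildcard_from_mask("255.0.0.0")
    print("corrected  : network 10.0.0.0 %s area 0 ->" % fixed,
          interfaces_enabled(INTERFACES, "10.0.0.0", fixed))
```

The statement as typed enables OSPF on none of the three interfaces (it would match an address such as 172.0.0.0 but not 10.1.1.1), so no neighbors form and no routes are learned; with the wildcard 0.255.255.255 all three are enabled.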
Question 4
A. the ABR
B. the ASBR
C. Backbone Router
D. Intra Router
Answer: A B
Explanation
Route aggregation can be performed on the border routers to reduce the LSAs advertised to
other areas. Route aggregation can also minimize the influences caused by the topology
changes.
Question 5
Which two OSPF network types can operate without a DR/BDR relationship? (Choose two)
A. Point-to-multipoint
B. Point-to-point
C. nonbroadcast
D. nonbroadcast multi-access
E. broadcast
Answer: A B
Question 6
If you want to migrate an IS-IS network to another routing protocol, which routing protocols
should you choose? (Choose two)
A. UDP
B. internal BGP
C. TCP/IP
D. EIGRP
E. OSPF
F. RIP
Answer: (maybe) D E
Explanation
IS-IS is an interior gateway protocol (IGP), same as EIGRP and OSPF so maybe they are the
best answers. Although RIP is not a wrong choice, it is not widely used because of its many
limitations (only 15 hops, long convergence time, ...).
Question 7
If you configure one router in your network with the auto-cost reference-bandwidth 100
command, which effect on the data path is true?
Answer: C
Explanation
This command affects all the OSPF costs on the local router as all links are recalculated with
formula: cost = reference-bandwidth (in Mbps) / interface bandwidth
Note: The default reference bandwidth for OSPF is 10^8 bps or 100 Mbps, which means "auto-cost
reference-bandwidth 100" in fact sets the default value; answer A may therefore also be correct.
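The consequence of the formula above is the point behind Question 10 as well: with the default reference bandwidth of 100 Mbps, FastEthernet, GigabitEthernet and TenGigabitEthernet all truncate to the minimum cost of 1 and OSPF cannot tell them apart. The following Python is an added example for this page (not Cisco code) that applies the IOS formula, including its truncation to an integer and the 1..65535 range, to a constructed set of interface bandwidths under different reference bandwidths.

```python
def ospf_cost(interface_bw_kbps, reference_bw_mbps=100):
    """IOS formula: cost = reference bandwidth / interface bandwidth, truncated to an
    integer and clamped to 1..65535. The default reference bandwidth is 100 Mbps."""
    cost = (reference_bw_mbps * 1000) // interface_bw_kbps
    return max(1, min(cost, 65535))


# Constructed interface set; bandwidths are the IOS default 'bandwidth' values in kbps.
INTERFACE_BW_KBPS = {
    "Serial (T1)": 1544,
    "FastEthernet": 100_000,
    "GigabitEthernet": 1_000_000,
    "TenGigabitEthernet": 10_000_000,
}


def cost_table(reference_bw_mbps):
    """Cost of every interface in the set for one reference bandwidth."""
    return {name: ospf_cost(bw, reference_bw_mbps) for name, bw in INTERFACE_BW_KBPS.items()}


def distinguishes_interfaces(reference_bw_mbps):
    """True when no two interfaces in the set collapse onto the same cost."""
    costs = list(cost_table(reference_bw_mbps).values())
    return len(costs) == len(set(costs))


if __name__ == "__main__":
    for ref in (100, 10_000, 100_000):
        print("reference %6d Mbps:" % ref, cost_table(ref),
              "distinct" if distinguishes_interfaces(ref) else "1G and 10G collapse")
```

Because every router computes costs from its own reference bandwidth, changing it on one router only changes that router's view of the topology; the value must be set identically on all routers in the domain or the path selection becomes inconsistent (IOS prints a warning to that effect when the command is entered).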
Question 8
Refer to the exhibit. In the network diagram, Area 1 is defined as a stub area. Because
redistribution is not allowed in the stub area, EIGRP routes cannot be propagated into the
OSPF domain. How does defining area 1 as a not-so-stubby area (NSSA) make it possible to
inject EIGRP routes into the OSPF NSSA domain?
A. by creating type 5 LSAs
B. by creating type 7 LSAs
C. by creating a link between the EIGRP domain and the RIP domain, and redistributing
EIGRP into RIP
D. by manually changing the routing metric of EIGRP so that it matches the routing metric of
OSPF
Answer: B
Explanation
NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to
the ASBR.
Question 9
A. ABR
B. ASBR
C. Summary router
D. Internal router
E. Backbone router
Answer: A B
EIGRP Questions
https://www.digitaltut.com/eigrp-questions
Question 1
A network engineer is considering enabling load balancing with EIGRP. Which consideration
should be analyzed?
A. EIGRP allows a maximum of four paths across for load balancing traffic.
B. By default, EIGRP uses a default variance of 2 for load balancing.
C. EIGRP unequal path load balancing can result in routing loops.
D. By default, EIGRP performs equal cost load balancing at least across four equal cost
paths.
Answer: D
Explanation
By default, EIGRP load-shares over four equal-cost paths. EIGRP also supports unequal-cost
load balancing via the "variance" command.
Question 2
A router receives a routing advertisement for the same prefix and subnet from four different
routing protocols. Which advertisement is installed in the routing table?
A. RIP
B. OSPF
C. iBGP
D. EIGRP
Answer: D
Explanation
The table below lists the default administrative distance values of popular routing protocols:
Routing Protocols Default Administrative Distance
EIGRP 90
OSPF 110
RIP 120
eBGP 20
iBGP 200
Connected interface 0
Static route 1
Question 3
Other than a working EIGRP configuration, which option must be the same on all routers for
EIGRP authentication key rollover to work correctly?
A. SMTP
B. SNMP
C. Passwords
D. Time
Answer: D
Explanation
Requirements
+ The time must be properly configured on all routers.
+ A working EIGRP configuration is recommended.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html
Question 4
Which of the following parameters for EIGRP authentication need to match in order for EIGRP
neighbors to establish a neighbor relationship?
Explanation
The following list of parameters must match between EIGRP neighbors in order to
successfully establish neighbor relationships:
Question 5
EIGRP is implemented in a Frame Relay network but there is no adjacency. Which options
cause the adjacency to come up? (choose two)
Answer: A B
Explanation
When EIGRP is configured in a point-to-multipoint Frame Relay network, the Hub can receive
routing updates sent from its Spoke routers, but the split horizon rule forbids the Hub from
relaying advertisements back out the interface on which they were received. For example, in
the topology below, the Hub can receive routing updates from two Spokes but it cannot relay
them out of its S0/0 interface again (as it is the interface on which it received the updates).
To solve this problem we need to disable split horizon on the S0/0 interface of the Hub.
Hub(config)#interface serial0/0
Hub(config-if)#no ip split-horizon eigrp 1
Another way to resolve the above issue is to use the "neighbor" command. This command also
makes EIGRP communicate with its neighbors via unicast -> B is correct.
Note: Although we can use the "neighbor" command to set up an EIGRP neighbor relationship,
the routes still cannot be advertised from the Hub to the Spokes because of the split horizon rule.
Question 6
In a point-to-multipoint Frame Relay topology, which two methods ensure that all routing
updates are received by all EIGRP routers within the Frame Relay network? (Choose two)
Answer: A C
Explanation
Although we can use the "neighbor" command to set up an EIGRP neighbor relationship, the
routes still cannot be advertised from the Hub to the Spokes because of the split horizon rule ->
Answer D is not correct.
To overcome the split horizon rule we can use subinterfaces: each subinterface is treated like
a separate physical interface, so routing updates received on one subinterface can be advertised
back from the Hub to the Spokes on the other subinterfaces -> Answer C is correct.
Note: The split horizon rule states that routes will not be advertised back out the interface on
which they were received.
Question 7
A. 90
B. 170
C. 5
D. 110
Answer: C
Explanation
Reference: http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/command/reference/ire_book/ire_i1.html
Question 8
A. SHA
B. MD5
C. XDA
D. CHAP
E. Cisco
Answer: B
Question 9
Which two options are requirements for EIGRP authentication? (Choose two)
Answer: B D
Explanation
An example of how to configure EIGRP authentication on two routers that are connected to
each other is shown below (the same commands are entered on both R1 and R2):
R1,R2(config)#key chain MYKEYS
R1,R2(config-keychain)#key 1
R1,R2(config-keychain-key)#key-string SecRetThing!
R1,R2(config-keychain-key)#exit
R1,R2(config-keychain)#exit
R1,R2(config)#interface serial0/0
R1,R2(config-if)#ip authentication mode eigrp 1 md5
R1,R2(config-if)#ip authentication key-chain eigrp 1 MYKEYS
The key chain by itself does nothing until it is applied to the interface facing the neighbor
(Serial0/0 is assumed here) with the "ip authentication mode" and "ip authentication key-chain"
commands; the EIGRP AS number (1 here), the key ID and the key-string must match on both routers.
Question 10
Refer to the exhibit. Which option describes why the EIGRP neighbors of this router are not
learning routes that are received from OSPF?
router eigrp 1
redistribute ospf 100
network 10.10.10.0 0.0.0.255
auto-summary
!
router ospf 100
network 172.16.0.0 0.0.255.255 area 100
redistribute eigrp 1
Answer: B
Explanation
When redistributing into RIP or EIGRP (and IGRP), we need to specify the metric or the
redistributed routes will never be learned. In this case we need to configure it like this:
router eigrp 1
redistribute ospf 100 metric 10000 100 255 1 1500
Question 11
What is true about EIGRP's redistributed static routes and summarized routes? (Choose two)
Answer: A B
EIGRP Questions 2
https://www.digitaltut.com/eigrp-questions-2-2
Question 1
A router was configured with the "eigrp stub" command. The router advertises which types
of routes?
Answer: D
Explanation
The "eigrp stub" command is equivalent to the "eigrp stub connected summary" command,
which advertises the connected routes and summarized routes.
Note: Summary routes can be created manually with the summary-address command or
automatically at a major network border router with the auto-summary command enabled.
Question 2
An exhibit with three routers with three loopback interfaces. One of them was configured as
EIGRP stub, question was to choose what appears in the other router routing table?
Answer: A
Question 3
The excerpt was taken from the routing table of router SATX. Which option ensures that
routes from 51.51.51.1 are preferred over routes from 52.52.52.2?
A. SATX(config-router)#distance 90 51.51.51.1 0.0.0.0
B. SATX(config-router)#distance 89.52.52.52.2 0.0.0.0
C. SATX(config-router)#distance 90.52.52.52.2 0.0.0.0
D. SATX(config-router)#administrative distance 91 51.51.51 0.0.0.0
E. SATX(config-router)#distance 89 51.51.51.1 0.0.0.0
F. SATX(config-router)#administrative distance 91 52.52.52.2 0.0.0.0
Answer: E
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfindp1.html
Question 4
Which type of message does a device configured with the eigrp stub command send in
response to EIGRP queries?
A. invalid request
B. unavailable
C. stuck in active
D. stub-only
E. reject
F. inaccessible
Answer: F
Explanation
If an older version of code is deployed on the hub router, it will ignore the stub TLV and
continue to send QUERY packets to the stub router. However, the stub router will
immediately reply "inaccessible" to any QUERY packets, and will not continue to propagate
them. Thus, the solution is backward-compatible and does not necessarily require an upgrade
on the hub routers.
Reference: http://www.cisco.com/en/US/technologies/tk648/tk365/technologies_white_paper0900aecd8023df6f.html
Question 5
What command would you use to set EIGRP routes to be prioritized?
A. distance 100
B. distance 89
C. distance eigrp 100
D. distance eigrp 89
Answer: D
Question 6
Which of the conditions below form a neighbor relationship in EIGRP? (Choose three)
Answer: A B D
Explanation
Question 7
Which item does EIGRP IPv6 require before it can start running?
A. router ID
B. DHCP server
C. subnet mask
D. default gateway
Answer: A
Question 8
Answer: D
Question 9
You need the IP address of the devices with which the router has established an adjacency.
Also, the retransmit interval and the queue counts for the adjacent routers need to be checked.
What command will display the required information?
Answer: D
Explanation
Question 10
A. maximum delay
B. minimum delay
C. average delay
D. minimum interface bandwidth
Answer: D
Explanation
By default, EIGRP uses only the bandwidth and delay parameters to calculate the metric
(metric = bandwidth + delay). In particular, EIGRP uses the slowest bandwidth among the
outgoing interfaces along the route to calculate the metric as follows:
For an example of how EIGRP calculates the metric, please read our EIGRP tutorial (part 3).
Question 11
Which two among the following are used to indicate external type of route in routing table?
(Choose two)
A. D EX
B. IA
C. E2
D. R E2
E. i L2
Answer: A C
Question 12
Which command will display all the EIGRP feasible successor routes known to a router?
A. show ip routes
B. show ip eigrp summary
C. show ip eigrp topology
D. show ip eigrp adjacencies
Answer: C
Distribute List
https://www.digitaltut.com/distribute-list
Question 1
Answer: E
Question 2
Refer to the exhibit
access-list 1 permit 1.0.0.0 0.255.255.255
access-list 2 permit 1.2.3.0 0.0.0.255
!
router rip
Answer: D
Explanation
A distribute list is used to filter routing updates either coming into or leaving from our router.
In this case, the "out" keyword specifies that we want to filter updates leaving our router.
Access-list 2 indicates that only the routing update for network 1.2.3.0/24 is allowed (notice that
every access-list always has an implicit "deny all" at the end).
Question 3
Which command prevents routers from sending routing updates through a router interface?
A. default-metric 0
B. distribute-list in
C. passive-interface
D. distribute-list out
Answer: C
Explanation
To prevent routing updates through a specified interface, use the passive-interface type
number command in router configuration mode.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3s/iri-xe-3s-book/iri-default-passive-interface.html
Answer: A
Explanation
Normal policy based routing (PBR) is used to route packets that pass through the device.
Packets that are generated by the router (itself) are not normally policy-routed. To control
these packets, local PBR should be used. For example: Router(config)# ip local policy route-map map-tag
(compared with normal PBR: Router(config-if)# ip policy route-map map-tag)
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html
Question 2
When policy-based routing (PBR) is being configured, which three criteria can the set
command specify? (Choose three)
Answer: A C F
Explanation
The set command specifies the action(s) to take on the packets that match the criteria. You
can specify any or all of the following:
* precedence: Sets precedence value in the IP header. You can specify either the precedence
number or name.
* df: Sets the "Don't Fragment" (DF) bit in the IP header.
* vrf: Sets the VPN Routing and Forwarding (VRF) instance.
* next-hop: Sets next hop to which to route the packet.
* next-hop recursive: Sets next hop to which to route the packet if the hop is to a router which
is not adjacent.
* interface: Sets output interface for the packet.
* default next-hop: Sets next hop to which to route the packet if there is no explicit route for
this destination.
* default interface: Sets output interface for the packet if there is no explicit route for this
destination.
(Reference: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html)
Question 3
Refer to the exhibit. Which command would verify if PBR reacts to packets sourced from
172.16.0.0/16?
A. show ip route
B. show policy-map
C. show access-lists
D. show route-map
Answer: D
Explanation
The "show route-map <route-map name>" command displays the policy routing match counts, so we can
learn whether PBR reacts to packets sourced from 172.16.0.0/16 or not.
Question 4
Refer to the exhibit. Based upon the configuration, you need to understand why the policy
routing match counts are not increasing. Which would be the first logical step to take?
A. Confirm if there are other problematic route-map statements that precede divert.
B. Check the access list for log hits.
C. Check the routing table for 212.50.185.126.
D. Remove any two of the set clauses. (Multiple set clause entries will cause PBR to use the
routing table.)
Answer: B
Explanation
First we should check the access-list log: if the hit count does not increase then no packets
matched the access-list -> the policy based routing match counts will not increase.
BGP Questions
https://www.digitaltut.com/bgp-questions
Question 1
A. a private AS number
B. a public AS number
C. a private 4-byte AS number
D. a public 4-byte AS number
Answer: A
Explanation
Private autonomous system (AS) numbers, which range from 64512 to 65535, are used to
conserve globally unique AS numbers. Globally unique AS numbers (1 – 64511) are assigned
by InterNIC. These private AS numbers cannot be leaked to a global Border Gateway Protocol
(BGP) table because they are not unique (BGP best path calculation expects unique AS
numbers).
Reference: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13756-32.html
Question 2
A network administrator notices that the BGP state drops and logs are generated for missing
BGP hello keepalives. What is the potential problem?
A. Incorrect neighbor options
B. Hello timer mismatch
C. BGP path MTU enabled
D. MTU mismatch
Answer: D
Explanation
If the MTUs of two interfaces are mismatched, the BGP neighbors may flap: the BGP state drops
and the logs report missing BGP hello keepalives, or the other peer terminates the session.
For more information about MTU mismatches between BGP neighbors please read:
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/116377-troubleshoot-bgp-mtu.html
Question 3
A. 200
B. 30
C. 70
D. 20
Answer: D
Explanation
Notice that the Administrative Distance (AD) of External BGP (eBGP) is 20 while the AD of
internal BGP (iBGP) is 200.
Question 4
A. 64512-65535
B. 1-64000
C. 64512-65534
Answer: A
Explanation
Private autonomous system (AS) numbers, which range from 64512 to 65535, are used to
conserve globally unique AS numbers. These private AS numbers cannot be leaked to a global
BGP table because they are not unique.
Question 5
A. Established
B. Active
C. Stuck in active
D. 2-WAY
E. Unknown
F. DROTHER
Answer: A B
Explanation
BGP Neighbor states are: Idle – Connect – Active – Open Sent – Open Confirm – Established
Question 6
A. port 179
B. port 197
C. port 180
D. port 178
Answer: A
Explanation
BGP peers are established by manual configuration between routing devices to create a TCP
session on (destination) port 179.
Question 7
A. Connect
B. Open Sent
C. Open
D. Passive
Answer: A B
Explanation
1 – Idle: the initial state of a BGP connection. In this state, the BGP speaker is waiting for a
BGP start event, generally either the establishment of a TCP connection or the
re-establishment of a previous connection. Once the connection is established, BGP moves to
the next state.
2 – Connect: In this state, BGP is waiting for the TCP connection to be formed. If the TCP
connection completes, BGP will move to the OpenSent stage; if the connection cannot
complete, BGP goes to Active.
3 – Active: In the Active state, the BGP speaker is attempting to initiate a TCP session with
the BGP speaker it wants to peer with. If this can be done, the BGP state goes to the OpenSent
state.
4 – OpenSent: the BGP speaker is waiting to receive an OPEN message from the remote
BGP speaker.
5 – OpenConfirm: Once the BGP speaker receives the OPEN message and no error is
detected, the BGP speaker sends a KEEPALIVE message to the remote BGP speaker.
6 – Established: All of the neighbor negotiations are complete. You will see a number (2 in
this case), which tells us the number of prefixes the router has received from a neighbor or
peer group.
Question 8
What attribute is used to influence traffic from AS200 and AS300 so that it uses link to reach
AS100?
A. MED
B. AS_path
C. weight
D. local preference
Answer: A
Question 9
To enable BGP tunneling over an IPv4 backbone, the IPv4 address 192.168.30.1 is converted
into a valid IPv6 address. Which three IPv6 addresses are acceptable formats for the IPv4
address? (Choose three)
A. 192.168.30.1:0:0:0:0:0:0
B. 0:0:0:0:0:0:192.168.30.1
C. ::192.168.30.1
D. C0A8:1E01::
E. 192.168.30.1::
F. ::C0A8:1E01
Answer: B C F
Question 10
Answer: B C
Redistribution Questions
https://www.digitaltut.com/redistribution-questions
Question 1
Answer: A
Question 2
Redistributing BGP into OSPF what statement is correct? (there is a graphic of redistributing
BGP into OSPF with a route-map)
route-map deny 10
match ip address 10
route-map permit 20
access-list 10 permit 172.16.0.0 0.0.0.255
Answer: A
Question 3
A. ACL
B. tag
C. metric
D. route map
Answer: A
Question 1
Which DHCP option provides a TFTP server that Cisco phones can use to download a
configuration?
A. DHCP Option 66
B. DHCP Option 68
C. DHCP Option 82
D. DHCP Option 57
Answer: A
Explanation
DHCP options 3, 66, and 150 are used to configure Cisco IP Phones. Cisco IP Phones
download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does
not have both the IP address and TFTP server IP address preconfigured, it sends a request
with option 150 or 66 to the DHCP server to obtain this information.
+ DHCP option 150 provides the IP addresses of a list of TFTP servers.
+ DHCP option 66 gives the IP address or the hostname of a single TFTP server.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/basic_dhcp.pdf
Question 2
A. Server
B. Client
C. Approver
D. Requester
E. ACK
F. Relay
Answer: A B F
Explanation
Question 3
After testing various dynamic IPv6 address assignment methods, an engineer decides that
more control is needed when distributing addresses to clients. Which two advantages does
DHCPv6 have over EUI-64 (Choose two)
Answer: B C
Explanation
Extended Unique Identifier (EUI) allows a host to assign itself a unique 64-bit IPv6 interface
identifier (EUI-64). This feature is a key benefit over IPv4 as it eliminates the need for manual
configuration or DHCP as in the world of IPv4. The IPv6 EUI-64 format address is obtained
from the 48-bit MAC address. The MAC address is first separated into two 24-bit halves, one
being the OUI (Organizationally Unique Identifier) and the other being NIC specific. The
16-bit value 0xFFFE is then inserted between these two 24-bit halves to form the 64-bit EUI
address. IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64
generated from an EUI-48 MAC address.
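The EUI-64 derivation described above, as an added example in Python (not from the original page), using a constructed sample MAC. It also carries out the universal/local bit inversion that IPv6 (RFC 4291) applies and the text above does not mention, and the reverse mapping, which is why a MAC-derived address exposes the hardware address (one reason the control DHCPv6 gives over address assignment matters).

```python
import ipaddress
from typing import Optional

# Constructed sample MAC address for the demonstration (not from the page).
SAMPLE_MAC = "00:1A:2B:3C:4D:5E"


def parse_mac(mac: str) -> bytes:
    """Parse a 48-bit MAC written as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a MAC.

    Steps as the page describes them: split the MAC into the 24-bit OUI and the
    24-bit NIC-specific part, then insert 0xFFFE between them. IPv6 (RFC 4291)
    additionally inverts the universal/local bit (0x02 of the first octet),
    which is why a MAC starting with 00 yields an interface ID starting with 02.
    """
    octets = parse_mac(mac)
    oui, nic = octets[:3], octets[3:]
    eui = bytearray(oui + b"\xff\xfe" + nic)
    eui[0] ^= 0x02  # flip the universal/local bit
    return bytes(eui)


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID into a full IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address.

    Returns None when the interface ID does not carry the FFFE marker, i.e. it
    was not built from a MAC (for example a DHCPv6-assigned or manual address).
    Anyone who sees an EUI-64 address can do this, which is the privacy cost of
    the scheme compared with DHCPv6-controlled assignment.
    """
    raw = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits = interface ID
    if raw[3:5] != b"\xff\xfe":
        return None
    first = raw[0] ^ 0x02  # undo the universal/local bit flip
    octets = bytes([first]) + raw[1:3] + raw[5:8]
    return ":".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    addr = eui64_address("2001:db8:1:1::/64", SAMPLE_MAC)
    print(SAMPLE_MAC, "->", addr)
    print(addr, "->", mac_from_eui64_address(addr))
```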
Question 4
Answer: A
Explanation
Please notice that the "ipv6 address autoconfig" command is configured on the DHCP Relay Agent (not
the DHCP Server). A configuration example can be found at
https://community.cisco.com/t5/networking-documents/stateful-dhcpv6-relay-configuration-example/ta-p/3149338
Question 5
Which three configuration parameters can a DHCPv6 pool contain? (Choose three)
Answer: A D E
Explanation
A DHCPv6 configuration information pool is a named entity that includes information about
available configuration parameters and policies that control assignment of the parameters to
clients from the pool. A pool is configured independently of the DHCPv6 service and is
associated with the DHCPv6 service through the command-line interface (CLI).
Each configuration pool can contain the following configuration parameters and operational
information:
– Prefix delegation information, which could include:
+ A prefix pool name and associated preferred and valid lifetimes
+ A list of available prefixes for a particular client and associated preferred and valid
lifetimes
– A list of IPv6 addresses of DNS servers
– A domain search list, which is a string containing domain names for DNS resolution
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-dhcp.html
For example:
ipv6 unicast-routing
ipv6 dhcp pool <pool name>
address prefix <specify address prefix> lifetime <infinite> <infinite>
dns-server <specify the dns server address>
domain-name <specify the domain name>
Reference: https://supportforums.cisco.com/document/116221/part-1-implementing-dhcpv6-stateful-dhcpv6
So we can see that a DHCPv6 pool supports an address prefix, a domain search list and DNS servers.
Question 6
Consider this scenario. TCP traffic is blocked on port 547 between a DHCPv6 relay agent
and a DHCPv6 server that is configured for prefix delegation. Which two outcomes will
result when the relay agent is rebooted? (Choose two)
Explanation
Note: A DHCPv6 relay agent is used to relay (forward) messages between the DHCPv6 client
and server.
Servers and relay agents listen for DHCP messages on UDP port 547, so if a DHCPv6 relay
agent cannot receive DHCP messages (because port 547 is blocked) then the routers
(clients) will not obtain DHCPv6 prefixes.
We are not sure about answer D but maybe it is related to the (absence of) "Reload Persistent
Interface ID" in DHCPv6 Relay Options. This feature makes the interface ID option
persistent. The interface ID is used by relay agents to decide which interface should be used
to forward a RELAY-REPLY packet. A persistent interface-ID option will not change if the
router acting as a relay agent goes offline during a reload or a power outage. When the router
acting as a relay agent returns online, it is possible that changes to the internal interface index
of the relay agent may have occurred in certain scenarios (such as when the relay agent
reboots and the number of interfaces in the interface index changes, or when the relay agent
boots up and has more virtual interfaces than it did before the reboot). This feature prevents
such scenarios from causing any problems.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-15-e-book/dhcp-15e-book_chapter_010.html
Question 7
Refer to the exhibit. Router DHCP is configured to lease IPv4 and IPv6 addresses to clients
on ALS1 and ALS2. Clients on ALS2 receive IPv4 and IPv6 addresses. Clients on ALS1
receive IPv4 addresses. Which configuration on DSW1 allows clients on ALS1 to receive
IPv6 addresses?
Answer: D
Explanation
In this topology DSW1 is the DHCPv6 Relay agent, so it should relay (forward) the DHCPv6
Request packets (from the clients) out of its Gi1/2 interface to the DHCPv6 server. The
command "ipv6 dhcp relay destination ..." is used to complete this task.
Note: There is no "default-router" command for DHCPv6. The "ipv6 dhcp relay destination"
command is not required on every router along the path between the client and server. It is
ONLY required on the router functioning as the DHCPv6 relay agent.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-689821.html
Question 8
A packet capture indicates that the router is not forwarding the DHCP packets that it receives
on interface FastEthernet0/0. Which command needs to be entered in global configuration
mode to resolve this issue?
A. ip helper-address
B. ip DHCP relay
C. service DHCP
D. ip forward-protocol
Answer: B
Explanation
The "ip helper-address" command is only configured in interface mode, so it is not the correct
answer.
Note: The Cisco IOS software provides the global configuration command "ip forward-protocol"
to allow an administrator to forward any UDP port in addition to the eight default
UDP services. For example, to forward UDP on port 517, use the global configuration
command "ip forward-protocol udp 517". But the eight default UDP services already include DHCP,
so it is not the suitable answer.
A DHCP relay agent may receive a message from another DHCP relay agent that already
contains relay information. By default, the relay information from the previous relay agent is
replaced. If this behavior is not suitable for your network, you can use the "ip dhcp relay
information policy {drop | keep | replace}" global configuration command to change it ->
Therefore this is the correct answer.
Reference: https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html
Question 9
Refer to the exhibit. The DHCP client is unable to receive a DHCP address from the DHCP
server. Consider the following output:
hostname R2
!
interface fastethernet 0/0
ip address 172.31.1.1 255.255.255.0
interface serial 0/0
ip address 10.1.1.1 255.255.255.252
!
ip route 172.16.1.0 255.255.255.0 10.1.1.2
Which configuration is required on the R2 fastethernet 0/0 port in order to allow the DHCP
client to successfully receive an IP address from the DHCP server?
A. R2(config-if)# ip helper-address 172.16.1.2
B. R2(config-if)# ip helper-address 172.16.1.1
C. R2(config-if)# ip helper-address 172.31.1.1
D. R2(config-if)# ip helper-address 255.255.255.255
Answer: A
Explanation
If the DHCP Server is not on the same subnet as the DHCP Client, we need to configure
the router on the DHCP client side to act as a DHCP Relay Agent so that it can forward
DHCP messages between the DHCP Client and DHCP Server. To make a router a DHCP
Relay Agent, simply put the "ip helper-address <IP-address-of-DHCP-Server>" command
under the interface that receives the DHCP messages from the DHCP Client.
Question 10
DHCPv6 can obtain configuration parameters from a server through rapid two-way message
exchange. Which two steps are involved in this process? (Choose two)
A. solicit
B. advertise
C. request
D. auth
E. reply
Answer: A E
Question 1
Which three characteristics are shared by subinterfaces and associated EVNs? (Choose three)
A. IP address
B. routing table
C. forwarding table
D. access control lists
E. NetFlow configuration
Explanation
All the subinterfaces and associated EVNs have the same IP address assigned. In other words,
a trunk interface is identified by the same IP address in different EVN contexts. EVN
automatically generates subinterfaces for each EVN. For example, both the Blue and Green
VPN Routing and Forwarding (VRF) instances use the same IP address of 10.0.0.1 on their trunk
interface:
-> A is correct.
In fact, answers B and C are not correct because each EVN has a separate routing table and
forwarding table.
Note: The combination of the VPN IP routing table and the associated VPN IP forwarding
table is called a VPN routing and forwarding (VRF) instance.
Question 2
A. 802.1Q
B. ISL
C. PPP
D. Frame Relay
E. MPLS
F. HDLC
Answer: A
Explanation
EVN is supported on any interface that supports 802.1q encapsulation, for example, an
Ethernet interface. Instead of adding a new field to carry the VNET tag in a packet, the
VLAN ID field in 802.1q is repurposed to carry a VNET tag. The VNET tag uses the same
position in the packet as a VLAN ID. On a trunk interface, the packet gets re-encapsulated
with a VNET tag. Untagged packets carrying the VLAN ID are not EVN packets and could
be transported over the same trunk interfaces.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-vpns-l3vpn/whitepaper_c11-638769.html
Question 3
What is the purpose of the autonomous-system {autonomous-system-number} command?
Answer: A
Explanation
This configuration is performed on the Provider Edge (PE) router to run EIGRP with a
Customer Edge (CE) router. The "autonomous-system 100" command indicates that
EIGRP AS 100 is running between the PE and CE routers.
Question 4
What is the primary service that is provided when you implement Cisco Easy Virtual
Network?
Answer: C
Question 5
Which Cisco VPN technology uses AAA to implement group policies and authorization and
is also used for the XAUTH authentication method?
A. DMVPN
B. Cisco Easy VPN
C. GETVPN
D. GREVPN
Answer: B
Question 6
Which three benefits does the Cisco Easy Virtual Network provide to an enterprise network?
(Choose three)
Answer: A B C
Explanation
EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN
provides enhancements in path isolation, simplified configuration and management, and
improved shared service support
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html
Maybe the "improved shared services support" term here implies support for sharing routes
between different VRFs (through route-target and MP-BGP).
Question 7
A network engineer has set up VRF-Lite on two routers where all the interfaces are in the
same VRF. At a later time, a new loopback is added to Router 1, but it cannot ping any of the
existing interfaces. Which two configurations enable the local or remote router to ping the
loopback from any existing interface? (Choose two)
A. adding a static route for the VRF that points to the global route table
B. adding the loopback to the VRF
C. adding dynamic routing between the two routers and advertising the loopback
D. adding the IP address of the loopback to the export route targets for the VRF
E. adding a static route for the VRF that points to the loopback interface
F. adding all interfaces to the global and VRF routing tables
Answer: A B
Explanation
This question is not clear because we have to configure a static route pointing to the global
routing table while it states that "all interfaces are in the same VRF". But we should
understand that both outside and inside interfaces want to ping the loopback interface.
Question 8
Which two routing protocols are supported by Easy Virtual Network? (Choose two)
A. RIPv2
B. OSPFv2
C. BGP
D. EIGRP
E. IS-IS
Answer: B D
Explanation
EVN supports IPv4, static routes, Open Shortest Path First version 2 (OSPFv2), and
Enhanced Interior Gateway Routing Protocol (EIGRP) for unicast routing, and Protocol
Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) for IPv4
Multicast routing. EVN also supports Cisco Express Forwarding (CEF) and Simple Network
Management Protocol (SNMP).
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html
Question 9
Answer: C
Explanation
A route-target is tagged onto each VPN prefix when it is exported. In other words, when a prefix is
exported with a route-target, an extended BGP community is attached to that prefix. If this
community matches the (import) route-target of the receiving side then the prefix is
imported into the receiving VRF.
Question 10
A. Easy Trunk
B. dot1e
C. virtual network trunk
D. VNET tags
E. MBGP
Answer: C
Explanation
Easy Virtual Network (EVN) is an IP-based virtualization technology that provides end-to-
end virtualization of two or more Layer-3 networks. You can use a single IP infrastructure to
provide separate virtual networks whose traffic paths remain isolated from each other.
An EVN trunk interface connects VRF-aware routers together and provides the core with a
means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is
used to de-multiplex the packet into the corresponding EVN. A trunk interface has one
subinterface for each EVN. The vnet trunk command is used to define an interface as an EVN
trunk interface.
In other words, EVN trunk interfaces allow multiple VRFs to use the same physical
interfaces for transmission but the data of each VRF is treated separately. Without EVN trunk
interfaces we need to create many subinterfaces. Therefore virtual network trunk (VNET)
decreases the network configuration required.
Question 1
Cisco EVN related question, a network engineer implemented Cisco EVN. Which feature
implements shared services support?
A. Edge interfacing
B. Tunnel feedback
C. Route replication
D. Route redistribution
Answer: C
Explanation
Route replication allows shared services because routes are replicated between virtual
networks and clients who reside in one virtual network can reach prefixes that exist in
another virtual network.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-shared-svcs.html
Question 2
Answer: B
Question 3
Answer: A E
Explanation
Path isolation can be achieved by using a unique tag for each Virtual Network (VN) ->
Answer A is correct.
Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q
is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a
VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged
packets carrying the VLAN ID are not EVN packets and could be transported over the same
trunk interfaces -> Answer E is correct.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-
vpns-l3vpn/whitepaper_c11-638769.html
Question 4
Refer to the exhibit. R1 is unable to ping interface S0/0 of R2. What is the issue with the
configuration that is shown here?
Answer: E
Explanation
We are trying to ping 192.168.1.2 in VRF Yellow, but the Serial0/0 interfaces of both
routers do not belong to this VRF, so the ping fails. We need to configure the S0/0 interfaces with
"ip vrf forwarding Yellow" (under interface S0/0) in order to put these interfaces into
VRF Yellow.
Question 5
After reviewing the EVN configuration, a network administrator notices that a predefined
EVN, which is known as "vnet global", was configured. What is the purpose of this EVN?
(OR) What is the purpose of "vnet global"?
A. It defines the routing scope for each particular EVN edge interface.
B. It aggregates and carries all dot1q tagged traffic.
C. It refers to the global routing context and corresponds to the default RIB.
D. It safeguards the virtual network that is preconfigured to avoid mismatched routing
instances.
Answer: C
Question 6
show ip vrf
A. show the vrf present in the route and their associated route distinguisher
B. Displays IP routing table information associated with a VRF
C. Shows routing protocol information associated with a VRF.
D. Displays the ARP table (static and dynamic entries) in the specified VRF.
Answer: A
Question 7
Which two statements about route targets that are configured with VRF-Lite are true?
(Choose two)
Answer: B C
Explanation
Answers A & F are not correct as only the route distinguisher (RD) identifies the customer routing
table and "allows customers to be assigned overlapping addresses".
Answer E is not correct as "When BGP is configured, route targets are transmitted as BGP
extended communities".
Question 8
Answer: C E
Explanation
With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple
VRFs) between two routers you need to create a subinterface for each VRF on each router ->
VRF-Lite requires subinterfaces. However, with Cisco EVN, you instead create a trunk
(called a Virtual Network (VNET) trunk) between the routers. Then, traffic for multiple
virtual networks can travel over that single trunk interface, which uses tags to identify the
virtual networks to which packets belong.
Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual
router instances, and both technologies allow routes from one VRF to be selectively leaked to
other VRFs. However, a major difference is the way that two physical routers interconnect.
With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF.
However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies
configuration.
Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
All EVNs within a trunk interface share the same IP infrastructure as they are on the same
physical interface -> Answer C is correct.
With EVNs, a trunk interface is shared among VRFs so each command configured under this
trunk is applied by all EVNs -> Answer E is correct.
Question 9
A. DLCI
B. route target
C. virtual network tag
D. VLAN ID
Answer: C
Question 10
How does an EVN provide end-to-end virtualization and separation of data traffic from
multiple networks?
Answer: C
IPv6 Questions
https://www.digitaltut.com/ipv6-questions
Question 1
Which method allows IPv4 and IPv6 to work together without requiring both to be used for a
single connection during the migration process?
A. dual-stack method
B. 6to4 tunneling
C. GRE tunneling
D. NAT-PT
Answer: A
Explanation
Dual-stack method is the most common technique which only requires edge routers to run
both IPv4 and IPv6 while the inside routers only run IPv4. At the edge network, IPv4 packets
are converted to IPv6 packets before sending out.
6to4 tunnel is a technique which relies on reserved address space 2002::/16 (you must
remember this range). These tunnels determine the appropriate destination address by
combining the IPv6 prefix with the globally unique destination 6to4 border router's IPv4
address, beginning with the 2002::/16 prefix, in this format:
2002:border-router-IPv4-address::/48
For example, if the border-router-IPv4-address is 64.101.64.1, the tunnel interface will have
an IPv6 prefix of 2002:4065:4001:1::/64, where 4065:4001 is the hexadecimal equivalent of
64.101.64.1. This technique allows IPv6 sites to communicate with each other over the IPv4
network without explicit tunnel setup but we have to implement it on all routers on the path.
Question 2
Answer: C
Explanation
Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4
infrastructure (a core network or the Internet). By using overlay tunnels, you can
communicate with isolated IPv6 networks without upgrading the IPv4 infrastructure between
them. Overlay tunnels can be configured between border routers or between a border router
and a host; however, both tunnel endpoints must support both the IPv4 and IPv6 protocol
stacks.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/i
p6-tunnel.html
Question 3
A router with an interface that is configured with ipv6 address autoconfig also has a link-
local address assigned. Which message is required to obtain a global unicast address when a
router is present?
A. DHCPv6 request
B. router-advertisement
C. neighbor-solicitation
D. redirect
Answer: B
Explanation
In Stateless Configuration mode, hosts listen for Router Advertisement (RA) messages
which are transmitted periodically from the router (DHCP Server). This RA message allows a
host to create a global IPv6 address from:
+ Its interface identifier (EUI-64 address)
+ Link Prefix (obtained via RA)
Note: Global address is the combination of Link Prefix and EUI-64 address
Question 4
An engineer has configured a router to use EUI-64, and was asked to document the IPv6
address of the router. The router has the following interface parameters:
A. 2001:DB8:0:1:C601:42FF:FE0F:7
B. 2001:DB8:0:1:FFFF:C601:420F:7
C. 2001:DB8:0:1:FE80:C601:420F:7
D. 2001:DB8:0:1:C601:42FE:800F:7
Answer: A
Explanation
The IPv6 EUI-64 format address is obtained from the 48-bit MAC address. The MAC
address is first separated into two 24-bit halves, one being the OUI (Organizationally Unique
Identifier) and the other being NIC specific. The 16-bit value 0xFFFE is then inserted between
these two halves to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value
which can only appear in an EUI-64 generated from an EUI-48 MAC address.
In this question, the MAC address C601.420F.0007 is divided into two 24-bit parts, which are
"C60142" (OUI) and "0F0007" (NIC). Then "FFFE" is inserted in the middle. Therefore we
have the address: C601.42FF.FE0F.0007.
Then, according to RFC 3513 we need to invert the Universal/Local bit ("U/L" bit) in the
7th position of the first octet. The "u" bit is set to 1 to indicate Universal, and it is set to zero
(0) to indicate local scope. In this case we don't need to set this bit to 1 because it is already 1
(C6 = 11000110).
Question 5
For security purposes, an IPv6 traffic filter was configured under various interfaces on the
local router. However, shortly after implementing the traffic filter, OSPFv3 neighbor
adjacencies were lost. What caused this issue?
Answer: C
Question 6
A company's corporate policy has been updated to require that stateless, 1-to-1, and IPv6 to
IPv6 translations at the Internet edge are performed. What is the best solution to ensure
compliance with this new policy?
A. NAT64
B. NAT44
C. NATv6
D. NPTv4
E. NPTv6
Answer: E
Explanation
NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6 and it supports
one-to-one translation between inside and outside addresses.
Question 7
A network engineer executes the "ipv6 flowset" command. What is the result?
Answer: A
Explanation
The command "ipv6 flowset" allows the device to track destinations to which the device has
sent packets that are 1280 bytes or larger.
Question 8
IPv6 has just been deployed to all of the hosts within a network, but not to the servers. Which
feature allows IPv6 devices to communicate with IPv4 servers?
A. NAT
B. NATng
C. NAT64
D. dual-stack NAT
E. DNS64
Answer: C
Explanation
Note:
NAT44 – NAT from IPv4 to IPv4
NAT66 – NAT from IPv6 to IPv6
NAT46 – NAT from IPv4 to IPv6
NAT64 – NAT from IPv6 to IPv4
Question 9
After you review the output of the command show ipv6 interface brief, you see that several
IPv6 addresses have the 16-bit hexadecimal value of "FFFE" inserted into the address. Based
on this information, what do you conclude about these IPv6 addresses?
A. IEEE EUI-64 was implemented when assigning IPv6 addresses on the device.
B. The addresses were misconfigured and will not function as intended.
C. IPv6 addresses containing "FFFE" indicate that the address is reserved for multicast.
D. The IPv6 universal/local flag (bit 7) was flipped.
E. IPv6 unicast forwarding was enabled, but IPv6 Cisco Express Forwarding was disabled.
Answer: A
Explanation
The IPv6 EUI-64 format address is obtained from the 48-bit MAC address. The MAC
address is first separated into two 24-bit halves, one being the OUI (Organizationally Unique
Identifier) and the other being NIC specific. The 16-bit value 0xFFFE is then inserted between
these two halves to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value
which can only appear in an EUI-64 generated from an EUI-48 MAC address.
Question 10
A packet capture log indicates that several router solicitation messages were sent from a local
host on the IPv6 segment. What is the expected acknowledgment and its usage?
A. Router acknowledgment messages will be forwarded upstream, where the DHCP server
will allocate addresses to the local host.
B. Routers on the IPv6 segment will respond with an advertisement that provides an external
path from the local subnet, as well as certain data, such as prefix discovery.
C. Duplicate Address Detection will determine if any other local host is using the same IPv6
address for communication with the IPv6 routers on the segment.
D. All local host traffic will be redirected to the router with the lowest ICMPv6 signature,
which is statically defined by the network administrator.
Answer: B
Explanation
IPv6 allows devices to configure their own IP addresses and other parameters automatically
without the need for a DHCP server. This method is called "IPv6 Stateless Address
Autoconfiguration" (in contrast to the server-based method using DHCPv6, called
"stateful"). In the Stateless Autoconfiguration method, a host sends a router solicitation to
request a prefix. The router then replies with a router advertisement (RA) message which
contains the prefix of the link. The host will use this prefix and its MAC address to create its own
unique IPv6 address.
Note:
+ RA messages are sent periodically and in response to device solicitation messages
+ In the absence of a router, a host can generate only link-local addresses. Link-local
addresses are only sufficient for allowing communication among nodes that are attached to
the same link
IPv6 Questions 2
https://www.digitaltut.com/ipv6-questions-2-2
Question 1
Answer: C
Question 2
Which two functions are completely independent when implementing NAT64 over NAT-PT?
(Choose two)
A. DNS
B. NAT
C. port redirection
D. stateless translation
E. session handling
Answer: A B
Question 3
Which two methods of deployment can you use when implementing NAT64? (Choose two)
A. stateless
B. stateful
C. manual
D. automatic
E. static
F. functional
G. dynamic
Answer: A B
Explanation
Address Family Translation (AFT) using NAT64 technology can be achieved by either
stateless or stateful means:
+ Stateless NAT64 is a translation mechanism for algorithmically mapping IPv6 addresses to
IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it does not maintain any
bindings or session state while performing translation, and it supports both IPv6-initiated and
IPv4-initiated communications.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation. It supports both
IPv6-initiated and IPv4-initiated communications using static or manual mappings.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/white_paper_c11-676278.html
Question 4
Router A and Router B are configured with IPv6 addressing and basic routing capabilities
using OSPFv3. The networks that are advertised from Router A do not show up in Router B's
routing table. After debugging IPv6 packets, the message "not a router" is found in the
output. Why is the routing information not being learned by Router B?
Answer: D
Question 5
Explanation
When a change is made to one of the IP header fields in the IPv6 pseudo-header checksum
(such as one of the IP addresses), the checksum field in the transport layer header may
become invalid. Fortunately, an incremental change in the area covered by the Internet
standard checksum [RFC1071] will result in a well-defined change to the checksum value
[RFC1624]. So, a checksum change caused by modifying part of the area covered by the
checksum can be corrected by making a complementary change to a different 16-bit field
covered by the same checksum.
Reference: https://tools.ietf.org/html/rfc6296
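The checksum-neutral adjustment described above, carried through in code as an added Python example (it is not code from the original page or from RFC 6296). It implements the /48 case: the one's-complement sums of the inside and outside prefixes are computed and their difference is added to the fourth 16-bit word (the subnet field), so the sum over the whole address, and therefore any TCP/UDP/ICMPv6 pseudo-header checksum that covers it, is unchanged. The prefixes FD01:203:405::/48 and 2001:DB8:1::/48 are constructed sample values, and normalising a resulting 0xFFFF word to 0x0000 is this example's own choice.

```python
import ipaddress


def words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an IPv6 address, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def ones_complement_sum(values) -> int:
    """Fold 16-bit words into a 16-bit one's-complement sum (Internet checksum arithmetic)."""
    total = sum(values)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_sum(address: str) -> int:
    """One's-complement sum over all 16 bytes of an address, the quantity NPTv6 must preserve."""
    return ones_complement_sum(words(ipaddress.IPv6Address(address)))


def nptv6_translate(address: str, inside: str, outside: str) -> ipaddress.IPv6Address:
    """Rewrite the /48 'inside' prefix to the /48 'outside' prefix in a checksum-neutral way.

    The prefix swap changes the one's-complement sum of the address; the difference is added
    to the fourth 16-bit word so that the sum over the whole address stays the same.
    """
    addr = ipaddress.IPv6Address(address)
    inside_net = ipaddress.IPv6Network(inside)
    outside_net = ipaddress.IPv6Network(outside)
    if inside_net.prefixlen != 48 or outside_net.prefixlen != 48:
        raise ValueError("this example handles the /48 case only")
    if addr not in inside_net:
        raise ValueError(f"{addr} is not inside {inside_net}")
    w = words(addr)
    old_sum = ones_complement_sum(words(inside_net.network_address)[:3])
    new_sum = ones_complement_sum(words(outside_net.network_address)[:3])
    # old_sum - new_sum in one's-complement arithmetic: add the complement of new_sum.
    adjustment = ones_complement_sum([old_sum, (~new_sum) & 0xFFFF])
    subnet = ones_complement_sum([w[3], adjustment])
    if subnet == 0xFFFF:      # 0xFFFF and 0x0000 are the same value in one's complement;
        subnet = 0x0000       # this example writes the zero form (its own convention)
    new_words = words(outside_net.network_address)[:3] + [subnet] + w[4:]
    value = 0
    for word in new_words:
        value = (value << 16) | word
    return ipaddress.IPv6Address(value)


if __name__ == "__main__":
    # Constructed sample prefixes and host address, not taken from the page.
    inside_addr = "FD01:203:405:1::1234"
    outside_addr = nptv6_translate(inside_addr, "FD01:203:405::/48", "2001:DB8:1::/48")
    print(outside_addr)                                     # 2001:db8:1:d550::1234
    print(hex(address_sum(inside_addr)), hex(address_sum(str(outside_addr))))  # equal sums
    print(nptv6_translate(str(outside_addr), "2001:DB8:1::/48", "FD01:203:405::/48"))
```

Translating back through the same function with the prefixes swapped recovers the original subnet word, which is why a stateless translator needs no per-flow table: both directions are pure arithmetic on the address.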
Question 6
Answer: B
Question 7
Which IPv6 address type is seen as the next-hop address in the output of the show ipv6 rip
RIPng database command?
A. link-local
B. global
C. site-local
D. anycast
E. multicast
Answer: A
Explanation
Link-local addresses are always configured with the FE80::/64 prefix. Most routing protocols
use the link-local address for a next-hop.
Question 8
Refer to the exhibit. The command is executed while configuring a point-to-multipoint Frame
Relay interface. Which type of IPv6 address is portrayed in the exhibit?
frame-relay map ipv6 FE80::102 102
A. link-local
B. site-local
C. global
D. multicast
Answer: A
Explanation
A link-local address is an IPv6 unicast address that can be automatically configured on any
interface using the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in
the modified EUI-64 format. Link-local addresses are not necessarily bound to the MAC
address (configured in an EUI-64 format). Link-local addresses can also be manually
configured in the FE80::/10 format using the ipv6 address link-local command.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113328-ipv6-
lla.html
Question 9
If IPv6 is configured with default settings on all interfaces on the router, which two dynamic
IPv6 addressing mechanisms could you use on end hosts to provide end-to-end connectivity?
(Choose two)
A. EUI-64
B. SLAAC
C. DHCPv6
D. BOOTP
Answer: A B
Explanation
Stateless Address Autoconfiguration (SLAAC) is a method in which the host or router
interface is assigned a 64-bit prefix, and then the last 64 bits of its address are derived by the
host or router with the help of the EUI-64 process.
Question 10
Answer: B
Question 11
The enterprise network WAN link has been receiving several denial of service attacks from
both IPv4 and IPv6 sources. Which three elements can you use to identify an IPv6 packet via
its header, in order to filter future attacks? (Choose three)
A. Traffic Class
B. Source address
C. Flow Label
D. Hop Limit
E. Destination Address
F. Fragment Offset
Answer: A C D
Explanation
The Flow Label field (20 bits) was originally created for giving real-time applications special
service. The flow label, when set to a non-zero value, now serves as a hint to routers and
switches with multiple outbound paths that these packets should stay on the same path so that
they will not be reordered. It has further been suggested that the flow label be used to help
detect spoofed packets.
The Hop Limit field (8 bits) is similar to the Time to Live field in the IPv4 packet header.
The value of the Hop Limit field specifies the maximum number of routers that an IPv6
packet can pass through before the packet is considered invalid. Each router decrements the
value by one. Because no checksum is in the IPv6 header, the router can decrease the value
without needing to recalculate the checksum, which saves processing resources.
IPv6 Questions 3
https://www.digitaltut.com/ipv6-questions-3-2
Question 1
Refer to the exhibit. When summarizing these routes, which route is the summarized route?
A. OI 2001:DB8::/48 [110/100] via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
B. OI 2001:DB8::/24 [110/100] via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
C. OI 2001:DB8::/32 [110/100] via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
D. OI 2001:DB8::/64 [110/100] via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
Answer: A
Explanation
We need to summarize three IPv6 prefixes with a /64 subnet mask, so the summarized route
should have a shorter prefix length. As we can see, all four answers have the same
summarized route of 2001:DB8::, so /48 is the best choice.
Note: An IPv6 address consists of 8 fields of 16 bits each (8×16 = 128). All the above prefixes start with
2001:DB8:0 (16 bits x 3 = 48) so we need at least a /48 mask to summarize them.
Question 2
What type of IPv6 packet will indicate traffic from single host and single node?
A. multicast
B. unicast
C. broadcast
D. anycast
Answer: B
Question 3
Considering the IPv6 address independence requirements, which process do you avoid when
you use NPTv6 for translation?
Question 4
An engineer is using a network sniffer to troubleshoot DHCPv6 between a router and hosts
on the LAN with the following configuration:
interface Ethernet0
ipv6 dhcp server DHCPSERVERPOOL rapid-commit
!
Which two DHCPv6 messages will appear in the sniffer logs?
A. reply
B. request
C. advertise
D. acknowledge
E. solicit
F. accept
Answer: A E
Explanation
DHCPv6 can be implemented in two ways: Rapid-Commit and Normal-Commit mode. In
Rapid-Commit mode, the DHCP client obtains configuration parameters from the server
through a rapid two-message exchange (solicit and reply).
The "solicit" message is sent out by the DHCP client to verify that there is a DHCP server
available to handle its requests.
The "reply" message is sent out by the DHCP server to the DHCP client, and it contains the
"configurable information" that the DHCP client requested.
Just for your information, in Normal-Commit mode, the DHCP client uses a four-message
exchange (solicit, advertise, request and reply). By default normal-commit is used.
Question 5
What are two limitations when in use of NPTv6 for IPV6 vs IPV6 Address translation?
(Choose two)
Explanation
Question 6
A. 6ND
B. 6RD
C. 6VPE
D. VRF-Lite
E. DS-Lite
F. Dual-stack
Answer: B E
Question 7
An EUI-64 bit address is formed by adding a reserved 16-bit value in which position of the
MAC address?
A. between the vendor OID and the NIC-specific part of the MAC address.
B. after the NIC-specific part of the MAC address.
C. before the vendor OID part of the MAC address.
D. anywhere in the Mac address, because the value that is added is reserved.
Answer: A
Question 8
An EUI-64 bit address is formed by inserting which 16-bit value into the MAC address of a
device?
A. 3FFE
B. FFFE
C. FF02
D. 2001
Answer: B
Question 9
Refer to the exhibit. Routers R1 and R2 are IPv6 BGP peers that have been configured to
support a neighbor relationship over an IPv4 internetwork. Which three neighbor IP
addresses are valid choices to use in the highlighted section of the exhibit? (Choose three)
A. ::0A43:0002
B. 0A43:0002::
C. ::10.67.0.2
D. 10.67.0.2::
E. 0:0:0:0:0:0:10.67.0.2
F. 10.67.0.2:0:0:0:0:0:0
Answer: A C E
Explanation
The automatic tunneling mechanism uses a special type of IPv6 address, termed an "IPv4-
compatible" address. An IPv4-compatible address is identified by an all-zeros 96-bit prefix,
and holds an IPv4 address in the low-order 32 bits. IPv4-compatible addresses are structured
as follows:
Therefore, an IPv4 address of 10.67.0.2 will be written as ::10.67.0.2 or 0:0:0:0:0:0:10.67.0.2
or ::0A43:0002 (with 10[decimal] = 0A[hexa]; 67[decimal] = 43[hexa]; 0[decimal] =
0[hexa]; 2[decimal] = 2[hexa])
Question 10
Which of the following address types are associated with IPv6? (Choose three)
A. Unicast
B. Private
C. Broadcast
D. Public
E. Multicast
F. Anycast
Answer: A E F
IPv6 Questions 4
https://www.digitaltut.com/ipv6-questions-4-2
Question 1
Which statement is true about IPv6?
Answer: C
Question 2
What is IPv6 router solicitation?
Question 3
Which statement describes the difference between a manually configured IPv6 in IPv4 tunnel
versus an automatic 6to4 tunnel?
Answer: B
Explanation
An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network
to remote IPv6 networks. The key difference between automatic 6to4 tunnels and manually
configured tunnels is that the tunnel is not point-to-point; it is point-to-multipoint -> it allows
multiple IPv4 destinations -> B is correct.
A is not correct because a manually configured tunnel is point-to-point -> it only allows one IPv4 destination.
Configuring 6to4 (manual and automatic) requires dual-stack routers (which support both
IPv4 & IPv6) at the tunnel endpoints because they are border routers between IPv4 & IPv6
networks.
(Reference: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-
tunnel_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055515)
Question 4
Which two statements are true about using IPv4 and IPv6 simultaneously on a network
segment? (Choose two)
A. Hosts can be configured to receive both IPv4 and IPv6 addresses via DHCP.
B. Host configuration: options for IPv4 can be either statically assigned or assigned via
DHCP. Host configuration: options for IPv6 can be statically assigned only.
C. IPv6 allows a host to create its own IPv6 address that will allow it to communicate to other
devices on a network configured via DHCP. IPv4 does not provide a similar capability for
hosts.
D. IPv4 and IPv6 addresses can be simultaneously assigned to a host but not to a router
interface.
E. IPv6 provides for more host IP addresses but IPv4 provides for more network addresses.
Answer: A C
Question 5
By default, which type of IPv6 address is used to build the EUI-64 bit format?
A. unique-local address
B. IPv4-compatible IPv6 address
C. link-local address
D. aggregatable-local address
Answer: ?
Explanation
In fact this question has no correct answer. The IPv6 EUI-64 format address is obtained
from the 48-bit MAC address. The MAC address is first separated into two 24-bit halves, with
one being the OUI (Organizationally Unique Identifier) and the other being NIC specific. The
16-bit value 0xFFFE is then inserted between these two halves to form the 64-bit EUI address. IEEE
has chosen FFFE as a reserved value which can only appear in an EUI-64 generated from an
EUI-48 MAC address.
For example, the MAC address C601.420F.0007 is divided into two 24-bit parts, which are
"C60142" (OUI) and "0F0007" (NIC). Then "FFFE" is inserted in the middle. Therefore we
have the address: C601.42FF.FE0F.0007.
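The EUI-64 construction in this explanation (and in Questions 4 and 9 of the first IPv6 section above) carried through in code, as an added Python example that is not from the original page. It follows RFC 4291 Appendix A: insert FFFE between the OUI and NIC halves, then invert the universal/local bit (bit 7 of the first octet). It also includes the reverse check behind Question 9, whether an address carries the FFFE marker, and recovers the MAC from such an address. The MAC 00:1B:63:84:45:E6 and the prefixes used are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Build a modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    Accepts "00:1B:63:84:45:E6", "00-1B-63-84-45-E6" or Cisco "001B.6384.45E6" notation.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split into the 24-bit OUI and the 24-bit NIC-specific part, insert 0xFFFE between them.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Invert the universal/local bit (bit 7 of the first octet, value 0x02). A globally
    # unique (universal) MAC has this bit clear, so it becomes 1 in the identifier.
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (link prefix from an RA, or fe80::/64) with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def looks_like_eui64(address: str) -> bool:
    """True when bits 24-39 of the interface identifier are 0xFFFE, the EUI-64 marker."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(address: str) -> str:
    """Recover the MAC from an EUI-64-derived address: drop FFFE, re-invert the U/L bit."""
    if not looks_like_eui64(address):
        raise ValueError("interface identifier does not carry the FFFE marker")
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    mac = "00:1B:63:84:45:E6"  # constructed sample MAC, not one from the page
    print(eui64_address("2001:DB8:0:1::/64", mac))  # 2001:db8:0:1:21b:63ff:fe84:45e6
    print(eui64_address("FE80::/64", mac))          # fe80::21b:63ff:fe84:45e6
    print(looks_like_eui64("2001:db8::1"))           # False
    print(mac_from_eui64("fe80::21b:63ff:fe84:45e6"))  # 00:1B:63:84:45:E6
```

Because the derivation is reversible, an EUI-64 address exposes the interface's MAC (and vendor OUI) to anyone who sees the address, which is why privacy extensions (RFC 4941) randomise the identifier instead.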
Question 6
Refer to the exhibit. Given the partial configuration in the exhibit, which IPv6 statement is
true?
Answer: C
Explanation
6to4 tunnel is a technique which relies on reserved address space 2002::/16 (you must
remember this range). These tunnels determine the appropriate destination address by
combining the IPv6 prefix with the globally unique destination 6to4 border router's IPv4
address, beginning with the 2002::/16 prefix, in this format:
2002:border-router-IPv4-address::/48
For example, if the border-router-IPv4-address is 192.168.99.1, the tunnel interface will have
an IPv6 prefix of 2002:C0A8:6301::/64, where C0A8:6301 is the hexadecimal equivalent of
192.168.99.1.
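The 2002::/16 computation above (also used in Question 1 of the first IPv6 section) and the IPv4-compatible ::a.b.c.d form from Question 9 of IPv6 Questions 3, as an added Python example that is not from the original page. It builds the 6to4 /48, and a /64 inside it, from a border router's IPv4 address, and decodes the embedded IPv4 address from either form. The IPv4 addresses 64.101.64.1, 192.168.99.1 and 10.67.0.2 are the page's own sample values; the subnet id is a constructed one.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
IPV4_COMPATIBLE = ipaddress.IPv6Network("::/96")  # all-zeros 96-bit prefix, IPv4 in the low 32 bits


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Derive the 2002:<ipv4-as-hex>::/48 prefix that a 6to4 border router announces."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 2002 occupies bits 112-127; the IPv4 address fills bits 80-111 (the next two words).
    return ipaddress.IPv6Network((int(SIX_TO_FOUR.network_address) | (v4 << 80), 48))


def six_to_four_subnet(ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One /64 inside a site's 6to4 /48; subnet_id occupies bits 64-79 (the fourth word)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    base = six_to_four_prefix(ipv4)
    return ipaddress.IPv6Network((int(base.network_address) | (subnet_id << 64), 64))


def ipv4_compatible(ipv4: str) -> ipaddress.IPv6Address:
    """The ::a.b.c.d form (RFC 4291 'IPv4-compatible' address) used by automatic tunnels."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4)))


def embedded_ipv4(address: str):
    """Return the IPv4 address a 6to4 or IPv4-compatible address carries, or None."""
    addr = ipaddress.IPv6Address(address)
    if addr in SIX_TO_FOUR:
        return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    # :: (unspecified) and ::1 (loopback) sit in ::/96 but carry no IPv4 address.
    if addr in IPV4_COMPATIBLE and int(addr) > 1:
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    print(six_to_four_prefix("64.101.64.1"))        # 2002:4065:4001::/48
    print(six_to_four_subnet("192.168.99.1", 1))    # 2002:c0a8:6301:1::/64 (subnet id 1 is constructed)
    print(ipv4_compatible("10.67.0.2"))             # ::a43:2
    # The three valid spellings from Question 9 all parse to the same address:
    for spelling in ("::0A43:0002", "::10.67.0.2", "0:0:0:0:0:0:10.67.0.2"):
        print(spelling, "->", embedded_ipv4(spelling))  # 10.67.0.2
```

The decode is the same thing a 6to4 relay does when it picks the IPv4 tunnel destination out of the packet's IPv6 destination address, and it is also why these addresses leak the site's public IPv4 address to every IPv6 peer. Python's `ipaddress.IPv6Address` also exposes a `sixtofour` property that performs the 2002::/16 decode.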
Question 7
Answer: A
RIPng Questions
https://www.digitaltut.com/ripng-questions
Question 1
Answer: A
Explanation
The default timers of RIP and RIPng are the same. The meanings of these timers are
described below:
Update: how often the router sends updates. The default update timer is 30 seconds.
Invalid (also called Expire): how much time must pass since the last valid update before a route becomes
invalid and is placed into holddown. The default invalid timer is 180
seconds.
Holddown: if RIP receives an update with a hop count (metric) higher than the hop count
recorded in the routing table, RIP does not "believe" that update. The default holddown timer
is 180 seconds.
Flush: how much time since the last valid update until RIP deletes that route from its routing
table. The default flush timer is 240 seconds.
Question 2
Answer: A
Question 3
Answer: A
Question 4
Which IPv6 address type does RIPng use for next-hop addresses?
A. Global
B. Site-local
C. Any Cast
D. Link-local
E. Multicast
Answer: D
Question 5
Answer: C
Question 6
A. router(config-riping)#
B. router(config-rtr)#
C. router(config-if)#
D. router(config)#
Answer: B
Explanation
This is how to disable split horizon processing for the IPv6 RIP routing process named
digitaltut:
Note: For RIP (IPv4), we have to disable/enable split horizon in interface mode. For example:
Router(config-if)# ip split-horizon
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-
book/ipv6-s6.html
Question 7
A. router(config)#
B. router(config-if)#
C. router(config-router)#
D. router(config-rtr)#
Answer: D
Explanation
Security Questions
https://www.digitaltut.com/security-questions
Question 1
Answer: D
Explanation
RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to
decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate
authentication solutions that can still use TACACS+ for authorization and accounting. For
example, with TACACS+, it is possible to use Kerberos authentication and TACACS+
authorization and accounting. After a NAS authenticates on a Kerberos server, it requests
authorization information from a TACACS+ server without having to re-authenticate. The
NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos
server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks
with a TACACS+ server to determine if the user is granted permission to use a particular
command. This provides greater control over the commands that can be executed on the
access server while decoupling from the authentication mechanism.
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-
dial-user-service-radius/13838-10.html
Question 2
Which two statements about AAA implementation in a Cisco router are true? (Choose two)
Answer: B D
Explanation
Both RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal
Access Controller Access-Control System Plus) are the main protocols to provide
Authentication, Authorization, and Accounting (AAA) services on network devices.
Both RADIUS and TACACS+ support accounting of commands. Command accounting
provides information about the EXEC shell commands for a specified privilege level that are
being executed on a network access server. Each command accounting record includes a list
of the commands executed for that privilege level, as well as the date and time each
command was executed, and the user who executed it.
For example, to send accounting messages to the TACACS+ accounting server when you
enter any command other than show commands at the CLI, use the aaa accounting
command command in global configuration mode.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.
html
Question 3
A. Uses UDP
B. Encrypts an entire packet
C. Offers robust accounting
D. Cisco-proprietary
Answer: B D
Explanation
TACACS+ encrypts the entire body of the packet (but leaves a standard TACACS+ header).
Question 4
What are two options for authenticating a user who is attempting to access a network device?
(Choose two)
A. CHAP
B. RADIUS
C. 802.1x
D. PAP
E. TACACS+
Answer: B E
Question 5
A. telnet
B. authentication
C. accounting
D. authorization
E. SSH
Answer: B D
Question 6
A. telnet
B. SSH
C. Authentication
D. Authorization
E. Accounting
Answer: C D
Explanation
RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to
decouple authentication and authorization.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-
dial-user-service-radius/13838-10.html
Question 1
Explanation
The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against
malformed or "spoofed" IP packets passing through a router. A spoofed IP address is one that
is manipulated to have a forged IP source address. Unicast RPF enables the administrator to
drop packets that lack a verifiable source IP address at the router.
Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks
packets that arrive inbound on the interface to see whether the source address matches the
receiving interface. Cisco Express Forwarding (CEF) is required on the router because the
Forwarding Information Base (FIB) is the mechanism checked for the interface match.
Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition
Question 2
Which address is used by the Unicast Reverse Path Forwarding protocol to validate a packet
against the routing table?
A. source address
B. destination address
C. router interface
D. default gateway
Answer: A
Explanation
When Unicast Reverse Path Forwarding is enabled, the router checks packets that arrive
inbound on the interface to see whether the source address matches the receiving interface.
Question 3
A. (config)#ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx allow-default
B. (config)#ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx
C. (config)#no ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx
D. (config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via any
Answer: A
Explanation
Normally, uRPF will not allow traffic that only matches the default route. The "allow-
default" keyword overrides this behavior, so uRPF allows traffic that matches the default
route to pass through.
In answer A, the "ip verify unicast source reachable-via rx allow-default" command under
interface Fa0/0 enables uRPF strict mode on Fa0/0. Therefore traffic from the 172.16.1.0/24
network (and any other traffic) can go through this interface except the 10.0.0.0/8 network, because
this network is matched on the Fa0/1 interface only. The network 10.0.0.0/8 can only enter the TUT
router from Fa0/1, thus "limiting spoofed 10.0.0.0/8 hosts that could enter router".
Question 4
Explanation
Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming
packets. If it matches with the interface used to reach this source IP then the packets are
allowed to enter (strict mode).
Question 5
Which mode of uRPF causes a router interface to accept a packet, if the network to which the
packet's source IP address belongs is found in the router's FIB?
A. Strict mode
B. Loose mode
C. Auto mode
D. Desirable mode
Answer: B
Explanation
Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming
packets. If the source IP address is reachable through the interface on which the packet
arrived, the packet is allowed to enter (strict mode).
Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks
packets that arrive inbound on the interface to see whether the source address matches the
receiving interface. Cisco Express Forwarding (CEF) is required on the router because the
Forwarding Information Base (FIB) is the mechanism checked for the interface match.
Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition
This question only mentions that "the network to which the packet's source IP address
belongs is found in the router's FIB", so loose mode will surely accept this packet.
Question 6
When Unicast Reverse Path Forwarding is configured on an interface, which action does the
interface take first when it receives a packet?
Answer: A
Explanation
When a packet is received at the interface where Unicast RPF and ACLs have been
configured, the following actions occur:
Step 1: Input ACLs configured on the inbound interface are checked.
Step 2: Unicast RPF checks to see if the packet has arrived on the best return path to the
source, which it does by doing a reverse lookup in the FIB table.
Step 3: CEF table (FIB) lookup is carried out for packet forwarding.
Step 4: Output ACLs are checked on the outbound interface.
Step 5: The packet is forwarded.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf.html
Question 7
Which command sequence can you enter on a router to configure Unicast Reverse Path
Forwarding in loose mode?
A. interface GigabitEthernet0/0
ip verify unicast source reachable-via all
B. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose
C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any
D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx
Answer: C
Question 8
What option can be used for uRPF in loose mode on the command "ip verify unicast source
reachable-via"?
A. rx
B. any
C. allow-default
Answer: B
Explanation
The command "ip verify unicast source reachable-via any" enables uRPF in loose mode,
which only checks that the router has a matching entry for the source in the routing table.
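The strict/loose/allow-default behaviour discussed in Questions 3, 4, 5 and 8 can be modelled with a small FIB lookup. The following is an added example, not code from digitaltut or from Cisco IOS: it builds a constructed FIB for a hypothetical router named TUT (prefixes and interfaces chosen to match the topology the Question 3 explanation describes, with the default route assumed to point out Fa0/0) and evaluates a source address against it the way the "ip verify unicast source reachable-via rx | any [allow-default]" command would.

```python
import ipaddress

# Constructed FIB for a hypothetical router named TUT: (prefix, outgoing interface).
# 10.0.0.0/8 is reachable only through Fa0/1, 172.16.1.0/24 through Fa0/0, and the
# default route is assumed to point out Fa0/0.
FIB = [
    (ipaddress.ip_network("172.16.1.0/24"), "Fa0/0"),
    (ipaddress.ip_network("10.0.0.0/8"), "Fa0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "Fa0/0"),   # default route
]


def fib_lookup(src, fib=FIB):
    """Longest-prefix match for a source address; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(src, ingress, mode="rx", allow_default=False, fib=FIB):
    """Return True if uRPF accepts a packet with source address src received on ingress.

    mode="rx"  models 'reachable-via rx' (strict mode): the best return path to the source
               must leave through the receiving interface.
    mode="any" models 'reachable-via any' (loose mode): any FIB entry covering the source
               is enough, whichever interface it points to.
    allow_default models the 'allow-default' keyword: without it, a source covered only by
               the default route fails the check in either mode.
    """
    hit = fib_lookup(src, fib)
    if hit is None:
        return False                      # no route back to the source at all
    prefix, iface = hit
    if prefix.prefixlen == 0 and not allow_default:
        return False                      # matched nothing but the default route
    if mode == "any":
        return True
    if mode == "rx":
        return iface == ingress
    raise ValueError("mode must be 'rx' or 'any'")


def evaluate(packets, **kwargs):
    """Apply one uRPF setting to a list of (src, ingress) pairs; returns the accept flags."""
    return [urpf_check(src, ingress, **kwargs) for src, ingress in packets]


# Constructed packets; the 10.1.1.1 source arriving on Fa0/0 is the spoofed case from Question 3.
SAMPLES = [("172.16.1.5", "Fa0/0"), ("10.1.1.1", "Fa0/0"), ("10.1.1.1", "Fa0/1"),
           ("203.0.113.9", "Fa0/0")]

if __name__ == "__main__":
    print("strict:              ", evaluate(SAMPLES, mode="rx"))
    print("strict allow-default:", evaluate(SAMPLES, mode="rx", allow_default=True))
    print("loose:               ", evaluate(SAMPLES, mode="any"))
```

Strict mode drops the 10.1.1.1 packet on Fa0/0 because the FIB's best path back to 10.0.0.0/8 is Fa0/1; loose mode accepts it because a route exists at all. The 203.0.113.9 source is covered only by the default route, so it is dropped unless allow-default is set.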
Question 9
Which command sequence can you enter on a router to configure Unicast Reverse Path
Forwarding in loose mode?
A. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose.
B. interface GigabitEthernet0/0
ip verify unicast source reachable-via all.
C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any.
D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx.
Answer: C
Question 10
Answer: A
IP Services Questions
https://www.digitaltut.com/ip-services-questions
Question 1
A. discover messages
B. DHCP messages where the source MAC and client MAC do not match
C. traffic from a trusted DHCP server to client
D. DHCP messages where the destination MAC and client MAC do not match
Answer: B
Explanation
The switch validates DHCP packets received on the untrusted interfaces of VLANs with
DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following
conditions occur (in which case the packet is dropped):
+ The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
+ The switch receives a packet on an untrusted interface, and the source MAC address and
the DHCP client hardware address do not match. This check is performed only if the DHCP
snooping MAC address verification option is turned on.
+ The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted
host with an entry in the DHCP snooping binding table, and the interface information in the
binding table does not match the interface on which the message was received.
+ The switch receives a DHCP packet that includes a relay agent IP address that is not
0.0.0.0.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1101946
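The four drop conditions above can be written out as a validation function and exercised against constructed frames. This is an added example, not code from digitaltut or from the Cisco switch; the frame fields, port names, MAC addresses and binding table are all constructed for illustration.

```python
from dataclasses import dataclass

# DHCP message types that only a server sends; on an untrusted port they are dropped.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpFrame:
    msg_type: str             # DHCP message type, e.g. "DHCPDISCOVER"
    src_mac: str              # Ethernet source MAC address
    client_mac: str           # chaddr (client hardware address) inside the DHCP payload
    ingress_port: str         # switch port the frame arrived on
    giaddr: str = "0.0.0.0"   # relay agent IP address field


def snooping_decision(frame, trusted_ports, binding_table, mac_verify=True):
    """Return (forward, reason) for one frame, applying the drop conditions listed above.

    trusted_ports: set of port names configured as trusted (server-facing).
    binding_table: dict client_mac -> port, the DHCP snooping binding table.
    mac_verify:    whether DHCP snooping MAC address verification is turned on.
    """
    if frame.ingress_port in trusted_ports:
        return True, "trusted port: not validated"
    if frame.msg_type in SERVER_MESSAGES:
        return False, "server message from an untrusted port"
    if mac_verify and frame.src_mac.lower() != frame.client_mac.lower():
        return False, "source MAC does not match client hardware address"
    if frame.msg_type in {"DHCPRELEASE", "DHCPDECLINE"}:
        bound_port = binding_table.get(frame.client_mac.lower())
        if bound_port is not None and bound_port != frame.ingress_port:
            return False, "release/decline from a port other than the binding's port"
    if frame.giaddr != "0.0.0.0":
        return False, "relay agent address set on an untrusted port"
    return True, "ok"


# Constructed state: one trusted uplink and one learned binding.
TRUSTED = {"Gi1/0/24"}
BINDINGS = {"00:11:22:33:44:55": "Gi1/0/1"}

# Constructed frames, one per condition.
SAMPLES = [
    DhcpFrame("DHCPDISCOVER", "00:11:22:33:44:55", "00:11:22:33:44:55", "Gi1/0/1"),   # normal client
    DhcpFrame("DHCPOFFER", "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "Gi1/0/2"),      # rogue server
    DhcpFrame("DHCPDISCOVER", "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "Gi1/0/2"),   # MAC mismatch
    DhcpFrame("DHCPRELEASE", "00:11:22:33:44:55", "00:11:22:33:44:55", "Gi1/0/7"),    # wrong port
    DhcpFrame("DHCPDISCOVER", "00:11:22:33:44:55", "00:11:22:33:44:55", "Gi1/0/1",
              giaddr="10.0.0.1"),                                                     # relay field set
    DhcpFrame("DHCPOFFER", "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "Gi1/0/24"),     # real server
]


def run_samples():
    """Forward/drop decision for each constructed frame, in order."""
    return [snooping_decision(f, TRUSTED, BINDINGS)[0] for f in SAMPLES]
```

The second DHCPDISCOVER is dropped only because MAC verification is on; calling snooping_decision with mac_verify=False lets it through, which is the behaviour the "(Choose two)"-style questions on this feature turn on.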
Question 2
A network engineer is configuring a solution to allow failover of HSRP nodes during
maintenance windows, as an alternative to powering down the active router and letting the
network respond accordingly. Which action will allow for manual switching of HSRP nodes?
A. Track the up/down state of a loopback interface and shut down this interface during
maintenance.
B. Adjust the HSRP priority without the use of preemption.
C. Disable and enable all active interfaces on the active HSRP node.
D. Enable HSRPv2 under global configuration, which allows for maintenance mode.
Answer: A
Explanation
We can test the action of HSRP by tracking the loopback interface and decreasing the HSRP
priority when it goes down, so that the standby router can take the active role.
Question 3
Answer: A
Explanation
‖ is used to set the secure HTTP (HTTPS) server port number for listening.
Question 4
A network engineer executes the show crypto ipsec sa command. Which three pieces of
information are displayed in the output? (Choose three)
Answer: A B C
Explanation
This command shows the IPsec Security Associations (SAs) built between peers. An example of
the output of the above command is shown below:
The first part shows the interface and crypto map name that are associated with the interface.
Then the inbound and outbound SAs are shown. These are either AH or ESP SAs. In this
case, because only ESP was used, there are no AH inbound or outbound SAs.
Note: "inbound crypto map" here probably refers to the crypto map name.
Question 5
A. POP
B. SMTP
C. HTTP
D. SFTP
E. SSH
Answer: C E
Explanation
The Management Plane Protection (MPP) feature in Cisco IOS software provides the
capability to restrict the interfaces on which network management packets are allowed to
enter a device. The MPP feature allows a network operator to designate one or more router
interfaces as management interfaces. Device management traffic is permitted to enter a
device only through these management interfaces. After MPP is enabled, no interfaces except
designated management interfaces will accept network management traffic destined to the
device.
+ BEEP
+ FTP
+ HTTP
+ HTTPS
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
Therefore these are also the protocols that can be affected by MPP.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html
SNMP Questions
https://www.digitaltut.com/snmp-questions
Question 1
Answer: A
Explanation
"The engineer is not concerned with authentication or encryption" so we don't need to use
SNMP version 3. And we only use "one-way SNMP notifications" so SNMP messages
should be sent as traps (no acknowledgement from the SNMP server is needed) -> A is correct.
Question 2
When using SNMPv3 with NoAuthNoPriv, which string is matched for authentication?
A. username
B. password
C. community-string
D. encryption-key
Answer: A
Explanation
There are three SNMP security levels (for SNMPv1, SNMPv2c, and SNMPv3):
Reference:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide
/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html
Question 3
Answer: B
Explanation
Question 4
A. auth
B. noauth
C. priv
D. secret
Answer: C
Explanation
In the CLI, we use the "priv" keyword for "AuthPriv" (the "noauth" keyword for "noAuthNoPriv";
the "auth" keyword for "AuthNoPriv"). The following example shows how to configure a
remote user to receive traps at the "priv" security level when the SNMPv3 security model is
enabled:
Router(config)# snmp-server group group1 v3 priv
Router(config)# snmp-server user PrivateUser group1 remote 1.2.3.4 v3 auth md5 password1 priv access des56
Question 5
A. To enable the device to send and receive SNMP requests and responses
B. To enable the device to send SNMP traps to the SNMP server
C. To disable SNMP messages from getting to the SNMP engine
D. To configure the SNMP server to store log data
Answer: A
Explanation
The "snmp-server manager" command is used to start the SNMP manager process. In other
words, it allows the SNMP manager to begin sending and receiving SNMP requests and
responses to and from the SNMP agents.
Question 6
A. v2c auth
B. v2c
C. v3
D. v1
Answer: C
Explanation
Both SNMPv1 and SNMPv2c did not focus much on security: they provide security based on the
community string only. A community string is really just a clear-text password (no
encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and
interception.
Note: Although SNMPv3 offers better security, SNMPv2c is still more common.
Question 7
A. threshold
B. frequency
C. verify-data
D. timeout
Answer: A
Question 8
Which SNMP verification command shows the encryption and authentication protocols that
are used in SNMPv3?
Answer: B
Explanation
The command ―show snmp user‖ displays information about the configured characteristics of
SNMP users. The following example specifies the username as abcd with authentication
method of MD5 and encryption method of 3DES.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t2/snmpv3ae.html
Question 9
A. SNMPv1
B. SNMPv4
C. SNMPv3
D. SNMPv2c
Answer: C
Question 10
Answer: A
Explanation
The snmp-server host global configuration command is used to specify the recipient of an
SNMP notification operation, in this case 192.168.1.3. In other words, traps of the local
router will be sent to 192.168.1.3. Therefore this command is often used to manage the
device.
Question 11
Answer: B C D
Explanation
The SNMP Manager can send GET, GET-NEXT and SET messages to SNMP Agents. The
Agents are the monitored devices while the Manager is the monitoring device. In the picture
below, the Router, Server and Multilayer Switch are monitored devices.
Syslog Questions
https://www.digitaltut.com/syslog-questions
Question 1
Which alerts will be seen on the console when running the command: logging console
warnings?
A. warnings only
B. warnings, notifications, error, debugging, informational
C. warnings, errors, critical, alerts, emergencies
D. notifications, warnings, errors
E. warnings, errors, critical, alerts
Answer: C
Explanation
The highest level is level 0 (emergencies). The lowest level is level 7. If you specify a level
with the "logging console level" command, that level and all the higher levels will be
displayed. For example, by using the "logging console warnings" command, all the logging
of emergencies, alerts, critical, errors, warnings will be displayed.
Question 2
Network engineer wants to configure logging to compile and send information to an external
server. Which type of logging must be configured?
A. Terminal
B. Syslog
C. Buffer
D. Console
Answer: B
Explanation
Syslog can be configured to send messages to an external server for storage. The storage size
does not depend on the router's resources and is limited only by the available disk space on
the external Syslog server. For example, to instruct our router to send Syslog messages to
192.168.1.2 we can simply use this single command (all parameters are at default values):
R1(config)#logging 192.168.1.2
The other destinations (terminal, buffer, console) are local to the device and cannot send
messages to an external server.
Question 3
Which command do you enter to display log messages with a timestamp that includes the
length of time since the device was last rebooted?
Answer: A
Explanation
The "service timestamps log uptime" command enables timestamps on log messages, showing
the time since the system was rebooted. For example:
Question 4
A network engineer enables a trunk port and encounters the following message:
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet 1/1, changed state to
up.
A. alert
B. critical
C. notification
D. informational
Answer: C
Explanation
The number "5" in "%LINEPROTO-5-UPDOWN" is the severity level of this message, so in this
case it is "notification".
Question 5
A. level 3
B. level 4
C. level 5
D. level 0
Answer: A
Explanation
Question 6
Question 7
A network engineer executes the commands "logging host 172.16.200.225" and "logging trap
5". Which action results when these two commands are executed together?
A. Logging messages that have a debugging severity level are sent to the remote server
172.16.200.225.
B. Logged information is stored locally, showing the sources as 172.16.200.225
C. Logging messages that have any severity level are sent to the remote server
172.16.200.225
D. Logging messages that have a severity level of "notifications" and above (numerically
lower) are sent to the remote server 172.16.200.225
Answer: D
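The severity arithmetic behind Questions 1, 4 and 7 (a threshold admits its own level and every numerically lower one) is small enough to show end to end. The following is an added example, not code from digitaltut or from Cisco IOS: it parses the "%FACILITY-SEVERITY-MNEMONIC:" prefix of constructed IOS-style log lines and applies a threshold the way "logging console warnings" or "logging trap 5" would. The sample lines and addresses are constructed.

```python
import re

# IOS severity names and numbers; 0 is the most severe.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
NAME_BY_LEVEL = {number: name for name, number in SEVERITY.items()}

# %FACILITY-SEVERITY-MNEMONIC: message text
MESSAGE_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def parse_severity(line):
    """Return the severity number embedded in an IOS log line, or None if there is none."""
    match = MESSAGE_RE.search(line)
    return int(match.group("severity")) if match else None


def to_level(threshold):
    """Accept either a level name ('warnings') or a number (5), as the IOS commands do."""
    return SEVERITY[threshold] if isinstance(threshold, str) else int(threshold)


def levels_shown(threshold):
    """Names of the levels that 'logging console <threshold>' lets through."""
    return [NAME_BY_LEVEL[n] for n in range(to_level(threshold) + 1)]


def passes(threshold, line):
    """True when the line is at the threshold severity or more severe (numerically lower)."""
    severity = parse_severity(line)
    return severity is not None and severity <= to_level(threshold)


# Constructed log lines in IOS format (addresses from documentation ranges).
SAMPLE_LOG = [
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(51234) -> 198.51.100.5(22), 1 packet",
    "%OSPF-4-ERRRCV: Received invalid packet: mismatched area ID from 192.0.2.9",
    "%SYS-3-CPUHOG: Task is running for (2012)msecs, more than (2000)msecs (5/2), process = Exec",
]


def filter_log(threshold, lines=SAMPLE_LOG):
    """The lines a destination configured with this threshold would receive."""
    return [line for line in lines if passes(threshold, line)]


if __name__ == "__main__":
    print("logging console warnings ->", levels_shown("warnings"))
    for line in filter_log(5):            # what 'logging trap 5' would send to the syslog host
        print("  sent:", line)
```

With the threshold "warnings" (4) only the OSPF-4 and SYS-3 lines pass; "logging trap 5" additionally forwards the two level-5 lines, and the level-6 access-list hit is never sent in either case.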
Question 8
After a recent DoS attack on a network, senior management asks you to implement better
logging functionality on all IOS-based devices. Which two actions can you take to provide
enhanced logging results? (Choose two)
Answer: A B
Explanation
"Increase the logging history" here is the same as "increase the logging buffer". The default
buffer size is 4096 bytes. By increasing the logging buffer size we can see more logging
history. But do not make the buffer size too large because the device could run out of
memory for other tasks. We can write the logging messages to an external logging server
instead.
NTP Questions
https://www.digitaltut.com/ntp-questions
Question 1
Refer to the following configuration command.
router (config-line)# ntp master 10
A. The router acts as an authoritative NTP clock and allows only 10 NTP client connections.
B. The router acts as an authoritative NTP clock at stratum 10.
C. The router acts as an authoritative NTP clock with a priority number of 10.
D. The router acts as an authoritative NTP clock for 10 minutes only.
Answer: B
Explanation
The command "ntp master [stratum]" is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.
The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).
Question 2
Answer: A
Explanation
The "ntp broadcast client" command is used under interface mode to allow the device to
receive Network Time Protocol (NTP) broadcast packets on that interface.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1123148
Question 3
Which two statements indicate a valid association mode for NTP synchronization? (Choose
two)
Answer: A C
Question 4
Which two statements about NTP operation are true? (Choose two)
A. If multiple NTP servers are configured, the one with the lowest stratum is preferred
B. By default, NTP communications use UDP port 123.
C. If multiple NTP servers are configured, the one with the highest stratum is preferred.
D. Locally configured time overrides time received from an NTP server.
E. "Stratum" refers to the number of hops between the NTP client and the NTP server.
Answer: A B
Explanation
The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server
is. When multiple NTP servers are configured, the client will prefer the NTP server with the
lowest stratum level.
Question 5
Refer to Exhibit:
access-list 1 permit 192.168.1.1
access-list 1 deny any
access-list 2 permit 192.168.1.4
access-list 2 deny any
!
ntp access-group peer 2
ntp access-group serve 1
ntp master 4
!
Which three NTP features can be deduced on the router? (Choose three)
Answer: A C F
Explanation
First we need to understand some basic knowledge about NTP. There are two types of NTP
messages:
+ Control messages: for reading and writing internal NTP variables and obtaining NTP status
information. They are not used for time synchronization, so we will not care about them in this
question.
+ Request/Update messages: for time synchronization. Request messages ask for
synchronization information while Update messages contain synchronization information
and may change the local clock.
Four types of NTP access-group exist to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize with. In other words, it
permits the local router to respond to NTP requests and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to reply to NTP requests, but drops NTP updates. This
access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to respond to NTP requests only. This access-group denies
control messages.
+ Query-only: only accepts control messages. No response to NTP requests is sent, and no
local system time synchronization with a remote system is permitted.
The "ntp master 4" indicates it is running as a time source with a stratum level of 4 -> Answer
B is not correct while answer C is correct.
Answer E is not correct because it can accept time requests from both 192.168.1.1 and
192.168.1.4.
*Note: In fact answer A is incorrect too because the local router can accept time requests
from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is a mistake
in this question.
Question 6
A network engineer wants an NTP client to be able to update the local system without
updating or synchronizing with the remote system. Which option for the ntp access-group
command is needed to accomplish this?
A. Serve
B. Serve-only
C. peer
D. Query-only
Answer: A
Explanation
To control access to Network Time Protocol (NTP) services on the system, use the ntp
access-group command in global configuration mode.
+ Control messages are for reading and writing internal NTP variables and obtaining NTP
status information. They do not deal with time synchronization itself.
+ NTP Request/Update messages are used for actual time synchronization. A Request packet
asks for synchronization information, and an Update packet contains synchronization
information and may change the local clock.
When synchronizing system clocks on Cisco IOS devices only Request/Update messages are
used. Therefore in this question we only care about the "NTP Update message".
Syntax:
+ Peer: permits the router to respond to NTP requests and accept NTP updates. NTP control
queries are also accepted. This is the only class which allows a router to be synchronized by
other devices -> not correct. In other words, the peer keyword enables the device to receive
time requests and NTP control queries and to synchronize itself to the servers specified in the
access list.
+ Serve-only: permits the router to respond to NTP requests only. Rejects attempts to
synchronize the local system time, and does not accept control queries. In other words, the
serve-only keyword enables the device to receive only time requests from servers specified in
the access list.
+ Serve: permits the router to reply to NTP requests, but rejects NTP updates (e.g. replies from a
server or update packets from a peer). Control queries are also permitted. In other words, the
serve keyword enables the device to receive time requests and NTP control queries from the
servers specified in the access list but not to synchronize itself to the specified servers -> this
option is surely correct.
In summary, the answer "serve" is surely correct but the answer "serve-only" seems to be
correct too (although the definition is not clear).
Reference:
+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html
+ http://blog.ine.com/2008/07/28/ntp-access-control/
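The access-class definitions in Questions 5 and 6 can be turned into a decision table and run against the Question 5 exhibit. The following is an added example, not code from digitaltut or from Cisco IOS. The permission table is taken from the descriptions above; the scan order (peer, then serve, serve-only, query-only, first match wins) and the rule that a source matching no configured group is denied are assumed from the Cisco command reference and are not stated on this page.

```python
# Standard access lists as in the Question 5 exhibit: each permits one host, then denies any.
ACCESS_LISTS = {
    1: ["192.168.1.1"],
    2: ["192.168.1.4"],
}

# 'ntp access-group peer 2' and 'ntp access-group serve 1' from the same exhibit.
NTP_ACCESS_GROUPS = [("peer", 2), ("serve", 1)]

# What each access class lets a matching source do, per the descriptions in Questions 5 and 6.
PERMITS = {
    "peer":       {"request": True,  "update": True,  "control": True},
    "serve":      {"request": True,  "update": False, "control": True},
    "serve-only": {"request": True,  "update": False, "control": False},
    "query-only": {"request": False, "update": False, "control": True},
}

# Assumed scan order (least to most restrictive); the first class whose ACL permits the
# source decides. This ordering is an assumption, not something the page states.
SCAN_ORDER = ["peer", "serve", "serve-only", "query-only"]


def acl_permits(acl_number, src, acls=ACCESS_LISTS):
    """Standard ACL made of host entries with an implicit 'deny any' at the end."""
    return src in acls.get(acl_number, [])


def access_class(src, groups=NTP_ACCESS_GROUPS, acls=ACCESS_LISTS):
    """The access class that applies to a source, or None when no configured group matches."""
    configured = dict(groups)
    for cls in SCAN_ORDER:
        if cls in configured and acl_permits(configured[cls], src, acls):
            return cls
    return None


def ntp_allowed(src, message, groups=NTP_ACCESS_GROUPS, acls=ACCESS_LISTS):
    """Whether a 'request', 'update' or 'control' message from src is accepted.

    With no access group configured everything is accepted; once any group is configured,
    a source that matches none of them is denied (assumed IOS behaviour)."""
    if not groups:
        return True
    cls = access_class(src, groups, acls)
    return cls is not None and PERMITS[cls][message]


def matrix(groups=NTP_ACCESS_GROUPS, acls=ACCESS_LISTS,
           sources=("192.168.1.1", "192.168.1.4", "192.168.1.9")):
    """Per-source view of what a configuration accepts; 192.168.1.9 is a constructed outsider."""
    return {src: {m: ntp_allowed(src, m, groups, acls) for m in ("request", "update", "control")}
            for src in sources}


if __name__ == "__main__":
    for src, perms in matrix().items():
        print(src, perms)
```

Running matrix() on the exhibit shows why the note under Question 5 objects to answer A: both 192.168.1.1 (serve) and 192.168.1.4 (peer) may send time requests, and only the peer can push updates to the local clock. Passing groups=[("serve-only", 1)] reproduces the Question 6 contrast: requests from 192.168.1.1 are answered but its control queries are refused.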
Question 7
A. stratum 0
B. stratum 1
C. stratum 2
D. stratum 15
E. stratum 16
Question 8
Refer to exhibit. A network engineer receives a command output from a customer that
indicates an issue with NTP. What are two reasons for the output? (Choose two)
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
Answer: A E
Explanation
The output indicates that the local device did not receive the NTP update successfully so
something went wrong during the transmission.
Question 9
Which three NTP operating modes must the trusted-key command be configured on for
authentication to operate properly? (Choose three)
A. interface
B. client
C. peer
D. server
E. broadcast
Answer: B D E (?)
Question 10
A network engineer wants to verify the status of a recently configured NTP setup on one of
the routers. The engineer executes the "show ntp associations" command. What does the
output indicate?
Answer: A
Explanation
If there's an asterisk (*) next to a configured peer, then you are synced to this peer and using
it as the master clock. As long as one peer is the master then everything is fine. However,
the key to knowing that NTP is working properly is looking at the value in the reach field.
The reach field is a circular bit buffer. It gives you the status of the last eight NTP messages
(eight bits in octal is 377, so you want to see a reach field value of 377). If an NTP response
packet is lost, the missing packet is tracked over the next eight NTP update intervals in the
reach field. For more information about this field please read
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc.html
Question 11
Refer to Exhibit, which statement about the configuration on the Cisco router is true?
A. The router sends only NTP traffic, using the loopback interface, and it disables eth0/0
from sending NTP traffic.
B. Eth0/0 sends NTP traffic on behalf of the loopback interface
C. The router sends only NTP traffic, using the eth0/0 interface, and it disables loopback0
from sending NTP traffic.
D. The router never sends NTP traffic, as using the loopback interface for NTP traffic is not
supported on IOS routers.
Answer: A
Question 12
Answer: C
Explanation
The command "ntp master [stratum]" is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.
The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).
NAT Questions
https://www.digitaltut.com/nat-questions
Question 1
Upon entering the command on the IOS router, the following message is seen on the console:
%Dynamic Mapping in Use, Cannot remove message or the %Pool outpool in use,
cannot destroy
What is the least impactful method that the engineer can use to modify the existing IP NAT
configuration?
A. Clear the IP NAT translations using the "clear ip nat traffic *" command, then replace the
NAT configuration quickly, before any new NAT entries are populated into the translation
table due to active NAT traffic.
B. Clear the IP NAT translations using the "clear ip nat translation *" command, then replace
the NAT configuration quickly, before any new NAT entries are populated into the
translation table due to active NAT traffic.
C. Clear the IP NAT translations using the reload command on the router, then replace the
NAT configuration quickly, before any new NAT entries are populated into the translation
table due to active NAT traffic.
D. Clear the IP NAT translations using the "clear ip nat table *" command, then replace the
NAT configuration quickly, before any new NAT entries are populated into the translation
table due to active NAT traffic.
Answer: B
Question 2
Which statement describes what this command accomplishes when inside and outside
interfaces are correctly identified for NAT?
ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080 extendable
A. It allows host 192.168.1.50 to access external websites using TCP port 8080.
B. It allows external clients coming from public IP 209.165.201.1 to connect to a web server
at 192.168.1.50.
C. It allows external clients to connect to a web server hosted on 192.168.1.50.
D. It represents an incorrect NAT configuration because it uses standard TCP ports.
Answer: C
Explanation
Let us first set aside the effect of the "extendable" keyword. The purpose of the
command "ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080" is to translate
packets on the inside interface with a source IP address of 192.168.1.50 and port 80 to the IP
address 209.165.201.1 with port 8080. This also implies that any packet received on the
outside interface with a destination address of 209.165.201.1:8080 has the destination
translated to 192.168.1.50:80. Therefore answer C is correct.
Answer A is not correct because this command "allows host 192.168.1.50 to access external
websites using TCP port 80", not port 8080.
Answer B is not correct because it allows external clients to connect to a web server at
209.165.201.1. The IP addresses of the clients should not be 209.165.201.1.
Usually, the "extendable" keyword should be added if the same Inside Local address is mapped to
different Inside Global addresses (the IP address of an inside host as it appears to the outside
network). An example of this case is when you have two connections to the Internet on two
ISPs for redundancy. So you will need to map two Inside Global IP addresses to one Inside
Local IP address. For example:
NAT router:
ip nat inside source static 192.168.1.1 200.1.1.1 extendable
ip nat inside source static 192.168.1.1 200.2.2.2 extendable
//Inside Local: 192.168.1.1 ; Inside Global: 200.1.1.1 & 200.2.2.2
In this case, the traffic from ISP1 and ISP2 to the Server is straightforward as ISP1 will use
200.1.1.1 and ISP2 will use 200.2.2.2 to reach the Server. But how about the traffic from the
Server to the ISPs? In other words, how does the NAT router know which IP (200.1.1.1 or
200.2.2.2) it should use to send traffic to ISP1 & ISP2 (this is called "ambiguous from the
inside")? We tested in GNS3 and it worked correctly! So we guess the NAT router compared
the Inside Global addresses with all of the IP addresses of the "ip nat outside" interfaces and
chose the most suitable one to forward traffic.
"They might also want to define static mappings for a particular host using each provider's
address space. The software does not allow two static translations with the same local
address, though, because it is ambiguous from the inside. The router will accept these static
translations and resolve the ambiguity by creating full translations (all addresses and ports) if
the static translations are marked as "extendable". For a new outside-to-inside flow, the
appropriate static entry will act as a template for a full translation. For a new inside-to-outside
flow, the dynamic route-map rules will be used to create a full translation".
(Reference:
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html)
Question 3
A network engineer is asked to configure a ―site-to-site‖ IPsec VPN tunnel. One of the last
things that the engineer does is to configure an access list (access-list 1 permit any) along
with the command ip nat inside source list 1 int s0/0 overload. Which functions do the two
commands serve in this scenario?
A. The command access-list 1 defines interesting traffic that is allowed through the tunnel.
B. The command ip nat inside source list 1 int s0/0 overload disables ―many-to-one‖ access
for all devices on a defined segment to share a single IP address upon exiting the external
interface.
C. The command access-list 1 permit any defines only one machine that is allowed through
the tunnel.
D. The command ip nat inside source list 1 int s0/0 overload provides ―many-to-one‖
access for all devices on a defined segment to share a single IP address upon exiting the
external interface.
Answer: D
Explanation
The command "ip nat inside source list 1 int s0/0 overload" translates all source addresses
that pass access list 1, which means all IP addresses, into the address assigned to the S0/0
interface. The overload keyword allows multiple IP addresses to be mapped to a single
registered IP address (many-to-one) by using different ports.
Question 4
Which command allows hosts that are connected to FastEthernet0/2 to access the Internet?
Answer: A
Explanation
The command "ip nat inside source list 10 interface FastEthernet0/1 overload" configures
NAT to overload on the address that is assigned to the Fa0/1 interface.
Question 5
Refer to the following configuration command.
A. Any packet that is received in the inside interface with a source IP port address of
172.16.10.8:80 is translated to 172.16.10.8:8080.
B. Any packet that is received in the inside interface with a source IP port address of
172.16.10.8:8080 is translated to 172.16.10.8:80.
C. The router accepts only a TCP connection from port 8080 and port 80 on IP address
172.16.10.8.
D. Any packet that is received in the inside interface with a source IP address of 172.16.10.8
is redirected to port 8080 or port 80.
Answer: B
Explanation
This is a static NAT command which translates all the packets received on the inside interface
with a source IP address of 172.16.10.8:8080 to 172.16.10.8:80. The purpose of this NAT
statement is to redirect TCP traffic to another TCP port.
Question 6
Answer: B C
Explanation
NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). There are two different forms of NAT64, stateless and stateful:
+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps no state. It does not conserve any IP addresses, since every IPv4 address maps to exactly one IPv6 address. Stateless NAT64 does not conserve IPv4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation (1:N translation). It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings. Stateful NAT64 conserves IPv4 addresses.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/white_paper_c11-676278.html
Question 7
Answer: E
Explanation
The "ip nat allow-static-host" command enables static IP address support. Dynamic Address Resolution Protocol (ARP) learning will be disabled on this interface, and NAT will control the creation and deletion of ARP entries for the static IP host.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-
4/nat-12-4-book/iadnat-addr-consv.html
Question 8
A. NAT
B. NAT64
C. NPTv6
D. DHCPv6
Answer: B
Explanation
NAT64 technology facilitates communication between IPv6-only and IPv4-only hosts and networks (whether in a transit, an access, or an edge network). This solution allows both enterprises and ISPs to accelerate IPv6 adoption while simultaneously handling IPv4 address depletion. All viable translation scenarios are supported by NAT64, and therefore NAT64 is becoming the most sought-after translation technology.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/white_paper_c11-676278.html
Question 9
Which option is the first task that a device configured with NAT64 performs when it receives
an incoming IPv6 packet that matches the stateful NAT64 prefix?
Answer: A
Question 10
A. ipv6 nat
B. ipv6 nat enable
C. ipv6 nat-pt
D. ipv6 nat-pt enable
Answer: A
Explanation
The syntax should be: ipv6 nat prefix ipv6-prefix/prefix-length (for example: Router# ipv6 nat prefix 2001:DB8::/96)
Question 11
Explanation
+ Virtual routing and forwarding (VRF)-aware NAT64 is not supported -> Answer A is
correct.
+ IP Multicast is not supported -> Answer B is correct.
+ Application-level gateways (ALGs) FTP and ICMP are not supported -> Answer C is not
correct.
+ Only TCP and UDP Layer 4 protocols are supported for header translation -> Answer E is
not correct.
+ For Domain Name System (DNS) traffic to work, you must have a separate working
installation of DNS64 -> This statement means stateful NAT64 supports DNS64 but we
cannot conclude it is the only one supported by NAT64. We are not sure but maybe stateful
NAT64 also supports DNS ALG.
Question 12
A. inside global
B. global outside
C. outside internet
D. inside internet
E. outside local
Answer: A E
Explanation
* Inside local address – The IP address assigned to a host on the inside network. The address
is usually not an IP address assigned by the Internet Network Information Center (InterNIC)
or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service
provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the
inside network.
* Outside global address – The IP address assigned to a host on the outside network. The
owner of the host assigns this address.
Question 13
NPTv6 restrictions?
Possible answers:
Question 14
You have correctly identified the inside and outside interfaces in the NAT configuration of
this device. Which effect of this configuration is true?
A. dynamic NAT
B. static NAT
C. PAT
D. NAT64
Answer: C
IP SLA Questions
https://www.digitaltut.com/ip-sla-questions
Question 1
A. HSRP
B. VRRP
C. IP SLA
D. multicast
Answer: C
Question 2
A network engineer has configured a tracking object to monitor the reachability of IP SLA 1.
In order to update the next hop for the interesting traffic, which feature must be used in
conjunction with the newly created tracking object to manipulate the traffic flow as required?
A. SNMP
B. PBR
C. IP SLA
D. SAA
E. ACLs
F. IGP
Answer: B
Explanation
IP SLA PBR (Policy-Based Routing) Object Tracking allows you to make sure that the next
hop is reachable before that route is used. If the next hop is not reachable, another route is
used as defined in the PBR configuration. If no other route is present in the route map, the
routing table is used.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-
os/IPSLA/configuration/guide/b_Cisco_Nexus_7000_Series_NX-
OS_IP_SLAs_Configuration_Guide_rel_6-x/b_Cisco_Nexus_7000_Series_NX-
OS_IP_SLAs_Configuration_Guide_rel_6-x_chapter_01000.html
Question 3
A network engineer initiates the ip sla responder tcp-connect command in order to gather
statistics for performance gauging. Which type of statistics does the engineer see?
A. connectionless-oriented
B. service-oriented
C. connection-oriented
D. application-oriented
Answer: C
Explanation
The keyword "tcp-connect" enables the responder for TCP connect operations. TCP is a connection-oriented transport layer protocol -> C is correct.
Question 4
Refer to the exhibit. Which statement about the configuration is true?
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type jitter dest-ipaddr 200.0.10.3 dest-port 65051 num-packets 20
request-data-size 160
tos 128
frequency 30
ip sla monitor schedule 1 start-time after 00:05:00
Answer: A
Explanation
The "num-packets" keyword specifies the number of packets to be sent for a jitter operation.
The "frequency" is the rate (in seconds) at which this IP SLA operation repeats. The "tos" keyword defines the type of service (ToS) byte in the IP header of this IP SLA operation.
Question 5
Which three items can you track when you use two time stamps with IP SLAs? (Choose
three)
A. delay
B. jitter
C. packet loss
D. load
E. throughput
F. path
Answer: A B C
Explanation
When enabled, the IP SLAs Responder allows the target device to take two time stamps both
when the packet arrives on the interface at interrupt level and again just as it is leaving,
eliminating the processing time. At times of high network activity, an ICMP ping test often
shows a long and inaccurate response time, while an IP SLAs test shows an accurate response
time due to the time stamping on the responder.
An additional benefit of the two time stamps at the target device is the ability to track
one-way delay, jitter, and directional packet loss. Because much network behavior is
asynchronous, it is critical to have these statistics. However, to capture one-way delay
measurements the configuration of both the source device and target device with Network
Time Protocol (NTP) is required. Both the source and target need to be synchronized to the
same clock source. One-way jitter measurements do not require clock synchronization.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-
15-mt-book/sla_overview.html
Question 6
Two aspects of an IP SLA operation can be tracked: state and reachability. Which statement
about state tracking is true?
A. When tracking state, an OK return code means that the track's state is up; any other return code means that the track's state is down.
B. When tracking state, an OK or over threshold return code means that the track's state is up; any other return code means that the track's state is down.
C. When tracking state, an OK return code means that the track's state is down; any other return code means that the track's state is up.
D. When tracking state, an OK or over threshold return code means that the track's state is down; any other return code means that the track's state is up.
Answer: A
Question 7
Answer: A D
Question 8
Which three IP SLA performance metrics can you use to monitor enterprise-class networks?
(Choose three)
A. Packet loss
B. Delay
C. bandwidth
D. Connectivity
E. Reliability
F. traps
Answer: A B D
Explanation
Depending on the specific Cisco IOS IP SLAs operation, statistics of delay, packet loss,
jitter, packet sequence, connectivity, path, server response time, and download time are
monitored within the Cisco device and stored in both CLI and SNMP MIBs.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsoverv.ht
ml
Question 9
A network engineer wants to notify a manager in the event that the IP SLA connection loss threshold is reached. Which two features are needed to implement this functionality? (Choose two)
A. MOS
B. Threshold action
C. Cisco IOS EEM
D. SNMP traps
E. logging local
Answer: B D
Explanation
IP SLAs reactions are configured to trigger when a monitored value exceeds or falls below a specified level, or when a monitored event, such as a timeout or connection loss, occurs. If an IP SLAs measurement is too high or too low for any configured reaction, IP SLAs can generate a notification (in the form of an SNMP trap) to a network management application or trigger another IP SLA operation to gather more data.
Cisco IOS IP SLAs can send SNMP traps that are triggered by events such as the following:
+ Connection loss
+ Timeout
+ Round-trip time threshold
+ Average jitter threshold
+ One-way packet loss
+ One-way jitter
+ One-way mean opinion score (MOS)
+ One-way latency
Question 10
Which IP SLA operation can be used to measure round-trip delay for the full path and hop-
by-hop round-trip delay on the network?
A. HTTP
B. ICMP path echo
C. TCP connect
D. ICMP echo
Answer: B
Explanation
Round-trip time (RTT), also called round-trip delay, is the time required for a packet to travel
from a specific source to a specific destination and back again.
An ICMP Path Echo operation measures end-to-end (full path) and hop-by-hop response
time (round-trip delay) between a Cisco router and devices using IP. ICMP Path Echo is
useful for determining network availability and for troubleshooting network connectivity
issues.
Note: ICMP Echo only measures round-trip delay for the full path.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/xe-3s/sla-
xe-3s-book/sla_icmp_pathecho.html
Question 11
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface f1/0
R1(config-ip-sla)#frequency 10
R1(config-ip-sla)#threshold 100
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2
Why is the default route not removed when the SLA state goes down or fails?
Answer: D
Explanation
The default route command (on the last line) must include the "track" keyword for the tracking feature to work.
Question 12
Which type of information is displayed when a network engineer executes the show track 1
command on the router?
IP SLA Questions 2
https://www.digitaltut.com/ip-sla-questions-2
Question 1
Answer: A
Explanation
User Datagram Protocol (UDP) Jitter for VoIP is the most common operation for networks that carry voice traffic, video, or UDP jitter-sensitive applications. It requires Cisco endpoints.
Note: The ICMP jitter operation is similar to the IP SLAs UDP jitter operation but does not require a Cisco endpoint (that is, a Cisco router that has been designated to reply to Cisco IOS IP SLA test packets).
The config below shows an example of configuring UDP Jitter for VoIP:
Router(config)# ip sla 10
//Configures the operation as a jitter (codec) operation that will generate VoIP scores in addition to latency, jitter, and packet loss statistics. Notice that it requires an endpoint.
Router(config-ip-sla)# udp-jitter 209.165.200.225 16384 codec g711alaw advantage-factor 10
//The configs below are optional
Router(config-ip-sla-jitter)# frequency 30
Router(config-ip-sla-jitter)# history hours-of-statistics-kept 4
Router(config-ip-sla-jitter)# owner admin
Router(config-ip-sla-jitter)# tag TelnetPollServer1
Router(config-ip-sla-jitter)# threshold 10000
Router(config-ip-sla-jitter)# timeout 10000
Router(config-ip-sla-jitter)# tos 160
Reference:
http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_qas0900aecd8017
bd5a.html &
http://www.cisco.com/c/en/us/td/docs/ios/ipsla/configuration/guide/15_s/sla_15_0s_book/sla
_udp_jitter_voip.pdf
Question 2
Refer to exhibit. Which two reasons for IP SLA tracking failure are likely true? (Choose two)
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#threshold 500
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2
R1(config)#ip route 0.0.0.0 0.0.0.0 172.30.30.2 5
Answer: C E
Explanation
There is no problem with Fa0/0 as the source interface, as we want to check the ping from the LAN interface -> A is not correct.
Answer B is not correct as we must track the destination of the primary link, not the backup link.
In this question, R1 pings R2 via its LAN Fa0/0 interface, so maybe R1 (which is an ISP) will not know how to reply back, as an ISP usually does not configure a route to a customer's LAN -> C is correct.
There is no problem with the default route -> D is not correct.
For answer E, we need to understand how timeout and threshold are defined:
Timeout (in milliseconds) sets the amount of time an IP SLAs operation waits for a response to its request packet. In other words, the timeout specifies how long the router should wait for a response to its ping before the probe is considered failed. Threshold (also in milliseconds) sets the upper threshold value for calculating network monitoring statistics created by an IP SLAs operation. The threshold is used to activate a response to an IP SLA violation, e.g. send an SNMP trap or start a secondary SLA operation. In other words, the threshold value is only used to indicate over-threshold events, which do not affect reachability but may be used to evaluate the proper settings for the timeout command.
For reachability tracking, if the return code is OK or OverThreshold, reachability is up; if not OK, reachability is down.
Therefore in this question, we are using "Reachability" tracking (via the command "track 10 ip sla 1 reachability"), so the threshold value is not important and can be ignored -> Answer E is correct. In fact, answer E is not wrong but it is the best option left.
This tutorial can help you revise IP SLA tracking topic: http://www.firewall.cx/cisco-
technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html and
http://www.ciscozine.com/using-ip-sla-to-change-routing/
Note: Maybe some of us will wonder why there are these two commands:
are different. These two static routes can co-exist in the routing table. Therefore if the
tracking goes down, the first command will be removed but the second one still exists and the
backup path is not preferred. So we have to remove the second one.
Question 3
Which option must be configured on a target device to use time stamping to accurately
represent response times using IP SLA?
A. Responder
B. Jitter value
C. TCP Connect
D. ICMP Echo
Answer: A
Explanation
A primary benefit of Cisco IOS IP SLAs is accuracy, embedded flexibility, and cost-saving, a key component of which is the Cisco IOS IP SLAs responder enabled on the target device. When the responder is enabled, it allows the target device to take two timestamps: when the packet arrives on the interface at interrupt level and again just as it leaves. This eliminates processing time. This timestamping is made with sub-millisecond (ms) granularity. The responder timestamping is very important because all routers and switches in the industry prioritize switching traffic destined for other locations over packets destined for their own local IP address (this includes Cisco IOS IP SLAs and ping test packets). Therefore, at times of high network activity, ping tests can reveal an inaccurately large response time; conversely, timestamping on the responder allows a Cisco IOS IP SLAs test to accurately represent the response time.
Reference:
http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900
aecd8017f8c9_ps6602_Products_White_Paper.html
Note: The ICMP echo operation is used to cause ICMP echo requests to be sent to a destination to check connectivity.
Question 4
A network engineer executes the "show ip sla statistics" command. What does the output of this command show?
A. Operation availability
B. Device CPU utilization
C. Interface packet statistics
D. Packet sequencing
Answer: A
Explanation
The "show ip sla statistics" command displays the current operational status and statistics of all IP SLAs operations or a specified operation, so the answer "operation availability" is the best choice here.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/ipsla/command/reference/sla_book/sla_04.html
Question 5
Which two types of threshold can you configure for tracking objects? (Choose two)
A. percentage
B. MTU
C. bandwidth
D. weight
E. delay
F. administrative distance
Answer: A D
Explanation
You can configure a tracked list of objects with a Boolean expression, a weight threshold, or
a percentage threshold.
If object 1, and object 2 are down, then track list 1 is up, because object 3 satisfies the up
threshold value of up 30. But, if object 3 is down, both objects 1 and 2 must be up in order to
satisfy the threshold weight.
This configuration can be useful if object 1 and object 2 represent two small bandwidth
connections and object 3 represents one large bandwidth connection. The configured down
10 value means that once the tracked object is up, it will not go down until the threshold
value is equal to or lower than 10, which in this example means that all connections are
down.
The example below configures tracked list 2 with three objects and specified percentages to measure the state of the list, with an up threshold of 70 percent and a down threshold of 30 percent:
This means as long as 51% or more of the objects are up, the list will be considered "up". So in this case if two objects are up, track 2 is considered "up".
Reference: http://www.cisco.com/c/en/us/td/docs/switches/blades/3020/software/release/12-
2_58_se/configuration/guide/3020_scg/swhsrp.pdf
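The two threshold types in this question, and the hysteresis the explanation describes (a list that is up stays up until the score falls to the down value), can be checked with a small model. This is an added example, not Cisco code and not part of the original question set. The object weights 15, 20 and 30 are assumptions chosen to match the behaviour described (object 3 alone reaches the up weight of 30; objects 1 and 2 together do too; no single object is at or below the down weight of 10). Note the arithmetic for the percentage list: with three objects and an up threshold of 70 percent, two objects up is 66.7 percent, which does not reach the up threshold, so the list only comes up once all three are up.

```python
"""Model of how a tracked list evaluates a weight threshold or a percentage threshold,
including the up/down hysteresis: a list that is up only goes down when the score
falls to the down threshold, and a list that is down only comes up when the score
reaches the up threshold.

Added example, not Cisco code. Object weights (15, 20, 30) are assumed; the page
gives only the thresholds (weight up 30 / down 10, percentage up 70 / down 30).
"""


class TrackedList:
    def __init__(self, objects, mode, up, down):
        self.objects = dict(objects)   # object id -> weight (weight is ignored in percentage mode)
        if mode not in ("weight", "percentage"):
            raise ValueError("mode must be 'weight' or 'percentage'")
        self.mode = mode
        self.up_threshold = up
        self.down_threshold = down
        self.state = "down"            # a new list is down until the up threshold is met

    def score(self, up_objects):
        """Sum of the weights of the up objects, or the percentage of objects that are up."""
        up = [o for o in self.objects if o in up_objects]
        if self.mode == "weight":
            return sum(self.objects[o] for o in up)
        return 100.0 * len(up) / len(self.objects)

    def update(self, up_objects):
        """Re-evaluate the list after object state changes; returns the list's new state."""
        s = self.score(up_objects)
        if self.state == "down" and s >= self.up_threshold:
            self.state = "up"
        elif self.state == "up" and s <= self.down_threshold:
            self.state = "down"        # stays up until the score drops to the down threshold
        return self.state


def weight_scenario():
    """Walk through the weight example: objects 1 and 2 are small links, object 3 a large one."""
    lst = TrackedList({1: 15, 2: 20, 3: 30}, "weight", up=30, down=10)
    steps = [{3}, {1, 2}, {1}, set(), {1}, {1, 2}]   # which objects are up at each step
    return [lst.update(up) for up in steps]


def percentage_scenario():
    """Three objects with an up threshold of 70 percent and a down threshold of 30 percent."""
    lst = TrackedList({"a": 1, "b": 1, "c": 1}, "percentage", up=70, down=30)
    steps = [{"a", "b"}, {"a", "b", "c"}, {"a", "b"}, {"a"}, set()]
    return [lst.update(up) for up in steps]


if __name__ == "__main__":
    print(weight_scenario())       # ['up', 'up', 'up', 'down', 'down', 'up']
    print(percentage_scenario())   # ['down', 'up', 'up', 'up', 'down']
```

In the weight walk-through, object 3 alone brings the list up, losing object 3 while object 1 is still up leaves a weight of 15, which is above the down value of 10, so the list stays up; only when every connection is down does the list go down, exactly the behaviour the explanation describes for the "down 10" value.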
Question 6
Which option can you use to monitor voice traffic when configuring an IP SLA?
A. UDP-Jitter
B. TCP-Jitter
C. ip sla logging traps
D. ip sla reaction-configuration
Answer: A
Question 7
Which command is used to check IP SLA when an interface is suspected to receive lots of
traffic with options?
A. show track
B. show threshold
C. show timer
D. show delay
Answer: A
Question 8
A. Timer
B. Frequency
C. Threshold
D. Queue-limit
Answer: C
Question 9
A. core edge
B. access edge
C. WAN edge
D. Distribution edge
E. User edge
Answer: C
Explanation
Maybe this question wants to ask "at which location are IP SLAs usually used to monitor the traffic?", in which case the answer should be WAN edge, as IP SLA is usually used to track a remote device or service (usually via ping).
NetFlow Questions
https://www.digitaltut.com/netflow-questions
Question 1
A network engineer executes the show ip flow export command. Which line in the output
indicates that the send queue is full and export packets are not being sent?
A. output drops
B. enqueuing for the RP
C. fragmentation failures
D. adjacency issues
Answer: A
Explanation
The "show ip flow export" command is used to display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches. An example of the output of this command is shown below:
The "output drops" line indicates the total number of export packets that were dropped because the send queue was full while the packet was being transmitted.
Reference:
http://www.cisco.com/en/US/docs/ios/12_3t/netflow/command/reference/nfl_a1gt_ps5207_T
SD_Products_Command_Reference_Chapter.html#wp1188401
Question 2
Answer: A
Explanation
In general, NetFlow requires CEF to be configured in most recent IOS releases. CEF decides which interface the traffic is sent out of. With CEF disabled, the router will not have a specific destination interface in the NetFlow report packets. Therefore a NetFlow Collector cannot show the OUT traffic for the interface.
Question 3
A network engineer has left a NetFlow capture enabled over the weekend to gather
information regarding excessive bandwidth utilization. The following command is entered:
switch#show flow exporter Flow_Exporter-1
Answer: B
Explanation
This command is used to display the current status of the specific flow exporter, in this case
Flow_Exporter-1. For example
Question 4
Which statement about the output of the show flow-sampler command is true?
A. The sampler matched 10 packets, each packet randomly chosen from every group of 100
packets.
B. The sampler matched 10 packets, one packet every 100 packets.
C. The sampler matched 10 packets, each one randomly chosen from every 100-second
interval.
D. The sampler matched 10 packets, one packet every 100 seconds.
Answer: A
Explanation
The sampling mode determines the algorithm that selects a subset of traffic for NetFlow
processing. In the random sampling mode, incoming packets are randomly selected so that
one out of each n sequential packets is selected on average for NetFlow processing. For
example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the
5th, 120th, 299th, 302nd, and so on packets. This sample configuration provides NetFlow
data on 1 percent of total traffic. The n value is a parameter from 1 to 65535 packets that you
can configure.
In the above output we can see that the number of packets that has been sampled is 10. The sampling mode is "random sampling mode" and the sampling interval is 100 (NetFlow samples 1 out of 100 packets).
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfstatsa.html
Question 5
Answer: A
Explanation
The "ip flow-export destination 10.10.10.1 5858" command is used to export the information captured by the "ip flow-capture" command to the destination 10.10.10.1. "5858" is the UDP port to which NetFlow packets are sent (the default is 2055). The syntax of this command is:
Question 6
Which NetFlow component is applied to an interface and collects information about flows?
A. flow monitor
B. flow exporter
C. flow sampler
D. flow collector
Answer: A
Explanation
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform
network traffic monitoring. Flow monitors consist of a record and a cache. You add the
record to the flow monitor after you create the flow monitor. The flow monitor cache is
automatically created at the time the flow monitor is applied to the first interface. Flow data
is collected from the network traffic during the monitoring process based on the key and
nonkey fields in the record, which is configured for the flow monitor and stored in the flow
monitor cache.
For example, the following example creates a flow monitor named FLOW-MONITOR-1 and
enters Flexible NetFlow flow monitor configuration mode:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)#
(Reference:
http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html
#wp1314030)
Question 7
A network engineer is notified that several employees are experiencing network performance
related issues, and bandwidth-intensive applications are identified as the root cause. In order
to identify which specific type of traffic is causing this slowness, information such as the
source/destination IP and Layer 4 port numbers is required. Which feature should the
engineer use to gather the required information?
A. SNMP
B. Cisco IOS EEM
C. NetFlow
D. Syslog
E. WCCP
Answer: C
Question 8
An engineer executes the ip flow ingress command in interface configuration mode. What is
the result of this action?
Answer: A
Explanation
The following is an example of configuring an interface to capture flows into the NetFlow
cache. CEF followed by NetFlow flow capture is configured on the interface:
Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
or
Router(config-if)# ip route-cache flow
Note: Either the ip flow ingress or the ip route-cache flow command can be used, depending on the Cisco IOS Software version. ip flow ingress is available in Cisco IOS Software Release 12.2(15)T or above.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-
netflow/prod_white_paper0900aecd80406232.html
Question 9
Refer to the exhibit. Which statement about the command output is true?
Answer: A
Question 10
A. CLI
B. NetFlow collector
C. built-in GUI
D. syslog server interface
E. web interface
Answer: A B
Explanation
There are two primary methods to access NetFlow data: the Command Line Interface (CLI) with show commands, or utilizing an application reporting tool. If you are interested in an immediate view of what is happening in your network, the CLI can be used. The other choice is to export NetFlow to a reporting server, or what is called the "NetFlow collector".
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-
netflow/prod_white_paper0900aecd80406232.html
Question 11
A network engineer is configuring the router for NetFlow data exporting. What is required in
order for NDE to begin exporting data?
A. Source
B. Flow mask
C. Destination
D. Interface type
E. Traffic type
F. NetFlow version
Answer: C
Explanation
NetFlow collects statistics about traffic that flows through the router. NetFlow Data Export
(NDE) enables you to export those statistics to an external data collector for analysis.
Router(config)#interface fa0/1
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2 //NetFlow will use Fa0/2 as the source IP address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
Router(config)#ip flow-cache timeout active 1 //export flow records every minute.
The most important parameter when configuring NetFlow is the destination to which NetFlow sends data. Other parameters can be ignored and they will use default values (except the command "ip route-cache flow", which is needed to enable NetFlow).
Question 12
A network engineer executes the "show ip cache flow" command. Which two types of information are displayed in the report that is generated? (Choose two)
A. top talkers
B. flow export statistics
C. flow sample for specific protocols
D. MLS flow traffic
E. IP packet distribution
Answer: C E
Explanation
Also we can see the flow samples for TCP and UDP protocols (including Total Flows,
Flows/Sec, Packets/Flow…).
Question 13
Where can NetFlow export data for long term storage and analysis?
A. syslog
B. collector
C. another network device
D. flat file
Answer: B
Explanation
NetFlow Collector: collects the flow records sent from the NetFlow exporters, parsing and storing the flows. Usually a collector is separate software running on a network server. NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).
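What the collector in Question 13 receives over UDP, and how it derives the per-protocol flow statistics that Question 12 describes for "show ip cache flow", can be shown end to end with a NetFlow version 5 datagram. This is an added example, not code from the page, from Cisco, or from any collector product: the three flow records are constructed inline (RFC 5737 documentation addresses), the header's sampling field is set to 1-in-100 packet sampling so that it ties back to the sampler discussion in Question 4, and the parser is written to reject a truncated or non-v5 datagram rather than silently produce numbers, which is the check a collector operator wants.

```python
"""Parse a NetFlow v5 export datagram and summarise it the way a collector would.

Added example, not code from the page or from Cisco. The sample datagram is
constructed inline; all addresses are RFC 5737 documentation ranges.
"""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_netflow_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {
        "count": count, "flow_sequence": flow_seq, "engine_id": engine_id,
        # top two bits: sampling mode (1 = packet interval); low 14 bits: the interval N
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return header, records


def summarise(records):
    """Per-protocol flow/packet/byte totals plus the top talker (source address) by bytes."""
    per_proto = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    by_src = defaultdict(int)
    for r in records:
        p = per_proto[PROTO_NAMES.get(r["proto"], str(r["proto"]))]
        p["flows"] += 1
        p["packets"] += r["packets"]
        p["bytes"] += r["bytes"]
        by_src[r["src"]] += r["bytes"]
    top = max(by_src.items(), key=lambda kv: kv[1]) if by_src else None
    return dict(per_proto), top


def build_sample_datagram():
    """Constructed v5 export with three flows, laid out as an exporter would emit it."""
    def rec(src, dst, sport, dport, proto, pkts, octets, flags=0):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton("0.0.0.0"),      # next hop
                              1, 2,                             # input / output ifIndex
                              pkts, octets, 1000, 2000,         # counters, first/last uptime
                              sport, dport, 0, flags, proto, 0, # ports, pad, flags, proto, tos
                              0, 0, 24, 24, 0)                  # ASNs, masks, pad
    flows = [
        rec("192.0.2.10", "198.51.100.5", 51000, 443, 6, 120, 150000, 0x18),
        rec("192.0.2.11", "198.51.100.5", 51001, 443, 6, 10, 2000, 0x02),
        rec("192.0.2.10", "198.51.100.53", 40000, 53, 17, 2, 180),
    ]
    sampling_field = (1 << 14) | 100     # packet-interval sampling, 1 in 100
    header = V5_HEADER.pack(5, len(flows), 3600000, 1700000000, 0, 1, 0, 7, sampling_field)
    return header + b"".join(flows)


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_sample_datagram())
    print(hdr)
    print(summarise(recs))
```

Because the header carries the sampling interval, a collector must scale the packet and byte counters by that interval before reporting bandwidth; the summary above deliberately reports the raw exported counters, which is what "show ip cache flow" shows on the device itself.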
Question 14
Refer to the exhibit. How can you configure a second export destination for IP address
192.168.10.1?
configure terminal
ip flow-export destination 192.168.10.1 9991
ip flow-export version 9
Answer: B
Explanation
To configure multiple NetFlow export destinations to a router, use the following commands
in global configuration mode:
The following example enables the exporting of information in NetFlow cache entries:
ip flow-export destination 10.42.42.1 9991
ip flow-export destination 10.0.101.254 1999
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html
Question 15
Which two statements about NetFlow templates are true? (Choose two)
Answer: A D
Explanation
The distinguishing feature of the NetFlow Version 9 format is that it is template based ->
Answer A is correct.
Reference:
https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00
800a3db9.html
Export bandwidth increases for version 9 (because of template flowsets) versus version 5 ->
Answer D is correct.
Version 9 slightly decreases overall performance, because generating and maintaining valid
template flowsets requires additional processing -> Answer E is not correct.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfexpfv9.html
Question 16
Answer: B
Explanation
MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow
exports up to three labels of interest from the incoming label stack, the IP address associated
with the top label, as well as traditional NetFlow data.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf24.html
Troubleshooting Questions
https://www.digitaltut.com/troubleshooting-questions
Question 1
Which two commands would be used to troubleshoot high memory usage for a process?
(Choose two)
Answer: A B
Explanation
Note: In fact the correct command should be "show memory allocating-process totals" (not "table").
The "show memory summary" command displays a summary of all memory pools and memory usage per Alloc PC (address of the system call that allocated the block). An example of the output of this command is shown below:
Legend:
+ Total: the total amount of memory available after the system image loads and builds its
data structures.
+ Used: the amount of memory currently allocated.
+ Free: the amount of memory currently free.
+ Lowest: the lowest amount of free memory recorded by the router since it was last booted.
+ Largest: the largest free memory block currently available.
Note: The show memory allocating-process totals command contains the same information
as the first three lines of the show memory summary command.
An example of a high memory usage problem is a large amount of free memory but a small value in the "Lowest" column. In this case, a normal or abnormal event (for example, a large routing instability) caused the router to use an unusually large amount of processor memory for a short period of time, during which the memory ran out.
The show memory dead command is only used to view the memory allocated to a process
which has terminated. The memory allocated to this process is reclaimed by the kernel and
returned to the memory pool by the router itself when required. This is the way IOS handles
memory. A memory block is considered as dead if the process which created the block exits
(no longer running).
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf013.html and
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/6507-mallocfail.html
Question 2
A network engineer finds that a core router has crashed without warning. In this situation,
which feature can the engineer use to create a crash collection?
Answer: B
Explanation
A core dump is a file containing a process's address space (memory) at the moment the process
terminates unexpectedly; it is used to identify the cause of the crash.
Question 3
A network engineer is investigating the cause of a service disruption on a network segment
and executes the debug condition interface fastethernet f0/0 command. In which situation
is the debugging output generated?
A. when packets on the interface are received and the interface is operational
B. when packets on the interface are received and logging buffered is enabled
C. when packets on the interface are received and forwarded to a configured syslog server
D. when packets on the interface are received and the interface is shut down
Answer: A
Question 4
Various employees in the same department report to the network engineer about slowness in
the network connectivity to the Internet. They are also having latency issues communicating
to the network drives of various departments. Upon monitoring, the engineer finds traffic
flood in the network. Which option is the problem?
A. network outage
B. network switching loop
C. router configuration issue
D. wrong proxy configured
Answer: B
Miscellaneous Questions
https://www.digitaltut.com/miscellaneous-questions
Question 1
A network administrator executes the command clear ip route. Which two tables does this
command clear and rebuild? (Choose two)
A. IP routing
B. FIB
C. ARP cache
D. MAC address table
E. Cisco Express Forwarding table
F. topology table
Answer: A B
Explanation
The command "clear ip route" clears one or more routes from both the unicast RIB (IP
routing table) and all the module Forwarding Information Bases (FIBs).
Question 2
A. 10.9.1.0/24
B. 10.8.0.0/24
C. 10.8.0.0/16
D. 10.8.0.0/23
Answer: B
Explanation
Therefore the prefix that is matched by the above ip prefix-list should be 10.8.x.x/24.
Question 3
A user is having issues accessing file shares on a network. The network engineer advises the
user to open a web browser, input a prescribed IP address, and follow the instructions. After
doing this, the user is able to access company shares. Which type of remote access did the
engineer enable?
A. EZVPN
B. IPsec VPN client access
C. VPDN client access
D. SSL VPN client access
Answer: D
Explanation
This is a new user (client) whose machine has not yet been configured for SSL VPN connections, so
the user must open a web browser, enter the URL and log in successfully to be authenticated.
A small piece of software is also downloaded and installed on the client computer the first
time. From then on the user can access file shares on that network normally.
Question 4
Which technology was originally developed for routers to handle fragmentation in the path
between end points?
A. PMTUD
B. MSS
C. windowing
D. TCP
E. global synchronization
Answer: A
Explanation
Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.
Question 5
If the total bandwidth is 64 kbps and the RTT is 3 seconds, what is the bandwidth delay
product?
A. 8,000 bytes
B. 16,000 bytes
C. 24,000 bytes
D. 32,000 bytes
E. 62,000 bytes
Answer: C
Explanation
Bandwidth-delay product (BDP) is the maximum amount of data "in transit" at any point in
time between two endpoints. In other words, it is the amount of data "in flight" needed to
saturate the link. You can think of the link between two devices as a pipe: the cross section of
the pipe represents the bandwidth and the length of the pipe represents the delay (the
propagation delay due to the length of the pipe).
Therefore the volume of the pipe = Bandwidth x Delay. The volume of the pipe is also the
BDP.
BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 =
192,000 bits = 24,000 bytes
For your information, BDP is very important in TCP communication as it optimizes the use
of bandwidth on a link. As you know, a disadvantage of TCP is that it has to wait for an
acknowledgment from the receiver before sending more data. The waiting time may be
very long, and we may not utilize the full bandwidth of the link for the transmission.
Based on BDP, the sending host can increase the amount of data sent on a link (usually by
increasing the window size). In other words, the sending host can fill the whole pipe with
Question 6
A network engineer receives reports about poor voice quality issues at a remote site. The
network engineer does a packet capture and sees out-of-order packets being delivered. Which
option can cause the VOIP quality to suffer?
Answer: D
Question 7
Answer: D
Explanation
Asymmetric routing is the scenario in which outgoing packets take one path and returning packets
take another. VRRP can cause asymmetric routing to occur, for example:
R1 and R2 are the two routers in the local internal LAN network that are running VRRP. R1
is the master router and R2 is the backup router.
These two routers are connected to an ISP gateway router, by using BGP. This topology
provides two possible outgoing and incoming paths for the traffic.
Suppose the outgoing traffic is sent through R1 but VRRP failover occurs, R2 becomes the
new master router -> traffic passing through R2 instead -> asymmetric routing occurs.
Question 8
Answer: C D
Question 9
What are three reasons to control routing updates via route filtering? (Choose three)
Question 1
Drag and drop the IPv6 NAT characteristic from the left to the matching IPv6 NAT category
on the right.
Answer:
NAT64:
+ Use Network-specific prefix
+ Modify session during translation
NPTv6:
+ Modify IP header in transit
+ Map one IPv6 address prefix to another IPv6 prefix
Explanation
NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). NAT64 requires a dedicated prefix, called the NAT64 prefix, to
recognize which hosts need IPv4-IPv6 translation. The NAT64 prefix can be a Network-specific
prefix (NSP), which is configured by a network administrator, or the well-known prefix (which
is 64:FF9B::/96). When a NAT64 router receives a packet whose destination starts with the NAT64
prefix, it processes this packet with NAT64.
NAT64 is not as simple as IPv4 NAT, which only translates the source or destination IPv4
address. NAT64 translates nearly everything (source and destination IP addresses, port numbers,
the IPv4/IPv6 headers... which together are called a session) from IPv4 to IPv6 and vice versa. So NAT64
"modifies the session during translation".
Question 2
Drag and drop the BGP states from the left to the matching definitions on the right.
Answer:
Explanation
The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm ->
Established
+ Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor
relationship has been administratively shut down.
+ Connect: TCP handshake completed.
+ Active: BGP tries another TCP handshake to establish a connection with the remote BGP
neighbor. If it is successful, it will move to the OpenSent state. If the ConnectRetry timer
expires then it will move back to the Connect state. Note: Active is not a good state.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.
Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3
Question 3
Drag and drop the Cisco Express Forwarding adjacency types from the left to the correct type
of processing on the right.
Left column:
+ Punt Adjacency
+ Drop Adjacency
+ Null Adjacency
+ Discard Adjacency
+ Glean Adjacency
Right column:
+ Packets are discarded.
+ Features that require special handling or features that are not yet supported in
conjunction with CEF switching paths are forwarded to the next switching layer for
handling. Features that are not supported are forwarded to the next higher switching level.
+ When a router is connected directly to several hosts, the FIB table on the router
maintains a prefix for the subnet rather than for the individual host prefixes. The subnet
prefix points to a glean adjacency. When packets need to be forwarded to a specific host,
the adjacency database is gleaned for the specific prefix.
+ Packets are dropped, but the prefix is checked.
+ Packets destined for a Null0 interface are dropped. This can be used as an effective form
of access filtering.
Answer:
Punt Adjacency: Features that require special handling or features that are not yet supported
in conjunction with CEF switching paths are forwarded to the next switching layer for
handling. Features that are not supported are forwarded to the next higher switching level.
Drop Adjacency: Packets are dropped, but the prefix is checked.
Null Adjacency: Packets destined for a Null0 interface are dropped. This can be used as an
effective form of access filtering.
Discard Adjacency: Packets are discarded.
Glean Adjacency: When a router is connected directly to several hosts, the FIB table on the
router maintains a prefix for the subnet rather than for the individual host prefixes. The
subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific
host, the adjacency database is gleaned for the specific prefix.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.ht
ml
Question 4
Drag and drop the challenge Handshake Authentication Protocol steps from the left into the
correct order in which they occur on the right.
Answer:
+ Target 1: When the LCP phase is complete and CHAP is negotiated between both devices,
the authenticator sends a challenge message to the peer
+ Target 2: The peer responds with a value calculated through a one-way hash function
(MD5)
+ Target 3: The authenticator checks the response against its own calculation of the expected
hash value if the values match the authentication is successful. Otherwise, the connection is
terminated
Explanation
The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the peer
by means of a three-way handshake. These are the general steps performed in CHAP:
1) After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated
between both devices, the authenticator sends a challenge message to the peer.
2) The peer responds with a value calculated through a one-way hash function (Message
Digest 5 (MD5)).
3) The authenticator checks the response against its own calculation of the expected hash
value. If the values match, the authentication is successful. Otherwise, the connection is
terminated.
This authentication method depends on a "secret" known only to the authenticator and the
peer. The secret is not sent over the link. Although the authentication is only one-way, you
can negotiate CHAP in both directions, with the help of the same secret set for mutual
authentication.
Reference: http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html
For more information about CHAP challenge please read our PPP tutorial.
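The three-way handshake described above, as an added simulation in Python (not code from the page, Cisco, or the referenced tutorial). It follows the RFC 1994 response calculation, MD5 over the identifier byte, the secret and the challenge value, and runs both sides in one process so the messages that would cross the link can be inspected. The router names "R1" and "R2" and the secret are constructed sample values; the assumption that a challenge identifier is accepted only once is this example's choice for showing why a captured Response cannot be replayed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class ChapMessage:
    """One CHAP packet on the (simulated) PPP link."""
    kind: str        # "Challenge", "Response", "Success" or "Failure"
    identifier: int  # one byte that ties a Response to its Challenge
    value: bytes     # random challenge value, or the 16-byte MD5 response
    name: str        # sender's name (on Cisco routers, the hostname)


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over identifier byte || secret || challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Side that sends the Challenge (step 1) and checks the Response (step 3)."""

    def __init__(self, name: str, secret: bytes, rng=os.urandom):
        self.name, self.secret, self.rng = name, secret, rng
        self.pending = {}  # identifier -> challenge value still awaiting a Response

    def challenge(self) -> ChapMessage:
        ident = self.rng(1)[0]
        value = self.rng(16)  # fresh random value for every challenge
        self.pending[ident] = value
        return ChapMessage("Challenge", ident, value, self.name)

    def verify(self, response: ChapMessage) -> ChapMessage:
        # pop(): each challenge is accepted once, so a replayed Response fails
        chal = self.pending.pop(response.identifier, None)
        ok = chal is not None and hmac.compare_digest(
            chap_digest(response.identifier, self.secret, chal), response.value)
        return ChapMessage("Success" if ok else "Failure",
                           response.identifier, b"", self.name)


class Peer:
    """Side being authenticated; answers the Challenge (step 2)."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, chal: ChapMessage) -> ChapMessage:
        digest = chap_digest(chal.identifier, self.secret, chal.value)
        return ChapMessage("Response", chal.identifier, digest, self.name)


def run_chap(auth: Authenticator, peer: Peer):
    """One three-way handshake; returns the outcome and the messages seen on the link."""
    c = auth.challenge()
    r = peer.respond(c)
    s = auth.verify(r)
    return s.kind, [c, r, s]


def secret_on_wire(messages, secret: bytes) -> bool:
    """True if the shared secret appears verbatim in any message (it never should)."""
    return any(secret in m.value or secret in m.name.encode() for m in messages)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample secret, not a real one
    outcome, msgs = run_chap(Authenticator("R1", SECRET), Peer("R2", SECRET))
    for m in msgs:
        print(f"{m.name:>3} -> {m.kind:<9} id={m.identifier:3d} value={m.value.hex()}")
    print("result:", outcome, "| secret on wire:", secret_on_wire(msgs, SECRET))
```

Running it shows the point of the explanation: only the random challenge and the 16-byte digest cross the link, a peer configured with a different secret gets a Failure, and presenting the same Response a second time also fails because the challenge it answered has already been consumed. Mutual authentication, as the text notes, is simply the same exchange run in the other direction with the same secret.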
Question 5
Drag the descriptions on the left to the appropriate group on the right.
Answer:
Authentication:
+ supports a local database for device access
+ supports encryption
Authorization:
+ specifies a user's specific access privileges
+ enforces time periods during which a user can access the device
Accounting:
+ not supported with local AAA
+ verifies network usage
Explanation
AAA offers different solutions that provide access control to network devices. The following
services are included within its modular architectural framework:
+ Authentication – The process of validating users based on their identity and predetermined
credentials, such as passwords and other mechanisms like digital certificates. Authentication
controls access by requiring valid user credentials, which are typically a username and
password. With RADIUS, the ASA supports PAP, CHAP, MS-CHAP1 and MS-CHAP2, which is why
authentication is said to support encryption.
+ Authorization – The method by which a network device assembles a set of attributes that
regulates what tasks the user is authorized to perform. These attributes are measured against a
user database. The results are returned to the network device to determine the user's
qualifications and restrictions. This database can be located locally on the Cisco ASA or it can be
hosted on a RADIUS or Terminal Access Controller Access-Control System Plus
(TACACS+) server. In summary, Authorization controls access per user after users
authenticate.
+ Accounting – The process of gathering and sending user information to an AAA server,
used to track login times (when the user logged in and logged off) and the services that users
access. This information can be used for billing, auditing, and reporting purposes.
Question 6
Drag the characteristics on the left to the proper authentication protocols on the right.
Answer:
PAP:
+ Provides minimal security
+ Requires a username and password only
CHAP:
+ Generates a unique string for each transaction
+ Supports mid-session re-authentication
Question 7
Drag the items on the left to the proper locations on the right.
Answer:
Radius
+ Uses UDP port 1812 (for authentication/authorization). It encrypts only the password in the
access-request packet, from the client to the server. The remainder of the packet is
unencrypted.
+ It combines authorization and accounting functions
TACACS+
+ Uses TCP port 49 and encrypts the entire packet
+ It separates authorization and accounting functions
Question 8
Drag the items on the left to the proper locations on the right.
Answer:
NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). There are two different forms of NAT64, stateless and stateful:
+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps
no state. It does not save any IP addresses, since every IPv4 address maps to one IPv6 address.
Stateless NAT64 does not conserve IPv4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation (1:N translation). It
supports both IPv6-initiated and IPv4-initiated communications using static or manual
mappings. Stateful NAT64 conserves IPv4 addresses.
NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6 and it supports
one-to-one translation between inside and outside addresses.
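An added Python example (not code from the page or from Cisco) covering both the NAT64 prefix handling explained under Drag and Drop Question 1 and the stateless/stateful distinction above. `embed_ipv4`/`extract_ipv4` do the stateless mapping of an IPv4 address into the low 32 bits of a /96 NAT64 prefix (the well-known 64:ff9b::/96 from the text or a network-specific prefix); `needs_nat64` is the router's "does the destination start with the NAT64 prefix" check; `StatefulNat64` shows why stateful mode conserves IPv4 addresses: many IPv6 sources share one pool address and a per-flow binding is created on the first packet. Restricting to /96 prefixes, the pool address 203.0.113.1 and all packet addresses are this example's assumptions and constructed sample values; static mappings for IPv4-initiated flows are not modelled.

```python
import ipaddress

# Well-known NAT64 prefix from the text; an NSP is any /96 the administrator picks.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """Stateless mapping: the IPv4 address becomes the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:  # assumption: this example handles /96 prefixes only
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv4Address:
    """Inverse of embed_ipv4; rejects addresses that are not inside the NAT64 prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def needs_nat64(dst_ipv6: str, prefixes=(WELL_KNOWN_PREFIX,)) -> bool:
    """The router's classification step: does this destination fall inside a NAT64 prefix?"""
    return any(ipaddress.IPv6Address(dst_ipv6) in p for p in prefixes)


class StatefulNat64:
    """Stateful NAT64 for IPv6-initiated TCP/UDP flows: many IPv6 hosts share one
    IPv4 pool address, so per-flow state (a binding) is created on the first packet."""

    def __init__(self, prefix: ipaddress.IPv6Network, pool_ipv4: str, first_port: int = 1024):
        self.prefix = prefix
        self.pool = ipaddress.IPv4Address(pool_ipv4)
        self.next_port = first_port
        self.v6_to_v4 = {}  # (IPv6 src, src port) -> translated IPv4 port
        self.v4_to_v6 = {}  # translated IPv4 port -> (IPv6 src, src port)

    def outbound(self, src6: str, sport: int, dst6: str, dport: int):
        """IPv6 -> IPv4 direction; returns the rewritten 4-tuple and creates state."""
        key = (ipaddress.IPv6Address(src6), sport)
        if key not in self.v6_to_v4:  # new session: allocate a port on the pool address
            self.v6_to_v4[key] = self.next_port
            self.v4_to_v6[self.next_port] = key
            self.next_port += 1
        dst4 = extract_ipv4(dst6, self.prefix)
        return (str(self.pool), self.v6_to_v4[key], str(dst4), dport)

    def inbound(self, src4: str, sport: int, dst4: str, dport: int):
        """IPv4 -> IPv6 return direction; only packets matching existing state pass."""
        if ipaddress.IPv4Address(dst4) != self.pool or dport not in self.v4_to_v6:
            return None  # unsolicited IPv4-initiated traffic: no binding, dropped
        src6, port6 = self.v4_to_v6[dport]
        return (str(embed_ipv4(src4, self.prefix)), sport, str(src6), port6)


if __name__ == "__main__":
    nat = StatefulNat64(WELL_KNOWN_PREFIX, "203.0.113.1")  # constructed pool address
    print(embed_ipv4("192.0.2.33"))                        # 64:ff9b::c000:221
    print(nat.outbound("2001:db8::10", 40000, "64:ff9b::c000:221", 80))
    print(nat.inbound("192.0.2.33", 80, "203.0.113.1", 1024))
    print(nat.inbound("192.0.2.33", 80, "203.0.113.1", 5000))  # None: no session
```

The two halves illustrate the drag-and-drop answers: the stateless functions are pure address arithmetic with nothing to remember, while the stateful translator rewrites addresses and ports together (the "session") and has to keep a binding table for the return direction.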
Question 9
Answer:
Question 10
Drag and drop each frame-relay component on the left to the correct statement on the right.
Answer:
Question 11
Answer:
+ DHCPv6 Server:
IPv6 address autoconfig
IPv6 enable
+ Client Interface:
IPv6 address
IPv6 DHCP Relay destination
Question 12
Answer:
RADIUS:
+ combines authentication and authorization functions
+ has no option to authorize router commands
TACACS+:
+ encrypts the entire packet
+ uses TCP port 49
Question 13
Drag and drop each statement about uRPF on the left to the correct uRPF mode on the right.
Answer:
Loose Modes:
+ It supports using the default route as a route reference
+ It requires the source address to be routable
Strict Modes:
+ It can drop legitimate traffic
+ It permits only packets that are received on the same interface as the exit interface for the
destination address
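An added Python model of the two uRPF modes (not code from the page or from Cisco IOS) that runs both checks over a constructed FIB and a few constructed packets. Strict mode permits a packet only when the best route to its source points back out the ingress interface; loose mode only requires that some route to the source exists. The `allow_default` switch stands in for whether the default route may be used as the reference route, which the text lists as a loose-mode property; the interface names and addresses are assumptions.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). One best path per prefix; longest match wins.
FIB = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.2.0.0/16", "Gi0/2"),
    ("0.0.0.0/0", "Gi0/0"),   # default route toward the upstream provider
]


def best_route(fib, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, oif in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, oif)
    return best


def urpf_check(fib, src, ingress, mode, allow_default=False):
    """Return (permit, reason) for a packet with source src arriving on ingress.
    mode is 'strict' or 'loose'; allow_default lets the default route count as a route."""
    route = best_route(fib, src)
    if route is None:
        return False, "no route to source"
    net, oif = route
    if net.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    if mode == "loose":
        return True, f"source routable via {net} out {oif}"
    if mode == "strict":
        if oif == ingress:
            return True, f"reverse path {oif} matches ingress"
        return False, f"reverse path is {oif} but packet arrived on {ingress}"
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed sample packets: (source, ingress interface, description)
PACKETS = [
    ("10.1.7.7", "Gi0/1", "normal: source reached back out the ingress interface"),
    ("10.1.7.7", "Gi0/2", "legitimate but asymmetric: reply path differs from the ingress"),
    ("10.9.9.9", "Gi0/2", "source with no matching route except the default route"),
    ("198.51.100.9", "Gi0/0", "Internet source arriving on the upstream link"),
]


def evaluate(fib, packets, mode, allow_default=False):
    """Run one mode over all packets; returns [(description, permitted), ...]."""
    return [(desc, urpf_check(fib, src, ingress, mode, allow_default)[0])
            for src, ingress, desc in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} mode (allow_default=True) ---")
        for src, ingress, desc in PACKETS:
            ok, why = urpf_check(FIB, src, ingress, mode, allow_default=True)
            print(f"{'permit' if ok else 'drop  '} {src:>13} on {ingress}: {desc} ({why})")
```

The second sample packet is the one the drag-and-drop answer warns about: with asymmetric routing the reply path to 10.1.7.7 is Gi0/1, so strict mode drops a legitimate packet that arrived on Gi0/2 while loose mode permits it. The third packet shows the default-route caveat: without `allow_default` neither mode accepts a source that only the default route covers.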
Question 1
Drag and drop the statements about device security from the left onto the correct description
on the right.
Answer:
CoPP:
+ It protects the device against DoS attacks
+ It supports packet forwarding by reducing the load on the device
+ It uses QoS to limit the load on the device
MPP:
+ It designates the permitted management interfaces on the device
+ It is enabled only when an interface is configured
+ It requires only a single command to configure
Question 2
Drag and drop the steps in the NAT process for IPv4-initiated packets from the left into the
correct sequence on the right.
Answer:
Question 3
Answer:
Explanation
The most common reason for excessive unicast flooding in steady-state Catalyst switch
networks is the lack of proper host port configuration. Hosts, servers, and any other end-
devices do not need to participate in the STP process; therefore, the link up and down states
on the respective NIC interfaces should not be considered an STP topology change.
Reference: http://www.ciscopress.com/articles/article.asp?p=336872
Question 4
Drag and drop the statements from the left onto the correct IPv6 router security features on
the right.
Answer:
Question 5
Drag and drop steps in the TACACS+ authentication process from the left onto the actors that
perform on the right.
Answer:
Router:
+ prompts the user for a username and password
+ passes logon information to the TACACS+ server
TACACS+ Server:
User:
+ provides access credentials
+ attempts to access the router
Question 6
Drag and drop the correct description on the right onto the corresponding ACL types on the
left.
Answer:
Explanation
The general rule when applying access lists is to apply standard IP access lists as close to the
destination as possible and to apply extended access lists as close to the source as possible.
The reasoning for this rule is that standard access lists lack granularity, so it is better to
implement them as close to the destination as possible; extended access lists have more
potential granularity, so they are better implemented close to the source.
Reference: http://www.ciscopress.com/articles/article.asp?p=1697887
Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release
11.1. This feature is dependent on Telnet, authentication (local or remote), and extended
ACLs.
Lock and key configuration starts with the application of an extended ACL to block traffic
through the router. Users that want to traverse the router are blocked by the extended ACL
until they Telnet to the router and are authenticated. The Telnet connection then drops and a
single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a
particular time period; idle and absolute timeouts are possible.
Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Question 1
How old is the Type 4 LSA from Router 3 for area 1 on the router R5 based on the output
you have examined?
A. 1858
B. 1601
C. 600
D. 1569
Answer: A
Question 2
Which of the following statements is true about the serial links that terminate in R3?
A. The R1-R3 link needs the neighbor command for the adjacency to stay up
B. The R2-R3 link OSPF timer values are 30, 120, 120
C. The R1-R3 link OSPF timer values should be 10,40,40
D. R3 is responsible for flooding LSUs to all the routers on the network.
Answer: B
Question 3
A. 1
B. 5
C. 9
D. 20
E. 54
F. 224
Answer: C
Question 4
Areas of Router 5 and 6 are not normal areas, inspect their routing tables and determine
which statement is true?
A. R5's Loopback and R6's Loopback are both present in R5's Routing table
B. R5's Loopback and R6's Loopback are both present in R6's Routing table
C. Only R5's loopback is present in R5's Routing table
D. Only R6's loopback is present in R5's Routing table
E. Only R5's loopback is present in R6's Routing table
Answer: A
Question 1
Traffic from R1 to R6's Loopback address is load shared between the R1-R2-R4-R6 and R1-R3-
R5-R6 paths. What is the ratio of traffic over each path?
A. 1:1
B. 1:5
C. 6:8
D. 19:80
Answer: D
Question 2
Answer: A
Question 3
Which key chain is being used for authentication of EIGRP adjacency between R4 and R2?
A. CISCO
B. EIGRP
C. key
D. MD5
Answer: A
Question 4
A. 333056
B. 1938688
C. 1810944
D. 307456
Answer: A
Question 5
A. 10
B. 20
C. 30
D. 40
Answer: B
Question
You are a network engineer with ROUTE.com, a small IT company. They have recently
merged two organizations and now need to merge their networks as shown in the topology
exhibit. One network is using OSPF as its IGP and the other is using EIGRP as its IGP. R4
has been added to the existing OSPF network to provide the interconnect between the OSPF
and EIGRP networks. Two links have been added that will provide redundancy.
The network requirements state that you must be able to ping and telnet from loopback 101
on R1 to the OSPF domain test address of 172.16.1.100. All traffic must use the shortest path
that provides the greatest bandwidth. The redundant paths from the OSPF network to the
EIGRP network must be available in case of a link failure. No static or default routing is
allowed in either network.
A previous network engineer has started the merger implementation and has successfully
assigned and verified all IP addressing and basic IGP routing. You have been tasked with
completing the implementation and ensuring that the network requirements are met. You may
not remove or change any of the configuration commands currently on any of the routers.
You may add new commands or change default values.
Question
Company Acan has two links which can take it to the Internet. The company policy demands
that web traffic be forwarded only over the Frame Relay link if it is available, while other
traffic can go through either link. No static or default routing is allowed.
IPv6 OSPF Virtual Link Sim
http://www.digitaltut.com/route-ipv6-ospf-virtual-link-sim
Question
Acme is a small export company that has an existing enterprise network that is running IPv6
OSPFv3. Currently OSPF is configured on all routers. However, R4's loopback address
(FEC0:4:4) cannot be seen in R1's IPv6 routing table. You are tasked with identifying the
cause of this fault and implementing the needed corrective actions that use OSPF features
and do not change the current area assignments. You will know that you have corrected the
fault when R4's loopback address (FEC0:4:4) can be seen in the routing table of R1.
Special Note: To gain the maximum number of points you must remove all incorrect or
unneeded configuration statements related to this issue.
Question
By opening its first distant office, JS Manufactures has extended its business. It has
configured the remote office router (R3), from which all corporate subnets can be reached. In
order to improve network stability and reduce the memory usage and bandwidth utilization on
R3, JS Manufactures makes use of route summarization together with the EIGRP Stub
Routing feature. Another network engineer is responsible for implementing this
solution. However, in the process of configuring EIGRP stub routing, connectivity with the
remote network devices off of R3 has been lost.
Presently JS has configured EIGRP on all routers in the network: R2, R3, and R4. Your duty
is to find and solve the connectivity failure with the remote office router R3. After the
problem has been solved, you should then configure route summarization only toward the
distant office router R3 to complete the task.
Successful pings from R4 to the R3 LAN interface prove that the fault has been
corrected, and the R3 IP routing table should then contain only two 10.0.0.0 subnets.
OSPF Sim
http://www.digitaltut.com/route-ospf-sim
Question
OSPF is configured on routers Amani and Lynaic. Amani's S0/0 interface and Lynaic's S0/1
interface are in Area 0. Lynaic's Loopback0 interface is in Area 2.
Your task is to configure the following:
EIGRP Simlet
http://www.digitaltut.com/route-eigrp-simlet
Question
Refer to the exhibit. BigBids Incorporated is a worldwide auction provider. The network uses
EIGRP as its routing protocol throughout the corporation. The network administrator does
not understand the convergence of EIGRP. Using the output of the show ip eigrp topology
all-links command, answer the administrator's questions.
Question 1
Which two networks does the Core1 device have feasible successors for? (Choose two)
A – 172.17.0.0/30
B – 172.17.1.0/24
C – 172.17.2.0/24
D – 172.17.3.0/25
E – 172.17.3.128/25
F – 10.140.0.0/24
Answer: A F
Question 2
Which three EIGRP routes will be installed for the 172.17.3.128/25 and 172.17.2.0/24
networks? (Choose three)
Answer: B C D
Question 3
Which three networks is the router at 172.17.10.2 directly connected to? (Choose three)
A – 172.17.0.0/30
B – 172.17.1.0/24
C – 172.17.2.0/24
D – 172.17.3.0/25
E – 172.17.3.128/25
F – 172.17.10.0/24
Answer: C E F