New Questions -1

Question 1

Drag and drop the statements about NAT64 from the left onto the correct NAT64 types on the right.


+ It supports FTP64 for ALG
+ It supports PAT and overload
+ It allows IPv6 systems to use any type of IPv6 address

+ ALG is not supported
+ It supports one-to-one mapping only
+ It requires IPv6 systems to use RFC6052 IPv4-translatable addresses

Differences Between Stateful NAT64 and Stateless NAT64 are shown below:

Supported Features Stateful NAT64 Stateless NAT64
Address savings N:1 mapping for PAT or overload configuration that saves IPv4 addresses One-to-one mapping — one IPv4 address is used for each IPv6 host
Address space IPv6 systems may use any type of IPv6 addresses IPv6 systems must have IPv4-translatable addresses (based on RFC 6052)
ALGs supported FTP64 None
Protocols supported ICMP, TCP, UDP All


Question 2

Which statement about the metric calculation in EIGRP is true?

A. The maximum delay along the path is used
B. The mean value of bandwidth between the source and destination is used
C. The minimum bandwidth between the source and destination is used
D. The minimum delay along the path is used

Answer: C

Question 3

Which two steps must you perform to allow access to a device when the connection to a remote TACACS+ authentication server fails? (Choose two)

A. Include the local keyword in the AAA configuration
B. Configure a local username and password on the device
C. Configure the device to accept Telnet and SSH connections
D. Configure accounting to reference the log of previously authenticated connections
E. Remove the aaa new model command from the global configuration

Answer: A B

Question 4

Refer to the exhibit.

ip vrf BLUE
ip vrf RED
interface FastEthernet0/0
ip vrf forwarding RED
ip address
interface FastEthernet0/1
ip vrf forwarding BLUE
ip address

Network users on the subnet have a default gateway of Which command will configure this gateway?

A. router(config)#ip route vrf RED
B. router(config)#ip route
C. router(config)#ip route fastethernet0/1
D. router(config)#ip route vrf BLUE

Answer: D

Question 5

Refer to the exhibit.

Router# show processes cpu sorted
Router# show processes memory sorted

Based on Cisco best practice, which statement about the output is true?

A. The output should be analyzed by a network engineer before allocating additional memory and CPU usage to processes on an IOS router in production
B. The output should be analyzed by a network engineer before executing any configuration commands on an IOS router in production
C. The output should be analyzed by a network engineer before executing any debug commands on an IOS router in production
D. The output should be analyzed by a network engineer before executing other show commands on an IOS router in production

Answer: C

Question 6

Users were moved from the local DHCP server to the remote corporate DHCP server. After the move, none of the users were able to use the network. Which two issues wil prevent this setup from working properly? (Choose two)

A. Auto-QoS is blocking DHCP traffic
B. The DHCP server IP address configuration is missing locally
C. 802.1X is blocking DHCP traffic
D. The broadcast domain is too large for proper DHCP propagation
E. The route to the new DHCP server is missing

Answer: B E

Question 7

Which two statements about the OSPF down bit are true? (Choose two)

A. It is set only when an OSPF virtual link is created
B. It is set only for LSA types 1,2, and 4
C. It is set when OSPF routes are redistributed into BGP
D. It is set only for LSA types 3,5, and 7
E. It is set when MP-BGP routes are redistributed into OSPF

Answer: D E

To prevent possibility of a loop, when the routes are redistributed from MP-BGP into OSPF, then they are marked with a DN Bit in LSA Type 3, 5, or 7 and have the domain tag for Type 5 and 7 LSA.

Good reference:

Question 8

Which command can be entered on router R5 to configure 80 percent of the bandwidth of a link for EIGRP Autonomous System 55?

A. R5(config-if)#ip bandwidth-percent eigrp 55 80
B. R5(config-pmap-c)#priori1y percent 80
C. R5(config-if)#ip bandwidth-percent eigrp 80 55
D. R5(config-if)#ipv6 bandwidth-percent eigrp 80 55
E. R5(config-if)#ipv6 bandwidth-percent eigrp 55 80

Answer: A

Question 9

Which two addresses types are included in NAT? (Choose two)

A. inside global
B. global outside
C. outside internet
D. inside internet
E. outside local

Answer: A E

NAT use four types of addresses:

* Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.

Question 10

Refer to the exhibit.

Hostname R1
ip vrf Yellow
rd 100:1
interface Serial0/0
ip vrf forwarding Yellow
ip address
router eigrp 100
no auto-summary
redistribute static
R1#ping vrf Yellow
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to, timeout is 2 second:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1 is configured with VRF-Lite and can ping R2. R2 is fully configured, but it has no active EIGRP neighbors in vrf Yellow If the configuration of R2 is complete, then which issue prevents the EIGRP 100 neighbor relationship in vrf Yellow from forming?

A. The no auto-summary command is preventing the EIGRP neighbor relationship from forming
B. There is a Layer 1 issue that prevents the EIGRP neighbor relationship from forming
C. The interface IP addresses are not in the same subnet
D. EIGRP 100 network 192 168 1 0/24 is configured in the global routing table on R1

Answer: D

The “network” should be configured under vrf Yellow as follows:

router eigrp 100
 address-family vrf Yellow

Question 11

Which two LSA types were introduced to support OSPF for IPv6? (Choose two)

A. type 9
B. type 10
C. type 5
D. type 7
E. type 8

Answer: A E

LSAs Type 8 (Link LSA) have link-local flooding scope.  A router originates a separate link-LSA for each attached link that supports two or more (including the originating router itself) routers.  Link-LSAs should not be originated for virtual links.

Link-LSAs have three purposes:
1.  They provide the router’s link-local address to all other routers attached to the link.
2.  They inform other routers attached to the link of a list of IPv6 prefixes to associate with the link.
3.  They allow the router to advertise a collection of Options bits in the network-LSA originated by the Designated Router on a broadcast or NBMA link.

LSAs Type 9 (Intra-Area Prefix LSA) have area flooding scope. An intra-area-prefix-LSA has one of two functions:
1.  It either associates a list of IPv6 address prefixes with a transit network link by referencing a network-LSA…
2.  Or associates a list of IPv6 address prefixes with a router by referencing a router-LSA.  A stub link’s prefixes are associated with its attached router.

LSA Type 9 is breaking free of LSA Type 1 and LSA Type 2 as they were used in IPv4 OSPF to advertise the prefixes inside the areas, giving us a change in the way the OSPF SPF algorithm is ran.

Reference (and for more information):

Question 12

Which two statements about DMVPN are true? (Choose two)

A. IPsec encryption not supported with statically addressed spokes
B. It requires full-mesh connectivity on the network
C. It uses NHRP to create a mapping database of spoke addresses
D. Multicast traffic is not supported
E. It supports dynamic addresses for spokes in a hub-and-spoke VPN topology

Answer: C E

Question 13

A netwoik engineer is configuring two dedicated Internet connections within the Internet module One connection is the primary connection to all wired business communications while Che other is the primary connection for all customer wireless traffic If one of the links goes down, the affected traffic needs to be redirected to the redundant link Winch current technology should be deployed to monitor the scenario?


Answer: A

Question 14

Refer to the exhibit.

access-list 1 permit
access-list 1 deny any

Which command we use to control the type of routes that are processed in incoming route updates?

A. passive-interface
B. distribute-list 1 out
C. distribute-list 1 in
D. ip vrf forwarding

Answer: C

Question 15

Which two types of traffic can benefit from LLQ? (Choose two)

A. email
B. voice
C. telnet
D. video
E. file transfer

Answer: B D

Question 16

A network administrator is attempting to configure IP SLA to allow one time stamp to be logged when a packet arrives on the interface and one time stamp to be logged when a packet leaves the interface. Which IP SLA accuracy tool enables this functionality?

A. Trap
C. Responder
D. Trigger
E. Logging

Answer: C

Cisco IOS IP SLA Responder is a Cisco IOS Software component whose functionality is to respond to Cisco IOS IP SLA request packets. The IP SLA source sends control packets before the operation starts to establish a connection to the responder. Once the control packet is acknowledged, test packets are sent to the responder. The responder inserts a time-stamp when it receives a packet and factors out the destination processing time and adds time-stamps to the sent packets. This feature allows the calculation of unidirectional packet loss, latency, and jitter measurements with the kind of accuracy that is not possible with ping or other dedicated probe testing


Question 17

Which two actions are common methods for migrating a network from one protocol to another? (Choose two)

A. redistributing routes from the current routing protocol to the new routing protocol
B. removing the current routing protocol and implementing the new routing protocol
C. changing the relative administrative distances of the two routing protocols
D. changing the network IP addresses and bringing up the new IP addresses using the new routing protocol
E. disabling IP routing globally and implementing the new routing protocol

Answer: A C

Question 18

Which statements best describes the following two OSPF commands, which are used to summarize routes?

area 0 range

A. The area range command defines the area where the network resides. The summary-address command enables autosummanzation
B. The area range command defines the area where the network resides. The summary-address command summarizes a subnet for an areas
C. The area range command specifies the area where the subnet resides and summarizes it to other areas. The summary-address command summarizes external routes
D. The area range command summarizes subnets for a specific area. The summary address command summaries a subnet for all areas

Answer: C

An example of the use of “area range” command is shown below:

In order to RTB summarizes routes for the supernet before injecting them into Area 0, we use the command:

Router(config-router)#area 10 range

An example of using the command “summary-address” is shown below:

Recently the RIPv2 domain has been redistributed into our OSPF domain but the administrator wants to configure a summarized route instead of 32 external type-5 LSAs (for to flooding into the OSPF network. In this case the administrator has to use the “summary-address” command as follows:


Question 19

Which action is the most efficient way to handle route feedback when converting a RIPv2 network to OSPF?

A. Implement route tags
B. Implement IP prefix lists
C. Implement route maps with access lists
D. Implement distribute lists

Answer: A

We should use route tag to tag any routes that are redistributed from RIPv2 to OSPF. Then when redistributing from OSPF to RIPv2 we prevents these routes from getting back to RIPv2 domain (route feedback) by the tags we set before.

Question 20

Which types of LSAs are present in the stub area?

A. LSA type 1, 2, 3, 4 and 5
B. LSA type 1, 2 and 3
C. LSA type 3 and 5
D. LSA type 1 and 2

Answer: B

In the stub area no Type 5 AS-external LSA allowed. It only allows LSA type 1, 2 and 3.

Question 21

What is the hop count is advertised for an unreachable network by a RIP router that uses poison reverse?

A. 16
B. 255
C. 0
D. 15

Answer: A

Question 22

Refer to the exhibit.

aaa new-model
aaa authentication login default local-case enable
aaa authentication login ADMIN local-case
username CCNP secret Str0ngP@ssw0rd!
line 0 4
login authentication ADMIN

How can you change this configuration so that when user CCNP logs in, the show run command is executed and the session is terminated?

A. Add the autocommand keyword to the aaa authentication command
B. Assign privilege level 15 to the CCNP username
C. Add the access-class keyword to the aaa authentication command
D. Assign privilege level 14 to the CCNP username
E. Add the access-class keyword to the username command
F. Add the autocommand keyword to the username command

Answer: F

The “autocommand” causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line. In this specific question, we have to enter this line “username CCNP autocommand show running-config”.

Question 23

Refer to the exhibit.

router ospf 10
redistribute bgp 1 subnets route-map BGP-TO-OSPF
route-map BGP-TO-OSPF deny 10
match ip address 50
route-map BGP-TO-OSPF permit 20
access-list 50 permit

Which statement about redistribution from BGP into OSPF process 10 is true?

A. Network is not redistributed into OSPF
B. Network is not redistributed into OSPF
C. Network is redistributed with administrative distance of 1
D. Network is redistributed with administrative distance of 20

Answer: A

The first statement of the above route-map will prevent network from being redistributed into OSPF.

Question 24

Which functions are included in the two-message rapid exchange that a DHCPv6 client can receive from a server?

A. solicit and reply
B. advertise and request
C. solicit and request
D. advertise and reply

Answer: A

DHCPv6 can be implemented in two ways : Rapid-Commit and Normal Commit mode.

In Rapid-Commit mode , the DHCP client obtain configuration parameters from the server through a rapid two message exchange (solicit and reply).
In Normal-Commit mode, the DHCP client uses four message exchanges (solicit, advertise, request and reply). By default normal-commit is used.


Question 25

Refer to the exhibit.

(exhibit missing)

Which key chain is being used for authentication of EIGRP adjacency between R4 and R2?

B. MD5

Answer: D

Question 26

Which two statements about redistributing EIGRP into OSPF are true? (Choose two)

A. The redistributed EIGRP routes appear as type 3 LSAs in the OSPF database
B. The redistributed EIGRP routes appear as type 5 LSAs in the OSPF database
C. The administrative distance of the redistributed routes is 170
D. The redistributed EIGRP routes appear as OSPF external type 1
E. The redistributed EIGRP routes as placed into an OSPF area whose area ID matches the EIGRP autonomous system number
F. The redistributed EIGRP routes appear as OSPF external type 2 routes in the routing table

Answer: B F

Question 27

A network engineer executes the show ip flow interface command. Which type of information is displayed on the interface?

A. route cache information
B. IP Cisco Express Forwarding statistics
C. error statistics
D. NetFlow configuration

Answer: D

The command “show ip flow interface” displays NetFlow accounting configuration for interfaces. Below is an example of the output of this command:

R1# show ip flow interface
 ip flow ingress
 ip flow egress

Question 28

Which two statements are differences between AAA with TACACS+ and AAA with RADIUS? (Choose two)

A. Only RADIUS uses TCP
B. Unlike TACACS+, RADIUS sends packets with only the password encrypted.
C. Unlike TACACS+, RADIUS supports accounting and authorization only
D. Only TACACS+ uses TCP
E. Only TACACS+ combines authentication and authorization

Answer: B D

Question 29

Which IOS commands can you use to limit the CPU impact of log generation and transmission on an IOS router?

A. You can use the ip access-list logging interval command in conjunction with the logging rate-limit command.
B. You can use the ip access-list logging limit command in conjunction with the logging rate-interval command.
C. You can use the ip access-list syslog-logging interval command in conjunction with the logging rate-limit command
D. You can use the ip access-list logged interval command in conjunction with the logged rate-limit command.

Answer: A

Question 30

You are configuring a Microsoft client to call a PPP server using CHAP. Only the client will be authenticated but the client’s password has expired and must be changed. Which PPP server configuration allows the call to be completed?

A. ppp authentication ms-chap callin
B. ppp authentication chap
C. ppp authentication ms-chap-v2 callin
D. ppp authentication chap callin
E. ppp authentication ms-chap-v2

Answer: C

The MSCHAP Version 2 supports the Password Aging feature, which notifies clients that the password has expired and provides a generic way for the user to change the password.


Note: The “calling” keyword specifies that the router will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the router sends -> Only the client will be authenticated.

Question 31

Which command creates a manual summary on an interface when using EIGRP?

A. area 100 range
B. summary-address eigrp 100
C. ip summary-address eigrp 100
D. ip summary-address 100 255.255 254.0

Answer: C

Question 32

A network engineer wants to implement an SNMP notification process for host machines using the strongest security available. Which command accomplishes this task?

A. router(config)#snmp-server host traps v2c auth
B. router(config)#snmp-server host 172 16.200.225 traps v1
C. router(config)#snmp-server host traps v3
D. router(config)#snmp-server host traps v2c

Answer: C

Both SNMPv1 and v2 did not focus much on security and they provide security based on community string only. Community string is really just a clear text password (without encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and interception.

SNMPv3 provides significant enhancements to address the security weaknesses existing in the earlier versions. The concept of community string does not exist in this version. SNMPv3 provides a far more secure communication using entities, users and groups. This is achieved by implementing three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: by using password hashing (based on the HMAC-MD5 or HMAC-SHA algorithms) to ensure the message is from a valid source on the network.
+ Privacy (Encryption): by using encryption (56-bit DES encryption, for example) to encrypt the contents of a packet.

Note: Although SNMPv3 offers better security but SNMPv2c however is still more common.

Question 33

Which issue is important to address when integrating two networks with different routing protocol?

A. preventing UDP starvation
B. handing IPv4 fragmentation
C. controlling unicast flooding
D. mitigating UDP latency
E. preventing asymmetric routing

Answer: E

Question 34

Drag and drop the DMVPN components from the left onto the correct descriptions on the right.


hub – device that acts as the next-hop server
spoke – device that is usually identified with a dynamic address
mGRE – technology that allows one interface to support multiple tunnels
NHRP – protocol that allows spokes to communicate directly with one another

Question 35

Refer to the exhibit.

%Interfact GigabitEthernet1: IPv4 disabled and address(es) removed due to enabling VRF CUST_A

An engineer is enabling VPN service for a customer and notices this output when placing the customer-facing interface into a VRF. Which action corrects the issue?

A. Reconfigure the IP address on Gigabit Ethernet 1
B. Disabling the VRF CUST_A
C. Reset interface Gigabit Ethernet 1
D. Enabling IPv6 on the interface

Answer: A

If the interface was assigned an IP address before joining to an VRF then that IP address would be removed so we have to reconfigure it.

Question 36

Which two statements about VRF-Lite configurations are true? (Choose two)

A. They support the exchange of MPLS labels
B. Different customers can have overlapping IP addresses on different VPNs
C. They support a maximum of 512,000 routes
D. Each customer has its own dedicated TCAM resources
E. Each customer has its own private routing table.
F. They support IS-IS

Answer: B E

In VRF-Lite, Route distinguisher (RD) identifies the customer routing table and “allows customers to be assigned overlapping addresses”. The below example shows overlapping IP addresses configured on two interfaces which belong to two different VPNs:

Router(config)#ip vrf VRF_BLUE
Router(config-vrf)# rd 100:1
Router(config-vrf)# exit
Router(config)#ip vrf VRF_GREEN
Router(config-vrf)# rd 100:2
Router(config-vrf)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip vrf forwarding VRF_BLUE
Router(config-if)# ip address
Router(config-vrf)# exit
Router(config)# interface GigabitEthernet0/2
Router(config-if)# ip vrf forwarding VRF_GREEN
Router(config-if)# ip address

Question 37

Which two statements about PPPoE packet types are true? (Choose two)

A. PADR is a broadcast packet sent from the client to request a new server
B. PADI is an initialization packet sent as a broadcast message
C. PADO is a unicast reply packet sent to the client
D. PADO is a broadcast reply packet sent to the client
E. PADR is a unicast confirmation packet sent to the client

Answer: B C

+ PPPoE Active Discovery Initiation (PADI): The client initiates a session by broadcasting a PADI packet to the LAN to request a service. 
+ PPPoE Active Discovery Offer (PADO): Any access concentrator that can provide the service requested by the client in the PADI packet replies with a PADO packet that contains its own name, the unicast address of the client, and the service requested. An access concentrator can also use the PADO packet to offer other services to the client. 
+ PPPoE Active Discovery Request (PADR): From the PADOs it receives, the client selects one access concentrator based on its name or the services offered and sends it a PADR packet to indicate the service or services needed.
+ PPPoE Active Discovery Session-Confirmation (PADS): When the selected access concentrator receives the PADR packet, it accepts or rejects the PPPoE session:
– To accept the session, the access concentrator sends the client a PADS packet with a unique session ID for a PPPoE session and a service name that identifies the service under which it accepts the session.
– To reject the session, the access concentrator sends the client a PADS packet with a service name error and resets the session ID to zero.
+ After a session is established, the client or the access concentrator can send a PPPoE Active Discovery Termination (PADT) packet anytime to terminate the session. The PADT packet contains the destination address of the peer and the session ID of the session to be terminated. After this packet is sent, the session is closed to PPPoE traffic. 

Question 38

Which two statements are examples of the differences between IPv4 and IPv6 EIGRP? (Choose two)

A. Network command is used in IPv6
B. DUAL is not used for route calculations
C. DUAL is used for route calculations
D. IPv6 keyword is used in many EIGRP commands
E. Network command is not used in IPv6

Answer: D E

Although the configuration and management of EIGRP for IPv4 and EIGRP for IPv6 are similar, they are configured and managed separately. A few (not all) examples of differences include these:
+ The network command is not used in IPv6; EIGRP is configured via links.
+ The ipv6 keyword is used in many of the EIGRP commands.
+ Needs to be explicitly enabled on each interface when configuring EIGRP.


The following are a few (not all) examples of similarities shared by IPv4 EIGRP and IPv6 EIGRP:
+ DUAL is used for route calculation and selection with the same metrics.
+ It is scalable to large network implementations.
+ Neighbor, routing, and topology tables are maintained.
+ Both equal-cost load balancing and unequal-cost load balancing are offered.


Question 39

Refer to the exhibit.

VRF HUB (VRF Id = 3): default RD 100:10;
default VPNID <not set>
New CLI format, supports multiple address-families
Flags: 0x180C
Address family ipv4 unicast (Table ID = 0x3)
Flags: 0x0
Export VPN route-target communities
RT 100:10
Import VPN route-target communities
RT 100:10 RT 200:20
No import route-map
No global export route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001) [Output omitted]
VRF SPOKE (VRF Id = 4): default RD 200:20;
default VPNID <not set>
New CLI format, supports multiple
Flags: 0x180C
Address family ipv4 unicast (Table ID = 0x4)
Flags: 0x0
Export VPN route-target communities
RT 200:20
Import VPN route-target communities
RT 200:20
No import route-map
No global export route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001) [Output omitted]

A network engineer is modifying configurations for a customer that currently uses VPN connectivity between their sites The customer has added a new spoke site but it does not have reachability to servers located at the hub. Based on the output which statement describes the cause?

A. The interface of VRF HUB and VRF SPOKE do not match
B. The HUB VRF is not exporting Route-Target 200:20
C. The default VPNID is not set on VRF HUB or VRF SPOKE
D. The SPOKE VRF is not importing Route-Target 100:10

Answer: D

Question 40

Which statement about dynamic NAT is true?

A. It creates a one-to-one mapping of inside addresses to a global address
B. It uses the overload command to map addresses
C. It maps inside addresses to different port numbers
D. It maps inside addresses to a pool of global addresses

Answer: D

Question 41

Which statement about the IP SLA feature is true?

A. It ensures that there are appropriate levels of service for network applications
B. It classifies various traffic types by examining information within Layers 3 trough 7.
C. It measures how the network treats traffic for specific applications by generating traffic that bears similar characteristics to application traffic
D. It keeps track of the number of packets and bytes that are observed in each flow by storing information in a cache flow

Answer: C

Question 42

A network engineer is enabling conditional debugging and execute two commands: debug condition interfaces serial0/0 and debug condition interfaces serial 0/1. Which debugging output is displayed as a result?

A. Interface cannot be used as a debug condition.
B. Output is display for both specified interfaces.
C. Output is display for interface serial 0/1 only.
D. Output is display for interface 0/0 only.

Answer: B

============================= New Updated Questions (added on 12th-Jan-2019) =============================

Question 43

What is the DHCP option to download TFTP info to a Cisco phone?

A. option 57
B. option 82
C. option 66
D. option 68

Answer: C

For Cisco phones IP addresses can be assigned manually or by using DHCP. Devices also require access to a TFTP server that contains device configuration name files (.cnf file format), which enables the device to communicate with Cisco Call Manager.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address pre-configured, it sends a request with option 150 to the DHCP server to obtain this information.
DHCP Option 150 is Cisco proprietary. The IEEE standard that matches with this requirement is Option 66. Like option 150, option 66 is used to specify the Name of the TFTP server.

Question 44

What type of address OSPFv3 uses to form adjacency and send updates?

A. FF02::5
B. link-local
C. IPv4 address
D. IPv6 address multicast

Answer: B

Question 45

What security feature is supported across all SNMP version?

A. authpriv
B. noauthnopriv
C. authnopriv
D. noauthpriv

Answer: B

Question 46

A network engineer executes the show crypto ipsec sa command. Which three pieces of information are displayed in the output? (Choose three)

A. inbound crypto map
B. remaining key lifetime
C. path MTU
D. tagged packets
E. untagged packets
F. invalid identity packets

Answer: A B C

This command shows IPsec Security Associations (SAs) built between peers. An example of the output of above command is shown below:

Router#show crypto ipsec sa
interface: FastEthernet0
    Crypto map tag: test, local addr.
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
    #pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, 
    #pkts decompress failed: 0, #send errors 1, #recv errors 0
     local crypto endpt.:, remote crypto endpt.:
     path mtu 1500, media mtu 1500
     current outbound spi: 3D3
     inbound esp sas:
      spi: 0x136A010F(325714191)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
inbound pcp sas:
outbound esp sas:
   spi: 0x3D3(979)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
    sa timing: remaining key lifetime (k/sec): (4608000/52)
    IV size: 8 bytes
    replay detection support: Y
outbound ah sas:
outbound pcp sas:

The first part shows the interface and cypto map name that are associated with the interface. Then the inbound and outbound SAs are shown. These are either AH or ESP SAs. In this case, because you used only ESP, there are no AH inbound or outbound SAs.

Note: Maybe “inbound crypto map” here mentions about crypto map name.

Question 47

Drag drop about AAA.


+ Auth-proxy: It returns information about hosts using proxy service
+ Commands: It returns information about individual EXEC commands and permissions associated with a privilege level
+ Connection: It returns information about outbound communications from the network access server
+ Exec: It returns information about user EXEC terminal sessions with the network access server
+ Network: It returns information about SLIP, PPP and ARA sessions
+ Resources: It returns information about calls that have passed and failed user authentication

============================= New Updated Questions (added on 21st-Feb-2019) =============================

Question 48

What are two reasons to use multicast to deliver video traffic, instead of unicast or broadcast?

A. It provides reliable TCP transport
B. It enables multiple servers to send video streams simultaneously
C. It enables multiple clients to send video stream simultaneously
D. It supports distributed applications
E. It enables multiple clients to receive the video stream simultaneously

Answer: D E

Question 48

Which two statements about PAP authentication in a PPP environment are true? (Choose two)

A. It is performed at the beginning of the session only
B. It sends the password in clear text
C. It uses a username with an MD5 password to authenticate
D. It hashes the password before sending it
E. It is performed at the beginning of the session and is repeated periodically for as long as the session is maintained

Answer: A B

PPP has two built-in security mechanisms which are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

Password Authentication Protocol (PAP) is a very simple authentication protocol. The client who wants to access a server sends its username and password in clear text. The server checks the validity of the username and password and either accepts or denies connection. This is called two-way handshake. In PAP two-way handshake process, the username and password are sent in the first message.

Another difference between PAP and CHAP is PAP performs authentication at the initial link establishment only while CHAP performs authentication at the initial link establishment and periodically after that. The challenge text is random and unique so the “result” is also unique from time to time. This prevents playback attack (in which a hacker tries to copy the “result” text sent from Client to reuse).

Question 49

Which two tasks should you perform to begin troubleshooting a network problem? (Choose two)

A. Gather all the facts
B. Define the problem as a set of symptoms and causes
C. Implement an action plan
D. Monitor and verify the resolution
E. Analyse the results

Answer: A B

The main elements of diagnosis are as follows:
Gathering information: Gathering information happens after the problem has been reported by the user (or anyone). This might include interviewing all parties (user) involved, plus any other means to gather relevant information. Usually, the problem report does not contain enough information to formulate a good hypothesis without first gathering more information. Information and symptoms can be gathered directly, by observing processes, or indirectly, by executing tests.
Analyzing information: After the gathered information has been analyzed, the troubleshooter compares the symptoms against his knowledge of the system, processes, and baselines to separate normal behavior from abnormal behavior.


Question 50

Which two piece of information can you learn by viewing the routing table? (Choose two)

A. Whether an ACL was applied inbound or outbound to an interface
B. Whether the administrative distance was manually or dynamically configured
C. Which neighbor adjacencies are established
D. The EIGRP or BGP autonomous system
E. The length of time that a route has been known

Answer: B E

Question 51

Which two facts must you take into account when you deploy PPPoE? (Choose two)

A. DDR idle timers must be configured to support VPDN login.
B. PPPoE supports a maximum of 10 clients per customer premises equipment
C. DDR is not supported
D. You must manually configure IP addresses on the PPPoE interface
E. An individual PVC can support one PPPoE client

Answer: B E

The PPPoE Client DDR Idle Timer feature supports the dial-on-demand routing (DDR) interesting traffic control list functionality of the dialer interface with a PPP over Ethernet (PPPoE) client, but also keeps original functionality (PPPoE connection up and always on after configuration) for those PPPoE clients that require it.


But it is just an optional feature and we don’t need DDR idle timers to be configured to support VPDN login -> Answer A is not correct.

According to this link:

The PPPoE client does not support the following:
+ More than ten clients per customer premises equipment (CPE)-> This means a CPE can support up to 10 clients so answer B is correct.

DDR is support in PPPoE since IOS v12.2 -> Answer C is not correct.

We can assign IP addresses via DHCP on the PPPoE interface -> Answer D is not correct.

Prior to Cisco IOS Release 12.4(15)T, one ATM PVC supported one PPPoE client. With the introduction of the Multiple PPPoE Client feature in Cisco IOS Release 12.4(15)T, one ATM PVC supports multiple PPPoE clients, allowing second line connection and redundancy. Multiple PPPoE clients can run concurrently on different PVCs, but each PPPoE client must use a separate dialer interface and a separate dialer pool. Therefore answer E is still correct.