New Questions -2

Question 1

What is the task you must perform when configuring SSH? (Choose two)

A. Configure TACACS+
B. Configure hostname
C. Generate RSA key
D. Disable telnet

Answer: B C

The following are the prerequisites for configuring the switch for secure shell (SSH):
– For SSH to work, the switch needs a Rivest, Shamir, and Adleman (RSA) public/private key pair. This is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport.
– Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
– Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.
– SCP relies on SSH for security.
– SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.
– A user must have appropriate authorization to use SCP.
– A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
– The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.
– Configure a hostname and host domain for your device by using the hostname and “ip domain-name” commands in global configuration mode.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01001.html

Question 2

Which two pieces of information can you determine from the output of the show ntp status command?

A. The NTP version number of the peer
B. The configured NTP servers
C. The IP address of the peer to which the clock is synchronized
D. Where the clock is synchronized

Answer: C D

Below is an example of the “show ntp status” command:

R1#show ntp status
Clock is synchronized, stratum 10, reference is 10.1.2.1 
nominal freq is 250.0000 Hz, actual freq is 249.9987 Hz, precision is 2**18 
reference time is D5E492E9.98ACB4CF (13:00:25.596 CST Wed Sep 18 2013) 
clock offset is 15.4356 msec, root delay is 52.17 msec 
root dispersion is 67.61 msec, peer dispersion is 28.12 msec

First we can see if the local device has been synchronized or not by the line “Clock is synchronized” (or “Clock is unsynchronized”) -> Answer D is correct.

Also in the same line, we see the line “reference is 10.1.2.1” which is the IP address of the peer to which the clock is synchronized. For example in this case R1 has been configured with the command “R1(config)#ntp server 10.1.2.1” -> Answer C is correct.

Question 3

You are implementing WAN access for an enterprise network while running applications that require a fully meshed network, which two design standards are appropriate for such an environment? (Choose two)

A. A centralized DMVPN solution to simplify connectivity for the enterprise
B. A dedicated WAN distribution layer to consolidate connectivity to remote sites
C. A collapsed core and distribution layer to minimize costs
D. Multiple MPLS VPN connections with static routing
E. Multiple MPLS VPN connections with dynamic routing

Answer: A B

With DMVPN phase 2 and 3, spokes can speak with each other directly like they are directly connected in a meshed network. This simplifies the connectivity for the enterprise -> Answer A is correct.

Another way to run applications that require a fully meshed network is through a WAN distribution layer that is connected to all remote sites. Therefore these sites can communicate with each other via this WAN distribution layer.

Question 4

Which task do you need to perform first when you configure IP SLA to troubleshoot a network connectivity issue?

A. Specify the test frequency
B. Enable the ICMP echo operation
C. Schedule the ICMP echo operation
D. Verify the ICMP echo operation

Answer: B

This question is a bit unclear but answer B is still the best choice here. Maybe “Enable the ICMP echo operation” here means “Configure the ICMP echo operation” which requires the following commands:

configure terminal
ip sla operation-number
icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
frequency seconds

Note: The “frequency” is just an optional command. Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_icmp_echo.html

For example:

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#frequency 10

After that we can schedule the above ICMP echo operation with the command (for example):

R1(config)#ip sla schedule 1 life forever start-time now

Then we can verify the ICMP echo operation at the end with the commands “show ip sla group schedule” and “show ip sla configuration”.

Question 5

Which technology can combine multiple physical switches into one logical switch?

A. HSRP
B. VSS
C. VRRP
D. NHRP

Answer: B

Question 6

Which two features are compatible with port security? (Choose two)

A. Voice VLAN
B. SPAN source port
C. DTP

Answer: A B

Table 3 of the following link lists which features are compatible with port security feature: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011111.html

Question 7

Which fallback method can you configure to allow all AAA authorization requests to be granted if the other methods do not respond or return an error?

A. Radius
B. Enable
C. TACACS+
D. NONE

Answer: D

The following example shows how to use a TACACS+ server to authorize the use of network services. If the TACACS+ server is not available or an error occurs during the authorization process, the fallback method (none) is to grant all authorization requests:

aaa authorization network default group tacacs+ none

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-cfg-authorizatn.html

Question 8

By default, what is the maximum number of equal-metric paths BGP uses for load balancing?

A. 1
B. 2
C. 4
D. 6

Answer: A

By default, BGP chooses one best path among the possible equal-cost paths that are learned from one AS. However, you can change the maximum number of parallel equal-cost paths that are allowed. In order to make this change, include the maximum-paths paths command under the BGP configuration. Use a number between 1 and 6 for the paths argument.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html

Question 9

You track objects in IP SLA and want the tracked list to be up only if all tracked objects are up. Which method achieves that goal?

A. AND
B. OR
C. XOR
D. NOT

Answer: A

track track-number list boolean {and | or}

This command configures a tracked list object and enters tracking configuration mode. The track-number can be from 1 to 500.

+ boolean – Specify the state of the tracked list based on a Boolean calculation.
+ and – Specify that the list is up if all objects are up or down if one or more objects are down.
+ or – Specify that the list is up if one object is up or down if all objects are down.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sweot.pdf

Question 10

PCA and PCB have three routers between them, each link with a different MTU value. PCA wants to run an application with PCB and the DF bit is set. Which option must we choose?

A. MSS
B. PMTUD
C. GRE
D. ?

Answer: B

It is important to note that the “don’t fragment” (DF) bit plays a central role in PMTUD because it determines whether or not a packet is allowed to be fragmented.

Packets with this flag are never fragmented, but rather dropped when a router sees that the packet does not fit the outgoing link’s MTU. When dropping the packet, the router should signal back to the sending host with a special ICMP unreachable message, telling that the packet has been dropped due to the large size and suggesting the new MTU value.

Note: The TCP Maximum Segment Size (MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IPv4 datagram. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

Question 11

Drag and Drop

Answer:

TTL – when reaches ‘0’ drops packets
ICMP Redirect – indicate to host that another route is available for a specific destination
ICMP unreachable – when destination is unreachable when IP is unable to give a packet to destination host due to some problem or issue
Proxy ARP – now wants to send traffic to 10.0.1.10 which is in another subnet but the PC believes they are connected to the same network
Fragmentation – … larger packet (maybe “breaks packets into smaller pieces when the packets are larger than the MTU of the link”)

Question 12

How do you implement local authentication using a list for case-insensitive usernames?

A. aaa authentication login default local
B. aaa authentication login default local-case

Answer: A

Use the aaa authentication login command with the local method keyword to specify that the Cisco router or access server will use the local username database for authentication. For example, to specify the local username database as the method of user authentication at login when no other method list has been defined, enter the following command:

aaa authentication login default local

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html

Note: The difference between the last keyword “local” and “local-case” is the first one uses the case-insensitive local username database while the second keyword uses case-sensitive local username for authentication.

Question 13 (incomplete question)

Drag drop about NHRP.

+ ip nhrp shortcut – configured on the spoke which is responsible to rewrite the CEF entry after getting the redirect message from hub
+ ip nhrp network-id – (?)
+ ip nhrp map – (?)
+ ip redirects – are disabled by default on a tunnel interface
+ ip nhrp responder – Specifies which interface the Next Hop Server uses for the NHRP responder IP address
+ ip nhrp nhs – Statically configures a Next Hop Server

Two left choices (at the right-side column) are:
+ Enables NHRP shortcut switching on the interface
+ designates router XXX as the Next-hop server

But they cannot be matched with two rest options on the left.

In fact the “ip nhrp shortcut” should be both “configured on the spoke which is responsible to rewrite the CEF entry after getting the redirect message from hub” and “Enables NHRP shortcut switching on the interface” so maybe there is something missing in this question.

Note: “ip redirects” (not “ip nhrp redirects”) are disabled by default on a tunnel interface

Question 14

Question about the IP SLA deployment cycle. Choose the best IP SLA deployment cycle that reduces deployment (Choose four)

A. baseline (network performance)
B. understand (network performance baseline)
C. Understand Quality results
D. quantify (results)
E. fine tune and optimize
F. Update Understanding

Answer: A B D E

Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017f8c9.html

========================== New Updated Questions (added on 20th-May-2019) ==========================

Question 15

What are two differences between SNMP traps and SNMP informs? (Choose two)

A. Only informs provide a confirmation of receipt
B. Traps are more reliable than informs because they generate PDUs from the network manager
C. Only informs are discarded after delivery
D. Only traps are discarded after delivery
E. Informs are more reliable than traps because they require TCP three-way handshake.

Answer: A D

Traps are messages alerting the SNMP manager to a condition on the network. Informs are traps that include a request for confirmation of receipt from the SNMP manager -> Answer A is correct.

Traps are often preferred even though they are less reliable because informs consume more resources in the router and the network. Unlike a trap, which is discarded as soon as it is sent, an inform must be held in memory until a response is received or the request times out -> Answer D is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/12-4t/snmp-12-4t-book/nm-snmp-cfg-snmp-support.html

Question 16

Which protocol sorts out-of-order packets at the receiving end?

A. UDP
B. TCP
C. IP

Answer: B

Question 17

A router in an EVN environment is choosing a route. Which value is given the highest selection priority?

A. IGP administrative distance of the route.
B. Replication status of the route
C. Vnet tag of the route
D. Default administrative distance of a route
E. Lexical value of the source VRF name

Answer: A

Question 18

Which two effects of symmetric routing are true? (Choose two)

A. unicast flooding
B. uRPF failure
C. errdisabling of ports
D. port security violations
E. excessive STP reconvergence

Answer: A B

The very cause of unicast flooding is that destination MAC address of the packet is not in the L2 forwarding table of the switch. In this case the packet will be flooded out of all forwarding ports in its VLAN (except the port it was received on). Below case studies display most common reasons for destination MAC address not being known to the switch.

Cause 1: Asymmetric Routing (-> Therefore answer “unicast flooding” is correct)

For more information about this and the other cases, please visit: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router’s choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network (-> Therefore answer “uRPF failure” is correct)

Reference: https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

Question 19

Which difference in the packet fragmentation feature between IPv4 and IPv6 devices is true?

A. Unlike IPv4 routers, IPv6 routers cannot fragment packets by default.
B. Only IPv6 packets can be fragmented at the destination.
C. Only IPv4 headers support the more fragments bit.
D. Only IPv6 headers support the DF bit

Answer: A

With IPv4, every router can fragment packets, if needed. If a router cannot forward a packet because the MTU of the next link is smaller than the packet it has to send, the router fragments the packet. It cuts it into slices that fit the smaller MTU and sends it out as a set of fragments. The packet is then reassembled at the final destination. Depending on the network design, an IPv4 packet may be fragmented more than once during its travel through the network.

With IPv6, routers do not fragment packets anymore; the sender takes care of it. Path MTU discovery tries to ensure that a packet is sent using the largest possible size that is supported on a certain route. The Path MTU is the smallest link MTU of all links from a source to a destination.

Reference: https://www.oreilly.com/library/view/ipv6-essentials/0596001258/ch04s08.html
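The forwarding behaviour described in Question 10 (DF set, PMTUD) and Question 19 (IPv4 routers fragment, IPv6 routers do not) as an added example, not code from the original page. The topology PCA - R1 - R2 - R3 - PCB, the link MTUs and the packet sizes are constructed for illustration.

```python
# Added example (not from the original page): model of how a packet crosses
# three routers with different link MTUs in three cases: IPv4 with DF clear
# (routers fragment), IPv4 with DF set (drop + ICMP, sender runs PMTUD), and
# IPv6 (routers never fragment, Packet Too Big goes back to the sender).
from dataclasses import dataclass

IPV4_HEADER = 20  # bytes, no options


@dataclass
class Packet:
    size: int          # total length in bytes, header included
    df: bool = False   # IPv4 "don't fragment" bit
    v6: bool = False   # IPv6: routers never fragment, as if DF were always set


def fragment(size, mtu):
    """IPv4 fragmentation performed by a router when DF is clear: split the
    payload into chunks that fit the link MTU. Every chunk except the last is
    a multiple of 8 bytes, because the fragment offset counts 8-byte units."""
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    if per_fragment <= 0:
        raise ValueError(f"MTU {mtu} too small to carry any IPv4 payload")
    payload = size - IPV4_HEADER
    fragments = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        fragments.append(chunk + IPV4_HEADER)
        payload -= chunk
    return fragments


def forward(packet, link_mtus):
    """Carry the packet over each link in turn.
    Returns ("delivered", [sizes reaching the destination]) or ("icmp", mtu)
    when a router has to drop it: IPv4 with DF set gets an ICMP type 3 code 4
    (fragmentation needed), IPv6 gets an ICMPv6 Packet Too Big; both carry the
    MTU of the link that was too small."""
    sizes = [packet.size]
    for mtu in link_mtus:
        next_sizes = []
        for size in sizes:
            if size <= mtu:
                next_sizes.append(size)
            elif packet.v6 or packet.df:
                return ("icmp", mtu)
            else:
                # DF clear: this router fragments; a later, smaller link may
                # fragment a fragment again. Reassembly happens only at PCB.
                next_sizes.extend(fragment(size, mtu))
        sizes = next_sizes
    return ("delivered", sizes)


def pmtud(packet, link_mtus, max_rounds=10):
    """Sender side of PMTUD: start at the local MTU, shrink to the MTU carried
    in each ICMP message and retry. Returns (path_mtu, attempts_needed)."""
    size = packet.size
    for attempt in range(1, max_rounds + 1):
        status, info = forward(Packet(size, packet.df, packet.v6), link_mtus)
        if status == "delivered":
            return size, attempt
        size = info
    raise RuntimeError("PMTUD did not converge")


# Constructed topology: PCA - R1 - R2 - R3 - PCB, link MTUs in path order.
LINK_MTUS = [1500, 1400, 1300, 1500]

if __name__ == "__main__":
    print("IPv4, DF clear :", forward(Packet(1500), LINK_MTUS))
    print("IPv4, DF set   :", forward(Packet(1500, df=True), LINK_MTUS))
    print("IPv6           :", forward(Packet(1500, v6=True), LINK_MTUS))
    print("PMTUD result   :", pmtud(Packet(1500, df=True), LINK_MTUS))
```

With DF clear the 1500-byte packet arrives as three fragments; with DF set (or IPv6) the sender learns the 1300-byte path MTU after two ICMP messages.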

Question 20

What are limitations of Stateful NAT64? (Choose two)

A. No requirement on the nature of IPv6 address assignment
B. Lacks in end-to-end address transparency
C. Assures end-to-end address transparency and scalability
D. No state or bindings created on the translation

Answer: A B

The two answers here are listed under “differences between Stateless NAT64 and Stateful NAT64” at https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676277.html

Question 21

What happens when a router receives a packet with a TTL of 0?

A. The router attempts to forward the packet along an alternate path in the route table
B. The router sends an ICMP Time Exceeded Message to the host that sent the packet
C. The router sends an ICMP Destination Unreachable Message to the host that sent the packet
D. The router flags the packet and forwards it to the next hop

Answer: B

RFC 791 requires that a router destroy any datagram with a TTL value of zero. Packets that have been dropped due to the expiration of their TTL value are known as TTL expiry packets. When an IP packet is received with a TTL less than or equal to one and is expected to be forwarded by the router, the router is required to drop the packet and reply back to the source with an ICMPv4 Type 11, Code 0 Time Exceeded message. In theory, upon receipt of this message, the originating device should detect an issue—such as a routing problem when sending to that particular destination, or an initial TTL value that is too low—and react to overcome the problem.

Reference: https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html

Question 22

Which purpose of the AAA accounting feature is true when you use TACACS+ authentication?

A. It prompts users to change their passwords when they expire
B. It saves a timestamped record of user activity
C. It controls the activities that the user is permitted to perform
D. It verifies the user identity

Answer: B

========================== New Updated Questions (added on 11th-Jun-2019) ==========================

Question 23

Refer to the exhibit.

Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 10.1.1.1
  It is an area border and autonomous system boundary router
  Redistributing External Routes from,
    bgp 800, includes subnets in redistribution
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    10.1.1.0 0.0.0.255 area 0
 Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 110)

Based on the output from the show ip protocols vrf RED command, what is happening with the routing processes?

A. OSPF 1 is redistributing into BGP 800
B. Static routes are redistributed into OSPF 1
C. BGP 800 is redistributing into OSPF 1
D. Static routes are redistributed into BGP 800

Answer: C

From the output we notice the line “Redistributing External Routes from bgp 800, includes subnets in redistribution” so that means BGP 800 is redistributed into OSPF 1 (with the “redistribute bgp 800 subnets” under “router ospf 1”).

Question 24

Which limitation is introduced when you deploy RIPv2 on a network that uses supernet advertisement?

A. RIPv2 supports only classful supernet networks
B. RIPv2 supports only supernet component networks that use VLSM
C. Supernets are not supported in a RIPv2 environment
D. RIPv2 supports only classless supernet networks

Answer: A

Supernet advertisement (advertising any network prefix less than its classful major network) is not allowed in RIP route summarization. For example, the following supernet summarization is invalid:
Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#ip summary-address rip 10.0.0.0 252.0.0.0
-> We can only summarize to the classful supernet networks.
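A check for the rule above, added here as an example (not code from the original page): it works out the classful major network of the summary address from its first octet and flags any "ip summary-address rip" line whose mask is shorter than the classful mask. The config lines are constructed for illustration.

```python
# Added example (not from the original page): flag RIP summary-address lines
# that would be supernets of the classful major network.
import ipaddress


def classful_prefix_length(addr):
    """Classful prefix length (8, 16 or 24) for an IPv4 address, decided by
    its first octet: class A < 128, class B < 192, class C < 224."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{addr} is not a class A, B or C address")


def rip_summary_is_valid(addr, mask):
    """True when the summary is the classful network or a subnet of it,
    False when the mask is shorter than the classful mask (a supernet)."""
    summary = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return summary.prefixlen >= classful_prefix_length(addr)


def check_summary_lines(config_lines):
    """Return (addr, mask, valid) for each 'ip summary-address rip A M' line."""
    results = []
    for line in config_lines:
        parts = line.split()
        if parts[:3] == ["ip", "summary-address", "rip"] and len(parts) == 5:
            addr, mask = parts[3], parts[4]
            results.append((addr, mask, rip_summary_is_valid(addr, mask)))
    return results


# Constructed interface configuration: the first line is the invalid example
# from the text, the second is a legal subnet summary, the third is another
# supernet (172.16.0.0/12 is shorter than the class B /16).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip summary-address rip 10.0.0.0 252.0.0.0
 ip summary-address rip 10.1.0.0 255.255.0.0
 ip summary-address rip 172.16.0.0 255.240.0.0
""".splitlines()

if __name__ == "__main__":
    for addr, mask, ok in check_summary_lines(SAMPLE_CONFIG):
        print(f"{addr} {mask}: {'ok' if ok else 'SUPERNET, rejected by RIP'}")
```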

Question 25

When configuring DHCP on a Cisco router what is the function of DHCP Option 82?

A. wireless access point registration to the DHCP server
B. to be an IP DHCP relay agent
C. dynamic DHCP ARP inspection
D. IP DHCP snooping
E. Cisco phone registration to the DHCP server

Answer: B

DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.

Question 26

Which feature is not supported when fast-switched PBR is in use?

A. the set ip next-hop interface command
B. matching IP addresses to a named ACL
C. matching IP addresses to a prefix list
D. the set ip default next-hop command

Answer: D

IP PBR can now be fast-switched. Prior to Cisco IOS Release 12.0, PBR could only be process-switched, which meant that on most platforms the switching rate was approximately 1000 to 10,000 packets per second. This speed was not fast enough for many applications. Users that need PBR to occur at faster speeds can now implement PBR without slowing down the router. Fast-switched PBR supports all of the match commands and most of the set commands, with the following restrictions:
+ The set ip default next-hop and set default interface commands are not supported.
+ The set interface command is supported only over point-to-point links, unless a route cache entry exists using the same interface specified in the set interface command in the route map.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.pdf

Question 27

Which type of Cisco Express Forwarding adjacency is created when the next hop is directly connected, but its MAC header rewrite information is missing?

A. punt
B. discard
C. null
D. glean

Answer: D

Glean adjacency – in short when the router is directly connected to hosts the FIB table on the router will maintain a prefix for the subnet rather than for the individual host prefix. This subnet prefix points to a GLEAN adjacency. A glean adjacency entry indicates that a particular next hop should be directly connected, but there is no MAC header rewrite information available. When the device needs to forward packets to a specific host on a subnet, Cisco Express Forwarding requests an ARP entry for the specific prefix, ARP sends the MAC address, and the adjacency entry for the host is built. 
Punt adjacency – When packets to a destination prefix can’t be CEF Switched, or the feature is not supported in the CEF Switching path, the router will then use the next slower switching mechanism configured on the router.

========================== New Updated Questions (added on 14th-Jun-2019) ==========================

Question 28

Which protocols stop listening for and advertising updates when the passive-interface command is used? (Choose two)

A. OSPF
B. EIGRP
C. BGP
D. RIP
E. IS-IS

Answer: A B

The “passive-interface…” command in EIGRP or OSPF will shut down the neighbor relationship of these two routers (no hello packets are exchanged).

In RIP, this command will not allow sending multicast updates via a specific interface but will allow listening to incoming updates from other RIP speaking neighbors. This means that the router will still be able to receive updates on that passive interface and use them in its routing table.

There is no “passive-interface” command in BGP and IS-IS.

Question 29

Place the BGP commands to the proper locations

Answer:

+ show ip bgp: path selection values
+ show ip bgp summary: Memory usage
+ show ip route bgp: AD of BGP
+ show ip bgp neighbor: Notification, update…

Question 30

Which two statements about configuring OSPFv3 are true? (Choose two)

A. The OSPFv3 routing process must be explicitly configured and enabled
B. You can configure only one OSPFv3 instance per link
C. OSPFv3 requires network statements for IPv6 prefixes
D. OSPFv3 neighbors must be explicitly identified on NBMA interfaces
E. OSPFv3 interfaces must be explicitly configured and enabled

Answer: A D

When using NBMA in OSPFv3, you cannot automatically detect neighbors. On an NBMA interface, you must configure your neighbors manually using interface configuration mode.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-1sg/ip6-route-ospfv3.html

Cisco IOS routers offer two OSPF configuration methods for IPv6:

+ Using the traditional “ipv6 router ospf” global configuration command. For example:

R1(config)# ipv6 router ospf 1
R1(config-rtr)# router-id 1.1.1.1
R1(config)# interface Ethernet0/0
R1(config-if)# ipv6 ospf 1 area 0

+ Using the new-style “router ospfv3” global configuration command. For example:

R1(config)# router ospfv3 1
R1(config-router)# router-id 1.1.1.1
R1(config)# interface Ethernet0/0
R1(config-if)# ospfv3 1 ipv4 area 0

Answer C is not correct as OSPFv3 does not require “network” statements like OSPFv2 does.

Answer E seems to be correct too.

Question 31

Refer to the exhibit.

access-list 1 permit 1.0.0.0 0.255.255.255
router rip
 default-metric 1
 redistribute eigrp 20
 distribute-list 1 out eigrp 20

Which routes will be injected into the routing protocol?

A. the EIGRP 20 routes into RIP that match access-list 1
B. any routing update with a metric of 1
C. all RIP routes into EIGRP 20
D. the RIP routes into EIGRP 20 that match access-list 1

Answer: A

The command “distribute-list 1 out eigrp 20” creates an outbound distribute-list to filter routes being redistributed from EIGRP AS 20 into RIP according to ACL 1.
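The filtering described above as an added example (not code from the original page): it applies the exhibit's standard ACL, with IOS wildcard-mask semantics and the implicit deny at the end, to a constructed list of EIGRP 20 routes and returns the ones RIP would inject with the default metric of 1.

```python
# Added example (not from the original page): the effect of
# "distribute-list 1 out eigrp 20" under "router rip" with access-list 1.
import ipaddress


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(prefix, acl_addr, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard is "don't care",
    a 0 bit must match the ACL address."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(prefix) & care) == (ip_to_int(acl_addr) & care)


def parse_standard_acl(lines, number):
    """Collect (action, address, wildcard) entries of one numbered standard
    ACL; handles the 'any' and 'host' shorthands and a missing wildcard."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action, addr = parts[2], parts[3]
        if addr == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wildcard = parts[4], "0.0.0.0"
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, addr, wildcard))
    return entries


def apply_acl(entries, prefix):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, addr, wildcard in entries:
        if wildcard_match(prefix, addr, wildcard):
            return action == "permit"
    return False


def redistribute_with_distribute_list(eigrp_routes, acl_entries, metric=1):
    """Split the EIGRP routes into those RIP will advertise (tagged with the
    default-metric) and those the outbound distribute-list drops."""
    injected, filtered = [], []
    for network, length in eigrp_routes:
        if apply_acl(acl_entries, network):
            injected.append((network, length, metric))
        else:
            filtered.append((network, length))
    return injected, filtered


# The exhibit's ACL and a constructed EIGRP 20 topology table.
EXHIBIT_ACL = ["access-list 1 permit 1.0.0.0 0.255.255.255"]
EIGRP20_ROUTES = [("1.1.1.0", 24), ("1.200.0.0", 16), ("2.0.0.0", 8), ("10.1.1.0", 24)]

if __name__ == "__main__":
    entries = parse_standard_acl(EXHIBIT_ACL, 1)
    injected, filtered = redistribute_with_distribute_list(EIGRP20_ROUTES, entries)
    print("into RIP:", injected)
    print("dropped :", filtered)
```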

Question 32

What is the range for private AS numbers?

A. 64512 to 65535
B. 1 to 64511
C. 1024 to 65535
D. 1 to 1024

Answer: A

BGP AS number range: Private AS range: 64512 – 65535, Globally unique AS: 1 – 64511