New Questions -3

Question 33

Which routing protocol searches for a better route through other autonomous systems to achieve convergence?

A. Link-state
B. Hybrid
C. Path vector
D. Distance vector

Answer: C

Explanation

A path vector routing protocol (such as BGP) can obtain information from other autonomous systems to find the best route.

[Image: AS_Path_Selection.jpg]

============================= Router Questions =============================

Question 192

Which is the minimum privilege level that allows a user to execute all user-level commands but prohibits enable-level commands by default?

A. level 1
B. level 0
C. level 16
D. level 15
E. level 14

Answer: A

Question 76

What command can you enter to configure an enable password that uses an encrypted password from another configuration?

A. enable secret $abc%!e.Cd34$!ao0
B. enable secret 7 Sabc%!e.Cd34$!ao0
C. enable secret 0 Sabc%U*.Cd34$!ao0
D. enable secret 5 $abc%!e.Cd34$!ao0
E. enable secret 15 $abc%ie.Cd34$!ao0
F. enable secret 6 $abc%!e.Cd34$!ao0

Answer: D

Explanation

To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using the stronger MD5 algorithm.

For example, in the configuration command:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

The enable secret has been hashed with MD5, whereas in the command:

username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

The password has been encrypted using the weak reversible algorithm.

When we enter the “enable secret” command with a number after it, IOS treats the string that follows as already encrypted, so it does not encrypt it again and accepts that password as is.

In newer Cisco IOS (v15+), it seems the device does not recognize the “enable secret 7” command as an encrypted password. We tried it on Cisco IOS v15.4 and saw this:

[Image: enable_secret.jpg]

When we tried to enter the command “enable secret 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D”, the Cisco IOS automatically changed the command to “enable secret 5 $1$dLq2$qgzb4bgdsasX8dx1oHOkD.” (in the running-config file). So if you paste an “enable secret 7 …” command from an old Cisco IOS version, you can no longer log in with your password.

Note: In fact, there is an error in answer D. When we entered the command in answer D, the router rejected the encrypted password because it was not a valid encrypted secret. That means the router also checks whether the password was hashed correctly. But it is still the best answer to this question.

[Image: enable_secret_error.jpg]
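The type-digit check described above can be automated for a configuration audit. The following Python script is an added example, not Cisco code or anything from this page: it classifies each enable secret/password and username line by its type digit, flags type 0 and type 7 as weak, and validates that a type 5 string is a well-formed MD5-crypt hash (the same kind of check that made the router reject answer D). The sample configuration is constructed from the strings quoted in this question.

```python
import re
from typing import Dict, List, Optional

# Matches "enable secret|password [type] <string>" and "username <name> password|secret
# [type] <string>". The type digit is optional: without one, IOS treats the string as cleartext.
_LINE = re.compile(
    r"^\s*(?P<cmd>enable (?:secret|password)|username \S+ (?:password|secret))"
    r"\s+(?:(?P<type>\d{1,2})\s+)?(?P<value>\S+)\s*$")
# Type 5 is MD5-crypt: "$1$", a salt of up to 8 characters, "$", then a 22-character hash.
_TYPE5 = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# Type 7 is an even-length uppercase hex string whose first two digits (00-15) are the salt offset.
_TYPE7 = re.compile(r"^(?:0\d|1[0-5])(?:[0-9A-F]{2})+$")


def classify(type_digit: Optional[str], value: str) -> Dict[str, str]:
    """Return type, severity and a note for one credential string, based on its type digit."""
    if type_digit in (None, "0"):
        return {"type": "0", "severity": "high",
                "note": "stored in cleartext (no type digit or type 0)"}
    if type_digit == "7":
        note = "weak reversible encryption; rotate and re-enter as a secret"
        if not _TYPE7.match(value):
            note += " (string is also malformed for type 7)"
        return {"type": "7", "severity": "high", "note": note}
    if type_digit == "5":
        if _TYPE5.match(value):
            return {"type": "5", "severity": "info", "note": "MD5 hash, well-formed"}
        # Mirrors the router behaviour noted above: a type 5 string that is not a valid
        # MD5-crypt hash is rejected rather than accepted as an opaque secret.
        return {"type": "5", "severity": "error",
                "note": "not a valid type 5 hash; IOS would reject this secret"}
    return {"type": type_digit, "severity": "review", "note": "type digit not handled here"}


def audit_config(config: str) -> List[Dict[str, str]]:
    """Scan a running-config and return one finding per password/secret line."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = _LINE.match(line)
        if m:
            finding = {"line": str(lineno), "command": m.group("cmd")}
            finding.update(classify(m.group("type"), m.group("value")))
            findings.append(finding)
    return findings


# Constructed sample config built from the strings quoted in this question: a valid type 5
# secret, a type 7 user password, a cleartext password and the invalid type 5 string of answer D.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username ops password 0 NotSoSecret1
enable secret 5 $abc%!e.Cd34$!ao0
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['command']}: type {f['type']} [{f['severity']}] {f['note']}")
```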

Question 108

Which is the minimum privilege level at which a user can see the full set of commands but cannot change anything?

A. 0
B. 1
C. 14
D. 15
E. 16

Answer: B

Question 183

Which password takes precedence if you configure multiple passwords for Telnet connections to a Cisco IOS device?

A. console line password
B. enable secret password
C. enable password
D. aux line password

Answer: B

Question 190

Which condition must be met before you can configure SSH on a device running Cisco IOS?

A. The device must have an auxiliary port
B. The device must have a modem connection
C. The IOS must be a crypto in
D. Telnet must be disabled on the device

Answer: C

Explanation

To enable SSH on Cisco IOS, the IOS image must include the crypto feature set.

Question 212

Which two statements about the enable secret and enable password commands are true? (Choose two)

A. If both commands are missing from the global configuration, vty lines use the console password
B. The enable secret command overrides enable password
C. The enable password command has a stronger encryption algorithm than enable secret
D. The enable secret command is backwards-compatible with more versions of IOS
E. The enable secret and enable password commands must be used together

Answer: A B

============================= Access-list Questions =============================

Question 1

What does the following access list, which is applied on the external interface FastEthernet 1/0 of the perimeter router, accomplish?

router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router(config)#access-list 101 permit ip any any
router(config)#interface FastEthernet 1/0
router(config-if)#ip access-group 101 in

A. It prevents incoming traffic from IP address ranges 10.0.0.0 – 10.0.0.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any intrusion attempts.
D. It prevents private internal addresses to be accessed directly from outside.

Answer: C

Explanation

Answer A is not correct because it gives the wrong range for the 10.0.0.0 network: with wildcard mask 0.255.255.255 the range is 10.0.0.0 to 10.255.255.255, not 10.0.0.0 to 10.0.0.255.

Question 9

Which two statements about IP access-lists are true? (Choose two)

A. IP access-lists without at least one deny statement permit all traffic by default.
B. Extended access-lists must include port numbers.
C. They support wildcard masks to limit the address bits to which entries are applied.
D. Entries are applied to traffic in the order in which they appear.
E. They end with an implicit permit.

Answer: C D

Question 69

Which two different configurations can you apply to a device to block incoming SSH access? (Choose two)

A. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
  ipv6 access-list VTY-ACCESS-IN out

B. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
  ipv6 access-class VTY-ACCESS-IN out

C. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
  ipv6 access-class VTY-ACCESS-IN in

D. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
interface Ethernet0/0
  ipv6 traffic-filter VTY-ACCESS-IN in

E. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
interface Ethernet0/0
  ipv6 traffic-filter VTY-ACCESS-IN out

Answer: C D

Explanation

The “ipv6 traffic-filter” command filters IPv6 traffic flowing through an interface, while the “ipv6 access-class” command filters IPv6 traffic destined to the router itself (i.e., to its vty lines).

Question 213

Which access list entry checks for an ACK within a packet's TCP header?

A. access-list 49 permit ip any any eq 21 tcp-ack
B. access-list 49 permit tcp any any eq 21 tcp-ack
C. access-list 149 permit tcp any any eq 21 established
D. access-list 49 permit tcp any any eq 21 established

Answer: C

Explanation

The established keyword applies only to TCP access-list entries. It matches TCP segments that have the ACK and/or RST control bit set (regardless of source and destination ports), which indicates that a TCP connection has already been established from the other direction. Let’s see an example below:

[Image: access-list_established.jpg]

If you want to allow hosts inside your company to telnet to an outside server but not vice versa, you can use an “established” access list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note:

Suppose host A wants to start communicating with host B using TCP. Before they can send real data, a three-way handshake must be established first. Let’s see how this process takes place:

[Image: TCP_Three_way_handshake.jpg]

1. First, host A sends a SYN message (a TCP segment with the SYN flag set to 1; SYN is short for SYNchronize) to indicate that it wants to set up a connection with host B. This message includes a sequence (SEQ) number for tracking purposes. This sequence number can be any 32-bit number (range from 0 to 2^32) so we use “x” to represent it.

2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some books call it a “SYN/ACK” or “SYN, ACK” message; ACK is short for ACKnowledge). This message includes a SYN sequence number and an ACK number:
+ The SYN sequence number (let’s call it “y”) is a random number and has no relationship with host A’s SYN SEQ number.
+ The ACK number is host A’s SYN sequence number plus one, so we represent it as “x+1”. It means “I received your part. Now send me the next part (x + 1)”.

The SYN-ACK message indicates that host B agrees to talk to host A (the ACK part) and asks whether host A still wants to talk to it as well (the SYN part).

3. After host A receives the SYN-ACK message from host B, it sends an ACK message with ACK number “y+1” to host B. This confirms that host A still wants to talk to host B.
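To make the ACL rules from Questions 1, 9 and 213 concrete (wildcard masks, first-match ordering, the implicit deny, and the “established” check on the ACK/RST bits), the following Python evaluator is an added example, not Cisco code or anything from this page. It parses the IOS access-list lines quoted above into entries and evaluates constructed packets against them; the outbound telnet list is renumbered to 102 because 101 is already used by Question 1's list, and the sample addresses (203.0.113.5, 198.51.100.10) are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP control bits
PORT_NAMES = {"telnet": 23, "ftp": 21, "ssh": 22, "www": 80}

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    flags: int = 0             # TCP control bits; 0 for non-TCP

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: int                   # network address as an integer
    src_wild: int              # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]
    established: bool
    log: bool

def _addr(tokens, i):
    """Parse 'any' or 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return net, wild, i + 2

def parse_acls(config):
    """Build numbered ACLs from 'access-list N ...' lines; a 'router(config)#' prompt is ignored."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split("#", 1)[-1].split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, src_wild, i = _addr(tokens, 4)
        dst, dst_wild, i = _addr(tokens, i)
        dport, established, log = None, False, False
        while i < len(tokens):             # trailing options: eq <port>, established, log
            if tokens[i] == "eq":          # only a destination port is modelled here
                name = tokens[i + 1]
                dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
                i += 2
            else:
                established |= tokens[i] == "established"
                log |= tokens[i] == "log"
                i += 1
        acls.setdefault(number, []).append(
            Entry(action, proto, src, src_wild, dst, dst_wild, dport, established, log))
    return acls

def _in_range(addr, net, wild):
    # Bits set in the wildcard are ignored; every other bit must equal the entry's address.
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0

def matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _in_range(p.src, e.src, e.src_wild) or not _in_range(p.dst, e.dst, e.dst_wild):
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    # "established": only TCP segments with ACK or RST set, i.e. replies to a session opened
    # from the other side; a bare SYN (first step of the three-way handshake) never matches.
    if e.established and not (p.proto == "tcp" and p.flags & (ACK | RST)):
        return False
    return True

def evaluate(acl, p):
    """Entries are tested in configured order, first match wins, implicit deny at the end."""
    for e in acl:
        if matches(e, p):
            return e.action, e.log
    return "deny", False

# Constructed configuration: the anti-spoofing list 101 from Question 1, the inbound
# "established" list 100 from Question 213, and its outbound telnet list renumbered to 102.
CONFIG = """
router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router(config)#access-list 101 permit ip any any
router(config)#access-list 100 permit tcp any any established
router(config)#access-list 102 permit tcp any any eq telnet
"""
ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    # Constructed packets: a spoofed private source on list 101, a bare inbound SYN on list 100.
    print(evaluate(ACLS["101"], Packet("tcp", "10.1.2.3", "198.51.100.10", 80, SYN)))
    print(evaluate(ACLS["100"], Packet("tcp", "203.0.113.5", "198.51.100.10", 23, SYN)))
```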

============================= PPP Questions =============================

Question 84

Which PPP authentication method sends authentication information in cleartext?

A. MS CHAP
B. CDPCP
C. CHAP
D. PAP

Answer: D

Explanation

Password Authentication Protocol (PAP) is a very basic two-way process. The username and password are sent in plain text; there is no encryption or protection. If they are accepted, the connection is allowed. The configuration below shows how to configure PAP on two routers:

R1(config)#username R2 password digitaltut1
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication PAP
R1(config-if)#ppp pap sent-username R1 password digitaltut2

R2(config)#username R1 password digitaltut2
R2(config)#interface s0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication PAP
R2(config-if)#ppp pap sent-username R2 password digitaltut1

Note: The PAP “sent-username” and password that each router sends must match those specified with the “username … password …” command on the other router.

Question 107

Which two features were added in MSCHAP Version 2? (Choose two)

A. Backwards-compatibility with MSCHAP version 1
B. Using the MD5 hash for stronger security
C. Ability to change an expired password
D. Using three-way handshakes for authentication
E. Mutual authentication between peers

Answer: C E

Question 240

Which value does a Cisco router use as its default username for CHAP authentication?

A. Its own hostname
B. chap
C. Cisco
D. ppp

Answer: A

============================= PPPoE Questions =============================

Question 3

Which command instructs a PPPoE client to obtain its IP address from the PPPoE server? (Or: What command is needed to get the IP address assigned from the PPPoE server?)

A. interface dialer
B. ip address negotiated
C. pppoe enable
D. ip address dhcp
E. ip address dynamic

Answer: B

Explanation

The picture below shows all configuration needed for PPPoE:

[Image: PPPoE_Topology_with_config.jpg]

As we can see from the PPPoE Client configuration, to get the IP address assigned from the PPPoE server the command “ip address negotiated” should be used. For more information about PPPoE configuration please read our PPPoE tutorial.

Question 13

What configurations does PPPoE allow? (Choose two)

A. Client can be installed on the same network devices as server
B. 8 clients can be configured on 1 CPE
C. Clients can connect to multiple hosts over DMVPN
D. Client connecting over ATM PVC
E. Client installed on native IPv6 network

Answer: B C

Explanation

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html

The PPPoE client does not support the following:
+ More than ten clients per customer premises equipment (CPE)-> This means a CPE can support up to 10 clients so answer B is correct.
+ Coexistence of the PPPoE client and server on the same device -> answer A is not correct

In the above link there is a topology that shows “DMVPN Access to Multiple Hosts from the Same PPPoE Client” -> Answer C is correct.

Question 141

Which feature can automatically assign IP addresses in a PPPoE environment?

A. DHCP
B. BOOTP
C. PPP
D. APPA

Answer: C

Explanation

The PPP negotiation includes the process of IP address assignment. An example of configuring automatic IP address assignment in PPPoE environment is shown below:

Router:
interface Serial1/2
 ip address negotiated
 encapsulation ppp

Question 222

Which two commands must you configure in the calling router to support the PPPoE client? (Choose two)

A. peer default ip address pool
B. mtu
C. bba-group pppoe
D. pppoe enable group
E. pppoe-client dial-pool-number

Answer: B E

Question 51

Which two facts must you take into account when you deploy PPPoE? (Choose two)

A. DDR idle timers must be configured to support VPDN login.
B. PPPoE supports a maximum of 10 clients per customer premises equipment
C. DDR is not supported
D. You must manually configure IP addresses on the PPPoE interface
E. An individual PVC can support one PPPoE client

Answer: B E

Explanation

The PPPoE Client DDR Idle Timer feature supports the dial-on-demand routing (DDR) interesting traffic control list functionality of the dialer interface with a PPP over Ethernet (PPPoE) client, but also keeps original functionality (PPPoE connection up and always on after configuration) for those PPPoE clients that require it.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbpecls.html

But it is just an optional feature and we don’t need DDR idle timers to be configured to support VPDN login -> Answer A is not correct.

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html

The PPPoE client does not support the following:
+ More than ten clients per customer premises equipment (CPE)-> This means a CPE can support up to 10 clients so answer B is correct.

DDR has been supported in PPPoE since IOS v12.2 -> Answer C is not correct.

We can assign IP addresses via DHCP on the PPPoE interface -> Answer D is not correct.

Prior to Cisco IOS Release 12.4(15)T, one ATM PVC supported one PPPoE client. With the introduction of the Multiple PPPoE Client feature in Cisco IOS Release 12.4(15)T, one ATM PVC supports multiple PPPoE clients, allowing second line connection and redundancy. Multiple PPPoE clients can run concurrently on different PVCs, but each PPPoE client must use a separate dialer interface and a separate dialer pool. Therefore answer E is still correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/15-mt/bba-15-mt-book/bba-ppoe-client.pdf

============================= CEF Questions =============================

Question 29

Which Cisco Express Forwarding table or tables hold forwarding information?

A. FIB table only
B. adjacency tables only
C. FIB and adjacency tables only
D. FIB, RIB, and adjacency tables

Answer: C

Question 104

Which feature eliminates the need for Cisco Express Forwarding to maintain a route cache?

A. Adjacency table
B. RIB
C. FIB
D. MAC address table

Answer: C

Explanation

The two main components of Cisco Express Forwarding operation are the forwarding information base (FIB) and the adjacency tables.

The forwarding information base (FIB) lookup table contains all known routes that exist in the routing table; it eliminates the need for route cache maintenance.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/xe-3se/5700/isw-cef-xe-3se-5700-book/ipswitch_cisco_express_forwarding.pdf

Question 125

Which Cisco Express Forwarding component maintains Layer 2 next-hop addresses that are used for hardware switching?

A. adjacency table
B. RIB
C. ARP table
D. FIB

Answer: A

Explanation

Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html

Question 163

Refer to the exhibit. What is indicated by the show ip cef command for an address?

[Image: show_ip_cef.jpg]

A. CEF is unable to get routing information for this route.
B. CEF cannot switch packets for this route and passes them to the next best switching method.
C. A valid entry and is pointed to hardware based forwarding.
D. CEF cannot switch packets for this route and drops them.

Answer: B

Explanation

Glean adjacency – in short when the router is directly connected to hosts the FIB table on the router will maintain a prefix for the subnet rather than for the individual host prefix. This subnet prefix points to a GLEAN adjacency.
Punt adjacency – When packets to a destination prefix can’t be CEF Switched, or the feature is not supported in the CEF Switching path, the router will then use the next slower switching mechanism configured on the router.

Question 177

Which three algorithms can you configure with the ip cef load-sharing algorithm command? (Choose three)

A. per-packet
B. Tunnel
C. per-destination
D. Universal
E. Per-source
F. Include-ports

Answer: B D F

Explanation

The following load-balancing algorithms are provided for use with Cisco Express Forwarding traffic. You select a load-balancing algorithm with the ip cef load-sharing algorithm command.
+ Original algorithm – The original Cisco Express Forwarding load-balancing algorithm produces distortions in load sharing across multiple routers because the same algorithm was used on every router. Depending on your network environment, you should select either the universal algorithm (default) or the tunnel algorithm instead.
+ Universal algorithm – The universal load-balancing algorithm allows each router on the network to make a different load sharing decision for each source-destination address pair, which resolves load-sharing imbalances. The router is set to perform universal load sharing by default.
+ Tunnel algorithm – The tunnel algorithm is designed to balance the per-packet load when only a few source and destination pairs are involved.
+ Include-ports algorithm – The include-ports algorithm allows you to use the Layer 4 source and destination ports as part of the load-balancing decision. This method benefits traffic streams running over equal cost paths that are not load shared because the majority of the traffic is between peer addresses that use different port numbers, such as Real-Time Protocol (RTP) streams. The include-ports algorithm is available in Cisco IOS Release 12.4(11)T and later releases.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-mt/isw-cef-15-mt-book/isw-cef-load-balancing.html#GUID-D545ACC1-258F-4073-BC8E-94EC30AAE924

============================= Frame Relay Questions =============================

Question 18

Refer to the exhibit.

[Image: Frame_Relay_no_ip_split-horizon.jpg]

A network engineer is working on the network topology and executes the command no ip split horizon on interface S0/0 of the Hub router. What is the result of this command?

A. A routing loop is created.
B. Each of the spoke routers can see the routes that are advertised from the other spoke routers.
C. The Spoke routers can see the routes that are advertised by the hub router.
D. The hub router can see the routes that are advertised by the spoke routers.

Answer: B

Question 21

If you convert a WAN connection with OSPF from T1 to a Frame Relay circuit, which two actions must you take to enable the connection? (Choose two)

A. Change the OSPF network type to nonbroadcast.
B. Manually configure neighbors in the OSPF process.
C. Manually configure the hello and dead timers.
D. Change the OSPF network type to broadcast.
E. Change the OSPF network type to multipoint nonbroadcast.

Answer: A B

Explanation

Frame Relay is a non-broadcast multi-access (NBMA) environment, so when migrating to a Frame Relay circuit we must change the OSPF network type to non-broadcast. This type of network does not accept broadcast and multicast packets, so we must manually configure neighbors for OSPF.

Question 46

Which two statements about Frame Relay LMI autosense are true on a router? (Choose two)

A. It requires the LMI type to be explicitly configured
B. It operates on Frame Relay DTE interfaces
C. It operates on Frame Relay DCE interfaces
D. It operates when the line is up but the line protocol is down
E. It requires the line protocol to be up

Answer: B D

Explanation

LMI autosense is automatically enabled in the following situations:
+ The router is powered up or the interface changes state to up
+ The line protocol is down but the line is up
+ The interface is a Frame Relay DTE
+ The LMI type is not explicitly configured on the interface

Reference: CCIE Practical Studies: Security

Question 72

In a point-to-multipoint Frame Relay topology, which two methods ensure that all routing updates are received by all EIGRP routers within the Frame Relay network? (Choose two)

A. Disable split horizon
B. Create separate address ranges
C. Use subinterface
D. Use statically defined EIGRP neighbor on the site
E. Disable EIGRP out summary

Answer: A C

Explanation

Although we can use the “neighbor” command to set up EIGRP neighbor relationships, the routes still cannot be advertised from the hub to the spokes because of the split horizon rule -> Answer D is not correct.

To overcome the split horizon rule we can use subinterfaces, as each subinterface is treated like a separate physical interface, so routing updates can be advertised back from the hub to the spokes. -> Answer C is correct.

Note: The split horizon rule states that routes will not be advertised back out the interface on which they were received.

Question 77

In which two ways can split horizon issues be overcome in a Frame Relay network environment? (Choose two)

A. Configuring one physical serial interface with Frame Relay to various remote sites.
B. Configure a loopback interface with Frame Relay to various remote sites.
C. Configuring multiple subinterfaces on a single physical interface to various remote sites.
D. Enabling split horizon.
E. Disabling split horizon.

Answer: C E

Question 80

On which two types of interface is Frame Relay switching supported? (Choose two)

A. serial interfaces
B. Ethernet interfaces
C. fiber interfaces
D. ISDN interfaces
E. auxiliary interfaces

Answer: A D

Question 123

Which task must you perform to enable a point-to-point Frame Relay connection?

A. Enable inverse ARP.
B. Configure the encapsulation type.
C. Configure static address mapping.
D. Disable inverse ARP.

Answer: C

Explanation

In a point-to-point Frame Relay connection (using subinterfaces), we don’t need to configure the encapsulation type on the subinterface; we only have to configure the encapsulation type on the main interface. For example:

Hub(config)#interface serial 0/0
Hub(config-if)#encapsulation frame-relay
Hub(config)#interface serial 0/0.1 point-to-point
Hub(config-subif)#ip address 192.168.12.1 255.255.255.0
Hub(config-subif)#frame-relay interface-dlci 102

Spoke1(config)#interface s0/0
Spoke1(config-if)#encapsulation frame-relay
Spoke1(config-if)#exit
Spoke1(config)#interface serial 0/0.1 point-to-point
Spoke1(config-subif)#ip address 192.168.12.2 255.255.255.0
Spoke1(config-subif)#frame-relay interface-dlci 201

Question 201

Which two statements about Frame Relay Point-to-Point connections are true? (Choose two)

A. Changing a point-to-point sub interface to a different type requires the device to be reloaded.
B. They use two DLCIs to communicate with multiple endpoints over the Frame Relay cloud.
C. The device can establish a point-to-point connection to the cloud without a DLCI.
D. They can operate normally without a DLCI map.
E. Each physical interface that extends to the Frame Relay cloud can support a single SVC.

Answer: A B

============================= GRE Questions =============================

Question 53

Which value does a point-to-point GRE tunnel use to identify a peer?

A. MAC address
B. configured multicast address
C. DLCI
D. IP address
E. VC ID

Answer: D

Question 60

Which two statements about GRE tunnel interfaces are true? (Choose two)

A. A tunnel can be established when the source interface is in the up/down state
B. A tunnel destination must be routable, but it can be unreachable
C. To establish a tunnel the source interface must be a loopback
D. To establish a tunnel the source interface must be up/up state
E. A tunnel destination must be a physical interface that is on up/up state

Answer: B D

Explanation

A valid tunnel destination is one which is routable (which means the destination is present or there is a default route in the routing table). However, it does not have to be reachable -> Answer B is correct.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and the destination must be reachable according to your own routing table.

Question 78

A network engineer has configured GRE between two IOS routers. The state of the tunnel interface is continuously oscillating between up and down. What is the solution to this problem?

A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable

Answer: A

Explanation

In this question only answer A is a reasonable answer. When the state of the tunnel interface is continuously moving between up and down we must make sure the route towards the tunnel destination address is good. If it is not good then that route may be removed from the routing table -> the tunnel interface comes down.

Question 79

When the tunnel interface is configured in default mode, which statement about routers and the tunnel destination address is true?

A. The router must have a route installed towards the tunnel destination
B. The router must have wccp redirects enabled inbound from the tunnel destination
C. The router must have cisco discovery protocol enabled on the tunnel to form a CDP neighborship with the tunnel destination
D. The router must have redirects enabled outbound towards the tunnel destination

Answer: A

Explanation

A tunnel interface configured in default mode means the tunnel has been configured as a point-to-point (P2P) GRE tunnel. Normally, a P2P GRE tunnel interface comes up (up/up state) as soon as it is configured with a valid tunnel source address or interface that is up and a tunnel destination IP address that is routable.

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in recursion.

Therefore if a route towards the tunnel destination has not been configured then the tunnel is stuck in up/down state.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

Question 184

Which two statements about GRE tunnel keys are true? (Choose two)

A. The key ID must be the same on each device.
B. They prevent the injection of unwanted frames.
C. They prevent the injection of unwanted packets.
D. They must be stored to a keychain.
E. They provide the highest level of security that is available.

Answer: A C

Explanation

An example of using the tunnel keys is shown below:

Router(config)# interface tunnel 0
Router(config-if)# tunnel source GigabitEthernet 0/0/0
Router(config-if)# tunnel destination 10.0.2.1
Router(config-if)# tunnel key 1000

The command “tunnel key <key-number>” uses the key-number argument to identify a tunnel key that is carried in each packet. Tunnel ID keys can be used as a form of weak security to prevent improper configuration or injection of packets from a foreign source (so E is not correct).

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-3s/ir-xe-3s-book/ir-impl-tun-xe.html

The GRE Tunnel Key feature enables the encapsulation router to add a four-byte key, as part of the GRE header, during encapsulation. In the decapsulation router, the GRE key of an incoming packet should match the key value configured under the GRE tunnel. During decapsulation, if a mismatch between the key value of the incoming GRE packet and the key value configured under the GRE tunnel is identified, the incoming packet is dropped.
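To show what the decapsulating router is checking, the following Python code is an added example (not Cisco's implementation): it builds a GRE header with the K bit and 4-byte key field from RFC 2890, then parses it and drops any packet whose key does not match the tunnel's configured key, including a keyless packet arriving on a keyed tunnel. The inner payload and the key value 1000 (from the configuration above) are constructed sample data.

```python
import struct
from typing import Optional, Tuple

IP_PROTO_GRE = 47          # GRE rides directly on IP as protocol number 47 (see Question 224)
GRE_FLAG_C = 0x8000        # checksum present
GRE_FLAG_K = 0x2000        # key present
GRE_FLAG_S = 0x1000        # sequence number present
ETHERTYPE_IPV4 = 0x0800


def gre_encapsulate(payload: bytes, key: Optional[int] = None, proto: int = ETHERTYPE_IPV4) -> bytes:
    """Prepend a GRE header; when a key is configured, set the K bit and carry the 4-byte key."""
    flags = 0
    optional = b""
    if key is not None:
        flags |= GRE_FLAG_K
        optional += struct.pack("!I", key)
    return struct.pack("!HH", flags, proto) + optional + payload


def gre_decapsulate(packet: bytes, configured_key: Optional[int]) -> Tuple[Optional[bytes], str]:
    """Parse the GRE header and enforce the tunnel key; return (payload or None, reason)."""
    if len(packet) < 4:
        return None, "drop: truncated GRE header"
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        return None, "drop: unsupported GRE version"
    offset = 4
    if flags & GRE_FLAG_C:
        offset += 4                      # checksum (2 bytes) + reserved1 (2 bytes)
    packet_key = None
    if flags & GRE_FLAG_K:
        if len(packet) < offset + 4:
            return None, "drop: truncated key field"
        packet_key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        offset += 4                      # sequence number, not checked here
    # The key must match exactly: a wrong key, a missing key on a keyed tunnel, or an
    # unexpected key on an unkeyed tunnel all cause the packet to be dropped (modelled here
    # after the mismatch rule quoted in the explanation above).
    if packet_key != configured_key:
        return None, f"drop: key mismatch (packet={packet_key}, tunnel={configured_key})"
    return packet[offset:], f"accept: proto=0x{proto:04x}, key={packet_key}"


if __name__ == "__main__":
    # Constructed inner packet; "tunnel key 1000" on the encapsulating side, as on the page.
    inner = b"\x45\x00\x00\x14constructed-ipv4-payload"
    wire = gre_encapsulate(inner, key=1000)
    print(wire[:8].hex())                                    # 20000800000003e8
    print(gre_decapsulate(wire, 1000)[1])                    # accept
    print(gre_decapsulate(wire, 1001)[1])                    # drop: key mismatch
    print(gre_decapsulate(gre_encapsulate(inner), 1000)[1])  # drop: no key on a keyed tunnel
```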

Question 185

Refer to the exhibit.

R1(config-if)#interface Tunnel0
R1(config-if)#tunnel source 10.0.0.1
R1(config-if)#tunnel destination 10.0.0.2
R1(config-if)#ipv6 address k:k:k:k::1/64
R1(config-if)#ipv6 ospf 1 area 1
R1(config-if)#tunnel mode ipv6ip
!
R2(config-if)#interface Tunnel1
R2(config-if)#tunnel source 10.0.0.2
R2(config-if)#tunnel source 10.0.0.1
R2(config-if)#ipv6 address k:k:k:k::2/64
R2(config-if)#ipv6 ospf 1 area 1
R2(config-if)#tunnel mode ipv6ip

A user calls from another branch office with a request to establish a simple VPN tunnel to test a new router’s tunneling capability. Based on the configuration in the exhibit, which type of tunnel was configured?

A. IPsec site-to-site
B. 6to4
C. PPTP
D. EZVPN

Answer: B

Explanation

The command “tunnel mode ipv6ip” is used to configure a manual IPv6 tunnel. In fact without the keyword “6to4” (in “tunnel mode ipv6ip 6to4”)

Question 224

Refer to the exhibit. After configuring GRE between two routers running OSPF that are connected to each other via a WAN link, a network engineer notices that the two routers cannot establish the GRE tunnel to begin the exchange of routing updates. What is the reason for this?

[Image: GRE_Tunnel.jpg]

A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 57.

Answer: A

Explanation

GRE packets are encapsulated directly within IP and use IP protocol number 47.

============================= DMVPN Questions =============================

Question 12

During which DMVPN phase is spoke-to-spoke communication enabled?

A. phase 2
B. phase 4
C. phase 5
D. phase 6
E. phase 1

Answer: A

Explanation

Both DMVPN Phase 2 and Phase 3 support spoke-to-spoke communication (spokes talk to each other directly). In this question only phase 2 is offered as an option (not phase 3), so it is the only correct answer.

Question 55

Which two statements about NHRP in a DMVPN environment are true? (Choose two)

A. It requires each endpoint to have a unique network ID
B. It routes traffic through the tunnel
C. It can identify PIM-SM RPs over a tunnel
D. It can authenticate VPN endpoints
E. It provides address resolution to route traffic

Answer: D E

Question 73

Which two phases of DMVPN allow the spoke sites to create dynamic tunnels to one another? (Choose two)

A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4
E. Phase 5

Answer: B C

Question 83

Which Cisco VPN technology can use a multipoint tunnel, resulting in a single GRE tunnel interface on the hub, to support multiple connections from multiple spoke devices?

A. DMVPN
B. GETVPN
C. Cisco Easy VPN
D. FlexVPN

Answer: A

Explanation

An mGRE tunnel inherits the concept of a classic GRE tunnel, but it does not require a unique tunnel interface for each hub-to-spoke connection as traditional GRE does. One mGRE interface can terminate multiple GRE tunnels from the far ends. Unlike classic GRE tunnels, the tunnel destination of an mGRE tunnel does not have to be configured, and all spoke tunnels connecting to the mGRE interface of the hub can use the same subnet.

DMVPN_Topo_mGRE.jpg

For more information about DMVPN, please read our DMVPN tutorial.

Question 148

Which two statements about NAT in a DMVPN environment are true? (Choose two)

A. A hub router can be behind a dynamic NAT on a device
B. Spoke routers can reside only on the public side of a NAT device
C. Two spokes can establish session among themselves using PAT behind different NAT devices
D. A spoke router can be represented by a static NAT on a device
E. A hub router can use static NAT for its public IP address

Answer: D E

Explanation

With the NAT-Transparency Aware DMVPN enhancement, NHRP can learn and use the NAT public address for its mappings as long as IPsec transport mode is used (which is the recommended IPsec mode for DMVPN networks).

With this NAT Transparency enhancement, the hub DMVPN router can be behind the static NAT -> E is correct.

DMVPN spokes behind NAT will participate in dynamic direct spoke-to-spoke tunnels. The spokes must be behind NAT boxes that are performing NAT, not PAT (so answer D is correct). The NAT box must translate the spoke to the same outside NAT IP address for the spoke-to-spoke connections as it does for the spoke-to-hub connection.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-dmvpn.html#GUID-284B12C0-9F18-42EE-9A77-29D368883C45

Question 166

Which security feature can protect DMVPN tunnels?

A. IPSec
B. TACACS+
C. RTBH
D. RADIUS

Answer: A

Explanation

In DMVPN we can use IPSec to encrypt the tunnel.

Question 174

Which condition prevents the establishment of a DMVPN tunnel between two spokes?

A. The two spokes have different tunnel keepalive settings
B. HSRP is enabled on the spoke devices
C. IPSec is enabled on the spoke devices
D. The two spokes are behind different PAT devices

Answer: D

Explanation

If one spoke is behind one NAT device and a different spoke is behind another NAT device, and Port Address Translation (PAT) is the type of NAT used on both NAT devices, then a session initiated between the two spokes cannot be established.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-dt-spokes-b-nat.html

============================= TCP UDP Questions =============================

Question 16

Which three problems result from application mixing of UDP and TCP streams within a network with no QoS? (Choose three)

A. starvation
B. jitter
C. latency
D. windowing
E. lower throughput

Answer: A C E

Explanation

When TCP and UDP flows are mixed under congestion, TCP flows lower their transmission rate while UDP flows continue transmitting as usual. As a result, UDP flows dominate the bandwidth of the link; this effect is called TCP starvation/UDP dominance. It can increase latency and lower the overall throughput.

Question 31a

Which feature can mitigate fragmentation issues within network segments that are between GRE endpoints?

A. PMTUD
B. ICMP DF bit
C. TCP Flow Control
D. TCP MSS

Answer: D (In fact A is correct too)

Explanation

The IP protocol was designed for use on a wide variety of transmission links. Although the maximum length of an IP datagram is 65535, most transmission links enforce a smaller maximum packet length limit, called an MTU. The value of the MTU depends on the type of the transmission link. The design of IP accommodates MTU differences since it allows routers to fragment IP datagrams as necessary. The receiving station is responsible for the reassembly of the fragments back into the original full size IP datagram.

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints.

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not handle the case where there is a smaller MTU link in the middle between these two endpoints. PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet’s source to its destination.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html (this link has some examples of how TCP MSS avoids IP fragmentation, but they are too long to reproduce here; please visit the link if you want to read them)

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later.

Question 31b

Which feature mitigates fragmentation issues caused by endpoint hosts?

A. ICMP DF bit
B. TCP Flow Control
C. TCP MSS
D. PMTU

Answer: C

Question 45

What is the default maximum segment size for TCP traffic?

A. 536
B. 1492
C. 1500
D. 1508
E. 3340
F. 4096

Answer: A

Question 57

Which two protocols can cause TCP starvation? (Choose two)

A. TFTP
B. SNMP
C. SMTP
D. HTTPS
E. FTP

Answer: A B

Explanation

TCP starvation/UDP dominance is likely to occur if TCP-based applications are assigned to the same service-provider class as UDP-based applications and the class experiences sustained congestion.

TFTP (runs on UDP port 69) and SNMP (runs on UDP ports 161/162) are two protocols that run on UDP, so they can cause TCP starvation.

Note: SMTP runs on TCP port 25; HTTPS runs on TCP port 443; FTP runs on TCP port 20/21

Question 86

Which technology was originally developed for routers to handle fragmentation in the path between end points?

A. PMTUD
B. MSS
C. windowing
D. TCP
E. global synchronization

Answer: A

Explanation

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints.

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later.

Question 160

A network engineer applies the command “ip tcp adjust-mss” under interface configuration mode. What is the result?

A. The probability of SYN packet truncation is increased.
B. The UDP session is inversely affected.
C. The probability of dropped or segmented TCP packets is decreased.
D. The optimum MTU value for the interface is set.

Answer: C

Question 161

Which value determines the amount of traffic that a network path can hold in transit?

A. route cache setting
B. maximum window size
C. bandwidth delay product
D. MSS

Answer: C

Explanation

Bandwidth-delay product (BDP) is the maximum amount of data “in transit” at any point in time between two endpoints. In other words, it is the amount of data “in flight” needed to saturate the link. You can think of the link between two devices as a pipe: the cross section of the pipe represents the bandwidth and the length of the pipe represents the delay (the propagation delay due to the length of the pipe).

Therefore the Volume of the pipe = Bandwidth x Delay. The volume of the pipe is also the BDP.

Bandwidth-delay_Product.jpg

Return to our question, the formula to calculate BDP is:

BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 = 192,000 bits

-> BDP (bytes) = 192,000 / 8 = 24,000 bytes

Therefore we need 24KB in flight to fill this link.

For your information, BDP is very important in TCP communication because it optimizes the use of bandwidth on a link. As you know, a disadvantage of TCP is that it has to wait for an acknowledgment from the receiver before sending more data. The waiting time may be very long, so we may not utilize the full bandwidth of the link for the transmission.

Bandwidth-delay_Product_Wasted.jpg
Bandwidth-delay_Product_Optimized.jpg

Based on the BDP, the sending host can increase the amount of data it sends on a link (usually by increasing the window size). In other words, the sending host can fill the whole pipe with data so that no bandwidth is wasted.
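As an added illustration (not part of the original explanation): the BDP calculation above as a function, together with the throughput a fixed TCP window can reach and the TCP window-scale shift (RFC 7323) a sender needs to cover a given BDP. The 1 Gbps / 50 ms link used below is a constructed second input.

```python
"""Bandwidth-delay product and the TCP window needed to keep a link full.

Added example; the 64 kbps / 3 s figures come from the explanation above,
the 1 Gbps / 50 ms link is a constructed input.
"""
from typing import Optional

# Largest value the 16-bit TCP window field can carry, and the largest
# window-scale shift RFC 7323 allows.
MAX_UNSCALED_WINDOW = 65535
MAX_WINDOW_SCALE_SHIFT = 14


def bdp_bytes(bandwidth_bps: int, rtt_seconds: float) -> int:
    """Bytes that must be in flight to fill the pipe: bandwidth * RTT / 8."""
    return round(bandwidth_bps * rtt_seconds / 8)


def max_throughput_bps(window_bytes: int, rtt_seconds: float) -> float:
    """Best case throughput when at most window_bytes may be unacknowledged:
    the sender can push one window per round trip and then must wait."""
    return window_bytes * 8 / rtt_seconds


def window_scale_shift(window_needed: int) -> Optional[int]:
    """Smallest window-scale shift such that (65535 << shift) >= window_needed.
    Returns None if even the maximum shift cannot cover the BDP."""
    for shift in range(MAX_WINDOW_SCALE_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << shift) >= window_needed:
            return shift
    return None


if __name__ == "__main__":
    for bps, rtt in ((64_000, 3.0), (1_000_000_000, 0.05)):
        bdp = bdp_bytes(bps, rtt)
        cap = max_throughput_bps(MAX_UNSCALED_WINDOW, rtt)
        print(f"{bps} bps, RTT {rtt}s: BDP {bdp} bytes, "
              f"unscaled 64K window caps at {cap:.0f} bps, "
              f"window scale shift needed: {window_scale_shift(bdp)}")
```

For the 64 kbps link a plain 64 KB window is already enough; for the 1 Gbps link the unscaled window limits the sender to roughly 10 Mbps, which is why window scaling is needed to reach the BDP.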

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not handle the case where there is a smaller MTU link in the middle between these two endpoints. PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet’s source to its destination.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html (this link has some examples of how TCP MSS avoids IP fragmentation, but they are too long to reproduce here; please visit the link if you want to read them)

Question 164

Which protocol can you use to remotely install an IOS image on a Cisco switch?

A. SFTP
B. NetFlow
C. FTP
D. SNMP

Answer: C

Explanation

We can use TFTP or FTP to install an IOS image remotely.

Question 216

Under which circumstance can TCP starvation occur?

A. when DNS and TFTP traffic are transmitted on the same link
B. when TCP traffic is blocked by an ACL
C. when UDP traffic is processed in a policy-map before TCP traffic
D. when HTTP and HTTPS traffic are transmitted on the same link
E. when TCP and UDP traffic are mixed in the same class of service

Answer: E

Question 248

Which option is one way to mitigate asymmetric routing on an active/active firewall setup for TCP-based connections?

A. performing packet captures
B. disabling asr-group commands on interfaces that are likely to receive asymmetric traffic
C. replacing them with redundant routers and allowing load balancing
D. disabling stateful TCP checks

Answer: D

Explanation

In asymmetric routing, a packet travels from a source to a destination along one path and takes a different path when it returns to the source. This is commonly seen in Layer 3 routed networks.

Issues to Consider with Asymmetric Routing

Asymmetric routing is not a problem by itself, but will cause problems when Network Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls, state information is built when the packets flow from a higher security domain to a lower security domain. The firewall will be an exit point from one security domain to the other. If the return path passes through another firewall, the packet will not be allowed to traverse the firewall from the lower to higher security domain because the firewall in the return path will not have any state information. The state information exists in the first firewall.

Reference: http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200903.html

Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a TCP connection even if the ASA didn’t see the entire TCP 3-way handshake. This feature is called TCP State Bypass.

Reference: https://supportforums.cisco.com/document/55536/asa-asymmetric-routing-troubleshooting-and-mitigation

Note: The active/active firewall topology uses two firewalls that are both actively providing firewall services.

Question 250

Which three TCP enhancements can be used with TCP selective acknowledgments? (Choose three)

A. header compression
B. explicit congestion notification
C. keepalive
D. time stamps
E. TCP path discovery
F. MTU window

Answer: B C D

Explanation

TCP Selective Acknowledgement (SACK) prevents unnecessary retransmissions by specifying successfully received subsequent data. Let’s see an example of the advantages of TCP SACK.

TCP (Normal) Acknowledgement
TCP Selective Acknowledgement

With normal TCP acknowledgement, when a client requests data the server sends the first three segments (the name for packets at Layer 4): Segment#1, #2 and #3. Suppose Segment#2 is lost somewhere on the network while Segment#3 still reaches the client. The client checks Segment#3 and realizes Segment#2 is missing, so it can only acknowledge that it received Segment#1 successfully. Because it received Segment#1 and Segment#3, it sends two ACK#1 messages to tell the server that it has not received any data beyond Segment#1. After receiving these ACKs, the server must resend Segment#2 and #3 and wait for their ACKs.

With TCP Selective Acknowledgement, the process is the same until the client realizes Segment#2 is missing. It also sends ACK#1, but adds a SACK block to indicate that it has received Segment#3 successfully (so there is no need to retransmit that segment). The server therefore only needs to resend Segment#2. Notice that after receiving Segment#2, the client sends ACK#3 (not ACK#2) to say that it now has all of the first three segments, and the server continues with Segment#4, #5, …

The SACK option is not mandatory and it is used only if both parties support it.
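The three-segment scenario above as an added worked example (not from the original explanation): the receiver derives its cumulative ACK and SACK blocks from the segments it holds, and the sender derives what it must retransmit with and without SACK. Segment numbers stand in for byte sequence numbers, and the six-segment case is a constructed extension of the page's scenario.

```python
"""Cumulative ACK versus selective ACK bookkeeping (added example).

Segments are numbered 1, 2, 3, ... as in the explanation above; a real TCP
would carry byte sequence numbers, but the logic is the same.
"""
from typing import List, Set, Tuple


def cumulative_ack(received: Set[int]) -> int:
    """Highest n such that segments 1..n have all arrived (0 if none).
    This is the only thing a receiver without SACK can report."""
    n = 0
    while (n + 1) in received:
        n += 1
    return n


def sack_blocks(received: Set[int]) -> List[Tuple[int, int]]:
    """Contiguous runs of received segments above the cumulative ACK,
    as (first, last) pairs; these are the SACK blocks the receiver sends."""
    ack = cumulative_ack(received)
    blocks: List[Tuple[int, int]] = []
    for seg in sorted(s for s in received if s > ack):
        if blocks and blocks[-1][1] == seg - 1:
            blocks[-1] = (blocks[-1][0], seg)   # extend the current run
        else:
            blocks.append((seg, seg))           # start a new run
    return blocks


def retransmit_plan(sent_upto: int, received: Set[int], sack: bool) -> List[int]:
    """Segments the sender must resend after the receiver's feedback.
    Without SACK it only knows the ACK, so everything above it is resent;
    with SACK it resends just the holes."""
    ack = cumulative_ack(received)
    outstanding = range(ack + 1, sent_upto + 1)
    if not sack:
        return list(outstanding)
    return [s for s in outstanding if s not in received]


if __name__ == "__main__":
    # The page's scenario: segments 1..3 sent, segment 2 lost.
    got = {1, 3}
    print("ACK", cumulative_ack(got), "SACK", sack_blocks(got))
    print("resend without SACK:", retransmit_plan(3, got, sack=False))
    print("resend with SACK:   ", retransmit_plan(3, got, sack=True))
    got.add(2)
    print("after segment 2 arrives, ACK", cumulative_ack(got))
```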

The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to notify end hosts of impending network congestion. It also provides enhanced support for TCP sessions associated with applications, such as Telnet, web browsing, and transfer of audio and video data that are sensitive to delay or packet loss. The benefit of this feature is the reduction of delay and packet loss in data transmissions. Use the “ip tcp ecn” command in global configuration mode to enable TCP ECN.

The TCP time-stamp option provides improved TCP round-trip time measurements. Because the time stamps are always sent and echoed in both directions and the time-stamp value in the header is always changing, TCP header compression will not compress the outgoing packet. Use the “ip tcp timestamp” command to enable the TCP time-stamp option.

The TCP Keepalive Timer feature provides a mechanism to identify dead connections. When a TCP connection on a routing device is idle for too long, the device sends a TCP keepalive packet to the peer with only the Acknowledgment (ACK) flag turned on. If a response packet (a TCP ACK packet) is not received after the device sends a specific number of probes, the connection is considered dead and the device initiating the probes frees resources used by the TCP connection.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html

============================= IP Routing Questions =============================

Question 38

Refer to the exhibit.

<exhibit missing>

After configuring the routes, the network engineer executes the show ip route command. What is the expected results?

A. Gateway of last resort is 10.0.2.1 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.2.0 is directly connected, FastEthernet0/0
C       10.0.1.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.0.2.1
               [1/0] via 10.0.1.1
Router#

B. Gateway of last resort is 10.0.2.1 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 1 subnet
C       10.0.2.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.0.2.1
Router#

C. Gateway of last resort is not set
Router#

D. Gateway of last resort is 10.0.1.1 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 1 subnet
C       10.0.1.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.0.1.1
Router#

Answer: C

Question 98

What happens when a router receives a route with an administrative distance of 255?

A. The router installs the route as the most preferred path in the routing table.
B. The router installs the route as the least preferred path in the routing table
C. The router becomes the feasible successor for the route
D. The router is unable to install the route into the routing table

Answer: D

Question 100

Refer to the exhibit. Which networking challenge is the most important issue to address to enable optimal communication between the networks at company A and company B?

Optimal_Asymmetric_Routing.jpg

A. IPv4 fragmentation
B. unicast flooding
C. asymmetric routing
D. UDP latency
E. IPV4 MTU

Answer: C

Question 186

A router receives a routing advertisement for 10.1.1.0/24 from an EIGRP peer and from an OSPF peer. Which route does the router install in the routing table, and for which reason?

A. the OSPF route, because the administrative distance is lower.
B. the EIGRP route, because the metric is lower.
C. the OSPF route, because the metric is lower.
D. The EIGRP route, because the administrative distance is lower.

Answer: D

Explanation

By default the Administrative Distance of EIGRP is 90 which is smaller than that of OSPF 110 so EIGRP will be preferred over OSPF. The Administrative Distances of popular routing protocols are shown below:

Administrative Distances_popular_routing_protocols.jpg

Question 194

You are configuring a static route. Which action must you take to avoid the possibility of recursive routing?

A. Use the ip route command to specify the next-hop IP address only
B. Specify the next hop a directly connected interface
C. Use the ip route command to specify both the next-hop IP address and the connected interface
D. User the ip route command to specify the connected interface only

Answer: C

Explanation

If the interface with the next hop goes down and the next hop is reachable through a recursive route, you should specify both the next hop IP address and the alternate interface through which the next hop should be found. For example, ip route 0.0.0.0 0.0.0.0 Serial 3/3 192.168.20.1. This enables the static route installation to become more deterministic.

Note: A recursive static route is a route whose next hop and the destination network are covered by another learned route in the Routing Information Base (RIB). Such static routes cannot be installed in the RIB because they are considered redundant routes.

Reference: https://www.cisco.com/c/en/us/support/docs/dial-access/floating-static-route/118263-technote-nexthop-00.html

Question 203

Which routing protocol routes traffic through the best path and second best path at the same time?

A. EIGRP
B. BGP
C. OSPF
D. RIP

Answer: A or B

Explanation

Maybe this question wants to ask which routing protocols support unequal-cost load balancing. But both EIGRP and BGP support this feature (EIGRP with “variance” and BGP with “maximum-paths”).

Question 209

You want to configure a device to select an OSPF-learned route as the preferred path over an EBGP-learned route. Which action must you take?

A. Increase the OSPF cost
B. Decrease the OSPF cost
C. Increase the OSPF administrative distance
D. Decrease the OSPF administrative distance

Answer: D

Explanation

The Administrative Distances of the routing protocols are compared first so we have to decrease the OSPF administrative distance.

============================= RIP & RIPng Questions =============================

Question 11

A network engineer is modifying RIPng timer configuration. Which configuration mode should the engineer use?

A. router(config)#
B. router(config-if)#
C. router(config-router)#
D. router(config-rtr)#

Answer: D

Explanation

This is how to change the timers for RIPng:

R1(config)#ipv6 router rip digitaltut
R1(config-rtr)#timers 5 15 10 30 (5: Update period; 15: Route timeout period; 10: Route holddown period; 30: Route garbage collection period)

Note: For IPv4 RIP, we have to change the timers in “(config-router)#”.

Question 95

What is the default authentication in RIPv2 when authentication is enabled?

A. SHA1 authentication
B. Enable password authentication
C. Plaintext authentication
D. MD5 authentication

Answer: C

Explanation

Plain text authentication mode is the default setting in every RIPv2 packet, when authentication is enabled. Plain text authentication should not be used when security is an issue, because the unencrypted authentication password is sent in every RIPv2 packet.
Note: RIP version 1 (RIPv1) does not support authentication.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13719-50.html

Question 122

Two routers are configured with RIPng but can’t form neighbors as traffic traverses a firewall. Which port does the firewall need to permit to form neighbors?

A. TCP Port 521
B. UDP Port 521
C. TCP Port 520
D. UDP Port 520
E. IP Protocol 520
F. IP Protocol 521

Answer: B

Question 144

Which command must you configure globally to support RIPng?

A. ip routing
B. ip cef
C. ipv6 enable
D. ipv6 unicast-routing

Answer: D

Question 173

After configuring RIPng on two routers that are connected via a WAN link, a network engineer notices that the two routers cannot exchange routing updates. What is the reason for this?

A. Either a firewall between the two routers or an ACL on the router is blocking UDP 521
B. Either a firewall between the two routers or an ACL on the router is blocking TCP 520
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 521
D. Either a firewall between the two routers or an ACL on the router is blocking UDP 520

Answer: A

Explanation

Since RIPng is a new protocol, it cannot use the same UDP reserved port number 520 used for RIPv1/RIPv2. Instead, RIPng uses well-known port number 521.

Question 175

A network engineer is enabling RIPng on a new customer link. Under which configuration mode is RIPng enabled?

A. Global
B. Router
C. Interface
D. IPv6

Answer: C

Explanation

To enable RIPng, we first create the RIPng process under global configuration mode. For example:

R1(config)#ipv6 router rip RIPNG_DIGITALTUT

Then we enable RIPng on each interface:

R1(config)#interface Ethernet 0/0
R1(config-if)#ipv6 rip RIPNG_DIGITALTUT enable
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ipv6 rip RIPNG_DIGITALTUT enable

The question says “enabling RIPng on a new customer link”, so RIPng was probably already configured for other customers and the first command (“ipv6 router rip RIPNG_DIGITALTUT”) has already been entered. What remains is to enable RIPng under the interface for the new link. Therefore the answer should be “Interface” instead of “Global”.

Question 205

A router with default RIPv2 settings loses connectivity to its next-hop neighbor. How long does the router wait before removing the route to the next hop from its route table?

A. 30 seconds
B. 60 seconds
C. 180 seconds
D. 240 seconds

Answer: D

Explanation

The meanings of RIPv1 and RIPv2 timers (two versions have the same timers) are described below:

Update: how often the router sends updates. The default update timer is 30 seconds.
Invalid (also called Expire): how much time may pass after the last valid update before a route becomes invalid and is placed into holddown. The default invalid timer is 180 seconds.
Holddown: while a route is in holddown, if RIP receives an update with a hop count (metric) higher than the one recorded in the routing table, RIP does not “believe” that update. The default holddown timer is 180 seconds.
Flush: how much time may pass after the last valid update before RIP deletes the route from its routing table. The default flush timer is 240 seconds.

RIPng_timer.jpg

This question asks about the Flush timer, which is 240 seconds by default.

Question 109

A customer enabled a new link to a partner using RIPng. How and where is RIPng configured?

A. router mode
B. interface mode
C. global – (config)#ipv6 router rip “RIPNG”

Answer: C

Question 210

What is the maximum number of hops on a route that RIPng advertises as reachable?

A. 15
B. 30
C. 99
D. 255

Answer: A

Explanation

The maximum number of hops on RIPng is the same as RIP, which is 15. A hop-count of 16 is considered unreachable.

Question 246

A network engineer is troubleshooting connectivity issues with a directly connected RIPng neighbor. Which command should show directly connected RIPng neighbor adjacencies only?

A. router#show ipv6 rip next-hops
B. router#show ip rip neighbors
C. router#show ipv6 routers
D. router#show ipv6 rip database

Answer: A

============================= OSPF Questions =============================

Question 35

Which two statements about OSPF E1 routes are true? (Choose two)

A. They are preferred over interarea routes
B. They use the OSPF cost from redistribution and the OSPF cost to the ASBR.
C. They are preferred over E2 routes
D. They use only the OSPF cost to the ASBR
E. They use only the OSPF cost from redistribution

Answer: B C

Question 103

R1 has the OSPF router ID 172.18.1.1. What happens when R1 is configured with a new loopback interface with IP address 172.17.1.1?

A. OSPF chooses 172.17.1.1 as new router ID when R1 is rebooted.
B. OSPF chooses 192.168.21.0 as new router ID when apply new configuration.
C. OSPF chooses 172.17.1.1 as new router ID when apply new configuration.
D. OSPF retains 172.18.1.1 as the router ID until the interface on which it is configured goes down

Answer: D

Question 113

Which two areas does OSPF send a summary route to by default? (Choose two)

A. NSSA
B. Backbone
C. Totally stubby
D. Stub
E. Normal

Answer: C D

Question 128

Refer to the exhibit. Which LSA type does R3 propagate into Area 1 for the 192.168.10.0/24 network?

LSA_Type_5.jpg

A. type 3 LSA
B. type 5 LSA
C. type 7 LSA
D. type 10 LSA

Answer: C

Explanation

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to the ASBR.

OSPF_LSAs_Types_7.jpg

Question 133

Which OSPF network type uses a DR?

A. Nonbroadcast multi-access
B. point-to-point
C. point-to-multipoint
D. point-to-point nonbroadcast

Answer: A

Question 138

What are two important differences between OSPFv2 and OSPFv3? (Choose two)

A. Only OSPFv3 provides support for IPv6.
B. Only OSPFv3 automatically chooses a router ID for the local device.
C. Only OSPFv3 supports multiple OSPF instances on a single link.
D. Only OSPFv3 automatically enables interfaces when you create them in device configuration mode.
E. Only OSPFv3 automatically detects OSPF neighbors on an NBMA interface

Answer: A C

Question 153

Device R1 has 1 Gigabit and 10 Gigabit Ethernet interfaces. Which command do you enter so that it takes full advantage of OSPF costs?

A. R1(config-router)#auto-cost reference-bandwidth 10000
B. R1 (config route-map) #set metric 10000000000
C. R1(config-if)#ip ospf cost 10000
D. R1(config router)#auto-cost reference-bandwidth 10000000000
E. R1(config-if)#ip ospf cost 10000000000
F. R1(config-route-map) #set metric 10000

Answer: A

Explanation

The “auto-cost reference-bandwidth” command affects all the OSPF costs on the local router, as all links are recalculated with the formula: cost = reference-bandwidth (in Mbps) / interface bandwidth. With the default reference bandwidth of 100 Mbps, both the 1 Gbps and the 10 Gbps interfaces get the minimum cost of 1, so OSPF cannot tell them apart.

Therefore in this case the command “auto-cost reference-bandwidth 10000” lets the local router distinguish link speeds up to 10 Gbps (10000 Mbps): the 10 Gbps interface gets cost 1 and the 1 Gbps interface gets cost 10.

Question 178

Which LSA type in OSPFv3 is used for link-local updates?

A. Link LSA type 5
B. Link LSA type 8
C. Link LSA type 6
D. Link LSA type 4

Answer: B

Explanation

LSAs Type 8 (Link LSA) have link-local flooding scope. A router originates a separate link-LSA for each attached link that supports two or more routers (including the originating router itself). Link-LSAs should not be originated for virtual links.

Link-LSAs have three purposes:
1. They provide the router’s link-local address to all other routers attached to the link.
2. They inform other routers attached to the link of a list of IPv6 prefixes to associate with the link.
3. They allow the router to advertise a collection of Options bits in the network-LSA originated by the Designated Router on a broadcast or NBMA link.

Question 188

Which two statements about OSPFv3 are true? (Choose two)

A. The router ID is configured as an IPv6 address.
B. It uses loopback IPv6 addresses to form neighbor relationships.
C. The router ID is configured as an IPv4 address.
D. It uses LSA type 6 for intra-area prefixes.
E. It is backwards-compatible with OSPFv2 through the use of sham link.
F. It uses link-local addresses to form neighbor relationships.

Answer: C F

Question 207

Refer to the exhibit.

OSPF_intra_inter_areas.jpg

You notice that traffic from R1 to the 192.168.10.0/24 network prefers the path through R3 instead of the least-cost path through R2. What is the most likely reason for this route selection?

A. OSPF prefers external routes over interarea routes.
B. OSPF prefers interarea routes over intra-area routes.
C. OSPF prefers external routes over intra-area routes.
D. OSPF prefers intra-area routes over interarea routes.

Answer: D

Question 214

When OSPF is forming an adjacency, in which state does the actual exchange of the information in the link-state database occur?

A. INIT
B. loading
C. exstart
D. exchange

Answer: B

Explanation

Loading: In this state, the actual exchange of link state information occurs. Based on the information provided by the DBDs, routers send link-state request packets. The neighbor then provides the requested link-state information in link-state update packets. During the adjacency, if a router receives an outdated or missing LSA, it requests that LSA by sending a link-state request packet. All link-state update packets are acknowledged.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13685-13.html

Question 219

A network engineer enables OSPF on a Frame Relay WAN connection to various remote sites, but no OSPF adjacencies come up. Which two actions are possible solutions for this issue? (Choose two)

A. Change the network type to point-to-multipoint under WAN interface
B. Enable virtual links
C. Change the network type to nonbroadcast multipoint access
D. Configure the neighbor command under OSPF process for each remote site
E. Ensure that the OSPF process number matches among all remote sites

Answer: A D

Explanation

When OSPF is run on a network, two important events happen before routing information is exchanged:
+ Neighbors are discovered using multicast hello packets.
+ DR and BDR are elected for every multi-access network to optimize the adjacency building process. All the routers in that segment should be able to communicate directly with the DR and BDR for proper adjacency (in the case of a point-to-point network, DR and BDR are not necessary since there are only two routers in the segment, and hence the election does not take place).
For a successful neighbor discovery on a segment, the network must allow broadcasts or multicast packets to be sent.

In an NBMA network topology, which is inherently nonbroadcast, neighbors are not discovered automatically. OSPF tries to elect a DR and a BDR due to the multi-access nature of the network, but the election fails since neighbors are not discovered. Neighbors must be configured manually to overcome these problems -> C is not correct while D is correct.

In a point-to-multipoint network: this is a collection of point-to-point links between various devices on a segment. These networks also allow broadcast or multicast packets to be sent over the network. They represent the multi-access segment as multiple point-to-point links that connect all the devices on the segment, so neighbors are discovered without manual configuration. -> A is correct.

Question 225

Which two OSPF router types can perform summarization in an OSPF network? (Choose two)

A. summary router
B. area border router
C. autonomous system boundary router
D. internal router
E. backbone router

Answer: B C

Question 232

If you want to migrate an IS-IS network to another routing protocol, which routing protocols should you choose? (Choose two)

A. UDP
B. internal BGP
C. TCP/IP
D. EIGRP
E. OSPF
F. RIP

Answer: D E

Explanation

IS-IS is an interior gateway protocol (IGP), as are EIGRP and OSPF, so they are probably the best answers. RIP is not a wrong choice, but it is not widely used because of its many limitations (15-hop maximum, long convergence time…).

Question 2

If routers in a single area are configured with the same priority value, what value does a router use for the OSPF Router ID in the absence of a loopback interface?

A. The lowest IP address of any physical interface
B. The highest IP address of any physical interface
C. The lowest IP address of any logical interface
D. The highest IP address of any logical interface

Answer: B

============================= EIGRP Questions =============================

Question 5

A router was configured with the “eigrp stub” command. The router advertises which types of routes?

A. connected, static, and summary
B. static and summary
C. connected and static
D. connected and summary

Answer: D

Explanation

The “eigrp stub” command is equivalent to the “eigrp stub connected summary” command which advertises the connected routes and summarized routes.

Note: Summary routes can be created manually with the summary address command or automatically at a major network border router with the auto-summary command enabled.

Question 17

All interfaces on each router are participating in the EIGRP 100 process. Interface Loopback 2 on HQ-R2 is currently in shutdown mode. An engineer issues the eigrp stub command on router BR1. Which statement about the query messages sent from router HQ-R2 for a route to reach the 12.12.12.12/32 network is true?

EIGRP_Stub_Query.jpg

A. Router HQ-R2 sends a query message to the feasible successor for a route to 12.12.12.12/32 network.
B. BR1 receives query messages from HQ-R2 for a route to 12.12.12.12/32 network.
C. Router HQ-R1 receives query messages from HQ-R2 for a route to 12.12.12.12/32 network.
D. Router HQ-R1 and BR1 receive query messages from HQ-R2 for a route to 12.12.12.12/32 network.

Answer: C

Explanation

Router BR1 has been configured as a stub, so HQ-R2 will not send a query to BR1, since it knows BR1 is a stub router. The query is only sent to HQ-R1.

Question 28

Refer to the exhibit.

router eigrp 65535
 no auto-summary
 network 10.0.0.0 0.0.0.255
router ospf 1
 network 192.168.5.0 0.0.0.255 area 0
 passive-interface loopback0
 redistribute eigrp 65535

If this configuration is applied to a device that redistributes EIGRP routes into OSPF, which two statements about the behavior of the device are true? (Choose two)

A. EIGRP routes appear in the routing table as E2 OSPF routes
B. The device router ID is set to Loopback0 automatically
C. The device redistributes all EIGRP networks into OSPF
D. EIGRP routes appear in the routing table as N2 OSPF routes
E. The device redistributes only classful EIGRP networks into OSPF
F. EIGRP routes appear as type 3 LSAs in the OSPF database

Answer: C E

Explanation

Answer A is not correct because the redistributed EIGRP routes appear as E2 OSPF routes only in the routing tables of the routers that receive the local router's advertisements, not on the redistributing router itself.

Answer B is not correct as this router may have other loopback interfaces with a higher IP address than Loopback0.

Answer C is correct as there is no route-map to limit which routes are redistributed into OSPF. Therefore, by default all EIGRP routes will be redistributed.

Answer D is not correct as N2 routes only appear when redistributing into a not-so-stubby area (NSSA).

Answer E is correct as there is no “subnets” keyword when redistributing into OSPF, so only classful EIGRP networks will be redistributed.

Answer F is not correct as EIGRP routes will appear as LSA type 5, not type 3.

Question 30

Refer to the exhibit.

EIGRP_preferred_routes.jpg

The excerpt was taken from the routing table of router SATX. Which option ensures that routes from 51.51.51.1 are preferred over routes from 52.52.52.2?

A. SATX(config-router)#distance 90 51.51.51.1 0.0.0.0
B. SATX(config-router)#distance 89 52.52.52.2 0.0.0.0
C. SATX(config-router)#distance 90 52.52.52.2 0.0.0.0
D. SATX(config-router)#administrative distance 91 51.51.51 0.0.0.0
E. SATX(config-router)#distance 89 51.51.51.1 0.0.0.0
F. SATX(config-router)#administrative distance 91 52.52.52.2 0.0.0.0

Answer: E

Explanation

The syntax of the “distance” command is:

distance weight {ip-address {wildcard-mask}} [ip-standard-list] [ip-extended-list]

where weight is the administrative distance assigned to routes learned from the matching source, and a lower value is preferred. Setting 89 for routes from 51.51.51.1 makes them preferred over the routes from 52.52.52.2, which keep the default EIGRP internal distance of 90.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfindp1.html

Question 39

Which two options can you use to configure an EIGRP stub router? (Choose two)

A. summary-only
B. receive-only
C. external
D. summary
E. totally-stubby
F. not-so-stubby

Answer: B D

Explanation

To configure EIGRP stub we can use this syntax:

router(config-router)# eigrp stub [receive-only | connected | static | summary]

Question 42

Which two types of authentication does EIGRP offer? (Choose two)

A. TKIP
B. MD5
C. WPA
D. Plain Text

Answer: B D

Question 43

Which three statements about IPv6 EIGRP are true? (Choose three)

A. EIGRP neighbor relationships are formed using the link-local address.
B. EIGRP neighbor relationships can be formed only on the configured IPv6 address
C. It supports EUI-64 addresses only.
D. EIGRP route advertisement is configured under the interface configuration.
E. An IPv6 EIGRP router ID is required.

Answer: A D E

Explanation

In this question answer E is not clear, as IPv6 EIGRP still uses a 32-bit router ID, the same as IPv4 EIGRP. It is nevertheless the most suitable remaining answer, since B and C are obviously incorrect.

Question 111

What is EIGRP Summary Route Administrative Distance?

A. 90
B. 170
C. 5
D. 110

Answer: C

Explanation

The “ip summary-address eigrp” command is used to configure interface-level address summarization. EIGRP summary routes are given an administrative distance value of 5. The administrative distance metric is used to advertise a summary without installing it in the routing table.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/command/reference/ire_book/ire_i1.html

Question 117

Which EIGRP packets use unreliable delivery? (Choose two)

A. Query
B. Reply
C. Request
D. Hello
E. Update

Answer: C D

Question 118

What is used in EIGRP metric calculation?

A. Maximum bandwidth on the path
B. Option about bandwidth
C. Average bandwidth on the path
D. Minimum bandwidth on the path

Answer: D

Explanation

The formula to calculate EIGRP metric is:

metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] * [K5/(reliability + K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] if K5 = 0

By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0, which means the default values use only the bandwidth and delay parameters and ignore the others. The metric formula then reduces to:

metric = bandwidth + delay

The bandwidth is defined as the slowest bandwidth in the route to the destination.

Question 119

How is the EIGRP metric calculated?

A. Bandwidth+Delay
B. Bandwidth*Delay
C. Bandwidth-Delay
D. Bandwidth/Delay

Answer: A

Question 120

Which two statements are true about configuring IPv6 EIGRP for route advertisements? (Choose two)

A. Route advertisements are configured at the router global configuration
B. Route advertisements are configured at the interface configuration
C. An IPv6 router ID
D. Uses link-local IP address for route advertisements
E. IPv6 EIGRP uses only the configured IPv6 global addresses for communication

Answer: B D

Question 126

Which task must you perform to implement EIGRP for IPv6 on a device?

A. Use the ipv6 cef command to enable Cisco Express Forwarding on the device
B. Configure a loopback interface on the device
C. Manually configure the router ID
D. Statically configure a neighbor statement

Answer: C

Question 127

Which two features are provided by EIGRP for IPv6? (Choose two)

A. Backbone areas
B. SPF algorithm
C. Partial updates
D. Area border router
E. Scaling

Answer: C E

Question 146

Which two packet types can an EIGRP router send when a route goes into the Active state? (Choose two)

A. reply
B. request
C. hello
D. update
E. query

Answer: A E

Explanation

The route is in Active state when a router is undergoing a route recomputation. If there are always feasible successors, a route never has to go into Active state and avoids a route recomputation.

When there are no feasible successors, a route goes into Active state and a route recomputation occurs. A route recomputation commences with a router sending a query packet to all neighbors. Neighboring routers can either reply if they have feasible successors for the destination or optionally return a query indicating that they are performing a route recomputation.

EIGRP uses five packet types:
+ Hello/Acks
+ Updates
+ Queries
+ Replies
+ Requests

Queries and replies are sent when destinations go into Active state. Queries are always multicast unless they are sent in response to a received query. In this case, it is unicast back to the successor that originated the query. Replies are always sent in response to queries to indicate to the originator that it does not need to go into Active state because it has feasible successors. Replies are unicast to the originator of the query. Both queries and replies are transmitted reliably.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/13669-1.html

Question 150

Which two EIGRP metrics have nonzero K values by default? (Choose two)

A. reliability
B. delay
C. cost
D. load
E. bandwidth

Answer: B E

Explanation

The formula to calculate EIGRP metric is:

metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] * [K5/(reliability + K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] if K5 = 0

By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0, which means the default values use only the bandwidth and delay parameters and ignore the others. The metric formula then reduces to:

metric = bandwidth + delay

-> K1 and K3 have nonzero values by default.

Question 151

Refer to the exhibit. You want router R1 to perform unequal-cost routing to the 192.168.10.0/24 network. What is the smallest EIGRP variance value that you can configure on R1 to achieve this result?

EIGRP_variance_2.jpg

A. 1
B. 2
C. 3
D. 4

Answer: C

Explanation

When using the variance command, EIGRP will add a feasible successor to the route table if the feasible successor has a feasible distance that is less than or equal to the product of the feasible distance of the successor times the variance setting and the feasibility condition is met. In math terms:

FD (of the FS) <= FD (of the S) * variance

FD – feasible distance
FS – feasible successor
S – successor

In this question the FD of the successor is 150 (from R1 to R2) and the FD of the feasible successor is 300 + 150 = 450. Therefore we can deduce the minimum value of the variance must be 3 so that 450 <= 150 * 3 -> C is the best answer.

Note: In fact the route R1 – R3 – R2 does not satisfy the feasibility condition, which states:

“To qualify as a feasible successor, a router must have an AD less than the FD of the current successor route”

In this question the AD (advertised distance) from R3 is 150, which is equal to the FD of the current successor route (from R1 to R2), so the feasibility condition is not met. However, we still have to choose the one best answer.

Question 167

What happens when two EIGRP peers have mismatched K values?

A. The two devices are unable to correctly perform equal-cost routing
B. The two devices fail to perform EIGRP graceful shutdown when one device goes down
C. The two devices fail to form an adjacency
D. The two devices are unable to correctly perform unequal-cost load balancing

Answer: C

Question 170

When an EIGRP router discovers a new neighbor, which packet type does the router send to help the neighbor build its topology table?

A. replies
B. requests
C. updates
D. queries

Answer: C

Explanation

EIGRP uses five types of packets to communicate:

+ Hello: used to identify neighbors. They are sent as periodic multicasts
+ Update: used to advertise routes, only sent as multicasts when something has changed
+ Ack: acknowledges receipt of an update. In fact, an Ack is a Hello packet without data. It is always unicast and uses UDP.
+ Query: used to find alternate paths when all paths to a destination have failed
+ Reply: sent in response to query packets to instruct the originator not to recompute the route because feasible successors exist. Reply packets are always unicast to the originator of the query

Question 195

Refer to the exhibit.

R1
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.10.33 255.255.255.224
router eigrp 100
 eigrp router-id 172.16.1.1
 no auto-summary
 network 192.168.10.0
 network 172.16.0.0

R2
interface Loopback0
 ip address 172.16.2.2 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.10.17 255.255.255.240
router eigrp 100
 eigrp router-id 172.16.2.2
 network 192.168.10.0
 network 172.16.0.0

R1 and R2 are unable to establish an EIGRP adjacency. Which action corrects the problem?

A. Change the eigrp route-id on one of the routers so that values on the two routers are different.
B. Add the no auto-summary command to the R2 configuration so that it matches the R1 configuration
C. Change the autonomous system number on one of the routers so that each router has different values
D. Change the IP address and subnet mask on R2 so that it is on the same subnet as R1.

Answer: D

Question 220

Which calculation is used to determine the default EIGRP metric?

A. bandwidth * delay
B. bandwidth + delay
C. bandwidth – delay
D. bandwidth / delay

Answer: B

Explanation

The formula to calculate EIGRP metric is:

metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] * [K5/(reliability + K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] if K5 = 0

By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0, which means the default values use only the bandwidth and delay parameters and ignore the others. The metric formula then reduces to:

metric = bandwidth + delay

The bandwidth is defined as the slowest bandwidth in the route to the destination.

Question 223

Other than a working EIGRP configuration, which option must be the same on all routers for EIGRP authentication key rollover to work correctly?

A. SMTP
B. SNMP
C. Passwords
D. Time

Answer: D

Explanation

Requirements
+ The time must be properly configured on all routers.
+ A working EIGRP configuration is recommended.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html

============================= BGP Questions =============================

Question 32

Based on the output, which option is the next hop to get to the 130.0.1.0/24 network?

show_ip_bgp_next-hop.jpg

A. 10.30.30.1
B. 10.0.11.1
C. 10.20.20.1
D. 10.10.10.1

Answer: C

Explanation

This is the BGP table. Only the best entry for each prefix (marked with “>”) is placed into the routing table. In the output above, the 130.0.1.0/24 network can be reached via three next hops (10.10.10.1, 10.30.30.1 and 10.20.20.1), but only the path via 10.20.20.1 is the best path and is placed into the routing table.

Question 101

Which two conditions can cause BGP neighbor establishment to fail? (Choose two)

A. There is an access list blocking all TCP traffic between the two BGP neighbors.
B. The IBGP neighbor is not directly connected.
C. BGP synchronization is enabled in a transit autonomous system with fully-meshed IBGP neighbors.
D. The BGP update interval is different between the two BGP neighbors.
E. The BGP neighbor is referencing an incorrect autonomous system number in its neighbor statement.

Answer: A E

Explanation

An underlying TCP connection between two BGP speakers must be established before any routing information is exchanged. This connection uses TCP port 179, so if an access list blocks all TCP traffic between the two BGP neighbors, the BGP neighbor relationship cannot be established -> A is correct.

IBGP neighbors don’t need to be directly connected -> B is not correct.

BGP synchronization only prevents a route from being advertised to other EBGP neighbors before that route exists in the routing table. It doesn’t prevent the BGP neighbor relationship from forming -> C is not correct.

After the initial exchange (in which the peers exchange routes and synchronize their tables), a BGP speaker only sends further updates upon a change in the network topology -> BGP does not have a fixed update interval -> D is not correct.

The BGP neighbor relationship is established when both ends (routers) are manually configured with the “neighbor neighbor-IP remote-as neighbor-AS” command. If the neighbor-AS is wrong, the neighbor relationship cannot be established -> E is correct.

Question 114

Which BGP option is required when load sharing over multiple equal-bandwidth parallel links from a single CE router to a single ISP router over eBGP?

A. eBGP Multipath
B. eBGP Multihop
C. BGP Synchronization
D. Public AS numbers

Answer: A

Explanation

The BGP Multipath Load Sharing for eBGP and iBGP feature allows you to configure multipath load balancing with both external BGP (eBGP) and internal BGP (iBGP) paths in Border Gateway Protocol (BGP) networks that are configured to use Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs).

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxeibmp.html

Question 129

Which two options are benefits of BGP peer groups? (Choose two)

A. A configuration change can be applied simultaneously to all peers in the peer group
B. They can optimize backdoor routes
C. They can be updated via multicast
D. Each neighbor in a peer group can have different inbound BGP policies
E. They use soft updates to minimize bandwidth consumption
F. They support groups of paths

Answer: A D

Explanation

Answer A is surely correct as the main purposes (and advantages) of BGP peer groups are to simplify the BGP configuration and reduce the amount of system resources (CPU and memory) necessary in an update generation.

Requirements of Peer Groups

Peer groups have these requirements:

+ All members of a peer group must share identical outbound announcement policies (such as distribute-list, filter-list, and route-map), except for default-originate, which is handled on a per-peer basis even for peer group members.
+ You can customize the inbound update policy for any member of a peer group -> D is correct.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13755-29.html

Question 130

Which criterion does the BGP maximum paths feature use for load balancing?

A. MED
B. local preference
C. weight
D. router ID

Answer: C

Explanation

BGP selects only one best path for each prefix it receives and installs it in the IP routing table. So whenever we need load balancing across different paths, we have to enable BGP multipath with the “maximum-paths” command.

There are several conditions that BGP checks before selecting additional paths in parallel with the best one. The following attributes of the parallel paths have to match those of the best path:

+ Weight
+ Local Pref
+ Origin
+ AS-Path Length
+ MED
+ Neighbor AS or Sub-AS match for (eBGP multipath)
+ AS-PATH match (for eiBGP multipath)
+ IGP metric to BGP next hop

Question 149

Which adverse circumstance can the TTL feature prevent?

A. routing loops
B. DoS attacks
C. link saturation
D. CAM table overload

Answer: B

Explanation

This question refers to the TTL Security Check for multihop BGP peering sessions. The BGP Support for TTL Security Check feature provides an effective and easy-to-deploy solution to protect eBGP peering sessions from CPU utilization-based attacks. When this feature is enabled, a host cannot attack a BGP session if the host is not a member of the local or remote BGP network, or if the host is not directly connected to a network segment between the local and remote BGP networks. This greatly reduces the effectiveness of DoS attacks against a BGP autonomous system. An example of configuring this feature is shown below:

Router(config)# router bgp 65000
Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2

This sets the expected incoming TTL value for a directly connected eBGP peer. The hop-count argument is set to 2 configuring BGP to only accept IP packets with a TTL count in the header that is equal to or greater than 253. If the 10.1.1.1 neighbor is more than 2 hops away, the peering session will not be accepted.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.pdf

Question 156

Which two tasks must you perform to configure a BGP peer group? (Choose two)

A. Configure the soft-update value
B. Activate the default route
C. Set the advertisement interval
D. Activate each neighbor
E. Assign neighbors to the peer group

Answer: D E

Question 189

Which criterion does BGP evaluate first when determining the best path?

A. MED value
B. neighbor address
C. local preference value
D. weight

Answer: D

Explanation

This list provides the rules that are used to determine the best path:

1. Prefer the path with the highest WEIGHT.
2. Prefer the path with the highest LOCAL_PREF.
3. Prefer the path that was locally originated via a network or aggregate BGP subcommand or through redistribution from an IGP.
4. Prefer the path with the shortest AS_PATH
5. Prefer the path with the lowest origin type.
6. Prefer the path with the lowest multi-exit discriminator (MED)
7. Prefer eBGP over iBGP paths
8. Prefer the path with the lowest IGP metric to the BGP next hop.
9. Determine if multiple paths require installation in the routing table for BGP Multipath.
10. When both paths are external, prefer the path that was received first (the oldest one).
11. Prefer the route that comes from the BGP router with the lowest router ID
12. If the originator or router ID is the same for multiple paths, prefer the path with the minimum cluster list length
13. Prefer the path that comes from the lowest neighbor address

For more information about the list above, please read this link: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html
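The decision list above, applied step by step to candidate paths, as an added example that is not part of the original question bank. Paths are dicts of constructed attribute values; router IDs and neighbor addresses are held as integers so that "lowest" compares numerically, and step 9 (multipath) is skipped because it decides whether extra paths are installed beside the winner, not which path wins.

```python
"""Apply the 13-step BGP best-path selection list to candidate paths.

Added example, not code from the original question bank. Each path is a
dict of constructed attribute values. Step 9 (multipath) is skipped: it
decides whether extra paths are installed next to the winner, not which
path wins."""
import ipaddress
from typing import Any, Callable, Dict, List, Optional, Tuple

Path = Dict[str, Any]
Rule = Callable[[Path, Path], Optional[Path]]


def ip(addr: str) -> int:
    """Numeric form of an IPv4 address, so 'lowest' is a numeric comparison."""
    return int(ipaddress.IPv4Address(addr))


def _higher(attr: str) -> Rule:
    def rule(a: Path, b: Path) -> Optional[Path]:
        if a[attr] == b[attr]:
            return None            # tie: fall through to the next step
        return a if a[attr] > b[attr] else b
    return rule


def _lower(attr: str) -> Rule:
    def rule(a: Path, b: Path) -> Optional[Path]:
        if a[attr] == b[attr]:
            return None
        return a if a[attr] < b[attr] else b
    return rule


def _flag(attr: str) -> Rule:
    """Prefer the path whose boolean attribute is set (locally originated, eBGP)."""
    def rule(a: Path, b: Path) -> Optional[Path]:
        if a[attr] == b[attr]:
            return None
        return a if a[attr] else b
    return rule


def _oldest_external(a: Path, b: Path) -> Optional[Path]:
    """Step 10 applies only when both paths are external; lower seq = received first."""
    if not (a["ebgp"] and b["ebgp"]) or a["received_seq"] == b["received_seq"]:
        return None
    return a if a["received_seq"] < b["received_seq"] else b


# (step, tie-breaking rule) in the order the text lists them.
RULES: List[Tuple[str, Rule]] = [
    ("1 highest weight", _higher("weight")),
    ("2 highest LOCAL_PREF", _higher("local_pref")),
    ("3 locally originated", _flag("locally_originated")),
    ("4 shortest AS_PATH", _lower("as_path_len")),
    ("5 lowest origin type", _lower("origin")),      # IGP=0 < EGP=1 < incomplete=2
    ("6 lowest MED", _lower("med")),
    ("7 eBGP over iBGP", _flag("ebgp")),
    ("8 lowest IGP metric to next hop", _lower("igp_metric")),
    ("10 oldest external path", _oldest_external),
    ("11 lowest router ID", _lower("router_id")),
    ("12 shortest cluster list", _lower("cluster_list_len")),
    ("13 lowest neighbor address", _lower("neighbor")),
]


def decide(a: Path, b: Path) -> Tuple[Path, str]:
    """Return (winner, step that decided it) for two paths to the same prefix."""
    for step, rule in RULES:
        winner = rule(a, b)
        if winner is not None:
            return winner, step
    return a, "tie"


def best_path(paths: List[Path]) -> Tuple[Path, str]:
    """Reduce the candidate paths for one prefix to the single best one."""
    best, step = paths[0], "only path"
    for other in paths[1:]:
        best, step = decide(best, other)
    return best, step


def make_path(neighbor: str, **attrs: Any) -> Path:
    """Constructed path with Cisco-like defaults (weight 0, LOCAL_PREF 100, origin IGP)."""
    path: Path = dict(neighbor=ip(neighbor), weight=0, local_pref=100,
                      locally_originated=False, as_path_len=1, origin=0, med=0,
                      ebgp=True, igp_metric=0, received_seq=0,
                      router_id=ip(neighbor), cluster_list_len=0)
    path.update(attrs)
    return path


# Constructed candidate paths for one prefix (TEST-NET addresses, not an exhibit).
CANDIDATES = [
    make_path("192.0.2.1", as_path_len=2, received_seq=1),
    make_path("192.0.2.2", as_path_len=3, received_seq=2),
    make_path("192.0.2.3", as_path_len=4, local_pref=200, received_seq=3),
]

if __name__ == "__main__":
    winner, step = best_path(CANDIDATES)
    print(ipaddress.IPv4Address(winner["neighbor"]), "wins by step", step)
```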

Question 230

Which command do you enter on router R6 so that BGP supports multiple protocols?

A. R6(config-router)#no bgp default ipv4-unicast
B. R6(config-router)#bgp default ipv4-multicast
C. R6(config-router-af)#no bgp default ipv4-muticast
D. R6(config-router-af)#bgp additional-paths install
E. R6(config-router)#no address-family ipv4 unicast

Answer: A

Explanation

The command “no bgp default ipv4-unicast” disables the default behavior of BGPv4 of advertising only IPv4 unicast routes. It enables multiprotocol BGP mode, in which multiple address families can be negotiated during BGP session setup when the two peers exchange their respective capabilities.

Question 233

Which two BGP neighbor states are valid? (Choose two)

A. Established
B. Active
C. Stuck in active
D. 2-WAY
E. Unknown
F. DROTHER

Answer: A B

Explanation

BGP Neighbor states are: Idle – Connect – Active – Open Sent – Open Confirm – Established

============================= Redistribution Questions =============================

Question 102

Refer to the exhibit.

router eigrp 1
 redistribute bgp 1 route-map BGP_DEFAULT_ROUTE_RM
 network 2.0.0.0
route-map BGP_DEFAULT_ROUTE_RM permit 10
 match ip address prefix-list DEFAULT_ROUTE_PL
ip prefix-list DEFAULT_ROUTE_PL seq 10 permit 0.0.0.0/0

For which reason is EIGRP failing to redistribute the default route?

A. The EIGRP process is missing the default metric.
B. The EIGRP process is missing the no auto-summary command.
C. The EIGRP process is missing the router ID.
D. The route-map statement is missing the match any keyword.

Answer: A

Explanation

When redistributing into EIGRP, we have to configure the five metric components (bandwidth, delay, reliability, load and MTU), or redistribution will not work because the source protocol's metric is incompatible with EIGRP's.

Question 115

Refer to the exhibit. Which option describes why the EIGRP neighbors of this router are not learning routes that are received from OSPF?

router eigrp 1
redistribute ospf 100
network 10.10.10.0 0.0.0.255
auto-summary
!
router ospf 100
network 172.16.0.0 0.0.255.255 area 100
redistribute eigrp 1

A. The subnet defined in OSPF is not part of area 0
B. Default metrics are not configured under EIGRP
C. There is no overlap in the subnets advertised
D. The routing protocols do not have the same AS number

Answer: B

Explanation

When redistributing into RIP or EIGRP (and IGRP), we need to specify the metrics or the redistributed routes will never be learned. In this case we need to configure it like this:

router eigrp 1
redistribute ospf 100 metric 10000 100 255 1 1500

Question 142

Refer to the exhibit. How does R1 handle the route to network 10.1.80.0/24?

R1
router eigrp 1
 no auto-summary
 redistribute ospf 1 route-map ospf-to-eigrp
 default-metric 10000 10 255 1 1500
ip prefix-list ccnp1 seq 5 permit 10.1.48.0/24 le 24
ip prefix-list ccnp2 seq 5 permit 10.1.80.0/24 le 32
ip prefix-list ccnp3 seq 5 permit 10.1.64.0/24 le 24
route-map ospf-to-eigrp permit 10
 match ip address prefix-list ccnp1
route-map ospf-to-eigrp permit 20
 match ip address prefix-list ccnp2

A. R1 redistributes network 10.1.80.0/24 into EIGRP without changing the mask
B. R1 changes the mask to /32 and then redistributes network 10.1.80.0/24 into EIGRP as a classful network
C. R1 changes the mask to /32 and then redistributes network 10.1.80.0/24 into EIGRP as a classless network
D. R1 fails to redistribute network 10.1.80.0/24 into EIGRP

Answer: A

Explanation

The prefix-list ccnp2 permits 10.1.80.0/24 itself and any longer prefix within it, since “le 32” allows every mask length from /24 up to /32. The route-map's second clause therefore matches 10.1.80.0/24, and R1 redistributes it into EIGRP without changing the mask.

Question 202

Which option is an invalid redistribute command option for redistributing routes from EIGRP into OSPF?

A. route map
B. tag
C. access list
D. metric

Answer: C

Explanation

An example of configuring redistributing routes from EIGRP into OSPF with metric is shown below:

router ospf 1
 redistribute eigrp 1111 metric 200 subnets

With route map:

router ospf 1
 redistribute eigrp 1 subnets route-map eigrp-to-ospf

With tag:

router ospf 1
 redistribute eigrp 1 subnets tag 190

============================= IP Prefix-list Questions =============================

Question 33

Which command denies the default route?

A. ip prefix-list deny-route seq 5 deny 0.0.0.0/32
B. ip prefix-list deny-route seq 5 deny 0.0.0.0/8
C. ip prefix-list deny-route seq 5 deny 0.0.0.0/0
D. ip prefix-list deny-route seq 5 deny 0.0.0.0/16

Answer: C
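The prefix-list matching rules behind this question and behind Questions 102 and 142 above (exact length unless ge/le widens it, lowest matching seq wins, implicit deny at the end), as an added example that is not part of the original question bank. It parses the page's own prefix-list lines and the Question 142 route-map clauses, which are reproduced as constructed input.

```python
"""Evaluate Cisco-style "ip prefix-list" entries and a route-map that references them.

Added example, not code from the original question bank. Matching rule: the
candidate's first L bits must equal the entry's L-bit prefix, and its mask
length must lie within the optional ge/le bounds (with neither, the length
must equal L exactly). The lowest matching seq wins, and a prefix that
matches no entry hits the implicit deny at the end of the list."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


class PrefixEntry:
    def __init__(self, seq: int, action: str, prefix: str,
                 ge: Optional[int], le: Optional[int]) -> None:
        self.seq, self.action = seq, action
        self.network = ipaddress.IPv4Network(prefix, strict=False)
        length = self.network.prefixlen
        # Range of candidate mask lengths this entry accepts.
        self.lo = ge if ge is not None else length
        if le is not None:
            self.hi = le
        elif ge is not None:
            self.hi = 32          # "ge N" alone allows N up to /32
        else:
            self.hi = length      # no ge/le: exact length only

    def matches(self, candidate: ipaddress.IPv4Network) -> bool:
        entry = self.network
        # First L bits of the candidate must equal the entry's prefix bits.
        same_bits = (int(candidate.network_address) & int(entry.netmask)
                     == int(entry.network_address))
        return same_bits and self.lo <= candidate.prefixlen <= self.hi


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixEntry]]:
    """Collect every 'ip prefix-list' line of a config, keyed by list name, sorted by seq."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        lists.setdefault(m["name"], []).append(
            PrefixEntry(int(m["seq"]), m["action"], m["prefix"], ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries: List[PrefixEntry], prefix: str) -> str:
    """'permit' or 'deny' for one candidate prefix; implicit deny when nothing matches."""
    candidate = ipaddress.IPv4Network(prefix, strict=False)
    for entry in entries:
        if entry.matches(candidate):
            return entry.action
    return "deny"


def route_map_permits(lists: Dict[str, List[PrefixEntry]],
                      clauses: List[Tuple[str, str]], prefix: str) -> bool:
    """clauses = [(clause action, prefix-list name), ...] in seq order.
    A clause is hit when its prefix-list permits the candidate; a route-map
    with no matching clause denies the prefix (implicit deny)."""
    for action, name in clauses:
        if evaluate(lists.get(name, []), prefix) == "permit":
            return action == "permit"
    return False


# Constructed input: the prefix-lists from Question 142 plus the default-route list from Question 102.
CONFIG = """
ip prefix-list ccnp1 seq 5 permit 10.1.48.0/24 le 24
ip prefix-list ccnp2 seq 5 permit 10.1.80.0/24 le 32
ip prefix-list ccnp3 seq 5 permit 10.1.64.0/24 le 24
ip prefix-list DEFAULT_ROUTE_PL seq 10 permit 0.0.0.0/0
"""
LISTS = parse_prefix_lists(CONFIG)
# route-map ospf-to-eigrp from Question 142: seq 10 matches ccnp1, seq 20 matches ccnp2.
OSPF_TO_EIGRP = [("permit", "ccnp1"), ("permit", "ccnp2")]

if __name__ == "__main__":
    for p in ["10.1.80.0/24", "10.1.80.5/32", "10.1.48.0/25", "10.1.64.0/24", "0.0.0.0/0"]:
        verdict = "redistributed" if route_map_permits(LISTS, OSPF_TO_EIGRP, p) else "dropped"
        print(f"{p:15} {verdict}")
```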

============================= DHCP & DHCPv6 Questions =============================

Question 51

A network engineer is configuring a DHCP server to support a specialized application. Which additional DHCP feature must be enabled to support the delivery of various additional parameters to DHCP clients?

A. modules
B. vendor extensions
C. options
D. Scopes

Answer: C

Question 66

After testing various dynamic IPv6 address assignment methods, an engineer decides that more control is needed when distributing addresses to clients. Which two advantages does DHCPv6 have over EUI-64? (Choose two)

A. DHCPv6 requires less planning and configuration than EUI-64 requires.
B. DHCPv6 allows for additional parameters to be sent to the client, such as the domain name and DNS server.
C. DHCPv6 provides tighter control over the IPv6 addresses that are distributed to clients.
D. DHCPv6 does not require the configuration of prefix pools.
E. DHCPv6 does not require neighbor and router discovery on the network segment.

Answer: B C

Explanation

Extended Unique Identifier (EUI) allows a host to assign itself a unique 64-bit IPv6 interface identifier (EUI-64). This feature is a key benefit over IPv4, as it eliminates the need for the manual configuration or DHCP used in the world of IPv4. The IPv6 EUI-64 format address is derived from the 48-bit MAC address. The MAC address is first separated into two 24-bit halves, one being the OUI (Organizationally Unique Identifier) and the other being NIC-specific. The 16-bit value 0xFFFE is then inserted between these two halves to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64 generated from an EUI-48 MAC address.

Question 67

Which three options are valid DHCPv6 functions? (Choose three)

A. Server
B. Client
C. Approver
D. Requester
E. ACK
F. Relay

Answer: A B F

Explanation

Most vendors’ routers/switches have the ability to function as:
+ A DHCP client and obtain an interface IPv4 address from an upstream DHCP service
+ A DHCP relay and forward UDP DHCP messages from clients on a LAN to and from a DHCP server
+ A DHCP server whereby the router/switch services DHCP requests directly

Question 70

DHCPv6 can obtain configuration parameters from a server through rapid two-way message exchange. Which two steps are involved in this process? (Choose two)

A. solicit
B. advertise
C. request
D. auth
E. reply

Answer: A E

Question 94

Which set of actions does a network engineer perform to set the IPv6 address of a DHCP relay server at the VLAN interface level?

A. Enter the VLAN interface configuration mode and define the IPv6 address of a DHCP relay server
B. Enter the global configuration mode and enable the IPv6 DHCP relay
C. Enter the global configuration mode, enable IPv6 DHCP relay from interface configuration mode and define the IPv6 address of a DHCP relay server
D. Enter the VLAN interface configuration mode, enable IPv6 DHCP relay, and define the IPv6 address of a DHCP relay server

Answer: D

Explanation

An example of how to set the IPv6 address of a DHCP relay server at the VLAN interface level:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ipv6 dhcp relay enable
host1/Admin(config-if)# ipv6 dhcp relay server 2001:DB8:1::1/64

Reference: https://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/ACE_cr/if.html

Question 96

Where must a network engineer configure the ip helper-address command on a router?

A. On the interface that will receive the broadcasts
B. On the DHCP configuration
C. the interface that is closest to the destination DHCP server
D. on the global configuration mode

Answer: A

Question 158

When a new PC is connected to the network, which step must it take first to receive a DHCP address?

A. It sends a DHCPHELLO message to the DHCP server IP address
B. It sends a DHCPREQUEST message to the DHCP server IP address
C. It sends a DHCPREQUEST message to 255.255.255.255
D. It sends a DHCPDISCOVER message to 255.255.255.255

Answer: D

Explanation

When a client boots up for the first time (or tries to join a new network), it needs to obtain an IP address to communicate, so it first transmits a DHCPDISCOVER message on its local subnet. Because the client has no way of knowing the subnet to which it belongs, the DHCPDISCOVER is an all-subnets broadcast: destination IP address 255.255.255.255 (a Layer 3 broadcast address) and destination MAC address FF-FF-FF-FF-FF-FF (a Layer 2 broadcast address). The client does not yet have a configured IP address, so the source IP address 0.0.0.0 is used. The purpose of the DHCPDISCOVER message is to locate a DHCP server (a server that can assign IP addresses).

To learn more about the whole DHCP process, please read our DHCP tutorial.

Question 168

Which two tasks does a DHCP relay agent perform? (Choose two)

A. It forwards DHCPOFFER and DHCPCOMPLETE messages to the DHCP client
B. It forwards DHCPDISCOVER and DHCPREQUEST messages to the DHCP server
C. It forwards DHCPHELLO and DHCPREQUEST messages to the DHCP server
D. It forwards DHCPREQUEST and DHCPACK messages to the DHCP server
E. It forwards DHCPOFFER and DHCPACK messages to the DHCP client

Answer: B E

Explanation

A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay agents are used to forward requests (which includes the DHCPDISCOVER) and replies (which includes DHCPOFFER) between clients and servers when they are not on the same physical subnet.
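The exchange behind Q158 and Q168, as an added example that is not part of the original page: it builds a DHCPDISCOVER with the addressing described above (source 0.0.0.0, destination 255.255.255.255, L2 broadcast MAC) and then applies the two relay-agent tasks, forwarding DISCOVER/REQUEST to the server with giaddr set, and OFFER/ACK back to the client segment. The client MAC, relay address 10.1.1.1 and transaction ID are constructed sample values; the server address reuses the helper address from the exhibit in Q237.

```python
"""Added example, not code from the original page: build a DHCPDISCOVER laid
out as in RFC 2131 and apply the relay-agent handling described above.
Every MAC and IP address here is a constructed sample value."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 values
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
HOPS_OFF, GIADDR_OFF, FIXED_LEN = 3, 24, 236          # byte offsets in the header


@dataclass(frozen=True)
class Datagram:
    """L2/L3/L4 addressing of one DHCP message plus its BOOTP-format payload."""
    dst_mac: Optional[str]      # None = resolved by ARP toward the next hop
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_dhcp(op, msg_type, xid, client_mac, giaddr="0.0.0.0", hops=0):
    """Serialize a minimal DHCP message: fixed BOOTP fields, cookie, options."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, hops, xid, 0, 0,
                        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,   # ciaddr, yiaddr, siaddr
                        IPv4Address(giaddr).packed, chaddr,
                        b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(data):
    """Return (op, hops, giaddr, message type) from a DHCP payload."""
    if data[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    giaddr = str(IPv4Address(data[GIADDR_OFF:GIADDR_OFF + 4]))
    msg_type, i = None, FIXED_LEN + 4
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:                  # pad has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        if code == OPT_MSG_TYPE:
            msg_type = data[i + 2]
        i += 2 + length
    return data[0], data[HOPS_OFF], giaddr, msg_type


def client_discover(client_mac, xid=0x3903F326):
    """First step for a new PC: no address yet, so source 0.0.0.0, destination
    255.255.255.255 (L3 broadcast) and ff:ff:ff:ff:ff:ff (L2 broadcast)."""
    return Datagram("ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", 68, 67,
                    build_dhcp(BOOTREQUEST, DISCOVER, xid, client_mac))


def relay_to_server(dg, relay_ip, server_ip):
    """Client-to-server direction (DISCOVER/REQUEST): forward as unicast to
    the server, set giaddr to the receiving interface if it is still empty,
    and count the hop. Anything else is left alone (returns None)."""
    op, hops, giaddr, msg_type = parse_dhcp(dg.payload)
    if op != BOOTREQUEST or msg_type not in (DISCOVER, REQUEST) or hops >= 16:
        return None
    body = bytearray(dg.payload)
    body[HOPS_OFF] = hops + 1
    if giaddr == "0.0.0.0":
        body[GIADDR_OFF:GIADDR_OFF + 4] = IPv4Address(relay_ip).packed
    return Datagram(None, relay_ip, server_ip, 67, 67, bytes(body))


def relay_to_client(dg, relay_ip):
    """Server-to-client direction (OFFER/ACK): the server addresses the reply
    to giaddr, so only replies carrying this relay's address are re-sent,
    broadcast on the client-facing segment to UDP 68."""
    op, _, giaddr, msg_type = parse_dhcp(dg.payload)
    if op != BOOTREPLY or msg_type not in (OFFER, ACK) or giaddr != relay_ip:
        return None
    return Datagram("ff:ff:ff:ff:ff:ff", relay_ip, "255.255.255.255", 67, 68, dg.payload)


if __name__ == "__main__":
    disc = client_discover("00:11:22:33:44:55")
    fwd = relay_to_server(disc, "10.1.1.1", "192.168.145.5")
    print(parse_dhcp(fwd.payload))      # op 1, hops 1, giaddr 10.1.1.1, type 1
```

The giaddr field is what lets the server pick a scope for a client it never hears directly, which is why a relay that cannot reach the server (or a helper address pointing at the wrong server) shows up as clients stuck repeating DHCPDISCOVER.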

Question 236

Consider this scenario. TCP traffic is blocked on port 547 between a DHCPv6 relay agent and a DHCPv6 server that is configured for prefix delegation. Which two outcomes will result when the relay agent is rebooted? (Choose two)

A. Routers will not obtain DHCPv6 prefixes.
B. DHCPv6 clients will be unreachable.
C. Hosts will not obtain DHCPv6 addresses.
D. The DHCPv6 relay agent will resume distributing addresses.
E. DHCPv6 address conflicts will occur on downstream clients.

Answer: A D

Explanation

Note: A DHCPv6 relay agent is used to relay (forward) messages between the DHCPv6 client and server.

Servers and relay agents listen for DHCPv6 messages on UDP port 547, so if a DHCPv6 relay agent cannot receive DHCPv6 messages (because port 547 is blocked), then the routers (clients) will not obtain DHCPv6 prefixes.

We are not sure about answer D but maybe it is related to the (absence of) “Reload Persistent Interface ID” in DHCPv6 Relay Options. This feature makes the interface ID option persistent. The interface ID is used by relay agents to decide which interface should be used to forward a RELAY-REPLY packet. A persistent interface-ID option will not change if the router acting as a relay agent goes offline during a reload or a power outage. When the router acting as a relay agent returns online, it is possible that changes to the internal interface index of the relay agent may have occurred in certain scenarios (such as when the relay agent reboots and the number of interfaces in the interface index changes, or when the relay agent boots up and has more virtual interfaces than it did before the reboot). This feature prevents such scenarios from causing any problems.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-15-e-book/dhcp-15e-book_chapter_010.html

Question 237

Refer to the exhibit.

interface FastEthernet0/0
ip helper-address 192.168.145.5

A packet capture indicates that the router is not forwarding the DHCP packets that it receives on interface FastEthernet0/0. Which command needs to be entered in global configuration mode to resolve this issue?

A. ip helper-address
B. ip DHCP relay
C. service DHCP
D. ip forward-protocol

Answer: B

Explanation

The “ip helper-address” command is only configured in interface mode so it is not the correct answer.

Note: The Cisco IOS software provides the global configuration command “ip forward-protocol” to allow an administrator to forward any UDP port in addition to the eight default UDP Services. For example, to forward UDP on port 517, use the global configuration command “ip forward-protocol udp 517”. But the eight default UDP Services include DHCP services so it is not the suitable answer.

Reference and good resource: http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9

A DHCP relay agent may receive a message from another DHCP relay agent that already contains relay information. By default, the relay information from the previous relay agent is replaced. If this behavior is not suitable for your network, you can use the ip dhcp relay information policy {drop | keep | replace} global configuration command to change it -> Therefore this is the correct answer.

Reference: https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html

============================= EVN & VRF Questions =============================

Question 7

After reviewing the EVN configuration, a network administrator notices that a predefined EVN, which is known as “vnet global”, was configured. What is the purpose of this EVN? (OR) What is the purpose of “vnet global”?

A. It defines the routing scope for each particular EVN edge interface.
B. It aggregates and carries all dot1q tagged traffic.
C. It refers to the global routing context and corresponds to the default RIB.
D. It safeguards the virtual network that is preconfigured to avoid mismatched routing instances.

Answer: C

Question 34

Refer to the exhibit.

VRF_Lite_issue.jpg
hostname R1
!
ip vrf Yellow
 rd 100:1
!
interface Serial0/0
 ip vrf forwarding Yellow
 ip address 209.165.202.129 255.255.255.224
!
ip route 209.165.202.129 255.255.255.224 null0
!
router eigrp 100
 address-family ipv4 vrf Yellow
 network 209.165.202.129 0.0.0.0
 no auto-summary
 autonomous-system 100
 redistribute static
hostname R2
!
ip vrf Yellow
 rd 100:1
!
interface Serial0/0
 ip vrf forwarding Yellow
 ip address 209.165.202.130 255.255.255.224
!
router eigrp 100
 address-family ipv4 vrf Yellow
 network 209.165.202.130 0.0.0.0
 no auto-summary
 autonomous-system 100

A senior network engineer tries to propagate a summary route 209.165.201.0/27 to R2 by redistributing a static route on R1, but the setup is not working. What is the issue with the configuration in the exhibit?

A. The summary route is in the global routing table.
B. The wildcard bit in network command is incorrect.
C. The redistribute command is in the wrong address-family.
D. The route target is missing.

Answer: A

Explanation

Two connected interfaces S0/0 are in VRF Yellow so we have to put the static route into this VRF too. So it should be “ip route vrf Yellow 209.165.202.129 255.255.255.224 null0”.

Question 36

Which technology does Easy Virtual Network use?

A. MP-BGP
B. DMVPN
C. MPLS
D. VRF-Lite

Answer: D

Question 41

Which technology is required on an EVN trunk interface?

A. 802.1q
B. NAT
C. VRF-Lite
D. IS-IS

Answer: A

Explanation

An EVN trunk is allowed on any interface that supports 802.1q encapsulation, such as Fast Ethernet, Gigabit Ethernet, and port channels.

If an EVN trunk is configured on an interface, you cannot configure VRF-Lite on the same interface.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

Question 54

Refer to the exhibit.

VRF_Lite_issue.jpg
hostname R1
!
ip vrf Yellow
 rd 100:1
!
interface Serial0/0
 ip vrf forwarding Yellow
 ip address 209.165.202.129 255.255.255.224
!
router eigrp 100
 address-family ipv4 vrf Yellow
 network 209.165.202.129 0.0.0.0
 no auto-summary
hostname R2
!
ip vrf Yellow
 rd 100:1
!
interface Serial0/0
 ip vrf forwarding Yellow
 ip address 209.165.202.130 255.255.255.224
!
router eigrp 100
 address-family ipv4 vrf Yellow
 network 209.165.202.130 0.0.0.0
 no auto-summary

A network engineer is unable to make the VRF-Lite EIGRP adjacency work. There is nothing wrong with communication between R1 and R2. Which command will eliminate the issue when executed on both routers?

A. (config-router-af)#autonomous-system 100
B. (config)#ip-multicast-routing
C. (config-vrf)#route-target both 100:1
D. (config-router-af)#network 209.165.202.128 0.0.0.31

Answer: A

Explanation

To configure the autonomous-system number for EIGRP to run within a VPN routing and forwarding (VRF) instance, use the “autonomous-system” command in address-family configuration mode. In particular:

Router(config)# router eigrp 100
Router(config-router)# address-family ipv4 vrf Yellow
Router(config-router-af)# autonomous-system 100

Question 65

Which two statements about EVN are true? (Choose two)

A. Virtual network tags are assigned per-VRF.
B. It is supported only on access ports.
C. Virtual network tags are assigned globally.
D. Routing metrics can be manipulated only from directly within the routing-context configuration.
E. The VLAN ID in the 802.1q frame carries the virtual network tag.
F. The VLAN ID in the ISL frame carries the virtual network tag.

Answer: A E

Explanation

Path isolation can be achieved by using a unique tag for each Virtual Network (VN) -> Answer A is correct.

Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged packets carrying the VLAN ID are not EVN packets and could be transported over the same trunk interfaces -> Answer E is correct.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-vpns-l3vpn/whitepaper_c11-638769.html

Question 85

What is the primary service that is provided when you implement Cisco Easy Virtual Network?

A. It requires and enhances the use of VRF-Lite.
B. It reduces the need for common services separation.
C. It allows for traffic separation and improved network efficiency.
D. It introduces multi-VRF and label-prone network segmentation.

Answer: C

Question 105

Which condition must be met before two EVN devices can connect?

A. An EtherChannel must be configured with at least two interfaces connected between the devices
B. A fiber connection must be established between the devices.
C. One VLAN interface must be configured between the devices.
D. A trunk interface must be configured between the devices.

Answer: D

Question 121

Where does the EVN mark the traffic to separate different users?

A. On the edge interface, with VNET tag
B. On the edge, with 801.Q
C. On the trunk, with VNET tag
D. On the trunk, with 802.1Q

Answer: C

Question 135

Which two statements about EVN are true? (Choose two)

A. It supports IPv6 traffic.
B. It can support up to 16 VNs.
C. It uses redistribution to share routes between VNs.
D. It supports SSM only.
E. A configuration can be based on an existing VRF configuration.

Answer: C E

Explanation

Multi-VRF achieves route exchange between VNs by redistributing VN routes indirectly through BGP using the route-target import/export feature.

Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-vpns-l3vpn/whitepaper_c11-638769.html

The following are not supported on an EVN trunk:
+ Access control lists (ACLs)
+ BGP interface commands are not inherited
+ IPv6, except on vnet global -> Only vnet global (is also known as the default routing table) supports IPv6 -> A is not correct.
+ Network address translation (NAT)
+ NetFlow
+ Web Cache Communication Protocol (WCCP)

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

According to this Cisco document EVN supports up to 32 VNs and EVN supports both SM and SSM modes:

Network virtualization solution EVN:

+ Provides a pure IP alternative to MPLS in enterprise networks for up to 32 VNs -> B is not correct.
+ Uses existing enterprise design/architecture/protocols
+ Uses existing technology to increase the effectiveness of VRFs
+ Provides either an IGP (OSPF, EIGRP) only or IGP/EGP-based alternative
+ Reintroduces familiar concepts for access and trunks to Layer 3
+ Can be deployed with traditional MPLS VPNs or MPLS VPNs over mGRE
+ Can coexist with Multi-VRF deployments
+ Supports non-IP and IPv6 traffic through the EVN global table
+ Supports PIM and IGMP with SM and SSM modes for mVPN -> Answer D is not correct.
+ Supports shared services using route replication
+ Includes enhanced troubleshooting and usability tools:
– routing context, traceroute, debug condition, cisco-vrf-mib, and simplified VRF-aware SNMP configuration

For answer E, it should be understood like this: different VRF configurations may have the same configuration (like IP addresses, interfaces, AS numbers…)

Question 147

Which protocol does VRF-Lite support?

A. IS-IS
B. ODR
C. EIGRP
D. IGRP

Answer: C

Explanation

VRF-Lite supports BGP, OSPF, EIGRP, RIP and static routing.

Question 171

A customer asks its service provider for VPN support for IPv4 and IPv6 address families. Which command enables a VRF that supports these requirements?

A. Router(config-vrf)#route-target 004:006
B. Router(config-vrf)#rd 004:006
C. Router(config)#ip vrf CUSTOMER
D. Router(config-vrf)#vrf definition CUSTOMER

Answer: D

Explanation

You can now define multiple address families under the same VRF or configure separate VRFs for each IPv4 or IPv6 address family by entering the vrf definition command. The command “vrf definition vrf-name” names the VRF and enters VRF configuration mode. An example of using this command is shown below:

Router(config)# ipv6 unicast-routing
Router(config)# vrf definition red
Router(config-vrf)# rd 100:1
Router(config-vrf)# address-family ipv6
Router(config-vrf-af)# route-target both 200:1
Router(config-vrf-af)# exit-address-family
Router(config-vrf)# interface Ethernet0/1
Router(config-if)# vrf forwarding red
Router(config-if)# ipv6 address 5000::72B/64

Reference: https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/ios/software/15_4_1_cg/vrf_cgr1000.html

Question 179

Which technology supports overlapping IP addresses on a single interface?

A. policy-based routing
B. VRF-Lite
C. On-Demand Routing
D. QoS

Answer: B

Explanation

In VRF-Lite, Route distinguisher (RD) identifies the customer routing table and “allows customers to be assigned overlapping addresses”.

Question 181

Refer to the exhibit.

interface gigabitethernet 2/0/0
vnet trunk
ip address 192.168.1.1 255.255.255.0
vnet name cisco

Which effect of this configuration is true?

A. It designates the interface as a GRE tunnel endpoint
B. It configures 802.1q trunking on the interface
C. It designates the interfaces as an EVN trunk
D. It removes VTP from the interface

Answer: C

Explanation

An EVN trunk interface connects VRF-aware routers together and provides the core with a means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is used to de-multiplex the packet into the corresponding EVN. A trunk interface has one subinterface for each EVN. The vnet trunk command is used to define an interface as an EVN trunk interface.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual router instances, and both technologies allow routes from one VRF to be selectively leaked to other VRFs. However, a major difference is the way that two physical routers interconnect. With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF. However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies configuration.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide

Question 187

What is the role of a route distinguisher in a VRF-Lite implementation?

A. It extends the IP address to identify which VRF instance it belongs to.
B. It manages the import and export of routes between two or more VRF instances
C. It enables multicast distribution for VRF-Lite setups to enhance EGP routing protocol capabilities
D. It enables multicast distribution for VRF-Lite setups to enhance IGP routing protocol capabilities

Answer: A

Explanation

The route distinguisher (RD) is used to keep all prefixes in the BGP table unique so that we can use same subnets for different VRFs/VPNs. An example of RD is shown below:

ip vrf CustomerA
 rd 65000:1
!
ip vrf CustomerB
 rd 65000:2

Note: There is another question asking about the role of a route target (RT) and the answer is B so please be careful and read the question well.

Question 199

Which statement is true about an edge interface in relation to the Cisco Easy Virtual Network?

A. An edge interface is used to differentiate VRF instances.
B. An edge interface connects to end devices such as hosts and servers that are VRF-aware
C. An edge interface connects a user device to the EVN while defining the EVN boundaries.
D. An edge interface is configured using the vnet trunk command under the switched virtual interface.

Answer: C

Explanation

An edge interface connects a user device to the EVN and in effect defines the boundary of the EVN. Edge interfaces connect end devices such as hosts and servers that are not VRF-aware. Traffic carried over the edge interface is untagged. The edge interface classifies which EVN the received traffic belongs to. Each edge interface is configured to belong to only one EVN.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html#GUID-D8133186-33B5-4244-AAFD-60F5FEC38CEF

Question 221

Which two statements about EVNs are true? (Choose two)

A. VRFs using MPLS require a trunk interface that uses EVN
B. VRF-Lite requires a trunk interface that uses EVNs
C. All EVNs within a trunk interface can share the same IP infrastructure
D. Each EVN within a trunk interface must be configured separately
E. Commands that are specified once under a trunk interface can be inherited by all EVNs

Answer: C E

Explanation

With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple VRFs) between two routers you need to create a subinterface for each VRF on each router -> VRF-Lite requires subinterfaces. However, with Cisco EVN, you instead create a trunk (called a Virtual Network (VNET) trunk) between the routers. Then, traffic for multiple virtual networks can travel over that single trunk interface, which uses tags to identify the virtual networks to which packets belong.

Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual router instances, and both technologies allow routes from one VRF to be selectively leaked to other VRFs. However, a major difference is the way that two physical routers interconnect. With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF. However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies configuration.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide

All EVNs within a trunk interface share the same IP infrastructure as they are on the same physical interface -> Answer C is correct.

With EVNs, a trunk interface is shared among VRFs so each command configured under this trunk is applied by all EVNs -> Answer E is correct.

Question 227

Which three benefits does the Cisco Easy Virtual Network provide to an enterprise network? (Choose three)

A. simplified Layer 3 network virtualization
B. improved shared services support
C. enhanced management, troubleshooting, and usability
D. reduced configuration and deployment time for dot1q trunking
E. increased network performance and throughput
F. decreased BGP neighbor configurations

Answer: A B C

Explanation

EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN provides enhancements in path isolation, simplified configuration and management, and improved shared service support.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

Maybe the “improved shared services support” term here refers to sharing routes between different VRFs (through route targets and MP-BGP).

Question 234

What is VRF-lite?

A. VRF without MPLS
B. VRF without VPN
C. VRF without independent route tables
D. VRF without Cisco Express Forwarding switching

Answer: A

============================= IPv6 Questions =============================

Question 10

Which CLI command can you enter to permit or deny IPv6 traffic travelling through an interface?

A. access-list
B. access-group
C. ipv6 access-class
D. ipv6 traffic-filter

Answer: D

Explanation

The command “ipv6 traffic-filter access-list-name { in | out }” applies the access list to incoming or outgoing traffic on the interface.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swv6acl.html

Question 24

Which two technologies can encapsulate an IPv6 payload in an IPv4 packet for transmission across a network? (Choose two)

A. L2TPv3
B. trunking
C. AToM
D. ISATAP
E. NAT-PT

Answer: D E

Explanation

The Network Address Translator – Protocol Translator (NAT-PT) defines a set of network-layer translation mechanisms designed to allow nodes that only support IPv4 to communicate with nodes that only support IPv6, during the transition to the use of IPv6 in the Internet.

NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4 and IPv6 network, all IPv4 users are given access to the IPv6 network without modification to the local IPv4 hosts (and vice versa). Equally, all hosts on the IPv6 network are given access to the IPv4 hosts without modification to the local IPv6 hosts. This is accomplished with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4-IPv6 boundaries.

(Reference: http://www.ietf.org/rfc/rfc4966.txt and http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_white_paper09186a008011ff51_ps6640_Products_White_Paper.html)

ISATAP tunneling (Intra-Site Automatic Tunnel Addressing Protocol) is a mechanism for transmitting IPv6 packets over an IPv4 network. The word “automatic” means that once an ISATAP server/router has been set up, only the clients must be configured to connect to it.

Question 25

When a packet is denied by an IPv6 traffic filter, which additional action does the device perform?

A. It scans the rest of the ACL for a permit entry matching the destination
B. It generates a TCP Fin bit and sends it to the source.
C. A creates a null route for the destination and adds it to the route table
D. It generates an ICMP unreachable message for the frame.

Answer: D

Explanation

If an IPv6 router ACL is configured to deny a packet, the packet is dropped. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swv6acl.html

Question 48

Which two options are components of a dual stack? (Choose two)

A. EIGRP
B. OSPF
C. IPv6 traffic
D. IPv4 traffic
E. Layer 3 switch
F. Layer 2 switch

Answer: C D

Question 56

What are two limitations when using NPTv6 for IPv6-to-IPv6 address translation? (Choose two)

A. stateful address translation
B. a limit of 32 1-to-1 translations
C. lack of overloading functionality
D. identify all interfaces as NAT inside or outside
E. 1-to-1 prefix rewrite
F. mismatched prefix allocations

Answer: C F

Explanation

IPv6-to-IPv6 Network Prefix Translation (NPTv6) provides a mechanism to translate an inside IPv6 source address prefix to an outside IPv6 source address prefix in the IPv6 packet header, and vice versa. In other words, NPTv6 simply rewrites IPv6 prefixes. NPTv6 does not support overloading, and it does not support mismatched prefix allocation sizes (the network/host split must remain intact; for example, you cannot map a /64 to a /48).

Question 62

Which two statements about 6to4 tunneling are accurate? (Choose two)

A. Prepending a reserved IPv6 code to the hexadecimal representation of 192.168.0.1 facilitates 6to4 tunneling
B. Each 6to4 site receives a /48 prefix in a 6to4 tunnel
C. 2002::/48 is the address range specifically assigned to 6to4
D. Prepending 0x2002 with the IPv4 address creates an IPv6 address that is used in 6to4 tunneling
E. 6to4 is a manual tunnel method

Answer: B D

Explanation

A 6to4 tunnel is a technique that relies on the reserved address space 2002::/16 (you must remember this range). These tunnels determine the appropriate destination address by combining the IPv6 prefix with the globally unique IPv4 address of the destination 6to4 border router, beginning with the 2002::/16 prefix, in this format:

2002:border-router-IPv4-address::/48

Because the border-router-IPv4-address is added, we have a /48 prefix (an IPv4 address consists of 32 bits, and 16 + 32 = 48). An example of a 6to4 prefix for the border-router-IPv4-address 192.168.1.2 is 2002:C0A8:0102::/48.
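The derivation above carried out in code, as an added example that is not part of the original page: it computes a site's 6to4 /48 from the border router's IPv4 address, recovers that IPv4 address from any 2002::/16 destination (the step a 6to4 relay performs before encapsulating), and goes one step beyond the text by carving a /64 out of the /48 with the 16-bit subnet ID. The addresses used are the page's 192.168.1.2 plus constructed sample values.

```python
"""Added example, not code from the original page: 6to4 address arithmetic
per RFC 3056. All addresses below are sample values."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

SIX_TO_FOUR = IPv6Network("2002::/16")     # range reserved for 6to4


def six_to_four_prefix(border_router_ipv4):
    """2002:<32-bit IPv4 in hex>::/48 -> the IPv4 address fills bits 16-47."""
    v4 = int(IPv4Address(border_router_ipv4))
    return IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def tunnel_endpoint(ipv6_destination):
    """Reverse step used when encapsulating: extract the border router's IPv4
    address from a 2002::/16 destination. Returns None if it is not 6to4."""
    dst = IPv6Address(ipv6_destination)
    if dst not in SIX_TO_FOUR:
        return None
    return IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)


def site_subnet(border_router_ipv4, subnet_id):
    """Inside the /48 the site keeps 16 bits of subnet ID, i.e. 65536 /64s."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    base = int(six_to_four_prefix(border_router_ipv4).network_address)
    return IPv6Network((base | (subnet_id << 64), 64))


if __name__ == "__main__":
    print(six_to_four_prefix("192.168.1.2"))            # 2002:c0a8:102::/48
    print(tunnel_endpoint("2002:c0a8:102:1::5"))        # 192.168.1.2
    print(site_subnet("192.168.1.2", 1))                # 2002:c0a8:102:1::/64
```

Note that the compressed form drops the leading zero of the group 0102, so the same prefix prints as 2002:c0a8:102::/48; when reading captures, read the IPv4 address back from the two groups after 2002 taken together as 32 bits.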

Question 88

The Neighbor Discovery Protocol in IPv6 is replaced with which discovery protocol in IPv4?

A. ARP
B. ICMP
C. UDP
D. TCP
E. RFC

Answer: A

Explanation

Note: This question asks about the IPv4 discovery protocol, not IPv6. So the correct answer is ARP.

Just for your information, the IPv6 neighbor discovery process uses Internet Control Message Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and track neighboring devices.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-15-2mt-book/ip6-neighb-disc.html

-> Neighbor Discovery Protocol in IPv6 does not use ARP any more.

Question 159

Considering the IPv6 address independence requirements, which process do you avoid when you use NPTv6 for translation?

A. rewriting of higher layer information
B. checksum verification
C. ipv6 duplication and conservation
D. IPSEC AH header modification

Answer: A

Question 196

A company is deploying a multicast application that must be accessible between sites, but must not be accessible outside of the organization. Based on the scoping requirements, the multicast group address for the application will be allocated out of which range?

A. FF00::/16
B. FF0E::/16
C. FF02::/16
D. FF08::/16

Answer: D

Explanation

All IPv6 multicast addresses begin with FF::/8 – in other words, with FF as the first two digits. But we need to know the differences between these multicast addresses:

FF02::/16 is the IPv6 prefix for link-local multicast, meaning that routers will not forward these packets outside the local subnet.
FF08::/16 is the IPv6 prefix for organization-local multicast. It is typically used for a multicast application with users throughout the enterprise; packets sent to these addresses are forwarded throughout the organization but not out into the Internet.
FF0E::/16 is the IPv6 prefix for global multicast.

Therefore in this question, FF08::/16 is the best answer.
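The scope rule behind this answer, as an added example that is not part of the original page: the fourth hex digit of an IPv6 multicast address is the scope field, and a router on a zone boundary forwards a group only when the group's scope is wider than that zone. The code generalizes the three prefixes above to the full scope table from RFC 4291 and also reads the T (transient) flag; the group addresses used are constructed.

```python
"""Added example, not code from the original page: IPv6 multicast scope
classification and boundary-forwarding decision. Addresses are sample values."""
from ipaddress import IPv6Address

# Scope field values (RFC 4291 section 2.7): the 4 bits after the flags.
SCOPE_NAMES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}
SCOPE_VALUES = {name: value for value, name in SCOPE_NAMES.items()}


def multicast_scope(addr):
    """Return (scope value, scope name) for an address in FF00::/8."""
    a = IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    scope = (int(a) >> 112) & 0xF            # bits 12-15 of the address
    return scope, SCOPE_NAMES.get(scope, "unassigned")


def transient_flag(addr):
    """Lowest bit of the flags nibble (bits 8-11): 1 = dynamically assigned
    group, 0 = permanently assigned (well-known) group."""
    return bool((int(IPv6Address(addr)) >> 116) & 0x1)


def forwarded_across(addr, boundary):
    """Would a router sitting on a boundary of the named scope forward this
    group outward? Only if the group's scope is larger than the zone."""
    scope, _ = multicast_scope(addr)
    return scope > SCOPE_VALUES[boundary]


def meets_requirement(addr, must_cross, must_not_cross):
    """Check a candidate group against a requirement like Q196: it has to
    cross the site boundary but stop at the organization boundary."""
    return forwarded_across(addr, must_cross) and not forwarded_across(addr, must_not_cross)


if __name__ == "__main__":
    for group in ("ff02::1", "ff08::1234", "ff0e::1"):
        print(group, multicast_scope(group), meets_requirement(group, "site-local", "organization-local"))
```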

Question 218

Which statement about stateless and stateful IPv6 autoconfiguration is true?

A. Both stateless and stateful autoconfiguration require additional setup
B. Stateless autoconfiguration requires no additional setup, whereas stateful autoconfiguration requires additional setup
C. Stateless autoconfiguration requires additional setup, whereas stateful autoconfiguration requires no additional setup
D. Both stateless and stateful autoconfiguration require no additional setup

Answer: B

Explanation

Stateful autoconfiguration is the IPv6 equivalent of DHCP. A new protocol, called DHCPv6 (and based closely on DHCP), is used to pass out addressing and service information in the same way that DHCP is used in IPv4. This is called “stateful” because the DHCP server and the client must both maintain state information to keep addresses from conflicting, to handle leases, and to renew addresses over time.

Stateless autoconfiguration allows an interface to automatically “lease” an IPv6 address and does not require a server to hand out address space. Stateless autoconfiguration allows a host to propose an address that will probably be unique (based on the network prefix and its Ethernet MAC address) and propose its use on the network. Because no server has to approve the use of the address, or hand it out, stateless autoconfiguration is simpler. This is the default mode of operation for most IPv6 systems, including servers.

Question 7

A network engineer executes the “ipv6 flowset” command. What is the result?

A. Flow-label marking in 1280-byte or larger packets is enabled.
B. Flow-set marking in 1280-byte or larger packets is enabled.
C. IPv6 PMTU is enabled on the router.
D. IPv6 flow control is enabled on the router.

Answer: A

Explanation

The command “ipv6 flowset” allows the device to track destinations to which the device has sent packets that are 1280 bytes or larger.

Question 11

The enterprise network WAN link has been receiving several denial of service attacks from both IPv4 and IPv6 sources. Which three elements can you use to identify an IPv6 packet via its header, in order to filter future attacks? (Choose three)

A. Traffic Class
B. Source address
C. Flow Label
D. Hop Limit
E. Destination Address
F. Fragment Offset

Answer: A C D

Explanation

The fields of the IPv6 header are shown below:

IPv6_header.jpg

The Traffic Class field (8 bits) is where quality of service (QoS) marking for Layer 3 can be identified. In a nutshell, the higher the value of this field, the more important the packet. Your Cisco routers (and some switches) can be configured to read this value and send a high-priority packet sooner than other lower ones during times of congestion. This is very important for some applications, especially VoIP.

The Flow Label field (20 bits) is originally created for giving real-time applications special service. The flow label when set to a non-zero value now serves as a hint to routers and switches with multiple outbound paths that these packets should stay on the same path so that they will not be reordered. It has further been suggested that the flow label be used to help detect spoofed packets.

The Hop Limit field (8 bits) is similar to the Time to Live field in the IPv4 packet header. The value of the Hop Limit field specifies the maximum number of routers that an IPv6 packet can pass through before the packet is considered invalid. Each router decrements the value by one. Because no checksum is in the IPv6 header, the router can decrease the value without needing to recalculate the checksum, which saves processing resources.
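The three fields above pulled out of a real header, as an added example that is not part of the original page: a parser for the 40-byte IPv6 fixed header (version, Traffic Class with its DSCP bits, Flow Label, Payload Length, Next Header, Hop Limit, addresses) and a small match function for filtering on any of those fields. The packet is constructed inline from sample values, not taken from a capture.

```python
"""Added example, not code from the original page: parse the IPv6 fixed
header and match it against filter criteria. The sample packet is constructed."""
import struct
from ipaddress import IPv6Address


def build_ipv6_header(src, dst, traffic_class=0, flow_label=0,
                      payload_length=0, next_header=59, hop_limit=64):
    """Serialize the 40-byte fixed header (59 = No Next Header)."""
    if not 0 <= traffic_class < 256 or not 0 <= flow_label < (1 << 20):
        raise ValueError("traffic class is 8 bits, flow label is 20 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_length, next_header, hop_limit)
            + IPv6Address(src).packed + IPv6Address(dst).packed)


def parse_ipv6_header(packet):
    """Return the fixed-header fields as a dict; reject non-IPv6 input."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "dscp": (first_word >> 22) & 0x3F,        # upper 6 bits of Traffic Class
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(IPv6Address(packet[8:24])),
        "dst": str(IPv6Address(packet[24:40])),
    }


def matches(header, **criteria):
    """True when every named field equals the parsed value, e.g.
    matches(h, flow_label=0x12345, hop_limit=64)."""
    return all(header[name] == value for name, value in criteria.items())


# Constructed sample: an EF-marked (DSCP 46) TCP packet with a non-zero flow label.
SAMPLE = build_ipv6_header("2001:db8::10", "2001:db8:ffff::1",
                           traffic_class=0xB8, flow_label=0x12345,
                           payload_length=20, next_header=6, hop_limit=64)

if __name__ == "__main__":
    header = parse_ipv6_header(SAMPLE)
    print(header)
    print(matches(header, dscp=46, flow_label=0x12345, hop_limit=64))   # True
```

Because the header carries no checksum, rewriting Hop Limit or Traffic Class in transit costs a router nothing, which is also why those fields alone are weak evidence of a packet's origin; a filter built on them should be combined with address-based checks.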

============================= uRPF Questions =============================

Question 52

Which two statements about uRPF are true? (Choose two)

A. The keyword any can be used with both strict mode and loose mode
B. Strict mode may drop legitimate traffic
C. It is enabled globally
D. Strict mode is most appropriate for networks with asymmetric routing
E. Loose mode may drop traffic when asymmetric routing occurs on the network
F. It is enabled on a per interface basis

Answer: B F

Explanation

The syntax of configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables loose mode uRPF on the router: the router only needs a route to the source address via any interface. The rx option enables strict mode uRPF: the router must reach the source address via the interface on which the packet was received, which is why strict mode can drop legitimate traffic when routing is asymmetric.
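To make the difference between the rx and any keywords concrete (this also covers Question 226 below), here is an added example, not code from the page or from Cisco IOS, that models the uRPF decision against a small constructed FIB. The prefixes and interface names are assumptions made for the example; the allow-default behaviour models the allow-default keyword from the syntax above.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB for the example: prefix -> interfaces through which the prefix
# is reachable (more than one interface models an ECMP route). Not from the page.
FIB = {
    "10.1.0.0/16":  {"Gi0/0"},
    "10.2.0.0/16":  {"Gi0/1"},
    "192.0.2.0/24": {"Gi0/0", "Gi0/1"},
    "0.0.0.0/0":    {"Gi0/2"},
}


def fib_lookup(src, fib=FIB):
    """Longest-prefix match of the packet's *source* address (this is what uRPF does)."""
    addr = ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf_check(src, ingress_if, mode, allow_default=False, fib=FIB):
    """mode 'rx' = strict (reachable-via rx), mode 'any' = loose (reachable-via any).
    Returns True if the packet passes the check, False if uRPF would drop it."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    match = fib_lookup(src, fib)
    if match is None:
        return False                       # no route at all to the source
    net, ifaces = match
    if net.prefixlen == 0 and not allow_default:
        return False                       # only the default route matches; needs allow-default
    if mode == "any":
        return True                        # loose: any route to the source is enough
    return ingress_if in ifaces            # strict: must be reachable via the ingress interface


if __name__ == "__main__":
    # Asymmetric routing: a packet from 10.1.5.5 arrives on Gi0/1 although the
    # FIB reaches 10.1.0.0/16 via Gi0/0. Strict drops it, loose permits it.
    print("strict:", urpf_check("10.1.5.5", "Gi0/1", "rx"))
    print("loose :", urpf_check("10.1.5.5", "Gi0/1", "any"))
```

The asymmetric case in the usage block is exactly the scenario behind answer B: the return path is valid, but strict mode only trusts the interface the FIB would use to reach the source.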

Question 226 (posted at Q.7 of http://www.digitaltut.com/unicast-reverse-path-forwarding)

Which command sequence can you enter on a router to configure Unicast Reverse Path Forwarding in loose mode?

A. interface GigabitEthernet0/0
ip verify unicast source reachable-via all

B. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose

C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any

D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx

Answer: C

============================= IP SLA Questions =============================

Question 4

Refer to the exhibit.

IP_SLA_reachability.jpg

The IP SLA configuration of R1 is shown below:

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface f1/0
R1(config-ip-sla)#frequency 10
R1(config-ip-sla)#threshold 100
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2

Why is the default route not removed when the SLA state is down or failed?

A. the destination must be 172.30.30.2 for icmp-echo
B. the threshold value is wrong
C. the default route has wrong next hop IP address.
D. missing of track feature on default static route command

Answer: D

Explanation

The default route command (at the last line) must include the “track” keyword for the tracking feature to work.

ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10

Question 22

A network engineer wants to baseline the network to determine suitability for real-time voice applications. Which IP SLA operation is best suited for this task?

A. ICMP-echo
B. ICMP-jitter
C. UDP-connect
D. UDP-jitter
E. TCP-connect
F. UDP-echo

Answer: D

Explanation

The IP SLAs VoIP UDP jitter operation accurately simulates VoIP traffic using common codecs and calculates consistent voice quality scores (MOS and ICPIF) between Cisco devices in the network.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_udp_jitter_voip.html

Note:
+ UDP Jitter: generates UDP traffic and measures Round-trip Delay, One-way Delay, One-way Jitter, One-way Packet Loss, and overall Connectivity.
+ UDP-echo: measures Round-trip Delay for UDP traffic.

There is also a special “UDP Jitter for VoIP” which can simulate various codecs and spits out voice quality scores (MOS, and ICPIF)

Question 71

Refer to the exhibit. Which two reasons for IP SLA tracking failure are likely true? (Choose two)

IP_SLA_reachability.jpg

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#threshold 500
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2
R1(config)#ip route 0.0.0.0 0.0.0.0 172.30.30.2 5

A. The source-interface is configured incorrectly
B. The destination must be 172.30.30.2 for icmp-echo
C. A route back to the R1 LAN network is missing in R2
D. The default route has wrong next hop IP address
E. The threshold value is wrong

Answer: C E

Explanation

There is no problem with the Fa0/0 as the source interface as we want to check the ping from the LAN interface -> A is not correct.

Answer B is not correct as we must track the destination of the primary link, not backup link.

In this question, R1 pings R2 via its LAN Fa0/0 interface, so R2 (which is an ISP router) may not know how to reply, because an ISP usually does not configure a route to a customer’s LAN -> C is correct.

There is no problem with the default route -> D is not correct.

For answer E, we need to understand about how timeout and threshold are defined:

Timeout (in milliseconds) sets the amount of time an IP SLAs operation waits for a response to its request packet. In other words, the timeout specifies how long the router waits for a reply to its ping before the probe is considered failed.

Threshold (also in milliseconds) sets the upper threshold value for calculating network monitoring statistics created by an IP SLAs operation. The threshold is used to activate a response to an IP SLA violation, e.g. send an SNMP trap or start a secondary SLA operation. In other words, the threshold value only indicates over-threshold events; these do not affect reachability, but they can be used to evaluate whether the timeout is set correctly. For reachability tracking, if the return code is OK or OverThreshold, reachability is up; if it is not OK, reachability is down.

Therefore, because this question uses reachability tracking (via the command “track 10 ip sla 1 reachability”), the threshold value does not matter and can be ignored -> Answer E is correct. In fact the threshold value is not really wrong, but E is the best of the remaining options.

This tutorial can help you revise IP SLA tracking topic: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html and http://www.ciscozine.com/using-ip-sla-to-change-routing/

Note: Maybe some of us will wonder why there are these two commands:

R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2

In fact the two commands:

ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
ip route 0.0.0.0 0.0.0.0 172.20.20.2

are different. These two static routes can co-exist in the routing table. Therefore if the tracking goes down, the first command will be removed but the second one still exists and the backup path is not preferred. So we have to remove the second one.
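The two points made above, that only a timeout (not an over-threshold reply) takes reachability down, and that an untracked static route with the same next hop masks the tracked one, can be checked with a small model. This is an added example written for this page, not code from the page or from Cisco IOS; the return-code names follow the OK/OverThreshold/Timeout wording of the explanation, and the route list and probe results are constructed.

```python
def sla_return_code(rtt_ms, timeout_ms, threshold_ms):
    """Return code of one ICMP echo probe. rtt_ms is None when no reply arrived."""
    if rtt_ms is None or rtt_ms > timeout_ms:
        return "Timeout"          # no reply within the timeout -> probe failed
    if rtt_ms > threshold_ms:
        return "OverThreshold"    # reply arrived, but slower than the threshold
    return "OK"


def reachability_up(return_code):
    """Reachability tracking: up on OK or OverThreshold, down otherwise."""
    return return_code in ("OK", "OverThreshold")


def select_default_route(routes, track_up):
    """routes: list of (next_hop, admin_distance, tracked). A tracked route is
    withdrawn while the track object is down; among the routes that remain
    installed, the lowest administrative distance wins."""
    candidates = [r for r in routes if not r[2] or track_up]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r[1])[0]


def simulate(probe_rtts, routes, timeout_ms=5000, threshold_ms=500):
    """Apply each probe result in turn and report (return code, track state, next hop)."""
    result = []
    for rtt in probe_rtts:
        code = sla_return_code(rtt, timeout_ms, threshold_ms)
        up = reachability_up(code)
        result.append((code, up, select_default_route(routes, up)))
    return result


# Constructed route tables. CORRECT matches the final state in Question 71:
# a tracked default via 172.20.20.2 (AD 1) and a floating default via 172.30.30.2 (AD 5).
CORRECT = [("172.20.20.2", 1, True), ("172.30.30.2", 5, False)]
# MASKED keeps the untracked duplicate that the "no ip route" line removes.
MASKED = CORRECT + [("172.20.20.2", 1, False)]

if __name__ == "__main__":
    # Constructed probe results: a fast reply, a slow (over threshold) reply, no reply.
    for row in simulate([40, 800, None], CORRECT):
        print("correct:", row)
    for row in simulate([40, 800, None], MASKED):
        print("masked :", row)
```

With the duplicate untracked route left in place, the last row of the second run still selects 172.20.20.2 even though the track is down, which is why the explanation insists on removing it.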

Question 74a

Which IP SLA operation can be used to measure round-trip delay for the full path and hop-by-hop round-trip delay on the network?

A. HTTP
B. ICMP path echo
C. TCP connect
D. ICMP echo

Answer: B

Explanation

Round-trip time (RTT), also called round-trip delay, is the time required for a packet to travel from a specific source to a specific destination and back again.

An ICMP Path Echo operation measures end-to-end (full path) and hop-by-hop response time (round-trip delay) between a Cisco router and devices using IP. ICMP Path Echo is useful for determining network availability and for troubleshooting network connectivity issues.

Note: ICMP Echo only measures round-trip delay for the full path.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/xe-3s/sla-xe-3s-book/sla_icmp_pathecho.html

Question 74b

A network engineer wants to monitor hop by hop response time on the network. Which IP SLA operation accomplishes this task?

A. UDPecho
B. ICMP echo
C. ICMP path jitter
D. ICMP path echo

Answer: D

Question 75

Which three IP SLA performance metrics can you use to monitor enterprise-class networks? (Choose three)

A. Packet loss
B. Delay
C. bandwidth
D. Connectivity
E. Reliability
F. traps

Answer: A B D

Explanation

Depending on the specific Cisco IOS IP SLAs operation, statistics of delay, packet loss, jitter, packet sequence, connectivity, path, server response time, and download time are monitored within the Cisco device and stored in both CLI and SNMP MIBs.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsoverv.html

Question 83

Which three items can you track when you use two time stamps with IP SLAs? (Choose three)

A. delay
B. jitter
C. packet loss
D. load
E. throughput
F. path

Answer: A B C

Explanation

When enabled, the IP SLAs Responder allows the target device to take two time stamps both when the packet arrives on the interface at interrupt level and again just as it is leaving, eliminating the processing time. At times of high network activity, an ICMP ping test often shows a long and inaccurate response time, while an IP SLAs test shows an accurate response time due to the time stamping on the responder.

An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics. However, to capture one-way delay measurements the configuration of both the source device and target device with Network Time Protocol (NTP) is required. Both the source and target need to be synchronized to the same clock source. One-way jitter measurements do not require clock synchronization.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_overview.html

Question 97

Which feature can be used to reduce the number of ICMP unreachable messages egressing a router?

A. uRPF
B. ICMP rate-limiting
C. ip unreachables command
D. Asymmetric routing

Answer: B

Question 145

Which LAN feature enables a default gateway to inform its end device?

A. HSRP
B. proxy ARP
C. ICMP redirects
D. ICMP unreachable messages

Answer: C

Explanation

An ICMP redirect is an error message sent by a router to the sender of an IP packet. Redirects are used when a router believes a packet is being routed suboptimally and it would like to inform the sending host that it should forward subsequent packets to that same destination through a different gateway. In theory a host with multiple gateways could have one default route and learn more optimal specific routes over time by way of ICMP redirects.

Question 152

Which IP SLA operation can be used to simulate voice traffic on a network?

A. TCP connect
B. UDP-jitter
C. ICMP-echo
D. ICMP-jitter

Answer: B

Explanation

The IP SLAs VoIP UDP jitter operation accurately simulates VoIP traffic using common codecs and calculates consistent voice quality scores (MOS and ICPIF) between Cisco devices in the network.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-s/sla-15-s-book/sla_udp_jitter_voip.pdf

Question 162

Which location within the network is preferred when using a dedicated router for Cisco IP SLA operations?

A. user edge
B. provider edge
C. access edge
D. distribution edge

Answer: B

Explanation

If there are thousands of test destinations being sourced from the router, then a “dedicated router” or “shadow router” may be the best choice for deployment. A dedicated router is simply a low-end router dedicated to sourcing Cisco IOS IP SLAs operations.

Dedicated routers are most appropriate when the deployment plan calls for the operations to be sourced from the edge of the core network (i.e. the Provider Edge [PE]) location in a Service Provider network. The Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800 and 7200 Series Routers are frequently used as dedicated routers.

Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017f8c9.html

Question 180

Which two statements about ICMP unreachable messages are true? (Choose two)

A. They are sent when a route to the destination is missing from the routing table
B. They can be enabled and disabled on a device only on a global level
C. They are sent when a destination address responds to an ARP request
D. They include the entire packet so that the source can identify the process that generated the message
E. They include a portion of the original data so that the source can identify the process that generated the message

Answer: A E

Explanation

ICMP unreachables are responses sent by a router, host or switch whenever the destination host address, protocol or destination network is not present in the forwarding table (FIB) or is not served by the device.

Answer C is not correct as the ICMP unreachable messages are only generated when the destination address/service is missing.

The IP header plus the first 8 bytes of the original datagram’s data is returned to the sender. This data is used by the host to match the message to the appropriate process. If a higher level protocol uses port numbers, they are assumed to be in the first 64 data bits of the original datagram’s data -> Answer E is correct.

Reference: Cisco ISP Essentials Book, page 160
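The "IP header plus first 8 bytes" rule is easiest to appreciate by building and decoding such a message. The following is an added example, not code from the page or from the referenced book: it constructs a UDP datagram, wraps its header and first 8 data bytes in a type 3 (Destination Unreachable) message the way a replying host would, and then parses the message back to recover the original source, destination and, because the first 8 bytes of a UDP or TCP segment hold the ports, the port pair that identifies the sending process. All addresses, ports and payload bytes are constructed sample data.

```python
import struct
from ipaddress import IPv4Address


def inet_checksum(data):
    """RFC 1071 one's-complement checksum shared by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4_datagram(src, dst, proto, payload, ttl=64):
    """Constructed IPv4 datagram (helper for the sample data below)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_unreachable(code, original):
    """Type 3 message quoting the original IP header plus its first 8 data bytes."""
    ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHI", 3, code, 0, 0) + original[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_unreachable(msg):
    """Recover whom the unreachable message is about: original src/dst and,
    for TCP or UDP, the ports carried in the first 8 quoted data bytes."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("message too short to carry IP header + 8 bytes")
    if inet_checksum(msg) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    quoted = msg[8:]
    vihl, _tos, _tl, _id, _frag, _ttl, proto, _hc, src, dst = struct.unpack(IPV4_FMT, quoted[:20])
    ihl = (vihl & 0x0F) * 4
    first8 = quoted[ihl:ihl + 8]
    if len(first8) < 8:
        raise ValueError("fewer than 8 bytes of original data quoted")
    info = {"code": code, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "protocol": proto}
    if proto in (6, 17):                 # TCP or UDP: source and destination port come first
        info["src_port"], info["dst_port"] = struct.unpack("!HH", first8[:4])
    return info


def is_valid_unreachable(msg):
    """True if the message parses; False for truncated or corrupted input."""
    try:
        parse_icmp_unreachable(msg)
        return True
    except ValueError:
        return False


# Constructed sample: a UDP datagram 10.0.0.5:40000 -> 198.51.100.7:53 and the
# port-unreachable (type 3, code 3) reply a host would return for it.
UDP_PAYLOAD = b"\xab\xcd\x01\x00"                      # arbitrary 4 bytes of data
UDP_HEADER = struct.pack("!HHHH", 40000, 53, 8 + len(UDP_PAYLOAD), 0)
ORIGINAL = build_ipv4_datagram("10.0.0.5", "198.51.100.7", 17, UDP_HEADER + UDP_PAYLOAD)
UNREACHABLE = build_icmp_unreachable(3, ORIGINAL)

if __name__ == "__main__":
    print(parse_icmp_unreachable(UNREACHABLE))
```

The parser deliberately refuses a message that quotes fewer than 8 bytes of original data, since without them the ports (and therefore the originating process) cannot be identified, which is the point of answer E.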

Question 193

When does a Cisco router send an ICMP redirect?

A. when the packet’s source and destination VRFs are different
B. when the packet is source-routed
C. when the packet’s destination has load-balanced entries in the route table
D. when the packet’s ingress and egress interface are the same

Answer: D

Explanation

ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination.

Cisco routers send ICMP redirects when all of these conditions are met:
+ The interface on which the packet comes into the router is the same interface on which the packet gets routed out -> Answer D is correct.
+ The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.
+ The datagram is not source-routed.
+ The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html

Question 193b

When does a Cisco router send an ICMP redirect?

A. when the source and destination in the same subnet
B. when the packet is source-routed
C. when the packet’s destination has load-balanced entries in the route table
D. when the packet’s ingress and egress interface are different

Answer: A

Explanation (same as above Explanation)

ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination.

Cisco routers send ICMP redirects when all of these conditions are met:
+ The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
+ The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet (-> Answer A is correct)
+ The datagram is not source-routed.
+ The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html

Question 238 (posted at Q.5 of http://www.digitaltut.com/ip-sla-questions-2)

Which two types of threshold can you configure for tracking objects? (Choose two)

A. percentage
B. MTU
C. bandwidth
D. weight
E. delay
F. administrative distance

Answer: A D

Explanation

You can configure a tracked list of objects with a Boolean expression, a weight threshold, or a percentage threshold.

The example configures track list 1 to track by weight threshold.

Switch(config)# track 1 list threshold weight
Switch(config-track)# object 1 weight 15
Switch(config-track)# object 2 weight 20
Switch(config-track)# object 3 weight 30
Switch(config-track)# threshold weight up 30 down 10

If object 1, and object 2 are down, then track list 1 is up, because object 3 satisfies the up threshold value of up 30. But, if object 3 is down, both objects 1 and 2 must be up in order to satisfy the threshold weight.

This configuration can be useful if object 1 and object 2 represent two small bandwidth connections and object 3 represents one large bandwidth connection. The configured down 10 value means that once the tracked object is up, it will not go down until the threshold value is equal to or lower than 10, which in this example means that all connections are down.

The example below configures tracked list 2 with three objects and specified percentages to measure the state of the list with an up threshold of 70 percent and a down threshold of 30 percent:

Switch(config)# track 2 list threshold percentage
Switch(config-track)# object 1
Switch(config-track)# object 2
Switch(config-track)# object 3
Switch(config-track)# threshold percentage up 51 down 10

This means as long as 51% or more of the objects are up, the list will be considered “up”. So in this case if two objects are up, track 2 is considered “up”.
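The up/down pairs in both commands define a hysteresis band, which the prose above walks through by hand. The following is an added example (not code from the page or from Cisco) that models both the weight and the percentage list evaluation and replays the page's own scenarios against track list 1 (weights 15, 20, 30; up 30 down 10) and track list 2 (three objects; up 51 down 10). The rule that a list comes up at "sum >= up" and goes down at "sum <= down" is taken from the explanation above.

```python
def weight_list_state(up_objects, weights, up_threshold, down_threshold, currently_up):
    """One evaluation of 'track N list threshold weight'.
    up_objects: one boolean per object; weights: the configured object weights.
    A list that is down comes up when the summed weight of the up objects reaches
    up_threshold; a list that is up stays up until the sum falls to down_threshold
    or below. Returns the new list state."""
    total = sum(w for is_up, w in zip(up_objects, weights) if is_up)
    if currently_up:
        return total > down_threshold
    return total >= up_threshold


def percentage_list_state(up_objects, up_threshold, down_threshold, currently_up):
    """Same rule for 'track N list threshold percentage'; every object counts equally."""
    pct = 100.0 * sum(1 for is_up in up_objects if is_up) / len(up_objects)
    if currently_up:
        return pct > down_threshold
    return pct >= up_threshold


def replay(evaluator, snapshots):
    """Feed successive object-state snapshots to an evaluator, starting from
    'down', and return the list state after each snapshot."""
    state, history = False, []
    for snapshot in snapshots:
        state = evaluator(snapshot, state)
        history.append(state)
    return history


# Track list 1 from the page: object weights 15, 20, 30; threshold weight up 30 down 10.
def track1(snapshot, state):
    return weight_list_state(snapshot, [15, 20, 30], 30, 10, state)


# Track list 2 from the page: three equal objects; threshold percentage up 51 down 10.
def track2(snapshot, state):
    return percentage_list_state(snapshot, 51, 10, state)


if __name__ == "__main__":
    # Objects 1 and 2 down but 3 up -> list up; object 3 down but 1 and 2 up -> still up;
    # only object 1 up -> stays up (15 > 10); all down -> down; only object 1 up -> stays down.
    print(replay(track1, [[False, False, True], [True, True, False],
                          [True, False, False], [False, False, False], [True, False, False]]))
    print(replay(track2, [[True, True, False], [True, False, False],
                          [False, False, False], [True, False, False]]))
```

The last two snapshots of each replay show the hysteresis: the same input (only one object up) leaves the list up when it was already up and down when it was already down.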

Reference: http://www.cisco.com/c/en/us/td/docs/switches/blades/3020/software/release/12-2_58_se/configuration/guide/3020_scg/swhsrp.pdf

Question 239 (posted at Q.12 of http://www.digitaltut.com/ip-sla-questions)

Which type of information is displayed when a network engineer executes the show track 1 command on the router?

A. information about tracking list 1
B. time to next poll for track object 1
C. information about the IP route track table
D. tracking information statistics

Answer: A

Question 9 (posted at https://www.digitaltut.com/ip-sla-questions)

A network engineer wants to notify a manager in the event that the IP SLA connection loss threshold is reached. Which two features are needed to implement this functionality? (Choose two)

A. MOS
B. Threshold action
C. Cisco IOS EEM
D. SNMP traps
E. logging local

Answer: B D

Explanation

IP SLAs supports proactive threshold monitoring and notifications for performance parameters such as average jitter, unidirectional latency, bidirectional round-trip time (RTT), and connectivity for most IP SLAs operations. The proactive monitoring capability also provides options for configuring reaction thresholds for important VoIP related parameters including unidirectional jitter, unidirectional packet loss, and unidirectional VoIP voice quality scoring.

IP SLAs reactions are configured to trigger when a monitored value exceeds or falls below a specified level, or when a monitored event such as a timeout or connection loss occurs. If a measured value is too high or too low for any configured reaction, IP SLAs can generate a notification (in the form of an SNMP trap) to a network management application or trigger another IP SLA operation to gather more data.

Cisco IOS IP SLAs can send SNMP traps that are triggered by events such as the following:
+ Connection loss
+ Timeout
+ Round-trip time threshold
+ Average jitter threshold
+ One-way packet loss
+ One-way jitter
+ One-way mean opinion score (MOS)
+ One-way latency

============================= SNMP Questions =============================

Question 6

A network engineer is asked to create an SNMP-enabled proactive monitoring solution to ensure that jitter levels remain between particular boundaries. Which IP SLA option should the engineer use?

A. threshold
B. frequency
C. verify-data
D. timeout

Answer: A

Question 15

Which three statements about SNMP are true? (Choose three)

A. The manager configures and sends traps to the agent.
B. The manager sends GET and SET messages.
C. SNMPv3 supports authentication and encryption.
D. The manager polls the agent using UDP port 161
E. The MIB database can be altered only by the SNMP agent.
F. The agent is the monitoring device.

Answer: B C D

Explanation

The SNMP Manager can send GET, GET-NEXT and SET messages to SNMP Agents. The Agents are the monitored devices while the Manager is the monitoring device. In the picture below, the Router, Server and Multilayer Switch are monitored devices.

SNMP_Messages_Flow.jpg

Question 19

In SNMPv3, which security level provides encryption of the data?

A. authMember
B. noAuthNoPriv
C. authNoPriv
D. authPriv

Answer: D

Explanation

+ noAuthNoPriv – Security level that does not provide authentication or encryption.
+ authNoPriv – Security level that provides authentication but does not provide encryption.
+ authPriv – Security level that provides both authentication and encryption.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html

Question 20

What does the number 16 in the following command represent?

Router(config)#snmp-server user abcd public v2c access 16

A. the mask of the files that are allowed to use community string public
B. the standard named access list 16, which contains the access rules that apply to user abcd
C. the number of concurrent users who are allowed to query the SNMP community
D. the user ID that is allowed to use the community string public

Answer: B

Question 50

In SNMPv3, which security level provides encryption of the data?

A. authMember
B. noAuthNoPriv
C. authNoPriv
D. authPriv

Answer: D

Explanation

+ noAuthNoPriv – Security level that does not provide authentication or encryption.
+ authNoPriv – Security level that provides authentication but does not provide encryption.
+ authPriv – Security level that provides both authentication and encryption.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html

Question 157

Which SNMP model and level can provide DES encryption?

A. SNMPV2 noAuthNoPriv
B. SNMPv3 authNoPriv
C. SNMPv3 authPriv
D. SNMPv3 noAuthNoPriv

Answer: C

Explanation

The authentication (auth) and privacy (priv) options are grouped into security models.

NoAuthNoPriv – no authentication and no privacy
AuthNoPriv – authentication and no privacy
AuthPriv – authentication and privacy

Question 169

Refer to the exhibit.

snmp-server community ciscotest
snmp-server host 192.168.1.128 ciscotest
snmp-server enable traps bgp

Which effect of this configuration is true?

A. The device sends SNMP traps related to BGP operations to host 192.168.1.128
B. It configures an ACL to protect SNMP managers from receiving BGP traps
C. It configures the device to use string ciscotest for read and write access to any SNMP manager on the network
D. It configures the device to communicate with other devices in the ciscotest community using SNMPv3

Answer: A

Question 215 (posted at Q.8 of http://www.digitaltut.com/snmp-questions)

Which SNMP verification command shows the encryption and authentication protocols that are used in SNMPv3?

A. show snmp group
B. show snmp user
C. show snmp
D. show snmp view

Answer: B

Explanation

The command “show snmp user” displays information about the configured characteristics of SNMP users. The following example specifies the username as abcd with authentication method of MD5 and encryption method of 3DES.

Router#show snmp user abcd
User name: abcd
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: 10
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: 3DES
Group name: VacmGroupName
Group name: VacmGroupName

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t2/snmpv3ae.html

============================= Syslog Questions =============================

Question 40

Refer to the following command.

Logging Console 7

Which option is one of the effects of entering this command on a Cisco IOS router, with no additional logging configuration?

A. Debug messages can be seen on the console by enabling “terminal monitor”
B. Debug messages are logged only on active console connections.
C. A user that is connected via SSH sees level 7 messages
D. The router can experience high CPU utilization

Answer: D

Question 89

A router is connected to a Windows Syslog server which does not function. What is the reason?

A. Firewall is blocking UDP port 514
B. Firewall is blocking IP port 514
C. Firewall is blocking TCP port 514
D. Firewall is blocking UDP port 512

Answer: A

Explanation

A syslog server opens port 514 and listens for incoming syslog event notifications (carried in UDP packets) generated by remote syslog clients. Therefore, if a firewall blocks this port, the syslog server cannot operate correctly.

Question 228 (posted at Q.7 of http://www.digitaltut.com/syslog-questions)

A network engineer executes the commands “logging host 172.16.200.225” and “logging trap 5”. Which action results when these two commands are executed together?

A. Logging messages that have a debugging severity level are sent to the remote server 172.16.200.225.
B. Logged information is stored locally, showing the sources as 172.16.200.225
C. Logging messages that have any severity level are sent to the remote server 172.16.200.225
D. Logging messages that have a severity level of “notifications” and above (numerically lower) are sent to the remote server 172.16.200.225

Answer: D

============================= NTP Questions =============================

Question 27

Refer to the exhibit.

show_ntp_associations.jpg

A network engineer has configured NTP on a Cisco router, but the time on the router is still incorrect. What is the reason for this problem?

A. The router is not syncing with the peer, even though the NTP request and response packets are being exchanged.
B. The router is not syncing with peer, and the NTP request and response packets are not being exchanged.
C. The router is syncing with the peer, and the NTP request and response packets are being exchanged.
D. The router is dropping all NTP packets.

Answer: A

Explanation

The “reach” term is defined as follows:

Peer reachability is a bit string reported as an octal value. This field shows whether the last eight packets were received by the NTP process on the Cisco IOS software. The packets must be received, processed, and accepted as valid by the NTP process and not just by the router or switch that receives the NTP IP packets.

Reach uses the poll interval as a timeout in order to decide whether a packet was received or not. The poll interval is the time that NTP waits before it concludes that a packet was lost. The poll time can be different for different peers, so the time before reach decides that a packet was lost can also be different for different peers.

There are four different reach values:
+ 377 octal = 11111111 binary, which indicates the NTP process received the last eight packets.
+ 0 octal = 00000000, which indicates the NTP process did not receive any packet.
+ 1 octal = 00000001, which indicates the NTP process received only the latest packet.
+ 357 octal = 11101111, which indicates the packet before the latest four packets was lost.

Reach is a good indicator of whether NTP packets are being dropped because of a poor link, CPU issues and other intermittent problems.

In our question the “reach” values all are “377”, which indicates the NTP process received the last eight packets -> Answer A is correct.
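Decoding the reach value is a small bit of arithmetic that is easy to get backwards, so here is an added example (not code from the page or from Cisco) that turns the octal string from show ntp associations into the eight-poll history. The convention that the least significant bit is the most recent poll is taken from the four reach values listed above (1 octal = only the latest packet received; 357 octal = the packet before the latest four was lost).

```python
def decode_reach(reach_octal):
    """Turn the octal reach field (e.g. 377, '357') into eight booleans,
    oldest poll first, newest poll last. True = packet received and accepted."""
    value = int(str(reach_octal), 8)
    if not 0 <= value <= 0o377:
        raise ValueError("reach is an 8-bit value, 0..377 octal")
    return [bool((value >> bit) & 1) for bit in range(7, -1, -1)]


def reach_summary(reach_octal):
    """Summarise the history: how many of the last eight polls succeeded, whether
    the latest one did, and the ages of the lost polls (0 = most recent poll)."""
    history = decode_reach(reach_octal)
    received = sum(history)
    lost_ages = [age for age, ok in enumerate(reversed(history)) if not ok]
    if received == 8:
        verdict = "all eight packets received"
    elif received == 0:
        verdict = "no packets received"
    else:
        verdict = "intermittent loss"
    return {
        "bits": "".join("1" if ok else "0" for ok in history),
        "received": received,
        "latest_ok": history[-1],
        "lost_ages": lost_ages,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for reach in (377, 0, 1, 357):
        print(reach, reach_summary(reach))
```

A reach of 377 with the clock still wrong, as in the question, rules out packet loss: the last eight replies were accepted by the NTP process, so the problem lies in synchronisation rather than in the exchange of packets.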

Reference: https://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html

Question 37

Which two statements about NTP stratum are true? (Choose two)

A. Stratum 15 indicates a device that is not synchronized
B. Stratum 1 devices receive their time from a peer that is connected directly to an authoritative time source.
C. The highest stratum level a synchronized device can have is 16.
D. Stratum 2 devices receive their time from a peer that is connected directly to an authoritative time source
E. Stratum 0 devices are connected directly to an authoritative time source
F. Stratum 1 devices are connected directly to an authoritative time source

Answer: D F

Explanation

Stratum 0 – highest, GPS clock (usually called the authoritative time source)
Stratum 1 – primary time servers, connected to stratum 0
The upper limit for stratum is 15.
Stratum 16 is used to indicate that a device is unsynchronized.

Question 58

Refer to the exhibit. Which effect of this configuration is true?

R1# show run | include ntp
ntp master 5
ntp authenticate
ntp authentication-key 1 md4 123Cisco
ntp authentication-key 5 md4 Cisco123
ntp trusted-key 1

A. R1 synchronizes with systems that include authentication key 5 in their packets
B. R1 acts as an authoritative clock with a priority ID of 1
C. R1 acts as an authoritative clock at stratum 5
D. R1 is the NTP client for a stratum 1 server

Answer: C

Explanation

The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

ntp-stratum.jpg

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).

Question 82

Refer to the following configuration command.

router (config-line)# ntp master 10

Which statement about this command is true?

A. The router acts as an authoritative NTP clock and allows only 10 NTP client connections.
B. The router acts as an authoritative NTP clock at stratum 10.
C. The router acts as an authoritative NTP clock with a priority number of 10.
D. The router acts as an authoritative NTP clock for 10 minutes only.

Answer: B

Explanation

The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

ntp-stratum.jpg

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).

Question 176 (same as Q.5 at http://www.digitaltut.com/ntp-questions)

Refer to exhibit:

access-list 1 permit 192.168.1.1
access-list 1 deny any
access-list 2 permit 192.168.1.4
access-list 2 deny any
!
ntp access-group peer 2
ntp access-group serve 1
ntp master 4
!

Which three NTP features can be deduced on the router? (Choose three)

A. Only accepts time requests from 192.168.1.1
B. Only handle four requests at a time
C. Only is in stratum 4
D. Only updates its time from 192.168.1.1
E. Only accepts time requests from 192.168.1.4
F. Only updates its time from 192.168.1.4

Answer: A C F

Explanation

First we need to understand some basic knowledge about NTP. There are two types of NTP messages:
+ Control messages: for reading and writing internal NTP variables and obtaining NTP status information. They are not used for time synchronization, so we will not care about them in this question.
+ Request/Update messages: for time synchronization. Request messages ask for synchronization information, while Update messages contain synchronization information and may change the local clock.

There are four types of NTP access-group to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize with. In other words, it permits the local router to respond to NTP requests and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other words, it permits the local router to reply to NTP requests, but drops NTP updates. This access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other words, it permits the local router to respond to NTP requests only. This access-group denies control messages.
+ Query-only: only accepts control messages. No response to NTP requests is sent, and no local system time synchronization with a remote system is permitted.

From my experience, you just need to remember:
+ Peer: serve and to be served
+ Serve: serve but not to be served

Therefore in this question:
+ The “ntp access-group peer 2” command says “I can only accept NTP updates and respond to NTP (time) requests from 192.168.1.4”. -> Answer F is correct while answer D is not correct.
+ The “ntp access-group serve 1” command says “I can only reply to time requests (but cannot accept time updates) from 192.168.1.1” -> Answer A is correct*

The “ntp master 4” indicates it is running as a time source with stratum level of 4 -> Answer B is not correct while answer C is correct.

Answer E is not correct because it can accept time requests from both 192.168.1.1 and 192.168.1.4.

*Note: In fact answer A is incorrect too, because the local router can accept time requests from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is a mistake in the question.
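As an added example (not part of the original question or its explanation), the following Python models the exhibit's access-lists and access-groups and derives which hosts may send time requests and which may send updates. The message kinds and what each group type admits follow the explanation above; the scan order peer, serve, serve-only, query-only with the first matching group winning is the order the Cisco IOS documentation describes.

```python
"""Model of Cisco 'ntp access-group' filtering for the NTP exhibit above.

Added example, not code from the original page. The EXHIBIT text is the
configuration shown in the question; everything else is constructed.
"""
import ipaddress

# Which NTP message kinds each access-group type admits (per the explanation).
ALLOWED = {
    "peer": {"request", "update", "control"},   # serve and be served
    "serve": {"request", "control"},            # serve, but drop updates
    "serve-only": {"request"},                  # time requests only
    "query-only": {"control"},                  # control messages only
}
# IOS scans the groups from least to most restrictive; first match wins.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")


class StandardAcl:
    """A numbered standard ACL: ordered permit/deny entries, implicit deny."""

    def __init__(self):
        self.entries = []

    def add(self, line):
        # e.g. "access-list 1 permit 192.168.1.1" or "access-list 1 deny any"
        _, _, action, target = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if target == "any" else f"{target}/32")
        self.entries.append((action, net))

    def permits(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for action, net in self.entries:
            if addr in net:
                return action == "permit"
        return False  # implicit deny at the end of every ACL


class NtpRouter:
    def __init__(self):
        self.acls = {}      # ACL number -> StandardAcl
        self.groups = {}    # access-group type -> ACL number
        self.stratum = None

    def configure(self, config):
        for line in config.strip().splitlines():
            tok = line.split()
            if not tok or tok[0] == "!":
                continue  # separator lines
            if tok[0] == "access-list":
                self.acls.setdefault(tok[1], StandardAcl()).add(line)
            elif tok[:2] == ["ntp", "access-group"]:
                self.groups[tok[2]] = tok[3]
            elif tok[:2] == ["ntp", "master"]:
                self.stratum = int(tok[2])

    def matching_group(self, src_ip):
        """First access-group (least restrictive first) whose ACL permits src_ip."""
        for kind in SCAN_ORDER:
            acl = self.groups.get(kind)
            if acl is not None and self.acls[acl].permits(src_ip):
                return kind
        return None

    def accepts(self, src_ip, msg):
        """Would the router act on an NTP message of kind `msg` from src_ip?"""
        if not self.groups:
            return True  # no access-groups configured: all NTP access permitted
        kind = self.matching_group(src_ip)
        return kind is not None and msg in ALLOWED[kind]


EXHIBIT = """
access-list 1 permit 192.168.1.1
access-list 1 deny any
access-list 2 permit 192.168.1.4
access-list 2 deny any
!
ntp access-group peer 2
ntp access-group serve 1
ntp master 4
!
"""


def build_exhibit_router():
    router = NtpRouter()
    router.configure(EXHIBIT)
    return router


def summarize(router, hosts):
    """Which of `hosts` may send time requests / time updates, plus the stratum."""
    return {
        "requests_from": [h for h in hosts if router.accepts(h, "request")],
        "updates_from": [h for h in hosts if router.accepts(h, "update")],
        "stratum": router.stratum,
    }


if __name__ == "__main__":
    # 192.168.1.9 is a constructed third host that neither ACL permits.
    print(summarize(build_exhibit_router(), ["192.168.1.1", "192.168.1.4", "192.168.1.9"]))
```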

Question 200 (same as Q.9 at http://www.digitaltut.com/ntp-questions)

Which three NTP operating modes must the trusted-key command be configured on for authentication to operate properly? (Choose three)

A. interface
B. client
C. peer
D. server
E. broadcast

Answer: B D E

Explanation

NTP operates in four different modes.
+ Server Mode is configured so that a device synchronizes NTP clients. Servers can be configured to synchronize all clients or only a specific group of clients. NTP servers, however, will not accept synchronization information from their clients. This restriction prevents clients from updating or manipulating a server’s time settings.
+ Client Mode is configured to allow a device to set its clock from, and be synchronized by, an external time server. NTP clients can be configured to use multiple servers to set their local time and can be configured to give preference to the most accurate time sources available to them. They will not, however, provide synchronization services to any other devices.
+ Peer Mode is when one NTP-enabled device does not have any authority over another. With the peering model, each device shares its time information with its peer. Additionally, each device can also provide time synchronization to the other.
+ Broadcast/Multicast Mode is a special server mode where the NTP server broadcasts its synchronization information to all clients. Broadcast mode requires that clients be on the same subnet as the server, and multicast mode requires that clients and servers have multicast capabilities configured.

Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1851440

“Interface” is not a NTP mode so answer A is not correct.

It is certain that in “peer” mode we do not need to use the “trusted-key” command for authentication, so answer C is not correct.

Question 211 (same as Q.4 of http://www.digitaltut.com/ntp-questions)

Which two statements about NTP operation are true? (Choose two)

A. If multiple NTP servers are configured, the one with the lowest stratum is preferred.
B. By default, NTP communications use UDP port 123.
C. If multiple NTP servers are configured, the one with the highest stratum is preferred.
D. Locally configured time overrides time received from an NTP server.
E. “Stratum” refers to the number of hops between the NTP client and the NTP server.

Answer: A B

Explanation

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server is. When multiple NTP servers are configured, the client will prefer the NTP server with the lowest stratum level.

NTP uses User Datagram Protocol (UDP) port 123.

============================= NAT Questions =============================

Question 2

Which statement describes what this command accomplishes when inside and outside interfaces are correctly identified for NAT?

ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080 extendable

A. It allows host 192.168.1.50 to access external websites using TCP port 8080.
B. It allows external clients coming from public IP 209.165.201.1 to connect to a web server at 192.168.1.50.
C. It allows external clients to connect to a web server hosted on 192.168.1.50.
D. It represents an incorrect NAT configuration because it uses standard TCP ports.

Answer: C

Explanation

First we will set aside the effect of the “extendable” keyword. The purpose of the command “ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080” is to translate packets on the inside interface with a source IP address of 192.168.1.50 and port 80 to the IP address 209.165.201.1 with port 8080. This also implies that any packet received on the outside interface with a destination address of 209.165.201.1:8080 has its destination translated to 192.168.1.50:80. Therefore answer C is correct.

Answer A is not correct because this command “allows host 192.168.1.50 to access external websites using TCP port 80”, not port 8080.

Answer B is not correct because it allows external clients to connect to a web server at 209.165.201.1. The IP addresses of clients should not be 209.165.201.1.

Answer D is not correct because the configuration is correct.

Now we will talk about the keyword “extendable”.

Usually, the “extendable” keyword should be added if the same Inside Local is mapped to different Inside Global Addresses (the IP address of an inside host as it appears to the outside network). An example of this case is when you have two connections to the Internet on two ISPs for redundancy. So you will need to map two Inside Global IP addresses into one inside local IP address. For example:

nat_extendable.jpg
NAT router:
ip nat inside source static 192.168.1.1 200.1.1.1 extendable
ip nat inside source static 192.168.1.1 200.2.2.2 extendable
//Inside Local: 192.168.1.1 ; Inside Global: 200.1.1.1 & 200.2.2.2

In this case, the traffic from ISP1 and ISP2 to the Server is straightforward, as ISP1 will use 200.1.1.1 and ISP2 will use 200.2.2.2 to reach the Server. But what about the traffic from the Server to the ISPs? In other words, how does the NAT router know which IP (200.1.1.1 or 200.2.2.2) it should use to send traffic to ISP1 and ISP2 (this is called “ambiguous from the inside”)? We tested in GNS3 and it worked correctly! So we guess the NAT router compares the Inside Global addresses with the IP addresses of all “ip nat outside” interfaces and chooses the most suitable one to forward traffic.

This is what Cisco explained about “extendable” keyword:

“They might also want to define static mappings for a particular host using each provider’s address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as “extendable”. For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation”.

(Reference: http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html)

But it is unclear what will happen if we do not use a route-map.

Question 14

Which option is a prerequisite for stateful NAT64?

A. IPsec for IPv6
B. DNS64
C. Application Level Gateway
D. ICMP64

Answer: B

Question 44

Which technology uses the many-to-one method of mapping IP addresses?

A. static NAT
B. dynamic NAT
C. NAT-PT
D. PAT

Answer: D

Question 49

Which three functionalities are specific to stateful NAT64? (Choose three)

A. It conserves IPv4 addresses
B. It requires either manual or DHCPv6-based address assignment for IPv6 hosts
C. A state or bindings are created on every unique translation.
D. It requires IPv4-translatable IPv6 addresses
E. No constraint is put on the number of endpoints due to 1:N translation.
F. It helps ensure end-to-end address transparency and scalability

Answer: A C E

Question 59

Which command enables NAT-PT on an IPv6 interface?

A. ipv6 nat
B. ipv6 nat enable
C. ipv6 nat-pt
D. ipv6 nat-pt enable

Answer: A

Explanation

The syntax should be: ipv6 nat prefix ipv6-prefix/prefix-length (for example: Router# ipv6 nat prefix 2001:DB8::/96)

Question 64

Which functionality is required within an IP router that is situated at the boundary of an IPv4 network and an IPv6 network to allow communication between IPv6-only and IPv4-only nodes?

A. Autoconfiguration
B. Automatic 6to4 Tunnel
C. Automatic 6to4 Relay
D. Network Address Translator-Protocol Translator (NAT-PT)
E. Intrasite Automatic Tunnel Address Protocol (ISATAP)

Answer: D

Explanation

The Network Address Translator – Protocol Translator (NAT-PT) defines a set of network-layer translation mechanisms designed to allow nodes that only support IPv4 to communicate with nodes that only support IPv6, during the transition to the use of IPv6 in the Internet.

NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4 and IPv6 network, all IPv4 users are given access to the IPv6 network without modification of the local IPv4 hosts (and vice versa). Equally, all hosts on the IPv6 network are given access to the IPv4 hosts without modification of the local IPv6 hosts. This is accomplished with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4-IPv6 boundaries.

(Reference: http://www.ietf.org/rfc/rfc4966.txt and http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_white_paper09186a008011ff51_ps6640_Products_White_Paper.html)

Question 110 (posted at http://www.digitaltut.com/nat-questions)

Which NAT command disables dynamic ARP learning on an interface?

A. R(config-if)# ip nat enable
B. R(config-if)# ip nat inside
C. R(config-if)# ip nat outside
D. R(config)# ip nat service
E. R(config)# ip nat allow-static-host

Answer: E

Explanation

The “ip nat allow-static-host” command enables static IP address support. Dynamic Address Resolution Protocol (ARP) learning will be disabled on this interface, and NAT will control the creation and deletion of ARP entries for the static IP host.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4/nat-12-4-book/iadnat-addr-consv.html

Question 136

Which feature or technology is supported with stateful NAT64?

A. FTP and ICMP on an application layer gateway
B. VFR
C. IP multicast
D. NAT44 and NAT64 on the same interface

Answer: B

Explanation

When Stateful NAT64 is configured on an interface, Virtual Fragmentation Reassembly (VFR) is configured automatically. Virtual fragmentation reassembly (VFR) enables the Cisco IOS Firewall to create the appropriate dynamic ACLs, thereby protecting the network from various fragmentation attacks.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf

Question 137

What does stateful NAT64 do that stateless NAT64 does not do?

A. Stateful NAT64 maintains bindings of IPv4 to IPv6 link-local addresses
B. Stateful NAT64 translates IPv4 to IPv6
C. Stateful NAT64 translates IPv6 to IPv4
D. Stateful NAT64 maintains bindings or session state while performing translation

Answer: D

Explanation

Address Family Translation (AFT) using NAT64 technology can be achieved by either stateless or stateful means:
+ Stateless NAT64 is a translation mechanism for algorithmically mapping IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it does not maintain any bindings or session state while performing translation, and it supports both IPv6-initiated and IPv4-initiated communications.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation. It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html

Question 5 (https://www.digitaltut.com/nat-questions)

Refer to the following configuration command.

router(config)# ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80

Which statement about the command is true?

A. Any packet that is received in the inside interface with a source IP port address of 172.16.10.8:80 is translated to 172.16.10.8:8080.
B. Any packet that is received in the inside interface with a source IP port address of 172.16.10.8:8080 is translated to 172.16.10.8:80.
C. The router accepts only a TCP connection from port 8080 and port 80 on IP address 172.16.10.8.
D. Any packet that is received in the inside interface with a source IP address of 172.16.10.8 is redirected to port 8080 or port 80.

Answer: B

Explanation

This is a static NAT command which translates all packets received on the inside interface with a source IP address and port of 172.16.10.8:8080 to 172.16.10.8:80. The purpose of this NAT statement is to redirect TCP traffic to another TCP port.
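An added example (not from the original page or from Cisco) that models the static NAT commands in Question 2 and Question 5 above: it parses the command, rejects a second mapping of the same inside local address unless both are “extendable” (the rule in the Cisco white paper quoted under Question 2), and translates packets in both directions. The Packet class, the StaticNat class and the client addresses are constructed.

```python
"""Model of 'ip nat inside source static ...' for the NAT questions above.

Added example, not the page's or Cisco's code. Commands are the ones
shown in the questions; packets and client addresses are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticEntry:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None        # None: plain "static IL IG" (all ports)
    local_port: Optional[int] = None
    global_port: Optional[int] = None
    extendable: bool = False


class StaticNat:
    def __init__(self):
        self.entries = []

    def add(self, command):
        """Parse 'ip nat inside source static [tcp|udp IL ILport IG IGport | IL IG] [extendable]'."""
        tok = command.split()
        if tok[:5] != ["ip", "nat", "inside", "source", "static"]:
            raise ValueError("not a static inside source NAT command")
        ext = tok[-1] == "extendable"
        args = tok[5:-1] if ext else tok[5:]
        if args[0] in ("tcp", "udp"):
            entry = StaticEntry(args[1], args[3], args[0], int(args[2]), int(args[4]), ext)
        else:
            entry = StaticEntry(args[0], args[1], extendable=ext)
        # Mapping the same inside local address twice is "ambiguous from the
        # inside" and is refused unless both mappings are marked extendable.
        for old in self.entries:
            same_local = (old.inside_local, old.proto, old.local_port) == \
                         (entry.inside_local, entry.proto, entry.local_port)
            if same_local and not (old.extendable and entry.extendable):
                raise ValueError(f"{entry.inside_local} already mapped; use 'extendable'")
        self.entries.append(entry)

    @staticmethod
    def _matches_inside(e, pkt):
        if pkt.src != e.inside_local:
            return False
        return e.proto is None or (pkt.proto == e.proto and pkt.sport == e.local_port)

    @staticmethod
    def _matches_outside(e, pkt):
        if pkt.dst != e.inside_global:
            return False
        return e.proto is None or (pkt.proto == e.proto and pkt.dport == e.global_port)

    def inside_to_outside(self, pkt):
        """Inside -> outside: rewrite source IL:ILport to IG:IGport (first match)."""
        for e in self.entries:
            if self._matches_inside(e, pkt):
                return replace(pkt, src=e.inside_global,
                               sport=e.global_port if e.proto else pkt.sport)
        return pkt  # no entry: forwarded without translation

    def outside_to_inside(self, pkt):
        """Outside -> inside: rewrite destination IG:IGport to IL:ILport."""
        for e in self.entries:
            if self._matches_outside(e, pkt):
                return replace(pkt, dst=e.inside_local,
                               dport=e.local_port if e.proto else pkt.dport)
        return pkt


if __name__ == "__main__":
    nat = StaticNat()
    nat.add("ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080 extendable")
    # Constructed external client 198.51.100.9 connecting to the published web server.
    print(nat.outside_to_inside(Packet("198.51.100.9", 51000, "209.165.201.1", 8080)))
    print(nat.inside_to_outside(Packet("192.168.1.50", 80, "198.51.100.9", 51000)))
```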

============================= AAA Questions =============================

Question 8

What are two options for authenticating a user who is attempting to access a network device? (Choose two)

A. CHAP
B. RADIUS
C. 802.1x
D. PAP
E. TACACS+

Answer: B E

Question 47

Which keyword of the AAA authentication PPP command supports PAP only?

A. line
B. krb5
C. local
D. local-case
E. enable

Answer: B

Explanation

Kerberos 5 (the krb5 keyword) is supported for PAP only.

Question 99

A network access server using TACACS+ for AAA operations receives an error message from the TACACS+ server. Which action does the network access server take next?

A. It attempts to authenticate the user against RADIUS
B. It restarts and attempts to reconnect to the TACACS+ server
C. It rejects the user access request
D. It checks the method list for an additional AAA option

Answer: D

Explanation

The network access server will eventually receive one of the following responses from the TACACS+ daemon:
a. ACCEPT—The user is authenticated and service may begin. If the network access server is configured to require authorization, authorization will begin at this time.
b. REJECT—The user has failed to authenticate. The user may be denied further access, or will be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR—An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the network access server. If an ERROR response is received, the network access server will typically try to use an alternative method for authenticating the user.
d. CONTINUE—The user is prompted for additional authentication information.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplus.pdf

Question 154

In which network environment is AAA with RADIUS most appropriate?

A. when Apple Talk Remote Access is in use
B. when NetBIOS Frame Control Protocol is in use
C. when users require access to only one device at a time
D. when you need to separate all AAA services

Answer: C

Explanation

RADIUS does not support the following protocols:
+ AppleTalk Remote Access (ARA)
+ NetBIOS Frame Control Protocol (NBFCP)
+ NetWare Asynchronous Services Interface (NASI)
+ X.25 PAD connections

Therefore both A and B are not correct.

TACACS+ (not RADIUS) strongly supports separate authentication, authorization and accounting as separate and independent functions. RADIUS does not separate authentication and authorization in its transaction -> D is not correct.

Therefore C is the best choice.

Question 165

A user is attempting to authenticate on a device connected to a TACACS+ server, but the server requires more information from the user to complete authentication. Which response does the TACACS+ daemon return?

A. ACCEPT
B. ERROR
C. REJECT
D. CONTINUE

Answer: D

Explanation

The network access server will eventually receive one of the following responses from the TACACS+ daemon:
a. ACCEPT—The user is authenticated and service may begin. If the network access server is configured to require authorization, authorization will begin at this time.
b. REJECT—The user has failed to authenticate. The user may be denied further access, or will be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR—An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the network access server. If an ERROR response is received, the network access server will typically try to use an alternative method for authenticating the user.
d. CONTINUE—The user is prompted for additional authentication information.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplus.pdf
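An added example (not from the original page) for Questions 99 and 165: a constructed TACACS+ daemon stub returns the four responses listed above, and a network access server walks its method list (as with “aaa authentication login default group tacacs+ local”), falling through to the next method only on ERROR, stopping on REJECT, and re-prompting on CONTINUE. TacacsDaemonStub, NetworkAccessServer and the user database are all constructed, not a real TACACS+ client.

```python
"""How a NAS reacts to ACCEPT / REJECT / ERROR / CONTINUE from a TACACS+ daemon.

Added example, not the page's code. The daemon is a scripted stub; the
method-list behaviour is the simplified IOS rule: an error moves on to the
next method, a failure (REJECT) ends the attempt.
"""
from enum import Enum


class Reply(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    ERROR = "ERROR"
    CONTINUE = "CONTINUE"


class TacacsDaemonStub:
    """Constructed daemon: fixed user database, optional extra prompt per user,
    and a 'reachable' flag to simulate a dead daemon or a broken network path."""

    def __init__(self, users, reachable=True, second_factor=None):
        self.users = users                          # user -> password
        self.reachable = reachable
        self.second_factor = second_factor or {}    # user -> expected extra answer

    def authenticate(self, user, password, extra=None):
        if not self.reachable:
            return Reply.ERROR                      # daemon or network failure
        if self.users.get(user) != password:
            return Reply.REJECT
        needed = self.second_factor.get(user)
        if needed is not None and extra != needed:
            return Reply.CONTINUE                   # daemon wants more information
        return Reply.ACCEPT


class NetworkAccessServer:
    MAX_PROMPTS = 3   # bound the CONTINUE exchange so a login cannot loop forever

    def __init__(self, method_list, tacacs=None, local_users=None):
        self.method_list = method_list              # e.g. ["group tacacs+", "local"]
        self.tacacs = tacacs
        self.local_users = local_users or {}
        self.trace = []                             # (method, Reply) per attempt

    def login(self, user, password, prompt=lambda question: None):
        """Return (authenticated, method that decided); ERROR falls through."""
        for method in self.method_list:
            reply = self._run(method, user, password, prompt)
            self.trace.append((method, reply))
            if reply is Reply.ACCEPT:
                return True, method
            if reply is Reply.REJECT:
                return False, method                # a failure is final: no fallback
            # Reply.ERROR: try the next method in the list
        return False, None                          # every method errored out

    def _run(self, method, user, password, prompt):
        if method == "group tacacs+":
            if self.tacacs is None:
                return Reply.ERROR
            extra = None
            for _ in range(self.MAX_PROMPTS):
                reply = self.tacacs.authenticate(user, password, extra)
                if reply is not Reply.CONTINUE:
                    return reply
                extra = prompt("additional authentication information")
            return Reply.REJECT                     # still CONTINUE after MAX_PROMPTS
        if method == "local":
            # Simplified local database: any mismatch is a failure.
            return Reply.ACCEPT if self.local_users.get(user) == password else Reply.REJECT
        return Reply.ERROR                          # unknown or unconfigured method


if __name__ == "__main__":
    daemon = TacacsDaemonStub({"alice": "pw1", "bob": "pw2"}, second_factor={"bob": "token42"})
    nas = NetworkAccessServer(["group tacacs+", "local"], daemon, {"admin": "localpw"})
    print(nas.login("bob", "pw2", prompt=lambda q: "token42"))   # CONTINUE, then ACCEPT
    print(nas.login("alice", "wrong"))                            # REJECT: no fallback to local
    down = NetworkAccessServer(["group tacacs+", "local"],
                               TacacsDaemonStub({}, reachable=False), {"admin": "localpw"})
    print(down.login("admin", "localpw"))                         # ERROR: falls through to local
    print(down.trace)
```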

Question 182

Which two statements about AAA with the local database are true? (Choose two)

A. The local database can serve only as a backup authentication method
B. It supports a limited number of usernames and passwords
C. Accounting is not supported locally
D. By default, it is queried before a TACACS+ or RADIUS server
E. Authorization is available only for one-time-use logins

Answer: B C

Explanation

While authentication can be done on the router for a limited number of user names, it might make more sense and be much more scalable to use an AAA Server -> B is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/10000/10008/configuration/guides/broadband/bba/load.pdf

You can use the local database for CLI access authentication, privileged mode authentication, command authorization, network access authentication, and VPN authentication and authorization. You cannot use the local database for network access authorization. The local database does not support accounting -> C is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_aaa.pdf

Question 247 (posted at Q.14 of http://www.digitaltut.com/new-route-questions)

Which two features does RADIUS combine? (Choose two)

A. telnet
B. SSH
C. Authentication
D. Authorization
E. Accounting

Answer: C D

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

============================= NetFlow Questions =============================

Question 68

A network engineer executes the “show ip cache flow” command. Which two types of information are displayed in the report that is generated? (Choose two)

A. top talkers
B. flow export statistics
C. flow sample for specific protocols
D. MLS flow traffic
E. IP packet distribution

Answer: C E

Explanation

Below is an example of the “show ip cache flow” output:

show_ip_cache_flow.jpg

Information provided includes packet size distribution (the answer says “IP packet distribution” but maybe it is “IP packet size distribution”); basic statistics about number of flows and export timer setting, a view of the protocol distribution statistics and the NetFlow cache.

Also we can see the flow samples for TCP and UDP protocols (including Total Flows, Flows/Sec, Packets/Flow…).

Question 112

Where is the best place to position a NetFlow server?

A. Core edge
B. Access edge
C. WAN edge
D. Distribution edge
E. User edge

Answer: C

Explanation

NetFlow (network flow) is an input side-measurement technology that allows for capturing the data required for network planning, monitoring, and accounting applications. NetFlow should be deployed on edge/aggregation router interfaces for service providers or WAN access router interfaces for Enterprise customers.

Reference: https://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-NMS-bestpractice.html

Question 172 (same as Question 15 at http://www.digitaltut.com/netflow-questions)

Which two statements about NetFlow templates are true? (Choose two)

A. Only NetFlow version 9 is template based
B. NetFlow Version 5 and version 9 are template based
C. Only NetFlow version 5 is template based
D. Templates can increase bandwidth usage
E. They can increase overall performance
F. They can reduce bandwidth usage

Answer: A D

Explanation

The distinguishing feature of the NetFlow Version 9 format is that it is template based -> Answer A is correct.

Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

Export bandwidth increases for version 9 (because of template flowsets) versus version 5 -> Answer D is correct.

Version 9 slightly decreases overall performance, because generating and maintaining valid template flowsets requires additional processing -> Answer E is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfexpfv9.html

Question 197 (same as Q.13 at http://www.digitaltut.com/netflow-questions)

Where can NetFlow export data for long term storage and analysis?

A. syslog
B. collector
C. another network device
D. flat file

Answer: B

Explanation

NetFlow_example.jpg

NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and storing the flows. Usually a collector is a separate piece of software running on a network server. NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).

Question 241 (posted at Q.16 of http://www.digitaltut.com/netflow-questions)

Which version or versions of NetFlow support MPLS?

A. all versions of NetFlow
B. NetFlow version 9
C. NetFlow version 8
D. NetFlow version 5
E. NetFlow version 8 and 9

Answer: B

Explanation

MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow exports up to three labels of interest from the incoming label stack, the IP address associated with the top label, as well as traditional NetFlow data.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf24.html

Question 242 (posted at Q.14 of http://www.digitaltut.com/netflow-questions)

Refer to the exhibit. How can you configure a second export destination for IP address 192.168.10.1?

configure terminal
ip flow-export destination 192.168.10.1 9991
ip flow-export version 9

A. Specify a different TCP port
B. Specify a different UDP port
C. Specify a VRF
D. Configure a version 5 flow-export to the same destination
E. Specify a different flow ID

Answer: B

Explanation

To configure multiple NetFlow export destinations to a router, use the following commands in global configuration mode:

Step 1: Router(config)# ip flow-export destination ip-address udp-port
Step 2: Router(config)# ip flow-export destination ip-address udp-port

The following example enables the exporting of information in NetFlow cache entries:

ip flow-export destination 10.42.42.1 9991
ip flow-export destination 10.0.101.254 1999

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html

============================= Troubleshooting Questions =============================

Question 87

Which two commands would be used to troubleshoot high memory usage for a process? (Choose two)

A. router#show memory allocating-process table
B. router#show memory summary
C. router#show memory dead
D. router#show memory events
E. router#show memory processor statistics

Answer: A B

Explanation

The “show memory allocating-process table” command displays statistics on allocated memory with the corresponding allocating processes. This command can also be used to find memory leaks. A memory leak occurs when a process requests or allocates memory and then forgets to free (de-allocate) the memory when it has finished that task.

Note: In fact the correct command should be “show memory allocating-process totals” (not “table”)

The “show memory summary” command displays a summary of all memory pools and memory usage per Alloc PC (address of the system call that allocated the block). An example of the output of this command is shown below:

show_memory_summary.jpg

Legend:

+ Total: the total amount of memory available after the system image loads and builds its data structures.
+ Used: the amount of memory currently allocated.
+ Free: the amount of memory currently free.
+ Lowest: the lowest amount of free memory recorded by the router since it was last booted.
+ Largest: the largest free memory block currently available.

Note: The show memory allocating-process totals command contains the same information as the first three lines of the show memory summary command.

An example of a high memory usage problem is a large amount of free memory, but a small value in the “Lowest” column. In this case, a normal or abnormal event (for example, a large routing instability) causes the router to use an unusually large amount of processor memory for a short period of time, during which the memory has run out.

The show memory dead command is only used to view the memory allocated to a process which has terminated. The memory allocated to this process is reclaimed by the kernel and returned to the memory pool by the router itself when required. This is the way IOS handles memory. A memory block is considered as dead if the process which created the block exits (no longer running).

The command show memory events does not exist.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf013.html and http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/6507-mallocfail.html

Question 204

Which statement about conditional debugging is true?

A. It can support only one condition at a time
B. You can limit the output to a specific interface
C. It generates debug messages only for packets entering the router
D. It is limited to Ethernet, serial, and multilink interfaces

Answer: B

Explanation

When the Conditionally Triggered Debugging feature is enabled, the router generates debugging messages for packets entering or leaving the router on a specified interface; the router will not generate debugging output for packets entering or leaving through a different interface. You can specify the interfaces explicitly. For example, you may only want to see debugging messages for one interface or subinterface. You can also turn on debugging for all interfaces that meet specified conditions. This feature is useful on dial access servers, which have a large number of ports.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcndtr.html

Question 229 (posted at Q.6 of http://www.digitaltut.com/point-to-point-protocol)

Which two debug commands can you use to view issues with CHAP and PAP authentication? (Choose two)

A. debug tacacs
B. debug ppp authentication
C. debug radius
D. debug aaa authentication
E. debug ppp negotiation

Answer: B E

============================= Unicast Flooding Questions =============================

Question 26

Which action can you take to mitigate unicast flooding in a network?

A. Configure VLANs to span multiple access-layer switches.
B. Implement a nonlooped network topology.
C. Set the ARP timer value to less than the CAM timer value.
D. Set the CAM timer value to less than the ARP timer value.

Answer: C

Question 106

Which three causes of unicast flooding are true? (Choose three)

A. forwarding table overflow
B. changes in STP topology
C. excess space in the forwarding table
D. consistent STP topology
E. asymmetric routing
F. symmetric routing

Answer: A B E

Explanation

The root cause of flooding is that the destination MAC address of the packet is not in the L2 forwarding table of the switch. In this case the packet will be flooded out of all forwarding ports in its VLAN (except the port it was received on). The case studies below show the most common reasons for the destination MAC address not being known to the switch.

Cause 1: Asymmetric Routing
Cause 2: Spanning-Tree Protocol Topology Changes
Cause 3: Forwarding Table Overflow

For more information about three cases above please visit: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Question 131

What happens when unicast flood protection is triggered on a VLAN?

A. The VLAN is shut down
B. Traffic on the VLAN is load-balanced across multiple links
C. The VLAN is removed from the VLAN database
D. Traffic on the VLAN is passed to another VLAN with lower load

Answer: A

Explanation

In short, the unicast flood protection feature allows the switch to monitor the amount of unicast flooding per VLAN and take a specified action if flooding exceeds a specified amount. The action can be to syslog, limit or shut down the VLAN, the syslog being the most useful for flood detection.

Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Question 140

Which adverse event can occur as a consequence of asymmetric routing on the network?

A. vulnerability to a man-in-the-middle attack
B. inadvertent HSRP active router preemption
C. errdisabled port
D. unicast flooding

Answer: D

Explanation

The root cause of unicast flooding is that the destination MAC address of the packet is not in the L2 forwarding table of the switch. In this case the packet will be flooded out of all forwarding ports in its VLAN (except the port it was received on). The case studies below show the most common reasons for the destination MAC address not being known to the switch.

Cause 1: Asymmetric Routing
Cause 2: Spanning-Tree Protocol Topology Changes
Cause 3: Forwarding Table Overflow

For more information about three cases above please visit: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Question 191 (nearly the same as Question 26 above)

How can you minimize unicast flooding in a network?

A. Configure HSRP on two routers, with one subnet preferred on the first router and a different subnet preferred on the second router
B. Set the router’s ARP timeout value to be the same as the timeout value for Layer 2 forwarding table entries
C. Set the router’s ARP timeout value to greater than the timeout value for Layer 2 forwarding table entries
D. Set the router’s ARP timeout value to less than timeout value for Layer 2 forwarding table entries

Answer: B

Explanation

There are different approaches to limiting the flooding caused by asymmetric routing. The usual approach is to bring the router's ARP timeout and the switches' forwarding-table aging time close to each other (the Cisco IOS defaults are 4 hours for the ARP cache and 300 seconds for the MAC address table). The router then sends a new ARP request (a broadcast) before the L2 forwarding-table entry ages out, and the host's ARP reply lets the switch relearn the MAC address, so the router's unicast traffic is never sent to a MAC address the switch no longer knows.

Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html
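
The mechanism behind Question 140 and Question 191 is easy to see in a small model. The following is an added example written for this page, not code from the Cisco document: one access switch (MAC table with aging) and one router (ARP cache with its own timeout) on a VLAN. The host's outbound traffic leaves through a different router, so this switch only sees frames from the host when the host answers this router's ARP request; return traffic from this router is a unicast to the host's MAC, and once that MAC has aged out of the switch table every such frame is flooded to all ports in the VLAN. The timer values are the IOS defaults (ARP 14400 s, MAC aging 300 s); the MAC address, IP address and port name are constructed.

```python
"""Unicast flooding caused by asymmetric routing, and the effect of timers.

Added example written for this page (not Cisco code). Simplified model: one
switch, one router, one host whose outbound traffic leaves via another router.
"""
from dataclasses import dataclass, field

HOST_MAC = "0000.0c12.3456"   # constructed
HOST_IP = "10.1.1.10"         # constructed
HOST_PORT = "Gi1/0/5"         # constructed


@dataclass
class Switch:
    aging: int                                   # MAC address table aging time, seconds
    table: dict = field(default_factory=dict)    # mac -> (port, time last seen)
    flooded: int = 0

    def learn(self, mac, port, now):
        self.table[mac] = (port, now)

    def forward(self, dst_mac, now):
        """Return the egress port, or "flood" if the MAC is unknown or aged out."""
        entry = self.table.get(dst_mac)
        if entry is None or now - entry[1] >= self.aging:
            self.table.pop(dst_mac, None)
            self.flooded += 1
            return "flood"
        return entry[0]


@dataclass
class Router:
    arp_timeout: int                              # ARP cache timeout, seconds
    arp: dict = field(default_factory=dict)       # ip -> (mac, time learned)
    arp_requests: int = 0

    def resolve(self, ip, switch, now):
        entry = self.arp.get(ip)
        if entry is None or now - entry[1] >= self.arp_timeout:
            # The ARP request is a broadcast; the host's unicast reply passes
            # through the switch and refreshes the switch's MAC table entry.
            self.arp_requests += 1
            switch.learn(HOST_MAC, HOST_PORT, now)
            self.arp[ip] = (HOST_MAC, now)
        return self.arp[ip][0]


def simulate(arp_timeout, mac_aging, duration=3600, interval=10):
    """Deliver one return packet to the host every `interval` seconds for
    `duration` seconds; return (flooded_frames, total_frames)."""
    sw = Switch(aging=mac_aging)
    rt = Router(arp_timeout=arp_timeout)
    total = 0
    for now in range(0, duration, interval):
        sw.forward(rt.resolve(HOST_IP, sw, now), now)
        total += 1
    return sw.flooded, total


if __name__ == "__main__":
    print("IOS defaults (ARP 14400 s, aging 300 s):", simulate(14400, 300))
    print("matched      (ARP 300 s,   aging 300 s):", simulate(300, 300))
```

With the defaults, every return packet after the first five minutes is flooded (330 of 360 frames in an hour); with the ARP timeout equal to or lower than the aging time, none are. On IOS the corresponding knobs are `arp timeout <seconds>` on the router interface or SVI and `mac address-table aging-time <seconds> vlan <id>` on the switch.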

============================= Loop Prevention Questions =============================

Question 139

Which of the following situations results in a routing loop?

A. when you implement noncontiguous IP routing blocks
B. when you have a single point of redistribution
C. when you have multiple points of redistribution
D. when you use NAT translation on the edge of your network
E. when you implement contiguous IP routing blocks

Answer: C

Question 155

Which three methods can a network engineer use to fix a metric-based routing loop in the network? (Choose three)

A. Filter routes manually using prefix lists
B. Implement proper network summarization on key routing points
C. Utilize route database filters
D. Filter routes based on tags
E. Implement offset lists at network boundaries
F. Filter routes manually using distribute lists

Answer: D E F

============================= Miscellaneous Questions =============================

Question 23

Which command do you enter to filter only routing updates that are sent through interface GigabitEthernet0/0?

A. R1(config-if)#passive-interface GigabitEthernet0/0
B. R1(config-router)#no passive-interface GigabitEthernet0/0
C. R1(config-router)#passive-interface GigabitEthernet0/0
D. R1(config-router)#passive-interface default
E. R1(config-if)#passive-interface default
F. R1(config-router)#distribute-list 1 GigabitEthernet0/0 out

Answer: C

Explanation

In fact F could also work, but we do not know what access list 1 contains, so C is the better answer: passive-interface stops the routing process from sending updates out of GigabitEthernet0/0 (and, for OSPF and EIGRP, from forming adjacencies on it), while the interface still receives updates.

Question 63

Given the network diagram, which address would successfully summarize only the networks seen?

summarize_all_networks.jpg

A. 192.168.0.0/24
B. 192.168.8.0/20
C. 192.168.8.0/21
D. 192.168.12.0/20
E. 192.168.16.0/21
F. These networks cannot be summarized.

Answer: C
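
The figure for this question is not reproduced on the page, so the following added example (not from the original page) works with constructed prefixes: the eight /24s 192.168.8.0 through 192.168.15.0, for which the exam answer 192.168.8.0/21 is the exact summary. It computes the smallest single prefix that covers a set of networks, checks whether that prefix covers anything beyond them, and lists the unused space a too-wide summary would attract traffic for.

```python
"""Compute and check a summary route for a set of networks.

Added example, not from the original page; EXAMPLE_NETS is constructed.
"""
import ipaddress


def summary_route(prefixes):
    """Return (summary, exact): the smallest single prefix that contains every
    network in `prefixes`, and whether it contains nothing beyond them."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    top = max(n.broadcast_address for n in nets)
    summary = min(nets)              # lowest network; widen until the top address fits
    while top not in summary:
        summary = summary.supernet()
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return summary, covered == summary.num_addresses


def uncovered(summary, prefixes):
    """List the address space inside `summary` that none of `prefixes` use."""
    holes = [ipaddress.ip_network(str(summary))]
    nets = [ipaddress.ip_network(p) for p in prefixes]
    for n in ipaddress.collapse_addresses(nets):
        new_holes = []
        for hole in holes:
            if hole.subnet_of(n):
                continue                          # hole fully used, drop it
            if n.subnet_of(hole):
                new_holes.extend(hole.address_exclude(n))   # carve the network out
            else:
                new_holes.append(hole)
        holes = new_holes
    return sorted(holes)


def check_candidate(candidate, prefixes):
    """Judge an exam-style option against the networks it should summarize."""
    try:
        cand = ipaddress.ip_network(candidate)    # strict: host bits must be zero
    except ValueError:
        return "not a valid prefix (host bits set)"
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if not all(n.subnet_of(cand) for n in nets):
        return "does not cover all networks"
    if uncovered(cand, prefixes):
        return "covers more than the networks"
    return "exact summary"


EXAMPLE_NETS = [f"192.168.{i}.0/24" for i in range(8, 16)]   # constructed

if __name__ == "__main__":
    print(summary_route(EXAMPLE_NETS))
    for option in ("192.168.0.0/24", "192.168.8.0/20", "192.168.8.0/21",
                   "192.168.12.0/20", "192.168.16.0/21"):
        print(option, "->", check_candidate(option, EXAMPLE_NETS))
```

Note that two of the exam options (192.168.8.0/20 and 192.168.12.0/20) are not even valid prefixes: they have host bits set under a /20 mask. Advertising a summary that is wider than the networks behind it is a classic cause of black-holed traffic and of the routing loops discussed in the next section, which is what the `uncovered` check is for.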

Question 124

How big is the smallest packet that will always be fragmented on a standard Ethernet network with default configuration?

A. 1500 bytes
B. 1800 bytes
C. 2048 bytes
D. 2100 bytes

Answer: B

Explanation

A 1500-byte packet is the largest packet on a standard Ethernet network (default MTU of 1500 bytes) that is not fragmented. For a TCP segment this is 1460 bytes of payload plus 40 bytes of headers (a 20-byte IP header and a 20-byte TCP header). Any IP packet larger than 1500 bytes must be fragmented (or dropped, if the DF bit is set), so among the options the smallest packet that will always be fragmented is 1800 bytes.

Question 134

Which option is the best for protecting CPU utilization on a device?

A. fragmentation
B. COPP
C. ICMP redirects
D. ICMP unreachable messages

Answer: B

Explanation

The Control Plane Policing (CoPP) policy is an important security feature that prevents Denial of Service (DoS) attacks that can impact the supervisor module CPU.

CoPP protects the route processor on network devices by treating route processor resources as a separate entity with its own ingress interface (and in some implementations, egress also). Because of this behavior, a CoPP policy can be developed and applied only to those packets within the control plane. Unlike interface ACLs, for example, no effort is wasted investigating data plane (transit) packets that will never reach the control plane. This action has a significant simplifying implication on the construction of policies for CoPP.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/best_practices/cli_mgmt_guide/cli_mgmt_bp/cpu.pdf and https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html

Question 143

Which STP feature can reduce TCNs on ports that are connected to end devices?

A. BPDU guard
B. Root guard
C. PortFast
D. Backbone Fast

Answer: C

Explanation

In normal STP operation, a bridge keeps receiving configuration BPDUs from the root bridge on its root port. But, it never sends out a BPDU toward the root bridge. In order to achieve that, a special BPDU called the topology change notification (TCN) BPDU has been introduced. Therefore, when a bridge needs to signal a topology change, it starts to send TCNs on its root port. The designated bridge receives the TCN, acknowledges it, and generates another one for its own root port. The process continues until the TCN hits the root bridge. The bridge that notifies the topology change does not stop sending its TCN until the designated bridge has acknowledged it.

A switch never generates a TCN when a port configured for PortFast goes up or down, so PortFast reduces TCNs on ports that are connected to end devices.

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/12013-17.html#anc12

Question 198

Which two causes of latency are true? (Choose two)

A. High bandwidth on a link
B. Split horizon
C. Propagation delay
D. Serialization delay
E. Under-utilization of a link

Answer: C D

Explanation

The most significant network factor in meeting the latency targets for TelePresence is propagation delay, which can account for more than 90 percent of the network latency time budget. Propagation delay is also a fixed component and is a function of the physical distance that the signals have to travel between the originating endpoint and the receiving endpoint.

Reference: Cisco TelePresence Fundamentals book

Propagation delay is the amount of time it takes for a single bit of data to get from one side of a digital connection to the other. The signal travels at a large fraction of the speed of light, depending on the medium over which the packet is being carried (copper, fiber, and so on). The propagation delay over a digital copper or fiber-optic connection is approximately 1 ms per 100 miles. For example, the distance between New York and London is approximately 3500 miles, so the propagation delay between New York and London is approximately 35 ms.

Three types of delay are inherent in today’s telephony networks: propagation delay, serialization delay, and handling delay (also called processing delay).

Serialization delay is the amount of time it takes to actually place a bit or byte onto an interface. It is directly related to the clock rate on the interface.

Reference: http://www.ciscopress.com/articles/article.asp?p=606583

Question 231 (posted at Q.7 of http://www.digitaltut.com/miscellaneous-questions)

In which scenario can asymmetric routing occur?

A. active/active firewall setup
B. single path in and out of the network.
C. active/standby firewall setup
D. redundant routers running VRRP

Answer: D

Explanation

Asymmetric routing is the scenario in which outgoing packets take one path and the returning packets take another. VRRP can cause asymmetric routing, for example:

R1 and R2 are two routers in the local internal LAN that are running VRRP. R1 is the master router and R2 is the backup router.

Both routers are connected to an ISP gateway router using BGP. This topology provides two possible outgoing and two possible incoming paths for the traffic.

Suppose outgoing traffic is sent through R1 and a VRRP failover occurs: R2 becomes the new master and outgoing traffic now passes through R2, while the ISP may still return the traffic through R1, so asymmetric routing occurs.

Question 61

The Cisco ASA 500 Series Security Appliances are built specifically for businesses with less than 100 employees. What are three important benefits of this device? (Choose three)

A. business-grade firewall
B. premium support via SMART net
C. site-to-site VPN for remote offices
D. Cisco IOS software-based
E. email security
F. XML support

Answer: A C E

Question 1 (posted at https://www.digitaltut.com/policy-based-routing)

Which statement about local policy routing is true?

A. It is used to policy route packets that are generated by the device.
B. It requires all packets to be packet switched.
C. It is used to policy route packets that pass through the device.
D. It requires all packets to be CEF switched.
E. It supports IPv4 packets only.
F. It requires an ip address or access list as the matching criteria.

Answer: A

Explanation

Normal policy based routing (PBR) is used to route packets that pass through the device. Packets that are generated by the router (itself) are not normally policy-routed. To control these packets, local PBR should be used. For example: Router(config)# ip local policy route-map map-tag (compared with normal PBR: Router(config-if)# ip policy route-map map-tag)

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

============================= Drag and Drop Questions =============================

Question 90

Drag and drop for adverse network conditions.

Adverse_Network_Conditions.jpg

Answer:

Excessive unicast flooding condition: caused by including a host port in STP
Out-of-order packets: potential result of disabling FIFO
TCP starvation: potential effect of excessive UDP traffic on link
Asymmetric routing: cause of inconsistent traffic patterns
Latency: condition in which packets require an excessive length of time to traverse a switch

Explanation

The most common reason for excessive unicast flooding in steady-state Catalyst switch networks is the lack of proper host port configuration. Hosts, servers, and any other end-devices do not need to participate in the STP process; therefore, the link up and down states on the respective NIC interfaces should not be considered an STP topology change.

Reference: http://www.ciscopress.com/articles/article.asp?p=336872

Question 91

Drag drop the correct descriptions on the right to the Frame Relay LMI extensions on the left.

Frame_Relay_LMI_Extensions.jpg

Answer:

+ Address registration – It allows neighboring Cisco devices to exchange management IP addresses
+ Global addressing – It enables the Frame Relay network to identify interfaces in the same manner as a LAN
+ Multicasting – It provides the most efficient transmission of routing protocol messages and supports address resolution
+ Simple flow control – It supports devices that are unable to use congestion notification
+ Virtual circuit status messages – It prevents data from being transmitted into black holes

Question 92

Drag the descriptions on the left to the appropriate group on the right.

AAA.jpg

Answer:

Authentication:
+ supports a local database for device access
+ supports encryption

Authorization:
+ specifies a user’s specific access privileges
+ enforces time periods during which a user can access the device

Accounting:
+ not supported with local AAA
+ verifies network usage

Explanation

AAA offers different solutions that provide access control to network devices. The following services are included within its modular architectural framework:
+ Authentication – The process of validating users based on their identity and predetermined credentials, such as passwords and other mechanisms like digital certificates. Authentication controls access by requiring valid user credentials, which are typically a username and password. With RADIUS, the ASA supports PAP, CHAP, MS-CHAPv1 and MS-CHAPv2, which is the basis for the "supports encryption" item in the exhibit (strictly speaking, CHAP and MS-CHAP protect the password with a challenge-response hash rather than encryption; only PAP sends it in the clear to the network access server).
+ Authorization – The method by which a network device assembles a set of attributes that regulates what tasks the user is authorized to perform. These attributes are measured against a user database. The results are returned to the network device to determine the user’s qualifications and restrictions. This database can be located locally on Cisco ASA or it can be hosted on a RADIUS or Terminal Access Controller Access-Control System Plus (TACACS+) server. In summary, Authorization controls access per user after users authenticate.
+ Accounting – The process of gathering and sending user information to an AAA server used to track login times (when the user logged in and logged off) and the services that users access. This information can be used for billing, auditing, and reporting purposes.

Question 93

Drag drop about AAA commands.

AAA_Authentication_commands.jpg

Answer:

+ if authenticated – It allows the user to perform the requested function once authenticated
+ none – It instructs the network access server to proceed without requesting authorization information
+ local – It provides authorization for a limited set of functions only
+ krb5-instance – It uses a defined instance for authorization
+ group radius – It uses authorization information from a standards based server
+ group tacacs+ – It uses authorization information stored as attribute-value pairs in a Cisco proprietary server

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html

Question 116

Refer to the exhibit. You are configuring the R1 Serial0 interface for a multipoint connection. Drag and drop the required configuration statements from the left onto the corresponding locations from the diagram on the right.

Frame_Relay_Point_to_multipoint_2.jpg
Frame_Relay_point_to_multipoint.jpg

Answer:

interface Ethernet0
  ip address 10.1.1.2 255.255.255.0
interface Serial0
! Serial interface config
  no ip address
  encapsulation frame-relay
  frame-relay lmi-type ansi
! subinterface config
interface Serial0.1 multipoint
  ip address 192.168.1.5 255.255.255.240
  frame-relay map ip 192.168.1.1 100 broadcast

Question 132

Drag and drop the GRE features from the left onto the correct description on the right.

GRE_Features.jpg

Answer:

+ mGRE: technology that supports dynamic tunnel endpoints
+ IPSec: encryption protocol used to secure tunnels
+ Keepalive: technology that prevents one side of the tunnel from going down while the other stays up
+ Tunnel Key: clear-text password that confirms the peer connection
+ MSS: configurable value that prevents an interface from sending packets that are too large for the tunnel

Question 206

Drag and drop the AAA features from the left onto the correct description on the right.

AAA_features.jpg

Answer:

+ Authentication: challenge and response operation
+ Accounting: feature that logs network usage
+ TACACS+: authentication method that uses TCP
+ RADIUS: authentication method that uses UDP
+ Authorization: controls specific access privileges of a user

Question 208 (posted at Q.13 of http://www.digitaltut.com/drag-and-drop)

Drag and drop each statement about uRPF on the left to the correct uRPF mode on the right.

uRPF.jpg

Answer:

Loose mode:
+ It supports using the default route as a route reference
+ It requires the source address to be routable

Strict mode:
+ It can drop legitimate traffic
+ It permits only packets that are received on the same interface as the exit interface for the destination address
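
The difference between the two modes, including why strict mode "can drop legitimate traffic" and how the default route is treated, can be seen in the following added example (written for this page, not Cisco code). The FIB and the sample packets are constructed. A source matched only by the default route fails unless `allow_default` is set, which models the `allow-default` keyword of the IOS command `ip verify unicast source reachable-via {rx | any}`; a route pointing at Null0 fails in both modes, which is what makes source-based remotely triggered black holing work with loose uRPF.

```python
"""Strict versus loose unicast RPF, checked against a small FIB.

Added example, not from the page; the FIB and sample packets are constructed.
"""
import ipaddress

FIB = [  # (prefix, outgoing interface), constructed
    ("10.1.0.0/16", "Gi0/1"),
    ("10.2.0.0/16", "Gi0/2"),
    ("10.2.5.0/24", "Gi0/1"),     # more specific: 10.2.5.0/24 is reached via Gi0/1
    ("192.0.2.0/24", "Null0"),    # black-holed source range
    ("0.0.0.0/0", "Gi0/0"),       # default route towards the Internet
]


def lookup(src):
    """Longest-prefix match for `src`; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(src, in_iface, mode, allow_default=False):
    """Return True if a packet from `src` arriving on `in_iface` passes uRPF."""
    match = lookup(src)
    if match is None:
        return False                      # no route back to the source at all
    net, out_iface = match
    if out_iface == "Null0":
        return False                      # black-holed sources fail in both modes
    if net.prefixlen == 0 and not allow_default:
        return False                      # default route does not count by default
    if mode == "strict":
        return out_iface == in_iface      # reachable-via rx
    if mode == "loose":
        return True                       # reachable-via any
    raise ValueError(f"unknown mode {mode!r}")


SAMPLE_PACKETS = [  # (source, ingress interface), constructed
    ("10.1.1.1", "Gi0/1"),      # normal
    ("10.1.1.1", "Gi0/2"),      # spoofed, or arriving on the wrong interface
    ("10.2.5.9", "Gi0/2"),      # legitimate but asymmetric: return path is Gi0/1
    ("192.0.2.7", "Gi0/0"),     # black-holed source
    ("203.0.113.5", "Gi0/0"),   # only the default route matches
]


def evaluate(mode, allow_default=False):
    """Run every sample packet through the check; returns {description: verdict}."""
    return {f"{src} in {iface}": urpf(src, iface, mode, allow_default)
            for src, iface in SAMPLE_PACKETS}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, evaluate(mode))
    print("loose + allow-default", evaluate("loose", allow_default=True))
```

The third sample packet is the one to watch: the host in 10.2.5.0/24 really exists, but its traffic enters on Gi0/2 while the route back to it points at Gi0/1, so strict mode drops it and loose mode does not. That is why strict mode belongs on single-homed edges and loose mode on interfaces where asymmetric paths are expected.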

Question 217 (posted at Q.33 http://www.digitaltut.com/new-route-questions-part-4)

Refer to the exhibit. You are configuring the R1 Serial0 interface for a point-to-point connection. Drag and drop the required configuration statements from the left onto the correct locations from the diagram on the right. Not all commands are used.

Frame_Relay_config.jpg
Frame_Relay_subinterface_config.jpg

Answer:

A – no ip address
B – interface serial0.1 point-to-point
C – frame-relay interface-dlci 100 ppp virtual-template1
D – ppp authentication chap

Question 235 (posted at Q.4 of http://www.digitaltut.com/drag-and-drop-2-2)

Drag and drop the statements from the left onto the correct IPv6 router security features on the right.

IPv6_router_security.jpg

Answer:

IPv6 Traffic Filter
+ It filters traffic on the interface level
+ It supports tagged ACLs

IPv6 Access Classes
+ It controls traffic to and from the router
+ It requires the destination address for inbound traffic to be a local address
+ It filters management traffic

Question 243 (posted at Q.1 of http://www.digitaltut.com/drag-and-drop-2-2)

Drag and drop the statements about device security from the left onto the correct description on the right.

COPP_MPP.jpg

Answer:

CoPP:
+ It protects the device against DoS attacks
+ It supports packet forwarding by reducing the load on the device
+ It uses QoS to limit the load on the device

MPP:
+ It designates the permitted management interfaces on the device
+ It is enabled only when an interface is configured
+ It requires only a single command to configure

Question 244 (posted at Q.6 of http://www.digitaltut.com/drag-and-drop-2-2)

Drag and drop the correct description on the right onto the corresponding ACL types on the left.

ACL_types.jpg

Answer:

+ Dynamic: ACL that uses Telnet for Authentication
+ Extended: ACL type that should be placed closest to the traffic source
+ Reflexive: ACL that must be defined with a named ACL
+ Standard: ACL numbered from 1300 through 1999
+ Time-based: ACL that is applied to traffic only during specifically defined periods

Explanation

The general rule when applying access lists is to apply standard IP access lists as close to the destination as possible and extended access lists as close to the source as possible. Because standard access lists match only on the source address and therefore lack granularity, it is better to implement them as close to the destination as possible; extended access lists can match on many more fields and are better implemented close to the source, so that unwanted traffic is dropped before it crosses the network.

Reference: http://www.ciscopress.com/articles/article.asp?p=1697887

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are generally used to allow outbound traffic and to limit inbound traffic in response to sessions that originate inside the router. Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with other protocol ACLs. Reflexive ACLs can be used in conjunction with other standard and static extended ACLs. Outbound ACL will have the ‘reflect’ keyword. It is the ACL that matches the originating traffic. Inbound ACL will have the ‘evaluate’ keyword. It is the ACL that matches the returning traffic.

Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release 11.1. This feature is dependent on Telnet, authentication (local or remote), and extended ACLs.
Lock and key configuration starts with the application of an extended ACL to block traffic through the router. Users that want to traverse the router are blocked by the extended ACL until they Telnet to the router and are authenticated. The Telnet connection then drops and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular time period; idle and absolute timeouts are possible.

Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Question 245 (posted at Q.2 of http://www.digitaltut.com/drag-and-drop-2-2)

Drag and drop the steps in the NAT process for IPv4-initiated packets from the left into the correct sequence on the right.

NAT_process.jpg

Answer:

Step 1: The packet is routed to an NVI
Step 2: The packet is assigned a dynamic or static binding
Step 3: The IPv4 source address is translated to IPv6
Step 4: The translation information is used to create a session

Question 249 (posted at Q.8 of http://www.digitaltut.com/drag-and-drop)

Drag the items on the left to the proper locations on the right.

NPTv6_NAT64.jpg

Answer:

+ network-specific stateful NAT64 prefix: IPv6 prefix assigned by an organization
+ NAT64 : supports application layer gateway
+ NPTv6 : translates 2001:1::/64 to 2001:2::/64
+ well-known stateful NAT64 prefix: supports IPv6 prefix 64:FF9B::/96

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). There are two different forms of NAT64, stateless and stateful:

+ Stateless NAT64 maps each IPv4 address into an IPv6 prefix algorithmically. As the name implies, it keeps no state. Because every IPv4 address maps to exactly one IPv6 address, stateless NAT64 does not conserve IPv4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation (1:N translation). It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings. Stateful NAT64 conserves IPv4 addresses.

NPTv6 stands for IPv6-to-IPv6 Network Prefix Translation. It is a form of NAT for IPv6 that provides a one-to-one, stateless mapping between an inside IPv6 prefix and an outside IPv6 prefix: only the prefix bits of the address are rewritten, so for example 2001:1::/64 is translated to 2001:2::/64 with the host portion of the address unchanged.

Question 22 (posted at https://www.digitaltut.com/new-route-questions-part-3)

Drag drop about DHCP Relay information.

DHCP_Relay_information.jpg

Answer:

+ ip dhcp relay information option: automatically add the circuit identifier suboption and the remote ID suboption

+ ip dhcp relay information check: check that the relay agent information option in forwarded BOOTREPLY messages is valid

+ ip dhcp relay information policy: Configures the reforwarding policy for a DHCP relay agent

+ ip dhcp relay information subscriber-id: enable an ISP to add a unique identifier

+ ip dhcp relay information: configured in global configuration mode applies to all interfaces

+ ip dhcp relay information trusted-sources: configures interfaces on a router as trusted sources

Question 1 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop the IPv6 NAT characteristic from the left to the matching IPv6 NAT category on the right.

NAT64_NPTv6.jpg

Answer:

NAT64:
+ Use Network-specific prefix
+ Modify session during translation

NPTv6:
+ Modify IP header in transit
+ Map one IPv6 address prefix to another IPv6 prefix

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). NAT64 requires a dedicated prefix, called the NAT64 prefix, to recognize which packets need IPv4-IPv6 translation. The NAT64 prefix can be a network-specific prefix (NSP), which is configured by the network administrator, or the well-known prefix 64:FF9B::/96. When a NAT64 router receives a packet whose destination address starts with the NAT64 prefix, it translates that packet with NAT64.

NAT64 is not as simple as IPv4 NAT which only translates source or destination IPv4 address. NAT64 translates nearly everything (source & destination IP addresses, port number, IPv4/IPv6 headers… which is called a session) from IPv4 to IPv6 and vice versa. So NAT64 “modifies session during translation”.
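
How an IPv4 address is embedded in a NAT64 prefix (Question 249 and Question 1 above) is defined by RFC 6052 and is worth seeing in code. The following is an added example, not from the page or from Cisco. Both the well-known prefix 64:ff9b::/96 and a network-specific prefix place the 32 IPv4 bits at a position fixed by the prefix length; for prefixes shorter than /96 the bits straddle the "u" octet (bits 64 to 71), which must be zero. The prefixes and the IPv4 address 192.0.2.33 used below are the ones from the RFC 6052 example table, so the results can be checked against that table.

```python
"""IPv4-embedded IPv6 address synthesis and extraction (RFC 6052).

Added example, not from the page or from Cisco.
"""
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed(prefix, ipv4):
    """Synthesize the IPv6 address that represents `ipv4` under `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {VALID_LENGTHS}")
    v4 = int(ipaddress.IPv4Address(ipv4))
    v6 = int(net.network_address)
    if net.prefixlen == 96:
        return ipaddress.IPv6Address(v6 | v4)      # IPv4 address in the last 32 bits
    high_bits = 64 - net.prefixlen                 # IPv4 bits that fit before the u octet
    low_bits = 32 - high_bits                      # the rest follow the u octet, from bit 72
    high = v4 >> low_bits
    low = v4 & ((1 << low_bits) - 1)
    v6 |= high << 64                               # ends at bit 63, just before u
    v6 |= low << (56 - low_bits)                   # starts at bit 72 (128 - 72 - low_bits)
    return ipaddress.IPv6Address(v6)


def extract(prefix, ipv6):
    """Recover the IPv4 address embedded in `ipv6` under `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    a = int(addr)
    if net.prefixlen == 96:
        return ipaddress.IPv4Address(a & 0xFFFFFFFF)
    if (a >> 56) & 0xFF:
        raise ValueError("u octet (bits 64..71) must be zero")
    high_bits = 64 - net.prefixlen
    low_bits = 32 - high_bits
    high = (a >> 64) & ((1 << high_bits) - 1)
    low = (a >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return ipaddress.IPv4Address((high << low_bits) | low)


if __name__ == "__main__":
    for p in (WELL_KNOWN_PREFIX, "2001:db8::/32", "2001:db8:100::/40",
              "2001:db8:122::/48", "2001:db8:122:300::/56",
              "2001:db8:122:344::/64", "2001:db8:122:344::/96"):
        synthesized = embed(p, "192.0.2.33")
        print(f"{p:24} {synthesized}  ->  {extract(p, synthesized)}")
```

A DNS64 resolver performs exactly the `embed` step when it synthesizes AAAA records, and a NAT64 gateway performs `extract` on the destination address of IPv6-initiated packets. A practical check: if a NAT64 deployment uses a network-specific prefix, it must be one of these six lengths, and hosts must not be able to inject traffic with a non-zero u octet.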

Question 2 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop the BGP states from the left to the matching definitions on the right.

BGP_States.jpg

Answer:

+ OpenSent: wait for an OPEN message
+ OpenConfirm: wait for a KEEPALIVE or NOTIFICATION message
+ Established: UPDATE, NOTIFICATION and KEEPALIVE messages are exchanged with peers
+ Idle: refuse connections
+ Active: listen for and accept connection
+ Connect: wait for the connection to be completed

Explanation

The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm -> Established

+ Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor relationship has been administratively shut down.
+ Connect: BGP is waiting for the TCP three-way handshake to complete. If it completes, BGP sends an OPEN message and moves to OpenSent; if the ConnectRetry timer expires first, BGP moves to Active.
+ Active: BGP is trying to initiate another TCP connection to the remote BGP neighbor. If it succeeds, the session moves to the OpenSent state; if the ConnectRetry timer expires, it moves back to the Connect state. Note: Active is not a good state; a neighbor cycling between Connect and Active usually means the peer address is unreachable, TCP port 179 is filtered, or the neighbor statement is wrong on one side.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.

Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3

Question 4 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop the Challenge Handshake Authentication Protocol steps from the left into the correct order in which they occur on the right.

CHAP_steps.jpg

Answer:

+ Target 1: When the LCP phase is complete and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer
+ Target 2: The peer responds with a value calculated through a one-way hash function (MD5)
+ Target 3: The authenticator checks the response against its own calculation of the expected hash value if the values match the authentication is successful. Otherwise, the connection is terminated

Explanation

The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the peer by means of a three-way handshake. These are the general steps performed in CHAP:
1) After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer.
2) The peer responds with a value calculated through a one-way hash function (Message Digest 5 (MD5)).
3) The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated.

This authentication method depends on a “secret” known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, you can negotiate CHAP in both directions, with the help of the same secret set for mutual authentication.

Reference: http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html

For more information about CHAP challenge please read our PPP tutorial.
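
The three steps above, with the CHAP packet format from RFC 1994 and both sides of the exchange, as an added example written for this page (not code from the Cisco document). The authenticator issues a Challenge, the peer returns a Response whose value is MD5(Identifier || secret || Challenge), and the authenticator recomputes that hash from its own copy of the secret and compares in constant time; the secret itself never crosses the link. The names R1 and R2 and the secret are constructed; a challenge value can be passed in for a reproducible run, but a real implementation must use a fresh random challenge each time, which is the default here.

```python
"""A PPP CHAP exchange, both sides, with the RFC 1994 packet format.

Added example written for this page; names and secret are constructed.
"""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE = 1, 2        # CHAP Code values (3 = Success, 4 = Failure)


def chap_packet(code, identifier, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name (RFC 1994 4.1)."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_chap(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("CHAP length field does not match packet size")
    value_size = packet[4]
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:]
    return code, identifier, value, name


def chap_hash(identifier, secret, challenge):
    """The CHAP MD5 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    def __init__(self, name, secrets):
        self.name = name.encode()
        self.secrets = secrets            # peer name -> shared secret (bytes)
        self.pending = {}                 # identifier -> outstanding challenge

    def challenge(self, identifier, value=None):
        value = value if value is not None else os.urandom(16)
        self.pending[identifier] = value
        return chap_packet(CHALLENGE, identifier, value, self.name)

    def verify(self, packet):
        code, identifier, value, name = parse_chap(packet)
        if code != RESPONSE:
            return False
        challenge = self.pending.pop(identifier, None)   # each challenge is single-use
        secret = self.secrets.get(name.decode(errors="replace"))
        if challenge is None or secret is None:
            return False
        expected = chap_hash(identifier, secret, challenge)
        return hmac.compare_digest(expected, value)       # constant-time compare


class Peer:
    def __init__(self, name, secret):
        self.name = name.encode()
        self.secret = secret

    def respond(self, packet):
        code, identifier, challenge, _authenticator_name = parse_chap(packet)
        if code != CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        return chap_packet(RESPONSE, identifier,
                           chap_hash(identifier, self.secret, challenge), self.name)


def run_handshake(peer_secret=b"s3cret", identifier=1, challenge_value=None):
    """Run one exchange; returns (authenticated, response_packet, authenticator)."""
    auth = Authenticator("R1", {"R2": b"s3cret"})      # constructed names and secret
    peer = Peer("R2", peer_secret)
    response = peer.respond(auth.challenge(identifier, challenge_value))
    return auth.verify(response), response, auth


if __name__ == "__main__":
    ok, _, _ = run_handshake()
    print("authentication successful" if ok else "authentication failed")
```

On IOS the Name field carries the router hostname, which is why `username <peer-hostname> password <secret>` must exist on both routers with the same secret for mutual authentication. Two properties matter for security: a response is only valid for the single challenge it answers (the `pending` entry is consumed), so capturing a Response does not allow replay, and the authenticator learns nothing about the secret from a wrong response because it compares digests in constant time.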

Question 10 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop each frame-relay component on the left to the correct statement on the right.

Frame_Relay_2.jpg

Answer:

+ SVC: A circuit that provides temporary on-demand connections between DTEs
+ LMI: A signaling mechanism for Frame Relay devices
+ DLCI: A locally significant ID
+ FECN: An indicator of congestion on the network
+ PVC: A logical connection comprising two endpoints and a CIR

Question 3 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop the Cisco Express Forwarding adjacency types from the left to the correct type of processing on the right.

Adjacency types (left): Punt adjacency, Drop adjacency, Null adjacency, Discard adjacency, Glean adjacency

Descriptions (right):
+ Packets are discarded.
+ Features that require special handling or features that are not yet supported in conjunction with CEF switching paths are forwarded to the next switching layer for handling. Features that are not supported are forwarded to the next higher switching level.
+ When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.
+ Packets are dropped, but the prefix is checked.
+ Packets destined for a Null0 interface are dropped. This can be used as an effective form of access filtering.

Answer:

Punt Adjacency: Features that require special handling or features that are not yet supported in conjunction with CEF switching paths are forwarded to the next switching layer for handling. Features that are not supported are forwarded to the next higher switching level.
Drop Adjacency: Packets are dropped, but the prefix is checked.
Null Adjacency: Packets destined for a Null0 interface are dropped. This can be used as an effective form of access filtering.
Discard Adjacency: Packets are discarded.
Glean Adjacency: When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html

============================ New Updated Questions (posted on 28th-Feb-2019) ============================

Question 250

A network engineer configures two connected routers to run OSPF in Area 0; however, the routers fail to establish adjacency. Which option is one of the causes for this issue?

A. Area numbers match
B. OSPF process numbers do not match on both neighbor routers
C. The same MTU sizes are configured on both sides
D. The same OSPF router IDs are configured on both routers

Answer: D

Question 251

A network engineer is trying to synchronize the clock between two routers with NTP, but the time is not being synchronized. What is likely the cause of this problem?

A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 123.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 123.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 123.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 123.

Answer: B

Explanation

By default, NTP uses UDP port 123, so the routers cannot synchronize if a firewall or an ACL blocks that port. Options A and D refer to an IP protocol number, which does not apply here: NTP is an application protocol carried over UDP (IP protocol number 17), not a transport protocol of its own.

Question 252 (posted at Q.7 of https://www.digitaltut.com/dhcp-dhcpv6-questions)

Refer to the exhibit. Router DHCP is configured to lease IPv4 and IPv6 addresses to clients on ALS1 and ALS2. Clients on ALS2 receive IPv4 and IPv6 addresses. Clients on ALS1 receive IPv4 addresses. Which configuration on DSW1 allows clients on ALS1 to receive IPv6 addresses?

DHCP_IPv6.jpg
DSW1#sh run int f0/0
Building configuration…
!
interface FastEthernet0/0
ip address 10.4.10.1 255.255.255.0
ip helper-address 4.4.4.4
duplex auto
speed auto
ipv6 address 2002:A04:A01::A04:A01/120
ipv6 enable
end

A. DSW1(config-if)#ipv6 helper address 2002:404:404::404:404
B. DSW1(config)#ipv6 route 2002:404:404::404:404/128 FastEthernet1/0
C. DSW1(dhcp-config)#default-router 2002:A04:A01::A04:A01
D. DSW1(config-if)#ipv6 dhcp relay destination 2002:404:404::404:404 GigabitEthernet1/2

Answer: D

Explanation

In this topology DSW1 is the DHCPv6 Relay agent so it should relay (forward) the DHCPv6 Request packets (from the clients) out of its Gi1/2 interface to the DHCPv6 server. The command “ipv6 dhcp relay destination …” is used to complete this task.

Note: There is no “default-router” command for DHCPv6; IPv6 hosts learn their default gateway from Router Advertisements instead. The “ipv6 dhcp relay destination” command does not need to be configured on every router along the path between the client and the server; it is required ONLY on the router functioning as the DHCPv6 relay agent.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-689821.html

Question 253 (posted at Q.9 of https://www.digitaltut.com/frame-relay-questions)

Which two statements about configuring Frame Relay point-to-multipoint connections are true? (Choose two)

A. They ignore the broadcast keyword in the frame-relay DLCI mapping
B. They require the same DLCI on each side of the link
C. Changing a point-to-multipoint subinterface to a different type requires the interface to be deleted and recreated
D. They require the frame-relay mapping command to be configured
E. They require inverse ARP

Answer: D E

Explanation

An example of configuring Frame Relay point-to-multipoint connections is described at: http://www.9tut.com/frame-relay-gns3-lab. Frame Relay point-to-multipoint relies on Inverse ARP (which is enabled by default) to learn the remote IP-to-DLCI mappings, or on static mappings configured with the frame-relay map command, for example: R1(config-subif)#frame-relay map ip 192.168.1.1 100 broadcast. Note that configuring a static map disables Inverse ARP for that DLCI and protocol, so mixed configurations should be checked with show frame-relay map.

Question 254

Which interface type does a PPPoE client use to establish a session?

A. Physical
B. loopback
C. virtual-template
D. dialer

Answer: D

Question 255 (posted at Q.9 of https://www.digitaltut.com/evn-vrf-questions-2)

Which value identifies VPNs in an EVN environment?

A. DLCI
B. route target
C. virtual network tag
D. VLAN ID

Answer: C

Question 256 (posted at Q.14 of https://www.digitaltut.com/dmvpn-questions)

Which two protocols are required for DMVPN? (Choose two)

A. IPSec
B. PPTP
C. mGRE
D. NHRP
E. Open VPN

Answer: C D

Explanation

DMVPN is not a protocol, it is the combination of the following technologies:
+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

DMVPN combines multipoint GRE (mGRE) tunnels, IPsec encryption and NHRP (Next Hop Resolution Protocol) to do its job, saving the administrator from defining multiple static crypto maps and providing dynamic discovery of tunnel endpoints.

Question 257

Which command do you enter to display log messages with a timestamp that includes the length of time since the device was last rebooted?

A. service timestamps log uptime
B. logging facility 20
C. service timestamps debugging localtime msec
D. logging console errors
E. logging monitor 7
F. service timestamps log datetime msec

Answer: A

Explanation

The “service timestamps log uptime” command enables timestamps on log messages that show the time elapsed since the system was rebooted (not the wall-clock time). For example:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Question 258

A network engineer executes the command “show ip eigrp vrf purple topology”. Which type of information is displayed as a result?

A. routes for a global routing table
B. updates that were sent for a specific routing table
C. active neighbors for a global routing table
D. route successors for a specific routing table

Answer: D

Question 259

A network engineer wants an NTP client to be able to update the local system without updating or synchronizing with the remote system. Which option for the ntp access-group command is needed to accomplish this?

A. Serve
B. Serve-only
C. peer
D. Query-only

Answer: A

Explanation

To control access to Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode.

NTP supports “Control messages” and “Request/Update messages”.

+ Control messages are for reading and writing internal NTP variables and obtaining NTP status information; they do not deal with time synchronization itself.
+ Request/Update messages are used for the actual time synchronization: a request packet asks for synchronization information, and an update packet carries synchronization information and may change the local clock.

When synchronizing system clocks on Cisco IOS devices, only request/update messages are used, so in this question we only care about NTP update messages.

Syntax:

ntp access-group [ipv4 | ipv6] {peer | query-only | serve | serve-only} {access-list-number | access-list-number-expanded | access-list-name} [kod]

+ Peer: permits the router to respond to NTP requests and to accept NTP updates. NTP control queries are also accepted. This is the only class which allows the router to be synchronized by the listed devices -> not the answer. In other words, the peer keyword enables the device to receive time requests and NTP control queries from, and to synchronize itself to, the servers specified in the access list.
+ Serve-only: permits the router to respond to NTP requests only. It rejects attempts to synchronize the local system time and does not accept control queries. In other words, the serve-only keyword enables the device to receive only time requests from the servers specified in the access list.
+ Serve: permits the router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted. In other words, the serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list, but not to synchronize itself to them -> this option is correct.

In summary, the answer “serve” is correct, but “serve-only” would satisfy the stated requirement too (it differs only in also rejecting control queries), so the question is not as clear as it could be.

An example of using the “ntp access-group” command is shown below:

R1(config)#ntp server 178.240.12.1
R1(config)#access-list 2 permit 165.16.4.1 0.0.0.0
R1(config)#access-list 2 deny any
R1(config)#ntp access-group peer 2 // peer only to 165.16.4.1
R1(config)#access-list 3 permit 160.1.0.0 0.0.255.255
R1(config)#access-list 3 deny any
R1(config)#ntp access-group serve-only 3 //provide time services only to internal network 160.1.0.0/16

Reference:

+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html
+ http://blog.ine.com/2008/07/28/ntp-access-control/
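To make the four access classes concrete, here is an added example (illustration code written for this page, not Cisco IOS code) that models how a router governed by the “ntp access-group” configuration above would treat an incoming NTP packet. The permission table follows the class descriptions given above; the scanning order (peer, serve, serve-only, query-only, first match wins, everything denied when groups are configured but none matches) is taken from the Cisco command reference cited above and is an assumption of the model. Message types are modelled abstractly as “request”, “update” and “control”; the addresses are the ones from the configuration above.

```python
"""Model of 'ntp access-group' evaluation (constructed example, not Cisco IOS code)."""
import ipaddress

# What a source matched by each access class is allowed to do.
PERMISSIONS = {
    "peer":       {"request", "control", "update"},   # may also synchronize us
    "serve":      {"request", "control"},
    "serve-only": {"request"},
    "query-only": {"control"},
}
# Classes are scanned from least to most restrictive; the first class whose ACL
# permits the source wins (assumption taken from the Cisco command reference).
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~w) & 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False)


def acl_action(entries, src):
    """First matching (action, network) entry wins; implicit deny otherwise."""
    for action, net in entries:
        if src in net:
            return action
    return "deny"


class NtpAccessPolicy:
    def __init__(self):
        self.groups = {}   # access class -> ACL entries

    def access_group(self, access_class, entries):
        if access_class not in PERMISSIONS:
            raise ValueError(f"unknown ntp access-group class {access_class!r}")
        self.groups[access_class] = entries
        return self

    def access_class(self, src):
        """Class governing src; 'unrestricted' if no group is configured;
        None if every configured group denies the source."""
        src = ipaddress.IPv4Address(src)
        if not self.groups:
            return "unrestricted"
        for access_class in SCAN_ORDER:
            entries = self.groups.get(access_class)
            if entries is not None and acl_action(entries, src) == "permit":
                return access_class
        return None

    def allows(self, src, msg_type):
        """msg_type is one of 'request', 'update' or 'control'."""
        if msg_type not in {"request", "update", "control"}:
            raise ValueError(f"unknown NTP message type {msg_type!r}")
        access_class = self.access_class(src)
        if access_class is None:
            return False
        if access_class == "unrestricted":
            return True
        return msg_type in PERMISSIONS[access_class]


# The configuration from the example above, expressed as ACL entries.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_2 = [("permit", wildcard_to_network("165.16.4.1", "0.0.0.0")),
         ("deny", wildcard_to_network(*ANY))]
ACL_3 = [("permit", wildcard_to_network("160.1.0.0", "0.0.255.255")),
         ("deny", wildcard_to_network(*ANY))]
R1 = NtpAccessPolicy().access_group("peer", ACL_2).access_group("serve-only", ACL_3)

# The question's scenario: anyone may read our time, nobody may set it.
SERVE_ALL = NtpAccessPolicy().access_group("serve", [("permit", wildcard_to_network(*ANY))])

if __name__ == "__main__":
    for src, kind in [("165.16.4.1", "update"), ("160.1.20.5", "request"),
                      ("160.1.20.5", "update"), ("8.8.8.8", "request")]:
        verdict = "accept" if R1.allows(src, kind) else "reject"
        print(f"R1 {kind:7} from {src:12}: {verdict}")
```

Running it shows the security-relevant distinction: 165.16.4.1 (the peer) is the only source whose update packets can change R1's clock, the internal 160.1.0.0/16 hosts can only ask for time, and any other source is rejected outright because at least one access group is configured.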

Question 260

Which option is invalid when configuring Unicast Reverse Path Forwarding?

A. allow self ping to router
B. allow default route
C. allow based on ACL match
D. source reachable via both

Answer: D

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. In strict mode, a packet is accepted only if the best route back to its source address points out the interface on which the packet was received; otherwise it is dropped as a likely spoofed packet.

uRPF.jpg

The syntax of configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables loose mode uRPF: the packet is accepted if its source address is reachable via any interface in the routing table. The rx option enables strict mode: the packet is accepted only if the route back to the source address points out the interface on which the packet was received. The allow-default option lets a default route satisfy the check (without it, a source matched only by the default route fails) -> answer “allow default route” is a valid option. The allow-self-ping option allows the router to ping its own interface addresses while uRPF is enabled -> answer “allow self ping to router” is a valid option.

Reference: http://www.cisco.com/c/en/us/td/docs/routers/10000/10008/configuration/guides/broadband/bba/urpf.pdf

Another feature of uRPF is that an access list can be specified to decide what happens to traffic that fails the check -> answer “allow based on ACL match” is a valid option. An example is shown below:

Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#interface fa0/1
Router(config-if)#ip verify unicast source reachable-via any 110

Note: traffic matched by an access-list “permit” statement is forwarded even if it fails the Unicast RPF check, while traffic matched by a “deny” statement (including the implicit deny at the end of the list) is dropped when it fails the check. In the example above, packets sourced from 192.168.1.0/24 are forwarded even if they fail the uRPF check. The remaining option, “source reachable via both”, does not correspond to any keyword of the command (the only keywords after reachable-via are rx and any), so it is the invalid option and the best answer here, even though it may be a loose paraphrase of loose mode.
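The following is an added example (illustration code written for this page, not Cisco IOS code) that models the decision logic of the command discussed above: longest-prefix lookup of the source address, strict (rx) versus loose (any) mode, the effect of allow-default, and the ACL exemption described in the note. The FIB contents, interface names and addresses are constructed for the demonstration, and allow-self-ping is simplified to “packets sourced from one of the router's own addresses pass only when the keyword is set”.

```python
"""Toy model of Cisco uRPF decision logic (constructed example, not IOS code).

Models: ip verify unicast source reachable-via {rx | any} [allow-default]
        [allow-self-ping] [access-list-number]
"""
import ipaddress
from dataclasses import dataclass, field

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' (e.g. 192.168.1.0 0.0.0.255) -> IPv4Network.
    Only contiguous wildcard masks are supported."""
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~w) & 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False)


@dataclass
class Acl:
    """Ordered permit/deny entries on the source address; implicit deny at the end."""
    entries: list = field(default_factory=list)

    def permit(self, addr, wildcard):
        self.entries.append(("permit", wildcard_to_network(addr, wildcard)))
        return self

    def deny(self, addr, wildcard):
        self.entries.append(("deny", wildcard_to_network(addr, wildcard)))
        return self

    def action(self, src):
        for action, net in self.entries:
            if src in net:
                return action
        return "deny"


@dataclass
class Urpf:
    fib: dict    # {IPv4Network: set of outgoing interfaces} (assumed routing table)
    local: set   # the router's own interface addresses, for allow-self-ping

    def reverse_path(self, src):
        """Longest-prefix match for src: (best prefix, interfaces) or (None, set())."""
        best = None
        for prefix in self.fib:
            if src in prefix and (best is None or prefix.prefixlen > best.prefixlen):
                best = prefix
        return best, (self.fib[best] if best is not None else set())

    def accept(self, src, in_if, mode="rx", allow_default=False,
               allow_self_ping=False, acl=None):
        """True if the packet passes uRPF (or is exempted by an ACL permit)."""
        src = ipaddress.IPv4Address(src)
        # allow-self-ping (simplified): packets sourced from one of the router's
        # own addresses pass only when the keyword is set.
        if src in self.local:
            return allow_self_ping
        prefix, ifaces = self.reverse_path(src)
        if prefix == DEFAULT and not allow_default:
            prefix, ifaces = None, set()   # the default route does not count
        if mode == "any":                  # loose mode: any route suffices
            passes = prefix is not None
        elif mode == "rx":                 # strict mode: must point back out in_if
            passes = in_if in ifaces
        else:
            raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
        if passes:
            return True
        # Failed RPF: an ACL permit forwards anyway; deny (explicit or implicit) drops.
        return acl is not None and acl.action(src) == "permit"


# Constructed FIB and ACL for the demonstration.
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): {"Fa0/1"},
    ipaddress.ip_network("10.2.0.0/16"): {"Fa0/2"},
    ipaddress.ip_network("10.2.5.0/24"): {"Fa0/1"},   # more specific, other interface
    DEFAULT: {"Fa0/3"},
}
ROUTER = Urpf(fib=FIB, local={ipaddress.IPv4Address("10.1.0.1")})
ACL_110 = Acl().permit("192.168.1.0", "0.0.0.255")   # like 'access-list 110' above

if __name__ == "__main__":
    print("strict, correct interface:", ROUTER.accept("10.1.7.7", "Fa0/1"))
    print("strict, spoofed source:   ", ROUTER.accept("10.1.7.7", "Fa0/2"))
    print("loose, spoofed source:    ", ROUTER.accept("10.1.7.7", "Fa0/2", mode="any"))
    print("no route, ACL exempt:     ",
          ROUTER.accept("192.168.1.9", "Fa0/2", mode="any", acl=ACL_110))
```

The 10.2.5.0/24 entry is there to show why the lookup must be longest-prefix: a packet from 10.2.5.9 arriving on Fa0/2 fails strict mode even though 10.2.0.0/16 points there, because the more specific route points out Fa0/1. It also makes visible the trade-off behind allow-default: once the default route is allowed to satisfy the check, loose mode accepts every source that is not explicitly unrouted, which is why loose mode is usually paired with a null route for bogon space rather than with allow-default.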