Most Popular Questions: Enable Secret 5 $1$Iujj$Cdz03Kkgh7Mhfx2Rsbdqp

Most Popular Questions
================= Router Questions =================
Question 192 (similar to Q.7 http://www.digitaltut.com/router-questions)
Which is the minimum privilege level to allow a user to execute all user-level commands but
prohibits enable-level commands by default?
A. level 1
B. level 0
C. level 16
D. level 15
E. level 14
Answer: A
Question 76
What command can you enter to configure an enable password that uses an encrypted
password from another configuration?
A. enable secret $abc%!e.Cd34$!ao0

B. enable secret 7 Sabc%!e.Cd34$!ao0
C. enable secret 0 Sabc%U*.Cd34$!ao0
D. enable secret 5 $abc%!e.Cd34$!ao0
E. enable secret 15 $abc%ie.Cd34$!ao0
F. enable secret 6 $abc%!e.Cd34$!ao0
Answer: D
Explanation
To determine which scheme has been used to encrypt a specific password, check the digit
preceding the encrypted string in the configuration file. If that digit is a 7, the password has
been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.
For example, in the configuration command:
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
The enable secret has been hashed with MD5, whereas in the command:
username jdoe password 7
07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
The password has been encrypted using the weak reversible algorithm.
When we enter the ―enable secret‖ command with a number after that, the IOS can specify
that the password has been encrypted so it will not encrypt any more and accept that
password.
In new Cisco IOS (v15+), it seems the device does not recognize ―enable secret 7‖ command
as encrypted password. We tried on Cisco IOS v15.4 and see this:
When we tried to enter the command ―enable secret 7

07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D‖, the Cisco IOS
automatically change the command to ―enable secret 5
$1$dLq2$qgzb4bgdsasX8dx1oHOkD.‖ (in the running-config file). So if you paste an
―enable secret 7 …‖ command from an old Cisco IOS version, you cannot login any more
with your password.
Note: In fact, there is an error with the answer D. As we entered the command in answer D,
the router denied the encrypted password because it was not a valid encrypted secret
password. That means the router also checked if the password was hashed correctly or not.
But it is the best answer in this question.
Question 108
Which is minimum level for which user can see full commands but can‘t change anything?
A. 0
B. 1
C. 14
D. 15
E. 16
Answer: B
Question 183
Which password takes precedence if you configure multiple passwords for Telnet
connections to a Cisco IOS device?
A. console line password

B. enable secret password
C. enable password
D. aux line password
Answer: B
Question 190
Which condition must be met before you can configure SSH on a device running Cisco IOS?
A. The device must have an auxilary port

B. The device must have a modem connection
C. The IOS must be a crypto in
D. Telnet must be disabled on the device
Answer: C
Explanation
To enable SSH on Cisco IOS, you need to have crypto feature in the IOS.
Question 212
Which two statements about the enable secret and enable password commands are true?
(Choose two)
A. If both commands are missing from the global configuration, vty lines use the console
password
B. The enable secret command overrides enable password
C. The enable password command has a stronger encryption algorithm than enable secret
D. The enable secret command is backwards-compatible with more versions of IOS
E. The enable secret and enable password commands must be used together
Answer: A B
================= Access-list Questions =================
Question 1
What does the following access list, which is applied on the external interface FastEthernet
1/0 of the perimeter router, accomplish?
router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log

router (config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router (config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router (config)#access-list 101 permit ip any any
router (config)#interface FastEthernet 1/0
router (config-if)#ip access-group 101 in
A. It prevents incoming traffic from IP address ranges 10.0.0.0 – 10.0.0.255, 172.16.0.0 –

172.31.255.255, 192.168.0.0 – 192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and
logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any
intrusion attempts.
D. It prevents private internal addresses to be accessed directly from outside.
Answer: C
Explanation
The first answer is not correct because the 10.0.0.0 network range is not correct. It should be
10.0.0.0. to 10.255.255.255.
Question 9
Which two statements about IP access-lists are true? (Choose two)
A. IP access-lists without at least one deny statement permit all traffic by default.
B. Extended access-lists must include port numbers.
C. They support wildcard masks to limit the address bits to which entries are applies.
D. Entries are applied to traffic in the order in which they appear.
E. They end with an implicit permit.
Answer: C D
Question 69
Which two different configuration can you apply to a deviceto block incoming SSH access?
(Choose two)
A. ipv6 access-list VTY-ACCESS-IN

sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
ipv6 access-list VTY-ACCESS-IN out
B. ipv6 access-list VTY-ACCESS-IN

line vty 0 15
ipv6 access-class VTY-ACCESS-IN out
C. ipv6 access-list VTY-ACCESS-IN

line vty 0 15
ipv6 access-class VTY-ACCESS-IN in
D. ipv6 access-list VTY-ACCESS-IN

interface Ethernet0/0
ipv6 traffic-filter VTY-ACCESS-IN in
E. ipv6 access-list VTY-ACCESS-IN

interface Ethernet0/0
ipv6 traffic-filter VTY-ACCESS-IN out
Answer: C D
Explanation
The ―ipv6 traffic-filter‖ command is used to filter IPv6 traffic flowing through an interface
while the ―ipv6 access-class‖ command is used to filter IPv6 traffic destined to the router (via
logical interfaces).
Question 213 (posted at Q.9 of http://www.digitaltut.com/access-list)
Which access list entry checks for an ACK within a packet TCP header?
A. access-list 49 permit ip any any eq 21 tcp-ack

B. access-list 49 permit tcp any any eq 21 tcp-ack
C. access-list 149 permit tcp any any eq 21 established
D. access-list 49 permit tcp any any eq 21 established
Answer: C
Explanation
The established keyword is only applicable to TCP access list entries to match TCP segments
that have the ACK and/or RST control bit set (regardless of the source and destination ports),
which assumes that a TCP connection has already been established in one direction only.
Let‘s see an example below:
Suppose you only want to allow

the hosts inside your company to telnet to an outside server but not vice versa, you can
simply use an ―established‖ access-list like this:
access-list 100 permit tcp any any established

access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out
Note:
Suppose host A wants to start communicating with host B using TCP. Before they can send
real data, a three-way handshake must be established first. Let‘s see how this process takes
place:
1. First host A will send a SYN message (a TCP segment with SYN flag set to 1, SYN is
short for SYNchronize) to indicate it wants to setup a connection with host B. This message
includes a sequence (SEQ) number for tracking purpose. This sequence number can be any
32-bit number (range from 0 to 232) so we use ―x‖ to represent it.
2. After receiving SYN message from host A, host B replies with SYN-ACK message (some
books may call it ―SYN/ACK‖ or ―SYN, ACK‖ message. ACK is short for ACKnowledge).
This message includes a SYN sequence number and an ACK number:
+ SYN sequence number (let‘s called it ―y‖) is a random number and does not have any
relationship with Host A‘s SYN SEQ number.
+ ACK number is the next number of Host A‘s SYN sequence number it received, so we
represent it with ―x+1‖. It means ―I received your part. Now send me the next part (x + 1)‖.
The SYN-ACK message indicates host B accepts to talk to host A (via ACK part). And ask if
host A still wants to talk to it as well (via SYN part).
3. After Host A received the SYN-ACK message from host B, it sends an ACK message
with ACK number ―y+1‖ to host B. This confirms host A still wants to talk to host B.
================= PPP Questions =================
Question 84
Which PPP authentication method sends authentication information in cleartext?
A. MS CHAP
B. CDPCP
C. CHAP
D. PAP
Answer: D
Explanation
Password Authentication Protocol (PAP) is a very basic two-way process. The username and
password are sent in plain text, there is no encryption or protection. If it is accepted, the
connection is allowed. The configuration below shows how to configure PAP on two routers:
R1(config)#username R2 password digitaltut1 R2(config)#username R1 password digitaltut2

R1(config)#interface s0/0/0 R2(config)#interface s0/0/0
R1(config-if)#encapsulation ppp R2(config-if)#encapsulation ppp
R1(config-if)#ppp authentication PAP R2(config-if)#ppp authentication PAP
R1(config-if)#ppp pap sent-username R1 R2(config-if)#ppp pap sent-username R2
password digitaltut2 password digitaltut1
Note: The PAP ―sent-username‖ and password that each router sends must match those
specified with the ―username … password …‖ command on the other router.
Question 107
Which two features were added in MSCHAP Version 2? (Choose two)
A. Backwards-compatibility with MSCHAP version 1

B. Using the MD5 hash for stronger security
C. Ability to change an expired password
D. Using three-way handshakes for authentication
E. Mutual authentication between peers
Answer: C E
Question 240 (posted at Q.7 of http://www.digitaltut.com/point-to-point-protocol)
Which value does a Cisco router use as its default username for CHAP authentication?
A. Its own hostname

B. chap
C. Cisco
D. ppp
Answer: A
================= PPPoE Questions =================
Question 3
Which command instruct a PPPoE client to obtain its IP address from the PPPoE server? (OR
What command is needed to get the ip address assigned from the PPPOE server?)
A. interface dialer
B. ip address negotiated
C. pppoe enable
D. ip address dhcp
E. ip address dynamic
Answer: B
Explanation
The picture below shows all configuration needed for PPPoE:

As we can see from the PPPoE Client configuration, to get the IP address assigned from the
PPPoE server the command ―ip address negotiated‖ should be used. For more information
about PPPoE configuration please read our PPPoE tutorial.
Question 13
What configurations does PPPoE allow? (Choose two)
A. Client can be installed on the same network devices as server

B. 8 clients can be configured on 1 CPE
C. Clients can connect to multiple hosts over DMVPN
D. Client connecting over ATM PVC
E. Client installed on native IPv6 network
Answer: B C
Explanation
According to this link: http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html
The PPPoE client does not support the following:

+ More than ten clients per customer premises equipment (CPE)-> This means a CPE can
support up to 10 clients so answer A is correct.
+ Coexistence of the PPPoE client and server on the same device -> answer C is not correct
In the above link there is a topology shows ―DMVPN Access to Multiple Hosts from the
Same PPPoE Client‖ -> Answer B is correct.
Question 141
Which feature can automatically assign IP addresses in a PPPoE environment?
A. DHCP
B. BOOTP
C. PPP
D. APPA
Answer: C
Explanation
The PPP negotiation includes the process of IP address assignment. An example of

configuring automatic IP address assignment in PPPoE environment is shown below:
Router:
interface Serial1/2
ip address negotiated
encapsulation ppp
Question 222
Which two commands must you configure in the calling router to support the PPPoE client?
(Choose two)
A. peer default ip address pool

B. mtu
C. bba-group pppoe
D. pppoe enable group
E. pppoe-client dial-pool-number
Answer: B E
================= CEF Questions =================

Question 29
Which Cisco Express Forwarding table or tables hold forwarding information?
A. FIB table only

B. adjacency tables only
C. FIB and adjacency tables only
D. FIB,RIB, and adjacency tables
Answer: C
Question 104
Which feature eliminates the need for Cisco Express Forwarding to maintain a route cache?
A. Adjacency table
B. RIB
C. FIB
D. MAC address table
Answer: C
Explanation
The two main components of Cisco Express Forwarding operation are the forwarding
information base (FIB) and the adjacency tables.
The forwarding information base (FIB) lookup table contains all known routes that exist in
the routing table, it eliminates the need for route cache maintenance.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/xe-
3se/5700/isw-cef-xe-3se-5700-book/ipswitch_cisco_express_forwarding.pdf
Question 125
Which Cisco Express Forwarding component maintains Layer 2 next-hop addresses that are
used for hardware switching?
A. adjacency table
B. RIB
C. ARP table
D. FIB
Answer: A
Explanation
Nodes in the network are said to be adjacent if they can reach each other with a single hop
across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2
addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB
entries.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.
html
Question 163
Refer to exhibit. What is indicated by the show ip cef command for an address?
A. CEF is unable to get routing information for this route.

B. CEF cannot switch packet for this route and passes it to the next best switching method.
C. A valid entry and is pointed to hardware based forwarding.
D. CEF cannot switch packet for this route and drops it.
Answer: B
Explanation
Glean adjacency – in short when the router is directly connected to hosts the FIB table on the
router will maintain a prefix for the subnet rather than for the individual host prefix. This
subnet prefix points to a GLEAN adjacency.
Punt adjacency – When packets to a destination prefix can‘t be CEF Switched, or the feature
is not supported in the CEF Switching path, the router will then use the next slower switching
mechanism configured on the router.
Question 177
Which three algorithms can you configure with the ip cef load-sharing algorithm
command? (Choose three)
A. per-packed
B. Tunnel
C. per-destination
D. Universal
E. Per-source
F. Include-ports
Answer: B D F
Explanation
The following load-balancing algorithms are provided for use with Cisco Express Forwarding
traffic. You select a load-balancing algorithm with the ip cef load-sharing algorithm
command.
+ Original algorithm – The original Cisco Express Forwarding load-balancing algorithm
produces distortions in load sharing across multiple routers because the same algorithm was
used on every router. Depending on your network environment, you should select either the
universal algorithm (default) or the tunnel algorithm instead.
+ Universal algorithm – The universal load-balancing algorithm allows each router on the
network to make a different load sharing decision for each source-destination address pair,
which resolves load-sharing imbalances. The router is set to perform universal load sharing
by default.
+ Tunnel algorithm – The tunnel algorithm is designed to balance the per-packet load when
only a few source and destination pairs are involved.
+ Include-ports algorithm – The include-ports algorithm allows you to use the Layer 4
source and destination ports as part of the load-balancing decision. This method benefits
traffic streams running over equal cost paths that are not load shared because the majority of
the traffic is between peer addresses that use different port numbers, such as Real-Time
Protocol (RTP) streams. The include-ports algorithm is available in Cisco IOS Release
12.4(11)T and later releases.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-
mt/isw-cef-15-mt-book/isw-cef-load-balancing.html#GUID-D545ACC1-258F-4073-BC8E-
94EC30AAE924
================= Frame Relay Questions =================
Question 18
Refer to the exhibit.

A network engineer is working on the network topology and executes the command no ip
split horizon on interface S0/0 of the Hub router. What is the result of this command?
A. A routing loop is created.

B. Each of the spoke routers can see the routes that are advertised from the other spoke
routers.
C. The Spoke routers can see the routes that are advertised by the hub router.
D. The hub router can see the routes that are advertised by the spoke routers.
Answer: B
Question 21
If you convert a WAN connection with OSPF from T1 to a Frame Relay circuit, which two
actions must you take to enable the connection? (Choose two)
A. Change the OSPF network type to nonbroadcast.

B. Manually configure neighbors in the OSPF process.
C. Manually configure the hello and dead timers.
D. Change the OSPF network type to broadcast.
E. Change the OSPF network type to multipoint nonbroadcast.
Answer: A B
Explanation
Frame Relay is a non-broadcast multi-access (NBMA) environment so when migrating to a

Frame Relay circuit we must change the OSPF network to non-broadcast. This type of
network does not accept broadcast and muticast packets so we must manually configure
neighbors for OSPF.
Question 46
Which two statements about Frame Relay LMI autosense are true on a router? (Choose two)
A. It requires the LMI type to be explicitly configured

B. It operates on Frame Relay DTE interfaces
C. It operates on Frame Relay DCE interfaces
D. It operates when the line is up but the line protocol is down
E. It requires the line protocol to be up
Answer: B D
Explanation
LMI autosense is automatically enabled in the following situations:

+ The router is powered up or the interface changes state to up
+ The line protocol is down but the line is up
+ The interface is a Frame Relay DTE
+ The LMI type is not explicitly configured on the interface
Reference: CCIE Practical Studies: Security
Question 72
In a point-to-multipoint Frame Relay topology, which two methods ensure that all routing
updates are received by all EIGRP routers within the Frame Relay network? (Choose two)
A. Disable split horizon

B. Create separate address ranges
C. Use subinterface
D. Use statically defined EIGRP neighbor on the site
E. Disable EIGRP out summary
Answer: A C
Explanation
Although we can use the ―neighbor‖ command to set up EIGRP neighbor relationship but the
routes cannot be advertised from the Hub to the Spoke because of split horizon rule ->
Answer D is not correct.
To overcome the split horizon rule we can use subinterface as each subinterface is treated like
a separate physical interface so routing updates can be advertised back from Hub to
Spokes. -> Answer C is correct.
Note: The split horizon rule states that routes will not be advertised back out an interface in
which they were received on
Question 77
In which two ways can split horizon issues be overcome in a Frame Relay network
environment? (choose two)
A. Configuring one physical serial interface with Frame Relay to various remote sites.
B. Configure a loopback interface with Frame Relay to various remote sites.
C. Configuring multiple subinterfaces on a single physical interface to various remote sites.
D. Enabling split horizon.
E. Disabling split horizon.
Answer: C E
Question 80
On which two types of interface is Frame Relay switching supported? (Choose two)
A. serial interfaces
B. Ethernet interfaces
C. fiber interfaces
D. ISDN interfaces
E. auxiliary interfaces
Answer: A D
Question 123
Which task must you perform to enable a point-to-point Frame Relay connection?
A. Enable inverse ARP.

B. Configure the encapsulation type.
C. Configure static address mapping.
D. Disable inverse ARP.
Answer: C
Question 201 (same as Q.29 at http://www.digitaltut.com/new-route-questions-part-4)
Which two statements about Frame Relay Point-to-Point connections are true? (Choose two)
A. Changing a point-to-point sub interface to a different type requires the device to be
reloaded.
B. They use two DLCIs to communicate with multiple endpoints over the Frame Relay cloud.
C. The device can establish a point-to-point connection to the cloud without a DLCI.
D. They can operate normally without a DLCI map.
E. Each physical interface that extends to the Frame Relay cloud can support a single SVC.
Answer: A B
================= GRE Questions =================
Question 53
Which value does a point-to-point GRE tunnel use to identify a peer?
A. MAC address
B. configured multicast address
C. DLCI
D. IP address
E. VC ID
Answer: D
Question 60
Which two statement about GRE tunnel interface are true? (Choose two)
A. A tunnel can be established when a source the source interface is in the up/down state
B. A tunnel destination must be routable, but it can be unreachable
C. To establish a tunnel the source interface must be a loopback
D. To establish a tunnel the source interface must be up/up state
E. A tunnel destination must be a physical interface that is on up/up state
Answer: B D
Explanation
A valid tunnel destination is one which is routable (which means the destination is present or
there is a default route in the routing table). However, it does not have to be reachable ->
Answer B is correct.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html
For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and
the destination must be reachable according to your own routing table.
Question 78
A network engineer has configured GRE between two IOS routers. The state of the tunnel
interface is continuously oscillating between up and down. What is the solution to this
problem?
A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable
Answer: A
Explanation
In this question only answer A is a reasonable answer. When the state of the tunnel interface
is continuously moving between up and down we must make sure the route towards the
tunnel destination address is good. If it is not good then that route may be removed from the
routing table -> the tunnel interface comes down.
Question 79
When the tunnel interface is configured in default mode, which statement about routers and
the tunnel destination address is true?
A. The router must have a route installed towards the tunnel destination
B. The router must have wccp redirects enabled inbound from the tunnel destination
C. The router must have cisco discovery protocol enabled on the tunnel to form a CDP
neighborship with the tunnel destination
D. The router must have redirects enabled outbound towards the tunnel destination
Answer: A
Explanation
The tunnel interface is configured in default mode means the tunnel has been configured as a
point-to-point (P2P) GRE tunnel. Normally, a P2P GRE Tunnel interface comes up (up/up
state) as soon as it is configured with a valid tunnel source address or interface which is up
and a tunnel destination IP address which is routable.
Under normal circumstances, there are only three reasons for a GRE tunnel to be in the
up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in
recursion.
Therefore if a route towards the tunnel destination has not been configured then the tunnel is
stuck in up/down state.
gre/118361-technote-gre-00.html
Question 184
Which two statements about GRE tunnel keys are true? (Choose two)
A. The key ID must be the same on each device.

B. They prevent the injection of unwanted frames.
C. They prevent the injection of unwanted packets.
D. They must be stored to a keychain.
E. They provide the highest level of security that is available.
Answer: A C
Explanation
An example of using the tunnel keys is shown below:
Router(config)# interface tunnel 0

Router(config-if)# tunnel source GigabitEthernet 0/0/0
Router(config-if)# tunnel destination 10.0.2.1
Router(config-if)# tunnel key 1000
The command ―tunnel key <key-number>‖ uses the key-number argument to identify a
tunnel key that is carried in each packet. Tunnel ID keys can be used as a form of weak
security to prevent improper configuration or injection of packets from a foreign source (so E
is not correct).
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-
3s/ir-xe-3s-book/ir-impl-tun-xe.html
The GRE Tunnel Key feature enables the encapsulation router to add a four-byte key, as part
of the GRE header, during encapsulation. In the decapsulation router, the GRE key of an
incoming packet should match the key value configured under the GRE tunnel. During
decapsulation, if a mismatch between the key value of the incoming GRE packet and the
key value configured under the GRE tunnel is identified, the incoming packet is
dropped.
Question 185
R1(config-if)#interface Tunnel0
R1(config-if)#tunnel source 10.0.0.1
R1(config-if)#tunnel destination 10.0.0.2
R1(config-if)#ipv6 address k:k:k:k::1/64
R1(config-if)#ipv6 ospf 1 area 1
R1(config-if)#tunnel mode ipv6ip
!
R2(config-if)#interface Tunnel1
R2(config-if)#ipv6 address k:k:k:k::2/64
R2(config-if)#ipv6 ospf 1 area 1
R2(config-if)#tunnel mode ipv6ip
A user calls from another branch office with a request to establish a simple VPN tunnel to
test a new router‘s tunneling capability. Based on the configuration in the exhibit, which type
of tunnel was configured?
A. IPsec site-to-site
B. 6to4
C. PPTP
D. EZVPN
Answer: B
The command ―tunnel mode ipv6ip‖ is used to configure a manual IPv6 tunnel. In fact
without the keyword ―6to4‖ (in ―tunnel mode ipv6ip 6to4‖)
Question 224 (posted at Q.1 of http://www.digitaltut.com/gre-tunnel)
Refer to the exhibit. After configuring GRE between two routers running OSPF that are
connected to each other via a WAN link, a network engineer notices that the two routers
cannot establish the GRE tunnel to begin the exchange of routing updates. What is the reason
for this?
A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 57.
Answer: A
Explanation
GRE packets are encapsulated within IP and use IP protocol type 47
================= DMVPN Questions =================
Question 12
During which DMVPN phase is spoke-to-spoke communication enabled?
A. phase 2
B. phase 4
C. phase 5
D. phase 6
E. phase 1
Answer: A
Explanation
Both DMVPN Phase 2 and phase 3 support spoke to spoke communications (spokes talk to
each other directly). In this case there is only an option of phase 2 (not phase 3) so it is the
only correct answer.
Question 55
Which two statements about NHRP in a DMVPN environment are true? (Choose two)
A. It requires each endpoint to have a unique network ID

B. It routes traffic through the tunnel
C. It can identify PIM-SM RPs over a tunnel
D. It can authenticate VPN endpoints
E. It provides address resolution to route traffic
Answer: D E
Question 73
Which two phases of DMVPN allow the spoke site to create dynamic tunnels to one other?
(Choose two)
A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4
E. Phase 5
Answer: B C
Question 83
Which Cisco VPN technology can use multipoint tunnel, resulting in a single GRE tunnel
interface on the hub, to support multiple connections from multiple spoke devices?
A. DMVPN
B. GETVPN
C. Cisco Easy VPN
D. FlexVPN
Answer: A
Explanation
An mGRE tunnel inherits the concept of a classic GRE tunnel but an mGRE tunnel does not
require a unique tunnel interface for each connection between Hub and spoke like traditional
GRE. One mGRE can handle multiple GRE tunnels at the other ends. Unlike classic GRE
tunnels, the tunnel destination for a mGRE tunnel does not have to be configured; and all
tunnels on Spokes connecting to mGRE interface of the Hub can use the same subnet.
For more information about DMVPN, please read our DMVPN tutorial.
Question 148
Which two statements about NAT in a DMVPN environment are true? (Choose two)
A. A hub router can be behind a dynamic NAT on a device

B. Spoke routers can reside only on the public side of a NAT device
C. Two spokes can establish session among themselves using PAT behind different NAT
devices
D. A spoke router can be represented by a static NAT on a device
E. A hub router can use static NAT for its public IP address
Answer: D E
Explanation
With the NAT-Transparency Aware DMVPN enhancement, NHRP can learn and use the
NAT public address for its mappings as long as IPsec transport mode is used (which is the
recommended IPsec mode for DMVPN networks).
With this NAT Transparency enhancement, the hub DMVPN router can be behind the static
NAT -> E is correct.
DMVPN spokes behind NAT will participate in dynamic direct spoke-to-spoke tunnels. The
spokes must be behind NAT boxes that are preforming NAT, not PAT (so answer D is
correct). The NAT box must translate the spoke to the same outside NAT IP address for the
spoke-to-spoke connections as the NAT box does for the spoke-to-hub connection.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-
dmvpn.html#GUID-284B12C0-9F18-42EE-9A77-29D368883C45
Question 166
Which security feature can protect DMVPN tunnels?
A. IPSec
B. TACACS+
C. RTBH
D. RADIUS
Answer: A
Explanation
In DMVPN we can use IPSec to encrypt the tunnel.
Question 174
Which condition prevents the establishment of a DMVPN tunnel between two spokes?
A. The two spokes have different tunnel keepalive settings

B. HSRP is enabled on the spoke devices
C. IPSec is enabled on the spoke devices
D. The two spokes are behind different PAT devices
Answer: D
Explanation
If one spoke is behind one NAT device and another different spoke is behind another NAT
device, and Peer Address Translation (PAT) is the type of NAT used on both NAT devices,
then a session initiated between the two spokes cannot be established.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-
dt-spokes-b-nat.html
================= TCP UDP Questions =================
Question 16
Which three problems result from application mixing of UDP and TCP streams within a
network with no QoS? (Choose three)
A. starvation
B. jitter
C. latency
D. windowing
E. lower throughput
Answer: A C E
Explanation
When TCP is mixing with UDP under congestion, TCP flows will try to lower their
transmission rate while UDP flows continue transmitting as usual. As a result of this, UDP
flows will dominate the bandwidth of the link and this effect is called TCP-starvation/UDP-
dominance. This can increase latency and lower the overall throughput.
Question 31a
Which feature can mitigate fragmentation issues within network segments that are between
GRE endpoints?
A. PMTUD
B. ICMP DF bit
C. TCP Flow Control
D. TCP MSS
Answer: D (In fact A is correct too)
Explanation
The IP protocol was designed for use on a wide variety of transmission links. Although the
maximum length of an IP datagram is 65535, most transmission links enforce a smaller
maximum packet length limit, called an MTU. The value of the MTU depends on the type of
the transmission link. The design of IP accommodates MTU differences since it allows
routers to fragment IP datagrams as necessary. The receiving station is responsible for the
reassembly of the fragments back into the original full size IP datagram.
Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a

standardized technique to determine the maximum transmission unit (MTU) size on the
network path between two hosts, usually with the goal of avoiding IP fragmentation.
PMTUD was originally intended for routers in IPv4. However, all modern operating systems
use it on endpoints.
The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a
host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be
fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN
segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to
popular belief, the MSS value is not negotiated between hosts. The sending host is required to
limit the size of data in a single TCP segment to a value less than or equal to the MSS
reported by the receiving host.
TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does
not handle the case where there is a smaller MTU link in the middle between these two
endpoints. PMTUD was developed in order to avoid fragmentation in the path between the
endpoints. It is used to dynamically determine the lowest MTU along the path from a
packet‘s source to its destination.
gre/25885-pmtud-ipfrag.html (there is some examples of how TCP MSS avoids IP
Fragmentation in this link but it is too long so if you want to read please visit this link)
Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.
Question 31b
Which feature mitigates fragmentation issues caused by endpoint hosts?
A. ICMP DF bit
B. TCP Flow Control
C. TCP MSS
D. PMTU
Answer: C
Question 45
What is the default maximum segment size for TCP traffic?
A. 536
B. 1492
C. 1500
D. 1508
E. 3340
F. 4096
Answer: A
Question 57
Which two protocols can cause TCP starvation? (Choose two)
A. TFTP
B. SNMP
C. SMTP
D. HTTPS
E. FTP
Answer: A B
Explanation
TCP starvation/UDP dominance likely occurs if TCP-based applications is assigned to the

same service-provider class as UDP-based applications and the class experiences sustained
congestion.
TFTP (run on UDP port 69) and SNMP (runs on UDP port 161/162) are two protocols which
run on UDP so they can cause TCP starvation.
Note: SMTP runs on TCP port 25; HTTPS runs on TCP port 443; FTP runs on TCP port
20/21
Question 86
Which technology was originally developed for routers to handle fragmentation in the path
between end points?
A. PMTUD
B. MSS
C. windowing
D. TCP
E. global synchronization
Answer: A
Explanation
Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized

technique to determine the maximum transmission unit (MTU) size on the network path
between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was
originally intended for routers in IPv4. However, all modern operating systems use it on
endpoints.
Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.
Question 160
A network engineer applies the command ―ip tcp adjust-mss‖ under interface configuration
mode. What is the result?
A. The probability of SYN packet truncation is increased.

B. The UDP session is inversely affected.
C. The probability of dropped or segmented TCP packets is decreased.
D. The optimum MTU value for the interface is set.
Answer: C
Question 161
Which value determines the amount of traffic that a network path can hold in transit?
A. route cache setting

B. maximum window size
C. bandwidth delay product
D. MSS
Answer: C
Explanation
Bandwidth-delay product (BDP) is the maximum amount of data ―in-transit‖ at any point in
time, between two endpoints. In other words, it is the amount of data ―in flight‖ needed to
saturate the link. You can think the link between two devices as a pipe. The cross section of
the pipe represents the bandwidth and the length of the pipe represents the delay (the
propagation delay due to the length of the pipe).
Therefore the Volume of the pipe = Bandwidth x Delay. The volume of the pipe is also the
BDP.
Return to our question, the formula to calculate BDP is:
BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 =
192,000 bits
-> BDP (bytes) = 192,000 / 8 = 24,000 bytes
Therefore we need 24KB to fulfill this link.
For your information, BDP is very important in TCP communication as it optimizes the use
of bandwidth on a link. As you know, a disadvantage of TCP is it has to wait for an
acknowledgment from the receiver before sending another data. The waiting time may be
very long and we may not utilize full bandwidth of the link for the transmission.
Based on BDP, the sending host can increase the number of data sent on a link (usually by
increasing the window size). In other words, the sending host can fill the whole pipe with
data and no bandwidth is wasted.
The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a
host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be
fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN
segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to
popular belief, the MSS value is not negotiated between hosts. The sending host is required to
limit the size of data in a single TCP segment to a value less than or equal to the MSS
reported by the receiving host.
TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does
not handle the case where there is a smaller MTU link in the middle between these two
endpoints. PMTUD was developed in order to avoid fragmentation in the path between the
endpoints. It is used to dynamically determine the lowest MTU along the path from a
packet‘s source to its destination.
gre/25885-pmtud-ipfrag.html (there is some examples of how TCP MSS avoids IP
Fragmentation in this link but it is too long so if you want to read please visit this link)
Question 164
Which protocol can you use to remotely install an IOS image on a Cisco switch?
A. SFTP
B. NetFlow
C. FTP
D. SNMP
Answer: C
Explanation
We can use TFTP or FTP to install an IOS image remotely.
Question 216
Under which circumstance can TCP starvation occur?
A. when DNS and TFTP traffic are transmitted on the same link
B. when TCP traffic is blocked by an ACL
C. when UDP traffic is processed in a policy-map before TCP traffic
D. when HTTP and HTTPS traffic are transmitted on the same link
E. when TCP and UDP traffic are mixed in the same class of service
Answer: E
Question 248 (posted at Q.3 of http://www.digitaltut.com/tcp-udp-questions-2)
Which option is one way to mitigate asymmetric routing on an active/active firewall setup for
TCP-based connections?
A. performing packet captures
B. disabling asr-group commands on interfaces that are likely to receive asymmetric traffic
C. replacing them with redundant routers and allowing load balancing
D. disabling stateful TCP checks
Answer: D
Explanation
In Asymmetric routing, a packet traverses from a source to a destination in one path and takes
a different path when it returns to the source. This is commonly seen in Layer-3 routed
networks.
Issues to Consider with Asymmetric Routing
Asymmetric routing is not a problem by itself, but will cause problems when Network
Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls,
state information is built when the packets flow from a higher security domain to a lower
security domain. The firewall will be an exit point from one security domain to the other. If
the return path passes through another firewall, the packet will not be allowed to traverse the
firewall from the lower to higher security domain because the firewall in the return path will
not have any state information. The state information exists in the first firewall.
Reference:
http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200903.html
Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate
asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a
TCP connection even if the ASA didn‘t see the entire TCP 3-way handshake. This feature is
called TCP State Bypass.
Reference: https://supportforums.cisco.com/document/55536/asa-asymmetric-routing-
troubleshooting-and-mitigation
Note: The active/active firewall topology uses two firewalls that are both actively providing
firewall services.
Question 250 (posted at Q.3 of http://www.digitaltut.com/tcp-udp-questions)
Which three TCP enhancements can be used with TCP selective acknowledgments? (Choose
three)
A. header compression
B. explicit congestion notification
C. keepalive
D. time stamps
E. TCP path discovery
F. MTU window
Answer: B C D
Explanation
TCP Selective Acknowledgement (SACK) prevents unnecessary retransmissions by

specifying successfully received subsequent data. Let‘s see an example of the advantages of
TCP SACK.
TCP Selective Acknowledgement
TCP (Normal) Acknowledgement
For TCP (normal) acknowledgement, when a client requests data, server sends the first
three segments (named of packets at Layer 4): Segment#1,#2,#3. But suppose Segment#2
was lost somewhere on the network while Segment#3 stills reached the client. Client checks
Segment#3 and realizes Segment#2 was missing so it can only acknowledge that it received
Segment#1 successfully. Client received Segment#1 and #3 so it creates two ACKs#1 to alert
the server that it has not received any data beyond Segment#1. After receiving these ACKs,
the server must resend Segment#2,#3 and wait for the ACKs of these segments.
For TCP Selective Acknowledgement, the process is the same until the Client realizes
Segment#2 was missing. It also sends ACK#1 but adding SACK to indicate it has received
Segment#3 successfully (so no need to retransmit this segment. Therefore the server only
needs to resend Segment#2 only. But notice that after receiving Segment#2, the Client sends
ACK#3 (not ACK#2) to say that it had all first three segments. Now the server will continue
sending Segment #4,#5, …
The SACK option is not mandatory and it is used only if both parties support it.
The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to
notify end hosts of impending network congestion. It also provides enhanced support for TCP
sessions associated with applications, such as Telnet, web browsing, and transfer of audio and
video data that are sensitive to delay or packet loss. The benefit of this feature is the reduction
of delay and packet loss in data transmissions. Use the ―ip tcp ecn‖ command in global
configuration mode to enable TCP ECN.
The TCP time-stamp option provides improved TCP round-trip time measurements. Because
the time stamps are always sent and echoed in both directions and the time-stamp value in the
header is always changing, TCP header compression will not compress the outgoing packet.
Use the ―ip tcp timestamp‖ command to enable the TCP time-stamp option.
The TCP Keepalive Timer feature provides a mechanism to identify dead connections.
When a TCP connection on a routing device is idle for too long, the device sends a TCP
keepalive packet to the peer with only the Acknowledgment (ACK) flag turned on. If a
response packet (a TCP ACK packet) is not received after the device sends a specific number
of probes, the connection is considered dead and the device initiating the probes frees
resources used by the TCP connection.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-
3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html
================= IP Routing Questions =================
Question 38
<exhibit missing>
After configuring the routes, the network engineer executes the show ip route command.
What is the expected results?
A. Gateway of last resort is 10.0.2.1 to network 0.0.0.0

10.0.0.0/24 is subnetted, 2 subnets
C 10.0.2.0 is directly connected, FastEthernet0/0 10.0.1.0 is directly connected,
FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.0.2.1(1/0] via 10.0.1.1
Router #
B. Gateway of last resort is 10 0.2 1 to network 0 0 0 0

10 0.0 0/24 is subnetted, 1 subnet C 10.0.2.0 is directly connected, FastEthernet 0/0
S* 0.0.0 0/0 [1/0] via 10.0.2.1
Router #
C. Gateway of last resort is not set

Router #
D. Gateway of test resort is 10.0.1.1 to network 0.0.0.0 10.0.0.0/24 is subnetted 1 subnet

C 10.0.1.0 is directly connected FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.0.1.1
Router #
Answer: C
Question 98
What happens when a router receives a route with an administrative distance of 255?
A. The router installs the route as the most preferred path in the routing table.
B. The router installs the route as the least preferred path in the routing table
C. The router becomes the feasible successor for the route
D. The router is unable to install the route into the routing table
Answer: D
Question 100
Refer to the exhibit. Which networking challenge is the most important issue to address to
enable optimal communication between the networks at company A and company B?
A. IPv4 fragmentation
B. unicast flooding
C. asymmetric routing
D. UDP latency
E. IPV4 MTU
Answer: C
Question 186
A router receives a routing advertisement for 10.1.1.0/24 from an EIGRP peer and from an
OSPF peer. Which route does the router install in the routing table, and for which reason?
A. the OSPF route, because the administrative distance is lower.

B. the EIGRP route, because the metric is lower.
C. the OSPF route, because the metric is lower.
D. The EIGRP route, because the administrative distance is lower.
Answer: D
Explanation
By default the Administrative Distance of EIGRP is 90 which is smaller than that of OSPF
110 so EIGRP will be preferred over OSPF. The Administrative Distances of popular routing
protocols are shown below:
Question 194
You are configuring a static route. Which action must you take to avoid the possibility of
recursive row?
A. Use the ip route command to specify the next-hop IP address only

B. Specify the next hop a directly connected interface
C. Use the ip route command to specify both the next-hop IP address and the connected
interface
D. User the ip route command to specify the connected interface only
Answer: C
Explanation
If the interface with the next hop goes down and the next hop is reachable through a recursive
route, you should specify both the next hop IP address and the alternate interface through
which the next hop should be found. For example, ip route 0.0.0.0 0.0.0.0 Serial 3/3
192.168.20.1. This enables the static route installation to become more deterministic.
Note: A recursive static route is a route whose next hop and the destination network are
covered by another learned route in the Routing Information Base (RIB). Such static routes
cannot be installed in the RIB because they are considered redundant routes.
Reference: https://www.cisco.com/c/en/us/support/docs/dial-access/floating-static-
route/118263-technote-nexthop-00.html
Question 203
Which routing protocol routes traffic through the best path and second best path at the same
time?
A. EIGRP
B. BGP
C. OSPF
D. RIP
Answer: A or B
Explanation
Maybe this question wants to ask which routing protocols support unequal cost load
balancing. But both EIGRP and BGP support this feature (EIGRP with ―variance‖ and BGP
with ―maximum-paths‖.
Question 209
You want to configure a device to select an OSPF-learned route as the preferred path over an
EBGP-learned route. Which action must you take?
A. Increase the OSPF cost

B. Decrease the OSPF cost
C. Increase the OSPF administrative distance
D. Decrease the OSPF administrative distance
Answer: D
Explanation
The Administrative Distances of the routing protocols are compared first so we have to
decrease the OSPF administrative distance.
================= RIP & RIPng Questions =================
Question 11
A network engineer is modifying RIPng timer configuration. Which configuration mode
should the engineer use?
A. router(config)#
B. router(config-if)#
C. router(config-router)#
D. router(config-rtr)#
Answer: D
Explanation
This is how to change the timers for RIPng:
R1(config)#ipv6 router rip digitaltut

R1(config-rtr)#timers 5 15 10 30 (5: Update period; 15: Route timeout period; 10: Route
holddown period; 30: Route garbage collection period)
Note: For IPv4 RIP, we have to change the timers in ―(config-router)#‖.
Question 95
What is the default authentication in RIPv2 when authentication is enabled?
A. SHA1 authentication
B. Enable password authentication
C. Plaintext authentication
D. MD5 authentication
Answer: C
Explanation
Plain text authentication mode is the default setting in every RIPv2 packet, when
authentication is enabled. Plain text authentication should not be used when security is an
issue, because the unencrypted authentication password is sent in every RIPv2 packet.
Note: RIP version 1 (RIPv1) does not support authentication.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13719-50.html
Question 122
Two routers are configured with RIPng but can‘t form neighbors as traffic traverses a
firewall. Which port does the firewall need to permit to form neighbors?
A. TCP Port 521
B. UDP Port 521
C. TCP Port 520
D. UDP Port 520
E. IP Protocol 520
F. IP Protocol 521
Answer: B
Question 144
Which command must you configure globally to support RIPng?
A. ip routing
B. ip cef
C. ipv6 enable
D. ipv6 unicast-routing
Answer: D
Question 173
Afer configuring RIPng on two routers that are connected via a WAN link, a network
engineer notices that the two routers cannot exchange routing updates. What is the reason for
this?
A. Either a firewall between the two routers or an ACL on the router is blocking UDP 521
B. Either a firewall between the two routers or an ACL on the router is blocking TCP 520
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 521
D. Either a firewall between the two routers or an ACL on the router is blocking UDP 520
Answer: A
Explanation
Since RIPng is a new protocol, it cannot use the same UDP reserved port number 520 used
for RIPv1/RIPv2. Instead, RIPng uses well-known port number 521.
Question 175
A network engineer is enabling RIPng on a new customer link. Under which configuration
mode is RIPng enabled?
A. Global
B. Router
C. Interface
D. IPv6
Answer: C
Explanation
In order to enable RIPng, we have to do it under global configuration mode. For example:
R1(config)#ipv6 router rip RIPNG_DIGITALTUT
Then we enable RIPng on each interface:
R1(config)#interface Ethernet 0/0

R1(config-if)#ipv6 rip RIPNG_DIGITALTUT enable
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ipv6 rip RIPNG_DIGITALTUT enable
In this question they say ―enabling RIPng on a new customer link‖ so maybe RIPng was
configured previously for other customers and the first command (―ipv6 router rip
RIPNG_DIGITALTUT‖) was used so RIPng should be configured under interface. Therefore
the answer should be ―Interface‖ instead of ―Global‖.
Question 205
A route with default RIPv2 settings loses connectivity to it‘s next-hop neighbor. How long
does the router wait before removing the route to the next hop from its route table?
A. 30 seconds
B. 60 seconds
C. 180 seconds
D. 240 seconds
Answer: D
Explanation
The meanings of RIPv1 and RIPv2 timers (two versions have the same timers) are described
below:
Update: how often the router sends update. Default update timer is 30 seconds
Invalid (also called Expire): how much time must expire before a route becomes invalid
since seeing a valid update; and place the route into holddown. Default invalid timer is 180
seconds
Holddown: if RIP receives an update with a hop count (metric) higher than the hop count
recording in the routing table, RIP does not ―believe in‖ that update. Default holddown timer
is 180 seconds
Flush: how much time since the last valid update, until RIP deletes that route in its routing
table. Default Flush timer is 240 seconds
This question asks about the Flush timer, which is 240 seconds by default.
Question 109
Customer enabled new link to partner using RIPng, how and where is RIPng configured?
A. router mode
B. interface mode
C. global – (config)#ipv6 router rip ―RIPNG‖
Answer: C
Question 210
What is the maximum number of hops on a route that RIPng advertises as reachable?
A. 15
B. 30
C. 99
D. 255
Answer: A
Explanation
The maximum number of hops on RIPng is the same as RIP, which is 15. A hop-count of 16
is considered unreachable.
Question 246 (posted at Q.3 of http://www.digitaltut.com/ripng-questions)
A network engineer is troubleshooting connectivity issues with a directly connected RIPng

neighbor. Which command should show directly connected RIPng neighbor adjacencies
only?
A. router#show ipv6 rip next-hops

B. router#show ip rip neighbors
C. router#show ipv6 routers
D. router#show ipv6 rip database
Answer: A
================= OSPF Questions =================
Question 35
Which two statements about OSPF E1 routes are true? (Choose two)
A. They are preferred over interarea routes

B. They use the OSPF cost from redistribution and the OSPF cost to the ASBR.
C. They are preferred over E2 routes
D. They use only the OSPF cost to the ASBR
E. They use only the OSPF cost from redistribution
Answer: B C
Question 103
OSPF has R1 router ID 172.18.1.1. What happens when R1 configure with a new loopback
interface IP address 172.17.1.1?
A. OSPF chooses 172.17.1.1 as new router ID when R1 is rebooted.

B. OSPF chooses 192.168.21.0 as new router ID when apply new configuration.
C. OSPF chooses 172.17.1.1 as new router ID when apply new configuration.
D. OSPF retains 172.18.1.1 as router ID until interface on which is configured goes down
Answer: D
Question 113
Which two areas does OSPF send a summary route by default ? (Choose two)
A. NSSA
B. Backbone
C. Totally stubby
D. Stub
E. Normal
Answer: C D
Question 128
Refer to the exhibit. Which LSA type does R3 propagate into Area 1 for the 192.168.10.0/24
network?
A. type 3 LSA
B. type 5 LSA
C. type 7 LSA
D. type 10 LSA
Answer: C
Explanation
NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost upto
the ASBR.
Question 133
Which OSPF network type uses a DR?
A. Nonbroadcast multi-access
B. point-to-point
C. point-to-multipoint
D. point-to-point nonbroadcast
Answer: A
Question 138
What are two important differences between OSPFv2 and OSPFv3? (Choose two)
A. Only OSPFv3 provides support for IPv6.

B. Only OSPFv3 automatically chooses a router ID for the local device.
C. Only OSPFv3 supports multiple OSPF instances on a single link.
D. Only OSPFv3 automatically enables interfaces when you create them in device
configuration mode.
E. Only OSPFv3 automatically detects OSPF neighbors on an NBMA interface
Answer: A C
Question 153
Device R1 has 1 Gigabit and 10 Gigabit Ethernet interfaces, which command do you enter so
that it takes full advantage of OSPF costs?
A. R1(config-router)#auto-cost reference-bandwidth 10000

B. R1 (config route-map) #set metric 10000000000
C. R1(config-if)#ip ospf cost 10000
D. R1(config router)#auto-cost reference-bandwidth 10000000000
E. R1(config-if)#ip ospf cost 10000000000
F. R1(config-route-map) #set metric 10000
Answer: A
Explanation
The ―auto-cost reference-bandwidth‖ command affects all the OSPF costs on the local router
as all links are recalculated with formula: cost = reference-bandwidth (in Mbps) / interface
bandwidth
Therefore in this case the command ―auto-cost reference-bandwidth 10000‖ allows the local
router to calculate the link up to 10Gbps (10000 Mbps)
Question 178
Which LSA type in OSPFv3 is used for link-local updates?
A. Link LSA type 5

B. Link LSA type 8
C. Link LSA type 6
D. Link LSA type 4
Answer: B
Explanation
LSAs Type 8 (Link LSA) have link-local flooding scope. A router originates a separate link-
LSA for each attached link that supports two or more (including the originating router itself)
routers. Link-LSAs should not be originated for virtual links.
Link-LSAs have three purposes:

1. They provide the router‘s link-local address to all other routers attached to the link.
2. They inform other routers attached to the link of a list of IPv6 prefixes to associate with
the link.
3. They allow the router to advertise a collection of Options bits in the network-LSA
originated by the Designated Router on a broadcast or NBMA link.
Question 188
Which two statements about OSPFv3 are true? (Choose two)
A. The router ID is configured as an IPv6 address.

B. It uses loopback IPv6 addresses to from neighbor relationships.
C. The router ID is configured as an IPv4 address.
D. It uses LSA type 6 for intra-area prefixes.
E. It is backwards-compatible with OSPFv2 through the use of sham link.
F. It uses link-local addresses to form neighbor relationships.
Answer: C F
Question 207

You notice that traffic from R1 to the 192.168.10 0/24 network prefers the path through R3
instead of the least-cost path through R2.What is the most likely reason for this route
selection?
A. OSPF prefers external routes over interarea routes.

B. OSPF prefers interarea routes over intra-area routes.
C. OSPF prefers external routes over intra-area routes.
D. OSPF prefers intra-area routes over interarea routes.
Answer: D
Question 214 (posted at Q.1 of http://www.digitaltut.com/ospf-questions-2-2)
When OSPF is forming an adjacency, in which state does the actual exchange of the
information in the link-state database occur?
A. INIT
B. loading
C. exstart
D. exchange
Answer: B
Explanation
Loading: In this state, the actual exchange of link state information occurs. Based on the
information provided by the DBDs, routers send link-state request packets. The neighbor then
provides the requested link-state information in link-state update packets. During the
adjacency, if a router receives an outdated or missing LSA, it requests that LSA by sending a
link-state request packet. All link-state update packets are acknowledged.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13685-13.html
Question 219 (posted at Q.7 of http://www.digitaltut.com/ospf-questions)
A network engineer enables OSPF on a Frame Relay WAN connection to various remote
sites, but no OSPF adjacencies come up Which two actions are possible solutions for this
issue? (Choose Two)
A. Change the network type to point-to-multipoint under WAN interface

B. Enable virtual links
C. Change the network type to nonbroadcast multipoint access
D. Configure the neighbor command under OSPF process for each remote site
E. Ensure that the OSPF process number matches among all remote sites
Answer: A D
Explanation
When OSPF is run on a network, two important events happen before routing information is
exchanged:
+ Neighbors are discovered using multicast hello packets.
+ DR and BDR are elected for every multi-access network to optimize the adjacency building
process. All the routers in that segment should be able to communicate directly with the DR
and BDR for proper adjacency (in the case of a point-to-point network, DR and BDR are not
necessary since there are only two routers in the segment, and hence the election does not
take place).
For a successful neighbor discovery on a segment, the network must allow broadcasts or
multicast packets to be sent.
In an NBMA network topology, which is inherently nonbroadcast, neighbors are not

discovered automatically. OSPF tries to elect a DR and a BDR due to the multi-access
nature of the network, but the election fails since neighbors are not discovered. Neighbors
must be configured manually to overcome these problems -> C is not correct while D is
correct.
In Point-to-Multipoint network: This is a collection of point-to-point links between various

devices on a segment. These networks also allow broadcast or multicast packets to be sent
over the network. These networks can represent the multi-access segment as multiple point-
to-point links that connect all the devices on the segment. -> A is correct.
Question 225 (posted at Q.26 of http://www.digitaltut.com/new-route-questions-part-4)
Which two OSPF router types can perform summarization in an OSPF network? (Choose
two)
A. summary router
B. area border router
C. autonomous system boundary router
D. internal router
E. backbone router
Answer: B C
Question 232 (posted at Q.6 of http://www.digitaltut.com/ospf-questions-3-2)
If you want to migrate an IS-IS network to another routing protocol. Which routing protocols
should you choose? (Choose two)
A. UDP
B. internal BGP
C. TCP/IP
D. EIGRP
E. OSPF
F. RIP
Answer: D E
Explanation
IS-IS is an interior gateway protocol (IGP), same as EIGRP and OSPF so maybe they are the
best answers. Although RIP is not a wrong choice but it is not widely used because of many
limitations (only 15 hops, long convergence time…).
================= EIGRP Questions =================
Question 5
A router was configured with the ―eigrp stub‖ command. The router advertises which types
of routes?
A. connected, static, and summary

B. static and summary
C. connected and static
D. connected and summary
Answer: D
Explanation
The ―eigrp stub‖ command is equivalent to the ―eigrp stub connected summary‖ command
which advertises the connected routes and summarized routes.
Note: Summary routes can be created manually with the summary address command or
automatically at a major network border router with the auto-summary command enabled.
Question 17
All interfaces on each router are participating in the EIGRP 100 process. Interface Loopback
2 on HQR2 is currently in shutdown mode. An engineer issues the eigrp stub command on
router BR1. Which statements about the query messages sent from router HQ-R2 for a route
to reach the 12.12.12.12/32 network is true?
A. Router HQ-R2 sends a query message to the feasible successor for a route to
12.12.12.12/32 network.
B. BR1 receives query messages from HQ-R2 for a route to 12.12.12.12/32 network.
C. Router HQ-R1 receives query messages from HQ-R2 for a route to 12.12.12.12/32
network.
D. Router HQ-R1 and BR1 receives query messages from HQ-R2 for a route to 12.12.12/32
network.
Answer: C
Explanation
Router BR1 has been configured ―stub‖ so HQ-R2 will not send query to BR1 as it believes
this is a stub network. Query is only sent to HQ-R1.
Question 28
router eigrp 65535

no auto-summary
network 10.0.0.0 0.0.0.255
router ospf 1
network 192.168.5.0 0.0.0.255 area 0
passive-interface loopback0
redistribute eigrp 65535
If this configuration is applied to a device that redistributes EIGRP routes into OSPF. which
two statements about the behavior of the device are true? (Choose two)
A. EIGRP routes appear in the routing table as E2 OSPF routes

B. The device router ID is set to Loopback0 automatically
C. The device redistributes all EIGRP networks into OSPF
D. EIGRP routes appears in the routing table as N2 OSPF routes
E. The device redistributes only classful EIGRP networks into OSPF
F. EIGRP routes appears as type 3 LSAs in the OSPF database
Answer: C E
Explanation
Answer A is not correct because only EIGRP routes of routers whose receive the routing
advertisements of the local router appear in the routing table as E2 OSPF routes.
Answer B is not correct as this router may have other loopback interfaces which have higher
IP address than loopback0
Answer C is correct as there is no route-map to limit which routes are redistributed into
OSPF. Therefore by default all EIGRP routes will be redistributed
Answer D is not correct as N2 routes only appear when redistributing into Not-so-stubby-area
(NSSA)
Answer E is correct as there is no ―subnets‖ keyword when redistributing into OSPF so only
classful EIGRP networks will be redistributed
Answer F is not correct as EIGRP routes will appear as LSA type 5, not type 3.
Question 30
The excerpt was taken from the routing table of router SATX. Which option ensures that
routes from 51.51.51.1 are preferred over routes from 52.52.52.2?
A. SATX(config-router)#distance 90 51.51.51.1 0.0.0.0
B. SATX(config-router)#distance 89.52.52.52.2 0.0.0.0
C. SATX(config-router)#distance 90.52.52.52.2 0.0.0.0
D. SATX(config-router)#administrative distance 91 51.51.51 0.0.0.0
E. SATX(config-router)#distance 89 51.51.51.1 0.0.0.0
F. SATX(config-router)#administrative distance 91 52.52.52.2 0.0.0.0
Answer: E
Explanation
The syntax of ―distance‖ command is:
distance {ip-address {wildcard-mask}} [ip-standard-list] [ip-extended-list]
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfindp
1.html
Question 39
Which two options can you use to configure an EIGRP stub router? (Choose two)
A. summary-only
B. receive-only
C. external
D. summary
E. totally-stubby
F. not-so-stubby
Answer: B D
Explanation
To configure EIGRP stub we can use this syntax:
router(config-router)# eigrp stub [receive-only | connected | static | summary]
Question 42
Which two types of authentication does EIGRP offer? (Choose two)
A. TKIP
B. MD5
C. WPA
D. Plain Text
Answer: B D
Question 43
Which three statements about IPv6 EIGRP are true? (Choose three)
A. EIGRP neighbor relationships are formed using the link-local address.

B. EIGRP neighbor relationships can be formed only on the configured IPv6 address
C. It supports EUI-64 addresses only.
D. EIGRP route advertisement is configured under the interface configuration.
E. An IPv6 EIGRP router ID is required.
Answer: A D E
Question 111 (posted at http://www.digitaltut.com/eigrp-questions)
What is EIGRP Summary Route Administrative Distance?
A. 90
B. 170
C. 5
D. 110
Answer: C
Explanation
The ―ip summary-address eigrp‖ command is used to configure interface-level address

summarization. EIGRP summary routes are given an administrative distance value of 5. The
administrative distance metric is used to advertise a summary without installing it in the
routing table.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/command/reference/ire_book/ire_i1.
html
Question 117
Which EIGRP packets use unreliable delivery? (Choose two)
A. Query
B. Reply
C. Request
D. Hello
E. Update
Answer: C D
Question 118
What is used in EIGRP metric calculation?
A. Maximum bandwidth on the path

B. Option about bandwidth
C. Average bandwidth on the path
D. Minimum bandwidth on the path
Answer: D
Explanation
The formula to calculate EIGRP metric is:
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] * [K5/(reliability +

K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] if K5 = 0
By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0 which means that the default values use

only bandwidth & delay parameters while others are ignored. The metric formula is now
reduced:
metric = bandwidth + delay
The bandwidth is defined as the slowest bandwidth in the route to the destination.
Question 119
How EIGRP metric is calculated?
A. Bandwidth+Delay
B. Bandwidth*Delay
C. Bandwidth-Delay
D. Bandwidth/Delay
Answer: A
Question 120
Which statements are true to configure IPv6 EIGRP configuration for route advertisements?
(Choose two)
A. Route advertisements are configured at the router global configuration

B. Route advertisements are configured at the interface configuration
C. An IPv6 router ID
D. Uses link-local IP address for route advertisements
E. IPv6 EIGRP uses only the configured IPv6 global addresses for communication
Answer: B D
Question 126
Which task must you preform to implement EIGRP for IPv6 on a device?
A. Use the ipv6 cef command to enable Cisco Express Forwarding on the device
B. Configure a loopback interface on the device
C. Manually configure the router ID
D. Statically configure a neighbor statement
Answer: C
Question 127
Which two features are provided by EIGRP for IPv6? (Choose two)
A. Backbone areas
B. SPF algorithm
C. Partial updates
D. Area border router
E. Scaling
Answer: C E
Question 146
Which two packet type can an EIGRP router send when a route goes into the Active state?
(Choose two)
A. reply
B. request
C. hello
D. update
E. query
Answer: A E
Explanation
The route is in Active state when a router is undergoing a route recomputation. If there are
always feasible successors, a route never has to go into Active state and avoids a route
recomputation.
When there are no feasible successors, a route goes into Active state and a route
recomputation occurs. A route recomputation commences with a router sending a query
packet to all neighbors. Neighboring routers can either reply if they have feasible successors
for the destination or optionally return a query indicating that they are performing a route
recomputation.
EIGRP uses five packet types:

+ Hello/Acks
+ Updates
+ Queries
+ Replies
+ Requests
Queries and replies are sent when destinations go into Active state. Queries are always
multicast unless they are sent in response to a received query. In this case, it is unicast back to
the successor that originated the query. Replies are always sent in response to queries to
indicate to the originator that it does not need to go into Active state because it has feasible
successors. Replies are unicast to the originator of the query. Both queries and replies are
transmitted reliably.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-
routing-protocol-eigrp/13669-1.html
Question 150
Which two EIGRP metrics have nonzero K values by default? (Choose two)
A. reliability
B. delay
C. cost
D. load
E. bandwidth
Answer: B E
Explanation

K4)] if K5 > 0

reduced:
-> K1 and K3 have nonzero values by default.
Question 151
Refer to the exhibit. You want router R1 to perform unequal-cost routing to the
192.168.10.0/24 network. What is the smallest EIGRP variance value that you can configure
on R1 to achieve this result?
A. 1
B. 2
C. 3
D. 4
Answer: C
Explanation
When using the variance command, EIGRP will add a feasible successor to the route table if
the feasible successor has a feasible distance that is less than or equal to the product of the
feasible distance of the successor times the variance setting and the feasibility condition is
met. In math terms:
FD (of the FS) <= FD (of the S) * variance
FD – feasible distance
FS – feasible successor
S – successor
In this question the FD of the successor is 150 (from R1 to R2) and the FD of the feasible
successor is 300 + 150 = 450. Therefore we can deduce the minimum value of the variance
must be 3 so that 450 <= 150 * 3 -> C is the best answer.
Note: In fact the route R1 – R3 – R2 does not satisfy the feasibility condition which states:
―To qualify as a feasible successor, a router must have an AD less than the FD of the current
successor route‖
But in this question the AD from R3 is 150 which is equal to the FD of the current successor
route (from R1 to R2) so the feasibility condition is not met. However we still have to choose
one best answer.
Question 167
What happens when two EIGRP peers have mismatched K values?
A. The two devices are unable to correctly perform equal-cost routing

B. The two devices fail to perform EIGRP graceful shutdown when one device goes down
C. The two devices fail to form an adjacency
D. The two devices are unable to correctly perform unequal-cost load balancing
Answer: C
Question 170
When an EIGRP router discovers a new neighbor, which packet type does the router send to
help the neighbor build its topology table?
A. replies
B. requests
C. updates
D. queries
Answer: C
Explanation
EIGRP use five types of packets to communicate:
+ Hello: used to identify neighbors. They are sent as periodic multicasts

+ Update: used to advertise routes, only sent as multicasts when something is changed
+ Ack: acknowledges receipt of an update. In fact, Ack is Hello packet without data. It is
always unicast and uses UDP.
+ Query: used to find alternate paths when all paths to a destination have failed
+ Reply: is sent in response to query packets to instruct the originator not to recompute the
route because feasible successors exist. Reply packets are always unicast to the originator of
the query
Question 195
R1
interface Loopback0
ip address 172.16.1.1. 255.255.255.255
interface FastEthernet0/0
ip address 192.168.10.33 255.255.255.224
router eigrp 100
eigrp router-id 172.16.1.1
no auto-summary
network 192.168.10.0
network 172.16.0.0
R2
interface Loopback0
ip address 172.16.2.2 255.255.255.255
ip address 192.168.10.17 255.255.255.240
router eigrp 100
eigrp router-id 172.16.2.2
network 192.168.10.0
network 172.16.0.0
R1 and R2 are unable to establish an EIGRP adjacency. Which action corrects the problem?
A. Change the eigrp route-id on one of the routers so that values on the two routers are
different.
B. Add the no auto-summary command to the R2 configuration so that it matches the R1
configuration
C. Change the autonomous system number on one of the routers so that each router has
different values
D. Change the IP address and subnet mask on R2 so that is on the same subnet as R1.
Answer: D
Question 220
Which calculation is used to determine the default EIGRP metric?
A. bandwidth * delay
B. bandwidth + delay
C. bandwidth – delay
D. bandwidth / delay
Answer: B
Explanation

K4)] if K5 > 0

reduced:
The bandwidth is defined as the slowest bandwidth in the route to the destination.
Question 223 (posted at Q.3 of http://www.digitaltut.com/eigrp-questions)
Other than a working EIGRP configuration, which option must be the same on all routers for
EIGRP authentication key rollover to work correctly?
A. SMTP
B. SNMP
C. Passwords
D. Time
Answer: D
Explanation
Requirements
+ The time must be properly configured on all routers.
+ A working EIGRP configuration is recommended.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-
routing-protocol-eigrp/82110-eigrp-authentication.html
================= BGP Questions =================
Question 32
Based on the output, which option is the next hop to get to the 130.0.1.0/24 network?
A. 10.30.30.1
B. 10.0.11.1
C. 10.20.20.1
D. 10.10.10.1
Answer: C
Explanation
This is the BGP routing table. Only the best entry of each prefix (marked with ―>‖) is placed
into the routing table. In the output above, the next hop 130.0.1.0/24 network can be reached
via three next hops (which are 10.10.10.1; 10.30.30.1 and 10.20.20.1) but only 10.20.20.1 is
the best path and is placed into the routing table.
Question 101
Which two conditions can cause BGP neighbor establishment to fail? (Choose two)
A. There is an access list blocking all TCP traffic between the two BGP neighbors.
B. The IBGP neighbor is not directly connected.
C. BGP synchronization is enabled in a transit autonomous system with fully-meshed IBGP
neighbors.
D. The BGP update interval is different between the two BGP neighbors.
E. The BGP neighbor is referencing an incorrect autonomous system number in its neighbor
statement.
Answer: A E
Explanation
An underlying connection between two BGP speakers must be established before any routing
information is exchanged. This connection takes place on TCP port 179 so if an access list
blocks all TCP traffic between the two BGP neighbors, BGP neighbor relationship can not be
established -> A is correct.
The IBGP neighbors don‘t need to be directly connected -> B is not correct.
BGP synchronization only prevents routes sent to other EBGP neighbors before that route
exists in the routing table. It doesn‘t prevent BGP neighbor relationship -> C is not correct.
After the first initial exchange (which exchanges routes and synchronize their tables), a BGP
speaker will only send further updates upon a change in the network topology -> BGP does
not have a fixed update interval -> D is not correct.
BGP neighbor relationship is established when both ends (routers) are manually configured
with the ―neighborneighbor-IP remote-as neighbor-AS‖ command on both sides of the
connection. If the neighbor-AS is wrong, the neighbor relationship can not be established ->
E is correct.
Question 114
Which BGP option is required when load sharing over multiple equal-bandwidth parallel
from a single CE router to a single ISP router over eBGP?
A. eBGP Multipath
B. eBGP Multihop
C. BGP Synchronization
D. Public AS numbers
Answer: A
Explanation
The BGP Multipath Load Sharing for eBGP and iBGP feature allows you to configure
multipath load balancing with both external BGP (eBGP) and internal BGP (iBGP) paths in
Border Gateway Protocol (BGP) networks that are configured to use Multiprotocol Label
Switching (MPLS) Virtual Private Networks (VPNs).
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxeibmp.html
Question 129
Which two options are benefits of BGP peer groups? (Choose two)
A. A configuration change can be applied simultaneously to all peers in the peer group
B. They can optimize backdoor routes
C. They can be updated via multicast
D. Each neighbor in a peer group can have different inbound BGP policies
E. They use soft updates to minimize bandwidth consumption
F. They support groups of paths
Answer: A D
Explanation
Answer A is surely correct as the main purposes (and advantages) of BGP peer groups are to
simplify the BGP configuration and reduce the amount of system resources (CPU and
memory) necessary in an update generation.
Requirements of Peer Groups
Peer groups have these requirements:
+ All members of a peer group must share identical outbound announcement policies (such as
distribute-list, filter-list, and route-map), except for default-originate, which is handled on a
per-peer basis even for peer group members.
+ You can customize the inbound update policy for any member of a peer group -> D is
correct.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-
bgp/13755-29.html
Question 130
Which criterion does the BGP maximum paths feature use for load balancing?
A. MED
B. local preference
C. weight
D. router ID
Answer: C
Explanation
BGP selects only one best path for each prefix it receives then installs in the IP routing table.
So whenever we need load-balancing across different paths, we have to enable BGP
multipath, by the ―maximum-paths‖ command.
There‘s a criteria and several conditions that BGP checks before selecting additional paths in
parallel with the best one. The following attributes of parallel paths have to match with the
best path:
+ Weight
+ Local Pref
+ Origin
+ AS-Path Length
+ MED
+ Neighbor AS or Sub-AS match for (eBGP multipath)
+ AS-PATH match (for eiBGP multipath)
+ IGP metric to BGP next hop
Question 149
Which adverse circumstance can the TTL feature prevent?
A. routing loops
B. DoS attacks
C. link saturation
D. CAM table overload
Answer: B
Explanation
This question mentions about the TTL Security Check for multihop BGP Peering Sessions.
The BGP Support for TTL Security Check feature provides an effective and easy-to-deploy
solution to protect eBGP peering sessions from CPU utilization-based attacks. When this
feature is enabled, a host cannot attack a BGP session if the host is not a member of the local
or remote BGP network or if the host is not directly connected to a network segment between
the local and remote BGP networks. This solution greatly reduces the effectiveness of DoS
attacks against a BGP autonomous system. An example of configuring this feature is shown
below:
Router(config)# router bgp 65000

Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2
This sets the expected incoming TTL value for a directly connected eBGP peer. The hop-
count argument is set to 2 configuring BGP to only accept IP packets with a TTL count in the
header that is equal to or greater than 253. If the 10.1.1.1 neighbor is more than 2 hops away,
the peering session will not be accepted.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.pdf
Question 156
Which two tasks must you perform to configure a BGP peer group? (Choose two)
A. Configure the soft-update value

B. Activate the default route
C. Set the advertisement interval
D. Activate each neighbor
E. Assign neighbors to the peer group
Answer: D E
Question 189
Which criterion does BGP evaluate first when determining the best path?
A. MED value
B. neighbor address
C. local preference value
D. weight
Answer: D
Explanation
This list provides the rules that are used to determine the best path:
1. Prefer the path with the highest WEIGHT.

2. Prefer the path with the highest LOCAL_PREF.
3. Prefer the path that was locally originated via a network or aggregate BGP subcommand or
through redistribution from an IGP.
4. Prefer the path with the shortest AS_PATH
5. Prefer the path with the lowest origin type.
6. Prefer the path with the lowest multi-exit discriminator (MED)
7. Prefer eBGP over iBGP paths
8. Prefer the path with the lowest IGP metric to the BGP next hop.
9. Determine if multiple paths require installation in the routing table for BGP Multipath.
10. When both paths are external, prefer the path that was received first (the oldest one).
11. Prefer the route that comes from the BGP router with the lowest router ID
12. If the originator or router ID is the same for multiple paths, prefer the path with the
minimum cluster list length
13. Prefer the path that comes from the lowest neighbor address
For more information about above list, please read this link:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html
Question 230
Which command do you enter on router R6 so that BGP supports multiple protocols?
A. R6(config-router)#no bgp default ipv4-unicast

B. R6(config-router)#bgp default ipv4-multicast
C. R6(config-router-af)#no bgp default ipv4-muticast
D. R6(config-router-af)#bgp additional-paths install
E. R6(config-router)#no address-family ipv4 unicast
Answer: A
Explanation
The command ―no bgp default ipv4-unicast‖ disables the default behavior of BGPv4 to
advertise only IPv4 unicast routes. It enables Multi protocol BGP mode where multiple
address families can be negotiated during the BGP session setup when the two peers
exchange the respective capabilities
Question 233 (posted at Q.5 of http://www.digitaltut.com/bgp-questions)
Which two BGP neighbor states are valid? (Choose two)
A. Established
B. Active
C. Stuck in active
D. 2-WAY
E. Unknown
F. DROTHER
Answer: A B
Explanation
BGP Neighbor states are: Idle – Connect – Active – Open Sent – Open Confirm – Established
================= Redistribution Questions =================
Question 102
router eigrp 1
redistribute bgp 1 route-map BGP_DEFAULT_ROUTE_RM
network 2.0.0.0
route-map BGP_DEFAULT_ROUTE_RM permit 10
match ip address prefix-list DEFAULT_ROUTE_PL
ip prefix-list DEFAULT_ROUTE_PL seq 10 permit 0.0.0.0/0
For which reason is EIGRP failing to redistribute the default route?
A. The EIGRP process is missing the default metric.

B. The EIGRP process is missing the no auto-summary command.
C. The EIGRP process is missing the router ID.
D. The route-map statement is missing the match any keyword.
Answer: A
Explanation
When redistributing into EIGRP, we have to configure the five metrics or redistribution
would not work because of incompatible metrics.
Question 115 (posted at http://www.digitaltut.com/eigrp-questions)
Refer to the exhibit. Which option describes why the EIGRP neighbors of this router are not
learning routes that are received from OSPF?
router eigrp 1
redistribute ospf 100
network 10.10.10.0 0.0.0.255
auto-summary
!
router ospf 100
network 172.16.0.0 0.0.255.255 area 100
redistribute eigrp 1
A. The subnet defined in OSPF is not part of area 0

B. Default metrics are not configured under EIGRP
C. There is no overlap in the subnets advertised
D. The routing protocols do not have the same AS number
Answer: B
Explanation
When redistributing into RIP, EIGRP (and IGRP) we need to specify the metrics or the
redistributed routes would never be learned. In this case we need to configure like this:
router eigrp 1
redistribute ospf 100 metric 10000 100 255 1 1500
Question 142
Refer to the exhibit. How does R1 handle the route to network 10.1.80.0/24?
R1
router eigrp 1
no auto-summary
redistribute ospf 1 route-map ospf-to-eigrp
default-metric 10000 10 255 1 1500
ip prefix-list ccnp1 seq 5 permit 10.1.48.0/24 le 24

route-map ospf-to-eigrp permit 10
match ip address prefix-list ccnp1
route-map ospf-to-eigrp permit 20
match ip address prefix-list ccnp2
A. R1 redistributes network 10.1.80.0/24 into EIGRP without changing the mask

B. R1 changes the mask to /32 and then redistributes network 10.1.80.0/24 into EIGRP as a
classful network
C. R1 changes the mask to /32 and then redistributes network 10.1.80.0/24 into EIGRP as a
classless network
D. R1 fails to redistribute network 10.1.80.0/24 into EIGRP
Answer: A
Explanation
The prefix-list ccnp2 allows any subnet of that main prefix 10.1.80.0/24 as every mask is
surely less or equal than 32 bits (/32).
Question 202
Which option is an invalid redistribute command option for redistributing routes from EIGRP
into OSPF?
A route map
B. tag
C. access list
D. metric
Answer: C
Explanation
An example of configuring redistributing routes from EIGRP into OSPF with metric is shown
below:
router ospf 1
redistribute eigrp 1111 metric 200 subnets
With route map:
router ospf 1
redistribute eigrp 1 subnets route-map eigrp-to-ospf
With tag:
router ospf 1
redistribute eigrp 1 subnets tag 190
================= IP Prefix-list Questions =================
Question 33
Which command denies the default route?
A. ip prefix-list deny-route seq 5 deny 0.0.0.0/32

B. ip prefix-list deny-route seq 5 deny 0.0.0.0/8
C. ip prefix-list deny-route seq 5 deny 0 0 0.0/0
D. ip prefix-list deny-route seq 5 deny 0.0.0.0/16
Answer: C
================= DHCP & DHCPv6 Questions =================
Question 51
A network engineer is configuring a DHCP server to support a specialized application. Which

additional DHCP feature must be enabled to support the delivery of various additional
parameters to DHCP clients?
A. modules
B. vendor extensions
C. options
D. Scopes
Answer: C
Question 66
After testing various dynamic IPv6 address assignment methods, an engineer decides that
more control is needed when distributing addresses to clients. Which two advantages does
DHCPv6 have over EUI-64 (Choose two)
A. DHCPv6 requires less planning and configuration than EUI-64 requires.

B. DHCPv6 allows for additional parameters to be sent to the client, such as the domain name
and DNS server.
C. DHCPv6 providers tighter control over the IPv6 addresses that are distributed to clients.
D. DHCPv6 does not require the configuration of prefix pools.
E. DHCPv6 does not require neighbor and router discovery on the network segment.
Answer: B C
Explanation
Extended Unique Identifier (EUI) allows a host to assign itself a unique 64-Bit IPv6 interface
identifier (EUI-64). This feature is a key benefit over IPv4 as it eliminates the need of manual
configuration or DHCP as in the world of IPv4. The IPv6 EUI-64 format address is obtained
through the 48-bit MAC address. The MAC address is first separated into two 24-bits, with
one being OUI (Organizationally Unique Identifier) and the other being NIC specific. The
16-bit 0xFFFE is then inserted between these two 24-bits for the 64-bit EUI address. IEEE
has chosen FFFE as a reserved value which can only appear in EUI-64 generated from the an
EUI-48 MAC address.
Question 67
Which three options are valid DHCPv6 functions? (Choose three)
A. Server
B. Client
C. Approver
D. Requester
E. ACK
F. Relay
Answer: A B F
Explanation
Most vendor‘s routers/switches have the ability to function as:

+ A DHCP client and obtain an interface IPv4 address from an upstream DHCP service
+ A DHCP relay and forward UDP DHCP messages from clients on a LAN to and from a
DHCP server
+ A DHCP server whereby the router/switch services DHCP requests directly
Question 70
DHCPv6 can obtain configuration parameters from a server through rapid two-way message
exchange. Which two steps are involved in this process? (Choose two)
A. solicit
B. advertise
C. request
D. auth
E. reply
Answer: A E
Question 94
Which set of actions does a network engineer perform to set the IPv6 address of a DHCP
relay server at the VLAN interface level?
A. Enter the VLAN interface configuration mode and define the IPv6 address of a DHCP
relay server
B. Enter the global configuration mode and enable the IPv6 DHCP relay
C. Enter the global configuration mode, enable IPv6 DHCP relay from interface
configuration mode and define the IPv6 address of a DHCP relay server
D. Enter the VLAN interface configuration mode, enable IPv6 DHCP relay, and define the
IPv6 address of a DHCP relay server
Answer: D
Explanation
An example of how to set the IPv6 address of a DHCP relay server at the VLAN interface
level:
host1/Admin(config)# interface vlan 50

host1/Admin(config-if)# ipv6 dhcp relay enable
host1/Admin(config-if)# ipv6 dhcp relay server 2001:DB8:1::1/64
Reference:
https://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/c
ommand/reference/ACE_cr/if.html
Question 96
Where must a network engineer configure the ip helper-address command on a router?
A. On the interface that will receive the broadcasts

B. On the DHCP configuration
C. the interface that is closed to the destination DHCP server
D. on the global configuration mode
Answer: A
Question 158
When a new PC is connected to the network, which step must it take first to receive a DHCP
address?
A. It sends a DHCPHELLO message to the DHCP server IP address

B. It sends a DHCPREQUEST message to the DHCP server IP address
C. It sends a DHCPREQUEST message to 255.255.255.255
D. It sends a DHCPDISCOVER message to 255.255.255.255
Answer: D
Explanation
When a client boots up for the first time (or try to join a new network), it needs to obtain an
IP address to communicate. So it first transmits a DHCPDISCOVER message on its local
subnet. Because the client has no way of knowing the subnet to which it belongs, the
DHCPDISCOVER is an all-subnets broadcast (destination IP address of 255.255.255.255,
which is a layer 3 broadcast address) and a destination MAC address of FF-FF-FF-FF-FF-FF
(which is a layer 2 broadcast address). The client does not have a configured IP address, so
the source IP address of 0.0.0.0 is used. The purpose of DHCPDISCOVER message is to try
to find out a DHCP Server (a server that can assign IP addresses).
To learn more about the whole DHCP process, please read our DHCP tutorial.
Question 168
Which two tasks does a DHCP relay agent perform? (Choose two)
A. It forwards DHCPOFFER and DHCPCOMPLETE messages to the DHCP client

B. It forwards DHCPDISCOVER and DHCPREQUEST messages to the DHCP server
C. It forwards DHCPHELLO and DHCPREQUEST messages to the DHCP server
D. It forwards DHCPREQUEST and DHCPACK messages to the DHCP server
E. It forwards DHCPOFFER and DHCPACK messages to the DHCP client
Answer: B E
Explanation
A DHCP relay agent is any host that forwards DHCP packets between clients and servers.
Relay agents are used to forward requests (which includes the DHCPDISCOVER) and
replies (which includes DHCPOFFER) between clients and servers when they are not on the
same physical subnet.
Question 236 (posted at Q.6 of http://www.digitaltut.com/dhcp-dhcpv6-questions)
Consider this scenario. TCP traffic is blocked on port 547 between a DHCPv6 relay agent
and a DHCPv6 server that is configured for prefix delegation. Which two outcomes will
result when the relay agent is rebooted? (Choose two)
A. Routers will not obtain DHCPv6 prefixes.

B. DHCPv6 clients will be unreachable.
C. Hosts will not obtain DHCPv6 addresses.
D. The DHCPv6 relay agent will resume distributing addresses.
E. DHCPv6 address conflicts will occur on downstream clients.
Answer: A D
Explanation
Note: A DHCPv6 relay agent is used to relay (forward) messages between the DHCPv6 client
and server.
Servers and relay agents listen for DHCP messages on UDP port 547 so if a DHCPv6 relay
agent cannot receive DHCP messages (because of port 547 is blocked) then the routers
(clients) will not obtain DHCPv6 prefixes.
We are not sure about answer D but maybe it is related to the (absence of) ―Reload Persistent
Interface ID‖ in DHCPv6 Relay Options. This feature makes the interface ID option
persistent. The interface ID is used by relay agents to decide which interface should be used
to forward a RELAY-REPLY packet. A persistent interface-ID option will not change if the
router acting as a relay agent goes offline during a reload or a power outage. When the router
acting as a relay agent returns online, it is possible that changes to the internal interface index
of the relay agent may have occurred in certain scenarios (such as, when the relay agent
reboots and the number of interfaces in the interface index changes, or when the relay agents
boot up and has more virtual interfaces than it did before the reboot). This feature prevents
such scenarios from causing any problems.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-
e/dhcp-15-e-book/dhcp-15e-book_chapter_010.html
Question 237 (posted at Q.8 of http://www.digitaltut.com/dhcp-dhcpv6-questions)
Refer in the exhibit.
ip helper-address 192.168.145.5
A packet capture indicates that the router is not forwarding the DHCP packets that it receives
on interface FastEthernet0/0. Which command needs to be entered in global configuration
mode to resolve this issue?
A. ip helper-address
B. ip DHCP relay
C. service DHCP
D. ip forward-protocol
Answer: B
Explanation
The ―ip helper-address‖ command is only configured in interface mode so it is not the correct
answer.
Note: The Cisco IOS software provides the global configuration command ―ip forward-
protocol‖ to allow an administrator to forward any UDP port in addition to the eight default
UDP Services. For example, to forward UDP on port 517, use the global configuration
command ―ip forward-protocol udp 517‖. But the eight default UDP Services include DHCP
services so it is not the suitable answer.
Reference and good resource:

http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9
A DHCP relay agent may receive a message from another DHCP relay agent that already
contains relay information. By default, the relay information from the previous relay agent is
replaced. If this behavior is not suitable for your network, you can use the ip dhcp relay
information policy {drop | keep | replace} global configuration command to change it ->
Therefore this is the correct answer.
Reference:
https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html
================= EVN & VRF Questions =================
Question 7
After reviewing the EVN configuration, a network administrator notices that a predefined
EVN, which is known as ―vnet global‖ was configured. What is the purpose of this EVN?
(OR) What is the purpose of ‗vnet global‖?
A. It defines the routing scope for each particular EVN edge interface.
B. It aggregates and carries all dot1q tagged traffic.
C. It refers to the global routing context and corresponds to the default RIB.
D. It safeguards the virtual network that is preconfigured to avoid mismatched routing
instances.
Answer: C
Question 34

hostname R1
!
hostname R2
ip vrf Yellow
!
rd 100:1
ip vrf Yellow
!
rd 100:1
interface Serial0/0
!
ip vrf forwarding Yellow
interface Serial0/0
ip address 209.165.202.129 255.255.255.224
!
ip address 209.165.202.130
ip route 209.165.202.129 255.255.255.224
255.255.255.224
null0
!
!
router eigrp 100
router eigrp 100
address-family ipv4 vrf Yellow
address-family ipv4 vrf Yellow
network 209.165.202.130 0.0.0.0
network 209.165.202.129 0.0.0.0
no auto-summary
no auto-summary
autonomous-system 100
autonomous-system 100
redistribute static
A senior network engineer tries to propagate a summary route 209.165.201.0/27 to R2 by

redistributing static route on R1, but setup is not working. What is the issue with the
configuration in the exhibit.
A. The summary route is in the global routing table.

B. The wildcard bit in network command is incorrect.
C. The redistribute command is in the wrong address-family.
D. The route target is missing.
Answer: A
Explanation
Two connected interfaces S0/0 are in VRF Yellow so we have to put the static route into this
VRF too. So it should be ―ip route vrf Yellow 209.165.202.129 255.255.255.224 null0‖.
Question 36
Which technology does Easy Virtual Network use?

A. MP-BGP
B. DMVPN
C. MPLS
D. VRF-Lite
Answer: D
Question 41
Which technology is required on an EVN trunk interface?
A. 802.1q
B. NAT
C. VRF-Lite
D. IS-IS
Answer: A
Explanation
An EVN trunk is allowed on any interface that supports 802.1q encapsulation, such as Fast
Ethernet, Gigabit Ethernet, and port channels.
If an EVN trunk is configured on an interface, you cannot configure VRF-Lite on the same
interface.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html
Question 54
hostname R1 hostname R2
! !
ip vrf Yellow ip vrf Yellow
rd 100:1 rd 100:1
! !
interface Serial0/0 interface Serial0/0
ip vrf forwarding Yellow ip vrf forwarding Yellow
ip address 209.165.202.129 255.255.255.224 ip address 209.165.202.130 255.255.255.224
! !
router eigrp 100 router eigrp 100
address-family ipv4 vrf Yellow address-family ipv4 vrf Yellow
network 209.165.202.129 0.0.0.0 network 209.165.202.130 0.0.0.0
no auto-summary no auto-summary
A network engineer is unable to make VRF lite EIGRP adjacency work. There is nothing
wrong with communication between R1 and R2. What command will eliminate the issue
when executed on both routers?
A. (config-router-af)#autonomous-system 100
B. (config)#ip-multicast-routing
C. (config-vrf)#route-target both 100:1
D. (config-router-af)#network 209.165.202.128.0.0.0.31
Answer: A
Explanation
To configure the autonomous-system number for EIGRP to run within a VPN routing and
forwarding (VRF) instance, use the ―autonomous-system‖ command in address-family
configuration mode. In particular:
Router(config)# router eigrp 100

Router(config-router)# address-family ipv4 vrf Yellow
Router(config-router-af)# autonomous-system 100
Question 65
Which two statements about EVN are true? (Choose two)
A. Virtual network tags are assigned per-VRF.

B. It is supported only on access ports.
C. Virtual network tags are assigned globally.
D. Routing metrics can be manipulated only from directly within the routing-context
configuration.
E. The VLAN ID in the 802.1q frame carries the virtual network tag.
F. The VLAN ID is the ISL frame carries the virtual network tag.
Answer: A E
Explanation
Path isolation can be achieved by using a unique tag for each Virtual Network (VN) ->
Answer A is correct.
Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q
is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a
VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged
packets carrying the VLAN ID are not EVN packets and could be transported over the same
trunk interfaces -> Answer E is correct.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-
vpns-l3vpn/whitepaper_c11-638769.html
Question 85
What is the primary service that is provided when you implement Cisco Easy Virtual
Network?
A. It requires and enhances the use of VRF-Lite.

B. It reduces the need for common services separation.
C. It allows for traffic separation and improved network efficiency.
D. It introduces multi-VRF and label-prone network segmentation.
Answer: C
Question 105
Which condition must be met before two EVN devices can connect?
A. An EtherChannel must be configured with at least two interfaces connected between the
devices
B. A fiber connection must be established between the devices.
C. One VLAN interface must be configured between the devices.
D. A trunk interface must be configured between the devices.
Answer: D
Question 121
Where does the EVN marks the traffic to separate different users?
A. On the edge interface, with VNET tag

B. On the edge, with 801.Q
C. On the trunk, with VNET tag
D. On the trunk, with 802.1Q
Answer: C
Question 135
Which two statements about EVN are true? (Choose two)
A. It supports IPv6 traffic.

B. It can support up to 16 VNs.
C. It uses redistribution to share routes between VNs.
D. It supports SSM only.
E. A configuration can be based on an existing VRF configuration.
Answer: C E
Explanation
Multi-VRF achieves route exchange between VNs by redistributing VN routes indirectly

through BGP using the route-target import/export feature.
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-
vpns-l3vpn/whitepaper_c11-638769.html
The following are not supported on an EVN trunk:

+ Access control lists (ACLs)
+ BGP interface commands are not inherited
+ IPv6, except on vnet global -> Only vnet global (is also known as the default routing
table) supports IPv6 -> A is not correct.
+ Network address translation (NAT)
+ NetFlow
+ Web Cache Communication Protocol (WCCP)
According to this Cisco document EVN supports up to 32 VNs and EVN supports both SM
and SSM modes:
Network virtualization solution EVN:
+ Provides a pure IP alternative to MPLS in enterprise networks for up to 32 VNs -> B

is not correct.
+ Uses existing enterprise design/architecture/protocols
+ Uses existing technology to increase the effectiveness of VRFs
+ Provides either an IGP (OSPF, EIGRP) only or IGP/EGP-based alternative Reintroduces
familiar concepts for access and trunks to Layer 3
+ Can be deployed with traditional MPLS VPNs or MPLS VPNs over mGRE
+ Can coexist with Multi-VRF deployments
+ Supports non-IP and IPv6 traffic through the EVN global table
+ Supports PIM and IGMP with SM and SSM modes for mVPN -> Answer D is not
correct.
+ Supports shared services using route replication
+ Includes enhanced troubleshooting and usability tools:
– routing context, traceroute, debug condition, cisco-vrf-mib, and simplified VRF-aware
SNMP configuration
For answer E, it should be understood like this: different VRF configurations may have the
same configuration (like IP addresses, interfaces, AS numbers…)
Question 147
Which protocol does VRF-Lite support?
A. IS-IS
B. ODR
C. EIGRP
D. IGRP
Answer: C
Explanation
VRF-Lite supports BGP, OSPF, EIGRP, RIP and static routing.
Question 171
A customer asks its service provider for VPN support for IPv4 and IPv6 address families.
Which command enables a VRF that supports these requirements?
A. Router(config-vrf)#route-target 004:006
B. Router(config-vrf)#rd 004:006
C. Router(config)#ip vrf CUSTOMER
D. Router(config-vrf)#vrf definition CUSTOMER
Answer: D
Explanation
You can now define multiple address families under the same VRF or configure separate
VRFs for each IPv4 or IPv6 address family by entering the vrf definition command. The
command ―vrf definition vrf-name‖ names the VRF and enters VRF configuration mode. An
example of using this command is shown below:
Router(config)# ipv6 unicast-routing
Router(config)# vrf definition red
Router(config-vrf)# rd 100:1
Router(config-vrf)# address family ipv6
Router(config-vrf-af)# route-target both 200:1
Router(config-vrf-af)# exit-address-family
Router(config-vrf)# interface Ethernet0/1
Router(config-if)# vrf forwarding red
Router(config-if)# ipv6 address 5000::72B/64
Reference:
https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/ios/software/15_4_1_c
g/vrf_cgr1000.html
Question 179
Which technology supports overlapping IP addresses on a single interface?
A. policy-based routing
B. VRF-Lite
C. On-Demand Routing
D. QoS
Answer: B
Explanation
In VRF-Lite, Route distinguisher (RD) identifies the customer routing table and ―allows
customers to be assigned overlapping addresses‖.
Question 181
interface gigabitethernet 2/0/0

vnet trunk
ip address 192.168.1.1 255.255.255.0
vnet name cisco
Which effect of this configuration is true?
A. It designates the interface as a GRE tunnel endpoint

B. It configures 802.1q trunking on the interface
C. It designates the interfaces as an EVN trunk
D. It removes VTP from the interface
Answer: C
Explanation
An EVN trunk interface connects VRF-aware routers together and provides the core with a
means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is
used to de-multiplex the packet into the corresponding EVN. A trunk interface has one
subinterface for each EVN. The vnet trunk command is used to define an interface as an
EVN trunk interface.
Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual
router instances, and both technologies allow routes from one VRF to be selectively leaked to
other VRFs. However, a major difference is the way that two physical routers interconnect.
With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF.
However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies
configuration.
Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
Question 187
What is the role of a route distinguisher via a VRF-Lite setup implementation?
A. It extends the IP address to identify which VRF instance it belongs to.

B. It manages the import and export of routes between two or more VRF instances
C. It enables multicast distribution for VRF-Lite setups to enhance EGP routing protocol
capabilities
D. It enables multicast distribution for VRF-Lite setups to enhance IGP routing protocol
capabilities
Answer: A
Explanation
The route distinguisher (RD) is used to keep all prefixes in the BGP table unique so that we
can use same subnets for different VRFs/VPNs. An example of RD is shown below:
ip vrf CustomerA
rd 65000:1
!
ip vrf CustomerB
rd 65000:2
Note: There is another question asking about the role of a route target (RT) and the answer is
B so please be careful and read the question well.
Question 199
Which statement is true about an edge interface in relation to the Cisco Easy Virtual
Network?
A. An edge interface is used to differentiate VRF instances.

B. An edge interface connects to end devices such as hosts and servers that are VRF-aware
C. An edge interface connects a user device to the EVN while defining the EVN boundaries.
D. An edge interface is configured using the vnet trunk command under the switched virtual
interface.
Answer: C
Explanation
An edge interface connects a user device to the EVN and in effect defines the boundary of the
EVN. Edge interfaces connect end devices such as hosts and servers that are not VRF-aware.
Traffic carried over the edge interface is untagged. The edge interface classifies which EVN
the received traffic belongs to. Each edge interface is configured to belong to only one EVN.
xe-3s-book/evn-overview.html#GUID-D8133186-33B5-4244-AAFD-60F5FEC38CEF
Question 221 (posted at Q.8 of http://www.digitaltut.com/evn-vrf-questions-2)
Which two statements about EVNs are true? (Choose two)
A. VRFs using MPLS require a trunk interface that uses EVN

B. VRF-Lite requires a trunk interface that uses EVNs
C. All EVNs within a trunk interface can share the same IP infrastructure
D. Each EVN within a trunk interface must be configured separately
E. Commands that are specified once under a trunk interface can be inherited by all EVNs
Answer: C E
Explanation
With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple
VRFs) between two routers you need to create a subinterface for each VRF on each router ->
VRF-Lite requires subinterfaces. However, with Cisco EVN, you instead create a trunk
(called a Virtual Network (VNET) trunk) between the routers. Then, traffic for multiple
virtual networks can travel over that single trunk interface, which uses tags to identify the
virtual networks to which packets belong.
Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual
router instances, and both technologies allow routes from one VRF to be selectively leaked to
other VRFs. However, a major difference is the way that two physical routers interconnect.
With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF.
However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies
configuration.
Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
All EVNs within a trunk interface share the same IP infrastructure as they are on the same
physical interface -> Answer C is correct.
With EVNs, a trunk interface is shared among VRFs so each command configured under this
trunk is applied by all EVNs -> Answer E is correct.
Question 227 (posted at Q.6 of http://www.digitaltut.com/evn-vrf-questions)
Which three benefits does the Cisco Easy Virtual Network provide to an enterprise network?
(Choose three)
A. simplified Layer 3 network virtualization

B. improved shared services support
C. enhanced management, troubleshooting, and usability
D. reduced configuration and deployment time for dot1q trunking
E. increased network performance and throughput
F. decreased BGP neighbor configurations
Answer: A B C
Explanation
EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN
provides enhancements in path isolation, simplified configuration and management, and
improved shared service support
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
Maybe the ―improved shared services support‖ term here implies about the support of sharing
between different VRFs (through route-target, MP-BGP)
What is VRF-lite?
A. VRF without MPLS

B. VRF without VPN
C. VRF without independent route tables
D. VRF without Cisco Express Forwarding switching
Answer: A
================= IPv6 Questions =================
Question 10
Which CLI command can you enter to permit or deny IPv6 traffic travelling through an
interface?
A. access-list
B. access-group
C. ipv6 access-class
D. ipv6 traffic-filter
Answer: D
Explanation
The command ―ipv6 traffic-filter access-list-name { in | out }‖ applies the access list to
incoming or outgoing traffic on the interface.
Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swv6acl.html
Question 24
Which two technologies can encapsulate an IPv6 payload in an IPv4 packet for transmission
across a network? (Choose two)
A. L2TPv3
B. trunking
C. AToM
D. ISATAP
E. NAT-PT
Answer: D E
Explanation
The Network Address Translator – Protocol Translator (NAT-PT) defines a set of network-
layer translation mechanisms designed to allow nodes that only support IPv4 to communicate
with nodes that only support IPv6, during the transition to the use of IPv6 in the Internet.
NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the
boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4
and IPv6 network, all IPv4 users are given access to the IPv6 network without modification
in the local IPv4-hosts (and vice versa). Equally, all hosts on the IPv6 network are given
access to the IPv4 hosts without modification to the local IPv6-hosts. This is accomplished
with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions
are initiated across IPv4-IPv6 boundaries
(Reference: http://www.ietf.org/rfc/rfc4966.txt and

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_white_pap
er09186a008011ff51_ps6640_Products_White_Paper.html)
ISATAP tunneling (Intra-Site Automatic Tunnel Addressing Protocol): is a mechanism for

transmitting IPv6 packets over IPv4 network. The word ―automatic‖ means that once an
ISATAP server/router has been set up, only the clients must be configured to connect to it.
Question 25
When a packet is denied by an IPv6 traffic filter, which additional action does the device
perform?
A. It scans the rest of the ACL for a permit entry matching the destination
B. It generates a TCP Fin bit and sends it to the source.
C. A creates a null route for the destination and adds it to the route table
D. It generates an ICMP unreachable message for the frame.
Answer: D
Explanation
If an IPv6 router ACL is configured to deny a packet, the packet is dropped. A copy of the
packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP
unreachable message for the frame.
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swv6acl.html
Question 48
Which two options are components of a dual stack? (Choose two)
A. EIGRP
B. OSPF
C. IPv6 traffic
D. IPv4 traffic
E. Layer 3 switch
F. Layer 2 switch
Answer: C D
Question 56
What are two limitations when in use of NPTv6 for IPV6 vs IPV6 Address translation?
(Choose two)
A. stateful address translation

B. a limit of 32 1-to-1 translations
C. lack of overloading functionality
D. identify all interfaces as NAT inside or outside
E. 1-to-1 prefix rewrite
F. mismatched prefix allocations
Answer: C F
Explanation
The IPv6-to-IPv6 Network Prefix Translation (NPTv6) provides a mechanism to translate an

inside IPv6 source address prefix to outside IPv6 source address prefix in IPv6 packet header
and vice-versa. In other words, NPTv6 is simply rewriting IPv6 prefixes. NPTv6 does not
allow to overload. It does not support mismatching prefix allocations sizes (so the
network/host portion remains intact. For example you cannot cover /64 to /48).
Question 62
Which two statements about 6to4 tunneling are accurate? (Choose two)
A. Prepending a reserved IPv6 code to the hexadecimal representation of 192.168.0.1

facilitates 6to4 tunneling
B. Each 6to4 site receives a /48 prefix in a 6to4 tunnel
C. 2002::/48 is the address range specifically assigned to 6to4
D. Prepending 0x2002 with the IPv4 address creates an IPv6 address that is used in 6to4
tunneling
E. 6to4 is a manual tunnel method
Answer: B D
Explanation
6to4 tunnel is a technique which relies on reserved address space 2002::/16 (you must
remember this range). These tunnels determine the appropriate destination address by
combining the IPv6 prefix with the globally unique destination 6to4 border
router‘s IPv4 address, beginning with the 2002::/16 prefix, in this format:
2002:border-router-IPv4-address::/48
Because the border-router-IPv4-address is added, we will have a /48 prefix (we all know an
IPv4 address consists of 32 bits). An example of a 6to4 address with the border-router-IPv4-
address of 192.168.1.2 is 2002:C0A8:01:02::/48.
Question 88
The Neighbor Discovery Protocol in IPv6 is replaced with which discovery protocol in IPv4?
A. ARP
B. ICMP
C. UDP
D. TCP
E. RFC
Answer: A
Explanation
Note: This question asks about IPv4 discovery protocol, not IPv6. So the correct asnwer is
ARP.
Just for your information, the IPv6 neighbor discovery process uses Internet Control Message
Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer
address of a neighbor on the same network (local link), verify the reachability of a neighbor,
and track neighboring devices.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-
2mt/ip6-15-2mt-book/ip6-neighb-disc.html
-> Neighbor Discovery Protocol in IPv6 does not use ARP any more.
Question 159
Considering the IPv6 address independence requirements, which process do you avoid when
you use NPTv6 for translation?
A. rewriting of higher layer information

B. checksum verification
C. ipv6 duplication and conservation
D. IPSEC AH header modification
Answer: A
Question 196
Company is deploying a multicast application that must be accessible between sites, but must
not be accessible outside of the organization. Based on the scoping requirements, the
multicast group address for the application will be allocated out of which range?
A. FF00:/16
B. FF0E:/16
C. FF02:/16
D. FF08:/16
Answer: C
Explanation
All IPv6 multicast addresses begin with FF::/8 – in other words, with FF as the first two
digits. Multicasts with a link local scope, like most of the multicast addresses referenced,
begin with FF02::/16, the 2 in the fourth hex digit identifies the scope as link local. A fourth
digit of hex 5 identifies the broadcast as site local scope, with those multicasts beginning with
FF05::/16
Reference: CCNP ROUTE 300-101 Official Certification Guide
Which statement about stateless and stateful IPv6 autoconfiguration are true?
A. Both stateless and stateful autoconfiguration require additional setup

B. Stateless autoconfiguration requires no additional setup, whereas stateful
autoconfiguration requires additional setup
C. Stateless autoconfiguration requires additional setup, whereas stateful autoconfiguration
requires no additional setup
D. Both stateless and stateful autoconfiguration require no additional setup
Answer: B
Explanation
Stateful autoconfiguration is the IPv6 equivalent of DHCP. A new protocol, called DHCPv6
(and based closely on DHCP), is used to pass out addressing and service information in the
same way that DHCP is used in IPv4. This is called ―stateful‖ because the DHCP server and
the client must both maintain state information to keep addresses from conflicting, to handle
leases, and to renew addresses over time.
Stateless Autoconfiguration allows an interface to automatically ―lease‖ an IPv6 address and

does not require the establishment of an server to delve out address space. Stateless
autoconfiguration allows a host to propose an address which will probably be unique (based
on the network prefix and its Ethernet MAC address) and propose its use on the network.
Because no server has to approve the use of the address, or pass it out, stateless
autoconfiguration is simpler. This is the default mode of operation for most IPv6 systems,
including servers.
================= uRPF Questions =================
Question 52
Which two statements about uRPF are true? (Choose two)
A. The keyword any can be used with both strict mode and loose mode
B. Strict mode may drop legitimate traffic
C. It is enabled globally
D. Strict mode is most appropriate for networks with asymmetric routing
E. Loose mode may drop traffic when asymmetric routing occurs on the network
F. It is enabled on a per interface basis
Answer: B F
Explanation
The syntax of configuring uRPF in interface mode is:
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-

list-number]
The any option enables a Loose Mode uRPF on the router. This mode allows the router to
reach the source address via any interface.
The rx option enables a Strict Mode uRPF on the router. This mode ensures that the router
reaches the source address only via the interface on which the packet was received.
Question 226 (posted at Q.7 of http://www.digitaltut.com/unicast-reverse-path-forwarding)
Which command sequence can you enter on a router to configure Unicast Reverse Path
Forwarding in loose mode?
A. interface GigabitEthernet0/0
ip verify unicast source reachable-via all
B. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose
C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any
D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx
Answer: C
================= IP SLA Questions =================
Question 4
The IP SLA configuration of R1 is shown below:
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface f1/0
R1(config-ip-sla)#frequency 10
R1(config-ip-sla)#threshold 100
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0.0 0.0.0.0 172.20.20.2
What makes default route not removed when SLA state down or failed?
A. the destination must be 172.30.30.2 for icmp-echo

B. the threshold value is wrong
C. the default route has wrong next hop IP address.
D. missing of track feature on default static route command
Answer: D
Explanation
The default route command (at the last line) must include the ―track‖ keyword for the
tracking feature to work.
ip route 0.0.0.0.0 0.0.0.0 172.20.20.2 track 10
Question 22
A network engineer wants to baseline the network to determine suitability for real-time voice
applications. Which IP SLA operation is best suited for this task?
A. ICMP-echo
B. ICMP-jitter
C. UDP-connect
D. UDP-jitter
E. TCP-connect
F. UDP-echo
Answer: D
Explanation
The IP SLAs VoIP UDP jitter operation accurately simulates VoIP traffic using common
codecs and calculates consistent voice quality scores (MOS and ICPIF) between Cisco
devices in the network.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-
15-mt-book/sla_udp_jitter_voip.html
Note:
+ UDP Jitter: generates UDP traffic and measures Round-trip Delay, One-way Delay, One-
way Jitter, One-way Packet Loss, and overall Connectivity.
+ UDP-echo: measures Round-trip Delay for UDP traffic.
There is also a special ―UDP Jitter for VoIP‖ which can simulate various codecs and spits out
voice quality scores (MOS, and ICPIF)
Question 71
Refer to exhibit. Which two reasons for IP SLA tracking failure are likely true? (Choose two)
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#threshold 500
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2
R1(config)#ip route 0.0.0.0 0.0.0.0 172.30.30.2 5
A. The source-interface is configured incorrectly

B. The destination must be 172.30.30.2 for icmp-echo
C. A route back to the R1 LAN network is missing in R2
D. The default route has wrong next hop IP address
E. The threshold value is wrong
Answer: C E
Explanation
There is no problem with the Fa0/0 as the source interface as we want to check the ping from
the LAN interface -> A is not correct.
Answer B is not correct as we must track the destination of the primary link, not backup link.
In this question, R1 pings R2 via its LAN Fa0/0 interface so maybe R1 (which is an ISP) will
not know how to reply back as an ISP usually does not configure a route to a customer‘s
LAN -> C is correct.
There is no problem with the default route -> D is not correct.
For answer E, we need to understand about how timeout and threshold are defined:
Timeout (in milliseconds) sets the amount of time an IP SLAs operation waits for a response
from its request packet. In other words, the timeout specifies how long the router should wait
for a response to its ping before it is considered failed.Threshold (in milliseconds too) sets
the upper threshold value for calculating network monitoring statistics created by an IP SLAs
operation. Threshold is used to activate a response to IP SLA violation, e.g. send SNMP trap
or start secondary SLA operation. In other words, the threshold value is only used to indicate
over threshold events, which do not affect reachability but may be used to evaluate the proper
settings for the timeout command.
For reachability tracking, if the return code is OK or OverThreshold, reachability is up; if not
OK, reachability is down.
Therefore in this question, we are using ―Reachability‖ tracking (via the command ―track 10
ip sla 1 reachability‖) so threshold value is not important and can be ignored -> Answer E is
correct. In fact, answer E is not wrong but it is the best option left.
This tutorial can help you revise IP SLA tracking topic: http://www.firewall.cx/cisco-
technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html and
http://www.ciscozine.com/using-ip-sla-to-change-routing/
Note: Maybe some of us will wonder why there are these two commands:
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10

R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2
In fact the two commands:
ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10

ip route 0.0.0.0 0.0.0.0 172.20.20.2
are different. These two static routes can co-exist in the routing table. Therefore if the
tracking goes down, the first command will be removed but the second one still exists and the
backup path is not preferred. So we have to remove the second one.
Question 74a
Which IP SLA operation can be used to measure round-trip delay for the full path and hop-
by-hop round-trip delay on the network?
A. HTTP
B. ICMP path echo
C. TCP connect
D. ICMP echo
Answer: B
Explanation
Round-trip time (RTT), also called round-trip delay, is the time required for a packet to travel
from a specific source to a specific destination and back again.
An ICMP Path Echo operation measures end-to-end (full path) and hop-by-hop response
time (round-trip delay) between a Cisco router and devices using IP. ICMP Path Echo is
useful for determining network availability and for troubleshooting network connectivity
issues.
Note: ICMP Echo only measures round-trip delay for the full path.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/xe-3s/sla-
xe-3s-book/sla_icmp_pathecho.html
Question 74b
A network engineer wants to monitor hop by hop response time on the network. Which IP
SLA operation accomplishes this task?
A. UDPecho
B. ICMP echo
C. ICMP path jitter
D. ICMP path echo
Answer: D
Question 75
Which three IP SLA performance metrics can you use to monitor enterprise-class networks?
(Choose three)
A. Packet loss
B. Delay
C. bandwidth
D. Connectivity
E. Reliability
F. traps
Answer: A B D
Explanation
Depending on the specific Cisco IOS IP SLAs operation, statistics of delay, packet loss,
jitter, packet sequence, connectivity, path, server response time, and download time are
monitored within the Cisco device and stored in both CLI and SNMP MIBs.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsoverv.ht
ml
Question 83
Which three items can you track when you use two time stamps with IP SLAs? (Choose
three)
A. delay
B. jitter
C. packet loss
D. load
E. throughput
F. path
Answer: A B C
Explanation
When enabled, the IP SLAs Responder allows the target device to take two time stamps both
when the packet arrives on the interface at interrupt level and again just as it is leaving,
eliminating the processing time. At times of high network activity, an ICMP ping test often
shows a long and inaccurate response time, while an IP SLAs test shows an accurate response
time due to the time stamping on the responder.
An additional benefit of the two time stamps at the target device is the ability to track
one-way delay, jitter, and directional packet loss. Because much network behavior is
asynchronous, it is critical to have these statistics. However, to capture one-way delay
measurements the configuration of both the source device and target device with Network
Time Protocol (NTP) is required. Both the source and target need to be synchronized to the
same clock source. One-way jitter measurements do not require clock synchronization.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-
15-mt-book/sla_overview.html
Question 97
Which feature can be used to reduce the number of ICMP unreachable message egressing a
router?
A. uRPF
B. ICMP rate-limiting
C. ip unreachables command
D. Asymmetric routing
Answer: B
Question 145
Which LAN feature enables a default gateway to inform its end device?
A. HSRP
B. proxy ARP
C. ICMP redirects
D. ICMP unreachable messages
Answer: C
Explanation
An ICMP redirect is an error message sent by a router to the sender of an IP packet. Redirects
are used when a router believes a packet is being routed sub optimally and it would like to
inform the sending host that it should forward subsequent packets to that same destination
through a different gateway. In theory a host with multiple gateways could have one default
route and learn more optimal specific routes over time by way of ICMP redirects.
Question 152
Which IP SLA operation can be used to simulate voice traffic on a network?
A. TCP connect
B. UDP-jitter
C. ICMP-echo
D. ICMP-jitter
Answer: B
Explanation
The IP SLAs VoIP UDP jitter operation accurately simulates VoIP traffic using common
codecs and calculates consistent voice quality scores (MOS and ICPIF) between Cisco
devices in the network.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-s/sla-
15-s-book/sla_udp_jitter_voip.pdf
Question 162
Which location within the network is preferred when using a dedicated router for Cisco IP
SLA operations?
A. user edge
B. provider edge
C. access edge
D. distribution edge
Answer: B
Explanation
If there are thousands of test destinations being sourced from the router, then a ―dedicated
router‖ or ―shadow router‖ maybe the best choice for deployment. A dedicated router is
simply a low-end router dedicated to sourcing Cisco IOS IP SLAs operations.
Dedicated routers are most appropriate when the deployment plan calls for the operations to
be sourced from the edge of the core network (ie: Provider Edge [PE]) location in a
Service Provider network. The Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800 and 7200
Series Routers are frequently used as dedicated routers.
Reference:
https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper090
0aecd8017f8c9.html
Question 180
Which two statements about ICMP unreachable messages are true? (Choose two)
A. They are sent when a route to the destination is missing from the routing table
B. They can be enabled and disabled on a device only on a global level
C. They are sent when a destination address responds to an ARP request
D. They include the entire packet so that the source can identify the process that generated
the message
E. They include a portion of the original data so that the source can identify the process that
generated the message
Answer: A C
Explanation
ICMP Unreachables are responses sent by a router/host/switch whenever the destination host
address, protocol unreachable, or destination networks are not listed in the forward table
(FIB) or services by the device.
Reference: Cisco ISP Essentials Book, page 160
Question 193
When does a Cisco router send an ICMP redirect?
A. when the packet‘s source and destination VRFs are different

B. when the packet is source-routed
C. when the packet‘s destination has load-balanced entries in the route table
D. when the packet‘s ingress and egress interface are the same
Answer: D
Explanation
ICMP redirect messages are used by routers to notify the hosts on the data link that a better
route is available for a particular destination.
Cisco routers send ICMP redirects when all of these conditions are met:
+ The interface on which the packet comes into the router is the same interface on which the
packet gets routed out -> Answer D is correct.
+ The subnet or network of the source IP address is on the same subnet or network of the
next-hop IP address of the routed packet.
+ The datagram is not source-routed.
+ The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects.
The interface subcommand no ip redirects can be used to disable ICMP redirects.)
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13714-43.html
Question 238 (posted at Q.5 of http://www.digitaltut.com/ip-sla-questions-2)
Which two types of threshold can you configure for tracking objects? (Choose two)
A. percentage
B. MTU
C. bandwidth
D. weight
E. delay
F. administrative distance
Answer: A D
Explanation
You can configure a tracked list of objects with a Boolean expression, a weight threshold, or
a percentage threshold.
The example configures track list 1 to track by weight threshold.
Switch(config)# track 1 list threshold weight

Switch(config-track)# object 1 weight 15
Switch(config-track)# threshold weight up 30 down 10
If object 1, and object 2 are down, then track list 1 is up, because object 3 satisfies the up
threshold value of up 30. But, if object 3 is down, both objects 1 and 2 must be up in order to
satisfy the threshold weight.
This configuration can be useful if object 1 and object 2 represent two small bandwidth
connections and object 3 represents one large bandwidth connection. The configured down
10 value means that once the tracked object is up, it will not go down until the threshold
value is equal to or lower than 10, which in this example means that all connections are
down.
The below example configures tracked list 2 with three objects and a specified percentages
to measure the state of the list with an up threshold of 70 percent and a down threshold of 30
percent:
Switch(config)# track 2 list threshold percentage

Switch(config-track)# object 1
Switch(config-track)# threshold percentage up 51 down 10
This means as long as 51% or more of the objects are up, the list will be considered ―up‖. So
in this case if two objects are up, track 2 is considered ―up‖.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/blades/3020/software/release/12-
2_58_se/configuration/guide/3020_scg/swhsrp.pdf
Question 239 (posted at Q.12 of http://www.digitaltut.com/ip-sla-questions)
Which type of information is displayed when a network engineer executes the show track 1
command on the router?
A. information about tracking list 1

B. time to next poll for track object 1
C. information about the IP route track table
D. tracking information statistics
Answer: A
================= SNMP Questions =================
Question 6
A network engineer is asked to create an SNMP-enabled proactive monitoring solution to

ensure that jitter levels remain between particular boundaries. Which IP SLA option should
the engineer use?
A. threshold
B. frequency
C. verify-data
D. timeout
Answer: A
Question 15
Which three statements about SNMP are true? (Choose three)
A. The manager configures and send traps to the agent.

B. The manager sends GET and SET messages.
C. SNMPv3 supports authentication and encryption.
D. The manager polls the agent using UDP port 161
E. The MIB database can be altered only by the SNMP agent.
F. The agent is the monitoring device.
Answer: B C D
Explanation
The SNMP Manger can send GET, GET-NEXT and SET messages to SNMP Agents. The
Agents are the monitored device while the Manager is the monitoring device. In the picture
below, the Router, Server and Multilayer Switch are monitored devices.
Question 19
In SNMPv3, which security level provides encryption of the data?
A. authMember
B. noAuthNoPriv
C. authNoPriv
D. authPriv
Answer: D
Explanation
+ noAuthNoPriv – Security level that does not provide authentication or encryption.

+ authNoPriv – Security level that provides authentication but does not provide encryption.
+ authPriv – Security level that provides both authentication and encryption.
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guid
e/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html
Question 20
What does the number 16 in the following command represent?
Router(config)#snmp-server user abcd public v2c access 16
A. the mask of the files that are allowed to use community string public
B. the standard named access list 16, which contains the access rules that apply to user abcd
C. the number of concurrent users who are allowed to query the SNMP community
D. the user ID that is allowed to use the community string public
Answer: B
Question 50
In SNMPv3, which security level provides encryption of the data?
A. authMember
B. noAuthNoPriv
C. authNoPriv
D. authPriv
Answer: D
Explanation
+ noAuthNoPriv – Security level that does not provide authentication or encryption.

+ authNoPriv – Security level that provides authentication but does not provide encryption.
+ authPriv – Security level that provides both authentication and encryption.
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guid
e/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html
Question 157
Which SNMP model and level can provide DES encryption?
A. SNMPV2 noAuthNoPriv
B. SNMPv3 authNoPriv
C. SNMPv3 authPriv
D. SNMPv3 noAuthNoPriv
Answer: C
Explanation
The authentication (auth) and privacy (priv) options are grouped into security models.
NoAuthPriv – no authentication and no privacy

AuthNoPriv – authentication and no privacy
AuthPriv – authentication and privacy
Question 169
snmp-server community ciscotest

snmp-server host 192.168.1.128 ciscotest
snmp-server enable traps bgp
Which effect of this configuration is true?
A. The device sends SNMP traps related to BGP operations to host 192.168.1.128
B. It configures an ACL to protect SNMP managers from receiving BGP traps
C. It configures the device to use string cisotest for read and write access to any SNMP
manager on the network
D. It configures the device to communicate with other devices in the ciscotest community
using SNMPv3
Answer: A
Question 215 (posted at Q.8 of http://www.digitaltut.com/snmp-questions)
Which SNMP verification command shows the encryption and authentication protocols that
are used in SNMPv3?
A. show snmp group

B. show snmp user
C. show snmp
D. show snmp view
Answer: B
Explanation
The command ―show snmp user‖ displays information about the configured characteristics of
SNMP users. The following example specifies the username as abcd with authentication
method of MD5 and encryption method of 3DES.
Router#show snmp user abcd

User name: abcd
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: 10
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: 3DES
Group name: VacmGroupName
Group name: VacmGroupName
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t2/snmpv3ae.html
================= Syslog Questions =================
Question 40
Refer to the following command.
Logging Console 7
Which option is one of the effects entering this command on a Cisco IOS router, with no
additional logging configuration?
A. Debug messages can be seen on the console by enabling ―terminal monitor‖

B. Debug messages are logged only on active console connections.
C. A user that is connected via SSH sees level 7 messages
D. The router can experience high CPU utilization
Answer: D
Question 89
A router is connected to a Windows Syslog server which does not function. What is the
reason?
A. Firewall is blocking UDP port 514
B. Firewall is blocking IP port 514
C. Firewall is blocking TCP port 514
D. Firewall is blocking UDP port 512
Answer: A
Explanation
A syslog server opens port 514 and listens for incoming syslog event notifications (carried by
UDP protocol packets) generated by remote syslog clients. Therefore if firewall is blocking
this port the syslog server cannot operate correctly.
Question 228 (posted at Q.7 of http://www.digitaltut.com/syslog-questions)
A network engineer executes the commands ―logging host 172.16.200.225‖ and ―logging trap
5‖. Which action results when these two commands are executed together?
A. Logging messages that have a debugging severity level are sent to the remote server
172.16.200.225.
B. Logged information is stored locally, showing the sources as 172.16.200.225
C. Logging messages that have any severity level are sent to the remote server
172.16.200.225
D. Logging messages that have a severity level of ―notifications‖ and above (numerically
lower) are sent to the remote server 172.16.200.225
Answer: D
================= NTP Questions =================
Question 27

A network engineer has configured NTP on a Cisco router, but the time on the router is still
incorrect. What is the reason for this problem?
A. The router is not syncing with the peer, even though the NTP request and response packets
are being exchanged.
B. The router is not syncing with peer, and the NTP request and response packets are not
being exchanged.
C. The router is syncing with the peer, and the NTP request and response packets are being
exchanged.
D. The router is dropping all NTP packets.
Answer: A
Explanation
The ―reach‖ term is defined as follows:
Peer reachability is a bit string reported as an octal value. This field shows whether the last
eight packets were received by the NTP process on the Cisco IOS software. The packets must
be received, processed, and accepted as valid by the NTP process and not just by the router or
switch that receives the NTP IP packets.
Reach uses the poll interval for a time out in order to decide whether a packet was received
or not. The poll interval is the time that NTP waits before it concludes that a packet was lost.
The poll time can be different for different peers, so the time before reach decides that a
packet was lost can also different for different peers.
There are four different reach values:

+ 377 octal = 11111111 binary, which indicates the NTP process received the last eight
packets.
+ 0 octal = 00000000, which indicates the NTP process did not receive any packet.
+ 1 octal = 00000001, which indicates the NTP process received only the latest packet.
+ 357 octal = 11101111, which indicates the packet before the latest four packets was lost.
Reach is a good indicator of whether NTP packets are being dropped because of a poor link,
CPU issues and other intermittent problems.
In our question the ―reach‖ values all are ―377‖, which indicates the NTP process received
the last eight packets -> Answer A is correct.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-
ntp/116161-trouble-ntp-00.html
Question 37
Which two statements about NTP stratum are true? (Choose two)
A. Stratum 15 indicates a device that is not synchronized

B. Stratum 1 devices receive their time from a peer that is connected directly to an
authoritative time source.
C. The highest stratum level a synchronized device can have is 16.
D. Stratum 2 devices receive their time from a peer that is connected directly to an
authoritative time source
E. Stratum 0 devices are connected directly to an authoritative time source
F. Stratum 1 devices are connected directly to an authoritative time source
Answer: D F
Explanation
Stratum 0 – highest, GPS clock (usually called authoritative time source)

Stratum 1- primary time servers, connected to stratum 0
The upper limit for Stratum is 15;
Stratum 16 is used to indicate that a device is unsynchronized
Question 58
Refer to the exhibit. Which effect of this configuration is true?
R1# show run | include ntp

ntp master 5
ntp authenticate
ntp authentication-key 1 md4 123Cisco
ntp authentication-key 5 md4 Cisco123
ntp trusted-key 1
A. R1 synchronizes with systems that include authentication key 5 in their packets

B. R1 acts as an authoritative clock with a priority ID of 1
C. R1 acts as an authoritative clock at stratum 5
D. R1 is the NTP client for a stratum 1 server
Answer: C
Explanation
The command ―ntp master [stratum]‖ is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.
The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).
Question 82
Refer to the following configuration command.
router (config-line)# ntp master 10
Which statement about this command is true?
A. The router acts as an authoritative NTP clock and allows only 10 NTP client connections.
B. The router acts as an authoritative NTP clock at stratum 10.
C. The router acts as an authoritative NTP clock with a priority number of 10.
D. The router acts as an authoritative NTP clock for 10 minutes only.
Answer: B
Explanation
The command ―ntp master [stratum]‖ is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.
time standard.
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).
Question 176 (same as Q.5 at http://www.digitaltut.com/ntp-questions)
Refer to exhibit:
access-list 1 permit 192.168.1.1

access-list 1 deny any
access-list 2 permit 192.168.1.4
!
ntp access-group peer 2
ntp access-group serve 1
ntp master 4
!
Which three NTP features can be deduced on the router? (Choose three)
A. Only accepts time requests from 192.168.1.1

B. Only handle four requests at a time
C. Only is in stratum 4
D. Only updates its time from 192.168.1.1
E. Only accepts time requests from 192.168.1.4
F. Only updates its time from 192.168.1.4
Answer: A C F
Explanation
First we need to understand some basic knowledge about NTP. There are two types of NTP
messages:
+ Control messages: for reading and writing internal NTP variables and obtain NTP status
information. It is not used for time synchronization so we will not care about them in this
question.
+ Request/Update messages: for time synchronization. Request messages ask for
synchronization information while Update messages contains synchronization information
and may change the local clock.
There are four types of NTP access-groups exist to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize. In other words, it
permits the local router to respond to NTP request and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to reply to NTP requests, but drops NTP update. This
access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to respond to NTP requests only. This access-group denies
control messages.
+ Query-only: only accepts control messages. No response to NTP requests are sent, and no
local system time synchronization with remote system is permitted.
From my experience, you just need to remember:

+ Peer: serve and to be served
+ Serve: serve but not to be served
Therefore in this question:

+ The ―ntp access-group peer 2‖ command says ―I can only accept NTP updates and
respond to NTP (time) requests from 192.168.1.4―. -> Answer F is correct while answer D is
not correct.
+ The ―ntp access-group serve 1‖ command says ―I can only reply to time requests (but
cannot accept time update) from 192.168.1.1 ‖ -> Answer A is correct*
The ―ntp master 4‖ indicates it is running as a time source with stratum level of 4 -> Answer
B is not correct while answer C is correct.
Answer E is not correct because it can accept time requests from both 192.168.1.1 and
192.168.1.4.
*Note: In fact answer A is incorrect too because the local router can accept time requests
from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is an mistake
of this question.
Question 200 (same as Q.9 at http://www.digitaltut.com/ntp-questions)
Which three NTP operating modes must the trusted-key command be configured on for
authentication to operate properly? (Choose three)
A. interface
B. client
C. peer
D. server
E. broadcast
Answer: B D E
Explanation
NTP operates in four different modes.

+ Server Mode is configured such that a device will synchronize NTP clients. Servers can be
configured to synchronize all clients or only a specific group of clients. NTP servers,
however, will not accept synchronization information from their clients. This restriction will
not allow clients to update or manipulate a server‘s time settings.
+ Client Mode is configured used to allow a device to set its clock by and synchronized by
an external timeserver. NTP clients can be configured to use multiple servers to set their local
time and can be configured to give preference to the most accurate time sources available to
them. They will not, however, provide synchronization services to any other devices.
+ Peer Mode is when one NTP-enabled device does not have any authority over another.
With the peering model, each device will share its time information with its peer.
Additionally, each device can also provide time synchronization to the other.
+ Broadcast/Multicast Mode is a special server mode where the NTP server broadcasts its
synchronization information to all clients. Broadcast mode requires that clients be on the
same subnet as the server, and multicast mode requires that clients and servers have multicast
capabilities configured.
Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1851440
―Interface‖ is not a NTP mode so answer A is not correct.
It is sure that in ―peer‖ mode we don‘t need to use the ―trusted-key‖ command for
authentication so answer C is not correct.
Question 211 (same as Q.4 of http://www.digitaltut.com/ntp-questions)
Which two statements about NTP operation are true? (Choose two)
A. If multiple NTP servers are configured, the one with the lowest stratum is preferred
B. By default, NTP communications use UDP port 123.
C. If multiple NTP servers are configured, the one with the highest stratum is preferred.
D. Locally configured time overrides time received from an NTP server.
E. ―Stratum‖ refers to the number of hops between the NTP client and the NTP server.
Answer: A B
Explanation
time standard.
stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server
is. When multiple NTP servers are configured, the client will prefer the NTP server with the
lowest stratum level.
NTP uses User Datagram Protocol (UDP) port 123.
================= NAT Questions =================
Question 2
Which statement describes what this command accomplishes when inside and outside
interfaces are correctly identified for NAT?
ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080 extendable
A. It allows host 192.168.1.50 to access external websites using TCP port 8080.
B. It allows external clients coming from public IP 209.165.201.1 to connect to a web server
at 192.168.1.50.
C. It allows external clients to connect to a web server hosted on 192.168.1.50.
D. It represents an incorrect NAT configuration because it uses standard TCP ports.
Answer: C
Explanation
First we will not mention about the effect of the ―extendable‖ keyword. So the purpose of the
command ―ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080‖ is to translate
packets on the inside interface with a source IP address of 192.168.1.50 and port 80 to the IP
address 209.165.201.1 with port 8080. This also implies that any packet received on the
outside interface with a destination address of 209.165.201.1:8080 has the destination
translated to 192.168.1.50:80. Therefore answer C is correct.
Answer A is not correct this command ―allows host 192.168.1.50 to access external websites
using TCP port 80‖, not port 8080.
Answer B is not correct because it allows external clients to connect to a web server at
209.165.201.1. The IP addresses of clients should not be 209.165.201.1.
Answer D is not correct because the configuration is correct.
Now we will talk about the keyword ―extendable‖.

Usually, the ―extendable‖ keyword should be added if the same Inside Local is mapped to
different Inside Global Addresses (the IP address of an inside host as it appears to the outside
network). An example of this case is when you have two connections to the Internet on two
ISPs for redundancy. So you will need to map two Inside Global IP addresses into one inside
local IP address. For example:
NAT router:
ip nat inside source static 192.168.1.1 200.1.1.1 extendable
ip nat inside source static 192.168.1.1 200.2.2.2 extendable
//Inside Local: 192.168.1.1 ; Inside Global: 200.1.1.1 & 200.2.2.2
In this case, the traffic from ISP1 and ISP2 to the Server is straightforward as ISP1 will use
200.1.1.1 and ISP2 will use 200.2.2.2 to reach the Server. But how about the traffic from the
Server to the ISPs? In other words, how does NAT router know which IP (200.1.1.1 or
200.2.2.2) it should use to send traffic to ISP1 & ISP2 (this is called ―ambiguous from the
inside‖). We tested in GNS3 and it worked correctly! So we guess the NAT router compared
the Inside Global addresses with all of IP addresses of the ―ip nat outside‖ interfaces and
chose the most suitable one to forward traffic.
This is what Cisco explained about ―extendable‖ keyword:
―They might also want to define static mappings for a particular host using each provider‘s
address space. The software does not allow two static translations with the same local
address, though, because it is ambiguous from the inside. The router will accept these static
translations and resolve the ambiguity by creating full translations (all addresses and ports) if
the static translations are marked as ―extendable‖. For a new outside-to-inside flow, the
appropriate static entry will act as a template for a full translation. For a new inside-to-outside
flow, the dynamic route-map rules will be used to create a full translation‖.
(Reference:
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper0918
6a0080091cb9.html)
But it is unclear, what will happen if we don‘t use a route-map?
Question 14
Which option is a prerequisite for stateful NAT64?

A. IPsec for IPv6
B. DNS64
C. Application Level Gateway
D. ICMP64
Answer: B
Question 44
Which technology uses the many-to-one method of mapping IP addresses?
A. static NAT
B. dynamic NAT
C. NAT-PT
D. PAT
Answer: D
Question 49
Which three functionalities are specific to stateful NAT64? (Choose three)

A. It conserves IPv4 addresses
B. It requires either manual or DHCPv6-based address assignment for IPv6 hosts
C. A state or bindings are created on every unique translation.
D. It requires IPv4-translatable IPv6 addresses
E. No constraint is put on the number of endpoints due to 1 :N translation.
F. It helps ensure end-to-end address transparency and scalability
Answer: A C E
Question 59
Which command enables NAT-PT on an IPv6 interface?
A. ipv6 nat
B. ipv6 nat enable
C. ipv6 nat-pt
D. ipv6 nat-pt enable
Answer: A
Explanation
The syntax should be: ipv6 nat prefix ipv6-prefix / prefix-length (for example: Router# ipv6
nat prefix 2001:DB8::/96)
Question 64
Which functionality is required within an IP router that is situated at the boundary of an IPv4
network and an IPv6 network to allow communication between IPv6-only and IPv4-only
nodes?
A. Autoconfiguration
B. Automatic 6to4 Tunnel
C. Automatic 6to4 Relay
D. Network Address Translator-Protocol Translator (NAT-PT)
E. Intrasite Automatic Tunnel Address Protocol (ISATAP)
Answer: D
Explanation
The Network Address Translator – Protocol Translator (NAT-PT) defines a set of network-
layer translation mechanisms designed to allow nodes that only support IPv4 to communicate
with nodes that only support IPv6, during the transition to the use of IPv6 in the Internet.
NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the
boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4
and IPv6 network, all IPv4 users are given access to the IPv6 network without modification
in the local IPv4-hosts (and vice versa). Equally, all hosts on the IPv6 network are given
access to the IPv4 hosts without modification to the local IPv6-hosts. This is accomplished
with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions
are initiated across IPv4-IPv6 boundaries
(Reference: http://www.ietf.org/rfc/rfc4966.txt and

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_white_pap
er09186a008011ff51_ps6640_Products_White_Paper.html)
Question 110 (posted at http://www.digitaltut.com/nat-questions)
Which NAT command to disable dynamic ARP learning on an interface?
A. R(config-if)# ip nat enable

B. R(config-if)# ip nat inside
C. R(config-if)# ip nat outside
D. R(config)# ip nat service
E. R(config)# ip nat allow-static-host
Answer: E
Explanation
The ―ip nat allow-static-host‖ command enables static IP address support. Dynamic Address
Resolution Protocol (ARP) learning will be disabled on this interface, and NAT will control
the creation and deletion of ARP entries for the static IP host.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-
4/nat-12-4-book/iadnat-addr-consv.html
Question 136
Which feature or technology is supported with stateful NAT64?
A. FTP and ICMP on an application layer gateway

B. VFR
C. IP multicast
D. NAT44 and NAT64 on the same interface
Answer: B
Explanation
When Stateful NAT64 is configured on an interface, Virtual Fragmentation Reassembly

(VFR) is configured automatically. Virtual fragmentation reassembly (VFR) enables the
Cisco IOS Firewall to create the appropriate dynamic ACLs, thereby, protecting the network
from various fragmentation attacks.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-
3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf
Question 137
What does stateful NAT64 do that stateless NAT64 does not do?
A. Stateful NAT64 maintains bindings of IPv4 to IPv6 link-local addresses

B. Stateful NAT64 translates IPv4 to IPv6
C. Stateful NAT64 translates IPv6 to IPv4
D. Stateful NAT64 maintains bindings or session state while performing translation
Answer: D
Explanation
Address Family Translation (AFT) using NAT64 technology can be achieved by either
stateless or stateful means:
+ Stateless NAT64 is a translation mechanism for algorithmically mapping IPv6 addresses to
IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it does not maintain
any bindings or session state while performing translation, and it supports both IPv6-
initiated and IPv4-initiated communications.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation. It supports
both IPv6-initiated and IPv4-initiated communications using static or manual mappings.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/white_paper_c11-676278.html
================= AAA Questions =================
Question 8
What are two options for authenticating a user who is attempting to access a network device?
(Choose two)
A. CHAP
B. RADIUS
C. 802.1x
D. PAP
E. TACACS+
Answer: B E
Question 47
Which keyword of the AAA authentication PPP command supports PAP only?
A. line
B. krb5
C. local
D. local-case
E. enable
Answer: B
Explanation
Kerberos 5 is only supported for PAP only.
Question 99
A network access serve using TACACAS+ for AAA operations receives an error message
from the TACACS+ server. Which action does the network access server take next?
A. It attempts to authenticate the user against RADIUS
B. It restarts and attempts to reconnect to the TACACS+ server
C. It rejects the user access request
D. It checks the method list for an additional AAA option
Answer: D
Explanation
The network access server will eventually receive one of the following responses from the
TACACS+ daemon:
a. ACCEPT—The user is authenticated and service may begin. If the network access server is
configured to requite authorization, authorization will begin at this time.
b. REJECT—The user has failed to authenticate. The user may be denied further access, or
will be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR—An error occurred at some time during authentication. This can be either at the
daemon or in the network connection between the daemon and the network access server. If
an ERROR response is received, the network access server will typically try to use an
alternative method for authenticating the user.
d. CONTINUE—The user is prompted for additional authentication information.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplu
s.pdf
Question 154
In which network environment is AAA with RADIUS most appropriate?
A. when Apple Talk Remote Access is in use

B. when NetBIOS Frame Control Protocol is in use
C. when users require access to only one device at a time
D. when you need to separate all AAA services
Answer: C
Explanation
RADIUS does not support the following protocols:

+ AppleTalk Remote Access (ARA)
+ NetBIOS Frame Control Protocol (NBFCP)
+ NetWare Asynchronous Services Interface (NASI)
+ X.25 PAD connections
Therefore both A and B are not correct.

TACACS+ (not RADIUS) strongly supports separate authentication, authorization and
accounting as separate and independent functions. RADIUS does not separate authentication
and authorization in its transaction -> D is not correct.
Therefore C is the best choice.
Question 165
A user is attempting to authentication on the device connected to a TACACS+ server but the
server require more information from the user to complete authentication. Which reponse
does the TACACS+ daemon return?
A. ACCEPT
B. ERROR
C. REJECT
D. CONTINUE
Answer: D
Explanation
The network access server will eventually receive one of the following responses from the
TACACS+ daemon:
a. ACCEPT—The user is authenticated and service may begin. If the network access server is
configured to requite authorization, authorization will begin at this time.
b. REJECT—The user has failed to authenticate. The user may be denied further access, or
will be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR—An error occurred at some time during authentication. This can be either at the
daemon or in the network connection between the daemon and the network access server. If
an ERROR response is received, the network access server will typically try to use an
alternative method for authenticating the user.
d. CONTINUE—The user is prompted for additional authentication information.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplu
s.pdf
Question 182
Which two statements about AAA with the local database are true? (Choose two)
A. The local database can serve only as a backup authentication method

B. It supports a limited number of usernames and passwords
C. Accounting is not supported locally
D. By default, it is queried before a TACACS+ or RADIUS server
E. Authorization is available only for one-time-use logins
Answer: B C
Explanation
While authentication can be done on the router for a limited number of user names, it might
make more sense and be much more scalable to use an AAA Server -> B is correct.
Reference:
https://www.cisco.com/c/en/us/td/docs/routers/10000/10008/configuration/guides/broadband/
bba/load.pdf
You can use the local database for CLI access authentication, privileged mode authentication,
command authorization, network access authentication, and VPN authentication and
authorization. You cannot use the local database for network access authorization. The local
database does not support accounting -> C is correct.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_
aaa.pdf
Question 247 (posted at Q.14 of http://www.digitaltut.com/new-route-questions)
Which two features does RADIUS combine? (Choose two)
A. telnet
B. SSH
C. Authentication
D. Authorization
E. Accounting
Answer: C D
Explanation
RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to
decouple authentication and authorization.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-
dial-user-service-radius/13838-10.html
================= NetFlow Questions =================
Question 68
A network engineer executes the ―show ip cache flow‖ command. Which two types of
information are displayed in the report that is generated? (Choose two)
A. top talkers
B. flow export statistics
C. flow sample for specific protocols
D. MLS flow traffic
E. IP packet distribution
Answer: C E
Explanation
Below is an example of the ―show ip cache flow‖ output:
Information provided includes packet size distribution (the answer says ―IP packet
distribution‖ but maybe it is ―IP packet size distribution‖); basic statistics about number of
flows and export timer setting, a view of the protocol distribution statistics and the NetFlow
cache.
Also we can see the flow samples for TCP and UDP protocols (including Total Flows,
Flows/Sec, Packets/Flow…).
Question 112
Where is the best place to position a NetFlow server?
A. Core edge
B. Access edge
C. WAN edge
D. Distribution edge
E. User edge
Answer: C
Explanation
NetFlow (network flow) is an input side-measurement technology that allows for capturing
the data required for network planning, monitoring, and accounting applications. NetFlow
should be deployed on edge/aggregation router interfaces for service providers or WAN
access router interfaces for Enterprise customers.
Reference: https://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-
NMS-bestpractice.html
Question 172 (same as Question 15 at http://www.digitaltut.com/netflow-questions)
Which two statements about NetFlow templates are true? (Choose two)
A. Only NetFlow version 9 is template based

B. NetFlow Version 5 and version 9 are template based
C. Only NetFlow version 5 is template based
D. Template can increased bandwidth usage
E. They can increase overall performance
F. They can reduce bandwidth usage
Answer: A D
Explanation
The distinguishing feature of the NetFlow Version 9 format is that it is template based ->
Answer A is correct.
Reference:
https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00
800a3db9.html
Export bandwidth increases for version 9 (because of template flowsets) versus version 5 ->
Answer D is correct.
Version 9 slightly decreases overall performance, because generating and maintaining valid
template flowsets requires additional processing -> Answer E is not correct.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfexpfv9.html
Question 197 (same as Q.13 at http://www.digitaltut.com/netflow-questions)
Where can NetFlow export data for long term storage and analysis?
A. syslog
B. collector
C. another network device
D. flat file
Answer: B
Explanation
NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and
storing the flows. Usually a collector is a separate software running on a network server.
NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).
Question 241 (posted at Q.16 of http://www.digitaltut.com/netflow-questions)
Which version or versions of NetFlow support MPLS?
A. all versions of NetFlow

B. NetFlow version 9
C. NetFlow version 8
D. NetFlow version 5
E. NetFlow version 8 and 9
Answer: B
Explanation
MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow
exports up to three labels of interest from the incoming label stack, the IP address associated
with the top label, as well as traditional NetFlow data.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf24.html
Question 242 (posted at Q.14 of http://www.digitaltut.com/netflow-questions)
Refer to the exhibit. How can you configure a second export destination for IP address
192.168.10.1?
configure terminal
ip flow-export destination 192.168.10.1 9991
ip flow-export version 9
A. Specify a different TCP port

B. Specify a different UDP port
C. Specify a VRF
D. Configure a version 5 flow-export to the same destination
E. Specify a different flow ID
Answer: B
Explanation
To configure multiple NetFlow export destinations to a router, use the following commands
in global configuration mode:
Step 1: Router(config)# ip flow-export destination ip-address udp-port

Step 2: Router(config)# ip flow-export destination ip-address udp-port
The following example enables the exporting of information in NetFlow cache entries:

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html
================= Troubleshooting Questions =================
Question 87
Which two commands would be used to troubleshoot high memory usage for a process?
(Choose two)
A. router#show memory allocating-process table

B. router#show memory summary
C. router#show memory dead
D. router#show memory events
E. router#show memory processor statistics
Answer: A B
Explanation
The ―show memory allocating-process table‖ command displays statistics on allocated

memory with corresponding allocating processes. This command can be also used to find out
memory leaks. A memory leak occurs when a process requests or allocates memory and then
forgets to free (de-allocate) the memory when it is finished that task.
Note: In fact the correct command should be ―show memory allocating-process totals‖ (not
―table‖)
The ―show memory summary‖ command displays a summary of all memory pools and
memory usage per Alloc PC (address of the system call that allocated the block). An example
of the output of this command is shown below:
Legend:
+ Total: the total amount of memory available after the system image loads and builds its
data structures.
+ Used: the amount of memory currently allocated.
+ Free: the amount of memory currently free.
+ Lowest: the lowest amount of free memory recorded by the router since it was last booted.
+ Largest: the largest free memory block currently available.
Note: The show memory allocating-process totals command contains the same information
as the first three lines of the show memory summary command.
An example of a high memory usage problem is large amount of free memory, but a small
value in the ―Lowest‖ column. In this case, a normal or abnormal event (for example, a large
routing instability) causes the router to use an unusually large amount of processor memory
for a short period of time, during which the memory has run out.
The show memory dead command is only used to view the memory allocated to a process
which has terminated. The memory allocated to this process is reclaimed by the kernel and
returned to the memory pool by the router itself when required. This is the way IOS handles
memory. A memory block is considered as dead if the process which created the block exits
(no longer running).
The command show memory events does not exist.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf013.h
tml and http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-
121-mainline/6507-mallocfail.html
Question 204
Which statement about conditional debugging is true?
A. It can support only one condition at a time

B. You can limit the output to a specific interface
C. It generates debug messages only for packets entering the router
D. It is limited to Ethernet, serial, and multilink interfaces
Answer: B
Explanation
When the Conditionally Triggered Debugging feature is enabled, the router generates
debugging messages for packets entering or leaving the router on a specified interface; the
router will not generate debugging output for packets entering or leaving through a different
interface. You can specify the interfaces explicitly. For example, you may only want to see
debugging messages for one interface or subinterface. You can also turn on debugging for all
interfaces that meet specified conditions. This feature is useful on dial access servers, which
have a large number of ports.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcnd
tr.html
Question 229 (posted at Q.6 of http://www.digitaltut.com/point-to-point-protocol)
Which two debug commands can you use to view issues with CHAP and PAP authentication?
(Choose two)
A. debug tacacs
B. debug ppp authentication
C. debug radius
D. debug aaa authentication
E. debug ppp negotiation
Answer: B E
================= Unicast Flooding Questions =================
Question 26
Which action can you take to mitigate unicast flooding in a network?
A. Configure VLANs to span multiple access-layer switches.

B. Implement a nonlooped network topology.
C. Set the ARP timer value to less than the CAM timer value.
D. Set the CAM timer value to less than the ARP timer value.
Answer: C
Question 106
Which three causes of unicast flooding are true? (Choose three)
A. forwarding table overflow

B. changes in STP topology
C. excess space in the forwarding table
D. consistent STP topology
E. asymmetric routing
F. symmetric routing
Answer: A B E
Explanation
The very cause of flooding is that destination MAC address of the packet is not in the L2
forwarding table of the switch. In this case the packet will be flooded out of all forwarding
ports in its VLAN (except the port it was received on). Below case studies display most
common reasons for destination MAC address not being known to the switch.
Cause 1: Asymmetric Routing

Cause 2: Spanning-Tree Protocol Topology Changes
Cause 3: Forwarding Table Overflow
For more information about three cases above please visit:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-
143.html
Question 131
What happens when unicast flood protection is triggered on a VLAN?
A. The VLAN is shut down

B. Traffic on the VLAN is load-balanced across multiple links
C The VLAN is removed from the VLAN database
D. Traffic on the VLAN is passed to another VLAN with lower load
Answer: A
Explanation
In short, unicast flood protection feature allows the switch to monitor the amount of unicast
flooding per VLAN and take specified action if flooding exceeds specified amount. Actions
can be to syslog, limit or shutdown VLAN – the syslog being the most useful for flood
detection.
Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-
switches/23563-143.html
Question 140
Which adverse event can occur as a consequence of asymmetric routing on the network?
A. vulnerability to a main-in-the-middle attack

B. inadvertent HSRP active router preemption
C. errdisabled port
D. unicast flooding
Answer: D
Explanation
The very cause of unicast flooding is that destination MAC address of the packet is not in the
L2 forwarding table of the switch. In this case the packet will be flooded out of all forwarding
ports in its VLAN (except the port it was received on). Below case studies display most
common reasons for destination MAC address not being known to the switch.
Cause 1: Asymmetric Routing

Cause 2: Spanning-Tree Protocol Topology Changes
Cause 3: Forwarding Table Overflow
For more information about three cases above please visit:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-
143.html
Question 191 (nearly the same as Question 26 above)

How can you minimize unicast flooding in a network?
A. Configure HSRP on two routers, with one subnet preferred on the first router and a
different subnet preferred on the second router
B. Set the router‘s ARP timeout value to be the same as the timeout value for Layer 2
forwarding table entries
C. Set the router‘s ARP timeout value to greater than the timeout value for Layer 2
forwarding table entries
D. Set the router‘s ARP timeout value to less than timeout value for Layer 2 forwarding table
entries
Answer: B
Explanation
There are different approaches to limit the flooding caused by asymmetric routing. The
approach is normally to bring the router‘s ARP timeout and the switches‘ forwarding table-
aging time close to each other. This will cause the ARP packets to be broadcast. Relearning
must occur before the L2 forwarding table entry ages out.
Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-
switches/23563-143.html
================= Loop Prevention Questions =================
Question 139
Which of the following situations results in a routing loop?
A. when you implement noncontiguous IP routing blocks

B. when you have a single point of redistribution
C. when you have multiple points of redistribution
D. when you use NAT translation on the edge of your network
E. when you implement contiguous IP routing blocks
Answer: C
Question 155
Which three methods can a network engineer use to fix a metric-based routing loop in the
network? (Choose three)
A. Filter routes manually using prefix lists

B. Implement proper network summarization on key routing points
C. Utilize route database filters
D. Filter routes based on tags
E. Implement offset lists at network boundaries
F. Filter routes manually using distribute lists
Answer: D E F
================= Miscellaneous Questions =================
Question 23
Which command do you enter to filter only routing updates that are sent through interface
GigabitEthernet0/0?
A. R1(config-if)#passive-interface GigabitEthernet0/0.
B. R1(config-router)#no passive-interface GigabitEthernet0/0
C. R1(config-router)#passive-interface GigabitEthernet0/0
D. R1(config-router)passive-interface default
E. R1(config-if)#passive-interface default
F. R1(config-router)#distribute-list 1 GigabitEthernet0/0 out
Answer: C
Explanation
In fact F is also a suitable answer but we don‘t know what ―distribute-list 1‖ contains so C is
a better answer.
Question 63
Given the network diagram, which address would successfully summarize only the networks
seen?
A. 192.168.0.0/24
B. 192.168.8.0/20
C. 192.168.8.0/21
D. 192.168.12.0/20
E. 192.168.16.0/21
F. These networks cannot be summarized.
Answer: C
Question 124
How big is the smallest packet that will always be fragmented on a standard Ethernet network
with default configuration?
A. 1500 bytes
B. 1800 bytes
C. 2048 bytes
D. 2100 bytes
Answer: B
Explanation
The packet with the size of 1500 bytes is the largest packet on a standard Ethernet network
(with default configuration) that is not fragmented. This includes 1460 byte frame plus 40
byte of two headers (20 bytes each). Therefore the next smallest packet that will be
fragmented in the above options is 1800 bytes.
Question 134
Which option is the best for protecting CPU ultilization on a device?
A. fragmentation
B. COPP
C. ICMP redirects
D. ICMP unreachable messages
Answer: B
Explanation
The Control Plane Policing (CoPP) policy is an important security feature that prevents
Denial of Service (DoS) attacks that can impact the supervisor module CPU.
CoPP protects the route processor on network devices by treating route processor resources
as a separate entity with its own ingress interface (and in some implementations, egress also).
Because of this behavior, a CoPP policy can be developed and applied only to those packets
within the control plane. Unlike interface ACLs, for example, no effort is wasted
investigating data plane (transit) packets that will never reach the control plane. This action
has a significant simplifying implication on the construction of policies for CoPP.
Refererence:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/best_practices/cli_mgmt_guid
e/cli_mgmt_bp/cpu.pdf and https://www.cisco.com/c/en/us/about/security-center/copp-best-
practices.html
Question 143
Which STP feature can reduce TCNs on ports that are connected to end devices?
A. BPDU guard
B. Root guard
C. PortFast
D. Backbone Fast
Answer: C
Explanation
In normal STP operation, a bridge keeps receiving configuration BPDUs from the root bridge
on its root port. But, it never sends out a BPDU toward the root bridge. In order to achieve
that, a special BPDU called the topology change notification (TCN) BPDU has been
introduced. Therefore, when a bridge needs to signal a topology change, it starts to send
TCNs on its root port. The designated bridge receives the TCN, acknowledges it, and
generates another one for its own root port. The process continues until the TCN hits the root
bridge. The bridge that notifies the topology change does not stop sending its TCN until the
designated bridge has acknowledged it.
The switch never generates a TCN when a port configured for Portfast goes up or down ->
Therefore PortFast can reduce TCNs on ports that are connected to end devices.
Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-
protocol/12013-17.html#anc12
Question 198
Which two causes of latency are true? (Choose two)
A. High bandwidth on a link

B. Split horizon
C. Propagation delay
D. Serialization delay
E. Under-utilization of a link
Answer: C D
Explanation
The most significant network factor in meeting the latency targets for TelePresence is
propagation delay, which can account for more than 90 percent of the network latency time
budget. Propagation delay is also a fixed component and is a function of the physical distance
that the signals have to travel between the originating endpoint and the receiving endpoint.
Reference: Ciso TelePresence Fundamentals Book
Propagation delay is the amount of time it takes for a single bit of data to get from one side
of a digital connection to the other. Propagation delay is usually close to the speed of light,
depending on the medium over which the packet is being carried (copper, fiber, and so on).
The propagation delay over a digital copper or fiber-optic connection is approximately 1 ms
per 100 miles. For example, the distance between New York and London is approximately
3500 miles. This means that the propagation delay between New York and London is
approximately 35 ms.
Three types of delay are inherent in today‘s telephony networks: propagation delay,
serialization delay, and handling delay (also called processing delay).
Serialization delay is the amount of time it takes to actually place a bit or byte onto an
interface. It is directly related to the clock rate on the interface.
Reference: http://www.ciscopress.com/articles/article.asp?p=606583
Question 231 (posted at Q.7 of http://www.digitaltut.com/miscellaneous-questions)

In which scenario can asymmetric routing occur?
A. active/active firewall setup

B. single path in and out of the network.
C. active/standby firewall setup
D. redundant routers running VRRP
Answer: D
Explanation
Asymmetric routing is the scenario in which outing packet is through a path, returning packet
is through another path. VRRP can cause asymmetric routing occur, for example:
R1 and R2 are the two routers in the local internal LAN network that are running VRRP. R1
is the master router and R2 is the backup router.
These two routers are connected to an ISP gateway router, by using BGP. This topology
provides two possible outgoing and incoming paths for the traffic.
Suppose the outgoing traffic is sent through R1 but VRRP failover occurs, R2 becomes the
new master router -> traffic passing through R2 instead -> asymmetric routing occurs.
Question 61
The Cisco ASA 500 Series Security Appliances are built specifically for businesses with less
than 100 employees. What are three important benefits of this device? (Choose three)
A. business-grade firewall
B. premium support via SMART net
C. site-to-site VPN for remote offices
D. Cisco IOS software-based
E. email security
F. XML support
Answer: A C E
================= Drag and Drop Questions =================
Question 90
Drag and drop for adverse network conditions.

Answer:
Excessive unicast flooding condition: caused by including a host port in STP

Out-of-order packets: potential result of disabling FIFO
TCP starvation: potential effect of excessive UDP traffic on link
Asymmetric routing: cause of inconsistent traffic patterns
Latency: condition in which packets require an excessive length of time to traverse a switch
Explanation
The most common reason for excessive unicast flooding in steady-state Catalyst switch
networks is the lack of proper host port configuration. Hosts, servers, and any other end-
devices do not need to participate in the STP process; therefore, the link up and down states
on the respective NIC interfaces should not be considered an STP topology change.
Question 91
Drag drop the correct descriptions on the right to the Frame Relay LMI extensions on the left.
Answer:
+ Address registration – It allows neighboring Cisco devices to exchange management IP

addresses
+ Global addressing – It enables the Frame Relay network to identify interfaces in the same
manner as a LAN
+ Multicasting – It provides the most efficient transmission of routing protocol messages and
supports address resolution
+ Simple flow control – It supports devices that are unable to use congestion notification
+ Virtual circuit status messages – It prevents data from being transmitted into black holes
Question 92
Drag the descriptions on the left to the appropriate group on the right.
Answer:
Authentication:
+ supports a local database for device access
+ supports encryption
Authorization:
+ specifies a user‘s specific access privileges
+ enforces time periods during which a user can access the device
Accounting:
+ not supported with local AAA
+ verifies network usage
Explanation
AAA offers different solutions that provide access control to network devices. The following
services are included within its modular architectural framework:
+ Authentication – The process of validating users based on their identity and predetermined
credentials, such as passwords and other mechanisms like digital certificates. Authentication
controls access by requiring valid user credentials, which are typically a username and
password. With RADIUS, the ASA supports PAP, CHAP, MS-CHAP1, MS-CHAP2, that
means Authentication supports encryption.
+ Authorization – The method by which a network device assembles a set of attributes that
regulates what tasks the user is authorized to perform. These attributes are measured against a
user database. The results are returned to the network device to determine the user‘s
qualifications and restrictions. This database can be located locally on Cisco ASA or it can be
hosted on a RADIUS or Terminal Access Controller Access-Control System Plus
(TACACS+) server. In summary, Authorization controls access per user after users
authenticate.
+ Accounting – The process of gathering and sending user information to an AAA server
used to track login times (when the user logged in and logged off) and the services that users
access. This information can be used for billing, auditing, and reporting purposes.
Question 93
Drag drop about AAA commands.
Answer:
+ if authenticated – It allows the user to perform the requested function once authenticated
+ none – It instructs the network access server to proceed without requesting authorization
information
+ local – It provides authorization for a limited set of functions only
+ krb5-instance – It uses a defined instance for authorization
+ group radius – It uses authorization information from a standards based server
+ group tacas+ – It uses authorization information stored as attribute value pair in a Cisco
proprietary server
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathe
n.html
Question 116
Refer to the exhibit. You are configuring the R1 Serial0 interface for a multipoint connection.
Drag and drop the required configuration statements from the left onto the corresponding
locations from the diagram on the right.
Answer:
interface Ethernet0
ip address 10.1.1.2 255.255.255.0
interface Serial0
! Serial interface config
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
! subinterface config
interface Serial0.1 multipoint
ip address 192.168.1.5 255.255.255.240
frame-relay map ip 192.168.1.1 100 broadcast
Question 132
Drag and drop the GRE features from the left onto the correct description on the right.
Answer:
+ mGRE: technology that supports dynamic tunnel endpoints

+ IPSec: encryption protocol used to source tunnels
+ Keepalive: technology that prevents one side of the tunnel from going down while the other
stays up
+ Tunnel Key: clear-text password that confirms the peer connection
+ MSS: configurable value that prevents an interface from sending packets that are too large
for the tunnel
Question 206
Drag and drop the AAA features from the left onto the correct description on the right.
Answer:
+ Authentication: challenge and response operation
+ Accounting: feature that logs network usage
+ TACACS+: authentication method that uses TCP
+ RADIUS: authentication method that uses UDP
+ Authorization: controls specific access privileges of a user
Question 208 (posted at Q.13 of http://www.digitaltut.com/drag-and-drop)
Drag and drop each statement about uRPF on the left to the correct uRPF mode on the right.
Answer:
Loose Modes:
+ It supports using the default route as a route reference
+ It requires the source address to be routable
Strict Modes:
+ It can drop legitimate traffic
+ It permits only packets that are received on the same interface as the exit interface for the
destination address
Question 217 (posted at Q.33 http://www.digitaltut.com/new-route-questions-part-4)
Refer to the exhibit. You are configuring the R1 Serial0 interface for a point-to-point
connection. Drag and drop the required configuration statements from the left onto the correct
locations from the diagram on the right. Not all commands are used.
Answer:
A – no ip address
B – interface serial0.1 point-to-point
C – frame-relay interface-dlci 100 ppp virtual-template1
D – ppp authentication chap
Explanation
It is a general best practice to not mix TCP-based traffic with UDP-based traffic (especially
Streaming-Video) within a single service-provider class because of the behaviors of these
protocols during periods of congestion. Specifically, TCP transmitters throttle back flows
when drops are detected. Although some UDP applications have application-level
windowing, flow control, and retransmission capabilities, most UDP transmitters are
completely oblivious to drops and, thus, never lower transmission rates because of dropping.
When TCP flows are combined with UDP flows within a single service-provider class and
the class experiences congestion, TCP flows continually lower their transmission rates,
potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is
called TCP starvation/UDP dominance.
TCP starvation/UDP dominance likely occurs if TCP-based applications is assigned to the
same service-provider class as UDP-based applications and the class experiences sustained
congestion.
Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it
is beneficial to be aware of this behavior when making such application-mixing decisions
within a single service-provider class.
Reference:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/Qo
S-SRND-Book/VPNQoS.html
Question 235 (posted at Q.4 of http://www.digitaltut.com/drag-and-drop-2-2)
Drag and drop the statements from the left onto the correct IPv6 router security features on
the right.
Answer:
IPv6 Traffic Filter

+ It filters traffic on the interface level
+ It supports tagged ACLs
IPv6 Access Classes

+ It controls traffic to and from the router
+ It requires the destination address for inbound traffic to be a local address
+ It filters management traffic
Drag and drop the statements about device security from the left onto the correct description
on the right.
Answer:
CoPP:
+ It protects the device against DoS attacks
+ It supports packet forwarding by reducing the load on the device
+ It uses QoS to limit the load on the device
MPP:
+ It designates the permitted management interfaces on the device
+ It is enabled only when an interface is configured
+ It requires only a single command to configure
Drag and drop the correct description on the right onto the corresponding ACL types on the
left.
Answer:
+ Dynamic: ACL that uses Telnet for Authentication

+ Extended: ACL type that should be placed closest to the traffic source
+ Reflexive: ACL that must be defined with a named ACL
+ Standard: ACL numbered from 1300 through 1999
+ Time-based: ACL that applied to traffic only during specifically defined periods
Explanation
The general rule when applying access lists is to apply standard IP access lists as close to the
destination as possible and to apply extended access lists as close to the source as possible.
The reasoning for this rule is that standard access lists lack granularity, it is better to
implement them as close to the destination as possible; extended access lists have more
potential granularity, thus they are better implemented close to the source.
Reflexive ACLs allow IP packets to be filtered based on upper-layer session information.

They are generally used to allow outbound traffic and to limit inbound traffic in response to
sessions that originate inside the router. Reflexive ACLs can be defined only with extended
named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with
other protocol ACLs. Reflexive ACLs can be used in conjunction with other standard and
static extended ACLs. Outbound ACL will have the ‗reflect‘ keyword. It is the ACL that
matches the originating traffic. Inbound ACL will have the ‗evaluate‘ keyword. It is the ACL
that matches the returning traffic.
Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release
11.1. This feature is dependent on Telnet, authentication (local or remote), and extended
ACLs.
Lock and key configuration starts with the application of an extended ACL to block traffic
through the router. Users that want to traverse the router are blocked by the extended ACL
until they Telnet to the router and are authenticated. The Telnet connection then drops and a
single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a
particular time period; idle and absolute timeouts are possible.
Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-
confaccesslists.html
Drag and drop the steps in the NAT process for IPv4-initiated packers from the left into the
correct sequence on the right.
Answer:
Step 1: The packet is routed to an NVI

Step 2: The packet is assigned a dynamic or static binding
Step 3: The IPV4 source address is translated to IPv6
Step 4: The translation information is used to create a session
Question 249 (posted at Q.8 of http://www.digitaltut.com/drag-and-drop)
Drag the items on the left to the proper locations on the right.
Answer:
+ network-specific stateful NAT64 prefix: IPv6 prefix assigned by an organization

+ NAT64 : supports application layer gateway
+ NPTv6 : translates 2001:1::/64 to 2001:2::/64
+ well-known stateful NAT64 prefix: supports IPv6 prefix 64:FF9B::/96
Explanation
NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). There are two different forms of NAT64, stateless and stateful:
+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps
no state. It does not save any IP addresses since every v4 address maps to one v6 address.
Stateless NAT64 does not conserve IP4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation (1:N translation). It
supports both IPv6-initiated and IPv4-initiated communications using static or manual
mappings. Stateful NAT64 converses IPv4 addresses.
NPTv6 stands for Network Prefix Translation. It‘s a form of NAT for IPv6 and it supports
one-to-one translation between inside and outside addresses
New ROUTE Questions

Question 1
Drag and drop the statements about NAT64 from the left onto the correct NAT64 types on
the right.
Answer:
Stateful:
+ It supports FTP64 for ALG
+ It supports PAT and overload
+ It allows IPv6 systems to use any type of IPv6 address
Stateless:
+ ALG is not supported
+ It supports one-to-one mapping only
+ It requires IPv6 systems to use RFC6052 IPv4-translatable addresses
Explanation
Differences Between Stateful NAT64 and Stateless NAT64 are shown below:
Supported
Stateful NAT64 Stateless NAT64
Features
N:1 mapping for PAT or overload
Address One-to-one mapping — one IPv4
configuration that saves IPv4
savings address is used for each IPv6 host
addresses
IPv6 systems must have IPv4-
IPv6 systems may use any type of
Address space translatable addresses (based on RFC
IPv6 addresses
6052)
ALGs
FTP64 None
supported
Protocols
ICMP, TCP, UDP All
supported
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-
3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf
Question 2
Which statement about the metric calculation in EIGRP is true?
A. The maximum delay along the path is used

B. The mean value of bandwidth between the source and destination is used
C. The minimum bandwidth between the source and destination is used
D. The minimum delay along the path is used
Answer: C
Question 3
Which two steps must you perform to allow access to a device when the connection to a
remote TACACS+ authentication server fails? (Choose two)
A. Include the local keyword in the AAA configuration

B. Configure a local username and password on the device
C. Configure the device to accept Telnet and SSH connections
D. Configure accounting to reference the log of previously authenticated connections
E. Remove the aaa new model command from the global configuration
Answer: A B
Question 4

ip vrf BLUE
ip vrf RED
!
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
!
ip vrf forwarding BLUE
ip address 10.1.2.1 255.255.255.0
Network users on the 10.1.2.0/24 subnet have a default gateway of 10.1.2.254. Which
command will configure this gateway?
A. router(config)#ip route vrf RED 0.0.0.0 0.0.0.0 10.1.2.254

B. router(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.254
C. router(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0/1
D. router(config)#ip route vrf BLUE 0.0.0.0 0.0.0.0 10.1.2.254
Answer: D
Question 5
Router# show processes cpu sorted

Router# show processes memory sorted
Based on Cisco best practice, which statement about the output is true?
A. The output should be analyzed by a network engineer before allocating additional memory
and CPU usage to processes on an IOS router in production
B. The output should be analyzed by a network engineer before executing any configuration
commands on an IOS router in production
C. The output should be analyzed by a network engineer before executing any debug
D. The output should be analyzed by a network engineer before executing other show
Answer: C
Question 6
Users were moved from the local DHCP server to the remote corporate DHCP server. After
the move, none of the users were able to use the network. Which two issues wil prevent this
setup from working properly? (Choose two)
A. Auto-QoS is blocking DHCP traffic

B. The DHCP server IP address configuration is missing locally
C. 802.1X is blocking DHCP traffic
D. The broadcast domain is too large for proper DHCP propagation
E. The route to the new DHCP server is missing
Answer: B E
Question 7
Which two statements about the OSPF down bit are true? (Choose two)
A. It is set only when an OSPF virtual link is created

B. It is set only for LSA types 1,2, and 4
C. It is set when OSPF routes are redistributed into BGP
D. It is set only for LSA types 3,5, and 7
E. It is set when MP-BGP routes are redistributed into OSPF
Answer: D E
Explanation
To prevent possibility of a loop, when the routes are redistributed from MP-BGP into OSPF,
then they are marked with a DN Bit in LSA Type 3, 5, or 7 and have the domain tag for Type
5 and 7 LSA.
Good reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-

ospf/118800-configure-ospf-00.html
Question 8
Which command can be entered on router R5 to configure 80 percent of the bandwidth of a

link for EIGRP Autonomous System 55?
A. R5(config-if)#ip bandwidth-percent eigrp 55 80

B. R5(config-pmap-c)#priori1y percent 80
C. R5(config-if)#ip bandwidth-percent eigrp 80 55
D. R5(config-if)#ipv6 bandwidth-percent eigrp 80 55
E. R5(config-if)#ipv6 bandwidth-percent eigrp 55 80
Answer: A
Question 9 (same as Q.12 at http://www.digitaltut.com/nat-questions)
Which two addresses types are included in NAT? (Choose two)
A. inside global
B. global outside
C. outside internet
D. inside internet
E. outside local
Answer: A E
Explanation
NAT use four types of addresses:
* Inside local address – The IP address assigned to a host on the inside network. The address
is usually not an IP address assigned by the Internet Network Information Center (InterNIC)
or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service
provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the
inside network.
* Outside global address – The IP address assigned to a host on the outside network. The
owner of the host assigns this address.
Question 10
Hostname R1
!
ip vrf Yellow
rd 100:1
interface Serial0/0
ip address 192.168.1.1 255.255.255.0
!
router eigrp 100
network 192.168.1.1 0.0.0.0
no auto-summary
redistribute static
!
R1#ping vrf Yellow 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.1.2, timeout is 2 second:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1 is configured with VRF-Lite and can ping R2. R2 is fully configured, but it has no active
EIGRP neighbors in vrf Yellow If the configuration of R2 is complete, then which issue
prevents the EIGRP 100 neighbor relationship in vrf Yellow from forming?
A. The no auto-summary command is preventing the EIGRP neighbor relationship from

forming
B. There is a Layer 1 issue that prevents the EIGRP neighbor relationship from forming
C. The interface IP addresses are not in the same subnet
D. EIGRP 100 network 192 168 1 0/24 is configured in the global routing table on R1
Answer: D
Explanation
The ―network 192.168.1.1 0.0.0.0‖ should be configured under vrf Yellow as follows:
router eigrp 100

address-family vrf Yellow
network 192.168.1.1 0.0.0.0
…
Question 11 (same as Q.1 of http://www.digitaltut.com/ospf-questions-3-2)
Which two LSA types were introduced to support OSPF for IPv6? (Choose two)
A. type 9
B. type 10
C. type 5
D. type 7
E. type 8
Answer: A E
Explanation
LSAs Type 8 (Link LSA) have link-local flooding scope. A router originates a separate link-
LSA for each attached link that supports two or more (including the originating router itself)
routers. Link-LSAs should not be originated for virtual links.
Link-LSAs have three purposes:

1. They provide the router‘s link-local address to all other routers attached to the link.
2. They inform other routers attached to the link of a list of IPv6 prefixes to associate with
the link.
3. They allow the router to advertise a collection of Options bits in the network-LSA
originated by the Designated Router on a broadcast or NBMA link.
LSAs Type 9 (Intra-Area Prefix LSA) have area flooding scope. An intra-area-prefix-LSA
has one of two functions:
1. It either associates a list of IPv6 address prefixes with a transit network link by referencing
a network-LSA…
2. Or associates a list of IPv6 address prefixes with a router by referencing a router-LSA. A
stub link‘s prefixes are associated with its attached router.
LSA Type 9 is breaking free of LSA Type 1 and LSA Type 2 as they were used in IPv4
OSPF to advertise the prefixes inside the areas, giving us a change in the way the OSPF SPF
algorithm is ran.
Reference (and for more information): http://packetpushers.net/a-look-at-the-new-lsa-types-

in-ospfv3-with-vyatta-and-cisco/
Question 12
Which two statements about DMVPN are true? (Choose two)
A. IPsec encryption not supported with statically addressed spokes

B. It requires full-mesh connectivity on the network
C. It uses NHRP to create a mapping database of spoke addresses
D. Multicast traffic is not supported
E. It supports dynamic addresses for spokes in a hub-and-spoke VPN topology
Answer: A C
Question 13
A netwoik engineer is configuring two dedicated Internet connections within the Internet
module One connection is the primary connection to all wired business communications
while Che other is the primary connection for all customer wireless traffic If one of the links
goes down, the affected traffic needs to be redirected to the redundant link Winch current
technology should be deployed to monitor the scenario?
A. IP SLA
B. MMC
C. IP SAA
D. PBR
E. IP QoS
Answer: A
Question 14
access-list 1 permit 10.1.1.0 0.0.0.255

Which command we use to control the type of routes that are processed in incoming route
updates?
A. passive-interface
B. distribute-list 1 out
C. distribute-list 1 in
D. ip vrf forwarding
Answer: C
Question 15
Which two types of traffic can benefit from LLQ? (Choose two)
A. email
B. voice
C. telnet
D. video
E. file transfer
Answer: B D
Question 16
A network administrator is attempting to configure IP SLA to allow one time stamp to be

logged when a packet arrives on the interface and one time stamp to be logged when a packet
leaves the interface. Which IP SLA accuracy tool enables this functionality?
A. Trap
B. RTT
C. Responder
D. Trigger
E. Logging
Answer: C
Explanation
Cisco IOS IP SLA Responder is a Cisco IOS Software component whose functionality is to
respond to Cisco IOS IP SLA request packets. The IP SLA source sends control packets
before the operation starts to establish a connection to the responder. Once the control packet
is acknowledged, test packets are sent to the responder. The responder inserts a time-stamp
when it receives a packet and factors out the destination processing time and adds time-
stamps to the sent packets. This feature allows the calculation of unidirectional packet loss,
latency, and jitter measurements with the kind of accuracy that is not possible with ping or
other dedicated probe testing
Reference:
https://www.cisco.com/en/US/technologies/tk869/tk769/technologies_white_paper0900aecd8
06bfb52.html
Question 17
Which two actions are common methods for migrating a network from one protocol to
another? (Choose two)
A. redistributing routes from the current routing protocol to the new routing protocol
B. removing the current routing protocol and implementing the new routing protocol
C. changing the relative administrative distances of the two routing protocols
D. changing the network IP addresses and bringing up the new IP addresses using the new
routing protocol
E. disabling IP routing globally and implementing the new routing protocol
Answer: A C
Question 18
Which statements best describes the following two OSPF commands, which are used to
summarize routes?
area 0 range 192.168.110.0 255.255.0.0

summary-address 192.168.110.0 255.255.0.0
A. The area range command defines the area where the network resides. The summary-
address command enables autosummanzation
B. The area range command defines the area where the network resides. The summary-
address command summarizes a subnet for an areas
C. The area range command specifies the area where the subnet resides and summarizes it to
other areas. The summary-address command summarizes external routes
D. The area range command summarizes subnets for a specific area. The summary address
command summaries a subnet for all areas
Answer: C
Explanation
An example of the use of ―area range‖ command is shown below:
In order to RTB summarizes routes for the 192.168.16.0/22 supernet before injecting them
into Area 0, we use the command:
Router(config-router)#area 10 range 192.168.16.0 255.255.252.0
An example of using the command ―summary-address‖ is shown below:

Recently the RIPv2 domain has been redistributed into our OSPF domain but the
administrator wants to configure a summarized route instead of 32 external type-5 LSAs (for
172.16.32.0/24 to 172.16.63.0/24) flooding into the OSPF network. In this case the
administrator has to use the ―summary-address‖ command as follows:
Router(config-router)#summary-address 172.16.32.0 255.255.224.0
Question 19
Which action is the most efficient way to handle route feedback when converting a RIPv2
network to OSPF?
A. Implement route tags

B. Implement IP prefix lists
C. Implement route maps with access lists
D. Implement distribute lists
Answer: A
Explanation
We should use route tag to tag any routes that are redistributed from RIPv2 to OSPF. Then
when redistributing from OSPF to RIPv2 we prevents these routes from getting back to
RIPv2 domain (route feedback) by the tags we set before.
Question 20
Which types of LSAs are present in the stub area?
A. LSA type 1, 2, 3, 4 and 5

B. LSA type 1, 2 and 3
C. LSA type 3 and 5
D. LSA type 1 and 2
Answer: B
Explanation
In the stub area no Type 5 AS-external LSA allowed. It only allows LSA type 1, 2 and 3.
Question 21
What is the hop count is advertised for an unreachable network by a RIP router that uses
poison reverse?
A. 16
B. 255
C. 0
D. 15
Answer: A
Question 22
aaa new-model
aaa authentication login default local-case enable
aaa authentication login ADMIN local-case
username CCNP secret Str0ngP@ssw0rd!
line 0 4
login authentication ADMIN
How can you change this configuration so that when user CCNP logs in, the show run
command is executed and the session is terminated?
A. Add the autocommand keyword to the aaa authentication command

B. Assign privilege level 15 to the CCNP username
C. Add the access-class keyword to the aaa authentication command
D. Assign privilege level 14 to the CCNP username
E. Add the access-class keyword to the username command
F. Add the autocommand keyword to the username command
Answer: F
Explanation
The ―autocommand‖ causes the specified command to be issued automatically after the user
logs in. When the command is complete, the session is terminated. Because the command can
be any length and can contain embedded spaces, commands using the autocommand keyword
must be the last option on the line. In this specific question, we have to enter this line
―username CCNP autocommand show running-config‖.
Question 23
router ospf 10
router-id 192.168.1.1
log-adjacency-changes
redistribute bgp 1 subnets route-map BGP-TO-OSPF
!
route-map BGP-TO-OSPF deny 10
match ip address 50
route-map BGP-TO-OSPF permit 20
!
access-list 50 permit 172.16.1.0 0.0.0.255
Which statement about redistribution from BGP into OSPF process 10 is true?
A. Network 172.16.1.0/24 is not redistributed into OSPF

B. Network 10.10.10.0/24 is not redistributed into OSPF
A. Network 172.16.1.0/24 is redistributed with administrative distance of 1
A. Network 10.10.10.0/24 is redistributed with administrative distance of 20
Answer: A
Explanation
The first statement of the above route-map will prevent network 172.16.1.0/24 from being
redistributed into OSPF.
Question 24
Which functions are included in the two-message rapid exchange that a DHCPv6 client can
receive from a server?
A. solicit and reply

B. advertise and request
C. solicit and request
D. advertise and reply
Answer: A
Explanation
DHCPv6 can be implemented in two ways : Rapid-Commit and Normal Commit mode.
In Rapid-Commit mode , the DHCP client obtain configuration parameters from the server
through a rapid two message exchange (solicit and reply).
In Normal-Commit mode, the DHCP client uses four message exchanges (solicit, advertise,
request and reply). By default normal-commit is used.
Reference: https://community.cisco.com/t5/networking-documents/part-1-implementing-
dhcpv6-stateful-dhcpv6/ta-p/3145631
Question 25
(exhibit missing)
Which key chain is being used for authentication of EIGRP adjacency between R4 and R2?
A. KEY
B. MD5
C. EIGRP
D. CISCO
Answer: D
Question 26
Which two statements about redistributing EIGRP into OSPF are true? (Choose two)
A. The redistributed EIGRP routes appear as type 3 LSAs in the OSPF database
B. The redistributed EIGRP routes appear as type 5 LSAs in the OSPF database
C. The administrative distance of the redistributed routes is 170
D. The redistributed EIGRP routes appear as OSPF external type 1
E. The redistributed EIGRP routes as placed into an OSPF area whose area ID matches the
EIGRP autonomous system number
F. The redistributed EIGRP routes appear as OSPF external type 2 routes in the routing table
Answer: B F
Question 27
A network engineer executes the show ip flow interface command. Which type of
information is displayed on the interface?
A. route cache information

B. IP Cisco Express Forwarding statistics
C. error statistics
D. NetFlow configuration
Answer: D
Explanation
The command ―show ip flow interface‖ displays NetFlow accounting configuration for
interfaces. Below is an example of the output of this command:
R1# show ip flow interface

GigabitEthernet0/0
ip flow ingress
ip flow egress
Question 28
Which two statements are differences between AAA with TACACS+ and AAA with
RADIUS? (Choose two)
A. Only RADIUS uses TCP

B. Unlike TACACS+, RADIUS sends packets with only the password encrypted.
C. Unlike TACACS+, RADIUS supports accounting and authorization only
D. Only TACACS+ uses TCP
E. Only TACACS+ combines authentication and authorization
Answer: B D
Question 29
Which IOS commands can you use to limit the CPU impact of log generation and
transmission on an IOS router?
A. You can use the ip access-list logging interval command in conjunction with the logging
rate-limit command.
B. You can use the ip access-list logging limit command in conjunction with the logging rate-
interval command.
C You can use the ip access-list syslog-logging interval command in conjunction with the
logging rate-limit command
D. You can use the ip access-list logged interval command in conjunction with the logged
rate-limit command.
Answer: A
Question 30
You are configuring a Microsoft client to call a PPP server using CHAP. Only the client will
be authenticated but the client‘s password has expired and must be changed. Which PPP
server configuration allows the call to be completed?
A. ppp authentication ms-chap callin

B. ppp authentication chap
C. ppp authentication ms-chap-v2 callin
D. ppp authentication chap callin
E. ppp authentication ms-chap-v2
Answer: C
Explanation
The MSCHAP Version 2 supports the Password Aging feature, which notifies clients that the
password has expired and provides a generic way for the user to change the password.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-
mt/sec-usr-aaa-15-mt-book/mschap_version_2.pdf
Note: The ―calling‖ keyword specifies that the router will refuse to answer CHAP
authentication challenges received from the peer, but will still require the peer to answer any
CHAP challenges the router sends -> Only the client will be authenticated.
Question 31
Which command creates a manual summary on an interface when using EIGRP?
A. area 100 range 172.32.0.0 255.255.254.0

B. summary-address eigrp 100 172.32.0.0 255.255.254.0
C. ip summary-address eigrp 100 172.32.0.0 255.255.254.0
D. ip summary-address 100 172.32.0.0 255.255 254.0
Answer: C
Question 32
A network engineer wants to implement an SNMP notification process for host machines
using the strongest security available. Which command accomplishes this task?
A. router(config)#snmp-server host 172.16.200.225 traps v2c auth

B. router(config)#snmp-server host 172 16.200.225 traps v1
C. router(config)#snmp-server host 172.16.200.225 traps v3
D. router(config)#snmp-server host 172.16.200.225 traps v2c
Answer: C
Explanation
Both SNMPv1 and v2 did not focus much on security and they provide security based on
community string only. Community string is really just a clear text password (without
encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and
interception.
SNMPv3 provides significant enhancements to address the security weaknesses existing in

the earlier versions. The concept of community string does not exist in this version. SNMPv3
provides a far more secure communication using entities, users and groups. This is achieved
by implementing three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: by using password hashing (based on the HMAC-MD5 or HMAC-SHA
algorithms) to ensure the message is from a valid source on the network.
+ Privacy (Encryption): by using encryption (56-bit DES encryption, for example) to
encrypt the contents of a packet.
Note: Although SNMPv3 offers better security but SNMPv2c however is still more common.
Question 33
Which issue is important to address when integrating two networks with different routing
protocol?
A. preventing UDP starvation

B. handing IPv4 fragmentation
C. controlling unicast flooding
D. mitigating UDP latency
E. preventing asymmetric routing
Answer: E
Question 34
Drag and drop the DMVPN components from the left onto the correct descriptions on the
right.
Answer:
hub – device that acts as the next-hop server

spoke – device that is usually identified with a dynamic address
mGRE – technology that allows one interface to support multiple tunnels
NHRP – protocol that allows spokes to communicate directly with one another
Question 35
%Interfact GigabitEthernet1: IPv4 disabled and address(es) removed due to enabling VRF
CUST_A
An engineer is enabling VPN service for a customer and notices this output when placing the
customer-facing interface into a VRF. Which action corrects the issue?
A. Reconfigure the IP address on Gigabit Ethernet 1

B. Disabling the VRF CUST_A
C. Reset interface Gigabit Ethernet 1
D. Enabling IPv6 on the interface
Answer: A
Explanation
If the interface was assigned an IP address before joining to an VRF then that IP address
would be removed so we have to reconfigure it.
Question 36
Which two statements about VRF-Lite configurations are true? (Choose two)
A. They support the exchange of MPLS labels

B. Different customers can have overlapping IP addresses on different VPNs
C. They support a maximum of 512,000 routes
D. Each customer has its own dedicated TCAM resources
E. Each customer has its own private routing table.
F. They support IS-IS
Answer: B E
Explanation
In VRF-Lite, Route distinguisher (RD) identifies the customer routing table and ―allows
customers to be assigned overlapping addresses‖. The below example shows overlapping IP
addresses configured on two interfaces which belong to two different VPNs:
Router(config)#ip vrf VRF_BLUE

Router(config-vrf)# exit
Router(config)#ip vrf VRF_GREEN
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip vrf forwarding VRF_BLUE
Router(config-if)# ip address 10.0.0.1 255.0.0.0
Router(config)# interface GigabitEthernet0/2
Router(config-if)# ip vrf forwarding VRF_GREEN
Router(config-if)# ip address 10.0.0.1 255.0.0.0
Question 37
Which two statements about PPPoE packet types are true? (Choose two)
A. PADR is a broadcast packet sent from the client to request a new server
B. PADI is an initialization packet sent as a broadcast message
C. PADO is a unicast reply packet sent to the client
D. PADO is a broadcast reply packet sent to the client
E. PADR is a unicast confirmation packet sent to the client
Answer: B C
Explanation
+ PPPoE Active Discovery Initiation (PADI): The client initiates a session by broadcasting
a PADI packet to the LAN to request a service.
+ PPPoE Active Discovery Offer (PADO): Any access concentrator that can provide the
service requested by the client in the PADI packet replies with a PADO packet that contains
its own name, the unicast address of the client, and the service requested. An access
concentrator can also use the PADO packet to offer other services to the client.
+ PPPoE Active Discovery Request (PADR): From the PADOs it receives, the client selects
one access concentrator based on its name or the services offered and sends it a PADR packet
to indicate the service or services needed.
+ PPPoE Active Discovery Session-Confirmation (PADS): When the selected access
concentrator receives the PADR packet, it accepts or rejects the PPPoE session:
– To accept the session, the access concentrator sends the client a PADS packet with a unique
session ID for a PPPoE session and a service name that identifies the service under which it
accepts the session.
– To reject the session, the access concentrator sends the client a PADS packet with a service
name error and resets the session ID to zero.
+ After a session is established, the client or the access concentrator can send a PPPoE Active
Discovery Termination (PADT) packet anytime to terminate the session. The PADT packet
contains the destination address of the peer and the session ID of the session to be terminated.
After this packet is sent, the session is closed to PPPoE traffic.
Question 38
Which two statements are examples of the differences between IPv4 and IPv6 EIGRP?
(Choose two)
A. Network command is used in IPv6

B. DUAL is not used for route calculations
C. DUAL is used for route calculations
D. IPv6 keyword is used in many EIGRP commands
E. Network command is not used in IPv6
Answer: D E
Explanation
Although the configuration and management of EIGRP for IPv4 and EIGRP for IPv6 are
similar, they are configured and managed separately. A few (not all) examples of differences
include these:
+ The network command is not used in IPv6; EIGRP is configured via links.
+ The ipv6 keyword is used in many of the EIGRP commands.
+ Needs to be explicitly enabled on each interface when configuring EIGRP.
Note:
The following are a few (not all) examples of similarities shared by IPv4 EIGRP and IPv6
EIGRP:
+ DUAL is used for route calculation and selection with the same metrics.
+ It is scalable to large network implementations.
+ Neighbor, routing, and topology tables are maintained.
+ Both equal-cost load balancing and unequal-cost load balancing are offered.
Reference: http://www.ciscopress.com/articles/article.asp?p=2137516&seqNum=4
Question 39
VRF SPOKE (VRF Id = 4): default RD

VRF HUB (VRF Id = 3): default RD 100:10;
200:20;
default VPNID <not set>
default VPNID <not set>
New CLI format, supports multiple address-
New CLI format, supports multiple
families
address-families
Flags: 0x180C
Flags: 0x180C
Interfaces:
Interfaces:
G1/1
G1/2
Address family ipv4 unicast (Table ID = 0x3)
Address family ipv4 unicast (Table ID = 0x4)
Flags: 0x0
Flags: 0x0
Export VPN route-target communities
Export VPN route-target communities
RT 100:10
RT 200:20
Import VPN route-target communities
Import VPN route-target communities
RT 100:10 RT 200:20
RT 200:20
No import route-map
No import route-map
No global export route-map
No global export route-map
No export route-map
No export route-map
VRF label distribution protocol: not
VRF label distribution protocol: not
configured
configured
VRF label allocation mode: per-prefix
VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID =
Address family ipv6 unicast (Table ID =
0x1E000001)
0x1E000001)
[Output omitted]
[Output omitted]
A network engineer is modifying configurations for a customer that currently uses VPN
connectivity between their sites The customer has added a new spoke site but it does not have
reachability to servers located at the hub. Based on the output which statement describes the
cause?
A. The interface of VRF HUB and VRF SPOKE do not match

B. The HUB VRF is not exporting Route-Target 200:20
C. The default VPNID is not set on VRF HUB or VRF SPOKE
D. The SPOKE VRF is not importing Route-Target 100:10
Answer: D
Question 40
Which statement about dynamic NAT is true?
A. It creates a one-to-one mapping of inside addresses to a global address

B. It uses the overload command to map addresses
C. It maps inside addresses to different port numbers
D. It maps inside addresses to a pool of global addresses
Answer: D
Question 41
Which statement about the IP SLA feature is true?
A. It ensures that there are appropriate levels of service for network applications
B. It classifies various traffic types by examining information within Layers 3 trough 7.
C. It measures how the network treats traffic for specific applications by generating traffic
that bears similar characteristics to application traffic
D. It keeps track of the number of packets and bytes that are observed in each flow by storing
information in a cache flow
Answer: C
Question 42
A network engineer is enabling conditional debugging and execute two commands: debug
condition interfaces serial0/0 and debug condition interfaces serial 0/1. Which debugging
output is displayed as a result?
A. Interface cannot be used as a debug condition.

B. Output is display for both specified interfaces.
C. Output is display for interface serial 0/1 only.
D. Output is display for interface 0/0 only.
Answer: B
Question 43
What is the DHCP option to download TFTP info to a Cisco phone?
A. option 57
B. option 82
C. option 66
D. option 68
Answer: C
Explanation
For Cisco phones IP addresses can be assigned manually or by using DHCP. Devices also
require access to a TFTP server that contains device configuration name files (.cnf file
format), which enables the device to communicate with Cisco Call Manager.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone
starts, if it does not have both the IP address and TFTP server IP address pre-configured, it
sends a request with option 150 to the DHCP server to obtain this information.
DHCP Option 150 is Cisco proprietary. The IEEE standard that matches with this
requirement is Option 66. Like option 150, option 66 is used to specify the Name of the
TFTP server.
Question 44
What type of address OSPFv3 uses to form adjacency and send updates?
A. FF02::5
B. link-local
C. IPv4 address
D. IPv6 address multicast
Answer: B
Question 45 (same as Question 7 of http://www.digitaltut.com/new-route-questions-part-2)
What security feature is supported across all SNMP version?
A. authpriv
B. noauthnopriv
C. authnopriv
D. noauthpriv
Answer: B
Question 46 (posted at Question 4 of http://www.digitaltut.com/ip-services-questions)
A network engineer executes the show crypto ipsec sa command. Which three pieces of
information are displayed in the output? (Choose three)
A. inbound crypto map

B. remaining key lifetime
C. path MTU
D. tagged packets
E. untagged packets
F. invalid identity packets
Answer: A B C
Explanation
This command shows IPsec Security Associations (SAs) built between peers. An example of
the output of above command is shown below:
Router#show crypto ipsec sa

interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
The first part shows the interface and cypto map name that are associated with the interface.
Then the inbound and outbound SAs are shown. These are either AH or ESP SAs. In this
case, because you used only ESP, there are no AH inbound or outbound SAs.
Note: Maybe ―inbound crypto map‖ here mentions about crypto map name.
Question 47
Drag drop about AAA.

Answer:
+ Auth-proxy: It returns information about hosts using proxy service

+ Commands: It returns information about individual EXEC commands and permissions
associated with a privilege level
+ Connection: It returns information about outbound communications from the network
access server
+ Exec: It returns information about user EXEC terminal sessions with the network access
server
+ Network: It returns information about SLIP, PPP and ARA sessions
+ Resources: It returns information about calls that have passed and failed user authentication
OSPF Evaluation Sim

http://www.digitaltut.com/ospf-evaluation-sim
Question 1
How old is the Type 4 LSA from Router 3 for area 1 on the router R5 based on the output
you have examined?
A. 1858
B. 1601
C. 600
D. 1569
Answer: A
Question 2
Which of the following statements is true about the serial links that terminate in R3?
A. The R1-R3 link needs the neighbor command for the adjacency to stay up
B. The R2-R3 link OSPF timer values are 30, 120, 120
C. The R1-R3 link OSPF timer values should be 10,40,40
D. R3 is responsible for flooding LSUs to all the routers on the network.
Answer: B
Question 3
How many times was SPF algorithm executed on R4 for Area 1?
A. 1
B. 5
C. 9
D. 20
E. 54
F. 224
Answer: C
Question 4
Areas of Router 5 and 6 are not normal areas, inspect their routing tables and determine
which statement is true?
A. R5‘s Loopback and R6‘s Loopback are both present in R5‘s Routing table
B. R5‘s Loopback and R6‘s Loopback are both present in R6‘s Routing table
C. Only R5‘s loopback is present in R5‘s Routing table
D. Only R6‘s loopback is present in R5‘s Routing table
E. Only R5‘s loopback is present in R6‘s Routing table
Answer: A
EIGRP Evaluation Sim

http://www.digitaltut.com/eigrp-evaluation-sim
Question 1
Traffic from R1 to R6′ s Loopback address is load shared between R1-R2-R4-R6 and R1-R3-
R5-R6 paths. What is the ratio of traffic over each path?
A. 1:1
B. 1:5
C. 6:8
D. 19:80
Answer: D
Question 2
What type of route filtering is occurring on R6?
A. Distribute-list using an ACL

B. Distribute-list using a prefix-list
C. Distribute-list using a route-map
D. An ACL using a distance of 255
Answer: A
Question 3
Which key chain is being used for authentication of EIGRP adjacency between R4 and R2?
A. CISCO
B. EIGRP
C. key
D. MD5
Answer: A
Question 4
What is the advertised distance for the 192.168.46.0 network on R1?
A. 333056
B. 1938688
C. 1810944
D. 307456
Answer: A
Question 5
What percent of R1‘s interfaces bandwidth is EIGRP allowed to use?
A. 10
B. 20
C. 30
D. 40
Answer: B
EIGRP OSPF Redistribution Sim

http://www.digitaltut.com/route-eigrp-ospf-redistribution-sim
Question
You are a network engineer with ROUTE.com, a small IT company. They have recently
merged two organizations and now need to merge their networks as shown in the topology
exhibit. One network is using OSPF as its IGP and the other is using EIGRP as its IGP. R4
has been added to the existing OSPF network to provide the interconnect between the OSPF
and EIGRP networks. Two links have been added that will provide redundancy.
The network requirements state that you must be able to ping and telnet from loopback 101
on R1 to the OPSF domain test address of 172.16.1.100. All traffic must use the shortest path
that provides the greatest bandwidth. The redundant paths from the OSPF network to the
EIGRP network must be available in case of a link failure. No static or default routing is
allowed in either network.
A previous network engineer has started the merger implementation and has successfully
assigned and verified all IP addressing and basic IGP routing. You have been tasked with
completing the implementation and ensuring that the network requirements are met. You may
not remove or change any of the configuration commands currently on any of the routers.
You may add new commands or change default values.
Policy Based Routing Sim

http://www.digitaltut.com/route-policy-based-routing-sim
Question
Company Acan has two links which can take it to the Internet. The company policy demands
that you use web traffic to be forwarded only to Frame Relay link if available and other
traffic can go through any links. No static or default routing is allowed.
IPv6 OSPF Virtual Link Sim

http://www.digitaltut.com/route-ipv6-ospf-virtual-link-sim
Question
Acme is a small export company that has an existing enterprise network that is running IPv6
OSPFv3. Currently OSPF is configured on all routers. However, R4‘s loopback address
(FEC0:4:4) cannot be seen in R1‘s IPv6 routing table. You are tasked with identifying the
cause of this fault and implementing the needed corrective actions that uses OSPF features
and does no change the current area assignments. You will know that you have corrected the
fault when R4‘s loopback address (FEC0:4:4) can be seen in the routing table of R1.
Special Note: To gain the maximum number of points you must remove all incorrect or
unneeded configuration statements related to this issue.
EIGRP Stub Sim

http://www.digitaltut.com/route-eigrp-stub-sim
Question
By increasing the first distant office, JS manufactures has extended their business. They
configured the remote office router (R3) from which they can reach all Corporate subnets. In
order to raise network stableness and lower the memory usage and broadband utilization to
R3, JS manufactures makes use of route summarization together with the EIGRP Stub
Routing feature. Another network engineer is responsible for the implementing of this
solution. However, in the process of configuring EIGRP stub routing connectivity with the
remote network devices off of R3 has been missing.
Presently JS has configured EIGRP on all routers in the network R2, R3, and R4. Your duty
is to find and solve the connectivity failure problem with the remote office router R3. You
should then configure route summarization only to the distant office router R3 to complete
the task after the problem has been solved.
The success of pings from R4 to the R3 LAN interface proves that the fault has been
corrected and the R3 IP routing table only contains two 10.0.0.0 subnets.
OSPF Sim
http://www.digitaltut.com/route-ospf-sim
Question
OSPF is configured on routers Amani and Lynaic. Amani‘s S0/0 interface and Lynaic‘s S0/1
interface are in Area 0. Lynaic‘s Loopback0 interface is in Area 2.
Your task is to configure the following:
Portland’s S0/0 interface in Area 1

Amani’s S0/1 interface in Area 1
Use the appropriate mask such that ONLY Portland’s S0/0 and Amnani’s S0/1 could be
in Area 1.
Area 1 should not receive any external or inter-area routes (except the default route).
EIGRP Simlet
http://www.digitaltut.com/route-eigrp-simlet
Question
Refer to the exhibit. BigBids Incorporated is a worldwide auction provider. The network uses
EIGRP as its routing protocol throughout the corporation. The network administrator does
not understand the convergence of EIGRP. Using the output of the show ip eigrp topology
all-links command, answer the administrator‘s questions.
Question 1
Which two networks does the Core1 device have feasible successors for? (Choose two)
A – 172.17.0.0/30
B – 172.17.1.0/24
C – 172.17.2.0/24
D – 172.17.3.0/25
E – 172.17.3.128/25
F – 10.140.0.0/24
Answer: A F
Question 2
Which three EIGRP routes will be installed for the 172.17.3.128/25 and 172.17.2.0/24
networks? (Choose three)
A – 172.17.3.128.25 [90/28160] via 172.17.1 2, 01:26:35, FastEthernet0/2

B – 172.17.3.128/25 [90/30720] via 172.17.3.2, 01:26:35, FastEthemet0/3
C – 172.17.3.128/25 [90/30720] via 172.17.10.2, 01:26:35, FastEthernet0/1
D – 172.17.2.0/24 [90/30720] via 172.17.10.2, 02:10:11, FastEthernet0/1
E – 172.17.2.0/24 [90/28160] via 172.17.10.2, 02:10:11, FastEthernet0/1
F – 172.17.2.0/24 [90/33280] via 172.17.3.2, 02:10:11, FastEthernet0/3
Answer: B C D
Question 3
Which three networks is the router at 172.17.10.2 directly connected to? (Choose three)
A – 172.17.0.0/30
B – 172.17.1.0/24
C – 172.17.2.0/24
D – 172.17.3.0/25
E – 172.17.3.128/25
F – 172.17.10.0/24
Answer: C E F

Most Popular Questions: Enable Secret 5 $1$Iujj$Cdz03Kkgh7Mhfx2Rsbdqp

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

Most Popular Questions: Enable Secret 5 $1$Iujj$Cdz03Kkgh7Mhfx2Rsbdqp

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Most Popular Questions: Enable Secret 5 $1$Iujj$Cdz03Kkgh7Mhfx2Rsbdqp

Uploaded by

Copyright:

Available Formats

Most Popular Questions

================= Router Questions =================

Question 192 (similar to Q.7 http://www.digitaltut.com/router-questions)

A. enable secret $abc%!e.Cd34$!ao0

For example, in the configuration command:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

When we tried to enter the command ―enable secret 7

A. console line password

A. The device must have an auxilary port

================= Access-list Questions =================

router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log

A. It prevents incoming traffic from IP address ranges 10.0.0.0 – 10.0.0.255, 172.16.0.0 –

Which two statements about IP access-lists are true? (Choose two)

A. ipv6 access-list VTY-ACCESS-IN

B. ipv6 access-list VTY-ACCESS-IN

C. ipv6 access-list VTY-ACCESS-IN

D. ipv6 access-list VTY-ACCESS-IN

E. ipv6 access-list VTY-ACCESS-IN

Question 213 (posted at Q.9 of http://www.digitaltut.com/access-list)

A. access-list 49 permit ip any any eq 21 tcp-ack

Suppose you only want to allow

access-list 100 permit tcp any any established

================= PPP Questions =================

Which PPP authentication method sends authentication information in cleartext?

R1(config)#username R2 password digitaltut1 R2(config)#username R1 password digitaltut2

Which two features were added in MSCHAP Version 2? (Choose two)

A. Backwards-compatibility with MSCHAP version 1

Question 240 (posted at Q.7 of http://www.digitaltut.com/point-to-point-protocol)

A. Its own hostname

================= PPPoE Questions =================

The picture below shows all configuration needed for PPPoE:

What configurations does PPPoE allow? (Choose two)

A. Client can be installed on the same network devices as server

The PPPoE client does not support the following:

Which feature can automatically assign IP addresses in a PPPoE environment?

The PPP negotiation includes the process of IP address assignment. An example of

A. peer default ip address pool

================= CEF Questions =================

Which Cisco Express Forwarding table or tables hold forwarding information?

A. FIB table only

A. CEF is unable to get routing information for this route.

================= Frame Relay Questions =================

Refer to the exhibit.

A. A routing loop is created.

A. Change the OSPF network type to nonbroadcast.

Frame Relay is a non-broadcast multi-access (NBMA) environment so when migrating to a

A. It requires the LMI type to be explicitly configured

LMI autosense is automatically enabled in the following situations:

Reference: CCIE Practical Studies: Security

A. Disable split horizon

A. Enable inverse ARP.

Question 201 (same as Q.29 at http://www.digitaltut.com/new-route-questions-part-4)

================= GRE Questions =================

Which value does a point-to-point GRE tunnel use to identify a peer?

A. The key ID must be the same on each device.

An example of using the tunnel keys is shown below:

Router(config)# interface tunnel 0

Question 224 (posted at Q.1 of http://www.digitaltut.com/gre-tunnel)