
New Updated Questions – Part 6

Question 1

Which tasks must you perform when configuring SSH? (Choose two)

A. Configure TACACS+
B. Configure hostname
C. Generate RSA key
D. Disable telnet

Answer: B C

Explanation

The Cisco configuration guide lists the following prerequisites for configuring the switch for Secure Shell (SSH):
– For SSH to work, the switch needs a Rivest, Shamir, and Adleman (RSA) public/private key pair. The same applies to Secure Copy Protocol (SCP), which relies on SSH for its secure transport.
– Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
– SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level; a user must have appropriate authorization to use SCP.
– A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
– The SSH server and the SSH client both require an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image, i.e. a crypto image.
– Configure a hostname and host domain for your device by using the "hostname" and "ip domain-name" commands in global configuration mode.

So the two tasks the question asks for are configuring a hostname (the RSA key pair is named hostname.domain-name unless you label it) and generating the RSA key pair. TACACS+ is optional, and Telnet is not disabled by enabling SSH: to actually refuse it you still have to restrict the VTY lines with "transport input ssh".

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-
0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-
x_cg_chapter_01001.html
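
As an added example (not from the Cisco guide referenced above, and more than the question requires), the following is a complete SSH-only management configuration that performs both required tasks and also deals with the two distractors: Telnet is removed from the VTY lines explicitly, because generating the key does not disable it, and TACACS+ is left out. Hostname, domain name, key label, management subnet and account name are assumed.

```cisco
! Hostname and domain first: the RSA key pair is named hostname.domain
! unless a label is given, and "crypto key generate rsa" refuses to run
! while the hostname is still "Router" or no domain name is set.
hostname R1
ip domain-name example.net
!
! 2048-bit modulus; a labelled key can be rotated without touching SSH.
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
!
! SSHv2 only, short login window, few attempts.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local administrator (assumed name), stored as an scrypt (type 9) hash.
username netadmin privilege 15 algorithm-type scrypt secret Str0ng-Passphrase!
!
! Only management hosts may reach the VTYs; every other attempt is logged.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! "transport input ssh" is what actually disables Telnet on the VTYs.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
```

Verify with "show ip ssh" (version 2.0, the retry and timeout values) and "show crypto key mypubkey rsa", then confirm that a Telnet connection to the device is refused.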

Question 2

Which two pieces of information can you determine from the output of the show ntp status
command?

A. The NTP version number of the peer
B. The configured NTP servers
C. The IP address of the peer to which the clock is synchronized
D. Where the clock is synchronized

Answer: C D

Explanation

Below is an example of the "show ntp status" command:

R1#show ntp status


Clock is synchronized, stratum 10, reference is 10.1.2.1
nominal freq is 250.0000 Hz, actual freq is 249.9987 Hz, precision is 2**18
reference time is D5E492E9.98ACB4CF (13:00:25.596 CST Wed Sep 18 2013)
clock offset is 15.4356 msec, root delay is 52.17 msec
root dispersion is 67.61 msec, peer dispersion is 28.12 msec

First we can see whether the local device has been synchronized or not from the line "Clock is synchronized" (or "Clock is unsynchronized") -> Answer D is correct.

In the same line we also see "reference is 10.1.2.1", which is the IP address of the peer to which the clock is synchronized. For example, in this case R1 has been configured with the command "R1(config)#ntp server 10.1.2.1" -> Answer C is correct. (The configured servers and each peer's NTP version are shown by "show ntp associations detail", not by "show ntp status".)

Question 3

You are implementing WAN access for an enterprise network that runs applications which require a fully meshed network. Which two design standards are appropriate for such an environment? (Choose two)

A. A centralized DMVPN solution to simplify connectivity for the enterprise
B. A dedicated WAN distribution layer to consolidate connectivity to remote sites
C. A collapsed core and distribution layer to minimize costs
D. Multiple MPLS VPN connections with static routing
E. Multiple MPLS VPN connections with dynamic routing

Answer: A B

Explanation

With DMVPN phase 2 and 3, spokes can build direct spoke-to-spoke tunnels, so they communicate as if they were directly connected in a meshed network while only the hub has to know every peer. This simplifies the connectivity for the enterprise -> Answer A is correct.

Another way to run applications that require a fully meshed network is through a WAN distribution layer that is connected to all remote sites. These sites can then communicate with each other via this WAN distribution layer -> Answer B is correct.

Question 4

Which task do you need to perform first when you configure IP SLA to troubleshoot a
network connectivity issue?

A. Specify the test frequency
B. Enable the ICMP echo operation
C. Schedule the ICMP echo operation
D. Verify the ICMP echo operation

Answer: B

Explanation

This question is a bit unclear but answer B is still the best choice here. "Enable the ICMP echo operation" probably means "Configure the ICMP echo operation", which requires the following commands:

configure terminal
ip sla operation-number
icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address |
hostname} | source-interface interface-name]
frequency seconds

Note: The "frequency" command is optional.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_icmp_echo.html

For example:

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#frequency 10

After that we can schedule the above ICMP echo operation with the command (for example):

R1(config)#ip sla schedule 1 life forever start-time now

Then we can verify the ICMP echo operation at the end with the commands "show ip sla group schedule" and "show ip sla configuration".

Question 5

Which technology can combine multiple physical switches into one logical switch?

A. HSRP
B. VSS
C. VRRP
D. NHRP

Answer: B

Question 6

Which two features are compatible with port security? (Choose two)

A. Voice VLAN
B. SPAN source port
C. DTP

Answer: A B

Explanation

Table 3 of the following link lists which features are compatible with port security feature:
https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/mult
ibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011111.html

Question 7

Which fallback method can you configure to allow all AAA authorization requests to be
granted if the other methods do not respond or return an error?

A. Radius
B. Enable
C. TACACS+
D. NONE

Answer: D

Explanation

The following example shows how to use a TACACS+ server to authorize the use of network services. If the TACACS+ server is not available or an error occurs during the authorization process, the fallback method (none) grants all authorization requests:

aaa authorization network default group tacacs+ none

Note that "none" is a fail-open design. It is only consulted when the preceding methods return an error or do not respond (an explicit deny from TACACS+ is final), but whenever it is consulted every request is authorized, so anyone who can cut the router off from its AAA servers gets full authorization. The usual alternative is a local fallback ("... group tacacs+ local") backed by a break-glass local account.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-cfg-authorizatn.html
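
As an added example (not from the Cisco AAA guide referenced above), here is the fail-open configuration the question describes next to a fail-safe version that falls back to the local database instead. Server address, shared key and user names are assumed.

```cisco
aaa new-model
!
tacacs server ISE-1
 address ipv4 10.0.0.10
 key Sh4redS3cret
 timeout 5
!
aaa group server tacacs+ TAC-SERVERS
 server name ISE-1
!
! WEAK (the question's scenario): "none" as the last method. It is reached
! only when the TACACS+ group does not answer or returns an error, but when
! it is reached every EXEC and command authorization request is granted.
! Anyone who can make the AAA servers unreachable gets unrestricted
! command authorization on the device.
aaa authorization exec default group TAC-SERVERS none
aaa authorization commands 15 default group TAC-SERVERS none
!
! HARDENED: fall back to the local database instead. A break-glass account
! (assumed name) still works during an AAA outage, but authorization is
! then based on that local user's privilege level, not granted blindly.
username breakglass privilege 15 algorithm-type scrypt secret Br34k-Gl4ss-Passphrase!
aaa authentication login default group TAC-SERVERS local
aaa authorization exec default group TAC-SERVERS local
aaa authorization commands 15 default group TAC-SERVERS local
```

"show aaa servers" reports whether each server is UP or DEAD, which is the state in which the last method of the list is what actually decides.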

Question 8

By default, what is the maximum number of equal-metric paths BGP uses for load balancing?

A. 4
B. 6
C. 8
D. 16

Answer: C

Explanation

The exam expects 8. Note, however, that BGP does no load balancing at all until the "maximum-paths" command is configured under the BGP process: by default only the single best path is installed in the routing table, and the number of equal-cost paths that can be installed (and its upper limit) is set by "maximum-paths" and depends on the platform.

Reference:
https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/bgp/maximum-
paths-bgp.html

Question 9

You track objects with IP SLA and want the tracked list to be up only if all tracked objects are up. Which method achieves that goal?

A. AND
B. OR
C. XOR
D. NOT

Answer: A

Explanation

track track-number list boolean {and | or}

This command configures a tracked list object and enters tracking configuration mode. The track-number can be from 1 to 500.

+ boolean – Specifies that the state of the tracked list is based on a Boolean calculation.
+ and – Specifies that the list is up if all objects are up, or down if one or more objects are down.
+ or – Specifies that the list is up if at least one object is up, or down if all objects are down.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12
-2_55_se/configuration/guide/3750xscg/sweot.pdf
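
As an added example serving both the IP SLA configuration steps in Question 4 and the Boolean tracked list in Question 9 (not from the Cisco documents referenced), two ICMP-echo probes feed one tracked list with "boolean and", and a static default route is kept only while both upstream targets answer. Addresses, interfaces and timers are assumed.

```cisco
! Probe 1 and probe 2: ICMP echo every 10 s, sourced from the uplink
! interface so the reply path is the one we care about.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
 threshold 500
 timeout 1000
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
 threshold 500
 timeout 1000
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
!
! One tracked object per probe. "reachability" tracks up/down only; the
! delays damp flapping (down after 15 s, back up only after 30 s).
track 11 ip sla 1 reachability
 delay down 15 up 30
track 12 ip sla 2 reachability
 delay down 15 up 30
!
! Boolean AND: the list is up only while EVERY member is up. With
! "boolean or" one healthy probe would keep the route installed.
track 100 list boolean and
 object 11
 object 12
!
! The primary default route is withdrawn when track 100 goes down;
! the floating static (AD 250) via the backup next hop then takes over.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 100
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
```

"show track 100" shows the list state and each member's state; "show ip sla statistics" shows the probe results that drive them.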

Question 10

PCA and PCB are separated by three routers, and the links between them have different MTU values. PCA wants to run an application with PCB and the DF bit is set. Which mechanism has to be chosen?

A. MSS
B. PMTU
C. GRE
D. ?

Answer: B

Question 11

Drag and Drop

TTL – when it reaches 0 the router drops the packet
ICMP Redirect – indicates to a host that another route is available for a specific destination
ICMP Unreachable – sent when the destination is unreachable, i.e. IP is unable to deliver a packet to the destination host due to some problem
?–?
?–?

Question 12

How to implement local authentication using a list for case insensitive usernames?

A. aaa authentication login default local
B. aaa authentication login default local-case

Answer: A

Explanation

Use the aaa authentication login command with the local method keyword to specify that the
Cisco router or access server will use the local username database for authentication. For
example, to specify the local username database as the method of user authentication at login
when no other method list has been defined, enter the following command:

aaa authentication login default local

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html

Note: The difference between the final keywords "local" and "local-case" is that the first one matches usernames in the local database case-insensitively, while the second one requires a case-sensitive username match. Both use the same local username database.

Question 13 (incomplete question)

Drag and drop about NHRP.

+ ip nhrp shortcut – configured on the spoke, which is responsible for rewriting the CEF entry after getting the redirect message from the hub
+ ip nhrp network-id – (?)
+ ip nhrp map – (?)
+ ip redirects – are disabled by default on a tunnel interface
+ ip nhrp responder – specifies which interface the Next Hop Server uses for the NHRP responder IP address
+ ip nhrp nhs – statically configures a Next Hop Server

The two remaining choices in the right-hand column are:

+ Enables NHRP shortcut switching on the interface
+ designates router XXX as the Next-hop server

but they cannot be matched with the two remaining options on the left.

Explanation

In fact "ip nhrp shortcut" should match both "configured on the spoke which is responsible to rewrite the CEF entry after getting the redirect message from hub" and "Enables NHRP shortcut switching on the interface", and "ip nhrp nhs" likewise matches "designates router XXX as the Next-hop server", so something is probably missing in this question.

Note: "ip redirects" (not "ip nhrp redirects") are disabled by default on a tunnel interface.

Question 14

Question about the IP SLA deployment cycle. Choose the best IP SLA deployment cycle that reduces deployment (Choose four)

A. baseline (network performance)
B. understand (network performance baseline)
C. Understand Quality results
D. quantify (results)
E. fine tune and optimize
F. Update Understanding

Answer: A B D E

Reference:
https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper090
0aecd8017f8c9.html

Question 15

What are two differences between SNMP traps and SNMP informs? (Choose two)

A. Only informs provide a confirmation of receipt
B. Traps are more reliable than informs because they generate PDUs from the network manager
C. Only informs are discarded after delivery
D. Only traps are discarded after delivery
E. Informs are more reliable than traps because they require TCP three-way handshake.

Answer: A D

Explanation

Traps are messages alerting the SNMP manager to a condition on the network. Informs are
traps that include a request for confirmation of receipt from the SNMP manager -> Answer A
is correct.

Traps are often preferred even though they are less reliable because informs consume more resources in the router and the network. Unlike a trap, which is discarded as soon as it is sent, an inform must be held in memory until a response is received or the request times out -> Answer D is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/12-
4t/snmp-12-4t-book/nm-snmp-cfg-snmp-support.html
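
As an added example (not from the Cisco SNMP guide referenced above), the same notifications are sent once as traps and once as informs, over SNMPv3 authPriv so that the manager is authenticated rather than trusted on the strength of a community string. Manager addresses, the remote engine ID, user name and passphrases are assumed.

```cisco
! SNMPv3 authPriv group and a local user, used for traps.
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-user NMS-GROUP v3 auth sha Auth-Passphrase priv aes 128 Priv-Passphrase
!
! Traps: one UDP datagram each, discarded as soon as it is sent. If the
! manager is down or the packet is lost, nobody ever finds out.
snmp-server host 10.0.0.20 traps version 3 priv nms-user config snmp
!
! Informs need a user keyed to the MANAGER's engine ID, because the
! manager authenticates the inform and the device verifies its response.
! The engine ID below is an assumed value; read it from the NMS.
snmp-server engineID remote 10.0.0.21 800000090300AABBCCDDEEFF
snmp-server user nms-user NMS-GROUP remote 10.0.0.21 v3 auth sha Auth-Passphrase priv aes 128 Priv-Passphrase
!
! Informs: held in memory until the response arrives or the retries are
! exhausted; "pending" bounds how many may be outstanding at once.
snmp-server host 10.0.0.21 informs version 3 priv nms-user config snmp
snmp-server inform retries 3 timeout 15 pending 25
!
! Which notifications are generated at all.
snmp-server enable traps config
snmp-server enable traps snmp linkdown linkup
```

"show snmp" includes the inform counters (sent, pending, retries, failed), and "show snmp pending" lists the informs currently held in memory, which is the resource cost the explanation above refers to.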

Question 16

Which protocol sorts out-of-order packets at the receiving end?

A. UDP
B. TCP
C. IP

Answer: B

Question 17

A router in an EVN environment is choosing a route. Which value is given the highest
selection priority?

A. IGP administrative distance of the route.
B. Replication status of the route
C. Vnet tag of the route
D. Default administrative distance of a route
E. Lexical value of the source VRF name

Answer: A

Question 18

Which two effects of asymmetric routing are true? (Choose two)

A. unicast flooding
B. uRPF failure
C. errdisabling of ports
D. port security violations
E. excessive STP reconvergence

Answer: A B

Explanation

The very cause of unicast flooding is that destination MAC address of the packet is not in the
L2 forwarding table of the switch. In this case the packet will be flooded out of all forwarding
ports in its VLAN (except the port it was received on). Below case studies display most
common reasons for destination MAC address not being known to the switch.

Cause 1: Asymmetric Routing (-> therefore the answer "unicast flooding" is correct)

The other causes described in that document (spanning-tree topology changes and forwarding-table overflow) are at:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router's choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network (-> therefore the answer "uRPF failure" is correct).

Reference: https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-
forwarding.html

Question 19

Which difference in the packet fragmentation feature between IPv4 and IPv6 devices is true?

A. Unlike IPv4 routers, IPv6 routers cannot fragment packets by default.
B. Only IPv6 packets can be fragmented at the destination.
C. Only IPv4 headers support the more fragments bit.
D. Only IPv6 headers support the DF bit

Answer: A

Explanation

With IPv4, every router can fragment packets, if needed. If a router cannot forward a packet
because the MTU of the next link is smaller than the packet it has to send, the router
fragments the packet. It cuts it into slices that fit the smaller MTU and sends it out as a set of
fragments. The packet is then reassembled at the final destination. Depending on the network
design, an IPv4 packet may be fragmented more than once during its travel through the
network.

With IPv6, routers do not fragment packets anymore; the sender takes care of it. Path MTU
discovery tries to ensure that a packet is sent using the largest possible size that is supported
on a certain route. The Path MTU is the smallest link MTU of all links from a source to a
destination.

Reference: https://www.oreilly.com/library/view/ipv6-essentials/0596001258/ch04s08.html

Question 20

What are limitations of Stateful NAT64? (Choose two)

A. No requirement on the nature of IPv6 address assignment
B. Lacks in end-to-end address transparency
C. Assures end-to-end address transparency and scalability
D. No state or bindings created on the translation

Answer: A B

Explanation

The two answers here are listed in the "Differences between Stateless NAT64 and Stateful NAT64" table at https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676277.html. Stateful NAT64 keeps a binding per flow, so the translator becomes a state-holding chokepoint and the IPv4 side never sees the original IPv6 address.

Question 21

What happens when a router receives a packet with a TTL of 0?

A. The router attempts to forward the packet along an alternate path in the route table
B. The router sends an ICMP Time Exceeded Message to the host that sent the packet
C. The router sends an ICMP Destination Unreachable Message to the host that sent the
packet
D. The router flags the packet and forwards it to the next hop

Answer: B

Explanation

RFC 791 requires that a router destroy any datagram with a TTL value of zero. Packets that
have been dropped due to the expiration of their TTL value are known as TTL expiry
packets. When an IP packet is received with a TTL less than or equal to one and is expected
to be forwarded by the router, the router is required to drop the packet and reply back to the
source with an ICMPv4 Type 11, Code 0 Time Exceeded message. In theory, upon receipt
of this message, the originating device should detect an issue—such as a routing problem
when sending to that particular destination, or an initial TTL value that is too low—and react
to overcome the problem.

Reference: https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html

Question 22

Which purpose of the AAA accounting feature is true when you use TACACS+
authentication?

A. It prompts users to change their passwords when they expire
B. It saves a timestamped record of user activity
C. It controls the activities that the user is permitted to perform
D. It verifies the user identity

Answer: B
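
As an added example covering Question 12 (case-sensitive local usernames) and this question (accounting), and not taken from the page's references: login authentication with "local-case" as the fallback, plus EXEC and command accounting so that a timestamped record of what each user did ends up on the TACACS+ server. Server address, key and user names are assumed.

```cisco
aaa new-model
!
tacacs server ISE-1
 address ipv4 10.0.0.10
 key Sh4redS3cret
aaa group server tacacs+ TAC-SERVERS
 server name ISE-1
!
! Q12: "local-case" makes the username comparison case-sensitive. With
! plain "local", a login as "Admin" or "ADMIN" is accepted for "admin".
username admin privilege 15 algorithm-type scrypt secret Str0ng-Passphrase!
aaa authentication login default group TAC-SERVERS local-case
aaa authentication enable default group TAC-SERVERS enable
!
! Q22: accounting. Start/stop records for every EXEC session and a record
! for every privilege-15 command, stamped and stored by the TACACS+ server
! (there is no local accounting method; the records leave the device).
aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 15 default stop-only group TAC-SERVERS
!
! Timestamp the local log too so syslog and the AAA records line up.
service timestamps log datetime msec localtime show-timezone
logging buffered 64000 informational
```

Accounting only records; it neither verifies identity (authentication) nor decides what may be run (authorization), which is why answers C and D describe the other two AAA functions.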

Question 23

Refer to the exhibit.

Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.1.1.1
It is an area border and autonomous system boundary router
Redistributing External Routes from,
bgp 800, includes subnets in redistribution
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.1.1.0 0.0.0.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)

Based on the output from the show ip protocols vrf RED command, what is happening with
the routing processes?

A. OSPF 1 is redistributing into BGP 800
B. Static routes are redistributed into OSPF 1
C. BGP 800 is redistributing into OSPF 1
D. Static routes are redistributed into BGP 800

Answer: C

Explanation

From the output we notice the line "Redistributing External Routes from bgp 800, includes subnets in redistribution", which means BGP 800 is being redistributed into OSPF 1 (configured with "redistribute bgp 800 subnets" under "router ospf 1").

Question 24

Which limitation is introduced when you deploy RIPv2 on a network that uses supernet
advertisement?

A. RIPv2 supports only classful supernet networks
B. RIPv2 supports only supernet component networks that use VLSM
C. Supernets are not supported in a RIPv2 environment
D. RIPv2 supports only classless supernet networks

Answer: A

Explanation

Supernet advertisement (advertising any network prefix shorter than its classful major network mask) is not allowed in RIP route summarization. For example, the following supernet summarization is invalid:

Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#ip summary-address rip 10.0.0.0 252.0.0.0

-> RIPv2 can only summarize down to the classful major network (here 10.0.0.0/8), which is what answer A refers to.

Question 25

When configuring DHCP on a Cisco router what is the function of DHCP Option 82?

A. wireless access point registration to the DHCP server
B. to be an IP DHCP relay agent
C. dynamic DHCP ARP inspection
D. IP DHCP snooping
E. Cisco phone registration to the DHCP server

Answer: B

Explanation

DHCP option 82 (the relay agent information option) provides additional security when DHCP is used to allocate network addresses. It enables the device to act as a DHCP relay agent that tags each forwarded client request with the port or circuit it arrived on, so that requests from untrusted sources can be identified and rejected.
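
As an added example (not from the page), an access switch inserts option 82 while snooping DHCP, and the upstream router relays the requests, inserts its own option 82 and accepts the switch's. VLAN numbers, interface names and the server address are assumed.

```cisco
! --- Access switch ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Insert the relay agent information option (circuit-id = switch/port,
! remote-id = switch MAC) into client DISCOVER/REQUEST before forwarding.
ip dhcp snooping information option
!
interface GigabitEthernet1/0/24
 description uplink towards relay router and DHCP server
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 description user port: untrusted, server replies arriving here are dropped
 ip dhcp snooping limit rate 10
!
! --- Relay router (default gateway for VLAN 10) ---
! Insert option 82 when relaying and validate it in the server's replies.
ip dhcp relay information option
ip dhcp relay information check
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.0.0.30
 ! Packets that already carry option 82 but have giaddr 0.0.0.0 (inserted
 ! by the L2 switch above) are dropped unless the interface is trusted.
 ip dhcp relay information trusted
```

"show ip dhcp snooping binding" on the switch and "show ip dhcp relay information trusted-sources" on the router confirm that the option is inserted and accepted.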

Question 26

Which feature is not supported when fast-switched PBR is in use?

A. the set ip next-hop interface command
B. matching IP addresses to a named ACL
C. matching IP addresses to a prefix list
D. the set ip default next-hop command

Answer: D

Explanation

IP PBR can now be fast-switched. Prior to Cisco IOS Release 12.0, PBR could only be
process-switched, which meant that on most platforms the switching rate was approximately
1000 to 10,000 packets per second. This speed was not fast enough for many applications.
Users that need PBR to occur at faster speeds can now implement PBR without slowing
down the router. Fast-switched PBR supports all of the match commands and most of the set commands, with the following restrictions:
+ The set ip default next-hop and set default interface commands are not supported.
+ The set interface command is supported only over point-to-point links, unless a route
cache entry exists using the same interface specified in the set interface command in the route
map.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.pdf

Question 27

Which type of Cisco Express Forwarding adjacency is created when the next hop is directly connected, but its MAC header rewrite information is missing?

A. punt
B. discard
C. null
D. glean

Answer: D

Explanation

Glean adjacency – in short, when the router is directly connected to hosts, the FIB on the router maintains a prefix for the subnet rather than for the individual host prefixes. This subnet prefix points to a GLEAN adjacency. A glean adjacency entry indicates that a particular next hop should be directly connected, but there is no MAC header rewrite information available. When the device needs to forward packets to a specific host on the subnet, Cisco Express Forwarding requests an ARP entry for the specific prefix, ARP resolves the MAC address, and the adjacency entry for the host is built.

Punt adjacency – when packets to a destination prefix can't be CEF switched, or the feature is not supported in the CEF switching path, the router falls back to the next slower switching mechanism configured on the router.

Question 28

Which protocols stop listening for and advertising updates on an interface when the passive-interface command is used? (Choose two)

A. OSPF
B. EIGRP
C. BGP
D. RIP
E. IS-IS

Answer: A B

Explanation

The "passive-interface ..." command in EIGRP or OSPF stops the protocol from sending and processing hello packets on that interface, so no neighbor relationship can form there; the interface's network is still advertised to neighbors on other interfaces.

In RIP, this command only stops the router from sending (multicast) updates out of that interface; it still listens to incoming updates from RIP-speaking neighbors on it. This means the router can still receive updates on the passive interface and use them in its routing table.

BGP has no "passive-interface" command (its peers are configured explicitly with "neighbor"). IS-IS does accept "passive-interface", but there it removes the interface from IS-IS entirely while still advertising its prefix; the exam's expected answers are OSPF and EIGRP.
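
As an added example (not from the page) of the hardening use of passive-interface: the adjacency-forming protocols may speak only on the uplinks, while user-facing and loopback interfaces are advertised but never exchange hellos. The RIP part shows the caveat described above, since passive only suppresses what RIP sends, so anything arriving on the passive interface has to be filtered separately. Interface names, router ID and networks are assumed.

```cisco
! OSPF: everything passive by default, then open only the two uplinks.
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.255.255.255 area 0
!
! EIGRP: same pattern; no hellos and therefore no adjacency on user VLANs.
router eigrp 100
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.0.0.0
!
! RIP: passive-interface only stops outgoing updates on Gi0/2. Updates
! that a host on that segment sends us would still be accepted, so an
! inbound distribute-list drops them.
ip prefix-list DENY-ALL seq 10 deny 0.0.0.0/0 le 32
router rip
 version 2
 passive-interface GigabitEthernet0/2
 distribute-list prefix DENY-ALL in GigabitEthernet0/2
 network 10.0.0.0
```

"show ip ospf interface brief" and "show ip eigrp interfaces" list only the interfaces on which the protocol is active, so a user-facing interface showing up there means the passive setting was missed.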

Question 29

Place the BGP commands to the proper locations

Answer:

+ show ip bgp: path selection values
+ show ip bgp summary: Memory usage
+ show ip route bgp: AD of BGP
+ show ip bgp neighbor: Notification, update…

Question 30

Which two statements about configuring OSPFv3 are true? (Choose two)

A. The OSPFv3 routing process must be explicitly configured and enabled
B. You can configure only one OSPFv3 instance per link
C. OSPFv3 requires network statements for IPv6 prefixes
D. OSPFv3 neighbors must be explicitly identified on NBMA interfaces
E. OSPFv3 interfaces must be explicitly configured and enabled

Answer: A D

Explanation

When using NBMA in OSPFv3, you cannot automatically detect neighbors. On an NBMA
interface, you must configure your neighbors manually using interface configuration mode.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-
1sg/ip6-route-ospfv3.html

Cisco IOS routers offer two OSPF configuration methods for IPv6:

+ Using the traditional "ipv6 router ospf" global configuration command. For example:

R1(config)# ipv6 router ospf 1
R1(config-rtr)# router-id 1.1.1.1
R1(config)# interface Ethernet0/0
R1(config-if)# ipv6 ospf 1 area 0

+ Using the new-style, address-family aware "router ospfv3" global configuration command. For example:

R1(config)# router ospfv3 1
R1(config-router)# router-id 1.1.1.1
R1(config)# interface Ethernet0/0
R1(config-if)# ospfv3 1 ipv4 area 0

In both styles the process is created explicitly in global configuration and then enabled per interface; there is no "network" statement -> Answer A is correct, and answer C is not correct because OSPFv3 does not require a "network" statement like OSPFv2 does.

Answer E seems to be correct too, since OSPFv3 runs only on the interfaces where it has been explicitly enabled.

Question 31

Refer to the exhibit.

access-list 1 permit 1.0.0.0 0.255.255.255
router rip
default-metric 1
redistribute eigrp 20
distribute-list 1 out eigrp 20

Which routes will be injected into the routing protocol?

A. the EIGRP 20 routes into RIP that match access-list 1
B. any routing update with a metric of 1
C. all RIP routes into EIGRP 20
D. the RIP routes into EIGRP 20 that match access-list 1

Answer: A

Explanation

The command "distribute-list 1 out eigrp 20" creates an outbound distribute-list that filters the routes being redistributed from EIGRP AS 20 into RIP according to ACL 1: only routes inside 1.0.0.0/8 are redistributed, and they enter RIP with the metric of 1 set by "default-metric 1".

Question 32

What is the range for private AS numbers?

A. 64512 to 65535
B. 1 to 64511
C. 1024 to 65535
D. 1 to 1024

Answer: A

Explanation

16-bit BGP AS number ranges: private ASNs 64512 – 65535, globally unique (publicly assigned) ASNs 1 – 64511. Private ASNs must be stripped before routes are announced to the Internet (for example with "neighbor ... remove-private-as").

Question 33

Which routing protocol searches for a better route through other autonomous systems to
achieve convergence?

A. Link-state
B. Hybrid
C. Path vector
D. Distance vector

Answer: C

Explanation

Path vector routing protocol (like BGP) can get information from other BGP autonomous
systems to find the best route.

Most Popular Questions

============= Router Questions =============

Question 192 (similar to Q.7 http://www.digitaltut.com/router-questions)

Which is the minimum privilege level to allow a user to execute all user-level commands but
prohibits enable-level commands by default?

A. level 1
B. level 0
C. level 16
D. level 15
E. level 14

Answer: A

Question 76

What command can you enter to configure an enable password that uses an encrypted password from another configuration?

A. enable secret $abc%!e.Cd34$!ao0
B. enable secret 7 Sabc%!e.Cd34$!ao0
C. enable secret 0 Sabc%U*.Cd34$!ao0
D. enable secret 5 $abc%!e.Cd34$!ao0
E. enable secret 15 $abc%ie.Cd34$!ao0
F. enable secret 6 $abc%!e.Cd34$!ao0

Answer: D

Explanation

To determine which scheme has been used to encrypt a specific password, check the digit
preceding the encrypted string in the configuration file. If that digit is a 7, the password has
been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.

For example, in the configuration command:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

The enable secret has been hashed with MD5, whereas in the command:

username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

the password has been encrypted using the weak reversible algorithm.

When we enter the "enable secret" command with a number after it, we tell IOS that the string that follows is already encrypted or hashed, so IOS stores it as-is instead of hashing it again.

In newer Cisco IOS (v15+), the device does not accept "enable secret 7" as an already-encrypted password. We tried this on Cisco IOS v15.4 and saw the following: when we entered the command "enable secret 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D", IOS rewrote it in the running-config as "enable secret 5 $1$dLq2$qgzb4bgdsasX8dx1oHOkD." (it treated the whole string as a clear-text password and hashed it). So if you paste an "enable secret 7 ..." command from an old Cisco IOS version, you can no longer log in with your original password.

Note: In fact there is a problem with answer D as well. When we entered the command in answer D, the router rejected the string because it is not a valid hash: IOS checks the format of a type-5 secret before accepting it. Answer D is still the best choice in this question.
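
As an added example (not from the page), here is how the enable secret is stored in the three forms discussed above and the form to use on current IOS, together with the level-15 and level-1 accounts that Questions 192 and 108 refer to. Passphrases are placeholders; the type-5 hash is the one from the Cisco example quoted above.

```cisco
! Type 5: salted MD5 ("$1$"). Produced by "enable secret <clear>" on older
! IOS and accepted when pasted back; IOS checks that the string is a
! well-formed MD5 hash, which is why the string in answer D was refused.
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
!
! Type 7 is reversible obfuscation, not a hash, and "enable secret" does
! not take it (IOS 15 treats "7 ..." as the clear text and hashes it).
! "enable password" has no effect while an enable secret exists; leave it
! out rather than carry a weakly obfuscated copy of a password.
!
! Type 9 (scrypt, IOS 15.3(3)M and later / IOS-XE): entered as clear text,
! stored as "enable secret 9 $9$...", and that stored line can be copied to
! another device unchanged.
enable algorithm-type scrypt secret Str0ng-Enable-Passphrase!
!
! Privilege-15 administrator and a privilege-1 operator (assumed names):
! the operator gets user-mode show commands only and cannot enter enable
! mode without the enable secret.
username netadmin privilege 15 algorithm-type scrypt secret Adm1n-Passphrase!
username viewer privilege 1 algorithm-type scrypt secret V1ewer-Passphrase!
!
! Obfuscates any remaining type-0 strings (line passwords, routing-protocol
! and key-chain keys) as type 7: this hides them from a glance at the
! config, it is not encryption.
service password-encryption
```

After "show running-config | include secret", every secret should start with "9 $9$"; a "5 $1$" that survives is a password that was never re-entered after the upgrade.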

Question 108

Which is the minimum privilege level at which a user can see all commands but cannot change anything?

A. 0
B. 1
C. 14
D. 15
E. 16

Answer: B

Question 183

Which password takes precedence if you configure multiple passwords for Telnet
connections to a Cisco IOS device?

A. console line password
B. enable secret password
C. enable password
D. aux line password

Answer: B

Question 190

Which condition must be met before you can configure SSH on a device running Cisco IOS?

A. The device must have an auxiliary port
B. The device must have a modem connection
C. The IOS must be a crypto image
D. Telnet must be disabled on the device

Answer: C

Explanation

To enable SSH on Cisco IOS, the image must include the crypto feature set; without it the "crypto key generate rsa" command, and therefore the SSH server, is not available.

Question 212

Which two statements about the enable secret and enable password commands are true?
(Choose two)

A. If both commands are missing from the global configuration, vty lines use the console
password
B. The enable secret command overrides enable password
C. The enable password command has a stronger encryption algorithm than enable secret
D. The enable secret command is backwards-compatible with more versions of IOS
E. The enable secret and enable password commands must be used together

Answer: A B

================= Access-list Questions =================

Question 1

What does the following access list, which is applied on the external interface FastEthernet
1/0 of the perimeter router, accomplish?

router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router(config)#access-list 101 permit ip any any
router(config)#interface FastEthernet 1/0
router(config-if)#ip access-group 101 in

A. It prevents incoming traffic from IP address ranges 10.0.0.0 – 10.0.0.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any intrusion attempts.
D. It prevents private internal addresses to be accessed directly from outside.

Answer: C

Explanation

Answer A is not correct because its 10.0.0.0 range is wrong: the wildcard 0.255.255.255 covers 10.0.0.0 to 10.255.255.255, not 10.0.0.0 to 10.0.0.255. Answer C describes what the list does: it is applied inbound on the Internet-facing interface, so packets arriving from outside with an RFC 1918 source address (which cannot legitimately originate on the Internet and are therefore spoofed) are dropped and logged, and everything else is allowed through. Note that "log" sends every matching packet to the CPU; on a busy edge, rate-limit ACL logging or drop the keyword from high-volume entries.

Question 9

Which two statements about IP access-lists are true? (Choose two)

A. IP access-lists without at least one deny statement permit all traffic by default.
B. Extended access-lists must include port numbers.
C. They support wildcard masks to limit the address bits to which entries are applies.
D. Entries are applied to traffic in the order in which they appear.
E. They end with an implicit permit.

Answer: C D

Question 69

Which two different configurations can you apply to a device to block incoming SSH access?
(Choose two)

A. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
ipv6 access-list VTY-ACCESS-IN out

B. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
ipv6 access-class VTY-ACCESS-IN out

C. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
ipv6 access-class VTY-ACCESS-IN in

D. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
interface Ethernet0/0
ipv6 traffic-filter VTY-ACCESS-IN in

E. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
interface Ethernet0/0
ipv6 traffic-filter VTY-ACCESS-IN out

Answer: C D

Explanation

The "ipv6 traffic-filter" command is used to filter IPv6 traffic flowing through an interface,
while the "ipv6 access-class" command is used to filter IPv6 traffic destined to the router (via
logical interfaces).

Question 213 (posted at Q.9 of http://www.digitaltut.com/access-list)

Which access list entry checks for an ACK within a packet TCP header?

A. access-list 49 permit ip any any eq 21 tcp-ack
B. access-list 49 permit tcp any any eq 21 tcp-ack
C. access-list 149 permit tcp any any eq 21 established
D. access-list 49 permit tcp any any eq 21 established

Answer: C

Explanation

The established keyword is only applicable to TCP access list entries. It matches TCP segments
that have the ACK and/or RST control bit set (regardless of the source and destination ports),
which implies that a TCP connection has already been established from the other direction.
Let's see an example below:

Suppose you only want to allow the hosts inside your company to telnet to an outside server
but not vice versa. You can simply use an "established" access-list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note:

Suppose host A wants to start communicating with host B using TCP. Before they can send
real data, a three-way handshake must be established first. Let‘s see how this process takes
place:

1. First host A will send a SYN message (a TCP segment with the SYN flag set to 1; SYN is
short for SYNchronize) to indicate it wants to set up a connection with host B. This message
includes a sequence (SEQ) number for tracking purposes. This sequence number can be any
32-bit number (range from 0 to 2^32), so we use "x" to represent it.

2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some
books may call it a "SYN/ACK" or "SYN, ACK" message. ACK is short for ACKnowledge).
This message includes a SYN sequence number and an ACK number:
+ The SYN sequence number (let's call it "y") is a random number and does not have any
relationship with host A's SYN SEQ number.
+ The ACK number is the next number after host A's SYN sequence number it received, so we
represent it with "x+1". It means "I received your part. Now send me the next part (x + 1)".

The SYN-ACK message indicates host B agrees to talk to host A (via the ACK part) and asks if
host A still wants to talk to it as well (via the SYN part).

3. After host A receives the SYN-ACK message from host B, it sends an ACK message
with ACK number "y+1" to host B. This confirms host A still wants to talk to host B.
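As an added example that is not part of the original page, the following Python model evaluates the perimeter access list from Question 1 and the "established" pair of access lists above the way IOS does: wildcard masks, first-match ordering with the implicit deny, and the ACK/RST test that the established keyword performs. The inside host 192.0.2.10, the outside telnet server 198.51.100.5 and the `Packet`/`Entry` classes are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# TCP control bits, as carried in the TCP header flags field
ACK = 0x10
RST = 0x04
SYN = 0x02


@dataclass
class Packet:
    """Constructed packet summary: only the fields an IOS ACL inspects."""
    proto: str                 # "ip" (any IP protocol), "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None
    flags: int = 0             # TCP control bits; 0 for non-TCP


@dataclass
class Entry:
    """One access-list entry, e.g. 'deny ip 10.0.0.0 0.255.255.255 any log'."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any IP protocol, "tcp" matches TCP only
    src: str                   # source network, or "any"
    src_wild: str = "0.0.0.0"  # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    eq: Optional[int] = None   # destination port, as in "eq 23"
    established: bool = False  # the "established" keyword
    log: bool = False


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: bits under a 0 in the mask must equal the network bits."""
    if net == "any":
        return True
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wild):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wild):
        return False
    if e.eq is not None and p.dport != e.eq:
        return False
    # "established": only TCP segments with ACK or RST set, i.e. replies within a
    # connection that was opened from the other side; a bare SYN never matches.
    if e.established and not (p.flags & (ACK | RST)):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Entries are tried in order; the first match decides. No match: implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# Question 1: access-list 101, applied inbound on the perimeter router's external interface.
ACL_101_PERIMETER = [
    Entry("deny", "ip", "10.0.0.0", "0.255.255.255", log=True),
    Entry("deny", "ip", "192.168.0.0", "0.0.255.255", log=True),
    Entry("deny", "ip", "172.16.0.0", "0.15.255.255", log=True),
    Entry("permit", "ip", "any"),
]

# The "established" example: ACL 100 inbound and ACL 101 outbound on S0/0.
ACL_100_IN = [Entry("permit", "tcp", "any", established=True)]
ACL_101_OUT = [Entry("permit", "tcp", "any", eq=23)]


def telnet_handshake(initiated_inside: bool) -> List[str]:
    """Run the three-way handshake through S0/0 and return each segment's verdict.
    Inside host 192.0.2.10 and outside telnet server 198.51.100.5 are constructed."""
    inside, outside = "192.0.2.10", "198.51.100.5"
    if initiated_inside:
        segments = [
            ("out", Packet("tcp", inside, outside, 23, SYN)),           # SYN, seq x
            ("in", Packet("tcp", outside, inside, 40000, SYN | ACK)),  # SYN-ACK, seq y, ack x+1
            ("out", Packet("tcp", inside, outside, 23, ACK)),          # ACK, ack y+1
        ]
    else:
        # An outside host trying to open telnet inwards: its SYN carries no ACK bit.
        segments = [("in", Packet("tcp", outside, inside, 23, SYN))]
    return [evaluate(ACL_100_IN if d == "in" else ACL_101_OUT, seg) for d, seg in segments]
```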

================= PPP Questions =================

Question 84

Which PPP authentication method sends authentication information in cleartext?

A. MS CHAP
B. CDPCP
C. CHAP
D. PAP
Answer: D

Explanation

Password Authentication Protocol (PAP) is a very basic two-way process. The username and
password are sent in plain text; there is no encryption or protection. If they are accepted, the
connection is allowed. The configuration below shows how to configure PAP on two routers:

R1(config)#username R2 password digitaltut1
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication PAP
R1(config-if)#ppp pap sent-username R1 password digitaltut2

R2(config)#username R1 password digitaltut2
R2(config)#interface s0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication PAP
R2(config-if)#ppp pap sent-username R2 password digitaltut1

Note: The PAP "sent-username" and password that each router sends must match those
specified with the "username ... password ..." command on the other router.

Question 107

Which two features were added in MSCHAP Version 2? (Choose two)

A. Backwards-compatibility with MSCHAP version 1
B. Using the MD5 hash for stronger security
C. Ability to change an expired password
D. Using three-way handshakes for authentication
E. Mutual authentication between peers

Answer: C E

Question 240 (posted at Q.7 of http://www.digitaltut.com/point-to-point-protocol)

Which value does a Cisco router use as its default username for CHAP authentication?

A. Its own hostname
B. chap
C. Cisco
D. ppp

Answer: A
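To show in code why PAP is the cleartext method (Question 84), how CHAP differs (challenge-response with the router's hostname as the default name, Question 240) and what a mutual exchange looks like (the property Question 107 credits MSCHAPv2 with), here is an added Python model; it is not code from the page or from Cisco IOS. The `Router` class, the frame strings, the "chap-shared" secret and the `secret_visible_on_wire` helper are constructed for illustration; the CHAP response itself follows RFC 1994 (MD5 over identifier, secret and challenge).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Router:
    hostname: str
    usernames: Dict[str, str]                       # "username <peer> password <secret>"
    wire: List[str] = field(default_factory=list)   # frames seen on the link for exchanges
                                                    # this router started (constructed)


def pap_authenticate(client: Router, server: Router, sent_username: str, password: str) -> bool:
    """PAP: the client sends its 'ppp pap sent-username' credentials once, unprotected."""
    client.wire.append(f"PAP Authenticate-Request name={sent_username} password={password}")
    ok = server.usernames.get(sent_username) == password
    client.wire.append("PAP Authenticate-Ack" if ok else "PAP Authenticate-Nak")
    return ok


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_authenticate(authenticator: Router, peer: Router, identifier: int = 1,
                      challenge: Optional[bytes] = None) -> bool:
    """One CHAP direction. The Name field each side sends is its hostname (the IOS
    default); the other side uses that name to look up the shared secret."""
    challenge = challenge if challenge is not None else os.urandom(16)
    authenticator.wire.append(f"CHAP Challenge id={identifier} value={challenge.hex()} "
                              f"name={authenticator.hostname}")
    # The peer never sends the secret itself, only a digest bound to this challenge.
    peer_secret = peer.usernames.get(authenticator.hostname, "")
    response = chap_response(identifier, peer_secret, challenge)
    authenticator.wire.append(f"CHAP Response id={identifier} value={response.hex()} "
                              f"name={peer.hostname}")
    expected = chap_response(identifier, authenticator.usernames.get(peer.hostname, ""),
                             challenge)
    ok = hmac.compare_digest(response, expected)   # constant-time comparison
    authenticator.wire.append("CHAP Success" if ok else "CHAP Failure")
    return ok


def chap_mutual(r1: Router, r2: Router) -> bool:
    """Two-way CHAP: each router challenges the other, so both ends are authenticated."""
    return chap_authenticate(r1, r2, identifier=1) and chap_authenticate(r2, r1, identifier=2)


def secret_visible_on_wire(router: Router, secret: str) -> bool:
    """Would a passive observer of the recorded frames learn the secret?"""
    return any(secret in frame for frame in router.wire)
```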

================= PPPoE Questions =================

Question 3

Which command instructs a PPPoE client to obtain its IP address from the PPPoE server? (Or:
what command is needed to get the IP address assigned from the PPPoE server?)

A. interface dialer
B. ip address negotiated
C. pppoe enable
D. ip address dhcp
E. ip address dynamic

Answer: B

Explanation

The picture below shows all configuration needed for PPPoE:

As we can see from the PPPoE Client configuration, to get the IP address assigned from the
PPPoE server the command "ip address negotiated" should be used. For more information
about PPPoE configuration please read our PPPoE tutorial.

Question 13

What configurations does PPPoE allow? (Choose two)

A. Client can be installed on the same network devices as server
B. 8 clients can be configured on 1 CPE
C. Clients can connect to multiple hosts over DMVPN
D. Client connecting over ATM PVC
E. Client installed on native IPv6 network

Answer: B C

Explanation

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html

The PPPoE client does not support the following:
+ More than ten clients per customer premises equipment (CPE) -> This means a CPE can
support up to 10 clients, so answer B is correct.
+ Coexistence of the PPPoE client and server on the same device -> answer A is not correct.

In the above link there is a topology that shows "DMVPN Access to Multiple Hosts from the
Same PPPoE Client" -> Answer C is correct.

Question 141

Which feature can automatically assign IP addresses in a PPPoE environment?

A. DHCP
B. BOOTP
C. PPP
D. APPA

Answer: C

Explanation

The PPP negotiation includes the process of IP address assignment. An example of
configuring automatic IP address assignment in a PPPoE environment is shown below:
Router:
interface Serial1/2
ip address negotiated
encapsulation ppp

Question 222

Which two commands must you configure in the calling router to support the PPPoE client?
(Choose two)

A. peer default ip address pool
B. mtu
C. bba-group pppoe
D. pppoe enable group
E. pppoe-client dial-pool-number

Answer: B E

Question 51 (posted at https://www.digitaltut.com/new-route-questions-part-5)

Which two facts must you take into account when you deploy PPPoE? (Choose two)

A. DDR idle timers must be configured to support VPDN login.
B. PPPoE supports a maximum of 10 clients per customer premises equipment
C. DDR is not supported
D. You must manually configure IP addresses on the PPPoE interface
E. An individual PVC can support one PPPoE client

Answer: B E

Explanation

The PPPoE Client DDR Idle Timer feature supports the dial-on-demand routing (DDR)
interesting traffic control list functionality of the dialer interface with a PPP over Ethernet
(PPPoE) client, but also keeps original functionality (PPPoE connection up and always on
after configuration) for those PPPoE clients that require it.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbpecls.html

But it is just an optional feature and we don't need DDR idle timers to be configured to
support VPDN login -> Answer A is not correct.

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html
The PPPoE client does not support the following:
+ More than ten clients per customer premises equipment (CPE) -> This means a CPE can
support up to 10 clients so answer B is correct.

DDR is supported in PPPoE since IOS v12.2 -> Answer C is not correct.

We can assign IP addresses via DHCP on the PPPoE interface -> Answer D is not correct.

Prior to Cisco IOS Release 12.4(15)T, one ATM PVC supported one PPPoE client. With the
introduction of the Multiple PPPoE Client feature in Cisco IOS Release 12.4(15)T, one ATM
PVC supports multiple PPPoE clients, allowing second line connection and redundancy.
Multiple PPPoE clients can run concurrently on different PVCs, but each PPPoE client must
use a separate dialer interface and a separate dialer pool. Therefore answer E is still correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/15-mt/bba-15-mt-book/bba-ppoe-client.pdf

================= CEF Questions =================

Question 29

Which Cisco Express Forwarding table or tables hold forwarding information?

A. FIB table only
B. adjacency tables only
C. FIB and adjacency tables only
D. FIB, RIB, and adjacency tables

Answer: C

Question 104

Which feature eliminates the need for Cisco Express Forwarding to maintain a route cache?

A. Adjacency table
B. RIB
C. FIB
D. MAC address table

Answer: C

Explanation

The two main components of Cisco Express Forwarding operation are the forwarding
information base (FIB) and the adjacency tables.
The forwarding information base (FIB) lookup table contains all known routes that exist in
the routing table; it eliminates the need for route cache maintenance.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/xe-3se/5700/isw-cef-xe-3se-5700-book/ipswitch_cisco_express_forwarding.pdf

Question 125

Which Cisco Express Forwarding component maintains Layer 2 next-hop addresses that are
used for hardware switching?

A. adjacency table
B. RIB
C. ARP table
D. FIB

Answer: A

Explanation

Nodes in the network are said to be adjacent if they can reach each other with a single hop
across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2
addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB
entries.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html

Question 163

Refer to the exhibit. What is indicated by the show ip cef command for an address?
A. CEF is unable to get routing information for this route.
B. CEF cannot switch packet for this route and passes it to the next best switching method.
C. A valid entry and is pointed to hardware based forwarding.
D. CEF cannot switch packet for this route and drops it.

Answer: B

Explanation

Glean adjacency – in short, when the router is directly connected to hosts, the FIB table on the
router will maintain a prefix for the subnet rather than for the individual host prefixes. This
subnet prefix points to a GLEAN adjacency.
Punt adjacency – When packets to a destination prefix can't be CEF switched, or the feature
is not supported in the CEF switching path, the router will then use the next slower switching
mechanism configured on the router.

Question 177

Which three algorithms can you configure with the ip cef load-sharing algorithm
command? (Choose three)

A. per-packet
B. Tunnel
C. per-destination
D. Universal
E. Per-source
F. Include-ports

Answer: B D F
Explanation

The following load-balancing algorithms are provided for use with Cisco Express Forwarding
traffic. You select a load-balancing algorithm with the ip cef load-sharing algorithm
command.
+ Original algorithm – The original Cisco Express Forwarding load-balancing algorithm
produces distortions in load sharing across multiple routers because the same algorithm was
used on every router. Depending on your network environment, you should select either the
universal algorithm (default) or the tunnel algorithm instead.
+ Universal algorithm – The universal load-balancing algorithm allows each router on the
network to make a different load sharing decision for each source-destination address pair,
which resolves load-sharing imbalances. The router is set to perform universal load sharing
by default.
+ Tunnel algorithm – The tunnel algorithm is designed to balance the per-packet load when
only a few source and destination pairs are involved.
+ Include-ports algorithm – The include-ports algorithm allows you to use the Layer 4
source and destination ports as part of the load-balancing decision. This method benefits
traffic streams running over equal cost paths that are not load shared because the majority of
the traffic is between peer addresses that use different port numbers, such as Real-Time
Protocol (RTP) streams. The include-ports algorithm is available in Cisco IOS Release
12.4(11)T and later releases.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-mt/isw-cef-15-mt-book/isw-cef-load-balancing.html#GUID-D545ACC1-258F-4073-BC8E-94EC30AAE924

================= Frame Relay Questions =================

Question 18

Refer to the exhibit.

A network engineer is working on the network topology and executes the command no ip
split horizon on interface S0/0 of the Hub router. What is the result of this command?
A. A routing loop is created.
B. Each of the spoke routers can see the routes that are advertised from the other spoke
routers.
C. The Spoke routers can see the routes that are advertised by the hub router.
D. The hub router can see the routes that are advertised by the spoke routers.

Answer: B

Question 21

If you convert a WAN connection with OSPF from T1 to a Frame Relay circuit, which two
actions must you take to enable the connection? (Choose two)

A. Change the OSPF network type to nonbroadcast.
B. Manually configure neighbors in the OSPF process.
C. Manually configure the hello and dead timers.
D. Change the OSPF network type to broadcast.
E. Change the OSPF network type to multipoint nonbroadcast.

Answer: A B

Explanation

Frame Relay is a non-broadcast multi-access (NBMA) environment, so when migrating to a
Frame Relay circuit we must change the OSPF network type to non-broadcast. This type of
network does not accept broadcast and multicast packets, so we must manually configure
neighbors for OSPF.

Question 46

Which two statements about Frame Relay LMI autosense are true on a router? (Choose two)

A. It requires the LMI type to be explicitly configured
B. It operates on Frame Relay DTE interfaces
C. It operates on Frame Relay DCE interfaces
D. It operates when the line is up but the line protocol is down
E. It requires the line protocol to be up

Answer: B D

Explanation

LMI autosense is automatically enabled in the following situations:
+ The router is powered up or the interface changes state to up
+ The line protocol is down but the line is up
+ The interface is a Frame Relay DTE
+ The LMI type is not explicitly configured on the interface

Reference: CCIE Practical Studies: Security

Question 72

In a point-to-multipoint Frame Relay topology, which two methods ensure that all routing
updates are received by all EIGRP routers within the Frame Relay network? (Choose two)

A. Disable split horizon
B. Create separate address ranges
C. Use subinterface
D. Use statically defined EIGRP neighbor on the site
E. Disable EIGRP out summary

Answer: A C

Explanation

Although we can use the "neighbor" command to set up an EIGRP neighbor relationship, the
routes cannot be advertised from the Hub to the Spokes because of the split horizon rule ->
Answer D is not correct.

To overcome the split horizon rule we can use subinterfaces, as each subinterface is treated
like a separate physical interface, so routing updates can be advertised back from the Hub to
the Spokes -> Answer C is correct.

Note: The split horizon rule states that routes will not be advertised back out the interface on
which they were received.

Question 77

In which two ways can split horizon issues be overcome in a Frame Relay network
environment? (choose two)

A. Configuring one physical serial interface with Frame Relay to various remote sites.
B. Configure a loopback interface with Frame Relay to various remote sites.
C. Configuring multiple subinterfaces on a single physical interface to various remote sites.
D. Enabling split horizon.
E. Disabling split horizon.

Answer: C E

Question 80
On which two types of interface is Frame Relay switching supported? (Choose two)

A. serial interfaces
B. Ethernet interfaces
C. fiber interfaces
D. ISDN interfaces
E. auxiliary interfaces

Answer: A D

Question 123

Which task must you perform to enable a point-to-point Frame Relay connection?

A. Enable inverse ARP.
B. Configure the encapsulation type.
C. Configure static address mapping.
D. Disable inverse ARP.

Answer: C

Question 201 (same as Q.29 at http://www.digitaltut.com/new-route-questions-part-4)

Which two statements about Frame Relay Point-to-Point connections are true? (Choose two)

A. Changing a point-to-point subinterface to a different type requires the device to be
reloaded.
B. They use two DLCIs to communicate with multiple endpoints over the Frame Relay cloud.
C. The device can establish a point-to-point connection to the cloud without a DLCI.
D. They can operate normally without a DLCI map.
E. Each physical interface that extends to the Frame Relay cloud can support a single SVC.

Answer: A B

================= GRE Questions =================

Question 53

Which value does a point-to-point GRE tunnel use to identify a peer?

A. MAC address
B. configured multicast address
C. DLCI
D. IP address
E. VC ID

Answer: D

Question 60

Which two statements about GRE tunnel interfaces are true? (Choose two)

A. A tunnel can be established when the source interface is in the up/down state
B. A tunnel destination must be routable, but it can be unreachable
C. To establish a tunnel the source interface must be a loopback
D. To establish a tunnel the source interface must be up/up state
E. A tunnel destination must be a physical interface that is on up/up state

Answer: B D

Explanation

A valid tunnel destination is one which is routable (which means the destination is present or
there is a default route in the routing table). However, it does not have to be reachable ->
Answer B is correct.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and
the destination must be reachable according to your own routing table.

Question 78

A network engineer has configured GRE between two IOS routers. The state of the tunnel
interface is continuously oscillating between up and down. What is the solution to this
problem?

A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable

Answer: A

Explanation
In this question only answer A is a reasonable answer. When the state of the tunnel interface
is continuously moving between up and down we must make sure the route towards the
tunnel destination address is good. If it is not good then that route may be removed from the
routing table -> the tunnel interface comes down.

Question 79

When the tunnel interface is configured in default mode, which statement about routers and
the tunnel destination address is true?

A. The router must have a route installed towards the tunnel destination
B. The router must have wccp redirects enabled inbound from the tunnel destination
C. The router must have cisco discovery protocol enabled on the tunnel to form a CDP
neighborship with the tunnel destination
D. The router must have redirects enabled outbound towards the tunnel destination

Answer: A

Explanation

The tunnel interface is configured in default mode means the tunnel has been configured as a
point-to-point (P2P) GRE tunnel. Normally, a P2P GRE Tunnel interface comes up (up/up
state) as soon as it is configured with a valid tunnel source address or interface which is up
and a tunnel destination IP address which is routable.

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the
up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in
recursion.

Therefore if a route towards the tunnel destination has not been configured then the tunnel is
stuck in up/down state.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

Question 184

Which two statements about GRE tunnel keys are true? (Choose two)

A. The key ID must be the same on each device.
B. They prevent the injection of unwanted frames.
C. They prevent the injection of unwanted packets.
D. They must be stored to a keychain.
E. They provide the highest level of security that is available.
Answer: A C

Explanation

An example of using the tunnel keys is shown below:

Router(config)# interface tunnel 0
Router(config-if)# tunnel source GigabitEthernet 0/0/0
Router(config-if)# tunnel destination 10.0.2.1
Router(config-if)# tunnel key 1000

The command "tunnel key <key-number>" uses the key-number argument to identify a
tunnel key that is carried in each packet. Tunnel ID keys can be used as a form of weak
security to prevent improper configuration or injection of packets from a foreign source (so E
is not correct).

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-3s/ir-xe-3s-book/ir-impl-tun-xe.html

The GRE Tunnel Key feature enables the encapsulation router to add a four-byte key, as part
of the GRE header, during encapsulation. In the decapsulation router, the GRE key of an
incoming packet should match the key value configured under the GRE tunnel. During
decapsulation, if a mismatch between the key value of the incoming GRE packet and the
key value configured under the GRE tunnel is identified, the incoming packet is
dropped.

Question 185

Refer to the exhibit.

R1(config)#interface Tunnel0
R1(config-if)#tunnel source 10.0.0.1
R1(config-if)#tunnel destination 10.0.0.2
R1(config-if)#ipv6 address k:k:k:k::1/64
R1(config-if)#ipv6 ospf 1 area 1
R1(config-if)#tunnel mode ipv6ip
!
R2(config)#interface Tunnel1
R2(config-if)#tunnel source 10.0.0.2
R2(config-if)#tunnel destination 10.0.0.1
R2(config-if)#ipv6 address k:k:k:k::2/64
R2(config-if)#ipv6 ospf 1 area 1
R2(config-if)#tunnel mode ipv6ip

A user calls from another branch office with a request to establish a simple VPN tunnel to
test a new router's tunneling capability. Based on the configuration in the exhibit, which type
of tunnel was configured?
A. IPsec site-to-site
B. 6to4
C. PPTP
D. EZVPN

Answer: B

The command "tunnel mode ipv6ip" is used to configure a manual IPv6 tunnel. In fact
without the keyword "6to4" (in "tunnel mode ipv6ip 6to4")

Question 224 (posted at Q.1 of http://www.digitaltut.com/gre-tunnel)

Refer to the exhibit. After configuring GRE between two routers running OSPF that are
connected to each other via a WAN link, a network engineer notices that the two routers
cannot establish the GRE tunnel to begin the exchange of routing updates. What is the reason
for this?

A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 57.

Answer: A

Explanation

GRE packets are encapsulated within IP and use IP protocol number 47.
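As an added illustration of the tunnel key check described under Question 184 and of the protocol number in Question 224 (not code from the page or from Cisco), this Python builds a GRE-in-IPv4 packet and decapsulates it the way the receiving tunnel endpoint would. `ipv4_header` writes a minimal header with a zero checksum, the inner ICMP packet and the 192.0.2.1/198.51.100.1 endpoints are constructed, and the GRE header layout follows RFC 2784/2890 (K bit set, 4-byte key after the protocol type).

```python
import socket
import struct
from typing import Optional

GRE_PROTOCOL = 47          # IP protocol number in the outer header (what an ACL must permit)
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an IPv4 payload
GRE_FLAG_CSUM = 0x8000     # C bit: 4-byte checksum/reserved field follows
GRE_FLAG_KEY = 0x2000      # K bit: 4-byte key follows (RFC 2890)
GRE_FLAG_SEQ = 0x1000      # S bit: 4-byte sequence number follows


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, checksum left at 0; constructed for illustration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gre_encapsulate(inner: bytes, key: Optional[int] = None) -> bytes:
    """GRE header: flags/version, protocol type, then the optional key."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)     # the key travels in the clear in every packet
    return hdr + inner


def build_tunnel_packet(outer_src: str, outer_dst: str, inner: bytes,
                        key: Optional[int] = None) -> bytes:
    """Encapsulation router: outer IPv4 header (protocol 47) + GRE header + inner packet."""
    gre = gre_encapsulate(inner, key)
    return ipv4_header(outer_src, outer_dst, GRE_PROTOCOL, len(gre)) + gre


def outer_protocol(packet: bytes) -> int:
    """The protocol field a firewall or ACL between the tunnel endpoints inspects."""
    return packet[9]


def gre_decapsulate(packet: bytes, configured_key: Optional[int]) -> Optional[bytes]:
    """Decapsulation router: return the inner packet, or None when it is dropped.
    configured_key is the 'tunnel key' value on the receiving tunnel interface (None if
    unset); any mismatch, including a key present on one side only, drops the packet."""
    if outer_protocol(packet) != GRE_PROTOCOL:
        return None
    ihl = (packet[0] & 0x0F) * 4
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if ptype != ETHERTYPE_IPV4:
        return None
    offset = 4
    if flags & GRE_FLAG_CSUM:
        offset += 4
    received_key = None
    if flags & GRE_FLAG_KEY:
        received_key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    if received_key != configured_key:
        return None
    return gre[offset:]


# Constructed inner packet: IPv4 header 10.1.1.1 -> 10.2.2.2 carrying an 8-byte ICMP echo stub.
INNER = ipv4_header("10.1.1.1", "10.2.2.2", 1, 8) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
```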

================= DMVPN Questions =================

Question 12

During which DMVPN phase is spoke-to-spoke communication enabled?

A. phase 2
B. phase 4
C. phase 5
D. phase 6
E. phase 1

Answer: A

Explanation

Both DMVPN Phase 2 and phase 3 support spoke to spoke communications (spokes talk to
each other directly). In this case there is only an option of phase 2 (not phase 3) so it is the
only correct answer.

Question 55

Which two statements about NHRP in a DMVPN environment are true? (Choose two)

A. It requires each endpoint to have a unique network ID
B. It routes traffic through the tunnel
C. It can identify PIM-SM RPs over a tunnel
D. It can authenticate VPN endpoints
E. It provides address resolution to route traffic

Answer: D E

Question 73

Which two phases of DMVPN allow the spoke sites to create dynamic tunnels to one another?
(Choose two)

A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4
E. Phase 5

Answer: B C

Question 83

Which Cisco VPN technology can use multipoint tunnels, resulting in a single GRE tunnel
interface on the hub, to support multiple connections from multiple spoke devices?

A. DMVPN
B. GETVPN
C. Cisco Easy VPN
D. FlexVPN

Answer: A

Explanation

An mGRE tunnel inherits the concept of a classic GRE tunnel but an mGRE tunnel does not
require a unique tunnel interface for each connection between Hub and spoke like traditional
GRE. One mGRE can handle multiple GRE tunnels at the other ends. Unlike classic GRE
tunnels, the tunnel destination for a mGRE tunnel does not have to be configured; and all
tunnels on Spokes connecting to mGRE interface of the Hub can use the same subnet.

For more information about DMVPN, please read our DMVPN tutorial.

Question 148

Which two statements about NAT in a DMVPN environment are true? (Choose two)

A. A hub router can be behind a dynamic NAT on a device
B. Spoke routers can reside only on the public side of a NAT device
C. Two spokes can establish session among themselves using PAT behind different NAT
devices
D. A spoke router can be represented by a static NAT on a device
E. A hub router can use static NAT for its public IP address

Answer: D E

Explanation
With the NAT-Transparency Aware DMVPN enhancement, NHRP can learn and use the
NAT public address for its mappings as long as IPsec transport mode is used (which is the
recommended IPsec mode for DMVPN networks).

With this NAT Transparency enhancement, the hub DMVPN router can be behind the static
NAT -> E is correct.

DMVPN spokes behind NAT will participate in dynamic direct spoke-to-spoke tunnels. The
spokes must be behind NAT boxes that are performing NAT, not PAT (so answer D is
correct). The NAT box must translate the spoke to the same outside NAT IP address for the
spoke-to-spoke connections as the NAT box does for the spoke-to-hub connection.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-dmvpn.html#GUID-284B12C0-9F18-42EE-9A77-29D368883C45

Question 166

Which security feature can protect DMVPN tunnels?

A. IPSec
B. TACACS+
C. RTBH
D. RADIUS

Answer: A

Explanation

In DMVPN we can use IPSec to encrypt the tunnel.

Question 174

Which condition prevents the establishment of a DMVPN tunnel between two spokes?

A. The two spokes have different tunnel keepalive settings
B. HSRP is enabled on the spoke devices
C. IPSec is enabled on the spoke devices
D. The two spokes are behind different PAT devices

Answer: D

Explanation
If one spoke is behind one NAT device and another different spoke is behind another NAT
device, and Peer Address Translation (PAT) is the type of NAT used on both NAT devices,
then a session initiated between the two spokes cannot be established.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-dt-spokes-b-nat.html

================= TCP UDP Questions =================

Question 16

Which three problems result from application mixing of UDP and TCP streams within a
network with no QoS? (Choose three)

A. starvation
B. jitter
C. latency
D. windowing
E. lower throughput

Answer: A C E

Explanation

When TCP is mixed with UDP under congestion, TCP flows will try to lower their
transmission rate while UDP flows continue transmitting as usual. As a result, UDP
flows will dominate the bandwidth of the link; this effect is called TCP starvation/UDP
dominance. It can increase latency and lower the overall throughput.

Question 31a

Which feature can mitigate fragmentation issues within network segments that are between
GRE endpoints?

A. PMTUD
B. ICMP DF bit
C. TCP Flow Control
D. TCP MSS

Answer: D (In fact A is correct too)

Explanation

The IP protocol was designed for use on a wide variety of transmission links. Although the
maximum length of an IP datagram is 65535, most transmission links enforce a smaller
maximum packet length limit, called an MTU. The value of the MTU depends on the type of
the transmission link. The design of IP accommodates MTU differences since it allows
routers to fragment IP datagrams as necessary. The receiving station is responsible for the
reassembly of the fragments back into the original full size IP datagram.

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a
standardized technique to determine the maximum transmission unit (MTU) size on the
network path between two hosts, usually with the goal of avoiding IP fragmentation.
PMTUD was originally intended for routers in IPv4. However, all modern operating systems
use it on endpoints.

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a
host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be
fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN
segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to
popular belief, the MSS value is not negotiated between hosts. The sending host is required to
limit the size of data in a single TCP segment to a value less than or equal to the MSS
reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does
not handle the case where there is a smaller MTU link in the middle between these two
endpoints. PMTUD was developed in order to avoid fragmentation in the path between the
endpoints. It is used to dynamically determine the lowest MTU along the path from a
packet's source to its destination.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
(there are some examples of how TCP MSS avoids IP fragmentation in this link, but they are
too long to include here, so please visit the link if you want to read them)

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.

Question 31b

Which feature mitigates fragmentation issues caused by endpoint hosts?

A. ICMP DF bit
B. TCP Flow Control
C. TCP MSS
D. PMTU

Answer: C

Question 45

What is the default maximum segment size for TCP traffic?

A. 536
B. 1492
C. 1500
D. 1508
E. 3340
F. 4096

Answer: A

Question 57

Which two protocols can cause TCP starvation? (Choose two)

A. TFTP
B. SNMP
C. SMTP
D. HTTPS
E. FTP

Answer: A B

Explanation

TCP starvation/UDP dominance is likely to occur if TCP-based applications are assigned to the
same service-provider class as UDP-based applications and the class experiences sustained
congestion.

TFTP (runs on UDP port 69) and SNMP (runs on UDP ports 161/162) are two protocols which
run on UDP, so they can cause TCP starvation.

Note: SMTP runs on TCP port 25; HTTPS runs on TCP port 443; FTP runs on TCP port
20/21

Question 86

Which technology was originally developed for routers to handle fragmentation in the path
between end points?

A. PMTUD
B. MSS
C. windowing
D. TCP
E. global synchronization

Answer: A

Explanation

Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to
determine the maximum transmission unit (MTU) size on the network path between two
hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended
for routers in IPv4. However, all modern operating systems use it on endpoints.

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.

Question 160

A network engineer applies the command "ip tcp adjust-mss" under interface configuration
mode. What is the result?

A. The probability of SYN packet truncation is increased.
B. The UDP session is inversely affected.
C. The probability of dropped or segmented TCP packets is decreased.
D. The optimum MTU value for the interface is set.

Answer: C

Question 161

Which value determines the amount of traffic that a network path can hold in transit?

A. route cache setting
B. maximum window size
C. bandwidth delay product
D. MSS

Answer: C

Explanation

Bandwidth-delay product (BDP) is the maximum amount of data "in transit" at any point in
time between two endpoints. In other words, it is the amount of data "in flight" needed to
saturate the link. You can think of the link between two devices as a pipe. The cross section of
the pipe represents the bandwidth and the length of the pipe represents the delay (the
propagation delay due to the length of the pipe).

Therefore the volume of the pipe = bandwidth x delay. The volume of the pipe is also the
BDP.

Returning to our question, the formula to calculate BDP is:

BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 =
192,000 bits

-> BDP (bytes) = 192,000 / 8 = 24,000 bytes

Therefore we need 24KB to fill this link.

For your information, BDP is very important in TCP communication as it optimizes the use
of bandwidth on a link. As you know, a disadvantage of TCP is that it has to wait for an
acknowledgment from the receiver before sending more data. The waiting time may be
very long, so we may not utilize the full bandwidth of the link for the transmission.

Based on the BDP, the sending host can increase the amount of data sent on a link (usually by
increasing the window size). In other words, the sending host can fill the whole pipe with
data and no bandwidth is wasted.

Question 164

Which protocol can you use to remotely install an IOS image on a Cisco switch?

A. SFTP
B. NetFlow
C. FTP
D. SNMP

Answer: C

Explanation

We can use TFTP or FTP to install an IOS image remotely.

Question 216

Under which circumstance can TCP starvation occur?

A. when DNS and TFTP traffic are transmitted on the same link
B. when TCP traffic is blocked by an ACL
C. when UDP traffic is processed in a policy-map before TCP traffic
D. when HTTP and HTTPS traffic are transmitted on the same link
E. when TCP and UDP traffic are mixed in the same class of service

Answer: E

Question 248 (posted at Q.3 of http://www.digitaltut.com/tcp-udp-questions-2)

Which option is one way to mitigate asymmetric routing on an active/active firewall setup for
TCP-based connections?

A. performing packet captures
B. disabling asr-group commands on interfaces that are likely to receive asymmetric traffic
C. replacing them with redundant routers and allowing load balancing
D. disabling stateful TCP checks

Answer: D

Explanation

In Asymmetric routing, a packet traverses from a source to a destination in one path and takes
a different path when it returns to the source. This is commonly seen in Layer-3 routed
networks.

Issues to Consider with Asymmetric Routing

Asymmetric routing is not a problem by itself, but will cause problems when Network
Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls,
state information is built when the packets flow from a higher security domain to a lower
security domain. The firewall will be an exit point from one security domain to the other. If
the return path passes through another firewall, the packet will not be allowed to traverse the
firewall from the lower to higher security domain because the firewall in the return path will
not have any state information. The state information exists in the first firewall.

Reference:
http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200903.html

Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate
asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a
TCP connection even if the ASA didn't see the entire TCP 3-way handshake. This feature is
called TCP State Bypass.

Reference: https://supportforums.cisco.com/document/55536/asa-asymmetric-routing-troubleshooting-and-mitigation

Note: The active/active firewall topology uses two firewalls that are both actively providing
firewall services.

Question 250 (posted at Q.3 of http://www.digitaltut.com/tcp-udp-questions)

Which three TCP enhancements can be used with TCP selective acknowledgments? (Choose
three)

A. header compression
B. explicit congestion notification
C. keepalive
D. time stamps
E. TCP path discovery
F. MTU window

Answer: B C D

Explanation

TCP Selective Acknowledgement (SACK) prevents unnecessary retransmissions by
specifying which subsequent data was successfully received. Let's see an example of the
advantages of TCP SACK.

(Figure: TCP Selective Acknowledgement compared with TCP (normal) Acknowledgement)

For TCP (normal) acknowledgement, when a client requests data, the server sends the first
three segments (the name for packets at Layer 4): Segment#1, #2, #3. But suppose Segment#2
was lost somewhere on the network while Segment#3 still reached the client. The client checks
Segment#3 and realizes Segment#2 is missing, so it can only acknowledge that it received
Segment#1 successfully. The client received Segment#1 and #3, so it sends two ACK#1
packets to alert the server that it has not received any data beyond Segment#1. After receiving
these ACKs, the server must resend Segment#2 and #3 and wait for the ACKs of these segments.

For TCP Selective Acknowledgement, the process is the same until the client realizes
Segment#2 is missing. It also sends ACK#1 but adds a SACK block to indicate it has received
Segment#3 successfully (so there is no need to retransmit this segment). Therefore the server
only needs to resend Segment#2. But notice that after receiving Segment#2, the client sends
ACK#3 (not ACK#2) to say that it has all of the first three segments. Now the server continues
sending Segment#4, #5, ...

The SACK option is not mandatory and it is used only if both parties support it.

The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to
notify end hosts of impending network congestion. It also provides enhanced support for TCP
sessions associated with applications, such as Telnet, web browsing, and transfer of audio and
video data that are sensitive to delay or packet loss. The benefit of this feature is the reduction
of delay and packet loss in data transmissions. Use the "ip tcp ecn" command in global
configuration mode to enable TCP ECN.

The TCP time-stamp option provides improved TCP round-trip time measurements. Because
the time stamps are always sent and echoed in both directions and the time-stamp value in the
header is always changing, TCP header compression will not compress the outgoing packet.
Use the "ip tcp timestamp" command to enable the TCP time-stamp option.

The TCP Keepalive Timer feature provides a mechanism to identify dead connections.
When a TCP connection on a routing device is idle for too long, the device sends a TCP
keepalive packet to the peer with only the Acknowledgment (ACK) flag turned on. If a
response packet (a TCP ACK packet) is not received after the device sends a specific number
of probes, the connection is considered dead and the device initiating the probes frees
resources used by the TCP connection.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html

================= IP Routing Questions =================

Question 38

Refer to the exhibit.

<exhibit missing>

After configuring the routes, the network engineer executes the show ip route command.
What is the expected results?

A. Gateway of last resort is 10.0.2.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.2.0 is directly connected, FastEthernet0/0
C 10.0.1.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.0.2.1
[1/0] via 10.0.1.1
Router#

B. Gateway of last resort is 10.0.2.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnet
C 10.0.2.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.0.2.1
Router#

C. Gateway of last resort is not set
Router#

D. Gateway of last resort is 10.0.1.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnet
C 10.0.1.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.0.1.1
Router#

Answer: C

Question 98

What happens when a router receives a route with an administrative distance of 255?

A. The router installs the route as the most preferred path in the routing table.
B. The router installs the route as the least preferred path in the routing table
C. The router becomes the feasible successor for the route
D. The router is unable to install the route into the routing table

Answer: D

Question 100

Refer to the exhibit. Which networking challenge is the most important issue to address to
enable optimal communication between the networks at company A and company B?

A. IPv4 fragmentation
B. unicast flooding
C. asymmetric routing
D. UDP latency
E. IPV4 MTU

Answer: C

Question 186

A router receives a routing advertisement for 10.1.1.0/24 from an EIGRP peer and from an
OSPF peer. Which route does the router install in the routing table, and for which reason?

A. the OSPF route, because the administrative distance is lower.
B. the EIGRP route, because the metric is lower.
C. the OSPF route, because the metric is lower.
D. the EIGRP route, because the administrative distance is lower.

Answer: D

Explanation

By default the Administrative Distance of EIGRP is 90 which is smaller than that of OSPF
110 so EIGRP will be preferred over OSPF. The Administrative Distances of popular routing
protocols are shown below:

Question 194

You are configuring a static route. Which action must you take to avoid the possibility of
recursive routing?

A. Use the ip route command to specify the next-hop IP address only
B. Specify the next hop as a directly connected interface
C. Use the ip route command to specify both the next-hop IP address and the connected
interface
D. Use the ip route command to specify the connected interface only

Answer: C

Explanation

If the interface with the next hop goes down and the next hop is reachable through a recursive
route, you should specify both the next hop IP address and the alternate interface through
which the next hop should be found. For example, ip route 0.0.0.0 0.0.0.0 Serial 3/3
192.168.20.1. This enables the static route installation to become more deterministic.

Note: A recursive static route is a route whose next hop and the destination network are
covered by another learned route in the Routing Information Base (RIB). Such static routes
cannot be installed in the RIB because they are considered redundant routes.

Reference: https://www.cisco.com/c/en/us/support/docs/dial-access/floating-static-
route/118263-technote-nexthop-00.html

Question 203
Which routing protocol routes traffic through the best path and second best path at the same
time?

A. EIGRP
B. BGP
C. OSPF
D. RIP

Answer: A or B

Explanation

Maybe this question wants to ask which routing protocols support unequal cost load
balancing. But both EIGRP and BGP support this feature (EIGRP with "variance" and BGP
with "maximum-paths").

Question 209

You want to configure a device to select an OSPF-learned route as the preferred path over an
EBGP-learned route. Which action must you take?

A. Increase the OSPF cost
B. Decrease the OSPF cost
C. Increase the OSPF administrative distance
D. Decrease the OSPF administrative distance

Answer: D

Explanation

The Administrative Distances of the routing protocols are compared first so we have to
decrease the OSPF administrative distance.

================= RIP & RIPng Questions =================

Question 11

A network engineer is modifying RIPng timer configuration. Which configuration mode
should the engineer use?

A. router(config)#
B. router(config-if)#
C. router(config-router)#
D. router(config-rtr)#

Answer: D

Explanation

This is how to change the timers for RIPng:

R1(config)#ipv6 router rip digitaltut
R1(config-rtr)#timers 5 15 10 30
(5: update period; 15: route timeout period; 10: route holddown period; 30: route garbage
collection period)

Note: For IPv4 RIP, we have to change the timers in "(config-router)#".

Question 95

What is the default authentication in RIPv2 when authentication is enabled?

A. SHA1 authentication
B. Enable password authentication
C. Plaintext authentication
D. MD5 authentication

Answer: C

Explanation

Plain text authentication mode is the default setting in every RIPv2 packet when
authentication is enabled. Plain text authentication should not be used when security is an
issue, because the unencrypted authentication password is sent in every RIPv2 packet.

Note: RIP version 1 (RIPv1) does not support authentication.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13719-50.html

Question 122

Two routers are configured with RIPng but can't form neighbors as traffic traverses a
firewall. Which port does the firewall need to permit to form neighbors?

A. TCP Port 521
B. UDP Port 521
C. TCP Port 520
D. UDP Port 520
E. IP Protocol 520
F. IP Protocol 521

Answer: B

Question 144

Which command must you configure globally to support RIPng?

A. ip routing
B. ip cef
C. ipv6 enable
D. ipv6 unicast-routing

Answer: D

Question 173

After configuring RIPng on two routers that are connected via a WAN link, a network
engineer notices that the two routers cannot exchange routing updates. What is the reason for
this?

A. Either a firewall between the two routers or an ACL on the router is blocking UDP 521
B. Either a firewall between the two routers or an ACL on the router is blocking TCP 520
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 521
D. Either a firewall between the two routers or an ACL on the router is blocking UDP 520

Answer: A

Explanation

Since RIPng is a new protocol, it cannot use the same UDP reserved port number 520 used
for RIPv1/RIPv2. Instead, RIPng uses well-known port number 521.

Question 175

A network engineer is enabling RIPng on a new customer link. Under which configuration
mode is RIPng enabled?

A. Global
B. Router
C. Interface
D. IPv6

Answer: C

Explanation

In order to enable RIPng, we first have to create the process under global configuration mode.
For example:

R1(config)#ipv6 router rip RIPNG_DIGITALTUT

Then we enable RIPng on each interface:

R1(config)#interface Ethernet 0/0
R1(config-if)#ipv6 rip RIPNG_DIGITALTUT enable
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ipv6 rip RIPNG_DIGITALTUT enable

In this question they say "enabling RIPng on a new customer link", so maybe RIPng was
configured previously for other customers and the first command ("ipv6 router rip
RIPNG_DIGITALTUT") was already used, so RIPng should be configured under the interface.
Therefore the answer should be "Interface" instead of "Global".

Question 205

A router with default RIPv2 settings loses connectivity to its next-hop neighbor. How long
does the router wait before removing the route to the next hop from its route table?

A. 30 seconds
B. 60 seconds
C. 180 seconds
D. 240 seconds

Answer: D

Explanation

The meanings of the RIPv1 and RIPv2 timers (both versions have the same timers) are
described below:

+ Update: how often the router sends updates. The default update timer is 30 seconds.
+ Invalid (also called Expire): how much time must pass since the last valid update before a
route becomes invalid and is placed into holddown. The default invalid timer is 180 seconds.
+ Holddown: if RIP receives an update with a hop count (metric) higher than the hop count
recorded in the routing table, RIP does not "believe" that update. The default holddown timer
is 180 seconds.
+ Flush: how much time since the last valid update until RIP deletes that route from its
routing table. The default flush timer is 240 seconds.

This question asks about the Flush timer, which is 240 seconds by default.

Question 109

A customer enabled a new link to a partner using RIPng. How and where is RIPng configured?

A. router mode
B. interface mode
C. global – (config)#ipv6 router rip "RIPNG"

Answer: C

Question 210

What is the maximum number of hops on a route that RIPng advertises as reachable?

A. 15
B. 30
C. 99
D. 255

Answer: A

Explanation

The maximum number of hops on RIPng is the same as RIP, which is 15. A hop-count of 16
is considered unreachable.

Question 246 (posted at Q.3 of http://www.digitaltut.com/ripng-questions)

A network engineer is troubleshooting connectivity issues with a directly connected RIPng
neighbor. Which command should show directly connected RIPng neighbor adjacencies
only?

A. router#show ipv6 rip next-hops
B. router#show ip rip neighbors
C. router#show ipv6 routers
D. router#show ipv6 rip database

Answer: A

================= OSPF Questions =================

Question 35

Which two statements about OSPF E1 routes are true? (Choose two)

A. They are preferred over interarea routes
B. They use the OSPF cost from redistribution and the OSPF cost to the ASBR.
C. They are preferred over E2 routes
D. They use only the OSPF cost to the ASBR
E. They use only the OSPF cost from redistribution

Answer: B C

Question 103

R1 has OSPF router ID 172.18.1.1. What happens when R1 is configured with a new loopback
interface with IP address 172.17.1.1?

A. OSPF chooses 172.17.1.1 as the new router ID when R1 is rebooted.
B. OSPF chooses 192.168.21.0 as the new router ID when the new configuration is applied.
C. OSPF chooses 172.17.1.1 as the new router ID when the new configuration is applied.
D. OSPF retains 172.18.1.1 as router ID until the interface on which it is configured goes down

Answer: D

Question 113

Into which two areas does OSPF send a summary route by default? (Choose two)

A. NSSA
B. Backbone
C. Totally stubby
D. Stub
E. Normal

Answer: C D

Question 128

Refer to the exhibit. Which LSA type does R3 propagate into Area 1 for the 192.168.10.0/24
network?

A. type 3 LSA
B. type 5 LSA
C. type 7 LSA
D. type 10 LSA

Answer: C

Explanation

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to
the ASBR.

Question 133

Which OSPF network type uses a DR?

A. Nonbroadcast multi-access
B. point-to-point
C. point-to-multipoint
D. point-to-point nonbroadcast

Answer: A

Question 138

What are two important differences between OSPFv2 and OSPFv3? (Choose two)

A. Only OSPFv3 provides support for IPv6.
B. Only OSPFv3 automatically chooses a router ID for the local device.
C. Only OSPFv3 supports multiple OSPF instances on a single link.
D. Only OSPFv3 automatically enables interfaces when you create them in device
configuration mode.
E. Only OSPFv3 automatically detects OSPF neighbors on an NBMA interface

Answer: A C

Question 153

Device R1 has 1 Gigabit and 10 Gigabit Ethernet interfaces. Which command do you enter so
that it takes full advantage of OSPF costs?

A. R1(config-router)#auto-cost reference-bandwidth 10000
B. R1(config-route-map)#set metric 10000000000
C. R1(config-if)#ip ospf cost 10000
D. R1(config-router)#auto-cost reference-bandwidth 10000000000
E. R1(config-if)#ip ospf cost 10000000000
F. R1(config-route-map)#set metric 10000

Answer: A

Explanation

The "auto-cost reference-bandwidth" command affects all the OSPF costs on the local router,
as all links are recalculated with the formula: cost = reference-bandwidth (in Mbps) / interface
bandwidth (in Mbps)

Therefore in this case the command "auto-cost reference-bandwidth 10000" allows the local
router to calculate distinct costs for links up to 10 Gbps (10000 Mbps).

Question 178

Which LSA type in OSPFv3 is used for link-local updates?

A. Link LSA type 5
B. Link LSA type 8
C. Link LSA type 6
D. Link LSA type 4

Answer: B

Explanation

LSA Type 8 (Link LSA) has link-local flooding scope. A router originates a separate link-
LSA for each attached link that supports two or more routers (including the originating router
itself). Link-LSAs should not be originated for virtual links.

Link-LSAs have three purposes:

1. They provide the router's link-local address to all other routers attached to the link.
2. They inform other routers attached to the link of a list of IPv6 prefixes to associate with
the link.
3. They allow the router to advertise a collection of Options bits in the network-LSA
originated by the Designated Router on a broadcast or NBMA link.

Question 188

Which two statements about OSPFv3 are true? (Choose two)

A. The router ID is configured as an IPv6 address.
B. It uses loopback IPv6 addresses to form neighbor relationships.
C. The router ID is configured as an IPv4 address.
D. It uses LSA type 6 for intra-area prefixes.
E. It is backwards-compatible with OSPFv2 through the use of sham link.
F. It uses link-local addresses to form neighbor relationships.

Answer: C F

Question 207

Refer to the exhibit.

You notice that traffic from R1 to the 192.168.10.0/24 network prefers the path through R3
instead of the least-cost path through R2. What is the most likely reason for this route
selection?

A. OSPF prefers external routes over interarea routes.
B. OSPF prefers interarea routes over intra-area routes.
C. OSPF prefers external routes over intra-area routes.
D. OSPF prefers intra-area routes over interarea routes.

Answer: D

Question 214 (posted at Q.1 of http://www.digitaltut.com/ospf-questions-2-2)

When OSPF is forming an adjacency, in which state does the actual exchange of the
information in the link-state database occur?

A. INIT
B. loading
C. exstart
D. exchange

Answer: B

Explanation

Loading: In this state, the actual exchange of link state information occurs. Based on the
information provided by the DBDs, routers send link-state request packets. The neighbor then
provides the requested link-state information in link-state update packets. During the
adjacency, if a router receives an outdated or missing LSA, it requests that LSA by sending a
link-state request packet. All link-state update packets are acknowledged.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13685-13.html

Question 219 (posted at Q.7 of http://www.digitaltut.com/ospf-questions)

A network engineer enables OSPF on a Frame Relay WAN connection to various remote
sites, but no OSPF adjacencies come up. Which two actions are possible solutions for this
issue? (Choose two)

A. Change the network type to point-to-multipoint under WAN interface
B. Enable virtual links
C. Change the network type to nonbroadcast multipoint access
D. Configure the neighbor command under OSPF process for each remote site
E. Ensure that the OSPF process number matches among all remote sites

Answer: A D

Explanation

When OSPF is run on a network, two important events happen before routing information is
exchanged:
+ Neighbors are discovered using multicast hello packets.
+ A DR and BDR are elected for every multi-access network to optimize the adjacency building
process. All the routers in that segment should be able to communicate directly with the DR
and BDR for proper adjacency (in the case of a point-to-point network, a DR and BDR are not
necessary since there are only two routers in the segment, and hence the election does not
take place).
For a successful neighbor discovery on a segment, the network must allow broadcasts or
multicast packets to be sent.

In an NBMA network topology, which is inherently nonbroadcast, neighbors are not
discovered automatically. OSPF tries to elect a DR and a BDR due to the multi-access
nature of the network, but the election fails since neighbors are not discovered. Neighbors
must be configured manually to overcome these problems -> C is not correct while D is
correct.

A point-to-multipoint network is a collection of point-to-point links between various
devices on a segment. These networks also allow broadcast or multicast packets to be sent
over the network. These networks can represent the multi-access segment as multiple point-
to-point links that connect all the devices on the segment. -> A is correct.

Question 225 (posted at Q.26 of http://www.digitaltut.com/new-route-questions-part-4)

Which two OSPF router types can perform summarization in an OSPF network? (Choose
two)

A. summary router
B. area border router
C. autonomous system boundary router
D. internal router
E. backbone router

Answer: B C

Question 232 (posted at Q.6 of http://www.digitaltut.com/ospf-questions-3-2)

If you want to migrate an IS-IS network to another routing protocol, which routing protocols
should you choose? (Choose two)

A. UDP
B. internal BGP
C. TCP/IP
D. EIGRP
E. OSPF
F. RIP

Answer: D E

Explanation

IS-IS is an interior gateway protocol (IGP), the same as EIGRP and OSPF, so maybe they are
the best answers. Although RIP is not a wrong choice, it is not widely used because of its many
limitations (only 15 hops, long convergence time...).

Question 2 (posted at https://www.digitaltut.com/ospf-questions-3-2)

If routers in a single area are configured with the same priority value, what value does a
router use for the OSPF Router ID in the absence of a loopback interface?

A. The lowest IP address of any physical interface
B. The highest IP address of any physical interface
C. The lowest IP address of any logical interface
D. The highest IP address of any logical interface

Answer: B

================= EIGRP Questions =================

Question 5

A router was configured with the "eigrp stub" command. The router advertises which types
of routes?

A. connected, static, and summary
B. static and summary
C. connected and static
D. connected and summary

Answer: D

Explanation

The "eigrp stub" command is equivalent to the "eigrp stub connected summary" command,
which advertises the connected routes and summarized routes.

Note: Summary routes can be created manually with the summary address command or
automatically at a major network border router with the auto-summary command enabled.

Question 17

All interfaces on each router are participating in the EIGRP 100 process. Interface Loopback
2 on HQ-R2 is currently in shutdown mode. An engineer issues the eigrp stub command on
router BR1. Which statement about the query messages sent from router HQ-R2 for a route
to reach the 12.12.12.12/32 network is true?

A. Router HQ-R2 sends a query message to the feasible successor for a route to the
12.12.12.12/32 network.
B. BR1 receives query messages from HQ-R2 for a route to the 12.12.12.12/32 network.
C. Router HQ-R1 receives query messages from HQ-R2 for a route to the 12.12.12.12/32
network.
D. Routers HQ-R1 and BR1 receive query messages from HQ-R2 for a route to the
12.12.12.12/32 network.

Answer: C

Explanation

Router BR1 has been configured as a "stub", so HQ-R2 will not send a query to BR1 because it
treats BR1 as a stub router. The query is only sent to HQ-R1.

Question 28

Refer to the exhibit.

router eigrp 65535
no auto-summary
network 10.0.0.0 0.0.0.255
router ospf 1
network 192.168.5.0 0.0.0.255 area 0
passive-interface loopback0
redistribute eigrp 65535

If this configuration is applied to a device that redistributes EIGRP routes into OSPF, which
two statements about the behavior of the device are true? (Choose two)

A. EIGRP routes appear in the routing table as E2 OSPF routes
B. The device router ID is set to Loopback0 automatically
C. The device redistributes all EIGRP networks into OSPF
D. EIGRP routes appear in the routing table as N2 OSPF routes
E. The device redistributes only classful EIGRP networks into OSPF
F. EIGRP routes appear as type 3 LSAs in the OSPF database

Answer: C E

Explanation

Answer A is not correct because the redistributed routes appear as E2 OSPF routes only in the
routing tables of the routers that receive this router's advertisements, not in the routing table
of the redistributing device itself.

Answer B is not correct as this router may have other loopback interfaces with a higher
IP address than Loopback0.

Answer C is correct as there is no route-map to limit which routes are redistributed into
OSPF. Therefore by default all EIGRP routes will be redistributed.

Answer D is not correct as N2 routes only appear when redistributing into a Not-So-Stubby
Area (NSSA).

Answer E is correct as there is no "subnets" keyword when redistributing into OSPF, so only
classful EIGRP networks will be redistributed.

Answer F is not correct as EIGRP routes will appear as LSA type 5, not type 3.

Question 30

Refer to the exhibit.

The excerpt was taken from the routing table of router SATX. Which option ensures that
routes from 51.51.51.1 are preferred over routes from 52.52.52.2?

A. SATX(config-router)#distance 90 51.51.51.1 0.0.0.0
B. SATX(config-router)#distance 89 52.52.52.2 0.0.0.0
C. SATX(config-router)#distance 90 52.52.52.2 0.0.0.0
D. SATX(config-router)#administrative distance 91 51.51.51.1 0.0.0.0
E. SATX(config-router)#distance 89 51.51.51.1 0.0.0.0
F. SATX(config-router)#administrative distance 91 52.52.52.2 0.0.0.0

Answer: E

Explanation

The syntax of the "distance" command is:

distance weight ip-address wildcard-mask [ip-standard-list] [ip-extended-list]

A lower administrative distance is preferred, so answer E gives routes learned from 51.51.51.1
a distance of 89, below the default internal EIGRP distance of 90 that routes from 52.52.52.2
keep.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfindp1.html

Question 39

Which two options can you use to configure an EIGRP stub router? (Choose two)

A. summary-only
B. receive-only
C. external
D. summary
E. totally-stubby
F. not-so-stubby

Answer: B D

Explanation

To configure EIGRP stub we can use this syntax:

router(config-router)# eigrp stub [receive-only | connected | static | summary]

Question 42

Which two types of authentication does EIGRP offer? (Choose two)

A. TKIP
B. MD5
C. WPA
D. Plain Text

Answer: B D

Question 43

Which three statements about IPv6 EIGRP are true? (Choose three)

A. EIGRP neighbor relationships are formed using the link-local address.
B. EIGRP neighbor relationships can be formed only on the configured IPv6 address
C. It supports EUI-64 addresses only.
D. EIGRP route advertisement is configured under the interface configuration.
E. An IPv6 EIGRP router ID is required.

Answer: A D E

Question 111 (posted at http://www.digitaltut.com/eigrp-questions)

What is EIGRP Summary Route Administrative Distance?

A. 90
B. 170
C. 5
D. 110

Answer: C

Explanation

The "ip summary-address eigrp" command is used to configure interface-level address
summarization. EIGRP summary routes are given an administrative distance value of 5. The
administrative distance metric is used to advertise a summary without installing it in the
routing table.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/command/reference/ire_book/ire_i1.html

Question 117

Which EIGRP packets use unreliable delivery? (Choose two)

A. Query
B. Reply
C. Request
D. Hello
E. Update

Answer: C D

Question 118

What is used in EIGRP metric calculation?

A. Maximum bandwidth on the path
B. Option about bandwidth
C. Average bandwidth on the path
D. Minimum bandwidth on the path

Answer: D

Explanation

The formula to calculate EIGRP metric is:

metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] * [K5/(reliability + K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] if K5 = 0

By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0 which means that the default values use
only bandwidth & delay parameters while others are ignored. The metric formula is now
reduced:

metric = bandwidth + delay

The bandwidth is defined as the slowest bandwidth in the route to the destination.

Question 119

How is the EIGRP metric calculated?

A. Bandwidth+Delay
B. Bandwidth*Delay
C. Bandwidth-Delay
D. Bandwidth/Delay

Answer: A

Question 120

Which statements are true to configure IPv6 EIGRP configuration for route advertisements?
(Choose two)

A. Route advertisements are configured at the router global configuration
B. Route advertisements are configured at the interface configuration
C. An IPv6 router ID
D. Uses link-local IP address for route advertisements
E. IPv6 EIGRP uses only the configured IPv6 global addresses for communication

Answer: B D

Question 126

Which task must you perform to implement EIGRP for IPv6 on a device?

A. Use the ipv6 cef command to enable Cisco Express Forwarding on the device
B. Configure a loopback interface on the device
C. Manually configure the router ID
D. Statically configure a neighbor statement

Answer: C

Question 127

Which two features are provided by EIGRP for IPv6? (Choose two)

A. Backbone areas
B. SPF algorithm
C. Partial updates
D. Area border router
E. Scaling

Answer: C E

Question 146

Which two packet types can an EIGRP router send when a route goes into the Active state?
(Choose two)

A. reply
B. request
C. hello
D. update
E. query

Answer: A E

Explanation

The route is in Active state when a router is undergoing a route recomputation. If there are
always feasible successors, a route never has to go into Active state and avoids a route
recomputation.

When there are no feasible successors, a route goes into Active state and a route
recomputation occurs. A route recomputation commences with a router sending a query
packet to all neighbors. Neighboring routers can either reply if they have feasible successors
for the destination or optionally return a query indicating that they are performing a route
recomputation.

EIGRP uses five packet types:

+ Hello/Acks
+ Updates
+ Queries
+ Replies
+ Requests

Queries and replies are sent when destinations go into Active state. Queries are always
multicast unless they are sent in response to a received query. In this case, it is unicast back to
the successor that originated the query. Replies are always sent in response to queries to
indicate to the originator that it does not need to go into Active state because it has feasible
successors. Replies are unicast to the originator of the query. Both queries and replies are
transmitted reliably.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/13669-1.html

Question 150

Which two EIGRP metrics have nonzero K values by default? (Choose two)

A. reliability
B. delay
C. cost
D. load
E. bandwidth

Answer: B E

Explanation

The formula to calculate EIGRP metric is:

metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] * [K5/(reliability + K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] if K5 = 0

By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0 which means that the default values use
only bandwidth & delay parameters while others are ignored. The metric formula is now
reduced:

metric = bandwidth + delay

-> K1 and K3 have nonzero values by default.

Question 151

Refer to the exhibit. You want router R1 to perform unequal-cost routing to the
192.168.10.0/24 network. What is the smallest EIGRP variance value that you can configure
on R1 to achieve this result?

A. 1
B. 2
C. 3
D. 4

Answer: C

Explanation
When using the variance command, EIGRP will add a feasible successor to the route table if
the feasible successor has a feasible distance that is less than or equal to the product of the
feasible distance of the successor times the variance setting and the feasibility condition is
met. In math terms:

FD (of the FS) <= FD (of the S) * variance

FD – feasible distance
FS – feasible successor
S – successor

In this question the FD of the successor is 150 (from R1 to R2) and the FD of the feasible
successor is 300 + 150 = 450. Therefore we can deduce the minimum value of the variance
must be 3 so that 450 <= 150 * 3 -> C is the best answer.

Note: In fact the route R1 – R3 – R2 does not satisfy the feasibility condition which states:

"To qualify as a feasible successor, a router must have an AD less than the FD of the current
successor route"

But in this question the AD from R3 is 150 which is equal to the FD of the current successor
route (from R1 to R2) so the feasibility condition is not met. However we still have to choose
one best answer.
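The variance check and the feasibility condition above, carried through in code. This is an added example written for this page, not code from the page's author or from Cisco; the distances (successor FD 150, R3 advertising 150, path cost 300 + 150 = 450) are the values quoted in the explanation, and the function names are this example's own.

```python
import math
from typing import Dict, List, Tuple


def is_feasible_successor(advertised_distance: int, successor_fd: int) -> bool:
    """Feasibility condition: the neighbor's advertised (reported) distance must be
    strictly less than the feasible distance of the current successor."""
    return advertised_distance < successor_fd


def within_variance(candidate_fd: int, successor_fd: int, variance: int) -> bool:
    """FD (of the FS) <= FD (of the S) * variance."""
    return candidate_fd <= successor_fd * variance


def minimum_variance(candidate_fd: int, successor_fd: int) -> int:
    """Smallest integer variance v such that candidate_fd <= successor_fd * v."""
    return max(1, math.ceil(candidate_fd / successor_fd))


def unequal_cost_paths(successor_fd: int, candidates: Dict[str, Tuple[int, int]],
                       variance: int) -> List[str]:
    """Next hops EIGRP would install alongside the successor.

    candidates maps next_hop -> (advertised_distance, feasible_distance via that hop).
    A path is installed only when it is a feasible successor AND its FD is within
    successor_fd * variance; both conditions are applied here."""
    return [hop for hop, (ad, fd) in candidates.items()
            if is_feasible_successor(ad, successor_fd)
            and within_variance(fd, successor_fd, variance)]


def question_151() -> dict:
    """Values from the explanation above (constructed sample): successor R1-R2 with
    FD 150; R3 advertises AD 150 and the path R1-R3-R2 costs 300 + 150 = 450."""
    successor_fd = 150
    r3_ad, r3_fd = 150, 450
    return {
        "min_variance": minimum_variance(r3_fd, successor_fd),
        "feasible": is_feasible_successor(r3_ad, successor_fd),
        "installed_with_variance_3": unequal_cost_paths(
            successor_fd, {"R3": (r3_ad, r3_fd)}, 3),
    }


if __name__ == "__main__":
    print(question_151())
```

Running it shows the two halves of the argument separately: the variance arithmetic gives 3, but because R3's advertised distance equals (rather than undercuts) the successor FD, the path is not installed at any variance; only a lower AD from R3 would make it eligible.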

Question 167

What happens when two EIGRP peers have mismatched K values?

A. The two devices are unable to correctly perform equal-cost routing
B. The two devices fail to perform EIGRP graceful shutdown when one device goes down
C. The two devices fail to form an adjacency
D. The two devices are unable to correctly perform unequal-cost load balancing

Answer: C

Question 170

When an EIGRP router discovers a new neighbor, which packet type does the router send to
help the neighbor build its topology table?

A. replies
B. requests
C. updates
D. queries

Answer: C

Explanation

EIGRP uses five types of packets to communicate:

+ Hello: used to identify neighbors. They are sent as periodic multicasts
+ Update: used to advertise routes, only sent as multicasts when something is changed
+ Ack: acknowledges receipt of an update. In fact, Ack is a Hello packet without data. It is
always unicast and uses UDP.
+ Query: used to find alternate paths when all paths to a destination have failed
+ Reply: is sent in response to query packets to instruct the originator not to recompute the
route because feasible successors exist. Reply packets are always unicast to the originator of
the query

Question 195

Refer to the exhibit.

R1
interface Loopback0
ip address 172.16.1.1 255.255.255.255
interface FastEthernet0/0
ip address 192.168.10.33 255.255.255.224
router eigrp 100
eigrp router-id 172.16.1.1
no auto-summary
network 192.168.10.0
network 172.16.0.0

R2
interface Loopback0
ip address 172.16.2.2 255.255.255.255
interface FastEthernet0/0
ip address 192.168.10.17 255.255.255.240
router eigrp 100
eigrp router-id 172.16.2.2
network 192.168.10.0
network 172.16.0.0

R1 and R2 are unable to establish an EIGRP adjacency. Which action corrects the problem?

A. Change the eigrp route-id on one of the routers so that values on the two routers are
different.
B. Add the no auto-summary command to the R2 configuration so that it matches the R1
configuration
C. Change the autonomous system number on one of the routers so that each router has
different values
D. Change the IP address and subnet mask on R2 so that it is on the same subnet as R1.

Answer: D

Question 220

Which calculation is used to determine the default EIGRP metric?

A. bandwidth * delay
B. bandwidth + delay
C. bandwidth – delay
D. bandwidth / delay

Answer: B

Explanation

The formula to calculate EIGRP metric is:

metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] * [K5/(reliability + K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 – load) + K3 * delay] if K5 = 0

By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0 which means that the default values use
only bandwidth & delay parameters while others are ignored. The metric formula is now
reduced:

metric = bandwidth + delay

The bandwidth is defined as the slowest bandwidth in the route to the destination.
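A worked computation of the metric formula used in Questions 118, 150 and 220, added here as an example; it is not code from the page's source or from Cisco. The formula itself is the one printed above. The scaling of its two inputs (bandwidth term = 10^7 / slowest-link-kbps, delay term = summed delay in tens of microseconds, each multiplied by 256) is Cisco's classic EIGRP convention and is assumed here rather than stated on the page; the sample path values are constructed.

```python
# Default K values (Question 150: only K1 and K3 are nonzero by default).
DEFAULT_K = (1, 0, 1, 0, 0)


def scaled_bandwidth(min_bandwidth_kbps: int) -> int:
    """Bandwidth term: 10^7 divided by the slowest link on the path (kbps), times 256.
    Assumed Cisco classic-metric scaling; integer division mirrors router truncation."""
    return (10**7 // min_bandwidth_kbps) * 256


def scaled_delay(total_delay_usec: int) -> int:
    """Delay term: the sum of the interface delays in tens of microseconds, times 256."""
    return (total_delay_usec // 10) * 256


def eigrp_metric(bandwidth: int, delay: int, load: int = 1, reliability: int = 255,
                 k=DEFAULT_K) -> int:
    """The page's formula with both branches: the K5 > 0 reliability factor and the
    K5 = 0 form. With the default K values this collapses to bandwidth + delay."""
    k1, k2, k3, k4, k5 = k
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 > 0:
        metric = metric * k5 // (reliability + k4)
    return metric


def path_metric(links, k=DEFAULT_K) -> int:
    """links: iterable of (bandwidth_kbps, delay_usec), one entry per hop.
    Bandwidth is the minimum along the path (Question 118); delay is the sum."""
    links = list(links)
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(d for _, d in links)
    return eigrp_metric(scaled_bandwidth(min_bw), scaled_delay(total_delay), k=k)


# Constructed sample path: a FastEthernet hop (100000 kbps, 100 usec delay) followed by
# a T1 (1544 kbps, 20000 usec delay).
SAMPLE_PATH = [(100000, 100), (1544, 20000)]

if __name__ == "__main__":
    print(path_metric(SAMPLE_PATH))
```

The T1 dominates both terms: it is the slowest link and contributes almost all of the delay, which is why changing the FastEthernet hop's bandwidth leaves the metric unchanged while any change to the T1's delay moves it.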

Question 223 (posted at Q.3 of http://www.digitaltut.com/eigrp-questions)

Other than a working EIGRP configuration, which option must be the same on all routers for
EIGRP authentication key rollover to work correctly?

A. SMTP
B. SNMP
C. Passwords
D. Time

Answer: D

Explanation

Requirements
+ The time must be properly configured on all routers.
+ A working EIGRP configuration is recommended.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html

================= BGP Questions =================

Question 32

Based on the output, which option is the next hop to get to the 130.0.1.0/24 network?

A. 10.30.30.1
B. 10.0.11.1
C. 10.20.20.1
D. 10.10.10.1

Answer: C

Explanation

This is the BGP table. Only the best entry for each prefix (marked with ">") is placed
into the routing table. In the output above, the 130.0.1.0/24 network can be reached
via three next hops (10.10.10.1, 10.30.30.1 and 10.20.20.1) but only the path via 10.20.20.1 is
the best path and is placed into the routing table.

Question 101

Which two conditions can cause BGP neighbor establishment to fail? (Choose two)

A. There is an access list blocking all TCP traffic between the two BGP neighbors.
B. The IBGP neighbor is not directly connected.
C. BGP synchronization is enabled in a transit autonomous system with fully-meshed IBGP
neighbors.
D. The BGP update interval is different between the two BGP neighbors.
E. The BGP neighbor is referencing an incorrect autonomous system number in its neighbor
statement.

Answer: A E

Explanation
An underlying connection between two BGP speakers must be established before any routing
information is exchanged. This connection takes place on TCP port 179, so if an access list
blocks all TCP traffic between the two BGP neighbors, the BGP neighbor relationship cannot be
established -> A is correct.

IBGP neighbors don't need to be directly connected -> B is not correct.

BGP synchronization only prevents routes from being sent to other EBGP neighbors before the
route exists in the routing table. It doesn't prevent the BGP neighbor relationship -> C is not
correct.

After the first initial exchange (which exchanges routes and synchronizes their tables), a BGP
speaker will only send further updates upon a change in the network topology -> BGP does
not have a fixed update interval -> D is not correct.

A BGP neighbor relationship is established when both ends (routers) are manually configured
with the "neighbor neighbor-IP remote-as neighbor-AS" command on both sides of the
connection. If the neighbor-AS is wrong, the neighbor relationship cannot be established ->
E is correct.

Question 114

Which BGP option is required when load sharing over multiple equal-bandwidth parallel links
from a single CE router to a single ISP router over eBGP?

A. eBGP Multipath
B. eBGP Multihop
C. BGP Synchronization
D. Public AS numbers

Answer: A

Explanation

The BGP Multipath Load Sharing for eBGP and iBGP feature allows you to configure
multipath load balancing with both external BGP (eBGP) and internal BGP (iBGP) paths in
Border Gateway Protocol (BGP) networks that are configured to use Multiprotocol Label
Switching (MPLS) Virtual Private Networks (VPNs).

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxeibmp.html

Question 129

Which two options are benefits of BGP peer groups? (Choose two)

A. A configuration change can be applied simultaneously to all peers in the peer group
B. They can optimize backdoor routes
C. They can be updated via multicast
D. Each neighbor in a peer group can have different inbound BGP policies
E. They use soft updates to minimize bandwidth consumption
F. They support groups of paths

Answer: A D

Explanation

Answer A is surely correct as the main purposes (and advantages) of BGP peer groups are to
simplify the BGP configuration and reduce the amount of system resources (CPU and
memory) necessary in an update generation.

Requirements of Peer Groups

Peer groups have these requirements:

+ All members of a peer group must share identical outbound announcement policies (such as
distribute-list, filter-list, and route-map), except for default-originate, which is handled on a
per-peer basis even for peer group members.
+ You can customize the inbound update policy for any member of a peer group -> D is
correct.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13755-29.html

Question 130

Which criterion does the BGP maximum paths feature use for load balancing?

A. MED
B. local preference
C. weight
D. router ID

Answer: C

Explanation

BGP selects only one best path for each prefix it receives and then installs it in the IP routing
table. So whenever we need load balancing across different paths, we have to enable BGP
multipath with the "maximum-paths" command.

There are several conditions that BGP checks before selecting additional paths in parallel
with the best one. The following attributes of the parallel paths have to match those of the
best path:
+ Weight
+ Local Pref
+ Origin
+ AS-Path Length
+ MED
+ Neighbor AS or Sub-AS match (for eBGP multipath)
+ AS-PATH match (for eiBGP multipath)
+ IGP metric to BGP next hop

Question 149

Which adverse circumstance can the TTL feature prevent?

A. routing loops
B. DoS attacks
C. link saturation
D. CAM table overload

Answer: B

Explanation

This question refers to the TTL Security Check for multihop BGP peering sessions.
The BGP Support for TTL Security Check feature provides an effective and easy-to-deploy
solution to protect eBGP peering sessions from CPU utilization-based attacks. When this
feature is enabled, a host cannot attack a BGP session if the host is not a member of the local
or remote BGP network or if the host is not directly connected to a network segment between
the local and remote BGP networks. This solution greatly reduces the effectiveness of DoS
attacks against a BGP autonomous system. An example of configuring this feature is shown
below:

Router(config)# router bgp 65000
Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2

This sets the expected incoming TTL value for a directly connected eBGP peer. The hop-count
argument is set to 2, configuring BGP to only accept IP packets with a TTL count in the
header that is equal to or greater than 253. If the 10.1.1.1 neighbor is more than 2 hops away,
the peering session will not be accepted.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.pdf

Question 156

Which two tasks must you perform to configure a BGP peer group? (Choose two)

A. Configure the soft-update value
C. Set the advertisement interval
D. Activate each neighbor
E. Assign neighbors to the peer group

Answer: D E

Question 189

Which criterion does BGP evaluate first when determining the best path?

A. MED value
B. neighbor address
C. local preference value
D. weight

Answer: D

Explanation

This list provides the rules that are used to determine the best path:

1. Prefer the path with the highest WEIGHT.
2. Prefer the path with the highest LOCAL_PREF.
3. Prefer the path that was locally originated via a network or aggregate BGP subcommand or
through redistribution from an IGP.
4. Prefer the path with the shortest AS_PATH
5. Prefer the path with the lowest origin type.
6. Prefer the path with the lowest multi-exit discriminator (MED)
7. Prefer eBGP over iBGP paths
8. Prefer the path with the lowest IGP metric to the BGP next hop.
9. Determine if multiple paths require installation in the routing table for BGP Multipath.
10. When both paths are external, prefer the path that was received first (the oldest one).
11. Prefer the route that comes from the BGP router with the lowest router ID
12. If the originator or router ID is the same for multiple paths, prefer the path with the
minimum cluster list length
13. Prefer the path that comes from the lowest neighbor address

For more information about above list, please read this link:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html
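A runnable model of this decision list, added here as an example; it is not code from the page's source or from Cisco. It also covers the "maximum-paths" eligibility conditions of Question 130 and uses the three next hops of Question 32 as its constructed sample. Rule numbers follow the list above; steps 9, 10 and 12 are skipped because they depend on state (installation order, cluster list) the model does not carry, and MED is compared across all paths, which on a Cisco router is only the behaviour when "bgp always-compare-med" is configured (an assumption of this example). All class and function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower origin type wins (step 5)


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    as_path: List[int] = field(default_factory=list)
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"
    neighbor_addr: str = "0.0.0.0"


def _ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in addr.split("."))


# (rule number, sort key): at each step only paths with the smallest key survive.
BEST_PATH_RULES = [
    (1, lambda p: -p.weight),                          # highest weight
    (2, lambda p: -p.local_pref),                      # highest local preference
    (3, lambda p: 0 if p.locally_originated else 1),   # locally originated first
    (4, lambda p: len(p.as_path)),                     # shortest AS_PATH
    (5, lambda p: ORIGIN_RANK[p.origin]),              # lowest origin type
    (6, lambda p: p.med),                              # lowest MED (see lead-in)
    (7, lambda p: 0 if p.ebgp else 1),                 # eBGP over iBGP
    (8, lambda p: p.igp_metric),                       # lowest IGP metric to next hop
    (11, lambda p: _ip_key(p.router_id)),              # lowest router ID
    (13, lambda p: _ip_key(p.neighbor_addr)),          # lowest neighbor address
]


def best_path(paths: List[BgpPath]) -> Tuple[BgpPath, int]:
    """Return the winning path and the number of the rule that decided it."""
    remaining = list(paths)
    for step, key in BEST_PATH_RULES:
        best_key = min(key(p) for p in remaining)
        remaining = [p for p in remaining if key(p) == best_key]
        if len(remaining) == 1:
            return remaining[0], step
    return remaining[0], 13


def multipath_candidates(paths: List[BgpPath], maximum_paths: int) -> List[BgpPath]:
    """Paths eligible for "maximum-paths" load sharing (Question 130): weight, local
    preference, origin, AS-path length, MED, neighbor AS and IGP metric must all equal
    the best path's values. The best path is always first in the result."""
    winner, _ = best_path(paths)

    def signature(p: BgpPath):
        neighbor_as = p.as_path[0] if p.as_path else None
        return (p.weight, p.local_pref, p.origin, len(p.as_path), p.med,
                neighbor_as, p.igp_metric)

    eligible = [winner] + [p for p in paths
                           if p is not winner and signature(p) == signature(winner)]
    return eligible[:maximum_paths]


def sample_paths() -> List[BgpPath]:
    """Constructed paths for 130.0.1.0/24 using the next hops of Question 32; the AS
    numbers are invented so that the path via 10.20.20.1 has the shortest AS_PATH."""
    return [
        BgpPath("130.0.1.0/24", "10.10.10.1", as_path=[65010, 65001],
                router_id="10.10.10.1", neighbor_addr="10.10.10.1"),
        BgpPath("130.0.1.0/24", "10.20.20.1", as_path=[65020],
                router_id="10.20.20.1", neighbor_addr="10.20.20.1"),
        BgpPath("130.0.1.0/24", "10.30.30.1", as_path=[65030, 65001],
                router_id="10.30.30.1", neighbor_addr="10.30.30.1"),
    ]


if __name__ == "__main__":
    winner, step = best_path(sample_paths())
    print(f"best path via {winner.next_hop}, decided by rule {step}")
```

Reading the returned step number is the useful part when troubleshooting: it tells you which attribute a neighbour would have to change (or which inbound policy you would have to apply) for a different path to win, which is exactly what the attribute-matching list for multipath also hinges on.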

Question 230

Which command do you enter on router R6 so that BGP supports multiple protocols?

A. R6(config-router)#no bgp default ipv4-unicast
C. R6(config-router-af)#no bgp default ipv4-muticast
D. R6(config-router-af)#bgp additional-paths install
E. R6(config-router)#no address-family ipv4 unicast

Answer: A

Explanation

The command "no bgp default ipv4-unicast" disables the default behavior of BGPv4 to
advertise only IPv4 unicast routes. It enables Multiprotocol BGP mode, where multiple
address families can be negotiated during the BGP session setup when the two peers
exchange their respective capabilities.

Question 233 (posted at Q.5 of http://www.digitaltut.com/bgp-questions)

Which two BGP neighbor states are valid? (Choose two)

A. Established
B. Active
C. Stuck in active
D. 2-WAY
E. Unknown
F. DROTHER

Answer: A B

Explanation

BGP Neighbor states are: Idle – Connect – Active – Open Sent – Open Confirm – Established

================= Redistribution Questions =================

Question 102

Refer to the exhibit.

router eigrp 1
redistribute bgp 1 route-map BGP_DEFAULT_ROUTE_RM
network 2.0.0.0
route-map BGP_DEFAULT_ROUTE_RM permit 10
match ip address prefix-list DEFAULT_ROUTE_PL
ip prefix-list DEFAULT_ROUTE_PL seq 10 permit 0.0.0.0/0

For which reason is EIGRP failing to redistribute the default route?

A. The EIGRP process is missing the default metric.
B. The EIGRP process is missing the no auto-summary command.
C. The EIGRP process is missing the router ID.
D. The route-map statement is missing the match any keyword.

Answer: A

Explanation

When redistributing into EIGRP, we have to configure the five metrics or redistribution
would not work because of incompatible metrics.

Question 115 (posted at http://www.digitaltut.com/eigrp-questions)

Refer to the exhibit. Which option describes why the EIGRP neighbors of this router are not
learning routes that are received from OSPF?

router eigrp 1
redistribute ospf 100
network 10.10.10.0 0.0.0.255
auto-summary
!
router ospf 100
network 172.16.0.0 0.0.255.255 area 100
redistribute eigrp 1

A. The subnet defined in OSPF is not part of area 0
B. Default metrics are not configured under EIGRP
C. There is no overlap in the subnets advertised
D. The routing protocols do not have the same AS number

Answer: B

Explanation

When redistributing into RIP, EIGRP (and IGRP) we need to specify the metrics or the
redistributed routes would never be learned. In this case we need to configure like this:

router eigrp 1
redistribute ospf 100 metric 10000 100 255 1 1500

Question 142

Refer to the exhibit. How does R1 handle the route to network 10.1.80.0/24?

R1
router eigrp 1
no auto-summary
redistribute ospf 1 route-map ospf-to-eigrp
default-metric 10000 10 255 1 1500

ip prefix-list ccnp1 seq 5 permit 10.1.48.0/24 le 24
ip prefix-list ccnp2 seq 5 permit 10.1.80.0/24 le 32
ip prefix-list ccnp3 seq 5 permit 10.1.64.0/24 le 24

route-map ospf-to-eigrp permit 10
match ip address prefix-list ccnp1
route-map ospf-to-eigrp permit 20
match ip address prefix-list ccnp2

A. R1 redistributes network 10.1.80.0/24 into EIGRP without changing the mask
B. R1 changes the mask to /32 and then redistributes network 10.1.80.0/24 into EIGRP as a
classful network
C. R1 changes the mask to /32 and then redistributes network 10.1.80.0/24 into EIGRP as a
classless network
D. R1 fails to redistribute network 10.1.80.0/24 into EIGRP

Answer: A

Explanation

The prefix-list ccnp2 permits 10.1.80.0/24 itself and any longer prefix inside it, since "le 32"
allows every mask length from /24 up to /32. The /24 therefore matches and is redistributed
with its mask unchanged.

Question 202

Which option is an invalid redistribute command option for redistributing routes from EIGRP
into OSPF?

A. route map
B. tag
C. access list
D. metric

Answer: C

Explanation

An example of configuring redistributing routes from EIGRP into OSPF with metric is shown
below:

router ospf 1
redistribute eigrp 1111 metric 200 subnets

With route map:

router ospf 1
redistribute eigrp 1 subnets route-map eigrp-to-ospf

With tag:

router ospf 1
redistribute eigrp 1 subnets tag 190

================= IP Prefix-list Questions =================

Question 33

Which command denies the default route?

A. ip prefix-list deny-route seq 5 deny 0.0.0.0/32
B. ip prefix-list deny-route seq 5 deny 0.0.0.0/8
C. ip prefix-list deny-route seq 5 deny 0.0.0.0/0
D. ip prefix-list deny-route seq 5 deny 0.0.0.0/16

Answer: C
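The matching rules behind this answer, and behind the prefix-lists of Questions 102 and 142, implemented as an added example (not code from the page's source or from Cisco). The semantics encoded here are the standard ones: an entry without ge/le matches only an exact mask length, "le N" widens the range up to /N, "ge N" starts it at /N, and an unmatched route hits the implicit deny. The entries in page_examples() are the ones quoted on this page, with Question 33's option C read as 0.0.0.0/0; every other name is this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixListEntry:
    name: str
    seq: int
    action: str                          # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """A route matches when its first <len> bits equal the entry's network AND its
        mask length is in range: exactly <len> with no ge/le, [ge, 32] with ge only,
        [<len>, le] with le only, [ge, le] with both."""
        if not route.subnet_of(self.network):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == self.network.prefixlen
        lo = self.ge if self.ge is not None else self.network.prefixlen
        hi = self.le if self.le is not None else 32
        return lo <= route.prefixlen <= hi


def parse_entry(line: str) -> PrefixListEntry:
    """Parse one 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]' line."""
    t = line.split()
    if t[:2] != ["ip", "prefix-list"] or t[3] != "seq" or t[5] not in ("permit", "deny"):
        raise ValueError(f"unrecognised prefix-list line: {line!r}")
    entry = PrefixListEntry(t[2], int(t[4]), t[5],
                            ipaddress.IPv4Network(t[6], strict=False))
    for keyword, value in zip(t[7::2], t[8::2]):
        if keyword == "ge":
            entry.ge = int(value)
        elif keyword == "le":
            entry.le = int(value)
        else:
            raise ValueError(f"unexpected keyword {keyword!r} in {line!r}")
    return entry


def first_match(entries: List[PrefixListEntry], route: str) -> Optional[PrefixListEntry]:
    """Entries are evaluated in sequence-number order; the first match wins."""
    net = ipaddress.IPv4Network(route, strict=False)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            return entry
    return None


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """The matching entry's action, or the implicit deny at the end of every prefix-list."""
    entry = first_match(entries, route)
    return entry.action if entry else "deny"


def page_examples() -> dict:
    """The prefix-lists quoted in Questions 33, 102 and 142 on this page."""
    return {
        "DEFAULT_ROUTE_PL": [parse_entry(
            "ip prefix-list DEFAULT_ROUTE_PL seq 10 permit 0.0.0.0/0")],
        "ccnp2": [parse_entry("ip prefix-list ccnp2 seq 5 permit 10.1.80.0/24 le 32")],
        "deny_default": [parse_entry("ip prefix-list deny-route seq 5 deny 0.0.0.0/0")],
        "deny_host_zero": [parse_entry("ip prefix-list deny-route seq 5 deny 0.0.0.0/32")],
    }


if __name__ == "__main__":
    for name, entries in page_examples().items():
        print(name, "->", evaluate(entries, "0.0.0.0/0"), "for 0.0.0.0/0")
```

The contrast between the last two lists is the point of Question 33: "0.0.0.0/32" names the single host address 0.0.0.0 and never matches the default route, while "0.0.0.0/0" with no ge/le matches the default route and nothing else.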

================= DHCP & DHCPv6 Questions =================

Question 51

A network engineer is configuring a DHCP server to support a specialized application. Which
additional DHCP feature must be enabled to support the delivery of various additional
parameters to DHCP clients?

A. modules
B. vendor extensions
C. options
D. Scopes

Answer: C

Question 66

After testing various dynamic IPv6 address assignment methods, an engineer decides that
more control is needed when distributing addresses to clients. Which two advantages does
DHCPv6 have over EUI-64? (Choose two)

A. DHCPv6 requires less planning and configuration than EUI-64 requires.
B. DHCPv6 allows for additional parameters to be sent to the client, such as the domain name
and DNS server.
C. DHCPv6 provides tighter control over the IPv6 addresses that are distributed to clients.
D. DHCPv6 does not require the configuration of prefix pools.
E. DHCPv6 does not require neighbor and router discovery on the network segment.

Answer: B C

Explanation

Extended Unique Identifier (EUI) allows a host to assign itself a unique 64-bit IPv6 interface
identifier (EUI-64). This feature is a key benefit over IPv4 as it eliminates the need for manual
configuration or DHCP as in the world of IPv4. The IPv6 EUI-64 format address is obtained
from the 48-bit MAC address. The MAC address is first separated into two 24-bit halves, one
being the OUI (Organizationally Unique Identifier) and the other being NIC specific. The
16-bit value 0xFFFE is then inserted between these two 24-bit halves to form the 64-bit EUI
address. IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64
generated from an EUI-48 MAC address.
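The construction described above, carried out in code as an added example (not code from the page's source or from Cisco). One step the explanation does not mention is included: the modified EUI-64 format used for IPv6 (RFC 4291) also inverts the universal/local bit, bit 7 of the first MAC octet, so 00:... becomes 02:... in the interface ID. The reverse function shows why Question 66 says DHCPv6 gives tighter control: an EUI-64 address carries the hardware address verbatim, which is both a tracking concern and a reason operators prefer assigned addresses. The MAC and prefix are constructed sample values.

```python
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> str:
    """Modified EUI-64 interface identifier from a 48-bit MAC: split the MAC into its
    24-bit OUI and 24-bit NIC halves, insert FFFE between them, and invert the
    universal/local bit (bit 7 of the first octet, per RFC 4291)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    h = iid.hex()
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID into a full IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid_int = int(mac_to_eui64_iid(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid_int))


def eui64_to_mac(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the interface ID lacks the
    FFFE marker (the address was assigned by DHCPv6, privacy extensions, or by hand)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    sample_mac = "00:1A:2B:3C:4D:5E"          # constructed sample value
    addr = eui64_address("2001:db8:1::/64", sample_mac)
    print(addr, "->", eui64_to_mac(addr))
```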

Question 67

Which three options are valid DHCPv6 functions? (Choose three)

A. Server
B. Client
C. Approver
D. Requester
E. ACK
F. Relay

Answer: A B F

Explanation

Most vendors' routers/switches have the ability to function as:

+ A DHCP client and obtain an interface IPv4 address from an upstream DHCP service
+ A DHCP relay and forward UDP DHCP messages from clients on a LAN to and from a
DHCP server
+ A DHCP server whereby the router/switch services DHCP requests directly

Question 70

DHCPv6 can obtain configuration parameters from a server through rapid two-way message
exchange. Which two steps are involved in this process? (Choose two)

A. solicit
B. advertise
C. request
D. auth
E. reply

Answer: A E

Question 94

Which set of actions does a network engineer perform to set the IPv6 address of a DHCP
relay server at the VLAN interface level?

A. Enter the VLAN interface configuration mode and define the IPv6 address of a DHCP
relay server
B. Enter the global configuration mode and enable the IPv6 DHCP relay
C. Enter the global configuration mode, enable IPv6 DHCP relay from interface
configuration mode and define the IPv6 address of a DHCP relay server
D. Enter the VLAN interface configuration mode, enable IPv6 DHCP relay, and define the
IPv6 address of a DHCP relay server

Answer: D

Explanation

An example of how to set the IPv6 address of a DHCP relay server at the VLAN interface
level:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ipv6 dhcp relay enable
host1/Admin(config-if)# ipv6 dhcp relay server 2001:DB8:1::1/64

Reference:
https://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/ACE_cr/if.html

Question 96

Where must a network engineer configure the ip helper-address command on a router?

A. On the interface that will receive the broadcasts
B. On the DHCP configuration
C. On the interface that is closest to the destination DHCP server
D. In global configuration mode

Answer: A

Question 158

When a new PC is connected to the network, which step must it take first to receive a DHCP
address?

A. It sends a DHCPHELLO message to the DHCP server IP address
B. It sends a DHCPREQUEST message to the DHCP server IP address
C. It sends a DHCPREQUEST message to 255.255.255.255
D. It sends a DHCPDISCOVER message to 255.255.255.255

Answer: D

Explanation

When a client boots up for the first time (or tries to join a new network), it needs to obtain an
IP address to communicate. So it first transmits a DHCPDISCOVER message on its local
subnet. Because the client has no way of knowing the subnet to which it belongs, the
DHCPDISCOVER is an all-subnets broadcast (destination IP address of 255.255.255.255,
which is a layer 3 broadcast address) with a destination MAC address of FF-FF-FF-FF-FF-FF
(which is a layer 2 broadcast address). The client does not have a configured IP address, so
the source IP address 0.0.0.0 is used. The purpose of the DHCPDISCOVER message is to
find a DHCP server (a server that can assign IP addresses).

To learn more about the whole DHCP process, please read our DHCP tutorial.

Question 168

Which two tasks does a DHCP relay agent perform? (Choose two)

A. It forwards DHCPOFFER and DHCPCOMPLETE messages to the DHCP client
B. It forwards DHCPDISCOVER and DHCPREQUEST messages to the DHCP server
C. It forwards DHCPHELLO and DHCPREQUEST messages to the DHCP server
D. It forwards DHCPREQUEST and DHCPACK messages to the DHCP server
E. It forwards DHCPOFFER and DHCPACK messages to the DHCP client

Answer: B E

Explanation

A DHCP relay agent is any host that forwards DHCP packets between clients and servers.
Relay agents are used to forward requests (which include the DHCPDISCOVER) and
replies (which include the DHCPOFFER) between clients and servers when they are not on the
same physical subnet.

Question 236 (posted at Q.6 of http://www.digitaltut.com/dhcp-dhcpv6-questions)

Consider this scenario. TCP traffic is blocked on port 547 between a DHCPv6 relay agent
and a DHCPv6 server that is configured for prefix delegation. Which two outcomes will
result when the relay agent is rebooted? (Choose two)

A. Routers will not obtain DHCPv6 prefixes.
B. DHCPv6 clients will be unreachable.
C. Hosts will not obtain DHCPv6 addresses.
D. The DHCPv6 relay agent will resume distributing addresses.
E. DHCPv6 address conflicts will occur on downstream clients.

Answer: A D

Explanation

Note: A DHCPv6 relay agent is used to relay (forward) messages between the DHCPv6 client
and server.

Servers and relay agents listen for DHCP messages on UDP port 547, so if a DHCPv6 relay
agent cannot receive DHCP messages (because port 547 is blocked) then the routers
(clients) will not obtain DHCPv6 prefixes.

We are not sure about answer D but maybe it is related to the (absence of) "Reload Persistent
Interface ID" in DHCPv6 Relay Options. This feature makes the interface ID option
persistent. The interface ID is used by relay agents to decide which interface should be used
to forward a RELAY-REPLY packet. A persistent interface-ID option will not change if the
router acting as a relay agent goes offline during a reload or a power outage. When the router
acting as a relay agent returns online, it is possible that changes to the internal interface index
of the relay agent may have occurred in certain scenarios (such as, when the relay agent
reboots and the number of interfaces in the interface index changes, or when the relay agent
boots up and has more virtual interfaces than it did before the reboot). This feature prevents
such scenarios from causing any problems.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-15-e-book/dhcp-15e-book_chapter_010.html

Question 237 (posted at Q.8 of http://www.digitaltut.com/dhcp-dhcpv6-questions)

Refer to the exhibit.

interface FastEthernet0/0
ip helper-address 192.168.145.5

A packet capture indicates that the router is not forwarding the DHCP packets that it receives
on interface FastEthernet0/0. Which command needs to be entered in global configuration
mode to resolve this issue?

A. ip helper-address
B. ip DHCP relay
C. service DHCP
D. ip forward-protocol

Answer: B

Explanation

The "ip helper-address" command is only configured in interface mode so it is not the correct
answer.

Note: The Cisco IOS software provides the global configuration command "ip forward-protocol"
to allow an administrator to forward any UDP port in addition to the eight default
UDP services. For example, to forward UDP on port 517, use the global configuration
command "ip forward-protocol udp 517". But the eight default UDP services include DHCP
services so it is not the suitable answer.

Reference and good resource:
http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9

A DHCP relay agent may receive a message from another DHCP relay agent that already
contains relay information. By default, the relay information from the previous relay agent is
replaced. If this behavior is not suitable for your network, you can use the ip dhcp relay
information policy {drop | keep | replace} global configuration command to change it ->
Therefore this is the correct answer.

Reference:
https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html
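The message flow described in Questions 158, 168 and 237, modelled as an added example (not code from the page's source or from Cisco): a client's initial DHCPDISCOVER to 255.255.255.255 with ciaddr 0.0.0.0, a relay agent carrying DISCOVER/REQUEST toward the server (setting giaddr, incrementing hops, and applying the drop / keep / replace policy to option 82 when the message has already passed through another relay), and the reverse direction for OFFER/ACK. The BOOTP header layout, the magic cookie and option codes 53 and 82 are the standard DHCP wire format; the helper address 192.168.145.5 is the one in the exhibit, while the relay interface address, circuit ID, MAC and transaction ID are constructed, and all function names are this example's own.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"       # the fixed 236-byte BOOTP header
OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 53, 82, 255
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST = "255.255.255.255"


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def encode_options(options: Dict[int, bytes]) -> bytes:
    body = MAGIC_COOKIE
    for code, value in options.items():
        body += bytes([code, len(value)]) + value
    return body + bytes([OPT_END])


def build_dhcp(op: int, msg_type: int, mac: str, xid: int = 0x3903F326, hops: int = 0,
               ciaddr: str = "0.0.0.0", yiaddr: str = "0.0.0.0", siaddr: str = "0.0.0.0",
               giaddr: str = "0.0.0.0", options: Optional[Dict[int, bytes]] = None) -> bytes:
    opts = {OPT_MSG_TYPE: bytes([msg_type])}
    opts.update(options or {})
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, 0x8000,   # flags: broadcast bit
                         _ip(ciaddr), _ip(yiaddr), _ip(siaddr), _ip(giaddr),
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    return header + encode_options(opts)


def parse_dhcp(packet: bytes) -> dict:
    f = struct.unpack(HEADER_FMT, packet[:236])
    body = packet[236:]
    if body[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(body) and body[i] != OPT_END:
        if body[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        code, length = body[i], body[i + 1]
        options[code] = body[i + 2:i + 2 + length]
        i += 2 + length

    def addr(raw: bytes) -> str:
        return str(ipaddress.IPv4Address(raw))
    return {"op": f[0], "hops": f[3], "xid": f[4], "ciaddr": addr(f[7]), "yiaddr": addr(f[8]),
            "siaddr": addr(f[9]), "giaddr": addr(f[10]),
            "mac": ":".join(f"{b:02x}" for b in f[11][:f[2]]),
            "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0], "options": options}


def client_discover(mac: str) -> Tuple[str, bytes]:
    """Question 158: a client with no address starts with DHCPDISCOVER, ciaddr 0.0.0.0,
    sent to the limited broadcast 255.255.255.255."""
    return BROADCAST, build_dhcp(BOOTREQUEST, DHCPDISCOVER, mac)


def relay_to_server(packet: bytes, relay_ip: str, server_ip: str, policy: str = "replace",
                    circuit_id: bytes = b"Fa0/0") -> Optional[Tuple[str, bytes]]:
    """Questions 168 and 237: forward DISCOVER/REQUEST to the helper address, set giaddr
    to the receiving interface unless an earlier relay already did, increment hops, and
    apply the relay information policy {drop | keep | replace} to option 82."""
    msg = parse_dhcp(packet)
    if msg["op"] != BOOTREQUEST or msg["msg_type"] not in (DHCPDISCOVER, DHCPREQUEST):
        return None
    opts = dict(msg["options"])
    my_info = bytes([1, len(circuit_id)]) + circuit_id      # sub-option 1 = circuit ID
    if OPT_RELAY_INFO in opts:                              # already relayed once
        if policy == "drop":
            return None
        if policy == "replace":
            opts[OPT_RELAY_INFO] = my_info
        # "keep": the first relay's information is preserved unchanged
    else:
        opts[OPT_RELAY_INFO] = my_info
    giaddr = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else relay_ip
    return server_ip, build_dhcp(BOOTREQUEST, msg["msg_type"], msg["mac"], xid=msg["xid"],
                                 hops=msg["hops"] + 1, ciaddr=msg["ciaddr"], giaddr=giaddr,
                                 options=opts)


def relay_to_client(packet: bytes) -> Optional[Tuple[str, bytes]]:
    """Reverse direction: OFFER and ACK are delivered on the interface whose address is
    in giaddr, with the relay's option 82 stripped. Returns (giaddr, packet)."""
    msg = parse_dhcp(packet)
    if msg["op"] != BOOTREPLY or msg["msg_type"] not in (DHCPOFFER, DHCPACK):
        return None
    opts = {c: v for c, v in msg["options"].items() if c != OPT_RELAY_INFO}
    return msg["giaddr"], build_dhcp(BOOTREPLY, msg["msg_type"], msg["mac"], xid=msg["xid"],
                                     yiaddr=msg["yiaddr"], siaddr=msg["siaddr"],
                                     giaddr=msg["giaddr"], options=opts)
```

With a packet capture in hand, the fields this code sets are the ones to check when "ip helper-address" appears not to work: a forwarded DISCOVER must leave the relay as a unicast to the helper address with giaddr filled in and hops incremented; a second relay in the path that has "ip dhcp relay information policy drop" configured will silently discard it, which is the symptom Question 237 describes.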

================= EVN & VRF Questions =================

Question 7

After reviewing the EVN configuration, a network administrator notices that a predefined
EVN, which is known as "vnet global", was configured. What is the purpose of this EVN?
(OR) What is the purpose of "vnet global"?

A. It defines the routing scope for each particular EVN edge interface.
B. It aggregates and carries all dot1q tagged traffic.
C. It refers to the global routing context and corresponds to the default RIB.
D. It safeguards the virtual network that is preconfigured to avoid mismatched routing
instances.

Answer: C

Question 34

Refer to the exhibit.

R1
hostname R1
!
ip vrf Yellow
rd 100:1
!
interface Serial0/0
ip vrf forwarding Yellow
ip address 209.165.202.129 255.255.255.224
!
ip route 209.165.202.129 255.255.255.224 null0
!
router eigrp 100
address-family ipv4 vrf Yellow
network 209.165.202.129 0.0.0.0
no auto-summary
autonomous-system 100
redistribute static

R2
hostname R2
!
ip vrf Yellow
rd 100:1
!
interface Serial0/0
ip vrf forwarding Yellow
ip address 209.165.202.130 255.255.255.224
!
router eigrp 100
address-family ipv4 vrf Yellow
network 209.165.202.130 0.0.0.0
no auto-summary
autonomous-system 100

A senior network engineer tries to propagate a summary route 209.165.201.0/27 to R2 by
redistributing a static route on R1, but the setup is not working. What is the issue with the
configuration in the exhibit?

A. The summary route is in the global routing table.
B. The wildcard bit in the network command is incorrect.
C. The redistribute command is in the wrong address-family.
D. The route target is missing.

Answer: A

Explanation

The two connected S0/0 interfaces are in VRF Yellow, so we have to put the static route into
this VRF too. It should be "ip route vrf Yellow 209.165.202.129 255.255.255.224 null0".

Question 36

Which technology does Easy Virtual Network use?

A. MP-BGP
B. DMVPN
C. MPLS
D. VRF-Lite

Answer: D

Question 41

Which technology is required on an EVN trunk interface?

A. 802.1q
B. NAT
C. VRF-Lite
D. IS-IS

Answer: A

Explanation

An EVN trunk is allowed on any interface that supports 802.1q encapsulation, such as Fast
Ethernet, Gigabit Ethernet, and port channels.

If an EVN trunk is configured on an interface, you cannot configure VRF-Lite on the same
interface.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html

Question 54

Refer to the exhibit.


R1:

hostname R1
!
ip vrf Yellow
 rd 100:1
!
interface Serial0/0
 ip vrf forwarding Yellow
 ip address 209.165.202.129 255.255.255.224
!
router eigrp 100
 address-family ipv4 vrf Yellow
  network 209.165.202.129 0.0.0.0
  no auto-summary

R2:

hostname R2
!
ip vrf Yellow
 rd 100:1
!
interface Serial0/0
 ip vrf forwarding Yellow
 ip address 209.165.202.130 255.255.255.224
!
router eigrp 100
 address-family ipv4 vrf Yellow
  network 209.165.202.130 0.0.0.0
  no auto-summary

A network engineer is unable to make VRF lite EIGRP adjacency work. There is nothing
wrong with communication between R1 and R2. What command will eliminate the issue
when executed on both routers?

A. (config-router-af)#autonomous-system 100
B. (config)#ip-multicast-routing
C. (config-vrf)#route-target both 100:1
D. (config-router-af)#network 209.165.202.128 0.0.0.31

Answer: A

Explanation

To configure the autonomous-system number for EIGRP to run within a VPN routing and
forwarding (VRF) instance, use the "autonomous-system" command in address-family
configuration mode. In particular:

Router(config)# router eigrp 100
Router(config-router)# address-family ipv4 vrf Yellow
Router(config-router-af)# autonomous-system 100

Question 65

Which two statements about EVN are true? (Choose two)

A. Virtual network tags are assigned per-VRF.
B. It is supported only on access ports.
C. Virtual network tags are assigned globally.
D. Routing metrics can be manipulated only from directly within the routing-context
configuration.
E. The VLAN ID in the 802.1q frame carries the virtual network tag.
F. The VLAN ID in the ISL frame carries the virtual network tag.

Answer: A E

Explanation

Path isolation can be achieved by using a unique tag for each Virtual Network (VN) ->
Answer A is correct.

Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q
is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a
VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged
packets carrying the VLAN ID are not EVN packets and could be transported over the same
trunk interfaces -> Answer E is correct.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-
vpns-l3vpn/whitepaper_c11-638769.html
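The tag repurposing described above can be seen directly in the frame bytes. The following is an added example, not code from the page or from Cisco: it parses a constructed Ethernet frame, pulls the 12-bit VID field out of the 802.1q TCI, and treats that value as the VNET tag to demultiplex the frame into an EVN. The tag-to-EVN mapping (10 = "red", 20 = "blue") and the MAC addresses are assumptions made up for the example.

```python
import struct

TPID_DOT1Q = 0x8100

# Constructed mapping from VNET tag (carried in the 802.1q VID field) to EVN name.
# The tag values and names are assumptions for this example, not a real deployment.
VNET_TAGS = {10: "red", 20: "blue"}


def parse_dot1q(frame: bytes) -> dict:
    """Parse the Ethernet header and, if present, the 802.1q tag.

    Returns src/dst MACs, the VID (None if the frame is untagged), the PCP and
    DEI bits and the inner EtherType. On an EVN trunk the VID position carries
    the VNET tag, so that is the field used to classify the frame.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"dst": dst.hex(":"), "src": src.hex(":"),
              "vid": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("frame too short for an 802.1q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        result["pcp"] = tci >> 13          # 3-bit priority code point
        result["dei"] = (tci >> 12) & 0x1  # drop eligible indicator
        result["vid"] = tci & 0x0FFF       # 12-bit VID, reused as the VNET tag
        ethertype = inner_type
        offset = 18
    result["ethertype"] = ethertype
    result["payload"] = frame[offset:]
    return result


def demux_evn(frame: bytes, tag_map=VNET_TAGS) -> str:
    """Return the EVN name a trunk frame belongs to, based on its VNET tag."""
    hdr = parse_dot1q(frame)
    if hdr["vid"] is None:
        return "untagged"          # no VNET tag present: not an EVN-tagged packet
    return tag_map.get(hdr["vid"], "unknown-tag")


def build_frame(vid, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed test frame; vid=None produces an untagged frame."""
    dst = bytes.fromhex("0100000000aa")   # constructed MAC addresses
    src = bytes.fromhex("0200000000bb")
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (0 << 13) | (0 << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_DOT1Q, tci, ethertype) + payload


if __name__ == "__main__":
    for vid in (10, 20, 99, None):
        print(vid, "->", demux_evn(build_frame(vid)))
```

A tag that is not in the mapping is reported rather than silently dropped into some VN, which is the behaviour a trunk-facing classifier should have: an unexpected tag on a trunk is worth logging.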

Question 85

What is the primary service that is provided when you implement Cisco Easy Virtual
Network?

A. It requires and enhances the use of VRF-Lite.
B. It reduces the need for common services separation.
C. It allows for traffic separation and improved network efficiency.
D. It introduces multi-VRF and label-prone network segmentation.

Answer: C

Question 105

Which condition must be met before two EVN devices can connect?

A. An EtherChannel must be configured with at least two interfaces connected between the
devices
B. A fiber connection must be established between the devices.
C. One VLAN interface must be configured between the devices.
D. A trunk interface must be configured between the devices.

Answer: D

Question 121

Where does EVN mark the traffic to separate different users?

A. On the edge interface, with VNET tag
B. On the edge, with 802.1Q
C. On the trunk, with VNET tag
D. On the trunk, with 802.1Q

Answer: C

Question 135

Which two statements about EVN are true? (Choose two)

A. It supports IPv6 traffic.
B. It can support up to 16 VNs.
C. It uses redistribution to share routes between VNs.
D. It supports SSM only.
E. A configuration can be based on an existing VRF configuration.

Answer: C E

Explanation

Multi-VRF achieves route exchange between VNs by redistributing VN routes indirectly
through BGP using the route-target import/export feature.

Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-
vpns-l3vpn/whitepaper_c11-638769.html

The following are not supported on an EVN trunk:

+ Access control lists (ACLs)
+ BGP interface commands are not inherited
+ IPv6, except on vnet global -> Only vnet global (is also known as the default routing
table) supports IPv6 -> A is not correct.
+ Network address translation (NAT)
+ NetFlow
+ Web Cache Communication Protocol (WCCP)

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html

According to this Cisco document EVN supports up to 32 VNs and EVN supports both SM
and SSM modes:

Network virtualization solution EVN:

+ Provides a pure IP alternative to MPLS in enterprise networks for up to 32 VNs -> B
is not correct.
+ Uses existing enterprise design/architecture/protocols
+ Uses existing technology to increase the effectiveness of VRFs
+ Provides either an IGP (OSPF, EIGRP) only or IGP/EGP-based alternative
+ Reintroduces familiar concepts for access and trunks to Layer 3
+ Can be deployed with traditional MPLS VPNs or MPLS VPNs over mGRE
+ Can coexist with Multi-VRF deployments
+ Supports non-IP and IPv6 traffic through the EVN global table
+ Supports PIM and IGMP with SM and SSM modes for mVPN -> Answer D is not
correct.
+ Supports shared services using route replication
+ Includes enhanced troubleshooting and usability tools:
– routing context, traceroute, debug condition, cisco-vrf-mib, and simplified VRF-aware
SNMP configuration

For answer E, it should be understood like this: different VRF configurations may have the
same configuration (like IP addresses, interfaces, AS numbers…)

Question 147

Which protocol does VRF-Lite support?

A. IS-IS
B. ODR
C. EIGRP
D. IGRP

Answer: C

Explanation

VRF-Lite supports BGP, OSPF, EIGRP, RIP and static routing.

Question 171

A customer asks its service provider for VPN support for IPv4 and IPv6 address families.
Which command enables a VRF that supports these requirements?

A. Router(config-vrf)#route-target 004:006
B. Router(config-vrf)#rd 004:006
C. Router(config)#ip vrf CUSTOMER
D. Router(config-vrf)#vrf definition CUSTOMER

Answer: D

Explanation
You can now define multiple address families under the same VRF or configure separate
VRFs for each IPv4 or IPv6 address family by entering the vrf definition command. The
command "vrf definition vrf-name" names the VRF and enters VRF configuration mode. An
example of using this command is shown below:

Router(config)# ipv6 unicast-routing
Router(config)# vrf definition red
Router(config-vrf)# rd 100:1
Router(config-vrf)# address-family ipv6
Router(config-vrf-af)# route-target both 200:1
Router(config-vrf-af)# exit-address-family
Router(config-vrf)# interface Ethernet0/1
Router(config-if)# vrf forwarding red
Router(config-if)# ipv6 address 5000::72B/64

Reference:
https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/ios/software/15_4_1_c
g/vrf_cgr1000.html

Question 179

Which technology supports overlapping IP addresses on a single interface?

A. policy-based routing
B. VRF-Lite
C. On-Demand Routing
D. QoS

Answer: B

Explanation

In VRF-Lite, the route distinguisher (RD) identifies the customer routing table and "allows
customers to be assigned overlapping addresses".

Question 181

Refer to the exhibit.

interface gigabitethernet 2/0/0
 vnet trunk
 ip address 192.168.1.1 255.255.255.0
 vnet name cisco

Which effect of this configuration is true?

A. It designates the interface as a GRE tunnel endpoint
B. It configures 802.1q trunking on the interface
C. It designates the interfaces as an EVN trunk
D. It removes VTP from the interface

Answer: C

Explanation

An EVN trunk interface connects VRF-aware routers together and provides the core with a
means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is
used to de-multiplex the packet into the corresponding EVN. A trunk interface has one
subinterface for each EVN. The vnet trunk command is used to define an interface as an
EVN trunk interface.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html

Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual
router instances, and both technologies allow routes from one VRF to be selectively leaked to
other VRFs. However, a major difference is the way that two physical routers interconnect.
With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF.
However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies
configuration.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide

Question 187

What is the role of a route distinguisher via a VRF-Lite setup implementation?

A. It extends the IP address to identify which VRF instance it belongs to.
B. It manages the import and export of routes between two or more VRF instances
C. It enables multicast distribution for VRF-Lite setups to enhance EGP routing protocol
capabilities
D. It enables multicast distribution for VRF-Lite setups to enhance IGP routing protocol
capabilities

Answer: A

Explanation

The route distinguisher (RD) is used to keep all prefixes in the BGP table unique so that we
can use the same subnets for different VRFs/VPNs. An example of RD is shown below:

ip vrf CustomerA
 rd 65000:1
!
ip vrf CustomerB
 rd 65000:2

Note: There is another question asking about the role of a route target (RT) and the answer is
B so please be careful and read the question well.
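To make the "extends the IP address" wording concrete, here is an added example (not code from the page or from Cisco IOS) that encodes an ASN:nn route distinguisher in the 8-byte type 0 format (2-byte type, 2-byte ASN, 4-byte assigned number) and prepends it to an IPv4 prefix the way a VPNv4 route key is built. The two customers and their overlapping 10.1.1.0/24 subnet are constructed sample data.

```python
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode an 'ASN:nn' route distinguisher as an 8-byte type 0 RD
    (2-byte type field = 0, 2-byte ASN, 4-byte assigned number)."""
    asn_str, num_str = rd.split(":")
    asn, num = int(asn_str), int(num_str)
    if not (0 <= asn <= 0xFFFF and 0 <= num <= 0xFFFFFFFF):
        raise ValueError("type 0 RD needs a 2-byte ASN and a 4-byte number")
    return struct.pack("!HHI", 0, asn, num)


def vpnv4_key(rd: str, prefix: str) -> bytes:
    """RD + prefix length + network address: the unique key that lets two VRFs
    carry the same IPv4 prefix side by side in one BGP table."""
    net = ipaddress.ip_network(prefix, strict=True)
    return encode_rd(rd) + bytes([net.prefixlen]) + net.network_address.packed


def build_vpnv4_table(vrf_routes) -> dict:
    """vrf_routes: iterable of (vrf_name, rd, prefix). Returns {key: vrf_name}.

    Raises if two entries collapse onto the same RD+prefix, which is exactly
    what happens when two VRFs are mistakenly given the same RD.
    """
    table = {}
    for vrf, rd, prefix in vrf_routes:
        key = vpnv4_key(rd, prefix)
        if key in table:
            raise ValueError(f"duplicate VPNv4 route {rd}:{prefix} ({table[key]} vs {vrf})")
        table[key] = vrf
    return table


# Constructed sample: both customers use 10.1.1.0/24 behind different RDs.
SAMPLE = [
    ("CustomerA", "65000:1", "10.1.1.0/24"),
    ("CustomerB", "65000:2", "10.1.1.0/24"),
]

if __name__ == "__main__":
    for key, vrf in build_vpnv4_table(SAMPLE).items():
        print(key.hex(), vrf)
```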

Question 199

Which statement is true about an edge interface in relation to the Cisco Easy Virtual
Network?

A. An edge interface is used to differentiate VRF instances.
B. An edge interface connects to end devices such as hosts and servers that are VRF-aware
C. An edge interface connects a user device to the EVN while defining the EVN boundaries.
D. An edge interface is configured using the vnet trunk command under the switched virtual
interface.

Answer: C

Explanation

An edge interface connects a user device to the EVN and in effect defines the boundary of the
EVN. Edge interfaces connect end devices such as hosts and servers that are not VRF-aware.
Traffic carried over the edge interface is untagged. The edge interface classifies which EVN
the received traffic belongs to. Each edge interface is configured to belong to only one EVN.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html#GUID-D8133186-33B5-4244-AAFD-60F5FEC38CEF

Question 221 (posted at Q.8 of http://www.digitaltut.com/evn-vrf-questions-2)

Which two statements about EVNs are true? (Choose two)

A. VRFs using MPLS require a trunk interface that uses EVN
B. VRF-Lite requires a trunk interface that uses EVNs
C. All EVNs within a trunk interface can share the same IP infrastructure
D. Each EVN within a trunk interface must be configured separately
E. Commands that are specified once under a trunk interface can be inherited by all EVNs

Answer: C E

Explanation
With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple
VRFs) between two routers you need to create a subinterface for each VRF on each router ->
VRF-Lite requires subinterfaces. However, with Cisco EVN, you instead create a trunk
(called a Virtual Network (VNET) trunk) between the routers. Then, traffic for multiple
virtual networks can travel over that single trunk interface, which uses tags to identify the
virtual networks to which packets belong.

Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual
router instances, and both technologies allow routes from one VRF to be selectively leaked to
other VRFs. However, a major difference is the way that two physical routers interconnect.
With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF.
However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies
configuration.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide

All EVNs within a trunk interface share the same IP infrastructure as they are on the same
physical interface -> Answer C is correct.

With EVNs, a trunk interface is shared among VRFs so each command configured under this
trunk is applied by all EVNs -> Answer E is correct.

Question 227 (posted at Q.6 of http://www.digitaltut.com/evn-vrf-questions)

Which three benefits does the Cisco Easy Virtual Network provide to an enterprise network?
(Choose three)

A. simplified Layer 3 network virtualization
B. improved shared services support
C. enhanced management, troubleshooting, and usability
D. reduced configuration and deployment time for dot1q trunking
E. increased network performance and throughput
F. decreased BGP neighbor configurations

Answer: A B C

Explanation

EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN
provides enhancements in path isolation, simplified configuration and management, and
improved shared service support

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-overview.html

Maybe the "improved shared services support" term here refers to the support for sharing
routes between different VRFs (through route-target, MP-BGP).

Question 234 (posted at Q.31 of http://www.digitaltut.com/new-route-questions-part-4)

What is VRF-lite?

A. VRF without MPLS
B. VRF without VPN
C. VRF without independent route tables
D. VRF without Cisco Express Forwarding switching

Answer: A

================= IPv6 Questions =================

Question 10

Which CLI command can you enter to permit or deny IPv6 traffic travelling through an
interface?

A. access-list
B. access-group
C. ipv6 access-class
D. ipv6 traffic-filter

Answer: D

Explanation

The command "ipv6 traffic-filter access-list-name { in | out }" applies the access list to
incoming or outgoing traffic on the interface.

Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swv6acl.html

Question 24

Which two technologies can encapsulate an IPv6 payload in an IPv4 packet for transmission
across a network? (Choose two)

A. L2TPv3
B. trunking
C. AToM
D. ISATAP
E. NAT-PT

Answer: D E

Explanation

The Network Address Translator – Protocol Translator (NAT-PT) defines a set of network-
layer translation mechanisms designed to allow nodes that only support IPv4 to communicate
with nodes that only support IPv6, during the transition to the use of IPv6 in the Internet.

NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the
boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4
and IPv6 network, all IPv4 users are given access to the IPv6 network without modification
in the local IPv4-hosts (and vice versa). Equally, all hosts on the IPv6 network are given
access to the IPv4 hosts without modification to the local IPv6-hosts. This is accomplished
with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions
are initiated across IPv4-IPv6 boundaries

(Reference: http://www.ietf.org/rfc/rfc4966.txt and
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_white_pap
er09186a008011ff51_ps6640_Products_White_Paper.html)

ISATAP tunneling (Intra-Site Automatic Tunnel Addressing Protocol) is a mechanism for
transmitting IPv6 packets over an IPv4 network. The word "automatic" means that once an
ISATAP server/router has been set up, only the clients must be configured to connect to it.

Question 25

When a packet is denied by an IPv6 traffic filter, which additional action does the device
perform?

A. It scans the rest of the ACL for a permit entry matching the destination
B. It generates a TCP Fin bit and sends it to the source.
C. It creates a null route for the destination and adds it to the route table
D. It generates an ICMP unreachable message for the frame.

Answer: D

Explanation

If an IPv6 router ACL is configured to deny a packet, the packet is dropped. A copy of the
packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP
unreachable message for the frame.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swv6acl.html

Question 48

Which two options are components of a dual stack? (Choose two)

A. EIGRP
B. OSPF
C. IPv6 traffic
D. IPv4 traffic
E. Layer 3 switch
F. Layer 2 switch

Answer: C D

Question 56

What are two limitations of using NPTv6 for IPv6-to-IPv6 address translation?
(Choose two)

A. stateful address translation
B. a limit of 32 1-to-1 translations
C. lack of overloading functionality
D. identify all interfaces as NAT inside or outside
E. 1-to-1 prefix rewrite
F. mismatched prefix allocations

Answer: C F

Explanation

IPv6-to-IPv6 Network Prefix Translation (NPTv6) provides a mechanism to translate an
inside IPv6 source address prefix to an outside IPv6 source address prefix in the IPv6 packet
header and vice versa. In other words, NPTv6 simply rewrites IPv6 prefixes. NPTv6 does
not support overloading. It does not support mismatched prefix allocation sizes (the
network/host split must remain intact; for example, you cannot translate a /64 to a /48).
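As an added example (not code from the page or from any vendor implementation), the prefix rewrite above reduces to replacing the top prefix bits while leaving the host bits untouched, which only works when both prefixes have the same length. The prefixes and host address below are constructed sample values, and the example deliberately leaves out the checksum-neutral adjustment that RFC 6296 additionally applies to one of the rewritten hextets.

```python
import ipaddress


def nptv6_rewrite(addr: str, inside_prefix: str, outside_prefix: str) -> ipaddress.IPv6Address:
    """Rewrite the prefix of `addr` from inside_prefix to outside_prefix.

    The translation is 1-to-1 and keeps no per-flow state: the host portion is
    copied verbatim, so the same function with the prefixes swapped reverses it.
    Mismatched prefix lengths are rejected, because then the host portion could
    not be preserved. (This omits the RFC 6296 checksum-neutral adjustment.)
    """
    inside = ipaddress.IPv6Network(inside_prefix)
    outside = ipaddress.IPv6Network(outside_prefix)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError(
            f"NPTv6 needs equal prefix lengths, got /{inside.prefixlen} and /{outside.prefixlen}")
    a = ipaddress.IPv6Address(addr)
    if a not in inside:
        raise ValueError(f"{addr} is not inside {inside_prefix}")
    host_bits = 128 - inside.prefixlen
    host_part = int(a) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(outside.network_address) | host_part)


# Constructed sample: a ULA inside prefix mapped to a documentation prefix outside.
INSIDE = "fd00:1:2::/48"
OUTSIDE = "2001:db8:1::/48"

if __name__ == "__main__":
    out = nptv6_rewrite("fd00:1:2:10::5", INSIDE, OUTSIDE)
    print("outbound:", out)
    print("return:  ", nptv6_rewrite(str(out), OUTSIDE, INSIDE))
```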

Question 62

Which two statements about 6to4 tunneling are accurate? (Choose two)

A. Prepending a reserved IPv6 code to the hexadecimal representation of 192.168.0.1
facilitates 6to4 tunneling
B. Each 6to4 site receives a /48 prefix in a 6to4 tunnel
C. 2002::/48 is the address range specifically assigned to 6to4
D. Prepending 0x2002 with the IPv4 address creates an IPv6 address that is used in 6to4
tunneling
E. 6to4 is a manual tunnel method

Answer: B D

Explanation

6to4 tunneling is a technique which relies on the reserved address space 2002::/16 (you must
remember this range). These tunnels determine the appropriate destination address by
combining the IPv6 prefix with the globally unique IPv4 address of the destination 6to4 border
router, beginning with the 2002::/16 prefix, in this format:

2002:border-router-IPv4-address::/48

Because the border-router-IPv4-address is added, we will have a /48 prefix (an IPv4
address consists of 32 bits, and 16 + 32 = 48). An example of a 6to4 prefix with the
border-router-IPv4-address of 192.168.1.2 is 2002:C0A8:0102::/48 (192.168 = C0A8 and
1.2 = 0102 in hexadecimal).

Question 88

The Neighbor Discovery Protocol in IPv6 is replaced with which discovery protocol in IPv4?

A. ARP
B. ICMP
C. UDP
D. TCP
E. RFC

Answer: A

Explanation

Note: This question asks about the IPv4 discovery protocol, not IPv6. So the correct answer
is ARP.

Just for your information, the IPv6 neighbor discovery process uses Internet Control Message
Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer
address of a neighbor on the same network (local link), verify the reachability of a neighbor,
and track neighboring devices.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-
2mt/ip6-15-2mt-book/ip6-neighb-disc.html

-> Neighbor Discovery Protocol in IPv6 does not use ARP any more.

Question 159

Considering the IPv6 address independence requirements, which process do you avoid when
you use NPTv6 for translation?

A. rewriting of higher layer information
B. checksum verification
C. ipv6 duplication and conservation
D. IPSEC AH header modification

Answer: A

Question 196

Company is deploying a multicast application that must be accessible between sites, but must
not be accessible outside of the organization. Based on the scoping requirements, the
multicast group address for the application will be allocated out of which range?

A. FF00::/16
B. FF0E::/16
C. FF02::/16
D. FF08::/16

Answer: D

Explanation

All IPv6 multicast addresses begin with FF00::/8, in other words with FF as the first two
hexadecimal digits. But we need to know the differences between these multicast addresses:

FF02::/16 is the IPv6 prefix for link-local multicast, meaning that routers will not forward
these packets outside the local subnet.
FF08::/16 is the IPv6 prefix for organization-local multicast. It is typically used for a
multicast application with users throughout the enterprise. Packets sent to these addresses
have organization-local scope, meaning that they are forwarded throughout the organization
but not out into the Internet.
FF0E::/16 is the IPv6 prefix for global multicast.

Therefore in this question, FF08::/16 is the best answer.
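The scope values above all live in the low nibble of the second address byte (the high nibble carries the flag bits). The following added example, which is not code from the page, decodes that nibble and then answers the question's actual decision: should a router sitting at a given administrative boundary forward the group or not. It generalises slightly beyond the three ranges the text lists by covering the other assigned scope values as well; the boundary names are this example's own labels.

```python
import ipaddress

# Assigned multicast scope values (low nibble of the second byte).
SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

# Scope value of the boundary a router enforces (labels are this example's own).
BOUNDARY = {"link": 0x2, "site": 0x5, "organization": 0x8}


def multicast_scope_value(addr: str) -> int:
    v6 = ipaddress.IPv6Address(addr)
    if not v6.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return v6.packed[1] & 0x0F


def multicast_scope(addr: str) -> str:
    """Human-readable scope name, e.g. 'organization-local' for ff08::1."""
    scope = multicast_scope_value(addr)
    return SCOPES.get(scope, f"unassigned({scope:#x})")


def multicast_flags(addr: str) -> dict:
    """Flag nibble: the T bit is set for transient (non-well-known) groups."""
    flags = ipaddress.IPv6Address(addr).packed[1] >> 4
    return {"transient": bool(flags & 0x1), "prefix_based": bool(flags & 0x2),
            "rendezvous_point": bool(flags & 0x4)}


def forward_across(addr: str, boundary: str) -> bool:
    """A router at `boundary` forwards a group only if the group's scope is
    strictly larger than the boundary it sits on."""
    return multicast_scope_value(addr) > BOUNDARY[boundary]


if __name__ == "__main__":
    for group in ("ff02::1", "ff05::101", "ff08::1234", "ff0e::1"):
        print(group, multicast_scope(group),
              "leaves organization:", forward_across(group, "organization"))
```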

Question 218 (posted at Q.26 of http://www.digitaltut.com/new-route-questions-part-3)

Which statement about stateless and stateful IPv6 autoconfiguration is true?

A. Both stateless and stateful autoconfiguration require additional setup
B. Stateless autoconfiguration requires no additional setup, whereas stateful
autoconfiguration requires additional setup
C. Stateless autoconfiguration requires additional setup, whereas stateful autoconfiguration
requires no additional setup
D. Both stateless and stateful autoconfiguration require no additional setup

Answer: B

Explanation

Stateful autoconfiguration is the IPv6 equivalent of DHCP. A new protocol, called DHCPv6
(and based closely on DHCP), is used to pass out addressing and service information in the
same way that DHCP is used in IPv4. This is called "stateful" because the DHCP server and
the client must both maintain state information to keep addresses from conflicting, to handle
leases, and to renew addresses over time.

Stateless autoconfiguration allows an interface to automatically "lease" an IPv6 address and
does not require the establishment of a server to dole out address space. Stateless
autoconfiguration allows a host to propose an address which will probably be unique (based
on the network prefix and its Ethernet MAC address) and propose its use on the network.
Because no server has to approve the use of the address, or pass it out, stateless
autoconfiguration is simpler. This is the default mode of operation for most IPv6 systems,
including servers.

Question 7 (https://www.digitaltut.com/ipv6-questions)

A network engineer executes the "ipv6 flowset" command. What is the result?

A. Flow-label marking in 1280-byte or larger packets is enabled.
B. Flow-set marking in 1280-byte or larger packets is enabled.
C. IPv6 PMTU is enabled on the router.
D. IPv6 flow control is enabled on the router.

Answer: A

Explanation

The command "ipv6 flowset" allows the device to track destinations to which the device has
sent packets that are 1280 bytes or larger.

Question 11 (https://www.digitaltut.com/ipv6-questions-2-2)

The enterprise network WAN link has been receiving several denial of service attacks from
both IPv4 and IPv6 sources. Which three elements can you use to identify an IPv6 packet via
its header, in order to filter future attacks? (Choose three)

A. Traffic Class
B. Source address
C. Flow Label
D. Hop Limit
E. Destination Address
F. Fragment Offset

Answer: A C D

Explanation

The components of the IPv6 header are shown below:

The Traffic Class field (8 bits) is where quality of service (QoS) marking for Layer 3 can be
identified. In a nutshell, the higher the value of this field, the more important the packet. Your
Cisco routers (and some switches) can be configured to read this value and send a high-
priority packet sooner than other lower ones during times of congestion. This is very
important for some applications, especially VoIP.

The Flow Label field (20 bits) is originally created for giving real-time applications special
service. The flow label when set to a non-zero value now serves as a hint to routers and
switches with multiple outbound paths that these packets should stay on the same path so that
they will not be reordered. It has further been suggested that the flow label be used to help
detect spoofed packets.

The Hop Limit field (8 bits) is similar to the Time to Live field in the IPv4 packet header.
The value of the Hop Limit field specifies the maximum number of routers that an IPv6
packet can pass through before the packet is considered invalid. Each router decrements the
value by one. Because no checksum is in the IPv6 header, the router can decrease the value
without needing to recalculate the checksum, which saves processing resources.
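The three fields the question names sit in the first four bytes (traffic class and flow label) and in byte 7 (hop limit) of the fixed 40-byte header. The following added example, not code from the page, unpacks a constructed IPv6 header with those offsets and then applies a small deny-rule list over the decoded fields, which is the filtering decision the question is about. The addresses and the deny rules are constructed sample values.

```python
import ipaddress
import struct

# Fixed IPv6 header: 4-byte version/class/flow word, 2-byte payload length,
# 1-byte next header, 1-byte hop limit, 16-byte source, 16-byte destination.
HDR = struct.Struct("!IHBB16s16s")


def parse_ipv6_header(packet: bytes) -> dict:
    if len(packet) < HDR.size:
        raise ValueError("need at least 40 bytes for a fixed IPv6 header")
    first, payload_len, next_header, hop_limit, src, dst = HDR.unpack(packet[:HDR.size])
    version = first >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "traffic_class": (first >> 20) & 0xFF,   # 8 bits after the version nibble
        "flow_label": first & 0xFFFFF,           # low 20 bits of the first word
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,                  # IPv4 TTL equivalent, no checksum
        "src": ipaddress.IPv6Address(src),
        "dst": ipaddress.IPv6Address(dst),
    }


def build_ipv6_header(src, dst, traffic_class=0, flow_label=0,
                      next_header=58, hop_limit=64, payload=b"") -> bytes:
    """Constructed packet builder for testing the parser (next_header 58 = ICMPv6)."""
    first = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return HDR.pack(first, len(payload), next_header, hop_limit,
                    ipaddress.IPv6Address(src).packed,
                    ipaddress.IPv6Address(dst).packed) + payload


def filter_action(packet: bytes, deny_rules) -> str:
    """Return 'deny' if every field named in some rule matches the header, else 'permit'."""
    hdr = parse_ipv6_header(packet)
    for rule in deny_rules:
        if all(hdr.get(field) == value for field, value in rule.items()):
            return "deny"
    return "permit"


# Constructed deny rules keyed on the header fields from the question.
DENY_RULES = [
    {"flow_label": 0x12345, "hop_limit": 1},         # a specific abusive flow pattern
    {"traffic_class": 0xB8, "next_header": 17},      # EF-marked UDP from outside
]

if __name__ == "__main__":
    pkt = build_ipv6_header("2001:db8::1", "2001:db8::2",
                            traffic_class=0xB8, flow_label=0x12345, hop_limit=1)
    print(parse_ipv6_header(pkt))
    print(filter_action(pkt, DENY_RULES))
```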

================= uRPF Questions =================

Question 52

Which two statements about uRPF are true? (Choose two)

A. The keyword any can be used with both strict mode and loose mode
B. Strict mode may drop legitimate traffic
C. It is enabled globally
D. Strict mode is most appropriate for networks with asymmetric routing
E. Loose mode may drop traffic when asymmetric routing occurs on the network
F. It is enabled on a per interface basis

Answer: B F

Explanation

The syntax for configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables Loose Mode uRPF on the router. This mode only requires that the
router can reach the source address via any interface.
The rx option enables Strict Mode uRPF on the router. This mode ensures that the router
reaches the source address only via the interface on which the packet was received.
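The difference between rx and any, and why strict mode can drop legitimate traffic under asymmetric routing (answer B), is easiest to see against a concrete FIB. This is an added example, not code from the page or from IOS: a longest-prefix-match lookup over a constructed FIB, followed by the uRPF decision in both modes, including the allow-default option and the common case of a source that only matches a route to Null0. Interface names and prefixes are constructed sample values.

```python
import ipaddress

# Constructed FIB: (prefix, egress interface). Null0 entries model blackholed sources.
FIB = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.2.0.0/16", "Gi0/2"),
    ("192.0.2.0/24", "Gi0/3"),
    ("198.51.100.0/24", "Null0"),
    ("0.0.0.0/0", "Gi0/0"),
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="rx", allow_default=False):
    """uRPF decision for a packet with source `src` arriving on `ingress`.

    mode 'rx'  = strict: the best route to the source must point back out the
                 ingress interface.
    mode 'any' = loose: any route to the source suffices.
    Without allow-default, a match on the default route does not count in
    either mode; a route to Null0 never counts.
    Returns 'pass' or 'drop'.
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    match = lookup(fib, src)
    if match is None:
        return "drop"                       # no route at all to the source
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return "drop"                       # only the default route knows the source
    if iface == "Null0":
        return "drop"                       # blackholed source fails in both modes
    if mode == "any":
        return "pass"
    return "pass" if iface == ingress else "drop"


if __name__ == "__main__":
    # Asymmetric routing: 10.1.5.5 legitimately arrives on Gi0/2 but is routed via Gi0/1.
    print("strict:", urpf_check(FIB, "10.1.5.5", "Gi0/2", mode="rx"))
    print("loose: ", urpf_check(FIB, "10.1.5.5", "Gi0/2", mode="any"))
```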

Question 226 (posted at Q.7 of http://www.digitaltut.com/unicast-reverse-path-forwarding)

Which command sequence can you enter on a router to configure Unicast Reverse Path
Forwarding in loose mode?

A. interface GigabitEthernet0/0
ip verify unicast source reachable-via all

B. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose

C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any

D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx

Answer: C

================= IP SLA Questions =================

Question 4

Refer to the exhibit.

The IP SLA configuration of R1 is shown below:

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface f1/0
R1(config-ip-sla)#frequency 10
R1(config-ip-sla)#threshold 100
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2

Why is the default route not removed when the SLA state goes down or fails?

A. the destination must be 172.30.30.2 for icmp-echo
B. the threshold value is wrong
C. the default route has wrong next hop IP address.
D. missing of track feature on default static route command

Answer: D

Explanation

The default route command (at the last line) must include the "track" keyword for the
tracking feature to work:

ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10

Question 22

A network engineer wants to baseline the network to determine suitability for real-time voice
applications. Which IP SLA operation is best suited for this task?

A. ICMP-echo
B. ICMP-jitter
C. UDP-connect
D. UDP-jitter
E. TCP-connect
F. UDP-echo

Answer: D

Explanation

The IP SLAs VoIP UDP jitter operation accurately simulates VoIP traffic using common
codecs and calculates consistent voice quality scores (MOS and ICPIF) between Cisco
devices in the network.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-
15-mt-book/sla_udp_jitter_voip.html

Note:
+ UDP Jitter: generates UDP traffic and measures Round-trip Delay, One-way Delay, One-
way Jitter, One-way Packet Loss, and overall Connectivity.
+ UDP-echo: measures Round-trip Delay for UDP traffic.

There is also a special "UDP Jitter for VoIP" operation which can simulate various codecs
and produces voice quality scores (MOS and ICPIF).

Question 71

Refer to exhibit. Which two reasons for IP SLA tracking failure are likely true? (Choose two)

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#threshold 500
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2
R1(config)#ip route 0.0.0.0 0.0.0.0 172.30.30.2 5

A. The source-interface is configured incorrectly
B. The destination must be 172.30.30.2 for icmp-echo
C. A route back to the R1 LAN network is missing in R2
D. The default route has wrong next hop IP address
E. The threshold value is wrong

Answer: C E

Explanation

There is no problem with the Fa0/0 as the source interface as we want to check the ping from
the LAN interface -> A is not correct.

Answer B is not correct as we must track the destination of the primary link, not backup link.

In this question, R1 pings R2 via its LAN Fa0/0 interface, so R2 (which is an ISP) may not
know how to reply back, as an ISP usually does not configure a route to a customer's LAN
-> C is correct.

There is no problem with the default route -> D is not correct.

For answer E, we need to understand about how timeout and threshold are defined:

Timeout (in milliseconds) sets the amount of time an IP SLAs operation waits for a response
to its request packet. In other words, the timeout specifies how long the router should wait
for a response to its ping before the probe is considered failed. Threshold (also in
milliseconds) sets the upper threshold value for calculating network monitoring statistics
created by an IP SLAs operation. Threshold is used to activate a response to an IP SLA
violation, e.g. send an SNMP trap or start a secondary SLA operation. In other words, the
threshold value is only used to indicate over-threshold events, which do not affect
reachability but may be used to evaluate the proper settings for the timeout command.

For reachability tracking, if the return code is OK or OverThreshold, reachability is up; if not
OK, reachability is down.

Therefore in this question, we are using "Reachability" tracking (via the command "track 10
ip sla 1 reachability") so the threshold value is not important and can be ignored -> Answer E
is correct. In fact, answer E is not wrong, but it is the best option left.

This tutorial can help you revise IP SLA tracking topic: http://www.firewall.cx/cisco-
technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html and
http://www.ciscozine.com/using-ip-sla-to-change-routing/

Note: Maybe some of us will wonder why there are these two commands:

R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2

In fact the two commands:

ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
ip route 0.0.0.0 0.0.0.0 172.20.20.2

are different. These two static routes can co-exist in the routing table. Therefore if the
tracking goes down, the first route will be removed but the second one still exists and the
backup path is not preferred. So we have to remove the second one.
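As an added example (not code from the original page or from Cisco), the following Python model shows how a probe's RTT becomes a return code under the timeout and threshold settings, how a reachability track consumes only that return code, and why the untracked duplicate static route above keeps the primary next hop installed. The timeout/threshold values and the backup next hop 10.99.99.2 are assumptions.

```python
# Added example (not from the original page): a small model of how a single
# IP SLA probe becomes a return code, how a "reachability" track consumes only
# that return code, and why an untracked copy of the same static route defeats
# the failover. Timeout/threshold values and the backup next hop are assumptions.

TIMEOUT_MS = 5000     # assumed "timeout 5000" under the IP SLA operation
THRESHOLD_MS = 3000   # assumed "threshold 3000" under the IP SLA operation


def return_code(rtt_ms, timeout_ms=TIMEOUT_MS, threshold_ms=THRESHOLD_MS):
    """Classify one probe. rtt_ms is None when no reply arrived at all."""
    if rtt_ms is None or rtt_ms > timeout_ms:
        return "Timeout"          # no reply before the timeout: probe failed
    if rtt_ms > threshold_ms:
        return "OverThreshold"    # reply arrived, but slower than the threshold
    return "OK"


def reachability(code):
    """'track 10 ip sla 1 reachability': up on OK *or* OverThreshold."""
    return "up" if code in ("OK", "OverThreshold") else "down"


def installed_default_routes(static_routes, track_state):
    """Return the default routes present in the routing table.

    static_routes: list of (next_hop, admin_distance, tracked_object_or_None).
    A tracked route stays installed only while its track object is up.
    """
    return [(nh, ad) for nh, ad, trk in static_routes
            if trk is None or track_state.get(trk) == "up"]


def preferred_next_hop(static_routes, track_state):
    """Lowest administrative distance wins among the installed routes."""
    installed = installed_default_routes(static_routes, track_state)
    return min(installed, key=lambda r: r[1])[0] if installed else None


# Constructed scenario: primary default route via 172.20.20.2 (from the page),
# plus an assumed floating static backup via 10.99.99.2 with AD 10.
PRIMARY = ("172.20.20.2", 1, 10)      # ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
UNTRACKED = ("172.20.20.2", 1, None)  # ip route 0.0.0.0 0.0.0.0 172.20.20.2
BACKUP = ("10.99.99.2", 10, None)     # ip route 0.0.0.0 0.0.0.0 10.99.99.2 10


def failover_result(probe_rtt_ms, untracked_route_removed):
    """Which next hop carries default traffic after one probe result."""
    track_state = {10: reachability(return_code(probe_rtt_ms))}
    routes = [PRIMARY, BACKUP] if untracked_route_removed else [PRIMARY, UNTRACKED, BACKUP]
    return preferred_next_hop(routes, track_state)


if __name__ == "__main__":
    for rtt in (40, 3500, None):
        print(rtt, return_code(rtt), reachability(return_code(rtt)))
    print("probe timed out, untracked route kept    ->", failover_result(None, False))
    print("probe timed out, untracked route removed ->", failover_result(None, True))
```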

Question 74a

Which IP SLA operation can be used to measure round-trip delay for the full path and hop-
by-hop round-trip delay on the network?

A. HTTP
B. ICMP path echo
C. TCP connect
D. ICMP echo

Answer: B

Explanation

Round-trip time (RTT), also called round-trip delay, is the time required for a packet to travel
from a specific source to a specific destination and back again.

An ICMP Path Echo operation measures end-to-end (full path) and hop-by-hop response
time (round-trip delay) between a Cisco router and devices using IP. ICMP Path Echo is
useful for determining network availability and for troubleshooting network connectivity
issues.

Note: ICMP Echo only measures round-trip delay for the full path.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/xe-3s/sla-xe-3s-book/sla_icmp_pathecho.html

Question 74b

A network engineer wants to monitor hop by hop response time on the network. Which IP
SLA operation accomplishes this task?

A. UDP echo
B. ICMP echo
C. ICMP path jitter
D. ICMP path echo

Answer: D

Question 75

Which three IP SLA performance metrics can you use to monitor enterprise-class networks?
(Choose three)

A. Packet loss
B. Delay
C. bandwidth
D. Connectivity
E. Reliability
F. traps

Answer: A B D

Explanation

Depending on the specific Cisco IOS IP SLAs operation, statistics of delay, packet loss,
jitter, packet sequence, connectivity, path, server response time, and download time are
monitored within the Cisco device and stored in both CLI and SNMP MIBs.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsoverv.html

Question 83

Which three items can you track when you use two time stamps with IP SLAs? (Choose
three)

A. delay
B. jitter
C. packet loss
D. load
E. throughput
F. path

Answer: A B C

Explanation

When enabled, the IP SLAs Responder allows the target device to take two time stamps both
when the packet arrives on the interface at interrupt level and again just as it is leaving,
eliminating the processing time. At times of high network activity, an ICMP ping test often
shows a long and inaccurate response time, while an IP SLAs test shows an accurate response
time due to the time stamping on the responder.

An additional benefit of the two time stamps at the target device is the ability to track
one-way delay, jitter, and directional packet loss. Because much network behavior is
asynchronous, it is critical to have these statistics. However, to capture one-way delay
measurements the configuration of both the source device and target device with Network
Time Protocol (NTP) is required. Both the source and target need to be synchronized to the
same clock source. One-way jitter measurements do not require clock synchronization.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_overview.html

Question 97

Which feature can be used to reduce the number of ICMP unreachable messages egressing a
router?

A. uRPF
B. ICMP rate-limiting
C. ip unreachables command
D. Asymmetric routing

Answer: B

Question 145

Which LAN feature enables a default gateway to inform its end device?

A. HSRP
B. proxy ARP
C. ICMP redirects
D. ICMP unreachable messages

Answer: C

Explanation

An ICMP redirect is an error message sent by a router to the sender of an IP packet. Redirects
are used when a router believes a packet is being routed suboptimally and it would like to
inform the sending host that it should forward subsequent packets to that same destination
through a different gateway. In theory a host with multiple gateways could have one default
route and learn more optimal specific routes over time by way of ICMP redirects.

Question 152

Which IP SLA operation can be used to simulate voice traffic on a network?

A. TCP connect
B. UDP-jitter
C. ICMP-echo
D. ICMP-jitter

Answer: B

Explanation

The IP SLAs VoIP UDP jitter operation accurately simulates VoIP traffic using common
codecs and calculates consistent voice quality scores (MOS and ICPIF) between Cisco
devices in the network.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-s/sla-15-s-book/sla_udp_jitter_voip.pdf

Question 162

Which location within the network is preferred when using a dedicated router for Cisco IP
SLA operations?

A. user edge
B. provider edge
C. access edge
D. distribution edge

Answer: B

Explanation

If there are thousands of test destinations being sourced from the router, then a "dedicated
router" or "shadow router" may be the best choice for deployment. A dedicated router is
simply a low-end router dedicated to sourcing Cisco IOS IP SLAs operations.

Dedicated routers are most appropriate when the deployment plan calls for the operations to
be sourced from the edge of the core network (i.e. the Provider Edge [PE] location) in a
Service Provider network. The Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800 and 7200
Series Routers are frequently used as dedicated routers.

Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017f8c9.html

Question 180

Which two statements about ICMP unreachable messages are true? (Choose two)

A. They are sent when a route to the destination is missing from the routing table
B. They can be enabled and disabled on a device only on a global level
C. They are sent when a destination address responds to an ARP request
D. They include the entire packet so that the source can identify the process that generated
the message
E. They include a portion of the original data so that the source can identify the process that
generated the message

Answer: A E

Explanation

ICMP unreachables are responses sent by a router/host/switch whenever the destination host
address, protocol or destination network is not listed in the forwarding table (FIB) or is not
served by the device.

Answer C is not correct because ICMP unreachable messages are only generated when the
destination address/service is missing.

The IP header plus the first 8 bytes of the original datagram's data is returned to the sender.
This data is used by the host to match the message to the appropriate process. If a higher level
protocol uses port numbers, they are assumed to be in the first 64 data bits of the original
datagram's data -> Answer E is correct.

Reference: Cisco ISP Essentials Book, page 160

Question 193

When does a Cisco router send an ICMP redirect?

A. when the packet's source and destination VRFs are different
B. when the packet is source-routed
C. when the packet's destination has load-balanced entries in the route table
D. when the packet's ingress and egress interface are the same

Answer: D

Explanation

ICMP redirect messages are used by routers to notify the hosts on the data link that a better
route is available for a particular destination.

Cisco routers send ICMP redirects when all of these conditions are met:
+ The interface on which the packet comes into the router is the same interface on which the
packet gets routed out -> Answer D is correct.
+ The subnet or network of the source IP address is on the same subnet or network of the
next-hop IP address of the routed packet.
+ The datagram is not source-routed.
+ The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects.
The interface subcommand no ip redirects can be used to disable ICMP redirects.)

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html

Question 193b

When does a Cisco router send an ICMP redirect?

A. when the source and destination are in the same subnet
B. when the packet is source-routed
C. when the packet's destination has load-balanced entries in the route table
D. when the packet's ingress and egress interface are different

Answer: A

Explanation (same as above Explanation)

ICMP redirect messages are used by routers to notify the hosts on the data link that a better
route is available for a particular destination.

Cisco routers send ICMP redirects when all of these conditions are met:
+ The interface on which the packet comes into the router is the same interface on which the
packet gets routed out.
+ The subnet or network of the source IP address is on the same subnet or network of the
next-hop IP address of the routed packet (-> Answer A is correct)
+ The datagram is not source-routed.
+ The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects.
The interface subcommand no ip redirects can be used to disable ICMP redirects.)

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html

Question 238 (posted at Q.5 of http://www.digitaltut.com/ip-sla-questions-2)

Which two types of threshold can you configure for tracking objects? (Choose two)

A. percentage
B. MTU
C. bandwidth
D. weight
E. delay
F. administrative distance

Answer: A D

Explanation

You can configure a tracked list of objects with a Boolean expression, a weight threshold, or
a percentage threshold.

The following example configures track list 1 to track by weight threshold:

Switch(config)# track 1 list threshold weight
Switch(config-track)# object 1 weight 15
Switch(config-track)# object 2 weight 20
Switch(config-track)# object 3 weight 30
Switch(config-track)# threshold weight up 30 down 10

If objects 1 and 2 are down, then track list 1 is up, because object 3 satisfies the up
threshold value of 30. But, if object 3 is down, both objects 1 and 2 must be up in order to
satisfy the threshold weight.

This configuration can be useful if object 1 and object 2 represent two small bandwidth
connections and object 3 represents one large bandwidth connection. The configured down
10 value means that once the tracked object is up, it will not go down until the threshold
value is equal to or lower than 10, which in this example means that all connections are
down.

The example below configures tracked list 2 with three objects and specified percentages
to measure the state of the list with an up threshold of 70 percent and a down threshold of 30
percent:

Switch(config)# track 2 list threshold percentage
Switch(config-track)# object 1
Switch(config-track)# object 2
Switch(config-track)# object 3
Switch(config-track)# threshold percentage up 51 down 10

This means that as long as 51% or more of the objects are up, the list is considered "up". So
in this case if two objects are up, track 2 is considered "up".

Reference: http://www.cisco.com/c/en/us/td/docs/switches/blades/3020/software/release/12-2_58_se/configuration/guide/3020_scg/swhsrp.pdf
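As an added example (not code from the page or from Cisco), this Python model reproduces the two tracked lists above, including the up/down hysteresis the text describes: the list goes up when its value reaches the up threshold and only goes back down when the value falls to the down threshold or lower. Object numbers and weights are the page's; the sequences of object states are constructed.

```python
# Added example (not from the page or from Cisco): a model of a tracked list
# with "threshold weight" and "threshold percentage", including the up/down
# hysteresis the text describes. Object numbers and weights come from the
# page's two examples; the snapshot sequences are constructed.

def list_value(mode, object_states, weights=None):
    """Current value of the list: summed weight of up objects, or percent up."""
    if mode == "weight":
        return sum(weights[obj] for obj, is_up in object_states.items() if is_up)
    up_count = sum(1 for is_up in object_states.values() if is_up)
    return 100.0 * up_count / len(object_states)


def next_state(current, value, up_threshold, down_threshold):
    """Transition rule: go up at >= up threshold, go down only at <= down threshold."""
    if current == "down" and value >= up_threshold:
        return "up"
    if current == "up" and value <= down_threshold:
        return "down"
    return current


def simulate(mode, up_threshold, down_threshold, snapshots, weights=None):
    """Feed successive object-state snapshots; return the list state after each."""
    state, history = "down", []
    for snapshot in snapshots:
        state = next_state(state, list_value(mode, snapshot, weights),
                           up_threshold, down_threshold)
        history.append(state)
    return history


# track 1 list threshold weight / object 1 weight 15, object 2 weight 20,
# object 3 weight 30 / threshold weight up 30 down 10
WEIGHTS = {1: 15, 2: 20, 3: 30}


def track1_history():
    snapshots = [
        {1: False, 2: False, 3: True},   # only the big link up: weight 30 -> up
        {1: True, 2: True, 3: False},    # big link down, both small up: 35 -> up
        {1: True, 2: False, 3: False},   # 15: still above "down 10", list stays up
        {1: False, 2: False, 3: False},  # 0 <= 10: list finally goes down
        {1: False, 2: True, 3: False},   # 20 < 30: not enough to come back up
    ]
    return simulate("weight", 30, 10, snapshots, WEIGHTS)


# track 2 list threshold percentage / objects 1, 2, 3 / threshold percentage up 51 down 10
def track2_history():
    snapshots = [
        {1: True, 2: True, 3: False},    # 66.7% >= 51 -> up
        {1: True, 2: False, 3: False},   # 33.3%: above 10, stays up
        {1: False, 2: False, 3: False},  # 0% -> down
        {1: True, 2: False, 3: False},   # 33.3% < 51: stays down
    ]
    return simulate("percentage", 51, 10, snapshots)


if __name__ == "__main__":
    print("track 1:", track1_history())
    print("track 2:", track2_history())
```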

Question 239 (posted at Q.12 of http://www.digitaltut.com/ip-sla-questions)

Which type of information is displayed when a network engineer executes the show track 1
command on the router?

A. information about tracking list 1
B. time to next poll for track object 1
C. information about the IP route track table
D. tracking information statistics

Answer: A

Question 9 (posted at https://www.digitaltut.com/ip-sla-questions)

A network engineer wants to notify a manager in the event that the IP SLA connection loss
threshold is reached. Which two features are needed to implement this functionality? (Choose
two)

A. MOS
B. Threshold action
C. Cisco IOS EEM
D. SNMP traps
E. logging local

Answer: B D

Explanation

IP SLAs supports proactive threshold monitoring and notifications for performance
parameters such as average jitter, unidirectional latency, bidirectional round-trip time (RTT),
and connectivity for most IP SLAs operations. The proactive monitoring capability also
provides options for configuring reaction thresholds for important VoIP related parameters
including unidirectional jitter, unidirectional packet loss, and unidirectional VoIP voice
quality scoring.

IP SLAs reactions are configured to trigger when a monitored value exceeds or falls below a
specified level or when a monitored event, such as a timeout or connection loss, occurs. If IP
SLAs measures too high or too low of any configured reaction, IP SLAs can generate a
notification (in the form of SNMP trap) to a network management application or trigger
another IP SLA operation to gather more data.

Cisco IOS IP SLAs can send SNMP traps that are triggered by events such as the following:
+ Connection loss
+ Timeout
+ Round-trip time threshold
+ Average jitter threshold
+ One-way packet loss
+ One-way jitter
+ One-way mean opinion score (MOS)
+ One-way latency

================= SNMP Questions =================

Question 6

A network engineer is asked to create an SNMP-enabled proactive monitoring solution to
ensure that jitter levels remain between particular boundaries. Which IP SLA option should
the engineer use?

A. threshold
B. frequency
C. verify-data
D. timeout

Answer: A

Question 15

Which three statements about SNMP are true? (Choose three)

A. The manager configures and sends traps to the agent.
B. The manager sends GET and SET messages.
C. SNMPv3 supports authentication and encryption.
D. The manager polls the agent using UDP port 161
E. The MIB database can be altered only by the SNMP agent.
F. The agent is the monitoring device.

Answer: B C D

Explanation

The SNMP Manager can send GET, GET-NEXT and SET messages to SNMP Agents. The
Agents are the monitored devices while the Manager is the monitoring device. In the picture
below, the Router, Server and Multilayer Switch are monitored devices.

Question 19

In SNMPv3, which security level provides encryption of the data?

A. authMember
B. noAuthNoPriv
C. authNoPriv
D. authPriv

Answer: D

Explanation

+ noAuthNoPriv – Security level that does not provide authentication or encryption.
+ authNoPriv – Security level that provides authentication but does not provide encryption.
+ authPriv – Security level that provides both authentication and encryption.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html

Question 20

What does the number 16 in the following command represent?

Router(config)#snmp-server user abcd public v2c access 16

A. the mask of the files that are allowed to use community string public
B. the standard named access list 16, which contains the access rules that apply to user abcd
C. the number of concurrent users who are allowed to query the SNMP community
D. the user ID that is allowed to use the community string public

Answer: B

Question 50

In SNMPv3, which security level provides encryption of the data?

A. authMember
B. noAuthNoPriv
C. authNoPriv
D. authPriv

Answer: D

Explanation

+ noAuthNoPriv – Security level that does not provide authentication or encryption.
+ authNoPriv – Security level that provides authentication but does not provide encryption.
+ authPriv – Security level that provides both authentication and encryption.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html

Question 157

Which SNMP model and level can provide DES encryption?

A. SNMPV2 noAuthNoPriv
B. SNMPv3 authNoPriv
C. SNMPv3 authPriv
D. SNMPv3 noAuthNoPriv

Answer: C

Explanation

The authentication (auth) and privacy (priv) options are grouped into security models.

NoAuthNoPriv – no authentication and no privacy
AuthNoPriv – authentication and no privacy
AuthPriv – authentication and privacy

Question 169

Refer to the exhibit.

snmp-server community ciscotest
snmp-server host 192.168.1.128 ciscotest
snmp-server enable traps bgp

Which effect of this configuration is true?

A. The device sends SNMP traps related to BGP operations to host 192.168.1.128
B. It configures an ACL to protect SNMP managers from receiving BGP traps
C. It configures the device to use string ciscotest for read and write access to any SNMP
manager on the network
D. It configures the device to communicate with other devices in the ciscotest community
using SNMPv3

Answer: A

Question 215 (posted at Q.8 of http://www.digitaltut.com/snmp-questions)

Which SNMP verification command shows the encryption and authentication protocols that
are used in SNMPv3?

A. show snmp group
B. show snmp user
C. show snmp
D. show snmp view

Answer: B

Explanation

The command "show snmp user" displays information about the configured characteristics of
SNMP users. The following example shows the user abcd with an authentication method of
MD5 and an encryption method of 3DES.

Router#show snmp user abcd
User name: abcd
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: 10
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: 3DES
Group name: VacmGroupName
Group name: VacmGroupName

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t2/snmpv3ae.html

================= Syslog Questions =================

Question 40

Refer to the following command.

Logging Console 7

Which option is one of the effects of entering this command on a Cisco IOS router, with no
additional logging configuration?

A. Debug messages can be seen on the console by enabling "terminal monitor"
B. Debug messages are logged only on active console connections.
C. A user that is connected via SSH sees level 7 messages
D. The router can experience high CPU utilization

Answer: D

Question 89

A router is connected to a Windows Syslog server which does not function. What is the
reason?

A. Firewall is blocking UDP port 514
B. Firewall is blocking IP port 514
C. Firewall is blocking TCP port 514
D. Firewall is blocking UDP port 512

Answer: A

Explanation

A syslog server opens port 514 and listens for incoming syslog event notifications (carried in
UDP packets) generated by remote syslog clients. Therefore if a firewall is blocking this port
the syslog server cannot operate correctly.

Question 228 (posted at Q.7 of http://www.digitaltut.com/syslog-questions)

A network engineer executes the commands "logging host 172.16.200.225" and "logging trap
5". Which action results when these two commands are executed together?

A. Logging messages that have a debugging severity level are sent to the remote server
172.16.200.225.
B. Logged information is stored locally, showing the sources as 172.16.200.225
C. Logging messages that have any severity level are sent to the remote server
172.16.200.225
D. Logging messages that have a severity level of "notifications" and above (numerically
lower) are sent to the remote server 172.16.200.225

Answer: D
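As an added example (not code from the page), the following Python script parses Cisco IOS-style syslog lines, applies the "logging trap 5" severity filter from the question, and builds the UDP/514 datagram the router would send to 172.16.200.225. The sample log lines are constructed; the default IOS facility (local7) and the <PRI> encoding (facility * 8 + severity) are standard syslog behaviour.

```python
# Added example (not from the page): parse Cisco IOS-style syslog lines, apply
# the "logging trap 5" severity filter, and build the UDP/514 datagram the
# router would send. Sample lines are constructed; the default facility
# (local7) and PRI encoding are standard syslog/IOS behaviour.
import re

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}
LOCAL7 = 23  # Cisco IOS default logging facility

# IOS message format: %FACILITY-SEVERITY-MNEMONIC: description
IOS_MSG = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def severity_of(line):
    """Severity (0-7) from the IOS mnemonic; debug output has no mnemonic and is level 7."""
    m = IOS_MSG.search(line)
    return int(m.group(2)) if m else 7


def forwarded_to_host(lines, trap_level=5):
    """'logging trap <level>' sends messages at that level and numerically lower."""
    return [ln for ln in lines if severity_of(ln) <= trap_level]


def syslog_datagram(line, facility=LOCAL7):
    """UDP payload for 'logging host': <PRI> followed by the message text."""
    pri = facility * 8 + severity_of(line)
    return f"<{pri}>{line}".encode()


# Constructed sample of what a router might log (not captured from a device).
SAMPLE_LOG = [
    "*Mar  1 00:02:11.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:02:12.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:03:05.789: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.200.225 started",
    "*Mar  1 00:03:20.001: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "*Mar  1 00:04:00.002: ICMP: echo reply rcvd, src 192.0.2.1, dst 192.0.2.10",  # debug output
]


if __name__ == "__main__":
    # With "logging trap 5" only levels 0-5 leave the router; 6 and 7 stay local.
    for ln in forwarded_to_host(SAMPLE_LOG, trap_level=5):
        print(SEVERITY_NAMES[severity_of(ln)], "->", syslog_datagram(ln)[:48])
```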

================= NTP Questions =================

Question 27

Refer to the exhibit.

A network engineer has configured NTP on a Cisco router, but the time on the router is still
incorrect. What is the reason for this problem?

A. The router is not syncing with the peer, even though the NTP request and response packets
are being exchanged.
B. The router is not syncing with peer, and the NTP request and response packets are not
being exchanged.
C. The router is syncing with the peer, and the NTP request and response packets are being
exchanged.
D. The router is dropping all NTP packets.

Answer: A

Explanation

The "reach" term is defined as follows:

Peer reachability is a bit string reported as an octal value. This field shows whether the last
eight packets were received by the NTP process on the Cisco IOS software. The packets must
be received, processed, and accepted as valid by the NTP process and not just by the router or
switch that receives the NTP IP packets.

Reach uses the poll interval for a time out in order to decide whether a packet was received
or not. The poll interval is the time that NTP waits before it concludes that a packet was lost.
The poll time can be different for different peers, so the time before reach decides that a
packet was lost can also be different for different peers.

There are four different reach values:

+ 377 octal = 11111111 binary, which indicates the NTP process received the last eight
packets.
+ 0 octal = 00000000, which indicates the NTP process did not receive any packet.
+ 1 octal = 00000001, which indicates the NTP process received only the latest packet.
+ 357 octal = 11101111, which indicates the packet before the latest four packets was lost.

Reach is a good indicator of whether NTP packets are being dropped because of a poor link,
CPU issues and other intermittent problems.

In our question the "reach" values are all "377", which indicates the NTP process received
the last eight packets -> Answer A is correct.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html
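As an added example (not code from the page or from Cisco), this Python snippet decodes the octal "reach" value into the last eight poll results, reports which polls were lost, and scans constructed "show ntp associations" output to flag peers that are dropping packets. The association lines are constructed in the shape of the IOS output, not a real capture.

```python
# Added example (not from the page or Cisco): decode the octal "reach" field
# of "show ntp associations" into the last eight poll results and flag peers
# that are dropping packets. The association lines below are constructed.

def decode_reach(reach_octal):
    """Return eight booleans, oldest poll first; True = packet received."""
    value = int(str(reach_octal), 8)          # e.g. "357" -> 0b11101111
    return [bool((value >> bit) & 1) for bit in range(7, -1, -1)]


def lost_polls(reach_octal):
    """Lost polls counted back from the latest (0 = the most recent poll)."""
    received = decode_reach(reach_octal)
    return [7 - i for i, ok in enumerate(received) if not ok]


def describe_reach(reach_octal):
    bits = "".join("1" if ok else "0" for ok in decode_reach(reach_octal))
    lost = lost_polls(reach_octal)
    if not lost:
        return f"{reach_octal} = {bits}: all of the last eight packets received"
    if len(lost) == 8:
        return f"{reach_octal} = {bits}: no packets received"
    return f"{reach_octal} = {bits}: lost {len(lost)} of 8 (polls ago: {lost})"


def parse_associations(output):
    """Map peer address -> reach value from 'show ntp associations' style text."""
    peers = {}
    for line in output.splitlines():
        body = line.lstrip(" *+#x.-~")          # drop the sync-state flag characters
        fields = body.split()
        if len(fields) < 6 or not fields[2].isdigit():
            continue                            # header, legend and blank lines
        peers[fields[0]] = fields[5]            # address ref-clock st when poll reach ...
    return peers


def unhealthy_peers(output):
    """Peers whose reach shows at least one lost packet in the last eight polls."""
    return sorted(addr for addr, reach in parse_associations(output).items()
                  if lost_polls(reach))


# Constructed output in the shape of IOS "show ntp associations" (not a real capture).
SAMPLE = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.0.2.10      .GPS.            1     22     64   377  0.515   0.123   0.1
 ~192.0.2.11      192.0.2.10       2     40     64   357  1.002   0.301   0.2
 ~192.0.2.12      192.0.2.10       2     61     64     0  0.000   0.000 16000
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

if __name__ == "__main__":
    for addr, reach in parse_associations(SAMPLE).items():
        print(addr, describe_reach(reach))
    print("peers dropping packets:", unhealthy_peers(SAMPLE))
```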

Question 37

Which two statements about NTP stratum are true? (Choose two)

A. Stratum 15 indicates a device that is not synchronized
B. Stratum 1 devices receive their time from a peer that is connected directly to an
authoritative time source.
C. The highest stratum level a synchronized device can have is 16.
D. Stratum 2 devices receive their time from a peer that is connected directly to an
authoritative time source
E. Stratum 0 devices are connected directly to an authoritative time source
F. Stratum 1 devices are connected directly to an authoritative time source

Answer: D F

Explanation

Stratum 0 – highest, GPS clock (usually called authoritative time source)
Stratum 1 – primary time servers, connected to stratum 0
The upper limit for Stratum is 15;
Stratum 16 is used to indicate that a device is unsynchronized

Question 58

Refer to the exhibit. Which effect of this configuration is true?

R1# show run | include ntp
ntp master 5
ntp authenticate
ntp authentication-key 1 md5 123Cisco
ntp authentication-key 5 md5 Cisco123
ntp trusted-key 1

A. R1 synchronizes with systems that include authentication key 5 in their packets
B. R1 acts as an authoritative clock with a priority ID of 1
C. R1 acts as an authoritative clock at stratum 5
D. R1 is the NTP client for a stratum 1 server

Answer: C

Explanation

The command "ntp master [stratum]" is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).

Question 82

Refer to the following configuration command.

Router(config)# ntp master 10

Which statement about this command is true?

A. The router acts as an authoritative NTP clock and allows only 10 NTP client connections.
B. The router acts as an authoritative NTP clock at stratum 10.
C. The router acts as an authoritative NTP clock with a priority number of 10.
D. The router acts as an authoritative NTP clock for 10 minutes only.

Answer: B

Explanation

The command "ntp master [stratum]" is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).

Question 176 (same as Q.5 at http://www.digitaltut.com/ntp-questions)

Refer to exhibit:

access-list 1 permit 192.168.1.1
access-list 1 deny any
access-list 2 permit 192.168.1.4
access-list 2 deny any
!
ntp access-group peer 2
ntp access-group serve 1
ntp master 4
!

Which three NTP features can be deduced on the router? (Choose three)

A. Only accepts time requests from 192.168.1.1
B. Only handle four requests at a time
C. Only is in stratum 4
D. Only updates its time from 192.168.1.1
E. Only accepts time requests from 192.168.1.4
F. Only updates its time from 192.168.1.4

Answer: A C F

Explanation

First we need to understand some basic knowledge about NTP. There are two types of NTP
messages:
+ Control messages: for reading and writing internal NTP variables and obtaining NTP status
information. They are not used for time synchronization so we will not care about them in this
question.
+ Request/Update messages: for time synchronization. Request messages ask for
synchronization information while Update messages contain synchronization information
and may change the local clock.

Four types of NTP access-groups exist to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize with. In other words,
it permits the local router to respond to NTP requests and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to reply to NTP requests, but drops NTP updates. This
access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to respond to NTP requests only. This access-group denies
control messages.
+ Query-only: only accepts control messages. No response to NTP requests is sent, and no
local system time synchronization with a remote system is permitted.

From my experience, you just need to remember:

+ Peer: serve and to be served
+ Serve: serve but not to be served

Therefore in this question:

+ The "ntp access-group peer 2" command says "I can only accept NTP updates and
respond to NTP (time) requests from 192.168.1.4". -> Answer F is correct while answer D is
not correct.
+ The "ntp access-group serve 1" command says "I can only reply to time requests (but
cannot accept time updates) from 192.168.1.1" -> Answer A is correct*

The ―ntp master 4‖ indicates it is running as a time source with stratum level of 4 -> Answer
B is not correct while answer C is correct.

Answer E is not correct because it can accept time requests from both 192.168.1.1 and
192.168.1.4.

*Note: In fact answer A is incorrect too because the local router can accept time requests
from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is a mistake
in this question.
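As an added example (not code from the page), this Python model applies the "ntp access-group peer 2" / "ntp access-group serve 1" configuration above to request, update and control messages from each source, which makes the point in the note visible: updates are accepted only from 192.168.1.4, while time requests are answered for both hosts. The ACL contents are the page's; the access-group evaluation order (peer, serve, serve-only, query-only, first match wins) is assumed from Cisco's documented behaviour.

```python
# Added example (not from the page): a model of how "ntp access-group peer 2" and
# "ntp access-group serve 1" treat request, update and control messages from each
# source. ACL contents are the page's; the evaluation order (peer, then serve,
# serve-only, query-only, first match wins) is assumed from Cisco's documentation.

# access-list 1 permit 192.168.1.1 / access-list 2 permit 192.168.1.4 (implicit deny any)
ACLS = {1: {"192.168.1.1"}, 2: {"192.168.1.4"}}

# ntp access-group peer 2 / ntp access-group serve 1
ACCESS_GROUPS = [("peer", 2), ("serve", 1)]

# What each access-group type lets the local router do for a matching source.
ALLOWED = {
    "peer":       {"request", "update", "control"},  # serve and be served
    "serve":      {"request", "control"},            # serve, but never be served
    "serve-only": {"request"},
    "query-only": {"control"},
}

EVALUATION_ORDER = ["peer", "serve", "serve-only", "query-only"]  # assumed


def matching_group(src_ip, access_groups=ACCESS_GROUPS, acls=ACLS):
    """First access-group (in the assumed order) whose ACL permits src_ip, else None."""
    configured = dict(access_groups)
    for kind in EVALUATION_ORDER:
        acl = configured.get(kind)
        if acl is not None and src_ip in acls.get(acl, set()):
            return kind
    return None


def ntp_decision(src_ip, message):
    """'respond' (request), 'accept' (update/control) or 'drop' for one message."""
    kind = matching_group(src_ip)
    if kind is None or message not in ALLOWED[kind]:
        return "drop"
    return "respond" if message == "request" else "accept"


def _known_hosts():
    return {ip for acl in ACLS.values() for ip in acl}


def sync_sources():
    """Hosts from which this router will accept clock updates."""
    return sorted(ip for ip in _known_hosts() if ntp_decision(ip, "update") == "accept")


def time_request_sources():
    """Hosts whose time requests this router answers."""
    return sorted(ip for ip in _known_hosts() if ntp_decision(ip, "request") == "respond")


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.4", "10.0.0.9"):
        print(ip, {m: ntp_decision(ip, m) for m in ("request", "update", "control")})
    print("will sync from:", sync_sources())
    print("answers time requests from:", time_request_sources())
```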

Question 200 (same as Q.9 at http://www.digitaltut.com/ntp-questions)

Which three NTP operating modes must the trusted-key command be configured on for
authentication to operate properly? (Choose three)

A. interface
B. client
C. peer
D. server
E. broadcast

Answer: B D E

Explanation

NTP operates in four different modes.

+ Server Mode is configured such that a device will synchronize NTP clients. Servers can be
configured to synchronize all clients or only a specific group of clients. NTP servers,
however, will not accept synchronization information from their clients. This restriction will
not allow clients to update or manipulate a server's time settings.
+ Client Mode is used to allow a device to set its clock by, and be synchronized by, an
external timeserver. NTP clients can be configured to use multiple servers to set their local
time and can be configured to give preference to the most accurate time sources available to
them. They will not, however, provide synchronization services to any other devices.
+ Peer Mode is when one NTP-enabled device does not have any authority over another.
With the peering model, each device will share its time information with its peer.
Additionally, each device can also provide time synchronization to the other.
+ Broadcast/Multicast Mode is a special server mode where the NTP server broadcasts its
synchronization information to all clients. Broadcast mode requires that clients be on the
same subnet as the server, and multicast mode requires that clients and servers have multicast
capabilities configured.

Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1851440

"Interface" is not an NTP mode so answer A is not correct.

It is sure that in "peer" mode we don't need to use the "trusted-key" command for
authentication so answer C is not correct.

Question 211 (same as Q.4 of http://www.digitaltut.com/ntp-questions)

Which two statements about NTP operation are true? (Choose two)

A. If multiple NTP servers are configured, the one with the lowest stratum is preferred
B. By default, NTP communications use UDP port 123.
C. If multiple NTP servers are configured, the one with the highest stratum is preferred.
D. Locally configured time overrides time received from an NTP server.
E. "Stratum" refers to the number of hops between the NTP client and the NTP server.

Answer: A B

Explanation

The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server
is. When multiple NTP servers are configured, the client will prefer the NTP server with the
lowest stratum level.

NTP uses User Datagram Protocol (UDP) port 123.

================= NAT Questions =================

Question 2

Which statement describes what this command accomplishes when inside and outside
interfaces are correctly identified for NAT?

ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080 extendable

A. It allows host 192.168.1.50 to access external websites using TCP port 8080.
B. It allows external clients coming from public IP 209.165.201.1 to connect to a web server
at 192.168.1.50.
C. It allows external clients to connect to a web server hosted on 192.168.1.50.
D. It represents an incorrect NAT configuration because it uses standard TCP ports.

Answer: C

Explanation

First we will not mention the effect of the "extendable" keyword. So the purpose of the
command "ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080" is to translate
packets on the inside interface with a source IP address of 192.168.1.50 and port 80 to the IP
address 209.165.201.1 with port 8080. This also implies that any packet received on the
outside interface with a destination address of 209.165.201.1:8080 has the destination
translated to 192.168.1.50:80. Therefore answer C is correct.

Answer A is not correct this command ―allows host 192.168.1.50 to access external websites
using TCP port 80‖, not port 8080.

Answer B is not correct because it allows external clients to connect to a web server at
209.165.201.1. The IP addresses of clients should not be 209.165.201.1.

Answer D is not correct because the configuration is correct.

Now we will talk about the keyword "extendable".

Usually, the "extendable" keyword should be added if the same Inside Local address is mapped to different Inside Global addresses (an Inside Global address is the IP address of an inside host as it appears to the outside network). An example of this case is when you have two connections to the Internet through two ISPs for redundancy, so you need to map two Inside Global IP addresses to one Inside Local IP address. For example:

NAT router:
ip nat inside source static 192.168.1.1 200.1.1.1 extendable
ip nat inside source static 192.168.1.1 200.2.2.2 extendable
! Inside Local: 192.168.1.1 ; Inside Global: 200.1.1.1 & 200.2.2.2

In this case, the traffic from ISP1 and ISP2 to the Server is straightforward, as ISP1 will use 200.1.1.1 and ISP2 will use 200.2.2.2 to reach the Server. But how about the traffic from the Server to the ISPs? In other words, how does the NAT router know which IP (200.1.1.1 or 200.2.2.2) it should use to send traffic to ISP1 and ISP2 (this is called "ambiguous from the inside")? We tested this in GNS3 and it worked correctly! So we guess the NAT router compares the Inside Global addresses with all of the IP addresses of the "ip nat outside" interfaces and chooses the most suitable one to forward traffic.

This is what Cisco explains about the "extendable" keyword:

"They might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as 'extendable'. For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation."

(Reference: http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html)

It is unclear, though, what happens to inside-to-outside flows if no route-map is configured.

Question 14

Which option is a prerequisite for stateful NAT64?

A. IPsec for IPv6
B. DNS64
C. Application Level Gateway
D. ICMP64

Answer: B

Question 44

Which technology uses the many-to-one method of mapping IP addresses?

A. static NAT
B. dynamic NAT
C. NAT-PT
D. PAT

Answer: D

Question 49

Which three functionalities are specific to stateful NAT64? (Choose three)

A. It conserves IPv4 addresses
B. It requires either manual or DHCPv6-based address assignment for IPv6 hosts
C. A state or bindings are created on every unique translation.
D. It requires IPv4-translatable IPv6 addresses
E. No constraint is put on the number of endpoints due to 1:N translation.
F. It helps ensure end-to-end address transparency and scalability

Answer: A C E

Question 59

Which command enables NAT-PT on an IPv6 interface?

A. ipv6 nat
B. ipv6 nat enable
C. ipv6 nat-pt
D. ipv6 nat-pt enable

Answer: A

Explanation

The "ipv6 nat" command is entered in interface configuration mode on each interface that NAT-PT should translate between (both the IPv4-side and the IPv6-side interface). The NAT-PT prefix itself is defined globally with "ipv6 nat prefix ipv6-prefix/prefix-length", for example Router(config)# ipv6 nat prefix 2001:DB8::/96; IPv4 hosts then appear to the IPv6 side as addresses inside that /96.

Question 64

Which functionality is required within an IP router that is situated at the boundary of an IPv4
network and an IPv6 network to allow communication between IPv6-only and IPv4-only
nodes?

A. Autoconfiguration
B. Automatic 6to4 Tunnel
C. Automatic 6to4 Relay
D. Network Address Translator-Protocol Translator (NAT-PT)
E. Intrasite Automatic Tunnel Address Protocol (ISATAP)

Answer: D

Explanation

The Network Address Translator – Protocol Translator (NAT-PT) defines a set of network-layer translation mechanisms designed to allow nodes that only support IPv4 to communicate with nodes that only support IPv6, during the transition to the use of IPv6 in the Internet. NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4 and IPv6 network, all IPv4 users are given access to the IPv6 network without modification in the local IPv4 hosts (and vice versa). Equally, all hosts on the IPv6 network are given access to the IPv4 hosts without modification to the local IPv6 hosts. This is accomplished with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4-IPv6 boundaries.

Note: the definition above is the one from RFC 2766, which specified NAT-PT. RFC 4966 (the first reference below) moved NAT-PT to Historic status because of the operational and security issues it documents; on current Cisco IOS the supported replacement is NAT64 with DNS64, which the other questions in this section cover.

(Reference: http://www.ietf.org/rfc/rfc4966.txt and
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_white_paper09186a008011ff51_ps6640_Products_White_Paper.html)

Question 110 (posted at http://www.digitaltut.com/nat-questions)

Which NAT command disables dynamic ARP learning on an interface?

A. R(config-if)# ip nat enable
B. R(config-if)# ip nat inside
C. R(config-if)# ip nat outside
D. R(config)# ip nat service
E. R(config)# ip nat allow-static-host

Answer: E

Explanation

The "ip nat allow-static-host" command enables static IP address support for NAT. Dynamic Address Resolution Protocol (ARP) learning is disabled on the interface, and NAT itself controls the creation and deletion of ARP entries for the static IP hosts.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4/nat-12-4-book/iadnat-addr-consv.html

Question 136

Which feature or technology is supported with stateful NAT64?

A. FTP and ICMP on an application layer gateway
B. VFR
C. IP multicast
D. NAT44 and NAT64 on the same interface

Answer: B

Explanation

When Stateful NAT64 is configured on an interface, Virtual Fragmentation Reassembly (VFR) is configured automatically. VFR reassembles fragmented packets so that NAT64 and the Cisco IOS Firewall see whole packets and can create the appropriate dynamic ACLs, thereby protecting the network from various fragmentation attacks.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf

Question 137

What does stateful NAT64 do that stateless NAT64 does not do?

A. Stateful NAT64 maintains bindings of IPv4 to IPv6 link-local addresses
B. Stateful NAT64 translates IPv4 to IPv6
C. Stateful NAT64 translates IPv6 to IPv4
D. Stateful NAT64 maintains bindings or session state while performing translation

Answer: D

Explanation

Address Family Translation (AFT) using NAT64 technology can be achieved by either
stateless or stateful means:
+ Stateless NAT64 is a translation mechanism for algorithmically mapping IPv6 addresses to
IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it does not maintain
any bindings or session state while performing translation, and it supports both IPv6-
initiated and IPv4-initiated communications.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation. It supports
both IPv6-initiated and IPv4-initiated communications using static or manual mappings.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/white_paper_c11-676278.html
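The difference between the two modes is easiest to see in code. The following Python sketch is an added example, not Cisco code and not from the white paper: it embeds IPv4 addresses in the page's example prefix 2001:DB8::/96 for the stateless case, and keeps a binding table for the stateful case, so that two IPv6 clients share one IPv4 address (the 1:N translation of Question 49) and an unsolicited IPv4-initiated packet is dropped for lack of a binding. The class and function names, the /96-only restriction, the IPv4 pool address 192.0.2.1 and the client and server addresses are assumptions made for the example.

```python
"""Added example (not Cisco code): stateless versus stateful NAT64 in miniature.

Stateless: the IPv4 address is embedded algorithmically in the low 32 bits of
a /96 NAT64 prefix (the page's example prefix 2001:DB8::/96 is used), so the
translator keeps nothing and either side can initiate.
Stateful: many IPv6 hosts share one IPv4 address; a binding created by the
first IPv6-initiated packet is what routes the reply back, and an IPv4-
initiated packet with no binding is dropped. Only /96 prefixes, one IPv4
pool address and a port per binding are modelled; all names are assumptions.
"""
import ipaddress
from typing import Dict, Tuple

PREFIX = ipaddress.IPv6Network("2001:db8::/96")


def stateless_v4_to_v6(v4: str, prefix: ipaddress.IPv6Network = PREFIX) -> ipaddress.IPv6Address:
    """Algorithmic mapping: prefix | IPv4 address, no table lookup."""
    if prefix.prefixlen != 96:
        raise ValueError("this model handles /96 prefixes only")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def stateless_v6_to_v4(v6: str, prefix: ipaddress.IPv6Network = PREFIX) -> ipaddress.IPv4Address:
    """Reverse mapping; rejects IPv6 addresses that are not IPv4-translatable."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


Socket6 = Tuple[str, int]   # (IPv6 address, port)
Socket4 = Tuple[str, int]   # (IPv4 address, port)


class StatefulNat64:
    def __init__(self, pool_v4: str, prefix: ipaddress.IPv6Network = PREFIX, first_port: int = 1024):
        self.pool_v4, self.prefix, self.next_port = pool_v4, prefix, first_port
        self.v6_to_v4: Dict[Socket6, Socket4] = {}   # bindings, one per unique (v6 host, port)
        self.v4_to_v6: Dict[Socket4, Socket6] = {}

    def ipv6_initiated(self, src6: str, sport: int, dst6: str, dport: int):
        """IPv6 host -> IPv4 server: allocate (or reuse) a binding and rewrite both ends."""
        key = (str(ipaddress.IPv6Address(src6)), sport)
        if key not in self.v6_to_v4:
            binding = (self.pool_v4, self.next_port)   # N IPv6 hosts share this one IPv4 address
            self.next_port += 1
            self.v6_to_v4[key] = binding
            self.v4_to_v6[binding] = key
        v4, port = self.v6_to_v4[key]
        dst4 = str(stateless_v6_to_v4(dst6, self.prefix))   # the destination embeds the IPv4 server
        return v4, port, dst4, dport

    def ipv4_initiated(self, src4: str, sport: int, dst4: str, dport: int):
        """IPv4 side -> IPv6 host. No binding means no way to pick a host: the packet is dropped."""
        target = self.v4_to_v6.get((dst4, dport))
        if target is None:
            return None
        src6 = str(stateless_v4_to_v6(src4, self.prefix))
        return src6, sport, target[0], target[1]


def demo():
    nat = StatefulNat64("192.0.2.1")                     # assumed IPv4 pool address
    server = str(stateless_v4_to_v6("203.0.113.80"))    # IPv4 server as the IPv6 clients see it
    # Two IPv6 clients behind the same IPv4 address: 1:N translation.
    a = nat.ipv6_initiated("2001:db8:1::10", 50000, server, 80)
    b = nat.ipv6_initiated("2001:db8:1::11", 50000, server, 80)
    # Return traffic for the first binding is delivered; an unsolicited IPv4 SYN is dropped.
    back = nat.ipv4_initiated("203.0.113.80", 80, a[0], a[1])
    unsolicited = nat.ipv4_initiated("198.51.100.9", 4444, "192.0.2.1", 2222)
    return a, b, back, unsolicited
```

Running demo() shows the two clients mapped to 192.0.2.1 with different ports, the reply translated back to 2001:db8:1::10, and None for the unsolicited packet. Stateless translation has no such drop: the same addresses work in both directions with no table at all, which is why it needs IPv4-translatable IPv6 addresses and conserves nothing.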

Question 5 (https://www.digitaltut.com/nat-questions)

Refer to the following configuration command.

router(config)# ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80

Which statement about the command is true?

A. Any packet that is received in the inside interface with a source IP port address of
172.16.10.8:80 is translated to 172.16.10.8:8080.
B. Any packet that is received in the inside interface with a source IP port address of
172.16.10.8:8080 is translated to 172.16.10.8:80.
C. The router accepts only a TCP connection from port 8080 and port 80 on IP address
172.16.10.8.
D. Any packet that is received in the inside interface with a source IP address of 172.16.10.8
is redirected to port 8080 or port 80.

Answer: B

Explanation

This is a static port NAT entry in which the inside local and inside global addresses are identical, so only the port changes. Packets received on the inside interface with a source of 172.16.10.8:8080 have the source translated to 172.16.10.8:80, and packets arriving on the outside interface for 172.16.10.8:80 have the destination translated to 172.16.10.8:8080. The purpose of this NAT statement is to redirect TCP traffic from one TCP port to another, for example to expose a service listening on 8080 as port 80 without reconfiguring the server. Therefore answer B is correct.
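This question and Question 2 above describe the same mechanism: a static port translation that is applied in both directions. The following Python model is an added example, not Cisco code and not part of the original page. It parses the two commands from these questions, applies the entry to packets in each direction, and shows why answer A of Question 2 is wrong (an outbound connection from the host uses an ephemeral source port that the entry does not match). The Packet type, the parse_static helper and the client addresses 198.51.100.7 and 93.184.216.34 are assumptions made for the example; dynamic NAT and the "extendable" template behaviour are deliberately not modelled.

```python
"""Added model of IOS static port NAT (example code, not Cisco's).

Implements only what the two commands on this page express:
  ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080 extendable
  ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80
i.e. one fixed inside-local:port <-> inside-global:port mapping applied in
both directions. Dynamic NAT and the 'extendable' template behaviour are
deliberately not modelled.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:          # assumed minimal 5-tuple, enough for the translation decision
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticEntry:
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int
    extendable: bool = False


def parse_static(cmd: str) -> StaticEntry:
    """Parse 'ip nat inside source static {tcp|udp} LOCAL LPORT GLOBAL GPORT [extendable]'."""
    tok = cmd.split()
    if len(tok) < 10 or tok[:5] != ["ip", "nat", "inside", "source", "static"] or tok[5] not in ("tcp", "udp"):
        raise ValueError(f"unsupported command: {cmd}")
    return StaticEntry(tok[5], tok[6], int(tok[7]), tok[8], int(tok[9]),
                       extendable="extendable" in tok[10:])


class StaticNat:
    def __init__(self, entries: List[StaticEntry]) -> None:
        self.entries = entries

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Packet received on an 'ip nat inside' interface: the SOURCE is rewritten.
        None means no static entry matched (IOS would then consult dynamic NAT)."""
        for e in self.entries:
            if (pkt.proto, pkt.src_ip, pkt.src_port) == (e.proto, e.inside_local, e.local_port):
                return replace(pkt, src_ip=e.inside_global, src_port=e.global_port)
        return None

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet received on an 'ip nat outside' interface: the DESTINATION is rewritten."""
        for e in self.entries:
            if (pkt.proto, pkt.dst_ip, pkt.dst_port) == (e.proto, e.inside_global, e.global_port):
                return replace(pkt, dst_ip=e.inside_local, dst_port=e.local_port)
        return None


def question2_demo():
    nat = StaticNat([parse_static(
        "ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080 extendable")])
    # External client (assumed address 198.51.100.7) connects to the inside-global socket:
    # the destination becomes the web server's real address and port.
    inbound = nat.outside_to_inside(Packet("tcp", "198.51.100.7", 40000, "209.165.201.1", 8080))
    # The server's reply (source 192.168.1.50:80) receives the matching source rewrite.
    reply = nat.inside_to_outside(Packet("tcp", "192.168.1.50", 80, "198.51.100.7", 40000))
    # Answer A: the same host browsing out uses an ephemeral source port, so nothing matches.
    browsing = nat.inside_to_outside(Packet("tcp", "192.168.1.50", 51000, "93.184.216.34", 443))
    return inbound, reply, browsing


def question5_demo():
    nat = StaticNat([parse_static("ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80")])
    # Same address on both sides, so only the port changes: 8080 inside, 80 outside.
    out = nat.inside_to_outside(Packet("tcp", "172.16.10.8", 8080, "198.51.100.7", 40000))
    back = nat.outside_to_inside(Packet("tcp", "198.51.100.7", 40000, "172.16.10.8", 80))
    return out, back
```

Calling question2_demo() returns the inbound packet with destination 192.168.1.50:80, the reply with source 209.165.201.1:8080, and None for the browsing packet; question5_demo() returns the port-only rewrite in both directions. The practical check on a real router is "show ip nat translations", which lists the static entry permanently and, for extendable entries, the fully qualified per-connection translations it spawns.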

================= AAA Questions =================

Question 8

What are two options for authenticating a user who is attempting to access a network device?
(Choose two)

A. CHAP
B. RADIUS
C. 802.1x
D. PAP
E. TACACS+

Answer: B E

Question 47

Which keyword of the AAA authentication PPP command supports PAP only?

A. line
B. krb5
C. local
D. local-case
E. enable

Answer: B

Explanation

The krb5 keyword uses Kerberos 5 for PPP authentication and can only be used with PAP; CHAP is not supported with Kerberos 5.

Question 99

A network access server using TACACS+ for AAA operations receives an ERROR message from the TACACS+ server. Which action does the network access server take next?

A. It attempts to authenticate the user against RADIUS
B. It restarts and attempts to reconnect to the TACACS+ server
C. It rejects the user access request
D. It checks the method list for an additional AAA option

Answer: D

Explanation

The network access server will eventually receive one of the following responses from the TACACS+ daemon:
a. ACCEPT: the user is authenticated and service may begin. If the network access server is configured to require authorization, authorization will begin at this time.
b. REJECT: the user has failed to authenticate. The user may be denied further access, or will be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR: an error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the network access server. If an ERROR response is received, the network access server will typically try to use an alternative method for authenticating the user.
d. CONTINUE: the user is prompted for additional authentication information.

The distinction that matters for security: only ERROR moves the device on to the next method in the method list. A REJECT is final, so a password rejected by the TACACS+ server is not retried against the local database. A RADIUS server would be tried only if "group radius" is listed after "group tacacs+" in the method list, which is why A is not the general answer.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplus.pdf

Question 154

In which network environment is AAA with RADIUS most appropriate?

A. when Apple Talk Remote Access is in use
B. when NetBIOS Frame Control Protocol is in use
C. when users require access to only one device at a time
D. when you need to separate all AAA services

Answer: C

Explanation

RADIUS does not support the following protocols:
+ AppleTalk Remote Access (ARA)
+ NetBIOS Frame Control Protocol (NBFCP)
+ NetWare Asynchronous Services Interface (NASI)
+ X.25 PAD connections
Therefore both A and B are not correct.

TACACS+ (not RADIUS) supports authentication, authorization and accounting as separate and independent functions. RADIUS does not separate authentication and authorization in its transaction -> D is not correct.

Therefore C is the best choice.

Question 165

A user is attempting to authenticate on a device connected to a TACACS+ server, but the server requires more information from the user to complete authentication. Which response does the TACACS+ daemon return?

A. ACCEPT
B. ERROR
C. REJECT
D. CONTINUE

Answer: D

Explanation

The network access server will eventually receive one of the following responses from the TACACS+ daemon:
a. ACCEPT: the user is authenticated and service may begin. If the network access server is configured to require authorization, authorization will begin at this time.
b. REJECT: the user has failed to authenticate. The user may be denied further access, or will be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR: an error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the network access server. If an ERROR response is received, the network access server will typically try to use an alternative method for authenticating the user.
d. CONTINUE: the user is prompted for additional authentication information, for example a one-time password or a challenge response, after which the exchange with the same daemon continues.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplu
s.pdf
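The behaviour described in Questions 99 and 165, as an added Python model (not Cisco code and not part of the original page): a method list of the form "aaa authentication login default group tacacs+ local" is walked with a simulated TACACS+ group that can answer ACCEPT, REJECT, ERROR or CONTINUE. The function names, the simulated servers and the user, password and one-time-password values are assumptions made for the example; this is not a TACACS+ protocol implementation.

```python
"""Added example (not Cisco code): how a NAS walks an AAA login method list.

Models the IOS line 'aaa authentication login default group tacacs+ local'
with the four TACACS+ daemon replies described above. The rule that matters:
ERROR (daemon or transport failure) moves on to the next method, REJECT is
final and does not fall through (otherwise a password rejected by the server
would be retried against the local database), and CONTINUE asks the user for
more input. Servers, users and passwords here are constructed for the example.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Reply(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    ERROR = "ERROR"
    CONTINUE = "CONTINUE"


Creds = Dict[str, str]
Method = Callable[[Creds], Tuple[Reply, str]]   # returns (reply, reason or prompt name)


def tacacs_group(reachable: bool, users: Dict[str, Tuple[str, Optional[str]]]) -> Method:
    """Simulated 'group tacacs+'. users maps name -> (password, one-time password or None)."""
    def authenticate(creds: Creds) -> Tuple[Reply, str]:
        if not reachable:
            return Reply.ERROR, "no TACACS+ server responded"
        entry = users.get(creds.get("username", ""))
        if entry is None or entry[0] != creds.get("password"):
            return Reply.REJECT, "tacacs+: bad username or password"
        otp = entry[1]
        if otp is not None and "otp" not in creds:
            return Reply.CONTINUE, "otp"              # daemon wants a second factor
        if otp is not None and creds["otp"] != otp:
            return Reply.REJECT, "tacacs+: bad one-time password"
        return Reply.ACCEPT, "tacacs+"
    return authenticate


def local_database(users: Dict[str, str]) -> Method:
    """Simulated 'local' method: the router's own username/password entries."""
    def authenticate(creds: Creds) -> Tuple[Reply, str]:
        if users.get(creds.get("username", "")) == creds.get("password"):
            return Reply.ACCEPT, "local"
        return Reply.REJECT, "local: bad username or password"
    return authenticate


def run_method_list(methods: List[Method], creds: Creds,
                    answer_prompt: Callable[[str], Optional[str]]) -> Tuple[Reply, str]:
    """Try methods in order. Only ERROR falls through; ACCEPT and REJECT are final.
    answer_prompt(name) returns the user's answer to a CONTINUE prompt, or None."""
    for method in methods:
        reply, info = method(creds)
        while reply is Reply.CONTINUE:
            answer = answer_prompt(info)
            if answer is None:
                return Reply.REJECT, f"no answer for prompt '{info}'"
            creds = dict(creds, **{info: answer})   # re-run the same method with more input
            reply, info = method(creds)
        if reply is Reply.ERROR:
            continue                                # next method in the list
        return reply, info
    return Reply.REJECT, "every method returned ERROR; access denied"


def demo() -> Tuple[Tuple[Reply, str], Tuple[Reply, str], Tuple[Reply, str]]:
    tacacs_users = {"alice": ("s3cret", "482913")}
    local_users = {"alice": "localpw", "admin": "localpw"}
    answers = {"otp": "482913"}.get                   # the user's answer to the OTP prompt
    # 1. Server reachable, right password: CONTINUE for the OTP, then ACCEPT from TACACS+.
    accepted = run_method_list([tacacs_group(True, tacacs_users), local_database(local_users)],
                               {"username": "alice", "password": "s3cret"}, answers)
    # 2. Server reachable, wrong password: REJECT is final; the local database is never
    #    consulted even though "localpw" would have matched there.
    rejected = run_method_list([tacacs_group(True, tacacs_users), local_database(local_users)],
                               {"username": "alice", "password": "localpw"}, answers)
    # 3. Server unreachable: ERROR falls through and the local database answers.
    fallback = run_method_list([tacacs_group(False, tacacs_users), local_database(local_users)],
                               {"username": "admin", "password": "localpw"}, answers)
    return accepted, rejected, fallback
```

The second case is the one worth remembering when reviewing a configuration: the "local" fallback only protects against the server being unavailable, not against a wrong password, so a weak local password is not reachable through a healthy TACACS+ server. The third case is why the local username should be a strong break-glass credential, because it becomes the effective authentication source whenever the server path is down.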

Question 182

Which two statements about AAA with the local database are true? (Choose two)

A. The local database can serve only as a backup authentication method
B. It supports a limited number of usernames and passwords
C. Accounting is not supported locally
D. By default, it is queried before a TACACS+ or RADIUS server
E. Authorization is available only for one-time-use logins

Answer: B C

Explanation

While authentication can be done on the router for a limited number of user names, it might
make more sense and be much more scalable to use an AAA Server -> B is correct.

Reference:
https://www.cisco.com/c/en/us/td/docs/routers/10000/10008/configuration/guides/broadband/
bba/load.pdf

You can use the local database for CLI access authentication, privileged mode authentication,
command authorization, network access authentication, and VPN authentication and
authorization. You cannot use the local database for network access authorization. The local
database does not support accounting -> C is correct.

Reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_
aaa.pdf

Question 247 (posted at Q.14 of http://www.digitaltut.com/new-route-questions)

Which two features does RADIUS combine? (Choose two)

A. telnet
B. SSH
C. Authentication
D. Authorization
E. Accounting

Answer: C D

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to
decouple authentication and authorization.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-
dial-user-service-radius/13838-10.html

================= NetFlow Questions =================

Question 68
A network engineer executes the "show ip cache flow" command. Which two types of information are displayed in the report that is generated? (Choose two)

A. top talkers
B. flow export statistics
C. flow sample for specific protocols
D. MLS flow traffic
E. IP packet distribution

Answer: C E

Explanation

The output of "show ip cache flow" has four parts: the IP packet size distribution (the answer option says "IP packet distribution", but what the command shows is the packet size distribution); basic statistics about the number of flows and the export timer setting; the protocol distribution statistics; and the NetFlow cache itself.

The protocol distribution section lists, per protocol (for example TCP-Telnet, TCP-WWW, UDP-DNS), the Total Flows, Flows/Sec, Packets/Flow, Bytes/Pkt and active and idle times per flow, which is the "flow sample for specific protocols" of answer C. Top talkers are not part of this output; they need the separate "show ip flow top-talkers" command, which only works after "ip flow-top-talkers" has been configured.

Question 112

Where is the best place to position a NetFlow server?

A. Core edge
B. Access edge
C. WAN edge
D. Distribution edge
E. User edge

Answer: C

Explanation

NetFlow (network flow) is an input side-measurement technology that allows for capturing
the data required for network planning, monitoring, and accounting applications. NetFlow
should be deployed on edge/aggregation router interfaces for service providers or WAN
access router interfaces for Enterprise customers.

Reference: https://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-
NMS-bestpractice.html

Question 172 (same as Question 15 at http://www.digitaltut.com/netflow-questions)

Which two statements about NetFlow templates are true? (Choose two)

A. Only NetFlow version 9 is template based
B. NetFlow Version 5 and version 9 are template based
C. Only NetFlow version 5 is template based
D. Templates can increase bandwidth usage
E. They can increase overall performance
F. They can reduce bandwidth usage

Answer: A D

Explanation

The distinguishing feature of the NetFlow Version 9 format is that it is template based ->
Answer A is correct.

Reference:
https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00
800a3db9.html

Export bandwidth increases for version 9 (because of template flowsets) versus version 5 ->
Answer D is correct.
Version 9 slightly decreases overall performance, because generating and maintaining valid
template flowsets requires additional processing -> Answer E is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfexpfv9.html
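To make the template mechanism concrete, the following Python block is an added example, not Cisco code and not part of either reference. It builds a small NetFlow v9 export packet from constructed flow values, decodes it, and demonstrates that a data FlowSet arriving before its template cannot be decoded at all, which is why a collector must keep a per-exporter template cache and why the exporter periodically re-sends templates and pays the extra bandwidth of answer D. The FlowSet builders, the V9Decoder class and the sample flows are assumptions made for the example; the field type numbers and the 20-byte header layout are the RFC 3954 ones.

```python
"""Added NetFlow v9 template/data example (not Cis co code, not from the references).
Builds one export packet from constructed flows and decodes it. The field type
numbers and the 20-byte header layout follow RFC 3954; everything else
(function names, sample addresses, the two-record FlowSet) is made up for the
example. Decoding the data FlowSet before its template fails, which is the
reason collectors cache templates and exporters re-send them."""
import ipaddress
import struct
from typing import Dict, List, Tuple

HEADER = "!HHIIII"  # version, count, sysUptime, unixSecs, sequence, sourceId
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IP_FIELDS = {8, 12}
Field = Tuple[int, int]  # (field type, length in bytes)
Record = Dict[str, object]


def template_flowset(template_id: int, fields: List[Field]) -> bytes:
    """FlowSet ID 0: template id, field count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(template_id: int, fields: List[Field], records: List[Record]) -> bytes:
    """FlowSet ID >= 256: records laid out exactly as the template says, padded to 4 bytes."""
    body = b""
    for rec in records:
        for ftype, flen in fields:
            value = rec[FIELD_NAMES[ftype]]
            body += ipaddress.IPv4Address(value).packed if ftype in IP_FIELDS else int(value).to_bytes(flen, "big")
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def export_packet(flowsets: List[bytes], count: int, sequence: int, source_id: int = 0) -> bytes:
    return struct.pack(HEADER, 9, count, 123456, 1700000000, sequence, source_id) + b"".join(flowsets)


class V9Decoder:
    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Field]] = {}  # keyed by (source_id, template_id)

    def decode(self, packet: bytes) -> Tuple[List[Record], int]:
        """Return (decoded records, number of data FlowSets skipped for lack of a template)."""
        version, _n, _up, _secs, _seq, source_id = struct.unpack(HEADER, packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, skipped, off = [], 0, 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("truncated or malformed FlowSet")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn(source_id, body)
            elif fs_id >= 256:                       # 1 = options template, 2..255 reserved: ignored
                fields = self.templates.get((source_id, fs_id))
                if fields is None:
                    skipped += 1                     # template not seen yet, records are opaque
                else:
                    records.extend(self._records(fields, body))
            off += fs_len
        return records, skipped

    def _learn(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            self.templates[(source_id, tid)] = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                                                for i in range(nfields)]
            off += 4 * nfields

    @staticmethod
    def _records(fields: List[Field], body: bytes) -> List[Record]:
        rec_len = sum(n for _, n in fields)
        out, off = [], 0
        while rec_len and off + rec_len <= len(body):   # trailing padding is shorter than a record
            rec: Record = {}
            for ftype, flen in fields:
                raw, off = body[off:off + flen], off + flen
                name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                rec[name] = str(ipaddress.IPv4Address(raw)) if ftype in IP_FIELDS else int.from_bytes(raw, "big")
            out.append(rec)
        return out


FIELDS: List[Field] = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
SAMPLE_FLOWS: List[Record] = [  # constructed values, not captured traffic
    {"IPV4_SRC_ADDR": "10.1.1.10", "IPV4_DST_ADDR": "203.0.113.5", "L4_SRC_PORT": 51515,
     "L4_DST_PORT": 443, "PROTOCOL": 6, "IN_BYTES": 8123},
    {"IPV4_SRC_ADDR": "10.1.1.23", "IPV4_DST_ADDR": "198.51.100.9", "L4_SRC_PORT": 40001,
     "L4_DST_PORT": 53, "PROTOCOL": 17, "IN_BYTES": 76},
]


def demo():
    tmpl = template_flowset(256, FIELDS)
    data = data_flowset(256, FIELDS, SAMPLE_FLOWS)
    decoder = V9Decoder()
    before = decoder.decode(export_packet([data], 2, sequence=1))        # data first: undecodable
    after = decoder.decode(export_packet([tmpl, data], 2, sequence=2))   # template, then data
    return before, after, len(tmpl)
```

demo() returns no records and one skipped FlowSet for the first packet, and both records for the second. The 32-byte template FlowSet is the overhead that version 5, with its fixed 48-byte record layout, never has to send; a collector that restarts loses its cache and decodes nothing until the next template refresh, which is the operational reason to keep the "ip flow-export template refresh-rate" and timeout settings short enough for your collector.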

Question 197 (same as Q.13 at http://www.digitaltut.com/netflow-questions)

Where can NetFlow export data for long term storage and analysis?

A. syslog
B. collector
C. another network device
D. flat file

Answer: B

Explanation

NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and
storing the flows. Usually a collector is a separate software running on a network server.
NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).

Question 241 (posted at Q.16 of http://www.digitaltut.com/netflow-questions)

Which version or versions of NetFlow support MPLS?

A. all versions of NetFlow
B. NetFlow version 9
C. NetFlow version 8
D. NetFlow version 5
E. NetFlow version 8 and 9

Answer: B

Explanation

MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow
exports up to three labels of interest from the incoming label stack, the IP address associated
with the top label, as well as traditional NetFlow data.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf24.html

Question 242 (posted at Q.14 of http://www.digitaltut.com/netflow-questions)

Refer to the exhibit. How can you configure a second export destination for IP address
192.168.10.1?

configure terminal
ip flow-export destination 192.168.10.1 9991
ip flow-export version 9

A. Specify a different TCP port
B. Specify a different UDP port
C. Specify a VRF
D. Configure a version 5 flow-export to the same destination
E. Specify a different flow ID

Answer: B

Explanation

To configure multiple NetFlow export destinations on a router, enter the "ip flow-export destination" command once per destination in global configuration mode:

Router(config)# ip flow-export destination ip-address udp-port
Router(config)# ip flow-export destination ip-address udp-port

The following example exports the NetFlow cache entries to two collectors:

ip flow-export destination 10.42.42.1 9991
ip flow-export destination 10.0.101.254 1999

NetFlow export uses UDP, so answer A (a different TCP port) does not apply. A second destination with the same IP address as an existing one must use a different UDP port, which is exactly the situation in the question.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html

================= Troubleshooting Questions =================

Question 87
Which two commands would be used to troubleshoot high memory usage for a process? (Choose two)

A. router#show memory allocating-process table
B. router#show memory summary
C. router#show memory dead
D. router#show memory events
E. router#show memory processor statistics

Answer: A B

Explanation

The "show memory allocating-process table" command displays statistics on allocated memory with the corresponding allocating processes. This command can also be used to find memory leaks. A memory leak occurs when a process requests or allocates memory and then forgets to free (de-allocate) the memory when it is finished with that task.

Note: in fact the correct command is "show memory allocating-process totals" (not "table").

The "show memory summary" command displays a summary of all memory pools and memory usage per Alloc PC (address of the system call that allocated the block). The first lines of its output are a table with one row per memory pool (Processor, I/O) and the following columns:

Legend:

+ Total: the total amount of memory available after the system image loads and builds its
data structures.
+ Used: the amount of memory currently allocated.
+ Free: the amount of memory currently free.
+ Lowest: the lowest amount of free memory recorded by the router since it was last booted.
+ Largest: the largest free memory block currently available.

Note: The show memory allocating-process totals command contains the same information
as the first three lines of the show memory summary command.

An example of a high memory usage problem is large amount of free memory, but a small
value in the ―Lowest‖ column. In this case, a normal or abnormal event (for example, a large
routing instability) causes the router to use an unusually large amount of processor memory
for a short period of time, during which the memory has run out.
The show memory dead command is only used to view the memory allocated to a process
which has terminated. The memory allocated to this process is reclaimed by the kernel and
returned to the memory pool by the router itself when required. This is the way IOS handles
memory. A memory block is considered as dead if the process which created the block exits
(no longer running).

The command show memory events does not exist.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf013.h
tml and http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-
121-mainline/6507-mallocfail.html

Question 204

Which statement about conditional debugging is true?

A. It can support only one condition at a time
B. You can limit the output to a specific interface
C. It generates debug messages only for packets entering the router
D. It is limited to Ethernet, serial, and multilink interfaces

Answer: B

Explanation

When the Conditionally Triggered Debugging feature is enabled, the router generates
debugging messages for packets entering or leaving the router on a specified interface; the
router will not generate debugging output for packets entering or leaving through a different
interface. You can specify the interfaces explicitly. For example, you may only want to see
debugging messages for one interface or subinterface. You can also turn on debugging for all
interfaces that meet specified conditions. This feature is useful on dial access servers, which
have a large number of ports.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcnd
tr.html

Question 229 (posted at Q.6 of http://www.digitaltut.com/point-to-point-protocol)

Which two debug commands can you use to view issues with CHAP and PAP authentication?
(Choose two)

A. debug tacacs
B. debug ppp authentication
C. debug radius
D. debug aaa authentication
E. debug ppp negotiation
Answer: B E

================= Unicast Flooding Questions =================

Question 26

Which action can you take to mitigate unicast flooding in a network?

A. Configure VLANs to span multiple access-layer switches.
B. Implement a nonlooped network topology.
C. Set the ARP timer value to less than the CAM timer value.
D. Set the CAM timer value to less than the ARP timer value.

Answer: C

Question 106

Which three causes of unicast flooding are true? (Choose three)

A. forwarding table overflow
B. changes in STP topology
C. excess space in the forwarding table
D. consistent STP topology
E. asymmetric routing
F. symmetric routing

Answer: A B E

Explanation

The root cause of flooding is that the destination MAC address of the frame is not in the L2 forwarding table of the switch. In this case the frame is flooded out of all forwarding ports in its VLAN (except the port it was received on), so every host in the VLAN can see traffic that is not addressed to it. The case studies in the reference cover the most common reasons for a destination MAC address not being known to the switch:

Cause 1: Asymmetric Routing
Cause 2: Spanning-Tree Protocol Topology Changes
Cause 3: Forwarding Table Overflow

For more information about the three cases above please visit:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Question 131
What happens when unicast flood protection is triggered on a VLAN?

A. The VLAN is shut down
B. Traffic on the VLAN is load-balanced across multiple links
C. The VLAN is removed from the VLAN database
D. Traffic on the VLAN is passed to another VLAN with lower load

Answer: A

Explanation

In short, unicast flood protection feature allows the switch to monitor the amount of unicast
flooding per VLAN and take specified action if flooding exceeds specified amount. Actions
can be to syslog, limit or shutdown VLAN – the syslog being the most useful for flood
detection.

Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-
switches/23563-143.html

Question 140

Which adverse event can occur as a consequence of asymmetric routing on the network?

A. vulnerability to a man-in-the-middle attack
B. inadvertent HSRP active router preemption
C. errdisabled port
D. unicast flooding

Answer: D

Explanation

The root cause of unicast flooding is that the destination MAC address of the frame is not in the L2 forwarding table of the switch. In this case the frame is flooded out of all forwarding ports in its VLAN (except the port it was received on). With asymmetric routing, the switch on the return path never sees frames sourced from the host, so its entry for the host's MAC address ages out while the router keeps sending unicast frames to it. The case studies in the reference cover the most common reasons for a destination MAC address not being known to the switch:

Cause 1: Asymmetric Routing
Cause 2: Spanning-Tree Protocol Topology Changes
Cause 3: Forwarding Table Overflow

For more information about the three cases above please visit:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Question 191 (nearly the same as Question 26 above)

How can you minimize unicast flooding in a network?

A. Configure HSRP on two routers, with one subnet preferred on the first router and a different subnet preferred on the second router
B. Set the router's ARP timeout value to be the same as the timeout value for Layer 2 forwarding table entries
C. Set the router's ARP timeout value to greater than the timeout value for Layer 2 forwarding table entries
D. Set the router's ARP timeout value to less than timeout value for Layer 2 forwarding table entries

Answer: B

Explanation

There are different approaches to limit the flooding caused by asymmetric routing. The usual approach is to bring the router's ARP timeout and the switches' forwarding-table aging time close to each other (by default they are 4 hours and 5 minutes respectively). The router then re-ARPs for the host, with a broadcast request, before the switch's forwarding-table entry ages out; the host's ARP reply passes through the switch, which relearns the host's MAC address, so the entry is refreshed and the router's unicast traffic is never flooded. Both answer B here and answer C of Question 26 (ARP timeout less than the CAM aging time) achieve this; the case to avoid is an ARP timeout longer than the CAM aging time, which is the IOS default.

Reference: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html
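Questions 26 and 191 turn on the relationship between the two timers. The following Python simulation is an added example (not from the Cisco document): it models the asymmetric-routing case over one hour and counts how many return frames are flooded with the IOS defaults (ARP timeout 4 hours, CAM aging 5 minutes) versus equal or shorter ARP timeouts. The simplified topology, the one-packet-per-second return traffic and the function names are assumptions made for the example. Flooded frames are copied to every port in the VLAN, so any host in it can passively capture the traffic; that is why this is a security issue and not only a performance one.

```python
"""Added example (not from the Cisco document): a per-second model of the
asymmetric-routing flooding case from the reference, to show why the router's
ARP timeout must not exceed the switch's forwarding-table (CAM) aging time.

Assumed topology, simplified from the reference: the server's outbound
traffic leaves via R1 and never crosses SW2; return traffic arrives at R2 and
is switched to the server through SW2. SW2 learns the server's MAC only from
frames the server sends, which here happens only when it answers R2's ARP
request. All timers are in seconds.
"""
DEFAULT_ARP_TIMEOUT = 14400   # IOS 'arp timeout' default: 4 hours
DEFAULT_CAM_AGING = 300       # Catalyst 'mac address-table aging-time' default: 5 minutes


def simulate(arp_timeout: int, cam_aging: int, duration: int) -> dict:
    """One return packet per second reaches R2 for the server (assumed rate).
    Returns how many were forwarded as known unicast, how many were flooded,
    and how many ARP requests R2 sent."""
    arp_valid_until = 0    # time at which R2's ARP entry for the server expires
    cam_valid_until = 0    # time at which SW2's CAM entry for the server's MAC expires
    forwarded = flooded = arp_requests = 0
    for t in range(duration):
        if t >= arp_valid_until:
            # R2 re-ARPs (broadcast). The server's unicast reply crosses SW2,
            # which (re)learns the server's MAC; both timers restart.
            arp_requests += 1
            arp_valid_until = t + arp_timeout
            cam_valid_until = t + cam_aging
        if t < cam_valid_until:
            forwarded += 1     # MAC known: frame goes out one port
        else:
            flooded += 1       # MAC aged out: frame copied to every port in the VLAN
    return {"forwarded": forwarded, "flooded": flooded, "arp_requests": arp_requests}


def compare(duration: int = 3600) -> dict:
    """IOS defaults (ARP > CAM) versus equal timers versus ARP < CAM, over one hour."""
    return {
        "arp_greater_than_cam": simulate(DEFAULT_ARP_TIMEOUT, DEFAULT_CAM_AGING, duration),
        "arp_equal_to_cam": simulate(DEFAULT_CAM_AGING, DEFAULT_CAM_AGING, duration),
        "arp_less_than_cam": simulate(270, DEFAULT_CAM_AGING, duration),
    }
```

With the defaults, everything after the first five minutes of the hour is flooded (3300 of 3600 frames); with an ARP timeout equal to or below the CAM aging time nothing is flooded. With equal timers the model re-ARPs in the same second the CAM entry would expire, so it never floods; in practice a small margin (ARP timeout slightly shorter than the aging time) avoids depending on that race. On IOS the router side is set per interface with "arp timeout seconds" and the switch side with "mac address-table aging-time seconds".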

================= Loop Prevention Questions =================

Question 139

Which of the following situations results in a routing loop?

A. when you implement noncontiguous IP routing blocks
B. when you have a single point of redistribution
C. when you have multiple points of redistribution
D. when you use NAT translation on the edge of your network
E. when you implement contiguous IP routing blocks

Answer: C

Question 155

Which three methods can a network engineer use to fix a metric-based routing loop in the network? (Choose three)

A. Filter routes manually using prefix lists
B. Implement proper network summarization on key routing points
C. Utilize route database filters
D. Filter routes based on tags
E. Implement offset lists at network boundaries
F. Filter routes manually using distribute lists

Answer: D E F

================= Miscellaneous Questions =================

Question 23

Which command do you enter to filter only routing updates that are sent through interface
GigabitEthernet0/0?

A. R1(config-if)#passive-interface GigabitEthernet0/0.
B. R1(config-router)#no passive-interface GigabitEthernet0/0
C. R1(config-router)#passive-interface GigabitEthernet0/0
D. R1(config-router)passive-interface default
E. R1(config-if)#passive-interface default
F. R1(config-router)#distribute-list 1 GigabitEthernet0/0 out

Answer: C

Explanation

In fact F is also a plausible answer, but we do not know what access list 1 (referenced by "distribute-list 1") contains, so C is the better answer: a passive interface suppresses all routing updates sent out GigabitEthernet0/0, and for EIGRP and OSPF it also suppresses hello packets, so no neighbor relationship forms on that interface.

Question 63

Given the network diagram, which address would successfully summarize only the networks
seen?
A. 192.168.0.0/24
B. 192.168.8.0/20
C. 192.168.8.0/21
D. 192.168.12.0/20
E. 192.168.16.0/21
F. These networks cannot be summarized.

Answer: C

Question 124

How big is the smallest packet that will always be fragmented on a standard Ethernet network
with default configuration?

A. 1500 bytes
B. 1800 bytes
C. 2048 bytes
D. 2100 bytes

Answer: B

Explanation

On a standard Ethernet network the default MTU is 1500 bytes, so a 1500-byte IP packet (for example 1460 bytes of TCP payload plus a 20-byte IP header and a 20-byte TCP header) is the largest packet that is carried without fragmentation. Any IP packet larger than 1500 bytes must be fragmented (or dropped, if the DF bit is set). Among the options, the smallest size that is always fragmented is therefore 1800 bytes.

Question 134

Which option is the best for protecting CPU utilization on a device?

A. fragmentation
B. CoPP
C. ICMP redirects
D. ICMP unreachable messages

Answer: B

Explanation

Control Plane Policing (CoPP) is an important security feature that prevents Denial of Service (DoS) attacks from impacting the supervisor module or route processor CPU.

CoPP protects the route processor on network devices by treating route processor resources as a separate entity with its own ingress interface (and in some implementations, egress also). Because of this behavior, a CoPP policy can be developed and applied only to those packets within the control plane. Unlike interface ACLs, for example, no effort is wasted inspecting data plane (transit) packets that will never reach the control plane. This has a significant simplifying implication on the construction of policies for CoPP. The other three options are sources of CPU load rather than protection: fragment reassembly and the generation of ICMP redirects and unreachables are done by the CPU, which is why "no ip redirects", "no ip unreachables" or rate limiting of ICMP unreachables are common hardening steps.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/best_practices/cli_mgmt_guide/cli_mgmt_bp/cpu.pdf and https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html

Question 143

Which STP feature can reduce TCNs on ports that are connected to end devices?

A. BPDU guard
B. Root guard
C. PortFast
D. Backbone Fast

Answer: C

Explanation

In normal STP operation, a bridge keeps receiving configuration BPDUs from the root bridge
on its root port. But, it never sends out a BPDU toward the root bridge. In order to achieve
that, a special BPDU called the topology change notification (TCN) BPDU has been
introduced. Therefore, when a bridge needs to signal a topology change, it starts to send
TCNs on its root port. The designated bridge receives the TCN, acknowledges it, and
generates another one for its own root port. The process continues until the TCN hits the root
bridge. The bridge that notifies the topology change does not stop sending its TCN until the
designated bridge has acknowledged it.

The switch never generates a TCN when a port configured for Portfast goes up or down ->
Therefore PortFast can reduce TCNs on ports that are connected to end devices.

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-
protocol/12013-17.html#anc12

Question 198

Which two causes of latency are true? (Choose two)

A. High bandwidth on a link
B. Split horizon
C. Propagation delay
D. Serialization delay
E. Under-utilization of a link

Answer: C D

Explanation

The most significant network factor in meeting the latency targets for TelePresence is
propagation delay, which can account for more than 90 percent of the network latency time
budget. Propagation delay is also a fixed component and is a function of the physical distance
that the signals have to travel between the originating endpoint and the receiving endpoint.

Reference: Cisco TelePresence Fundamentals book

Propagation delay is the amount of time it takes for a single bit of data to get from one side
of a digital connection to the other. Propagation delay is usually close to the speed of light,
depending on the medium over which the packet is being carried (copper, fiber, and so on).
The propagation delay over a digital copper or fiber-optic connection is approximately 1 ms
per 100 miles. For example, the distance between New York and London is approximately
3500 miles. This means that the propagation delay between New York and London is
approximately 35 ms.

Three types of delay are inherent in today's telephony networks: propagation delay,
serialization delay, and handling delay (also called processing delay).

Serialization delay is the amount of time it takes to actually place a bit or byte onto an
interface. It is directly related to the clock rate on the interface.

Reference: http://www.ciscopress.com/articles/article.asp?p=606583

Question 231 (posted at Q.7 of http://www.digitaltut.com/miscellaneous-questions)

In which scenario can asymmetric routing occur?

A. active/active firewall setup
B. single path in and out of the network.
C. active/standby firewall setup
D. redundant routers running VRRP

Answer: D

Explanation

Asymmetric routing is the scenario in which the outgoing packet takes one path and the returning packet takes a different path. VRRP can cause asymmetric routing to occur, for example:

R1 and R2 are the two routers in the local internal LAN network that are running VRRP. R1
is the master router and R2 is the backup router.

These two routers are connected to an ISP gateway router, by using BGP. This topology
provides two possible outgoing and incoming paths for the traffic.

Suppose the outgoing traffic is sent through R1, but a VRRP failover occurs and R2 becomes the new master router. Traffic now passes through R2 instead, and asymmetric routing occurs.

Question 61

The Cisco ASA 500 Series Security Appliances are built specifically for businesses with less
than 100 employees. What are three important benefits of this device? (Choose three)

A. business-grade firewall
B. premium support via SMART net
C. site-to-site VPN for remote offices
D. Cisco IOS software-based
E. email security
F. XML support

Answer: A C E

Question 1 (posted at https://www.digitaltut.com/policy-based-routing)

Which statement about local policy routing is true?

A. It is used to policy route packets that are generated by the device.
B. It requires all packets to be packet switched.
C. It is used to policy route packets that pass through the device.
D. It requires all packets to be CEF switched.
E. It supports IPv4 packets only.
F. It requires an ip address or access list as the matching criteria.

Answer: A

Explanation

Normal policy based routing (PBR) is used to route packets that pass through the device.
Packets that are generated by the router (itself) are not normally policy-routed. To control
these packets, local PBR should be used. For example: Router(config)# ip local policy route-
map map-tag (compared with normal PBR: Router(config-if)# ip policy route-map map-tag)

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

================= Drag and Drop Questions =================

Question 90

Drag and drop for adverse network conditions.

Answer:

Excessive unicast flooding condition: caused by including a host port in STP
Out-of-order packets: potential result of disabling FIFO
TCP starvation: potential effect of excessive UDP traffic on link
Asymmetric routing: cause of inconsistent traffic patterns
Latency: condition in which packets require an excessive length of time to traverse a switch

Explanation

The most common reason for excessive unicast flooding in steady-state Catalyst switch
networks is the lack of proper host port configuration. Hosts, servers, and any other end-
devices do not need to participate in the STP process; therefore, the link up and down states
on the respective NIC interfaces should not be considered an STP topology change.
Reference: http://www.ciscopress.com/articles/article.asp?p=336872

Question 91

Drag drop the correct descriptions on the right to the Frame Relay LMI extensions on the left.

Answer:

+ Address registration – It allows neighboring Cisco devices to exchange management IP
addresses
+ Global addressing – It enables the Frame Relay network to identify interfaces in the same
manner as a LAN
+ Multicasting – It provides the most efficient transmission of routing protocol messages and
supports address resolution
+ Simple flow control – It supports devices that are unable to use congestion notification
+ Virtual circuit status messages – It prevents data from being transmitted into black holes

Question 92

Drag the descriptions on the left to the appropriate group on the right.
Answer:

Authentication:
+ supports a local database for device access
+ supports encryption

Authorization:
+ specifies a user's specific access privileges
+ enforces time periods during which a user can access the device

Accounting:
+ not supported with local AAA
+ verifies network usage

Explanation

AAA offers different solutions that provide access control to network devices. The following
services are included within its modular architectural framework:
+ Authentication – The process of validating users based on their identity and predetermined
credentials, such as passwords and other mechanisms like digital certificates. Authentication
controls access by requiring valid user credentials, which are typically a username and
password. With RADIUS, the ASA supports PAP, CHAP, MS-CHAP1, MS-CHAP2, that
means Authentication supports encryption.
+ Authorization – The method by which a network device assembles a set of attributes that
regulates what tasks the user is authorized to perform. These attributes are measured against a
user database. The results are returned to the network device to determine the user's
qualifications and restrictions. This database can be located locally on Cisco ASA or it can be
hosted on a RADIUS or Terminal Access Controller Access-Control System Plus
(TACACS+) server. In summary, Authorization controls access per user after users
authenticate.
+ Accounting – The process of gathering and sending user information to an AAA server
used to track login times (when the user logged in and logged off) and the services that users
access. This information can be used for billing, auditing, and reporting purposes.

Question 93

Drag drop about AAA commands.

Answer:

+ if-authenticated – It allows the user to perform the requested function once authenticated
+ none – It instructs the network access server to proceed without requesting authorization
information
+ local – It provides authorization for a limited set of functions only
+ krb5-instance – It uses a defined instance for authorization
+ group radius – It uses authorization information from a standards-based server
+ group tacacs+ – It uses authorization information stored as attribute-value pairs in a Cisco
proprietary server

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathe
n.html

Question 116

Refer to the exhibit. You are configuring the R1 Serial0 interface for a multipoint connection.
Drag and drop the required configuration statements from the left onto the corresponding
locations from the diagram on the right.
Answer:

interface Ethernet0
ip address 10.1.1.2 255.255.255.0
interface Serial0
! Serial interface config
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
! subinterface config
interface Serial0.1 multipoint
ip address 192.168.1.5 255.255.255.240
frame-relay map ip 192.168.1.1 100 broadcast

Question 132

Drag and drop the GRE features from the left onto the correct description on the right.
Answer:

+ mGRE: technology that supports dynamic tunnel endpoints
+ IPSec: encryption protocol used to source tunnels
+ Keepalive: technology that prevents one side of the tunnel from going down while the other
stays up
+ Tunnel Key: clear-text password that confirms the peer connection
+ MSS: configurable value that prevents an interface from sending packets that are too large
for the tunnel

Question 206

Drag and drop the AAA features from the left onto the correct description on the right.

Answer:

+ Authentication: challenge and response operation
+ Accounting: feature that logs network usage
+ TACACS+: authentication method that uses TCP
+ RADIUS: authentication method that uses UDP
+ Authorization: controls specific access privileges of a user

Question 208 (posted at Q.13 of http://www.digitaltut.com/drag-and-drop)

Drag and drop each statement about uRPF on the left to the correct uRPF mode on the right.

Answer:

Loose Modes:
+ It supports using the default route as a route reference
+ It requires the source address to be routable

Strict Modes:
+ It can drop legitimate traffic
+ It permits only packets that are received on the same interface as the exit interface for the
destination address

Question 217 (posted at Q.33 http://www.digitaltut.com/new-route-questions-part-4)

Refer to the exhibit. You are configuring the R1 Serial0 interface for a point-to-point
connection. Drag and drop the required configuration statements from the left onto the correct
locations from the diagram on the right. Not all commands are used.
Answer:

A – no ip address
B – interface serial0.1 point-to-point
C – frame-relay interface-dlci 100 ppp virtual-template1
D – ppp authentication chap

Explanation

It is a general best practice to not mix TCP-based traffic with UDP-based traffic (especially
Streaming-Video) within a single service-provider class because of the behaviors of these
protocols during periods of congestion. Specifically, TCP transmitters throttle back flows
when drops are detected. Although some UDP applications have application-level
windowing, flow control, and retransmission capabilities, most UDP transmitters are
completely oblivious to drops and, thus, never lower transmission rates because of dropping.
When TCP flows are combined with UDP flows within a single service-provider class and
the class experiences congestion, TCP flows continually lower their transmission rates,
potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is
called TCP starvation/UDP dominance.
TCP starvation/UDP dominance is likely to occur if TCP-based applications are assigned to the
same service-provider class as UDP-based applications and the class experiences sustained
congestion.
Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it
is beneficial to be aware of this behavior when making such application-mixing decisions
within a single service-provider class.

Reference:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/Qo
S-SRND-Book/VPNQoS.html

Question 235 (posted at Q.4 of http://www.digitaltut.com/drag-and-drop-2-2)

Drag and drop the statements from the left onto the correct IPv6 router security features on
the right.

Answer:

IPv6 Traffic Filter
+ It filters traffic on the interface level
+ It supports tagged ACLs

IPv6 Access Classes
+ It controls traffic to and from the router
+ It requires the destination address for inbound traffic to be a local address
+ It filters management traffic

Question 243 (posted at Q.1 of http://www.digitaltut.com/drag-and-drop-2-2)

Drag and drop the statements about device security from the left onto the correct description
on the right.
Answer:

CoPP:
+ It protects the device against DoS attacks
+ It supports packet forwarding by reducing the load on the device
+ It uses QoS to limit the load on the device

MPP:
+ It designates the permitted management interfaces on the device
+ It is enabled only when an interface is configured
+ It requires only a single command to configure

Question 244 (posted at Q.6 of http://www.digitaltut.com/drag-and-drop-2-2)

Drag and drop the correct description on the right onto the corresponding ACL types on the
left.
Answer:

+ Dynamic: ACL that uses Telnet for Authentication
+ Extended: ACL type that should be placed closest to the traffic source
+ Reflexive: ACL that must be defined with a named ACL
+ Standard: ACL numbered from 1300 through 1999
+ Time-based: ACL that applied to traffic only during specifically defined periods

Explanation

The general rule when applying access lists is to apply standard IP access lists as close to the
destination as possible and to apply extended access lists as close to the source as possible.
The reasoning for this rule is that standard access lists lack granularity, it is better to
implement them as close to the destination as possible; extended access lists have more
potential granularity, thus they are better implemented close to the source.

Reference: http://www.ciscopress.com/articles/article.asp?p=1697887

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information.
They are generally used to allow outbound traffic and to limit inbound traffic in response to
sessions that originate inside the router. Reflexive ACLs can be defined only with extended
named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with
other protocol ACLs. Reflexive ACLs can be used in conjunction with other standard and
static extended ACLs. The outbound ACL will have the 'reflect' keyword. It is the ACL that
matches the originating traffic. The inbound ACL will have the 'evaluate' keyword. It is the ACL
that matches the returning traffic.

Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release
11.1. This feature is dependent on Telnet, authentication (local or remote), and extended
ACLs.
Lock and key configuration starts with the application of an extended ACL to block traffic
through the router. Users that want to traverse the router are blocked by the extended ACL
until they Telnet to the router and are authenticated. The Telnet connection then drops and a
single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a
particular time period; idle and absolute timeouts are possible.

Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-
confaccesslists.html

Question 245 (posted at Q.2 of http://www.digitaltut.com/drag-and-drop-2-2)

Drag and drop the steps in the NAT process for IPv4-initiated packets from the left into the
correct sequence on the right.
Answer:

Step 1: The packet is routed to an NVI
Step 2: The packet is assigned a dynamic or static binding
Step 3: The IPV4 source address is translated to IPv6
Step 4: The translation information is used to create a session

Question 249 (posted at Q.8 of http://www.digitaltut.com/drag-and-drop)

Drag the items on the left to the proper locations on the right.

Answer:

+ network-specific stateful NAT64 prefix: IPv6 prefix assigned by an organization
+ NAT64 : supports application layer gateway
+ NPTv6 : translates 2001:1::/64 to 2001:2::/64
+ well-known stateful NAT64 prefix: supports IPv6 prefix 64:FF9B::/96

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). There are two different forms of NAT64, stateless and stateful:

+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps
no state. It does not save any IP addresses since every v4 address maps to one v6 address.
Stateless NAT64 does not conserve IPv4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation (1:N translation). It
supports both IPv6-initiated and IPv4-initiated communications using static or manual
mappings. Stateful NAT64 conserves IPv4 addresses.

NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6 and it supports
one-to-one translation between inside and outside addresses.

Question 22 (posted at https://www.digitaltut.com/new-route-questions-part-3)

Drag drop about DHCP Relay information.

Answer:

+ ip dhcp relay information option: automatically add the circuit identifier suboption and
the remote ID suboption

+ ip dhcp relay information check: check that the relay agent information option in
forwarded BOOTREPLY messages is valid

+ ip dhcp relay information policy: Configures the reforwarding policy for a DHCP relay
agent

+ ip dhcp relay information subscriber-id: enable an ISP to add a unique identifier

+ ip dhcp relay information: configured in global configuration mode applies to all
interfaces

+ ip dhcp relay information trusted-sources: configures interfaces on a router as trusted
sources

Question 1 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop the IPv6 NAT characteristic from the left to the matching IPv6 NAT category
on the right.
Answer:

NAT64:
+ Use Network-specific prefix
+ Modify session during translation

NPTv6:
+ Modify IP header in transit
+ Map one IPv6 address prefix to another IPv6 prefix

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). NAT64 requires a dedicated prefix, called the NAT64 prefix, to
recognize which hosts need IPv4-IPv6 translation. The NAT64 prefix can be a Network-specific
prefix (NSP), which is configured by a network administrator, or the well-known prefix (which
is 64:FF9B::/96). When a NAT64 router receives a packet whose destination starts with the NAT64 prefix, it
will process this packet with NAT64.

NAT64 is not as simple as IPv4 NAT, which only translates the source or destination IPv4
address. NAT64 translates nearly everything (source & destination IP addresses, port number,
IPv4/IPv6 headers… which together is called a session) from IPv4 to IPv6 and vice versa. So NAT64
"modifies session during translation".
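The two mappings discussed in the explanations of Question 249 and Question 1 above, worked in code: embedding an IPv4 address under the well-known 64:FF9B::/96 prefix or a network-specific /96 prefix (RFC 6052), extracting it again, and the NPTv6 rewrite of 2001:1::/64 to 2001:2::/64, done the checksum-neutral way RFC 6296 describes so that TCP/UDP checksums survive the rewrite. This is an added Python example, not Cisco's code or anything from the page; the addresses are constructed for illustration and only the /96 NAT64 layout and /64 NPTv6 prefixes are handled.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix, the one named in Question 249.
WELL_KNOWN_NAT64 = "64:ff9b::/96"


def address_words(addr):
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    value = int(ipaddress.IPv6Address(str(addr)))
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def nat64_synthesize(ipv4, prefix=WELL_KNOWN_NAT64):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix.

    Works for the well-known prefix and for a network-specific prefix (NSP);
    only the /96 layout of RFC 6052 is handled in this example.
    """
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(ipv6, prefix=WELL_KNOWN_NAT64):
    """Reverse mapping. Returns None when the address is outside the NAT64 prefix,
    i.e. when the packet would not be handed to NAT64 at all."""
    net = ipaddress.ip_network(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in net:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def ones_sum(words):
    """16-bit one's complement sum in canonical form (0xFFFF and 0x0000 are the same value)."""
    return sum(words) % 0xFFFF


def nptv6_translate(ipv6, inside, outside):
    """Rewrite the /64 prefix of an address from `inside` to `outside` as NPTv6 does.

    The mapping is checksum-neutral (RFC 6296): the difference between the one's
    complement sums of the two prefixes is added to the first 16-bit word of the
    interface identifier that is not 0xFFFF, so a transport checksum computed over
    the original address is still correct for the translated one.
    """
    inside_net = ipaddress.ip_network(inside)
    outside_net = ipaddress.ip_network(outside)
    addr = ipaddress.IPv6Address(ipv6)
    if inside_net.prefixlen != 64 or outside_net.prefixlen != 64 or addr not in inside_net:
        raise ValueError("expects an address inside a /64 inside prefix and a /64 outside prefix")
    words = address_words(addr)
    in_words = address_words(inside_net.network_address)[:4]
    out_words = address_words(outside_net.network_address)[:4]
    adjust = (ones_sum(in_words) - ones_sum(out_words)) % 0xFFFF
    new_words = out_words + words[4:]
    for i in range(4, 8):
        if new_words[i] != 0xFFFF:
            # canonical form: a result of 0xFFFF is written as 0x0000
            new_words[i] = (new_words[i] + adjust) % 0xFFFF
            break
    value = 0
    for w in new_words:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)


if __name__ == "__main__":
    print(nat64_synthesize("192.0.2.33"))                      # 64:ff9b::c000:221
    print(nat64_synthesize("192.0.2.33", "2001:db8:64::/96"))  # the same host under an NSP
    print(nptv6_translate("2001:1::1", "2001:1::/64", "2001:2::/64"))
```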

Question 2 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop the BGP states from the left to the matching definitions on the right.
Answer:

+ OpenSent: wait for an OPEN message
+ OpenConfirm: wait for a KEEPALIVE or NOTIFICATION message
+ Established: UPDATE, NOTIFICATION and KEEPALIVE messages are exchanged with
peers
+ Idle: refuse connections
+ Active: listen for and accept connection
+ Connect: wait for the connection to be completed

Explanation

The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm ->
Established

+ Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor
relationship has been administratively shut down.
+ Connect: TCP handshake completed.
+ Active: BGP tries another TCP handshake to establish a connection with the remote BGP
neighbor. If it is successful, it will move to the OpenSent state. If the ConnectRetry timer
expires then it will move back to the Connect state. Note: Active is not a good state.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.

Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3

Question 4 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop the challenge Handshake Authentication Protocol steps from the left into the
correct order in which they occur on the right.
Answer:

+ Target 1: When the LCP phase is complete and CHAP is negotiated between both devices,
the authenticator sends a challenge message to the peer
+ Target 2: The peer responds with a value calculated through a one-way hash function
(MD5)
+ Target 3: The authenticator checks the response against its own calculation of the expected
hash value if the values match the authentication is successful. Otherwise, the connection is
terminated

Explanation

The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the peer
by means of a three-way handshake. These are the general steps performed in CHAP:
1) After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated
between both devices, the authenticator sends a challenge message to the peer.
2) The peer responds with a value calculated through a one-way hash function (Message
Digest 5 (MD5)).
3) The authenticator checks the response against its own calculation of the expected hash
value. If the values match, the authentication is successful. Otherwise, the connection is
terminated.

This authentication method depends on a "secret" known only to the authenticator and the
peer. The secret is not sent over the link. Although the authentication is only one-way, you
can negotiate CHAP in both directions, with the help of the same secret set for mutual
authentication.

Reference: http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-
ppp/25647-understanding-ppp-chap.html

For more information about CHAP challenge please read our PPP tutorial.
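The three CHAP steps above carried out in code, as an added Python example (not from the Cisco document): the response is MD5 over the identifier, the shared secret and the challenge as RFC 1994 specifies, only that hash crosses the link, and the authenticator forgets each challenge after one use so a captured response is useless for a later attempt. The Authenticator class and chap_exchange helper are constructed for this illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Step 2: the peer's response value, MD5(Identifier || secret || Challenge) per RFC 1994.
    The secret itself never appears on the wire, only this 16-byte digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The authenticator side of the handshake (constructed for this example)."""

    def __init__(self, secret):
        self._secret = secret
        self._identifier = 0
        self._pending = {}   # identifier -> outstanding challenge value

    def challenge(self):
        """Step 1: after LCP is up and CHAP was negotiated, send a fresh random challenge."""
        self._identifier = (self._identifier + 1) % 256
        value = os.urandom(16)
        self._pending[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier, response):
        """Step 3: recompute the expected hash and compare in constant time.
        A challenge is consumed on first use, so replaying an old response fails."""
        challenge = self._pending.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(authenticator, peer_secret):
    """Run one full handshake; the peer only ever sees the identifier and challenge."""
    identifier, challenge = authenticator.challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return authenticator.verify(identifier, response)


if __name__ == "__main__":
    auth = Authenticator(b"shared-secret")
    print("matching secret:", chap_exchange(auth, b"shared-secret"))   # True
    print("wrong secret:   ", chap_exchange(auth, b"guess"))           # False
```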

Question 10 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop each frame-relay component on the left to the correct statement on the right.
Answer:

+ SVC: A circuit that provides temporary on-demand connections between DTEs
+ LMI: A signaling mechanism for Frame Relay devices
+ DLCI: A locally significant ID
+ FECN: An indicator of congestion on the network
+ PVC: A logical connection comprising two endpoints and a CIR

Question 3 (posted at https://www.digitaltut.com/drag-and-drop)

Drag and drop the Cisco Express Forwarding adjacency types from the left to the correct type
of processing on the right.

Left column (adjacency types):
+ Punt Adjacency
+ Drop Adjacency
+ Null Adjacency
+ Discard Adjacency
+ Glean Adjacency

Right column (descriptions):
+ Packets are discarded
+ Features that require special handling or features that are not yet supported in
conjunction with CEF switching paths are forwarded to the next switching layer for handling.
Features that are not supported are forwarded to the next higher switching level.
+ When a router is connected directly to several hosts, the FIB table on the router
maintains a prefix for the subnet rather than for the individual host prefixes. The subnet
prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the
adjacency database is gleaned for the specific prefix.
+ Packets are dropped, but the prefix is checked.
+ Packets destined for a Null0 interface are dropped. This can be used as an effective form of
access filtering.

Answer:

Punt Adjacency: Features that require special handling or features that are not yet supported
in conjunction with CEF switching paths are forwarded to the next switching layer for
handling. Features that are not supported are forwarded to the next higher switching level.
Drop Adjacency: Packets are dropped, but the prefix is checked.
Null Adjacency: Packets destined for a Null0 interface are dropped. This can be used as an
effective form of access filtering.
Discard Adjacency: Packets are discarded.
Glean Adjacency: When a router is connected directly to several hosts, the FIB table on the
router maintains a prefix for the subnet rather than for the individual host prefixes. The
subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific
host, the adjacency database is gleaned for the specific prefix.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.ht
ml

============================ New Updated Questions (posted on 28th-Feb-2019) ============================

Question 250

A network engineer configures two connected routers to run OSPF in Area 0; however, the
routers fail to establish adjacency. Which option is one of the causes of this issue?

A. Area numbers match
B. OSPF process numbers do not match on both neighbor routers
C. The Same MTU sizes are configured on both sides
D. The Same OSPF router IDs are configured on both routers

Answer: D

Question 251

A network engineer is trying to synchronize the time clock, but the synchronization is not working. What is
likely the cause of this problem?

A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 123.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 123.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 123.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 123.

Answer: B

Explanation

By default, NTP uses User Datagram Protocol (UDP) port 123 so we cannot synchronize if
something is blocking this port.

Question 252 (posted at Q.7 of https://www.digitaltut.com/dhcp-dhcpv6-questions)

Refer to the exhibit. Router DHCP is configured to lease IPv4 and IPv6 addresses to clients
on ALS1 and ALS2. Clients on ALS2 receive IPv4 and IPv6 addresses. Clients on ALS1
receive IPv4 addresses. Which configuration on DSW1 allows clients on ALS1 to receive
IPv6 addresses?

DSW1#sh run int f0/0
Building configuration…
!
interface FastEthernet0/0
ip address 10.4.10.1 255.255.255.0
ip helper-address 4.4.4.4
duplex auto
speed auto
ipv6 address 2002:A04:A01:A04:A01/120
ipv6 enable
end

A. DSW1(config-if)#ipv6 helper address 2002:404:404::404:404
B. DSW1(config)#ipv6 route 2002:404:404::404:404/128 FastEthernet1/0
C. DSW1(dhcp-config)#default-router 2002:A04:A01::A04:A01
D. DSW1(config-if)#ipv6 dhcp relay destination 2002:404:404::404:404 GigabitEthernet1/2

Answer: D

Explanation

In this topology DSW1 is the DHCPv6 Relay agent, so it should relay (forward) the DHCPv6
Request packets (from the clients) out of its Gi1/2 interface to the DHCPv6 server. The
command "ipv6 dhcp relay destination …" is used to complete this task.

Note: There is no "default-router" command for DHCPv6. The "ipv6 dhcp relay destination"
command is not required on every router along the path between the client and server. It is
ONLY required on the router functioning as the DHCPv6 relay agent.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/whitepaper_c11-689821.html

Question 253 (posted at Q.9 of https://www.digitaltut.com/frame-relay-questions)

Which two statements about configuring Frame Relay point-to-multipoint connections are
true? (Choose two)

A. They ignore the broadcast keyword in the frame-relay DLCI mapping
B. They require the same DLCI on each side of the link
C. Changing a point-to-multipoint subinterface to a different type requires the interface to be
deleted and recreated
D. They require the frame-relay mapping command to be configured
E. They require inverse ARP

Answer: D E

Explanation

An example of configuring Frame Relay point-to-multipoint connections is described at
http://www.9tut.com/frame-relay-gns3-lab. Frame Relay point-to-multipoint requires inverse
ARP (which is enabled by default). It also requires the frame-relay mapping command to be
configured. For example: R1(config-if)#frame-relay route 102 interface Serial0/1 201.

Question 254

Which interface type does a PPPoE client use to establish a session?

A. Physical
B. loopback
C. virtual-template
D. dialer

Answer: D

Question 255 (posted at Q.9 of https://www.digitaltut.com/evn-vrf-questions-2)

Which value identifies VPNs in an EVN environment?

A. DLCI
B. route target
C. virtual network tag
D. VLAN ID

Answer: C

Question 256 (posted at Q.14 of https://www.digitaltut.com/dmvpn-questions)

Which two protocols are required for DMVPN? (Choose two)

A. IPSec
B. PPTP
C. mGRE
D. NHRP
E. Open VPN

Answer: C D

Explanation

DMVPN is not a protocol; it is the combination of the following technologies:

+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

DMVPN combines multipoint GRE (mGRE) tunnels, IPsec encryption and NHRP (Next Hop
Resolution Protocol) to do its job. It saves the administrator from defining multiple
static crypto maps and allows dynamic discovery of tunnel endpoints.

Question 257 (posted at Q.3 of https://www.digitaltut.com/syslog-questions)

Which command do you enter to display log messages with a timestamp that includes the
length of time since the device was last rebooted?

A. service timestamps log uptime
B. logging facility 20
C. service timestamps debugging localtime msec
D. logging console errors
E. logging monitor 7
F. service timestamps log datetime msec

Answer: A

Explanation

The "service timestamps log uptime" command enables timestamps on log messages, showing the time
since the system was rebooted. For example:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Question 258

A network engineer executes the command "show ip eigrp vrf purple topology". Which type
of information is displayed as a result?

A. routes for a global routing table
B. updates that were sent for a specific routing table
C. active neighbors for a global routing table
D. route successors for a specific routing table

Answer: D

Question 259 (posted at Q.6 of https://www.digitaltut.com/ntp-questions)

A network engineer wants an NTP client to be able to update the local system without
updating or synchronizing with the remote system. Which option for the ntp access-group
command is needed to accomplish this?

A. Serve
B. Serve-only
C. peer
D. Query-only

Answer: A

Explanation

To control access to Network Time Protocol (NTP) services on the system, use the ntp
access-group command in global configuration mode.

NTP supports "Control messages" and "Request/Update messages".

+ Control messages are for reading and writing internal NTP variables and obtaining NTP
status information. They do not deal with time synchronization itself.
+ NTP request/update messages are used for actual time synchronization. A request packet
asks for synchronization information; an update packet contains synchronization
information and may change the local clock.

When synchronizing system clocks on Cisco IOS devices only Request/Update messages are
used. Therefore in this question we only care about "NTP Update messages".

Syntax:

ntp access-group [ipv4 | ipv6] {peer | query-only | serve | serve-only} {access-list-number | access-list-number-expanded | access-list-name} [kod]

+ Peer: permits the router to respond to NTP requests and accept NTP updates. NTP control
queries are also accepted. This is the only class which allows a router to be synchronized by
other devices -> not correct. In other words, the peer keyword enables the device to receive
time requests and NTP control queries and to synchronize itself to the servers specified in the
access list.
+ Serve-only: permits the router to respond to NTP requests only. It rejects attempts to
synchronize the local system time and does not accept control queries. In other words, the serve-
only keyword enables the device to receive only time requests from servers specified in the
access list.
+ Serve: permits the router to reply to NTP requests, but rejects NTP updates (e.g. replies from a
server or update packets from a peer). Control queries are also permitted. In other words, the
serve keyword enables the device to receive time requests and NTP control queries from the
servers specified in the access list but not to synchronize itself to the specified servers -> this
option is surely correct.

In summary, the answer "serve" is surely correct, but the answer "serve-only" seems to be
correct too (although the definition is not clear).

An example of using the "ntp access-group" command is shown below:

R1(config)#ntp server 178.240.12.1
R1(config)#access-list 2 permit 165.16.4.1 0.0.0.0
R1(config)#access-list 2 deny any
R1(config)#ntp access-group peer 2 // peer only with 165.16.4.1
R1(config)#access-list 3 permit 160.1.0.0 0.0.255.255
R1(config)#access-list 3 deny any
R1(config)#ntp access-group serve-only 3 // provide time services only to internal network 160.1.0.0/16

Reference:

+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-
n1.html
+ http://blog.ine.com/2008/07/28/ntp-access-control/

Question 260 (posted at Q.4 of https://www.digitaltut.com/unicast-reverse-path-forwarding)

Which option is invalid when configuring Unicast Reverse Path Forwarding?

A. allow self ping to router
B. allow default route
C. allow based on ACL match
D. source reachable via both

Answer: D

Explanation
Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If the interface the packet arrived on matches the interface used to reach this source IP, the packet is allowed to enter (strict mode).

The syntax for configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables Loose Mode uRPF on the router. This mode only requires that the source address be reachable via any interface.
The rx option enables Strict Mode uRPF on the router. This mode ensures that the router reaches the source address only via the interface on which the packet was received.
You can also use the allow-default option, so that the default route can match when checking the source address -> Answer "allow default route" is a valid option.
The allow-self-ping option allows the router to ping itself -> Answer "allow self ping to router" is a valid option.

Reference: http://www.cisco.com/c/en/us/td/docs/routers/10000/10008/configuration/guides/broadband/bba/urpf.pdf

Another feature of uRPF is that we can use an access-list to specify the traffic we want or don't want to check -> Answer "allow based on ACL match" is a valid option. An example is shown below:

Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#interface fa0/1
Router(config-if)#ip verify unicast source reachable-via any 110

Note: Access-list "permit" statements allow traffic to be forwarded even if it fails the Unicast RPF check; access-list "deny" statements drop matched traffic that fails the Unicast RPF check. In the above example, the 192.168.1.0/24 network is allowed even if it fails the uRPF check.

The last option, "source reachable via both", does not match any keyword in the syntax above, so it is the best answer in this case, although it may be hinting at uRPF loose mode.
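The decision logic described above (strict versus loose mode, the allow-default keyword and the ACL exemption), modelled in Python as an added example written for this page; it is illustration code, not Cisco's implementation. The forwarding table, interface names and addresses are constructed, allow-self-ping is not modelled, and the rule that a source routed to Null0 fails the check in both modes follows Cisco's documented behaviour for blackhole routes and is not stated on this page.

```python
"""Model of the uRPF forwarding decision (added example, not Cisco code).

The FIB, interface names and addresses below are constructed for illustration.
"""
import ipaddress

# Constructed forwarding table: (prefix, outgoing interface). Longest prefix wins.
# A route to "Null0" is a blackhole route, e.g. one installed for RTBH filtering.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),      # default route towards the upstream
    ("10.0.0.0/8", "Gi0/1"),
    ("10.1.0.0/16", "Gi0/2"),
    ("192.0.2.0/24", "Null0"),   # blackholed source range
]

# Constructed standard ACL used as the uRPF exemption list: first match wins.
EXEMPT_ACL = [("permit", "10.1.0.0/16"), ("deny", "0.0.0.0/0")]


def fib_lookup(fib, src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def acl_permits(acl, src):
    """Standard ACL semantics: first matching entry decides, implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def urpf(fib, ingress, src, mode="rx", allow_default=False, acl=None):
    """Decide the fate of one packet with source src arriving on ingress.

    mode is "rx" (strict: best path must point back out the ingress interface)
    or "any" (loose: a usable route to the source is enough).
    Returns ("forward" | "drop", reason).
    """
    match = fib_lookup(fib, src)
    if match is None:
        ok, why = False, "no route to the source"
    else:
        net, iface = match
        if net.prefixlen == 0 and not allow_default:
            ok, why = False, "only the default route matches and allow-default is off"
        elif iface == "Null0":
            ok, why = False, "source is routed to Null0 (blackholed)"
        elif mode == "rx" and iface != ingress:
            ok, why = False, f"best path to source is via {iface}, packet arrived on {ingress}"
        else:
            label = "strict" if mode == "rx" else "loose"
            ok, why = True, f"source reachable via {iface} ({label} mode)"
    if ok:
        return ("forward", why)
    # A failed check can still be overridden by the ACL: a permit entry forwards
    # the packet anyway (typically logged); deny, or no ACL at all, drops it.
    if acl is not None and acl_permits(acl, src):
        return ("forward", f"uRPF failed ({why}) but the source is permitted by the ACL")
    return ("drop", why)


if __name__ == "__main__":
    for ingress, src, kw in [
        ("Gi0/2", "10.1.5.5", {}),                       # symmetric path, strict passes
        ("Gi0/1", "10.1.5.5", {}),                       # asymmetric path, strict drops
        ("Gi0/1", "10.1.5.5", {"mode": "any"}),          # loose mode passes
        ("Gi0/1", "172.16.9.9", {"mode": "any"}),        # only default matches: drop
        ("Gi0/1", "172.16.9.9", {"mode": "any", "allow_default": True}),
        ("Gi0/1", "192.0.2.7", {"mode": "any"}),         # blackholed source: drop
        ("Gi0/1", "10.1.5.5", {"acl": EXEMPT_ACL}),      # strict fails, ACL exempts
    ]:
        print(ingress, src, kw, "->", urpf(FIB, ingress, src, **kw))
```

Each call returns the verdict together with the reason, which is the information a practitioner wants when tuning uRPF on an interface with asymmetric routing: strict mode drops legitimate traffic whose return path differs from the arrival interface, loose mode tolerates it, and the exemption ACL is the targeted escape hatch for the few prefixes that must be forwarded regardless.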
New ROUTE Questions (same as New ROUTE Questions – Part 5)

Question 1

Drag and drop the statements about NAT64 from the left onto the correct NAT64 types on
the right.

Answer:

Stateful:
+ It supports FTP64 for ALG
+ It supports PAT and overload
+ It allows IPv6 systems to use any type of IPv6 address

Stateless:
+ ALG is not supported
+ It supports one-to-one mapping only
+ It requires IPv6 systems to use RFC6052 IPv4-translatable addresses

Explanation

Differences between Stateful NAT64 and Stateless NAT64 are shown below:

Supported Features | Stateful NAT64 | Stateless NAT64
Address savings | N:1 mapping for PAT or overload configuration that saves IPv4 addresses | One-to-one mapping: one IPv4 address is used for each IPv6 host
Address space | IPv6 systems may use any type of IPv6 addresses | IPv6 systems must have IPv4-translatable addresses (based on RFC 6052)
ALGs supported | FTP64 | None
Protocols supported | ICMP, TCP, UDP | All

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf

Question 2

Which statement about the metric calculation in EIGRP is true?

A. The maximum delay along the path is used
B. The mean value of bandwidth between the source and destination is used
C. The minimum bandwidth between the source and destination is used
D. The minimum delay along the path is used

Answer: C

Question 3

Which two steps must you perform to allow access to a device when the connection to a
remote TACACS+ authentication server fails? (Choose two)

A. Include the local keyword in the AAA configuration
B. Configure a local username and password on the device
C. Configure the device to accept Telnet and SSH connections
D. Configure accounting to reference the log of previously authenticated connections
E. Remove the aaa new-model command from the global configuration

Answer: A B

Question 4

Refer to the exhibit.

ip vrf BLUE
ip vrf RED
!
interface FastEthernet0/0
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
ip vrf forwarding BLUE
ip address 10.1.2.1 255.255.255.0

Network users on the 10.1.2.0/24 subnet have a default gateway of 10.1.2.254. Which
command will configure this gateway?

A. router(config)#ip route vrf RED 0.0.0.0 0.0.0.0 10.1.2.254
B. router(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.254
C. router(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0/1
D. router(config)#ip route vrf BLUE 0.0.0.0 0.0.0.0 10.1.2.254

Answer: D

Question 5

Refer to the exhibit.

Router# show processes cpu sorted


Router# show processes memory sorted

Based on Cisco best practice, which statement about the output is true?

A. The output should be analyzed by a network engineer before allocating additional memory
and CPU usage to processes on an IOS router in production
B. The output should be analyzed by a network engineer before executing any configuration
commands on an IOS router in production
C. The output should be analyzed by a network engineer before executing any debug
commands on an IOS router in production
D. The output should be analyzed by a network engineer before executing other show
commands on an IOS router in production

Answer: C

Question 6

Users were moved from the local DHCP server to the remote corporate DHCP server. After
the move, none of the users were able to use the network. Which two issues will prevent this
setup from working properly? (Choose two)

A. Auto-QoS is blocking DHCP traffic
B. The DHCP server IP address configuration is missing locally
C. 802.1X is blocking DHCP traffic
D. The broadcast domain is too large for proper DHCP propagation
E. The route to the new DHCP server is missing

Answer: B E

Question 7

Which two statements about the OSPF down bit are true? (Choose two)

A. It is set only when an OSPF virtual link is created
B. It is set only for LSA types 1, 2, and 4
C. It is set when OSPF routes are redistributed into BGP
D. It is set only for LSA types 3, 5, and 7
E. It is set when MP-BGP routes are redistributed into OSPF

Answer: D E

Explanation

To prevent the possibility of a routing loop, when routes are redistributed from MP-BGP into OSPF they are marked with the DN bit in LSA types 3, 5 and 7, and Type 5 and 7 LSAs also carry the domain tag.

Good reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/118800-configure-ospf-00.html

Question 8

Which command can be entered on router R5 to configure 80 percent of the bandwidth of a link for EIGRP Autonomous System 55?

A. R5(config-if)#ip bandwidth-percent eigrp 55 80
B. R5(config-pmap-c)#priority percent 80
C. R5(config-if)#ip bandwidth-percent eigrp 80 55
D. R5(config-if)#ipv6 bandwidth-percent eigrp 80 55
E. R5(config-if)#ipv6 bandwidth-percent eigrp 55 80

Answer: A

Question 9 (same as Q.12 at http://www.digitaltut.com/nat-questions)

Which two address types are included in NAT? (Choose two)


A. inside global
B. global outside
C. outside internet
D. inside internet
E. outside local

Answer: A E

Explanation

NAT uses four types of addresses:

* Inside local address – The IP address assigned to a host on the inside network. The address
is usually not an IP address assigned by the Internet Network Information Center (InterNIC)
or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service
provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the
inside network.
* Outside global address – The IP address assigned to a host on the outside network. The
owner of the host assigns this address.

Question 10

Refer to the exhibit.

Hostname R1
!
ip vrf Yellow
rd 100:1
interface Serial0/0
ip vrf forwarding Yellow
ip address 192.168.1.1 255.255.255.0
!
router eigrp 100
network 192.168.1.1 0.0.0.0
no auto-summary
redistribute static
!
R1#ping vrf Yellow 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.1.2, timeout is 2 second:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1 is configured with VRF-Lite and can ping R2. R2 is fully configured, but it has no active
EIGRP neighbors in vrf Yellow If the configuration of R2 is complete, then which issue
prevents the EIGRP 100 neighbor relationship in vrf Yellow from forming?

A. The no auto-summary command is preventing the EIGRP neighbor relationship from forming
B. There is a Layer 1 issue that prevents the EIGRP neighbor relationship from forming
C. The interface IP addresses are not in the same subnet
D. EIGRP 100 network 192.168.1.0/24 is configured in the global routing table on R1

Answer: D

Explanation

The "network 192.168.1.1 0.0.0.0" statement should be configured under vrf Yellow as follows:

router eigrp 100
 address-family ipv4 vrf Yellow
  network 192.168.1.1 0.0.0.0

Question 11 (same as Q.1 of http://www.digitaltut.com/ospf-questions-3-2)

Which two LSA types were introduced to support OSPF for IPv6? (Choose two)

A. type 9
B. type 10
C. type 5
D. type 7
E. type 8

Answer: A E
Explanation

LSAs Type 8 (Link LSA) have link-local flooding scope. A router originates a separate link-
LSA for each attached link that supports two or more (including the originating router itself)
routers. Link-LSAs should not be originated for virtual links.

Link-LSAs have three purposes:


1. They provide the router's link-local address to all other routers attached to the link.
2. They inform other routers attached to the link of a list of IPv6 prefixes to associate with
the link.
3. They allow the router to advertise a collection of Options bits in the network-LSA
originated by the Designated Router on a broadcast or NBMA link.

LSAs Type 9 (Intra-Area Prefix LSA) have area flooding scope. An intra-area-prefix-LSA
has one of two functions:
1. It either associates a list of IPv6 address prefixes with a transit network link by referencing
a network-LSA…
2. Or associates a list of IPv6 address prefixes with a router by referencing a router-LSA. A
stub link‘s prefixes are associated with its attached router.

LSA Type 9 takes over the prefix-advertising role that LSA Type 1 and LSA Type 2 had in IPv4 OSPF (where they carried the prefixes inside an area), which changes the way the OSPF SPF algorithm is run.

Reference (and for more information): http://packetpushers.net/a-look-at-the-new-lsa-types-in-ospfv3-with-vyatta-and-cisco/

Question 12

Which two statements about DMVPN are true? (Choose two)

A. IPsec encryption is not supported with statically addressed spokes
B. It requires full-mesh connectivity on the network
C. It uses NHRP to create a mapping database of spoke addresses
D. Multicast traffic is not supported
E. It supports dynamic addresses for spokes in a hub-and-spoke VPN topology

Answer: C E

Question 13

A network engineer is configuring two dedicated Internet connections within the Internet module. One connection is the primary connection for all wired business communications, while the other is the primary connection for all customer wireless traffic. If one of the links goes down, the affected traffic needs to be redirected to the redundant link. Which current technology should be deployed to monitor this scenario?

A. IP SLA
B. MMC
C. IP SAA
D. PBR
E. IP QoS

Answer: A

Question 14

Refer to the exhibit.

access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny any

Which command do we use to control the type of routes that are processed in incoming route updates?

A. passive-interface
B. distribute-list 1 out
C. distribute-list 1 in
D. ip vrf forwarding

Answer: C

Question 15

Which two types of traffic can benefit from LLQ? (Choose two)

A. email
B. voice
C. telnet
D. video
E. file transfer

Answer: B D

Question 16

A network administrator is attempting to configure IP SLA to allow one time stamp to be logged when a packet arrives on the interface and one time stamp to be logged when a packet leaves the interface. Which IP SLA accuracy tool enables this functionality?

A. Trap
B. RTT
C. Responder
D. Trigger
E. Logging

Answer: C

Explanation

Cisco IOS IP SLA Responder is a Cisco IOS Software component whose function is to respond to Cisco IOS IP SLA request packets. The IP SLA source sends control packets before the operation starts to establish a connection to the responder. Once the control packet is acknowledged, test packets are sent to the responder. The responder inserts a time stamp when it receives a packet, factors out the destination processing time and adds time stamps to the sent packets. This feature allows the calculation of unidirectional packet loss, latency and jitter measurements with a kind of accuracy that is not possible with ping or other dedicated probe testing.

Reference:
https://www.cisco.com/en/US/technologies/tk869/tk769/technologies_white_paper0900aecd8
06bfb52.html

Question 17

Which two actions are common methods for migrating a network from one protocol to
another? (Choose two)

A. redistributing routes from the current routing protocol to the new routing protocol
B. removing the current routing protocol and implementing the new routing protocol
C. changing the relative administrative distances of the two routing protocols
D. changing the network IP addresses and bringing up the new IP addresses using the new
routing protocol
E. disabling IP routing globally and implementing the new routing protocol

Answer: A C

Question 18

Which statement best describes the following two OSPF commands, which are used to
summarize routes?

area 0 range 192.168.110.0 255.255.0.0
summary-address 192.168.110.0 255.255.0.0

A. The area range command defines the area where the network resides. The summary-address command enables autosummarization
B. The area range command defines the area where the network resides. The summary-address command summarizes a subnet for an area
C. The area range command specifies the area where the subnet resides and summarizes it to other areas. The summary-address command summarizes external routes
D. The area range command summarizes subnets for a specific area. The summary-address command summarizes a subnet for all areas

Answer: C

Explanation

An example of the use of the "area range" command is shown below:

In order for RTB to summarize routes for the 192.168.16.0/22 supernet before injecting them into Area 0, we use the command:

Router(config-router)#area 10 range 192.168.16.0 255.255.252.0

An example of using the "summary-address" command is shown below:

Recently the RIPv2 domain has been redistributed into our OSPF domain, but the administrator wants to configure a summarized route instead of 32 external type-5 LSAs (for 172.16.32.0/24 to 172.16.63.0/24) flooding into the OSPF network. In this case the administrator has to use the "summary-address" command as follows:

Router(config-router)#summary-address 172.16.32.0 255.255.224.0

Question 19

Which action is the most efficient way to handle route feedback when converting a RIPv2
network to OSPF?

A. Implement route tags
B. Implement IP prefix lists
C. Implement route maps with access lists
D. Implement distribute lists

Answer: A

Explanation

We should use a route tag to mark any routes that are redistributed from RIPv2 into OSPF. Then, when redistributing from OSPF back into RIPv2, we match on the tag we set earlier and prevent those routes from getting back into the RIPv2 domain (route feedback).

Question 20

Which types of LSAs are present in the stub area?

A. LSA type 1, 2, 3, 4 and 5
B. LSA type 1, 2 and 3
C. LSA type 3 and 5
D. LSA type 1 and 2

Answer: B

Explanation

In a stub area, no Type 5 AS-external LSAs are allowed. Only LSA types 1, 2 and 3 are permitted.

Question 21

What hop count is advertised for an unreachable network by a RIP router that uses poison reverse?

A. 16
B. 255
C. 0
D. 15

Answer: A

Question 22

Refer to the exhibit.

aaa new-model
aaa authentication login default local-case enable
aaa authentication login ADMIN local-case
username CCNP secret Str0ngP@ssw0rd!
line 0 4
login authentication ADMIN

How can you change this configuration so that when user CCNP logs in, the show run
command is executed and the session is terminated?

A. Add the autocommand keyword to the aaa authentication command
B. Assign privilege level 15 to the CCNP username
C. Add the access-class keyword to the aaa authentication command
D. Assign privilege level 14 to the CCNP username
E. Add the access-class keyword to the username command
F. Add the autocommand keyword to the username command

Answer: F

Explanation

The "autocommand" keyword causes the specified command to be issued automatically after the user logs in. When the command completes, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line. In this specific question, we have to enter this line: "username CCNP autocommand show running-config".

Question 23

Refer to the exhibit.

router ospf 10
router-id 192.168.1.1
log-adjacency-changes
redistribute bgp 1 subnets route-map BGP-TO-OSPF
!
route-map BGP-TO-OSPF deny 10
match ip address 50
route-map BGP-TO-OSPF permit 20
!
access-list 50 permit 172.16.1.0 0.0.0.255

Which statement about redistribution from BGP into OSPF process 10 is true?

A. Network 172.16.1.0/24 is not redistributed into OSPF
B. Network 10.10.10.0/24 is not redistributed into OSPF
C. Network 172.16.1.0/24 is redistributed with administrative distance of 1
D. Network 10.10.10.0/24 is redistributed with administrative distance of 20

Answer: A

Explanation

The first statement of the above route-map will prevent network 172.16.1.0/24 from being
redistributed into OSPF.

Question 24

Which functions are included in the two-message rapid exchange that a DHCPv6 client can
receive from a server?

A. solicit and reply
B. advertise and request
C. solicit and request
D. advertise and reply

Answer: A

Explanation

DHCPv6 can be implemented in two ways: Rapid-Commit and Normal-Commit mode.

In Rapid-Commit mode, the DHCP client obtains configuration parameters from the server through a rapid two-message exchange (solicit and reply).
In Normal-Commit mode, the DHCP client uses a four-message exchange (solicit, advertise, request and reply). By default, normal-commit is used.

Reference: https://community.cisco.com/t5/networking-documents/part-1-implementing-dhcpv6-stateful-dhcpv6/ta-p/3145631

Question 25
Refer to the exhibit.

(exhibit missing)

Which key chain is being used for authentication of EIGRP adjacency between R4 and R2?

A. KEY
B. MD5
C. EIGRP
D. CISCO

Answer: D

Question 26

Which two statements about redistributing EIGRP into OSPF are true? (Choose two)

A. The redistributed EIGRP routes appear as type 3 LSAs in the OSPF database
B. The redistributed EIGRP routes appear as type 5 LSAs in the OSPF database
C. The administrative distance of the redistributed routes is 170
D. The redistributed EIGRP routes appear as OSPF external type 1
E. The redistributed EIGRP routes are placed into an OSPF area whose area ID matches the EIGRP autonomous system number
F. The redistributed EIGRP routes appear as OSPF external type 2 routes in the routing table

Answer: B F

Question 27

A network engineer executes the show ip flow interface command. Which type of
information is displayed on the interface?

A. route cache information
B. IP Cisco Express Forwarding statistics
C. error statistics
D. NetFlow configuration

Answer: D

Explanation

The command "show ip flow interface" displays the NetFlow accounting configuration for interfaces. Below is an example of the output of this command:

R1# show ip flow interface
GigabitEthernet0/0
  ip flow ingress
  ip flow egress

Question 28

Which two statements are differences between AAA with TACACS+ and AAA with
RADIUS? (Choose two)

A. Only RADIUS uses TCP
B. Unlike TACACS+, RADIUS sends packets with only the password encrypted.
C. Unlike TACACS+, RADIUS supports accounting and authorization only
D. Only TACACS+ uses TCP
E. Only TACACS+ combines authentication and authorization

Answer: B D

Question 29

Which IOS commands can you use to limit the CPU impact of log generation and
transmission on an IOS router?

A. You can use the ip access-list logging interval command in conjunction with the logging rate-limit command.
B. You can use the ip access-list logging limit command in conjunction with the logging rate-interval command.
C. You can use the ip access-list syslog-logging interval command in conjunction with the logging rate-limit command.
D. You can use the ip access-list logged interval command in conjunction with the logged rate-limit command.

Answer: A

Question 30

You are configuring a Microsoft client to call a PPP server using CHAP. Only the client will be authenticated, but the client's password has expired and must be changed. Which PPP server configuration allows the call to be completed?

A. ppp authentication ms-chap callin
B. ppp authentication chap
C. ppp authentication ms-chap-v2 callin
D. ppp authentication chap callin
E. ppp authentication ms-chap-v2

Answer: C

Explanation

The MSCHAP Version 2 supports the Password Aging feature, which notifies clients that the
password has expired and provides a generic way for the user to change the password.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-
mt/sec-usr-aaa-15-mt-book/mschap_version_2.pdf

Note: The "callin" keyword specifies that the router will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the router sends -> Only the client will be authenticated.

Question 31

Which command creates a manual summary on an interface when using EIGRP?

A. area 100 range 172.32.0.0 255.255.254.0
B. summary-address eigrp 100 172.32.0.0 255.255.254.0
C. ip summary-address eigrp 100 172.32.0.0 255.255.254.0
D. ip summary-address 100 172.32.0.0 255.255.254.0

Answer: C

Question 32

A network engineer wants to implement an SNMP notification process for host machines
using the strongest security available. Which command accomplishes this task?

A. router(config)#snmp-server host 172.16.200.225 traps v2c auth
B. router(config)#snmp-server host 172.16.200.225 traps v1
C. router(config)#snmp-server host 172.16.200.225 traps v3
D. router(config)#snmp-server host 172.16.200.225 traps v2c

Answer: C

Explanation

SNMPv1 and SNMPv2c did not focus much on security: their only access control is the community string, which is really just a clear-text password (no encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and interception.
SNMPv3 provides significant enhancements to address the security weaknesses of the earlier versions. The concept of a community string does not exist in this version. SNMPv3 provides far more secure communication using entities, users and groups. This is achieved by implementing three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: using password hashing (based on the HMAC-MD5 or HMAC-SHA algorithms) to ensure the message is from a valid source on the network.
+ Privacy (encryption): using encryption (56-bit DES, for example) to encrypt the contents of a packet.

Note: Although SNMPv3 offers better security, SNMPv2c is still more common.

Question 33

Which issue is important to address when integrating two networks with different routing
protocol?

A. preventing UDP starvation
B. handling IPv4 fragmentation
C. controlling unicast flooding
D. mitigating UDP latency
E. preventing asymmetric routing

Answer: E

Question 34

Drag and drop the DMVPN components from the left onto the correct descriptions on the
right.

Answer:

hub – device that acts as the next-hop server
spoke – device that is usually identified with a dynamic address
mGRE – technology that allows one interface to support multiple tunnels
NHRP – protocol that allows spokes to communicate directly with one another

Question 35

Refer to the exhibit.

%Interface GigabitEthernet1: IPv4 disabled and address(es) removed due to enabling VRF CUST_A

An engineer is enabling VPN service for a customer and notices this output when placing the
customer-facing interface into a VRF. Which action corrects the issue?

A. Reconfigure the IP address on Gigabit Ethernet 1
B. Disabling the VRF CUST_A
C. Reset interface Gigabit Ethernet 1
D. Enabling IPv6 on the interface

Answer: A

Explanation

If the interface was assigned an IP address before being placed into a VRF, that IP address is removed when the VRF is enabled, so we have to reconfigure it.

Question 36

Which two statements about VRF-Lite configurations are true? (Choose two)

A. They support the exchange of MPLS labels
B. Different customers can have overlapping IP addresses on different VPNs
C. They support a maximum of 512,000 routes
D. Each customer has its own dedicated TCAM resources
E. Each customer has its own private routing table.
F. They support IS-IS

Answer: B E

Explanation

In VRF-Lite, the Route Distinguisher (RD) identifies the customer routing table and "allows customers to be assigned overlapping addresses". The example below shows overlapping IP addresses configured on two interfaces which belong to two different VPNs:

Router(config)#ip vrf VRF_BLUE
Router(config-vrf)# rd 100:1
Router(config-vrf)# exit
Router(config)#ip vrf VRF_GREEN
Router(config-vrf)# rd 100:2
Router(config-vrf)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip vrf forwarding VRF_BLUE
Router(config-if)# ip address 10.0.0.1 255.0.0.0
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/2
Router(config-if)# ip vrf forwarding VRF_GREEN
Router(config-if)# ip address 10.0.0.1 255.0.0.0

Question 37

Which two statements about PPPoE packet types are true? (Choose two)

A. PADR is a broadcast packet sent from the client to request a new server
B. PADI is an initialization packet sent as a broadcast message
C. PADO is a unicast reply packet sent to the client
D. PADO is a broadcast reply packet sent to the client
E. PADR is a unicast confirmation packet sent to the client

Answer: B C

Explanation

+ PPPoE Active Discovery Initiation (PADI): The client initiates a session by broadcasting
a PADI packet to the LAN to request a service.
+ PPPoE Active Discovery Offer (PADO): Any access concentrator that can provide the
service requested by the client in the PADI packet replies with a PADO packet that contains
its own name, the unicast address of the client, and the service requested. An access
concentrator can also use the PADO packet to offer other services to the client.
+ PPPoE Active Discovery Request (PADR): From the PADOs it receives, the client selects
one access concentrator based on its name or the services offered and sends it a PADR packet
to indicate the service or services needed.
+ PPPoE Active Discovery Session-Confirmation (PADS): When the selected access
concentrator receives the PADR packet, it accepts or rejects the PPPoE session:
– To accept the session, the access concentrator sends the client a PADS packet with a unique
session ID for a PPPoE session and a service name that identifies the service under which it
accepts the session.
– To reject the session, the access concentrator sends the client a PADS packet with a service
name error and resets the session ID to zero.
+ After a session is established, the client or the access concentrator can send a PPPoE Active
Discovery Termination (PADT) packet anytime to terminate the session. The PADT packet
contains the destination address of the peer and the session ID of the session to be terminated.
After this packet is sent, the session is closed to PPPoE traffic.

Question 38
Which two statements are examples of the differences between IPv4 and IPv6 EIGRP?
(Choose two)

A. Network command is used in IPv6
B. DUAL is not used for route calculations
C. DUAL is used for route calculations
D. IPv6 keyword is used in many EIGRP commands
E. Network command is not used in IPv6

Answer: D E

Explanation

Although the configuration and management of EIGRP for IPv4 and EIGRP for IPv6 are
similar, they are configured and managed separately. A few (not all) examples of differences
include these:
+ The network command is not used in IPv6; EIGRP is configured via links.
+ The ipv6 keyword is used in many of the EIGRP commands.
+ EIGRP for IPv6 needs to be explicitly enabled on each interface.

Note:

The following are a few (not all) examples of similarities shared by IPv4 EIGRP and IPv6
EIGRP:
+ DUAL is used for route calculation and selection with the same metrics.
+ It is scalable to large network implementations.
+ Neighbor, routing, and topology tables are maintained.
+ Both equal-cost load balancing and unequal-cost load balancing are offered.

Reference: http://www.ciscopress.com/articles/article.asp?p=2137516&seqNum=4

Question 39

Refer to the exhibit.

VRF HUB (VRF Id = 3); default RD 100:10; default VPNID <not set>
New CLI format, supports multiple address-families
Flags: 0x180C
Interfaces:
  G1/1
Address family ipv4 unicast (Table ID = 0x3)
  Flags: 0x0
  Export VPN route-target communities
    RT 100:10
  Import VPN route-target communities
    RT 100:10  RT 200:20
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001)
[Output omitted]

VRF SPOKE (VRF Id = 4); default RD 200:20; default VPNID <not set>
New CLI format, supports multiple address-families
Flags: 0x180C
Interfaces:
  G1/2
Address family ipv4 unicast (Table ID = 0x4)
  Flags: 0x0
  Export VPN route-target communities
    RT 200:20
  Import VPN route-target communities
    RT 200:20
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001)
[Output omitted]

A network engineer is modifying configurations for a customer that currently uses VPN connectivity between their sites. The customer has added a new spoke site, but it does not have reachability to servers located at the hub. Based on the output, which statement describes the cause?

A. The interfaces of VRF HUB and VRF SPOKE do not match
B. The HUB VRF is not exporting Route-Target 200:20
C. The default VPNID is not set on VRF HUB or VRF SPOKE
D. The SPOKE VRF is not importing Route-Target 100:10

Answer: D

Question 40

Which statement about dynamic NAT is true?

A. It creates a one-to-one mapping of inside addresses to a global address
B. It uses the overload command to map addresses
C. It maps inside addresses to different port numbers
D. It maps inside addresses to a pool of global addresses

Answer: D

Question 41

Which statement about the IP SLA feature is true?

A. It ensures that there are appropriate levels of service for network applications
B. It classifies various traffic types by examining information within Layers 3 through 7.
C. It measures how the network treats traffic for specific applications by generating traffic
that bears similar characteristics to application traffic
D. It keeps track of the number of packets and bytes that are observed in each flow by storing
information in a cache flow

Answer: C

Question 42

A network engineer is enabling conditional debugging and executes two commands: debug condition interface serial0/0 and debug condition interface serial0/1. Which debugging output is displayed as a result?

A. Interface cannot be used as a debug condition.
B. Output is displayed for both specified interfaces.
C. Output is displayed for interface serial 0/1 only.
D. Output is displayed for interface serial 0/0 only.

Answer: B

Question 43

What is the DHCP option to download TFTP info to a Cisco phone?

A. option 57
B. option 82
C. option 66
D. option 68

Answer: C

Explanation

For Cisco phones, IP addresses can be assigned manually or by using DHCP. The phones also
require access to a TFTP server that holds their configuration files (.cnf format), which is
what lets a phone register with Cisco CallManager.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone
starts, if it does not have both its own IP address and the TFTP server address pre-configured, it
requests option 150 from the DHCP server to obtain this information.
DHCP option 150 is Cisco proprietary. The IETF standard option that serves the same purpose is
option 66 ("TFTP server name", RFC 2132). Like option 150, option 66 is used to hand out the
TFTP server; the difference is that option 150 carries a list of IP addresses, while option 66
carries a single server name.

Question 44

Which type of address does OSPFv3 use to form adjacencies and send updates?
A. FF02::5
B. link-local
C. IPv4 address
D. IPv6 address multicast

Answer: B

Question 45 (same as Question 7 of http://www.digitaltut.com/new-route-questions-part-2)

What security feature is supported across all SNMP versions?

A. authpriv
B. noauthnopriv
C. authnopriv
D. noauthpriv

Answer: B

Question 46 (posted at Question 4 of http://www.digitaltut.com/ip-services-questions)

A network engineer executes the show crypto ipsec sa command. Which three pieces of
information are displayed in the output? (Choose three)

A. inbound crypto map
B. remaining key lifetime
C. path MTU
D. tagged packets
E. untagged packets
F. invalid identity packets

Answer: A B C

Explanation

This command shows IPsec Security Associations (SAs) built between peers. An example of
the output of above command is shown below:

Router#show crypto ipsec sa
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

The first part shows the interface and the crypto map name that are associated with the interface.
Then the inbound and outbound SAs are shown. These are either AH or ESP SAs. In this
case, because only ESP was used, there are no AH inbound or outbound SAs. Two fields in each
SA are worth a second look on a real device: the transform line (esp-3des esp-md5-hmac here;
3DES and MD5 are legacy algorithms) and the remaining key lifetime (4608000 KB / 52 seconds
here), which tells you how close the SA is to rekeying.

Note: "inbound crypto map" in answer A most likely refers to the crypto map name shown in the
output.
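The output above is easy to read once, but on a device with dozens of SAs you want to parse it. The following Python script is an added example and is not part of the original page or of Cisco's tooling: it splits the output into one record per SA, pulls out the fields the question asks about (crypto map, path MTU, remaining key lifetime) and flags legacy transforms. The sample text is the output quoted above, re-typed as a string; which transforms count as weak is this example's own policy, not something the page states.

```python
"""Parse 'show crypto ipsec sa' output into per-SA records and audit them.
Added example, not code from the page: SAMPLE_OUTPUT is the output quoted
above (re-typed, blank lines removed), and the list of transforms treated
as weak is this example's own policy."""
import re

SAMPLE_OUTPUT = """\
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
"""

# Legacy transforms to flag (policy assumed for this example).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "ah-md5-hmac"}

HEADER_RE = re.compile(r"^Crypto map tag: (\S+), local addr\.? (\S+)")
PEER_RE = re.compile(r"^current_peer: (\S+)")
MTU_RE = re.compile(r"^path mtu (\d+), media mtu (\d+)")
SA_SECTION_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
SPI_RE = re.compile(r"^spi: 0x([0-9A-Fa-f]+)\((\d+)\)")
TRANSFORM_RE = re.compile(r"^transform: (.+?)\s*,?$")
LIFETIME_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
REPLAY_RE = re.compile(r"^replay detection support: ([YN])")


def parse_ipsec_sa(text: str) -> dict:
    """Return crypto-map level fields plus one dict per SA found."""
    info = {"crypto_map": None, "local_addr": None, "peer": None,
            "path_mtu": None, "media_mtu": None, "sas": []}
    direction = proto = None
    sa = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            info["crypto_map"], info["local_addr"] = m.group(1), m.group(2)
        elif m := PEER_RE.match(line):
            info["peer"] = m.group(1)
        elif m := MTU_RE.match(line):
            info["path_mtu"], info["media_mtu"] = int(m.group(1)), int(m.group(2))
        elif m := SA_SECTION_RE.match(line):
            direction, proto = m.group(1), m.group(2)
            sa = None                      # a section with no spi line holds no SA
        elif m := SPI_RE.match(line):
            sa = {"direction": direction, "protocol": proto, "spi": int(m.group(1), 16),
                  "transforms": [], "remaining_kb": None, "remaining_sec": None,
                  "replay_detection": None}
            info["sas"].append(sa)
        elif sa is not None:
            if m := TRANSFORM_RE.match(line):
                sa["transforms"] = m.group(1).split()
            elif m := LIFETIME_RE.search(line):
                sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif m := REPLAY_RE.match(line):
                sa["replay_detection"] = m.group(1) == "Y"
    return info


def audit_sas(info: dict, min_remaining_sec: int = 60) -> list:
    """One finding per problem: legacy transform, imminent expiry, anti-replay off."""
    findings = []
    for sa in info["sas"]:
        tag = f"{sa['direction']} {sa['protocol']} spi 0x{sa['spi']:X}"
        weak = sorted(set(sa["transforms"]) & WEAK_TRANSFORMS)
        if weak:
            findings.append(f"{tag}: legacy transform(s) {', '.join(weak)}")
        if sa["remaining_sec"] is not None and sa["remaining_sec"] < min_remaining_sec:
            findings.append(f"{tag}: only {sa['remaining_sec']}s of key lifetime left, check that rekey succeeds")
        if sa["replay_detection"] is False:
            findings.append(f"{tag}: anti-replay disabled")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_OUTPUT)
    print(f"crypto map {parsed['crypto_map']} peer {parsed['peer']} path mtu {parsed['path_mtu']}")
    for finding in audit_sas(parsed):
        print(finding)
```

On the sample output the audit reports both ESP SAs for the 3DES/MD5 transform set and for the 52 seconds of lifetime left; the second finding is only interesting if the counter does not reset shortly afterwards, which is why the threshold is a parameter.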

Question 47

Drag drop about AAA.

Answer:

+ Auth-proxy: It returns information about hosts using proxy service
+ Commands: It returns information about individual EXEC commands and permissions
associated with a privilege level
+ Connection: It returns information about outbound communications from the network
access server
+ Exec: It returns information about user EXEC terminal sessions with the network access
server
+ Network: It returns information about SLIP, PPP and ARA sessions
+ Resource: It returns information about calls that have passed and failed user authentication

Question 48

What are two reasons to use multicast to deliver video traffic, instead of unicast or broadcast?
A. It provides reliable TCP transport
B. It enables multiple servers to send video streams simultaneously
C. It enables multiple clients to send video stream simultaneously
D. It supports distributed applications
E. It enables multiple clients to receive the video stream simultaneously

Answer: D E

Question 48

Which two statements about PAP authentication in a PPP environment are true? (Choose
two)

A. It is performed at the beginning of the session only
B. It sends the password in clear text
C. It uses a username with an MD5 password to authenticate
D. It hashes the password before sending it
E. It is performed at the beginning of the session and is repeated periodically for as long as
the session is maintained

Answer: A B

Explanation

PPP has two built-in authentication mechanisms: Password Authentication Protocol
(PAP) and Challenge Handshake Authentication Protocol (CHAP).

Password Authentication Protocol (PAP) is a very simple authentication protocol. The
client that wants to access a server sends its username and password in clear text. The server
checks the validity of the username and password and either accepts or denies the connection.
This is called a two-way handshake. In the PAP two-way handshake, the username and
password are sent in the first message, so anyone who can capture the link learns the password.

Another difference between PAP and CHAP is that PAP performs authentication at the initial link
establishment only, while CHAP performs authentication at the initial link establishment and
periodically after that. The CHAP challenge is random and unique, so the "result" is also unique
each time. This prevents a replay attack (in which an attacker copies the "result"
sent by the client and reuses it later).

Question 49

Which two tasks should you perform to begin troubleshooting a network problem? (Choose
two)

A. Gather all the facts
B. Define the problem as a set of symptoms and causes
C. Implement an action plan
D. Monitor and verify the resolution
E. Analyse the results

Answer: A B

Explanation

The main elements of diagnosis are as follows:

Gathering information: Gathering information happens after the problem has been reported
by the user (or anyone). This might include interviewing all parties (users) involved, plus any
other means to gather relevant information. Usually, the problem report does not contain
enough information to formulate a good hypothesis without first gathering more information.
Information and symptoms can be gathered directly, by observing processes, or indirectly, by
executing tests.
Analyzing information: After the gathered information has been analyzed, the
troubleshooter compares the symptoms against his knowledge of the system, processes, and
baselines to separate normal behavior from abnormal behavior.

Reference: http://www.ciscopress.com/articles/article.asp?p=2273070

Question 50

Which two pieces of information can you learn by viewing the routing table? (Choose two)

A. Whether an ACL was applied inbound or outbound to an interface
B. Whether the administrative distance was manually or dynamically configured
C. Which neighbor adjacencies are established
D. The EIGRP or BGP autonomous system
E. The length of time that a route has been known

Answer: B E

Question 51

Which two facts must you take into account when you deploy PPPoE? (Choose two)

A. DDR idle timers must be configured to support VPDN login.
B. PPPoE supports a maximum of 10 clients per customer premises equipment
C. DDR is not supported
D. You must manually configure IP addresses on the PPPoE interface
E. An individual PVC can support one PPPoE client

Answer: B

Explanation

The PPPoE Client DDR Idle Timer feature supports the dial-on-demand routing (DDR)
interesting traffic control list functionality of the dialer interface with a PPP over Ethernet
(PPPoE) client, but also keeps original functionality (PPPoE connection up and always on
after configuration) for those PPPoE clients that require it.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbpecls.html

But it is just an optional feature, and DDR idle timers do not need to be configured to
support VPDN login -> Answer A is not correct.

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html

The PPPoE client does not support the following:

+ More than ten clients per customer premises equipment (CPE) -> This means a CPE can
support up to 10 clients, so answer B is correct.

DDR has been supported with PPPoE since IOS 12.2 -> Answer C is not correct.

The PPPoE dialer interface can obtain its address dynamically from the access concentrator
(ip address negotiated, via IPCP), so manual addressing is not required -> Answer D is not correct.

Prior to Cisco IOS Release 12.4(15)T, one ATM PVC supported one PPPoE client. With the
introduction of the Multiple PPPoE Client feature in Cisco IOS Release 12.4(15)T, one ATM
PVC supports multiple PPPoE clients, allowing a second line connection and redundancy.
Multiple PPPoE clients can run concurrently on different PVCs, but each PPPoE client must
use a separate dialer interface and a separate dialer pool. Answer E describes the original
behaviour and may therefore still be considered correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/15-
mt/bba-15-mt-book/bba-ppoe-client.pdf

Router Questions
https://www.digitaltut.com/router-questions

Question 1

What command can you enter to configure an enable password that uses an encrypted
password from another configuration?

A. enable secret $abc%!e.Cd34$!ao0
B. enable secret 7 Sabc%!e.Cd34$!ao0
C. enable secret 0 Sabc%U*.Cd34$!ao0
D. enable secret 5 $abc%!e.Cd34$!ao0
E. enable secret 15 $abc%ie.Cd34$!ao0
F. enable secret 6 $abc%!e.Cd34$!ao0

Answer: D

Explanation

To determine which scheme has been used to encrypt a specific password, check the digit
preceding the encrypted string in the configuration file. If that digit is a 7, the password has
been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.

For example, in the configuration command:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

The enable secret has been hashed with MD5, whereas in the command:

username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

The password has been encrypted using the weak reversible algorithm.

When we enter the "enable secret" command with a number after it, the IOS takes the number to
mean that the string is already encrypted or hashed, so it stores it as-is instead of hashing it
again.

In newer Cisco IOS (v15+), the device no longer accepts "enable secret 7 ..." as an encrypted
password. We tried it on Cisco IOS 15.4 and saw this:

When we entered the command "enable secret 7
07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D", the IOS automatically changed it to
"enable secret 5 $1$dLq2$qgzb4bgdsasX8dx1oHOkD." in the running-config: the type 7 string
itself was hashed as if it were the cleartext password. So if you paste an "enable secret 7 ..."
command from an old Cisco IOS version, you can no longer log in with your original password.

Note: In fact, there is an error in answer D. When we entered the command in answer D, the
router rejected the string because it is not a valid MD5-crypt hash (a type 5 string has the form
$1$<salt>$<22 characters>). That means the router also checks whether the hash is well-formed.
But D is still the best answer to this question.
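To see why type 7 offers no protection while a well-formed type 5 string does, here is an added Python example (not code from the page or from Cisco): it scans the password lines of a saved configuration, decodes any type 7 string with the publicly known IOS key, checks that type 5 strings have the $1$<salt>$<22 chars> shape the router insists on, and reports cleartext passwords. The sample configuration is constructed for the example; its type 7 string and first type 5 hash are the ones quoted in the explanation above, and its last line is the string from answer D.

```python
"""Audit the password lines of a saved IOS configuration: decode reversible
type 7 strings, check that type 5 strings have the MD5-crypt shape the router
expects, and flag anything weaker. Added example, not code from the page;
SAMPLE_CONFIG is constructed for it."""
import re

# Fixed XOR key used by IOS type 7 "encryption"; it has been public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# <keyword> [<type>] <value>; covers enable secret/password and username lines
LINE_RE = re.compile(
    r"^\s*(?P<keyword>enable (?:secret|password)|username \S+ (?:privilege \d+ )?(?:secret|password))"
    r"\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)
# MD5-crypt: "$1$" + salt (up to 8 chars) + "$" + 22 base64-ish chars
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def decode_type7(encoded: str) -> str:
    """First two digits give the key offset; each following hex pair is a
    plaintext byte XORed with the key byte at that position."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))


def classify(ptype: str, value: str):
    """Return (verdict, recovered plaintext or None) for one password value."""
    if ptype == "0":
        return "cleartext", value
    if ptype == "7":
        return "type7-reversible", decode_type7(value)
    if ptype == "5":
        return ("type5-md5crypt" if TYPE5_RE.match(value) else "type5-malformed"), None
    if ptype in ("8", "9"):   # PBKDF2-SHA256 / scrypt, stored as "$8$salt$hash" / "$9$salt$hash"
        ok = value.startswith(f"${ptype}$")
        return (f"type{ptype}-strong" if ok else f"type{ptype}-malformed"), None
    return f"type{ptype}-unknown", None


def audit_config(config: str) -> list:
    """Return (line number, verdict, plaintext-or-None) for every password line."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict, plain = classify(m.group("type") or "0", m.group("value"))
        findings.append((lineno, verdict, plain))
    return findings


# Constructed sample; not a real device configuration.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
enable password lab123
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username ops privilege 15 secret 5 $abc%!e.Cd34$!ao0
"""

if __name__ == "__main__":
    for lineno, verdict, plain in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {verdict}" + (f" -> {plain!r}" if plain else ""))
```

Running it decodes the type 7 string from the explanation into a readable sentence, which is exactly what an attacker does with any configuration backup they get hold of. Treat type 7 and cleartext lines as findings; type 5 is the minimum that should appear in a stored configuration, and type 8 or 9 (enable algorithm-type scrypt) is preferable where the IOS version supports it.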

Question 2

What is the optimal location from which to execute a debug command that produces an
excessive amount of information?

A. Vty lines
B. SNMP commands
C. A console port
D. An AUX port

Answer: A

Explanation

Excessive debugs to the console port of a router can cause the router to hang. This is because
the router automatically prioritizes console output ahead of other router functions. Hence if
the router is processing a large debug output to the console port, it may hang. Hence, if the
debug output is excessive use the vty (telnet) ports or the log buffers to obtain your
debugs.

Note: By default, logging is enabled on the console port. Hence, the console port always
processes debug output even if you are actually using some other port or method (such as
Aux, vty or buffer) to capture the output. Hence, Cisco recommends that, under normal
operating conditions, you have the no logging console command enabled at all times and use
other methods to capture debugs.

To enable logging on your virtual terminal connection (telnet or SSH), use the "terminal
monitor" command in privileged EXEC mode (Router#).

Reference: http://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-
digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html

Question 3

Which two options are causes of out-of-order packets? (Choose two)

A. a routing loop
B. a router in the packet flow path that is intermittently dropping packets
C. high latency
D. packets in a flow traversing multiple paths through the network
E. some packets in a flow being process-switched and others being interrupt-switched on a
transit Router

Answer: D E

Explanation

Per-packet load balancing means that the router sends one packet for destination1 over the
first path, the second packet for (the same) destination1 over the second path, and so on. Per-
packet load balancing guarantees an equal load across all links. However, packets may arrive
out of order at the destination because differential delay may exist within the network ->
Answer D is correct.

When searching the routing table, the router looks for the longest match for the destination IP
address prefix. When this is done at "process level" (process switching), the lookup is just
another process queued among the other CPU processes.

Interrupt-level switching (fast switching or CEF) means that when a packet arrives, an interrupt is
triggered that causes the CPU to postpone other tasks in order to handle that packet immediately.

Process switching is therefore much slower than interrupt-level switching. If some packets of a
flow are process-switched while others are interrupt-switched, the interrupt-switched packets can
overtake the process-switched ones and arrive out of order -> Answer E is correct.

Question 4

Where the output will be shown of the command debug condition interface fa0/1?

A. It will show on interface f0/1
B. It will show on interface f0/0
C. Both interfaces will show debugging output
D. An interface cannot be used as a condition

Answer: A or C

Explanation

The "debug condition interface <interface>" command limits debugging output to the specified
interface (debugging messages for all other interfaces are suppressed), so in this case the debug
output is shown for Fa0/1 only.

Note: If another "debug condition interface fa0/0" command were also configured, the answer
would be C (both interfaces would show debugging output).

Question 5

Which security feature can you enable to control access to the VTY lines on a router?
A. exec-timeout
B. logging
C. username and password
D. transport output

Answer: C

Explanation

There are a few simple steps you can follow to make your VTY lines as secure as possible. The
easiest is to require username/password authentication (ideally against a AAA server). Other
measures are to apply an access-class to restrict which source IP addresses may connect, and to
allow only SSH (transport input ssh) so that the management session is encrypted.

Question 6

Under which circumstance will a branch ISR router contain interface vlan configurations?

A. performing inter-VLAN routing
B. performing 802.1Q trunking
C. performing ISL trunking
D. Ethernet Switch Module installed
E. ADSL WIC installed
F. running Call Manager Express

Answer: D

Explanation

An Integrated Services Router (ISR) can be fitted with an Ethernet Switch Module to
perform both IP routing and inter-VLAN routing. With this module installed, the ISR router
contains interface vlan configurations.

Question 7

What is the minimum privilege level to enter all commands in usermode?

A. Level 14
B. Level 0
C. Level 1
D. Level 15

Answer: C
Question 8

Which two statements about password-protecting device access are true? (Choose two)

A. The more system:running-config command displays encrypted passwords in clear text
B. The service password-encryption command forces a remote device to encrypt the
password
C. A network administrator can recover an encrypted password
D. The privilege level command controls the commands a specific user can execute
E. The password can be encrypted in the running configuration

Answer: D E

Access List
https://www.digitaltut.com/access-list

Question 1

What does the following access list, which is applied on the external interface FastEthernet
1/0 of the perimeter router, accomplish?
router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router (config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router (config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router (config)#access-list 101 permit ip any any
router (config)#interface FastEthernet 1/0
router (config-if)#ip access-group 101 in

A. It prevents incoming traffic from IP address ranges 10.0.0.0 – 10.0.0.255, 172.16.0.0 –
172.31.255.255, 192.168.0.0 – 192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and
logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any
intrusion attempts.
D. It prevents private internal addresses to be accessed directly from outside.

Answer: C

Explanation

Answer A is not correct because the 10.0.0.0 range is wrong: the wildcard mask 0.255.255.255
covers 10.0.0.0 to 10.255.255.255, not 10.0.0.0 to 10.0.0.255. Answer C describes the ACL
correctly: it drops packets arriving on the outside interface with RFC 1918 (private) source
addresses, which cannot be legitimate Internet sources and so must be spoofed, and logs each
match.

Question 2
Refer to the following access list.
access-list 100 permit ip any any log

After applying the access list on a Cisco router, the network engineer notices that the router
CPU utilization has risen to 99 percent. What is the reason for this?

A. A packet that matches an access-list entry with the "log" keyword is Cisco Express Forwarding
switched.
B. A packet that matches an access-list entry with the "log" keyword is fast switched.
C. A packet that matches an access-list entry with the "log" keyword is process switched.
D. A large amount of IP traffic is being permitted on the router.

Answer: C

Explanation

Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the
network or is dropped by network devices. Unfortunately, ACL logging can be CPU
intensive and can negatively affect other functions of the network device. There are two
primary factors that contribute to the CPU load increase from ACL logging: process
switching of packets that match log-enabled access control entries (ACEs) and the
generation and transmission of log messages.

Process switching is the slowest switching method (compared with fast switching and Cisco
Express Forwarding) because every packet requires a routing table lookup and the construction of
a new Layer 2 frame header. With process switching, when a packet comes in, the scheduler calls
a process that examines the routing table, determines which interface the packet should be
switched to and then switches the packet. The problem is that this happens for every packet, and
a "permit ip any any log" entry forces every packet through that path.

Reference: http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Question 3

For troubleshooting purposes, which method can you use in combination with the "debug ip
packet" command to limit the amount of output data?

A. You can disable the IP route cache globally.
B. You can use the KRON scheduler.
C. You can use an extended access list.
D. You can use an IOS parser.
E. You can use the RITE traffic exporter.

Answer: C
Explanation

If you use the "debug ip packet" command on a production router, you can bring it down,
since it generates output for every packet and the output can be extensive. The best way to
limit the output of debug ip packet is to create an access list and reference it in the debug
command. Only packets that match the access list are subject to debug ip packet. For example,
this is how to monitor traffic from 1.1.1.1 to 2.2.2.2:

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
debug ip packet 100

Note: The "debug ip packet" command only shows packets that are process-switched by the
router; fast-switched and CEF-switched packets are not displayed.

Question 4

Which outbound access list, applied to the WAN interface of a router, permits all traffic
except for http traffic sourced from the workstation with IP address 10.10.10.1?

A. ip access-list extended 200
deny tcp host 10.10.10.1 eq 80 any
permit ip any any

B. ip access-list extended 10
deny tcp host 10.10.10.1 any eq 80
permit ip any any

C. ip access-list extended NO_HTTP
deny tcp host 10.10.10.1 any eq 80

D. ip access-list extended 100
deny tcp host 10.10.10.1 any eq 80
permit ip any any

Answer: D

Question 5

A route map uses an ACL, if the required matching is based on which criteria?

A. addressing information
B. route types
C. AS paths
D. metrics
Answer: A

Question 6

Which configuration can you apply to a device so that it always blocks the outbound web
traffic on Saturdays and Sunday between the hours of 1:00 AM and 11:59 PM?

A. time-range SATSUN absolute Saturday Sunday 1:00 to 23:59
access-list 102 permit tcp any any eq 80 time-range SATSUN
access-list 102 permit tcp any any eq 443 time-range SATSUN
interface Vlan 303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in

B. time-range SATSUN periodic Saturday Sunday 1:00 to 23:59
access-list 102 permit tcp any any eq 80 time-range SATSUN
access-list 102 permit tcp any any eq 443 time-range SATSUN
interface Vlan 303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in

C. time-range SATSUN periodic Saturday Sunday 1:00 to 11:59
access-list 102 permit tcp any any eq 80 time-range SATSUN
access-list 102 permit tcp any any eq 443 time-range SATSUN
interface Vlan 303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in

D. time-range SATSUN absolute Saturday Sunday 1:00 to 11:59
access-list 102 permit tcp any any eq 80 time-range SATSUN
access-list 102 permit tcp any any eq 443 time-range SATSUN
interface Vlan 303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in

Answer: B

Explanation

+ The question asks to "always" block the traffic (every week), so we must use the keyword
"periodic"; "absolute" defines a single start and end date/time.
+ Traffic should be blocked until 11:59 PM, which is 23:59 in 24-hour notation.

Note: The time is specified in 24-hour format (hh:mm), where the hours range from 0 to 23 and
the minutes range from 0 to 59.
Only answer B satisfies these two requirements, so it is the best answer. Strictly speaking, none
of the answers is correct as written: the access list should deny web traffic, whereas all four
permit it.

Question 7

Allowing website access between certain times

Answer: Filters using Time-Based ACLs

Question 8

Which two different configurations can you apply to a device to block incoming SSH access?
(Choose two)

A. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
ipv6 access-list VTY-ACCESS-IN out

B. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
ipv6 access-class VTY-ACCESS-IN out

C. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
line vty 0 15
ipv6 access-class VTY-ACCESS-IN in

D. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
interface Ethernet0/0
ipv6 traffic-filter VTY-ACCESS-IN in

E. ipv6 access-list VTY-ACCESS-IN
sequence 10 deny tcp any any eq 22
sequence 20 permit ipv6 any any
interface Ethernet0/0
ipv6 traffic-filter VTY-ACCESS-IN out

Answer: C D
Explanation

The "ipv6 traffic-filter" command filters IPv6 traffic transiting an interface, while the
"ipv6 access-class" command (applied under the VTY lines) filters IPv6 traffic destined to the
router itself. To block incoming SSH the filter must be applied in the inbound direction: answer B
applies it outbound, which only restricts connections the router itself opens from the VTY
lines, and answer A uses a command that does not exist under line configuration.

Question 9

Which access list entry checks for an ACK within a packet header?

A. access-list 49 permit ip any any eq 21 tcp-ack
B. access-list 49 permit tcp any any eq 21 tcp-ack
C. access-list 149 permit tcp any any eq 21 established
D. access-list 49 permit tcp any any eq 21 established

Answer: C

Explanation

The established keyword is only applicable to TCP access list entries. It matches TCP segments
that have the ACK and/or RST control bit set (regardless of the source and destination ports),
which assumes that a TCP connection has already been set up from the other direction, since the
very first segment of a connection (the SYN) has neither bit set. Numbered ACLs 1-99 are
standard ACLs and cannot match on protocol or flags, which is why only answer C (an extended
ACL, 100-199) is valid.
Let's see an example below:

Suppose you only want to allow the hosts inside your company to telnet to an outside server but
not vice versa; you can simply use an "established" access list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

Note:

Suppose host A wants to start communicating with host B using TCP. Before they can send
real data, a three-way handshake must be completed first. Let's see how this process takes
place:
1. First host A sends a SYN message (a TCP segment with the SYN flag set to 1; SYN is
short for SYNchronize) to indicate it wants to set up a connection with host B. This message
includes a sequence (SEQ) number for tracking purposes. This sequence number can be any
32-bit number (range 0 to 2^32 - 1), so we use "x" to represent it.

2. After receiving the SYN message from host A, host B replies with a SYN-ACK message (some
books call it "SYN/ACK" or "SYN, ACK"; ACK is short for ACKnowledge).
This message includes a SYN sequence number and an ACK number:
+ The SYN sequence number (let's call it "y") is a random number and has no
relationship with host A's SYN SEQ number.
+ The ACK number is the next number after host A's SYN sequence number, so we
represent it as "x+1". It means "I received your part. Now send me the next part (x + 1)".

The SYN-ACK message indicates that host B accepts talking to host A (via the ACK part) and
asks whether host A still wants to talk to it as well (via the SYN part).

3. After host A receives the SYN-ACK message from host B, it sends an ACK message
with ACK number "y+1" to host B. This confirms host A still wants to talk to host B.

Caveat: "established" only inspects flag bits; it is not stateful. Anyone outside can send a
segment with the ACK bit set to any inside host and port and the ACL will let it through. A
reflexive ACL or a stateful firewall is needed for real session tracking.

Question 10

Which type of access list allows granular session filtering for upper-level protocols?

A. content-based access lists
B. context-based access lists
C. reflexive access lists
D. extended access lists

Answer: C

Explanation

Reflexive access lists provide filtering on upper-layer IP protocol sessions. They contain
temporary entries that are automatically created when a new IP session begins. They are
nested within extended, named IP access lists that are applied to an interface. Reflexive
access lists are typically configured on border routers, which pass traffic between an internal
and external network. These are often firewall routers. Reflexive access lists do not end with
an implicit deny statement because they are nested within an access list and the subsequent
statements need to be examined.

Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-
1s/sec-access-list-ov.html

Question 11

What is the command to enable IPv6 access list?

A. ipv6 traffic-filter access-list-name {in | out}
B. ipv6 access-list [access-list-name]
C. access-list ipv6 [access-list-name]
D. ipv6 access-group [access-list-name] {in | out}

Answer: A

Explanation

The command "ipv6 traffic-filter access-list-name {in | out}" applies the access list to
incoming or outgoing traffic on the interface. "ipv6 access-list" only creates the list; it does
nothing until it is applied with traffic-filter (or access-class for the VTY lines).

Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-
2_55_se/configuration/guide/scg3750/swv6acl.html

Question 12

Which two statements about IP access-lists are true? (Choose two)

A. IP access-lists without at least one deny statement permit all traffic by default.
B. Extended access-lists must include port numbers.
C. They support wildcard masks to limit the address bits to which entries are applies.
D. Entries are applied to traffic in the order in which they appear.
E. They end with an implicit permit.

Answer: C D
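The three ACLs in Questions 1, 4 and 9, and the two rules Question 12 tests (entries are processed in order, wildcard masks select which address bits are compared), can be checked offline with a small evaluator. The Python below is an added example, not code from the page or from Cisco: it parses the ACE syntax used above, applies first-match and the implicit deny, and treats "established" as "ACK or RST set". The packets it is run against are constructed test inputs.

```python
"""Evaluate IOS-style extended ACLs the way the router does: top down,
first match wins, implicit deny at the end, wildcard masks, optional 'eq'
ports and the 'established' keyword (ACK or RST set). Added example, not
code from the page; the ACLs are the ones from Questions 1, 4 and 9 above
and the packets are constructed test inputs."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" in an ACE matches any IP protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False
    rst: bool = False


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care; only the 0 bits are compared."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return int(ip_address(addr)) & care == int(ip_address(network)) & care


def _take_addr(t, i):
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _take_port(t, i):
    if i < len(t) and t[i] == "eq":
        return int(PORT_NAMES.get(t[i + 1], t[i + 1])), i + 2
    return None, i


def parse_ace(text: str) -> dict:
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p] [established] [log]'."""
    t = text.split()
    src, i = _take_addr(t, 2)
    sport, i = _take_port(t, i)
    dst, i = _take_port and _take_addr(t, i)
    dport, i = _take_port(t, i)
    flags = set(t[i:])
    return {"text": text, "action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in flags,
            "log": bool(flags & {"log", "log-input"})}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["established"] and not (pkt.ack or pkt.rst):
        return False              # a bare SYN never matches 'established'
    return True


def evaluate(acl: list, pkt: Packet):
    """Return (action, matching entry text, log flag); no match = implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"], ace["log"]
    return "deny", "implicit deny", False


# Question 1: anti-spoofing ACL on the outside interface
ANTI_SPOOF = [parse_ace(s) for s in (
    "deny ip 10.0.0.0 0.255.255.255 any log",
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "deny ip 172.16.0.0 0.15.255.255 any log",
    "permit ip any any",
)]
# Question 4: block HTTP from one workstation, allow everything else
NO_HTTP = [parse_ace(s) for s in ("deny tcp host 10.10.10.1 any eq 80", "permit ip any any")]
# Question 9: only return traffic of sessions started from the inside
RETURN_ONLY = [parse_ace("permit tcp any any established")]

if __name__ == "__main__":
    for pkt in (Packet("10.200.1.5", "203.0.113.10"), Packet("172.32.0.1", "203.0.113.10")):
        print(pkt.src, "->", evaluate(ANTI_SPOOF, pkt))
    syn = Packet("198.51.100.7", "10.1.1.1", "tcp", 40000, 23)
    synack = Packet("10.1.1.1", "198.51.100.7", "tcp", 23, 40000, ack=True)
    print("SYN:", evaluate(RETURN_ONLY, syn), "SYN-ACK:", evaluate(RETURN_ONLY, synack))
```

Two things the run makes visible: 172.32.0.1 passes the anti-spoofing list because 0.15.255.255 only covers 172.16.0.0 to 172.31.255.255, and reversing the order of ANTI_SPOOF makes the permit-any entry win for every packet, which is the order-dependence Question 12 is about.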

Question 13

Which option is the minimum logging level that displays a log message when an ACL drops
an incoming packet?

A. Level 6
B. Level 5
C. Level 7
D. Level 3

Answer: A

Explanation

When the ACL logging feature is configured, the system monitors ACL flows and logs
dropped packets and statistics for each flow that matches the deny conditions of the ACL
entry.

The log and log-input options apply to an individual ACE and cause packets that match the
ACE to be logged. The sample below illustrates the initial message and periodic updates sent
by an IOS device with a default configuration using the log ACE option.

*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp
192.168.1.3(1024) -> 192.168.2.1(22), 1 packet

Reference: https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html

The message is generated at severity 6 (informational, the "6" in %SEC-6-) for both permitted
and denied matches, so the logging level must be at least 6 for a message about a dropped
packet to be displayed.
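To act on these messages rather than just read them, the following added Python example (not code from the page or from Cisco) parses %SEC-6-IPACCESSLOG* lines, shows the effect of the logging-level threshold the question is about, and totals denied packets per ACL and source. The first sample line is the one quoted above; the other lines are constructed to show a denied match, the log-input form with interface and MAC, an ICMP message (IPACCESSLOGDP) and an unrelated syslog line that must be skipped.

```python
"""Parse %SEC-6-IPACCESSLOG* syslog lines, apply a logging-level threshold
and summarise denied packets per source. Added example, not code from the
page; SAMPLE_LOG is constructed (first line quoted from the page)."""
import re
from collections import Counter

SAMPLE_LOG = """\
*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
*May 1 22:12:43.500: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN denied tcp 198.51.100.9(40122) -> 192.168.2.1(22), 1 packet
*May 1 22:12:51.117: %SEC-6-IPACCESSLOGP: list 120 denied tcp 198.51.100.9(40123) (Ethernet0/0 0011.2233.4455) -> 192.168.2.1(22), 5 packets
*May 1 22:12:55.802: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 198.51.100.9 -> 192.168.2.1 (8/0), 3 packets
*May 1 22:13:01.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

LOG_RE = re.compile(
    r"%SEC-(?P<sev>\d)-(?P<mnemonic>IPACCESSLOG\w+): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"       # present with log-input
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}


def parse_acl_logs(text: str) -> list:
    """One dict per ACL log message; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sev"] = int(rec["sev"])
        rec["count"] = int(rec["count"])
        for key in ("sport", "dport"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        records.append(rec)
    return records


def visible_at(records: list, logging_level: int) -> list:
    """'logging console <level>' style filter: a message is shown when its
    severity number is <= the configured level (lower number = more severe)."""
    return [r for r in records if r["sev"] <= logging_level]


def denied_by_source(records: list) -> Counter:
    """Total denied packet count keyed by (acl, source address)."""
    totals = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[(r["acl"], r["src"])] += r["count"]
    return totals


if __name__ == "__main__":
    recs = parse_acl_logs(SAMPLE_LOG)
    print(f"{len(recs)} ACL messages, {len(visible_at(recs, 5))} visible at level 5, "
          f"{len(visible_at(recs, 6))} at level 6 ({SEVERITY_NAMES[6]})")
    for (acl, src), n in denied_by_source(recs).most_common():
        print(f"list {acl}: {n} packets denied from {src}")
```

Note that the "N packets" counter in the periodic update is cumulative for the five-minute interval, so summing counts across messages is what gives the real volume per source; a level 5 (notifications) logging threshold hides all of these messages, which is the point of the question.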

Point-to-Point Protocol
https://www.digitaltut.com/point-to-point-protocol

Question 1

Which PPP authentication method sends authentication information in cleartext?

A. MS CHAP
B. CDPCP
C. CHAP
D. PAP

Answer: D

Explanation

Password Authentication Protocol (PAP) is a very basic two-way process. The username and
password are sent in plain text; there is no encryption or protection. If they are accepted, the
connection is allowed. The configuration below shows how to configure PAP on two routers:

R1(config)#username R2 password digitaltut1
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication PAP
R1(config-if)#ppp pap sent-username R1 password digitaltut2

R2(config)#username R1 password digitaltut2
R2(config)#interface s0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication PAP
R2(config-if)#ppp pap sent-username R2 password digitaltut1

Note: The PAP "sent-username" and password that each router sends must match those
specified with the "username ... password ..." command on the other router.

Question 2

Which type of handshake does CHAP authentication use to establish a PPP link?

A. one-way
B. two-way
C. three-way
D. four-way

Answer: C

Explanation

Challenge Handshake Authentication Protocol (CHAP) periodically verifies the identity of
the client by using a three-way handshake. The three steps are as follows:

1. When a client contacts a server that uses CHAP, the server (called the authenticator) sends
the client a random challenge value. This value is not secret; it does not matter if anyone
intercepts it.
2. The client computes an MD5 hash over the CHAP identifier, the shared secret (password) known
to both sides, and the challenge, and returns that hash as its response. The password itself
never crosses the link.
3. The server computes the same hash from its own copy of the secret and the challenge it sent,
and compares the result with the client's response. If they match, the client is authenticated.

Note: PPP supports two authentication protocols: PAP and CHAP.
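The three steps above, written out as an added Python example (not code from the page or from any Cisco implementation): the response is computed exactly as RFC 1994 specifies, MD5 over the one-byte identifier, the shared secret and the challenge, and the demo then attempts the replay that the explanation says CHAP prevents. The router names R1/R2 and the secret are made-up values.

```python
"""Simulate the CHAP three-way handshake of RFC 1994 (response =
MD5(identifier || secret || challenge)) and show why a sniffed response
cannot be replayed. Added example, not code from the page; the names and
the shared secret are made-up values."""
import hashlib
import hmac
import secrets


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the one-byte identifier, the secret and the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (the 'server'); knows each peer's secret."""

    def __init__(self, name: str, peer_secrets: dict):
        self.name = name
        self.peer_secrets = peer_secrets
        self.ident = 0
        self.outstanding = {}        # identifier -> challenge still awaiting a response

    def challenge(self):
        """Step 1: send a fresh random challenge under a new identifier."""
        self.ident = (self.ident + 1) % 256
        value = secrets.token_bytes(16)
        self.outstanding[self.ident] = value
        return self.ident, value, self.name

    def verify(self, ident: int, response: bytes, peer_name: str) -> bool:
        """Step 3: recompute the hash from our copy of the secret and compare."""
        challenge = self.outstanding.pop(ident, None)   # each challenge is usable once
        secret = self.peer_secrets.get(peer_name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


class Peer:
    """The side being authenticated (the 'client')."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, ident: int, challenge: bytes):
        """Step 2: only the hash, never the secret, goes back over the link."""
        return chap_response(ident, self.secret, challenge), self.name


def run_handshake(auth: Authenticator, peer: Peer):
    """Full exchange; returns (authenticated?, what an eavesdropper would see)."""
    ident, challenge, _ = auth.challenge()
    response, name = peer.respond(ident, challenge)
    return auth.verify(ident, response, name), (ident, challenge, response, name)


def demo() -> dict:
    auth = Authenticator("R2", {"R1": b"digitaltut1"})
    ok, sniffed = run_handshake(auth, Peer("R1", b"digitaltut1"))
    ident, _, response, name = sniffed
    # Attacker replays the captured response against a new challenge ...
    new_ident, _, _ = auth.challenge()
    replay_new = auth.verify(new_ident, response, name)
    # ... or against the old identifier, whose challenge has already been consumed
    replay_old = auth.verify(ident, response, name)
    wrong, _ = run_handshake(auth, Peer("R1", b"wrong-secret"))
    return {"legitimate": ok, "replay_new_challenge": replay_new,
            "replay_old_identifier": replay_old, "wrong_secret": wrong}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'rejected'}")
```

The one-use bookkeeping in verify is what makes periodic re-authentication safe: a response is bound to a specific identifier and challenge, so a captured one is worthless the moment that challenge has been answered or a new one issued. MD5 is what the RFC mandates, so the example keeps it; the security of CHAP rests on the secret and the fresh challenge, not on MD5's collision resistance.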

Question 3

Which two authentication protocols does PPP support? (Choose two)

A. WAP
B. PAP
C. CHAP
D. EAP
E. RADIUS
Answer: B C

Question 4

In which form does PAP authentication send the username and password across the link?

A. Encrypted
B. Password protected
C. Clear text
D. Hashed

Answer: C

Explanation

PPP supports two authentication protocols: Password Authentication Protocol (PAP) and
Challenge Handshake Authentication Protocol (CHAP). PAP authentication involves a two-
way handshake where the username and password are sent across the link in clear text. For
more information about PPP Authentication methods, please read Point to Point Protocol
(PPP) Tutorial

Question 5

What are characteristics of PAP and CHAP?

A. PAP provides a challenge to the client
B. CHAP provides a challenge to the client
C. PAP can be used by TACACS+ for with
D. PAP requires a username and optional password
E. CHAP requires a username and optional password

Answer: B C

Question 6

Which two debug commands can you use to view issues with CHAP and PAP authentication?
(Choose two)

A. debug tacacs
B. debug ppp authentication
C. debug radius
D. debug aaa authentication
E. debug ppp negotiation

Answer: B E

Question 7

Which value does a Cisco router use as its default username for CHAP authentication?

A. Its own hostname
B. chap
C. Cisco
D. ppp

Answer: A

PPPoE Questions
https://www.digitaltut.com/pppoe-questions

Question 1

PPPoE is composed of which two phases?

A. Active Authentication Phase and PPP Session Phase
B. Passive Discovery Phase and PPP Session Phase
C. Active Authorization Phase and PPP Session Phase
D. Active Discovery Phase and PPP Session Phase

Answer: D

Explanation

PPPoE provides a standard method of employing the authentication methods of the Point-to-
Point Protocol (PPP) over an Ethernet network. When used by ISPs, PPPoE allows
authenticated assignment of IP addresses. In this type of implementation, the PPPoE client
and server are interconnected by Layer 2 bridging protocols running over a DSL or other
broadband connection.

PPPoE is composed of two main phases:

+ Active Discovery Phase: In this phase, the PPPoE client locates a PPPoE server, called an
access concentrator. During this phase, a Session ID is assigned and the PPPoE layer is
established.
+ PPP Session Phase: In this phase, PPP options are negotiated and authentication is
performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation
method, allowing data to be transferred over the PPP link within PPPoE headers.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-
vpn-cli/vpn-pppoe.html

Question 2

Which statement is true about the PPP Session Phase of PPPoE?

A. PPP options are negotiated and authentication is not performed. Once the link setup is
completed, PPPoE functions as a Layer 3 encapsulation method that allows data to be
transferred over the PPP link within PPPoE headers.
B. PPP options are not negotiated and authentication is performed. Once the link setup is
completed, PPPoE functions as a Layer 4 encapsulation method that allows data to be
transferred over the PPP link within PPPoE headers.
C. PPP options are automatically enabled and authorization is performed. Once the link setup
is completed, PPPoE functions as a Layer 2 encapsulation method that allows data to be
encrypted over the PPP link within PPPoE headers.
D. PPP options are negotiated and authentication is performed. Once the link setup is
completed, PPPoE functions as a Layer 2 encapsulation method that allows data to be
transferred over the PPP link within PPPoE headers.

Answer: D

Explanation

PPP Session Phase: In this phase, PPP options are negotiated and authentication is
performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation
method, allowing data to be transferred over the PPP link within PPPoE headers.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-
vpn-cli/vpn-pppoe.html

Question 3

A corporate policy requires PPPoE to be enabled and to maintain a connection with the ISP,
even if no interesting traffic exists. Which feature can be used to accomplish this task?

A. TCP Adjust
B. Dialer Persistent
C. PPPoE Groups
D. half-bridging
E. Peer Neighbor Route

Answer: B

Explanation

The "dialer persistent" command (under interface configuration mode) allows a dial-on-
demand routing (DDR) dialer profile connection to be brought up without being triggered by
interesting traffic. When configured, the dialer persistent command starts a timer when the
dialer interface starts up and starts the connection when the timer expires. If interesting traffic
arrives before the timer expires, the connection is still brought up and set as persistent. An
example configuration is shown below:

interface Dialer1
ip address 12.12.12.1 255.255.255.0
encapsulation ppp
dialer-pool 1
dialer persistent

Question 4

Prior to enabling PPPoE in a virtual private dialup network group, which task must be
completed?

A. Disable CDP on the interface.
B. Execute the vpdn enable command.
C. Execute the no switchport command.
D. Enable QoS FIFO for PPPoE support.

Answer: B

Explanation

The "vpdn enable" command is used to enable virtual private dialup networking (VPDN) on
the router and inform the router to look for tunnel definitions in a local database and on a
remote authorization server (home gateway). The remaining steps are: configure the
VPDN group, configure the virtual template, and create the IP pools.

Question 5

A network engineer has been asked to ensure that the PPPoE connection is established and
authenticated using an encrypted password. Which technology, in combination with PPPoE,
can be used for authentication in this manner?

A. PAP
B. dot1x
C. IPsec
D. CHAP
E. ESP

Answer: D

Explanation

There are three authentication methods that can be used to authenticate a PPPoE connection:

+ CHAP – Challenge Handshake Authentication Protocol
+ MS-CHAP – Microsoft Challenge Handshake Authentication Protocol Version 1 & 2
+ PAP – Password Authentication Protocol

MS-CHAP and CHAP are encrypted authentication protocols, while PAP is an unencrypted
authentication protocol.

Note: PAP authentication involves a two-way handshake where the username and password
are sent across the link in clear text; hence, PAP authentication does not provide any
protection against playback and line sniffing.

With CHAP, the server (authenticator) sends a challenge to the remote access client. The
client uses a hash algorithm (also known as a hash function) to compute a Message Digest-5
(MD5) hash result based on the challenge and a hash result computed from the user's
password. The client sends the MD5 hash result to the server. The server, which also has
access to the hash result of the user's password, performs the same calculation using the hash
algorithm and compares the result to the one sent by the client. If the results match, the
credentials of the remote access client are considered authentic. A hash algorithm provides
one-way encryption, which means that calculating the hash result for a data block is easy, but
determining the original data block from the hash result is mathematically infeasible.
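To make the CHAP exchange described in Question 2 and in the explanation above concrete, here is an added Python simulation (example code added to this page, not from digitaltut or Cisco). It follows RFC 1994, where the response is MD5(identifier || secret || challenge), and places a PAP Authenticate-Request in the RFC 1334 packet format beside it so the contrast is visible: the PAP packet carries the password itself, the CHAP response carries only a digest of it. The shared secret, identifier and username are constructed sample values.

```python
"""CHAP three-way handshake versus PAP, simulated in one process.

Added example, not from the page. Both ends hold the same shared secret
(a constructed sample value); the authenticator never sends it on the wire.
Per RFC 1994 the CHAP response is MD5(identifier || secret || challenge).
"""
import hashlib
import hmac
import os

SHARED_SECRET = b"s3cret-shared-key"   # constructed sample value


def build_challenge(length=16):
    """Step 1: the authenticator picks an identifier and a random challenge."""
    identifier = os.urandom(1)[0]
    return identifier, os.urandom(length)


def chap_response(identifier, secret, challenge):
    """Step 2: the peer hashes id || secret || challenge and returns only the 16-byte digest."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_response(identifier, secret, challenge, response):
    """Step 3: the authenticator recomputes the digest and compares it in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(peer_secret, authenticator_secret=SHARED_SECRET):
    """Complete exchange; True only when both sides hold the same secret."""
    identifier, challenge = build_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return verify_response(identifier, authenticator_secret, challenge, response)


def pap_authenticate_request(identifier, username, password):
    """PAP Authenticate-Request (RFC 1334): code 1, id, length, then the
    length-prefixed peer-id and password. The password travels in clear text."""
    body = bytes([len(username)]) + username + bytes([len(password)]) + password
    length = 4 + len(body)
    return bytes([1, identifier]) + length.to_bytes(2, "big") + body
```

A captured CHAP response is useless against the next challenge because the random challenge value changes every time, which is the playback protection the note above says PAP lacks.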

Question 6

Which statement is a restriction for PPPoE configuration?

A. Multiple PPPoE clients can use the same dialer interface.
B. Multiple PPPoE clients can use the same dialer pool.
C. A PPPoE session can be initiated only by the client.
D. A PPPoE session can be initiated only by the access concentrator.

Answer: C

Explanation

A PPPoE session is initiated by the PPPoE client. If the session has a timeout or is
disconnected, the PPPoE client will immediately attempt to reestablish the session. The
following four steps describe the exchange of packets that occurs when a PPPoE client
initiates a PPPoE session:
1. The client broadcasts a PPPoE Active Discovery Initiation (PADI) packet.
2. When the access concentrator receives a PADI that it can serve, it replies by sending a
PPPoE Active Discovery Offer (PADO) packet to the client.
3. Because the PADI was broadcast, the host may receive more than one PADO packet. The
host looks through the PADO packets it receives and chooses one. The choice can be based
on the access concentrator name or on the services offered. The host then sends a single
PPPoE Active Discovery Request (PADR) packet to the access concentrator that it has
chosen.
4. The access concentrator responds to the PADR by sending a PPPoE Active Discovery
Session-confirmation (PADS) packet. At this point a virtual access interface is created that
will then negotiate PPP, and the PPPoE session will run on this virtual access.

If a client does not receive a PADO for a preceding PADI, the client sends out a PADI at
predetermined intervals. That interval is doubled for every successive PADI that does not
evoke a response, until the interval reaches a configured maximum.

If PPP negotiation fails or the PPP line protocol is brought down for any reason, the PPPoE
session and the virtual access will be brought down. When the PPPoE session is brought
down, the client waits for a predetermined number of seconds before trying again to establish
a PPPoE session.

Reference: http://www.cs.vsb.cz/grygarek/TPS/DSL/pppoe_client.pdf
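The four-step PADI/PADO/PADR/PADS exchange and the PADI retry backoff described above, as an added Python simulation (example code, not from the page or from Cisco). The access concentrator names, MAC addresses and service names are constructed; the client broadcasts the PADI, every access concentrator sees it, only those that can serve the requested service answer with a PADO, and the PADS finally carries the session ID.

```python
"""PPPoE Active Discovery (PADI/PADO/PADR/PADS) simulated between a client and
access concentrators. Added example, not from the page; AC names, MAC addresses
and service names are constructed sample values.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    code: str                     # PADI, PADO, PADR or PADS
    src: str                      # source MAC
    dst: str                      # destination MAC (a PADI is broadcast)
    session_id: int = 0           # 0 during discovery; assigned only in the PADS
    tags: dict = field(default_factory=dict)


@dataclass
class AccessConcentrator:
    mac: str
    name: str
    services: set
    next_session: int = 1

    def handle(self, frame):
        """Answer a PADI with a PADO if the service can be served; answer a PADR with a PADS."""
        if frame.code == "PADI":
            wanted = frame.tags.get("Service-Name", "")
            if wanted and wanted not in self.services:
                return None                        # cannot serve this PADI: stay silent
            return Frame("PADO", self.mac, frame.src,
                         tags={"AC-Name": self.name, "Service-Name": wanted})
        if frame.code == "PADR" and frame.dst == self.mac:
            sid, self.next_session = self.next_session, self.next_session + 1
            return Frame("PADS", self.mac, frame.src, session_id=sid, tags=dict(frame.tags))
        return None


def discover(client_mac, concentrators, service="", prefer_ac=None):
    """Run the four-step exchange. Returns (ac_mac, session_id), or None if no PADO arrives."""
    padi = Frame("PADI", client_mac, BROADCAST, tags={"Service-Name": service})
    offers = []
    for ac in concentrators:                       # step 1: broadcast, every AC sees the PADI
        pado = ac.handle(padi)                     # step 2: capable ACs reply with a PADO
        if pado is not None:
            offers.append(pado)
    if not offers:
        return None
    # step 3: choose one PADO (by AC name if asked, otherwise the first) and unicast a PADR
    chosen = next((o for o in offers if o.tags["AC-Name"] == prefer_ac), offers[0])
    padr = Frame("PADR", client_mac, chosen.src, tags=chosen.tags)
    ac = next(a for a in concentrators if a.mac == chosen.src)
    pads = ac.handle(padr)                         # step 4: the PADS carries the session ID
    return pads.src, pads.session_id


def padi_retry_schedule(initial_secs, max_secs, unanswered):
    """Delay before each PADI resend: doubled after every unanswered PADI, capped at the maximum."""
    delays, wait = [], initial_secs
    for _ in range(unanswered):
        delays.append(wait)
        wait = min(wait * 2, max_secs)
    return delays
```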

Question 7

Refer to the exhibit.

interface Ethernet 0
pppoe-client dial-pool-number 5
pppoe-client ppp-max-payload 1500
interface Dialer 1
ip address negotiated
dialer pool 5
mtu 1492

Which statement about the configuration is true?

A. This configuration is incorrect because the MTU must match the ppp-max-payload that is
defined.
B. This configuration is incorrect because the dialer interface number must be the same as the
dialer pool number.
C. This configuration is missing an IP address on the dialer interface.
D. This configuration represents a complete PPPoE client configuration on an Ethernet
connection.

Answer: D

Question 8

Which command configures a PPPoE client and specifies dial-on-demand routing
functionality?

A. pppoe-client dial-pool-number
B. PPPoE enable
C. interface dialer 1
D. encapsulation PPP

Answer: A

Question 9

Which command instructs a PPPoE client to obtain its IP address from the PPPoE server?

A. interface dialer
B. ip address negotiated
C. pppoe enable
D. ip address dhcp
E. ip address dynamic

Answer: B

Explanation

The picture below shows the complete configuration needed for PPPoE:

As we can see from the PPPoE client configuration, to get the IP address assigned from the
PPPoE server the command "ip address negotiated" should be used. For more information
about PPPoE configuration please read our PPPoE tutorial.

Question 10

Which two configurations can a PPPoE client support? (Choose two)

A. Eight clients are configured on a single CPE
B. The client is connected to multiple hosts over DMVPN
C. The client is installed on the same network device as the server
D. The client is connecting over an ATM PVC
E. The client is installed on a native IPv6 network

Answer: A B

Explanation

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html

The PPPoE client does not support the following:

+ More than ten clients per customer premises equipment (CPE) -> This means a CPE can
support up to 10 clients, so answer A is correct.
+ Coexistence of the PPPoE client and server on the same device -> answer C is not correct

The same page includes a topology titled "DMVPN Access to Multiple Hosts from the
Same PPPoE Client" -> Answer B is correct.

Question 11

Which DSL encapsulation method requires client software running on the end-user PC that is
directly connected to a DSL modem?

A. PPPoA
B. PPPoE
C. PPP
D. L2TP
E. ATM

Answer: B

Question 12

Which two commands do you need to implement on a router to support PPPoE client?

A. peer default ip address pool
B. MTU
C. bba-group pppoe
D. pppoe enable group
E. pppoe-client dialer-pool-number

Answer: B E

CEF & Fast Switching
https://www.digitaltut.com/cef-fast-switching

Question 1

Refer to the exhibit.

Based on this FIB table, which statement is correct?

A. There is no default gateway.
B. The IP address of the router on FastEthernet is 209.168.201.1.
C. The gateway of last resort is 192.168.201.1.
D. The router will listen for all multicast traffic.

Answer: C

Explanation

The command "show ip cef" is used to display the CEF Forwarding Information Base (FIB)
table. There are some entries we want to explain:
+ If the "Next Hop" field of a network prefix is set to receive, the entry represents an IP
address on one of the router's interfaces. In this case, 192.168.201.2 and 192.168.201.31 are
IP addresses assigned to interfaces on the local router.
+ If the "Next Hop" field of a network prefix is set to attached, the entry represents a
network to which the router is directly attached. In this case the prefix 192.168.201.0/27 is a
network directly attached to router R2's Fa0/0 interface.

But there are some special cases:

+ The all-0s host address (for example, 192.168.201.0/32) and the all-1s host address (not
present in the output above, but for example 192.168.201.255/32) also show as receive entries.
+ 255.255.255.255/32 is the local broadcast address for a subnet
+ 0.0.0.0/32: possibly a reserved link-local address
+ 0.0.0.0/0: This is the default route, which matches all other addresses (also known as the
"gateway of last resort"). In this case it points to 192.168.201.1 -> Answer C is correct.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
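Since the exhibit is not reproduced here, below is an added Python example (not from the page or from Cisco) that parses a constructed "show ip cef" listing built around the prefixes the explanation mentions and applies the explanation's rules: the 0.0.0.0/0 next hop is the gateway of last resort, attached entries are connected networks, and a /32 receive entry is an interface address unless it is the all-0s or all-1s address of an attached subnet. The sample output is constructed, not captured from a router.

```python
"""Read a constructed 'show ip cef' listing the way the explanation above reads it.
Added example, not from the page; the sample output is constructed around the
prefixes the explanation mentions (default route, attached /27, receive /32s).
"""
import ipaddress

SHOW_IP_CEF = """\
Prefix               Next Hop             Interface
0.0.0.0/0            192.168.201.1        FastEthernet0/0
0.0.0.0/32           receive
192.168.201.0/27     attached             FastEthernet0/0
192.168.201.0/32     receive
192.168.201.2/32     receive
224.0.0.0/4          drop
255.255.255.255/32   receive
"""

SPECIAL_NEXT_HOPS = {"receive", "attached", "drop"}


def parse_cef(text):
    """Return a list of (prefix, next_hop, interface) tuples from the FIB listing."""
    entries = []
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split()
        if not parts:
            continue
        iface = parts[2] if len(parts) > 2 else None
        entries.append((ipaddress.ip_network(parts[0]), parts[1], iface))
    return entries


def gateway_of_last_resort(entries):
    """Next hop of the 0.0.0.0/0 entry, or None when there is no default route."""
    for prefix, next_hop, _ in entries:
        if prefix.prefixlen == 0 and next_hop not in SPECIAL_NEXT_HOPS:
            return next_hop
    return None


def attached_networks(entries):
    """Prefixes the router is directly connected to ('attached' next hop)."""
    return [prefix for prefix, next_hop, _ in entries if next_hop == "attached"]


def interface_addresses(entries):
    """/32 'receive' entries that are real interface addresses: inside an attached
    network but neither its all-0s nor its all-1s host address."""
    nets = attached_networks(entries)
    found = []
    for prefix, next_hop, _ in entries:
        if next_hop != "receive" or prefix.prefixlen != 32:
            continue
        host = prefix.network_address
        for net in nets:
            if host in net and host not in (net.network_address, net.broadcast_address):
                found.append(str(host))
    return found


def classify(entry):
    """One-line reading of a FIB entry, following the rules in the explanation."""
    prefix, next_hop, iface = entry
    if next_hop == "receive":
        return "local address (or a subnet's all-0s/all-1s address)"
    if next_hop == "attached":
        return f"directly connected network on {iface}"
    if next_hop == "drop":
        return "dropped"
    if prefix.prefixlen == 0:
        return f"default route (gateway of last resort) via {next_hop}"
    return f"forwarded to {next_hop} on {iface}"
```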

Question 2

Refer to the exhibit.


A network administrator checks this adjacency table on a router. What is a possible cause for
the incomplete marking?

A. incomplete ARP information
B. incorrect ACL
C. dynamic routing protocol failure
D. serial link congestion

Answer: A

Explanation

The "show adjacency" command is used to display information about the Cisco Express
Forwarding adjacency table or the hardware Layer 3 switching adjacency table.

There are two known reasons for an incomplete adjacency:

+ The router cannot use ARP successfully for the next-hop interface.
+ After a clear ip arp or a clear adjacency command, the router marks the adjacency as
incomplete. Then it fails to clear the entry.

Note: Two nodes in the network are considered adjacent if they can reach each other using
only one hop.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/17812-cef-
incomp.html

Question 3

Which switching method is used when entries are present in the output of the command show
ip cache?

A. fast switching
B. process switching
C. Cisco Express Forwarding switching
D. cut-through packet switching

Answer: A

Explanation

The "show ip cache" command displays the contents of a router's fast cache. An example of
the output of this command is shown below:

Note: If CEF is disabled and fast switching is enabled, the router begins to populate its fast
cache.

Question 4

How does an IOS router process a packet that should be switched by Cisco Express
Forwarding without an FIB entry?

A. by forwarding the packet
B. by dropping the packet
C. by creating a new FIB entry for the packet
D. by looking in the routing table for an alternate FIB entry

Answer: B

Question 5

At which layer does Cisco Express Forwarding use adjacency tables to populate addressing
information?

A. Layer 4
B. Layer 2
C. Layer 1
D. Layer 3

Answer: B

Explanation

Cisco Express Forwarding (CEF) provides the ability to switch packets through a device in a
very quick and efficient way while also keeping the load on the router's processor low. CEF
is made up of two different main components: the Forwarding Information Base (FIB) and
the Adjacency Table. These are automatically updated at the same time as the routing table.

The adjacency table is tasked with maintaining the layer 2 next-hop information for the FIB.

Question 6

A network administrator creates a static route that points directly to a multi-access interface,
instead of the next-hop IP address. The administrator notices that Cisco Express Forwarding
ARP requests are being sent to all destinations. Which issue might this configuration create?

A. Low bandwidth usage
B. High memory usage
C. Cisco Express Forwarding routing loop
D. High bandwidth usage
E. IP route interference

Answer: C

Explanation

The explanation of this question is too lengthy, so we recommend reading this article:
http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/26083-trouble-cef.html

Question 7

Refer to the exhibit. What is indicated by the show ip cef command for an address?

A. CEF is unable to get routing information for this route.
B. CEF cannot switch the packet for this route and passes it to the next best switching method.
C. A valid entry that is pointed to hardware-based forwarding.
D. CEF cannot switch the packet for this route and drops it.

Answer: B

Explanation

Glean adjacency – in short, when the router is directly connected to hosts, the FIB table on the
router will maintain a prefix for the subnet rather than for the individual host prefix. This
subnet prefix points to a GLEAN adjacency.
Punt adjacency – When packets to a destination prefix can't be CEF switched, or the feature
is not supported in the CEF switching path, the router will then use the next slower switching
mechanism configured on the router.

Question 8

Which Cisco Express Forwarding component maintains Layer 2 addressing information?

A. adjacency table
B. RIB
C. dCEF
D. fast switching
E. FIB

Answer: A

Explanation

Nodes in the network are said to be adjacent if they can reach each other with a single hop
across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2
addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB
entries.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.
html

Question 9

Which three are IP CEF load-sharing options? (Choose three)

A. Tunnel
B. Universal
C. Include-ports
D. Source
E. Destination

Answer: A B C

Frame Relay Questions
https://www.digitaltut.com/frame-relay-questions

Question 1

Which protocol uses dynamic address mapping to request the next-hop protocol address for a
specific connection?

A. Frame Relay inverse ARP
B. static DLCI mapping
C. Frame Relay broadcast queue
D. dynamic DLCI mapping

Answer: A

Explanation

A normal (Ethernet) ARP Request knows the Layer 3 address (IP) and requests the Layer 2
address (MAC). On the other hand, Frame Relay Inverse ARP knows the Layer 2 address
(DLCI) and requests the Layer 3 address (IP), so it is called "Inverse". For a detailed
explanation of Inverse ARP Requests please read our Frame Relay tutorial – Part 2.

Question 2

What is the default OSPF hello interval on a Frame Relay point-to-point network?

A. 10
B. 20
C. 30
D. 40

Answer: A

Explanation

When saying "Frame Relay point-to-point" network, it means "Frame Relay subinterfaces"
run "point-to-point". Notice that Frame Relay subinterfaces can run in two modes:
+ Point-to-Point: When a Frame Relay point-to-point subinterface is configured, the
subinterface emulates a point-to-point network and OSPF treats it as a point-to-point network
type
+ Multipoint: When a Frame Relay multipoint subinterface is configured, OSPF treats this
subinterface as an NBMA network type.

And there are 4 network types which can be configured with OSPF. The hello & dead
intervals of these types are listed below:

Network Type          Hello Interval (secs)   Dead Interval (secs)
Point-to-Point        10                      40
Point-to-Multipoint   30                      120
Broadcast             10                      40
Non-Broadcast         30                      120

Therefore the default OSPF hello interval on a Frame Relay point-to-point network is 10
seconds.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13693-22.html

Question 3

A company has their headquarters located in a large city with a T3 frame relay link that
connects 30 remote locations that each have T1 frame relay connections. Which technology
must be configured to prevent remote sites from getting overwhelmed with traffic and
prevent packet drops from the headquarters?

A. traffic shaping
B. IPsec VPN
C. GRE VPN
D. MPLS

Answer: A

Explanation

Traffic shaping should be used when:


+ The hub site (headquarters) has a much faster link than the spokes (remote sites). In this
case we need to rate-limit the hub site so that it does not exceed the remote side access rate.
+ The hub site has the same speed link as the spokes. For example both the headquarters and
the spokes use T1 links. In this case, we need to rate-limit the remote sites so as to not
overrun the hub.

An example of configuring traffic shaping is shown below:

interface Serial0/1
encapsulation frame-relay
frame-relay traffic-shaping
!
interface Serial0/1.10 point-to-point
ip address 10.10.10.10 255.255.255.0
frame-relay interface-dlci 10 class my_traffic_shaping
!
map-class frame-relay my_traffic_shaping
frame-relay adaptive-shaping becn // Configure the router to respond to Frame Relay frames that have the BECN bit set
frame-relay cir 128000 // Specify the committed information rate (CIR) for a Frame Relay virtual circuit
frame-relay bc 8000 // Specify the committed burst size (Bc) for a Frame Relay virtual circuit
frame-relay be 8000 // Specify the excess burst size (Be) for a Frame Relay virtual circuit
frame-relay mincir 64000 // Specify the minimum acceptable CIR for a Frame Relay virtual circuit

Reference: http://www.cisco.com/c/en/us/support/docs/wan/frame-relay/6151-traffic-
shaping-6151.html
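To see what the map-class values above mean on the wire, here is an added Python model (not from the page or from Cisco) of a Frame Relay shaper: Tc = Bc/CIR, a bucket refilled with Bc bits every Tc that can hold at most Bc + Be bits, and adaptive shaping that backs the sending rate off toward mincir while BECN-marked frames arrive. The 25% reduction per BECN interval and the CIR/16 recovery step per quiet interval are this model's own assumptions, not values taken from the page. It uses the page's numbers (CIR 128000, Bc 8000, Be 8000, mincir 64000).

```python
"""Simplified Frame Relay traffic-shaping model for the map-class above.
Added example, not from the page or from Cisco: a token bucket refilled with
rate * Tc bits every Tc (Bc bits at full CIR), able to hold Bc + Be bits, and an
adaptive rate that drops 25% per Tc while BECNs arrive (never below mincir) and
climbs back by CIR/16 per Tc when they stop. Those two steps are assumptions.
"""


def shaping_interval(cir_bps, bc_bits):
    """Tc = Bc / CIR: the length of one shaping interval in seconds."""
    return bc_bits / cir_bps


class FrameRelayShaper:
    def __init__(self, cir, bc, be, mincir):
        self.cir, self.bc, self.be, self.mincir = cir, bc, be, mincir
        self.tc = shaping_interval(cir, bc)
        self.rate = cir          # current adaptive sending rate (bps)
        self.tokens = be         # Be: excess credit available for the first interval

    def tick(self, offered_bits, becn=False):
        """Advance one Tc: adapt to BECN, refill the bucket, send what credit allows."""
        if becn:
            self.rate = max(self.mincir, self.rate * 0.75)      # assumed back-off step
        else:
            self.rate = min(self.cir, self.rate + self.cir / 16)  # assumed recovery step
        self.tokens = min(self.bc + self.be, self.tokens + self.rate * self.tc)
        sent = min(offered_bits, self.tokens)
        self.tokens -= sent
        return sent

    def run(self, offered_per_tc, becn_flags):
        """Simulate one interval per flag with a constant offered load; returns bits sent per Tc."""
        return [self.tick(offered_per_tc, flag) for flag in becn_flags]
```

With the page's values Tc is 62.5 ms; a congested source sends Bc + Be = 16000 bits in the first interval and 8000 bits (CIR) in every later one, and a run of BECNs pulls it down to 4000 bits per Tc, which is exactly mincir.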

Question 4

On which two types of interface is Frame Relay switching supported? (Choose two)

A. serial interfaces
B. Ethernet interfaces
C. fiber interfaces
D. ISDN interfaces
E. auxiliary interfaces

Answer: A D

Question 5

In which two ways can split horizon issues be overcome in a Frame Relay network
environment? (Choose two)

A. Configuring one physical serial interface with Frame Relay to various remote sites.
B. Configure a loopback interface with Frame Relay to various remote sites.
C. Configuring multiple subinterfaces on a single physical interface to various remote sites.
D. Enabling split horizon.
E. Disabling split horizon.

Answer: C E

Question 6

Refer to the exhibit.

Router 1 cannot ping router 2 via the Frame Relay between them. Which two statements
describe the problems? (Choose two)

A. Encapsulation is mismatched.
B. Frame Relay map is configured.
C. DLCI is active.
D. DLCI is inactive or deleted.
E. An access list is needed to allow ping.

Answer: A D

Question 7

How should a router that is being used in a Frame Relay network be configured to keep split
horizon issues from preventing routing updates?

A. Configure a separate subinterface for each PVC with a unique DLCI and subnet assigned
to the subinterface.
B. Configure each Frame Relay circuit as a point-to-point line to support multicast and
broadcast traffic.
C. Configure many subinterfaces in the same subnet.
D. Configure a single subinterface to establish multiple PVC connections to multiple remote
router interfaces.

Answer: A

Explanation

Each subinterface is treated like a physical interface so split horizon issues are overcome.

Question 8

Which value does Frame Relay use to identify a connection between a DTE and DCE?

A. DLCI
B. IP address
C. MAC address
D. VLAN ID

Answer: A

Explanation

Frame Relay uses data-link connection identifiers (DLCIs) to build up logical circuits. The
identifiers have local meaning only, which means that their values are unique per router, but
not necessarily across routers. For example, there is only one DLCI of 23 representing the
connection from HeadQuarter to Branch 1 and only one DLCI of 51 from HeadQuarter to
Branch 2. Branch 1 can use the same DLCI of 23 to represent the connection from it to
HeadQuarter. Of course it can use other DLCIs as well because DLCIs are only locally
significant.

By including a DLCI number in the Frame Relay header, HeadQuarter can communicate with
both Branch 1 and Branch 2 over the same physical circuit.

Question 9

Which two statements about configuring Frame Relay point-to-multipoint connections are
true? (Choose two)

A. They ignore the broadcast keyword in the frame-relay DLCI mapping
B. They require the same DLCI on each side of the link
C. Changing a point-to-multipoint subinterface to a different type requires the interface to be
deleted and recreated
D. They require the frame-relay mapping command to be configured
E. They require inverse ARP

Answer: D E

Explanation

An example of configuring Frame Relay point-to-multipoint connections is described at
http://www.9tut.com/frame-relay-gns3-lab. Frame Relay point-to-multipoint requires inverse
ARP (which is enabled by default). It requires the frame-relay mapping command to be
configured also. For example: R1(config-if)#frame-relay route 102 interface Serial0/1 201.

Question 10

Which two statements about Frame Relay LMI autosense are true on a router? (Choose two)

A. It requires the LMI type to be explicitly configured
B. It operates on Frame Relay DTE interfaces
C. It operates on Frame Relay DCE interfaces
D. It operates when the line is up but the line protocol is down
E. It requires the line protocol to be up

Answer: B D

Explanation

LMI autosense is automatically enabled in the following situations:

+ The router is powered up or the interface changes state to up
+ The line protocol is down but the line is up
+ The interface is a Frame Relay DTE
+ The LMI type is not explicitly configured on the interface

Reference: CCIE Practical Studies: Security

GRE Tunnel
https://www.digitaltut.com/gre-tunnel

Question 1

Refer to the exhibit. After configuring GRE between two routers running OSPF that are
connected to each other via a WAN link, a network engineer notices that the two routers
cannot establish the GRE tunnel to begin the exchange of routing updates. What is the reason
for this?

A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol
number 57.

Answer: A

Explanation

GRE packets are encapsulated within IP and use IP protocol type 47

Question 2

An engineer is configuring a GRE tunnel interface in the default mode. The engineer has
assigned an IPv4 address on the tunnel and sourced the tunnel from an Ethernet interface.
Which option also is required on the tunnel interface before it is operational?

A. tunnel destination address
B. keepalives
C. IPv6 address
D. tunnel protection

Answer: A

Explanation

A GRE interface definition includes:

+ An IPv4 address on the tunnel
+ A tunnel source
+ A tunnel destination

Below is an example of how to configure a basic GRE tunnel:

interface Tunnel 0
ip address 10.10.10.1 255.255.255.0
tunnel source fa0/0
tunnel destination 172.16.0.2

In this case the "IPv4 address on the tunnel" is 10.10.10.1/24 and "sourced the tunnel from an
Ethernet interface" is the command "tunnel source fa0/0". Therefore it only needs a tunnel
destination, which is 172.16.0.2.

Note: A multipoint GRE (mGRE) interface does not require a tunnel destination address.

Question 3

When the tunnel interface is configured in default mode, which statement about routers and
the tunnel destination address is true?

A. The router must have a route installed towards the tunnel destination
B. The router must have wccp redirects enabled inbound from the tunnel destination
C. The router must have cisco discovery protocol enabled on the tunnel to form a CDP
neighborship with the tunnel destination
D. The router must have redirects enabled outbound towards the tunnel destination

Answer: A

Explanation

Configuring the tunnel interface in default mode means the tunnel has been configured as a
point-to-point (P2P) GRE tunnel. Normally, a P2P GRE tunnel interface comes up (up/up
state) as soon as it is configured with a valid tunnel source address or interface which is up
and a tunnel destination IP address which is routable.

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the
up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in
recursion.

Therefore if a route towards the tunnel destination has not been configured then the tunnel is
stuck in the up/down state.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html
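The three up/down causes listed above, checked by an added Python model (not from the page or from Cisco) of a router with interfaces and a longest-prefix-match routing table. The Router class, the 198.51.100.1/24 source address and the route set are constructed for the example; the tunnel source fa0/0 and destination 172.16.0.2 are taken from the configuration in Question 2. The recursion case is the one that is easy to create by accident: a prefix covering the tunnel destination learned over the tunnel itself is more specific than the default route, so it wins the lookup.

```python
"""Why a point-to-point GRE tunnel sits in up/down: the three conditions from the
explanation above, checked against a small routing-table model. Added example,
not from the page; Router and the addresses below are constructed, except the
tunnel source fa0/0 and destination 172.16.0.2, which come from Question 2.
"""
import ipaddress


class Router:
    def __init__(self):
        self.interfaces = {}     # name -> {"ip": IPv4Interface or None, "up": bool}
        self.routes = []         # (IPv4Network, outgoing interface name)

    def add_interface(self, name, ip=None, up=True):
        self.interfaces[name] = {"ip": ipaddress.ip_interface(ip) if ip else None, "up": up}

    def add_route(self, prefix, out_interface):
        self.routes.append((ipaddress.ip_network(prefix), out_interface))

    def lookup(self, destination):
        """Longest-prefix match over routes whose outgoing interface is up (others leave the RIB)."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, iface in self.routes:
            if dst in net and self.interfaces.get(iface, {}).get("up"):
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        return best


def gre_tunnel_state(router, tunnel_name, tunnel_source, tunnel_destination):
    """Return 'up/up' or 'up/down: <reason>' for a default-mode (point-to-point) GRE tunnel."""
    src = router.interfaces.get(tunnel_source)
    if src is None or not src["up"]:
        return "up/down: tunnel source interface is down"
    route = router.lookup(tunnel_destination)
    if route is None:
        return "up/down: no route (not even a default) to the tunnel destination"
    if route[1] == tunnel_name:
        return "up/down: route to the tunnel destination recurses through the tunnel itself"
    return "up/up"


def build_router(source_up=True, default_route=True, recursive_route=False):
    """Constructed topology: Tunnel0 sourced from fa0/0, destination 172.16.0.2 (Question 2)."""
    r = Router()
    r.add_interface("fa0/0", "198.51.100.1/24", up=source_up)
    r.add_interface("Tunnel0", "10.10.10.1/24", up=True)
    if default_route:
        r.add_route("0.0.0.0/0", "fa0/0")
    if recursive_route:
        r.add_route("172.16.0.0/16", "Tunnel0")   # learned over the tunnel: longer match wins
    return r
```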

Question 4

A network engineer has configured GRE between two IOS routers. The state of the tunnel
interface is continuously oscillating between up and down. What is the solution to this
problem?

A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable

Answer: A

Explanation

In this question only answer A is a reasonable answer. When the state of the tunnel interface
is continuously moving between up and down we must make sure the route towards the
tunnel destination address is good. If it is not good then that route may be removed from the
routing table -> the tunnel interface comes down.

Question 5

Which two GRE features can you configure to prevent fragmentation? (Choose two)

A. TCP MSS
B. DF Bit Clear
C. IP MTU
D. PMTUD
E. MTU ignore
F. UDP window sizes

Answer: A D

Explanation

The IP protocol was designed for use on a wide variety of transmission links. Although the
maximum length of an IP datagram is 65535, most transmission links enforce a smaller
maximum packet length limit, called an MTU. The value of the MTU depends on the type of
the transmission link. The design of IP accommodates MTU differences since it allows
routers to fragment IP datagrams as necessary. The receiving station is responsible for the
reassembly of the fragments back into the original full size IP datagram.

Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to
determine the maximum transmission unit (MTU) size on the network path between two
hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended
for routers in IPv4. However, all modern operating systems use it on endpoints.

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a
host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be
fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN
segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to
popular belief, the MSS value is not negotiated between hosts. The sending host is required to
limit the size of data in a single TCP segment to a value less than or equal to the MSS
reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does
not handle the case where there is a smaller MTU link in the middle between these two
endpoints. PMTUD was developed in order to avoid fragmentation in the path between the
endpoints. It is used to dynamically determine the lowest MTU along the path from a
packet's source to its destination.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/25885-pmtud-ipfrag.html (this document also contains examples of how TCP MSS avoids
IP fragmentation)

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.
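The arithmetic behind answers A and D, as an added Python example (not from the page or from Cisco): the 24 bytes of IPv4 plus basic GRE overhead shrink a 1500-byte Ethernet path to a 1476-byte tunnel IP MTU, the matching TCP MSS is 1436, and a full-size 1500-byte segment entering the tunnel is either fragmented (DF clear) or answered with an ICMP fragmentation-needed message carrying the tunnel MTU (DF set), which is the signal PMTUD relies on. Header sizes are the standard IPv4, GRE and TCP values; the function names are this example's own.

```python
"""GRE overhead, TCP MSS clamping and the PMTUD decision at the tunnel ingress.
Added example, not from the page; header sizes are the standard IPv4 (20),
basic GRE without options (4) and TCP without options (20).
"""
IP_HEADER = 20
GRE_HEADER = 4        # basic GRE header, no checksum/key/sequence fields
TCP_HEADER = 20
ETHERNET_MTU = 1500


def gre_tunnel_ip_mtu(physical_mtu=ETHERNET_MTU):
    """IP MTU a GRE tunnel can carry so the encapsulated packet still fits the physical link."""
    return physical_mtu - IP_HEADER - GRE_HEADER          # 1476 on Ethernet


def mss_for_ip_mtu(ip_mtu):
    """Largest TCP payload whose segment fits the given IP MTU without fragmentation."""
    return ip_mtu - IP_HEADER - TCP_HEADER                # 1436 for a 1476-byte tunnel MTU


def clamp_mss(advertised_mss, ip_mtu):
    """What a router does when it rewrites the MSS option in SYN segments crossing the tunnel."""
    return min(advertised_mss, mss_for_ip_mtu(ip_mtu))


def tcp_segment_len(payload):
    """Total IP packet length for a TCP segment carrying `payload` bytes."""
    return payload + TCP_HEADER + IP_HEADER


def encapsulate(packet_len, physical_mtu=ETHERNET_MTU, df=False):
    """Outcome for one IP packet entering the tunnel:
    'forward'                  fits after adding the outer IP + GRE headers
    'fragment'                 too big and DF clear: the router fragments it
    ('icmp-frag-needed', mtu)  too big and DF set: PMTUD signal carrying the tunnel MTU"""
    tunnel_mtu = gre_tunnel_ip_mtu(physical_mtu)
    if packet_len <= tunnel_mtu:
        return "forward"
    if df:
        return ("icmp-frag-needed", tunnel_mtu)
    return "fragment"
```

On IOS the MSS rewrite modelled by clamp_mss is what the ip tcp adjust-mss command on the tunnel interface does; the fragment/ICMP branch is what happens when it is absent and hosts keep advertising a 1460-byte MSS.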

Question 6

Which two statements about GRE tunnel interfaces are true? (Choose two)

A. A tunnel can be established when the source interface is in the up/down state
B. A tunnel destination must be routable, but it can be unreachable
C. To establish a tunnel the source interface must be a loopback
D. To establish a tunnel the source interface must be in the up/up state
E. A tunnel destination must be a physical interface that is in the up/up state

Answer: B D

Explanation

A valid tunnel destination is one which is routable (which means the destination is present or
there is a default route in the routing table). However, it does not have to be reachable ->
Answer B is correct.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html

For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and
the destination must be reachable according to your own routing table.

Question 7

Which of the following is a GRE Tunnel characteristic?

A. GRE imposes more CPU overhead than IPsec on VPN gateways
B. GRE tunnels can run through IPsec tunnels.
C. GRE Tunnel doesn't have support for IPv6
D. GRE consists of two sub-protocols: Encapsulated Security Payload (ESP) and
Authentication Header (AH).

Answer: B

Question 8
Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a
GRE and IPsec tunnel, over the DSL connection, destined for an Enterprise network. Which
of the following answers best describes the router‘s logic that tells the router, for a given
packet, to apply GRE encapsulation to the packet?

A. When the packet received on the LAN interface is permitted by the ACL listed on the
tunnel gre acl command under the incoming interface
B. When routing the packet, matching a route whose outgoing interface is the GRE tunnel
interface
C. When routing the packet, matching a route whose outgoing interface is the IPsec tunnel
interface
D. When permitted by an ACL that was referenced in the associated crypto map

Answer: B

Question 9

What is a key benefit of using a GRE tunnel to provide connectivity between branch offices
and headquarters?

A. authentication, integrity checking, and confidentiality
B. less overhead
C. dynamic routing over the tunnel
D. granular QoS support
E. open standard
F. scalability

Answer: C

Explanation

A GRE tunnel provides a way to encapsulate any network layer protocol over any other network
layer protocol. GRE allows routers to act as if they have a virtual point-to-point connection to
each other. GRE tunneling is accomplished by creating routable tunnel endpoints that operate
on top of existing physical and/or other logical endpoints. In particular, IPsec on its own does
not carry multicast traffic (so routing protocols cannot run over it), which makes a GRE tunnel
a good solution instead (or the two can be combined).

Question 10

A network administrator uses GRE over IPSec to connect two branches together via VPN
tunnel. Which one of the following is the reason for using GRE over IPSec?

A. GRE over IPSec provides better QoS mechanism and is faster than other WAN
technologies.
B. GRE over IPSec decreases the overhead of the header.
C. GRE supports use of routing protocol, while IPSec supports encryption.
D. GRE supports encryption, while IPSec supports use of routing protocol.

Answer: C

Question 11

Which statement is true about an IPSec/GRE tunnel?

A. The GRE tunnel source and destination addresses are specified within the IPSec transform
set.
B. An IPSec/GRE tunnel must use IPSec tunnel mode.
C. GRE encapsulation occurs before the IPSec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.

Answer: C

Explanation

When running a GRE tunnel over IPsec, a packet is first encapsulated in a GRE packet and
then the GRE packet is encrypted by IPsec -> C is correct.

Question 12

What are the four main steps in configuring a GRE tunnel over IPsec on Cisco routers?
(Choose four)

A. Configure a physical interface or create a loopback interface to use as the tunnel endpoint.
B. Create the GRE tunnel interfaces.
C. Add the tunnel interfaces to the routing process so that it exchanges routing updates across
that interface.
D. Add the tunnel subnet to the routing process so that it exchanges routing updates across
that interface.
E. Add all subnets to the crypto access-list, so that IPsec encrypts the GRE tunnel traffic.
F. Add GRE traffic to the crypto access-list, so that IPsec encrypts the GRE tunnel traffic.

Answer: A B D F

Explanation

Four steps to configure GRE tunnel over IPsec are:

1. Create a physical or loopback interface to use as the tunnel endpoint. Using a loopback
rather than a physical interface adds stability to the configuration.
2. Create the GRE tunnel interfaces.
3. Add the tunnel subnet to the routing process so that it exchanges routing updates across
that interface.
4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.

An example of configuring GRE Tunnel is shown below:

interface Tunnel0
ip address 192.168.16.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 14.38.88.10
tunnel mode gre ip

Note: The last command is enabled by default, so we can omit it from the configuration.

(Reference: CCNP Routing and Switching Quick Reference)

Question 13

Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel
was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?
A. The crypto isakmp configuration is not correct.
B. The crypto map configuration is not correct.
C. The interface tunnel configuration is not correct.
D. The network configuration is not correct; network 172.16.1.0 is missing

Answer: A

Explanation

The address of the crypto isakmp key (line "crypto isakmp key ******* address 172.16.1.2")
should be 192.168.2.1, not 172.16.1.2 -> A is correct.

Question 14
Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel
was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?

A. The crypto map is not configured correctly.


B. The crypto ACL is not configured correctly.
C. The crypto map is not applied to the correct interface.
D. The OSPF network is not configured correctly.

Answer: B

Explanation

The access-list must also permit GRE traffic, with the "access-list 102 permit gre host
192.168.1.1 host 192.168.2.1" command -> B is correct.

Below is the correct configuration for GRE over IPsec on router B1 along with descriptions.
The interface tunnel configuration is rather simple so I don't post it here.

Question 15

Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel
was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?
A. The crypto isakmp configuration is not correct.
B. The crypto map configuration is not correct.
C. The network 172.16.1.0 is not included in the OSPF process.
D. The interface tunnel configuration is not correct.

Answer: D

Explanation

The "tunnel destination" in the interface tunnel configuration should be 192.168.2.1, not
172.16.1.2 -> D is correct.

DMVPN Questions
https://www.digitaltut.com/dmvpn-questions
Question 1

Refer to the following output:

Router#show ip nhrp detail
10.1.1.2/8 via 10.2.1.2, Tunnel1 created 00:00:12, expire 01:59:47
Type: dynamic, Flags: authoritative unique nat registered used
NBMA address: 10.12.1.2

What does the authoritative flag mean in regards to the NHRP information?

A. It was obtained directly from the next-hop server.
B. Data packets are process switched for this mapping entry.
C. NHRP mapping is for networks that are local to this router.
D. The mapping entry was created in response to an NHRP registration request.
E. The NHRP mapping entry cannot be overwritten.

Answer: A

Explanation

From the output we learn that the logical address 10.2.1.2 is mapped to the NBMA address
10.12.1.2. Type "dynamic" means the NBMA address was obtained from an NHRP request packet;
type "static" means the NBMA address is statically configured. The "authoritative" flag means
that the NHRP information was obtained directly from the Next Hop Server (NHS).

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html
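As an added example (not from the original page or from Cisco), the Python below parses the "show ip nhrp detail" output above into structured entries, so that a script can list which mappings were learned directly from the NHS (the authoritative flag) and which dynamic mappings are about to expire. The second cache entry in the sample is constructed to show a static mapping; the "never expire" wording for static entries and the helper names are assumptions.

```python
"""Parse 'show ip nhrp detail' output and report where each mapping came from.

Added example for this page; the second entry in SAMPLE is constructed.
"""
import re

ENTRY_RE = re.compile(
    r"^(?P<prefix>\S+) via (?P<nexthop>\S+), (?P<tunnel>\S+) created (?P<created>\S+), "
    r"(?:expire (?P<expire>\S+)|(?P<never>never expire))$"
)


def hms_to_seconds(text: str) -> int:
    """Convert an IOS hh:mm:ss age or expiry into seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_nhrp_detail(output: str) -> list:
    """Return one dict per NHRP cache entry: prefix, next hop, tunnel, type, flags, NBMA, expiry."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "prefix": m["prefix"], "next_hop": m["nexthop"], "tunnel": m["tunnel"],
                "expire_s": None if m["never"] else hms_to_seconds(m["expire"]),
            })
        elif line.startswith("Type:") and entries:
            kind, _, flags = line.partition(", Flags:")
            entries[-1]["type"] = kind.split(":")[1].strip()
            entries[-1]["flags"] = set(flags.split())
        elif line.startswith("NBMA address:") and entries:
            entries[-1]["nbma"] = line.split(":")[1].strip()
    return entries


def learned_from_nhs(entries) -> list:
    """Prefixes whose mapping was obtained directly from the next-hop server (authoritative)."""
    return [e["prefix"] for e in entries if "authoritative" in e.get("flags", ())]


def expiring_within(entries, seconds: int) -> list:
    """Dynamic prefixes that will be purged unless refreshed within `seconds`."""
    return [e["prefix"] for e in entries if e["expire_s"] is not None and e["expire_s"] <= seconds]


# The page's output plus one constructed static entry
SAMPLE = """\
Router#show ip nhrp detail
10.1.1.2/8 via 10.2.1.2, Tunnel1 created 00:00:12, expire 01:59:47
  Type: dynamic, Flags: authoritative unique nat registered used
  NBMA address: 10.12.1.2
10.1.1.1/32 via 10.1.1.1, Tunnel1 created 00:05:10, never expire
  Type: static, Flags: used
  NBMA address: 10.12.1.1
"""

if __name__ == "__main__":
    entries = parse_nhrp_detail(SAMPLE)
    for e in entries:
        print(e)
    print("from NHS:", learned_from_nhs(entries))
    print("expiring within 2 hours:", expiring_within(entries, 7200))
```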

Question 2

Which common issue causes intermittent DMVPN tunnel flaps?

A. a routing neighbor reachability issue
B. a suboptimal routing table
C. interface bandwidth congestion
D. that the GRE tunnel to hub router is not encrypted

Answer: A

Explanation

When DMVPN tunnels flap, check the neighborship between the routers as issues with
neighborship formation between routers may cause the DMVPN tunnel to flap. In order to
resolve this problem, make sure the neighborship between the routers is always up.
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-
protocols/29240-dcmvpn.html#Prblm1

Question 3

Which Cisco IOS VPN technology leverages IPsec, mGRE, dynamic routing protocol,
NHRP, and Cisco Express Forwarding?

A. FlexVPN
B. DMVPN
C. GETVPN
D. Cisco Easy VPN

Answer: B

Explanation

DMVPN is not a protocol, it is the combination of the following technologies:

+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

For more information about DMVPN, please read our DMVPN tutorial.

Question 4

A company has just opened two remote branch offices that need to be connected to the
corporate network. Which interface configuration output can be applied to the corporate
router to allow communication to the remote sites?

A. interface Tunnel0
bandwidth 1536
ip address 209.165.200.230 255.255.255.224
tunnel source Serial0/0
tunnel mode gre multipoint

B. interface fa0/0
bandwidth 1536
ip address 209.165.200.230 255.255.255.224
tunnel mode gre multipoint

C. interface Tunnel0
bandwidth 1536
ip address 209.165.200.231 255.255.255.224
tunnel source 209.165.201.1
tunnel-mode dynamic

D. interface fa 0/0
bandwidth 1536
ip address 209.165.200.231 255.255.255.224
tunnel source 192.168.161.2
tunnel destination 209.165.201.1
tunnel-mode dynamic

Answer: A

Explanation

To allow communication to multiple sites using only one tunnel interface, we need to
configure that tunnel in "multipoint" mode. Otherwise we would have to create many tunnel
interfaces, each of which can communicate with only one site.

Question 5

Which Cisco VPN technology can use multipoint tunnel, resulting in a single GRE tunnel
interface on the hub, to support multiple connections from multiple spoke devices?

A. DMVPN
B. GETVPN
C. Cisco Easy VPN
D. FlexVPN

Answer: A
Explanation

An mGRE tunnel inherits the concept of a classic GRE tunnel, but an mGRE tunnel does not
require a unique tunnel interface for each connection between hub and spoke as traditional
GRE does. One mGRE interface can terminate multiple GRE tunnels from the other end. Unlike
classic GRE tunnels, the tunnel destination of an mGRE tunnel does not have to be configured,
and all tunnels on spokes connecting to the mGRE interface of the hub can use the same subnet.

For more information about DMVPN, please read our DMVPN tutorial.

Question 6

A network administrator is troubleshooting a DMVPN setup between the hub and the spoke.
Which action should the administrator take before troubleshooting the IPsec configuration?

A. Verify the GRE tunnels
B. Verify ISAKMP
C. Verify NHRP
D. Verify crypto maps

Answer: A

Explanation

GRE tunnels are the first thing we have to configure to create a DMVPN network so we
should start troubleshooting from there. NHRP can only work properly with operating GRE
tunnels.

Question 7

Which protocol is used in a DMVPN network to map physical IP addresses to logical IP
addresses?

A. BGP
B. LLDP
C. EIGRP
D. NHRP

Answer: D

Question 8

A network engineer is troubleshooting a DMVPN setup between the hub and the spoke. The
engineer executes the command "show crypto isakmp sa" and observes the output that is
displayed. What is the problem?

A. That ISAKMP is not enabled
B. That ISAKMP is using default settings
C. An incompatible IPsec transform set
D. An incompatible ISAKMP policy

Answer: B

Explanation

The "show crypto isakmp sa" command displays all current Internet Key Exchange (IKE)
security associations (SAs) at a peer.

QM_IDLE state means this tunnel is UP and the IKE SA key exchange was successful, but the
SA is idle and may be used for subsequent quick mode exchanges. It is in a quiescent state (QM) ->
Answers A, C, D are incorrect so answer B is the only suitable answer left.

Question 9

A network engineer wants to display the statistics of an active tunnel on a DMVPN network.
Which command should the administrator execute to accomplish this task?

A. Router#show crypto ipsec sa
B. Router#show crypto isakmp peers
C. Router#show crypto isakmp sa
D. Router#show crypto ipsec transform-set
E. Router#show crypto engine connections active

Answer: A

Explanation

The DMVPN is comprised of IPsec/GRE tunnels that connect branch offices to the data
center. DMVPN troubleshooting requires the network engineer to verify neighbor links,
routing and VPN peer connectivity. The GRE protocol is required to support routing
advertisements. The VPN peer connection is comprised of IKE and IPsec security association
exchanges.

The command "show crypto ipsec sa" is used to verify IPsec connectivity between the branch
office and data center routers. We can also use this command to display the statistics of an
active tunnel on a DMVPN network.

Note:
+ The command "show crypto isakmp sa" is used on DMVPN to verify IKE connectivity
status to branch offices. The normal IKE state is QM_IDLE for branch routers and data center
routers.
+ The command "show crypto engine connections active" displays the total encrypts and
decrypts per SA.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-
protocols/29240-dcmvpn.html

Question 10

Which two phases of DMVPN allow the spoke sites to create dynamic tunnels to one another?
(Choose two)

A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4
E. Phase 5

Answer: B C

Question 11

Which two commands are configured on a DMVPN hub to enable phase 3? (Choose two)

A. ip nhrp interest
B. ip nhrp redirect
C. ip nhrp shortcut
D. ip network id
E. ip nhrp map
F. ip redirects

Answer: B C

Question 12

During which DMVPN phase is spoke-to-spoke communication enabled?

A. phase 2
B. phase 4
C. phase 5
D. phase 6
E. phase 1

Answer: A

Explanation

Both DMVPN Phase 2 and phase 3 support spoke to spoke communications (spokes talk to
each other directly). In this case there is only an option of phase 2 (not phase 3) so it is the
only correct answer.

Question 13

Which protocols support DMVPN?

A. EIGRP
B. RIPv2
C. OSPF
D. BGP
E. ISIS

Answer: A C D

Explanation

Some documents say RIPv2 also supports DMVPN, but EIGRP, OSPF and BGP are the better
choices so we should choose them.

Question 14

Which two protocols are required for DMVPN? (Choose two)

A. IPSec
B. PPTP
C. mGRE
D. NHRP
E. Open VPN

Answer: C D

Explanation

DMVPN is not a protocol, it is the combination of the following technologies:

+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

DMVPN combines multipoint GRE (mGRE) tunnels, IPsec encryption and NHRP (Next Hop
Resolution Protocol) to perform its job, saving the administrator from having to define multiple
static crypto maps and providing dynamic discovery of tunnel endpoints.

Question 15

What is the NHRP role in DMVPN? (Choose two)

A. Obtains the next-hop to be used for routing
B. Routes the packet through the tunnel
C. Identifies the PIM-SM RP used to route the packet
D. Can authenticate VPN endpoints
E. It requires each tunnel endpoint to have a unique network ID

Answer: A D

TCP UDP Questions
https://www.digitaltut.com/tcp-udp-questions

Question 1

Under which condition does UDP dominance occur?

A. when TCP traffic is in the same class as UDP
B. when UDP flows are assigned a lower priority queue
C. when WRED is enabled
D. when ACLs are in place to block TCP traffic

Answer: A

Explanation

It is a general best practice not to mix TCP-based traffic with UDP-based traffic (especially
streaming video) within a single service-provider class because of the behaviors of these
protocols during periods of congestion. Specifically, TCP transmitters throttle back flows
when drops are detected. Although some UDP applications have application-level
windowing, flow control, and retransmission capabilities, most UDP transmitters are
completely oblivious to drops and, thus, never lower transmission rates because of dropping.
When TCP flows are combined with UDP flows within a single service-provider class and
the class experiences congestion, TCP flows continually lower their transmission rates,
potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is
called TCP starvation/UDP dominance.

TCP starvation/UDP dominance likely occurs if TCP-based applications are assigned to the
same service-provider class as UDP-based applications and the class experiences sustained
congestion.

Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it
is beneficial to be aware of this behavior when making such application-mixing decisions
within a single service-provider class.

Reference:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/Qo
S-SRND-Book/VPNQoS.html

Question 2

Which two actions must you perform to enable and use window scaling on a router? (Choose
two)

A. Execute the command ip tcp window-size 65536.
B. Set window scaling to be used on the remote host.
C. Execute the command ip tcp queuemax.
D. Set TCP options to "enabled" on the remote host.
E. Execute the command ip tcp adjust-mss.

Answer: A B

Question 3

Which three TCP enhancements can be used with TCP selective acknowledgments? (Choose
three)

A. header compression
B. explicit congestion notification
C. keepalive
D. time stamps
E. TCP path discovery
F. MTU window

Answer: B C D

Explanation

TCP Selective Acknowledgement (SACK) prevents unnecessary retransmissions by
specifying successfully received subsequent data. Let's see an example of the advantages of
TCP SACK.

(Figure: TCP Selective Acknowledgement compared with TCP (normal) Acknowledgement)

For TCP (normal) acknowledgement, when a client requests data, the server sends the first
three segments (the name for packets at Layer 4): Segment#1, #2, #3. But suppose Segment#2
was lost somewhere on the network while Segment#3 still reached the client. The client checks
Segment#3 and realizes Segment#2 is missing, so it can only acknowledge that it received
Segment#1 successfully. The client received Segment#1 and #3, so it sends ACK#1 twice to alert
the server that it has not received any data beyond Segment#1. After receiving these ACKs,
the server must resend Segment#2 and #3 and wait for the ACKs of these segments.

For TCP Selective Acknowledgement, the process is the same until the client realizes
Segment#2 is missing. It also sends ACK#1, but adds a SACK option to indicate that it has received
Segment#3 successfully (so there is no need to retransmit this segment). Therefore the server only
needs to resend Segment#2. But notice that after receiving Segment#2, the client sends
ACK#3 (not ACK#2) to indicate that it now has all of the first three segments. The server will then
continue sending Segment#4, #5, …

The SACK option is not mandatory and it is used only if both parties support it.

The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to
notify end hosts of impending network congestion. It also provides enhanced support for TCP
sessions associated with applications, such as Telnet, web browsing, and transfer of audio and
video data that are sensitive to delay or packet loss. The benefit of this feature is the reduction
of delay and packet loss in data transmissions. Use the "ip tcp ecn" command in global
configuration mode to enable TCP ECN.

The TCP time-stamp option provides improved TCP round-trip time measurements. Because
the time stamps are always sent and echoed in both directions and the time-stamp value in the
header is always changing, TCP header compression will not compress the outgoing packet.
Use the "ip tcp timestamp" command to enable the TCP time-stamp option.

The TCP Keepalive Timer feature provides a mechanism to identify dead connections.
When a TCP connection on a routing device is idle for too long, the device sends a TCP
keepalive packet to the peer with only the Acknowledgment (ACK) flag turned on. If a
response packet (a TCP ACK packet) is not received after the device sends a specific number
of probes, the connection is considered dead and the device initiating the probes frees
resources used by the TCP connection.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-
3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html
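The segment walk-through above, as an added Python model that is not part of the original page: the receiver builds its acknowledgement from the set of segments it has, with or without SACK blocks, and the sender decides what to retransmit from that acknowledgement. Segments are numbered 1, 2, 3, … as in the text rather than by byte sequence numbers, and the two duplicate ACK#1 messages of the text are collapsed into one acknowledgement state; those simplifications and the function names are assumptions of the example.

```python
"""Receiver acknowledgement with and without TCP SACK, following the walk-through above.

Added example, not from the original page; segments are numbered 1, 2, 3, ... as in the text.
"""


def cumulative_ack(received) -> int:
    """Highest n such that segments 1..n have all arrived (the classic ACK number)."""
    n = 0
    while n + 1 in received:
        n += 1
    return n


def sack_blocks(received, cum) -> list:
    """Contiguous runs of segments received above the cumulative ACK, as (first, last) pairs."""
    blocks = []
    for s in sorted(x for x in received if x > cum):
        if blocks and blocks[-1][1] == s - 1:
            blocks[-1] = (blocks[-1][0], s)
        else:
            blocks.append((s, s))
    return blocks


def build_ack(received, use_sack: bool) -> dict:
    """What the receiver puts on the wire: the cumulative ACK and, if enabled, SACK blocks."""
    cum = cumulative_ack(received)
    return {"ack": cum, "sack": sack_blocks(received, cum) if use_sack else []}


def segments_to_resend(sent_through: int, ack: dict) -> list:
    """Sender's view: without SACK everything after the ACK is resent; with SACK only the holes."""
    if not ack["sack"]:
        return list(range(ack["ack"] + 1, sent_through + 1))
    covered = set(range(1, ack["ack"] + 1))
    for first, last in ack["sack"]:
        covered.update(range(first, last + 1))
    return [s for s in range(1, sent_through + 1) if s not in covered]


def exchange(sent_through: int, lost, use_sack: bool) -> dict:
    """Run the page's scenario: server sends 1..sent_through, `lost` never arrive, then one repair."""
    received = set(range(1, sent_through + 1)) - set(lost)
    acks = [build_ack(received, use_sack)]        # the ACK sent once the loss is noticed
    resend = segments_to_resend(sent_through, acks[-1])
    received.update(resend)                       # the retransmissions arrive
    acks.append(build_ack(received, use_sack))    # the ACK after the repair
    return {"resent": resend, "acks": acks}


if __name__ == "__main__":
    print("normal:", exchange(3, lost=[2], use_sack=False))   # resends 2 and 3
    print("sack:  ", exchange(3, lost=[2], use_sack=True))    # resends only 2, then ACK#3
```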

Question 4

A network engineer notices that transmission rates of senders of TCP traffic sharply increase
and decrease simultaneously during periods of congestion. Which condition causes this?

A. global synchronization
B. tail drop
C. random early detection
D. queue management algorithm

Answer: A

Explanation

Global synchronization occurs when multiple TCP hosts reduce their transmission rates in
response to congestion. But when congestion is reduced, TCP hosts try to increase their
transmission rates again simultaneously (the slow-start algorithm), which causes
another round of congestion. Plotted over time, global synchronization produces a sawtooth
graph of aggregate throughput.

Global synchronization reduces the optimal throughput of network applications, and tail drop
contributes to this phenomenon. When an interface on a router cannot transmit a packet
immediately, the packet is queued. Packets are then taken out of the queue and eventually
transmitted on the interface. But if the arrival rate of packets to the output interface exceeds
the ability of the router to buffer and forward traffic, the queues increase to their maximum
length and the interface becomes congested. Tail drop is the default queuing response to
congestion. Tail drop simply means "drop all the traffic that exceeds the queue limit". Tail
drop treats all traffic equally and does not differentiate among classes of service.

Question 5

Which three problems result from application mixing of UDP and TCP streams within a
network with no QoS? (Choose three)

A. starvation
B. jitter
C. latency
D. windowing
E. lower throughput

Answer: A C E

Explanation

When TCP is mixing with UDP under congestion, TCP flows will try to lower their
transmission rate while UDP flows continue transmitting as usual. As a result of this, UDP
flows will dominate the bandwidth of the link and this effect is called TCP-starvation/UDP-
dominance. This can increase latency and lower the overall throughput.
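The following Python model, added here to illustrate the explanations of TCP starvation/UDP dominance (Questions 1 and 5) and of global synchronization under tail drop (Question 4), is not from the original page or from Cisco. It is a deliberately simple round-based model: one round is one RTT, every TCP flow adds one packet to its window per round and halves it on loss, UDP flows send a fixed rate, and a tail-drop queue discards the excess proportionally from every flow that is sending. The capacity and the flow rates are constructed values.

```python
"""Round-based model of TCP and UDP flows sharing a tail-drop queue.

Added example for this page, not Cisco code. One round is one RTT; TCP flows follow
additive increase / multiplicative decrease, UDP flows send at a fixed rate, and the
tail-drop queue discards the excess proportionally from every flow that is sending.
"""


def simulate(capacity, n_tcp, udp_rates, rounds):
    """Return one record per round with each TCP cwnd and what TCP/UDP actually delivered."""
    cwnd = [1] * n_tcp  # every TCP flow starts with a one-packet window
    history = []
    for _ in range(rounds):
        demand = sum(cwnd) + sum(udp_rates)
        share = min(1.0, capacity / demand) if demand else 1.0  # fraction surviving tail drop
        congested = demand > capacity
        history.append({
            "cwnd": list(cwnd),
            "tcp_delivered": sum(cwnd) * share,
            "udp_delivered": sum(udp_rates) * share,
            "congested": congested,
        })
        # TCP reacts to the loss, UDP does not: that asymmetry is the whole story.
        for i in range(n_tcp):
            cwnd[i] = max(1, cwnd[i] // 2) if congested else cwnd[i] + 1
    return history


def per_flow_rates(history, n_tcp, n_udp, settle=10):
    """Average delivered packets per round for one TCP flow and one UDP flow, after settling."""
    tail = history[settle:]
    tcp = sum(r["tcp_delivered"] for r in tail) / len(tail) / n_tcp
    udp = sum(r["udp_delivered"] for r in tail) / len(tail) / n_udp if n_udp else 0.0
    return tcp, udp


def udp_share(history, settle=10):
    """Fraction of delivered traffic that was UDP once the flows have settled."""
    tail = history[settle:]
    total = sum(r["tcp_delivered"] + r["udp_delivered"] for r in tail)
    return sum(r["udp_delivered"] for r in tail) / total


def globally_synchronized(history):
    """True when every TCP flow has the same cwnd in every round: they rise and fall together."""
    return all(min(r["cwnd"]) == max(r["cwnd"]) for r in history)


def min_utilization(history, capacity, settle=10):
    """Trough of the sawtooth: the lowest link utilization after the flows have settled."""
    return min((r["tcp_delivered"] + r["udp_delivered"]) / capacity for r in history[settle:])


if __name__ == "__main__":
    cap = 40                                               # constructed capacity, packets per round
    tcp_only = simulate(cap, n_tcp=4, udp_rates=[], rounds=40)
    print("synchronized:", globally_synchronized(tcp_only),
          "trough utilization: %.2f" % min_utilization(tcp_only, cap))
    mixed = simulate(cap, n_tcp=4, udp_rates=[15, 15], rounds=40)
    print("per-flow rate TCP vs UDP: %.2f vs %.2f" % per_flow_rates(mixed, 4, 2))
    print("UDP share of delivered traffic: %.2f" % udp_share(mixed))
```

With TCP flows only, every flow loses packets in the same round and halves together, so the link drops to half utilization right after each loss event (the global synchronization sawtooth). Add two UDP flows that together offer three quarters of the capacity and the TCP flows never get past a few packets per round each while the UDP flows keep almost all of theirs: the starvation the explanations describe.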

Question 6

A network administrator uses IP SLA to measure UDP performance and notices that packets
on one router have a higher one-way delay compared to the opposite direction. Which UDP
characteristic does this scenario describe?

A. latency
B. starvation
C. connectionless communication
D. nonsequencing unordered packets
E. jitter

Answer: A

Question 7

A network engineer is configuring a routed interface to forward broadcasts of UDP 69, 53,
and 49 to 172.20.14.225. Which command should be applied to the configuration to allow
this?

A. router(config-if)#ip helper-address 172.20.14.225
B. router(config-if)#udp helper-address 172.20.14.225
C. router(config-if)#ip udp helper-address 172.20.14.225
D. router(config-if)#ip helper-address 172.20.14.225 69 53 49

Answer: A

Question 8

Which traffic characteristic is the reason that UDP traffic that carries voice and video is
assigned to the queue only on a link that is at least 768 kbps?

A. typically is not fragmented
B. typically is fragmented
C. causes windowing
D. causes excessive delays for video traffic

Answer: A

Explanation
If the speed of an interface is equal to or less than 768 kbps (half of a T1 link), it is considered a
low-speed interface. The half T1 only offers enough bandwidth to allow voice packets to
enter and leave without delay issues. Therefore if the speed of the link is smaller than 768
kbps, it should not be configured with a queue.

Question 9

Which two attributes describe UDP within a TCP/IP network? (Choose two)

A. Acknowledgments
B. Unreliable delivery
C. Connectionless communication
D. Connection-oriented communication
E. Increased headers

Answer: B C

Question 10

A network engineer wants to ensure an optimal end-to-end delay bandwidth product. The
delay is less than 64 KB. Which TCP feature ensures steady state throughput?

A. Window scaling
B. Network buffers
C. Round-trip timers
D. TCP acknowledgments

Answer: A

Explanation

First we need to understand about bandwidth-delay product.

Bandwidth-delay product (BDP) is the maximum amount of data "in transit" at any point in
time between two endpoints. In other words, it is the amount of data "in flight" needed to
saturate the link. You can think of the link between two devices as a pipe. The cross section of
the pipe represents the bandwidth and the length of the pipe represents the delay (the
propagation delay due to the length of the pipe).

Therefore the volume of the pipe = Bandwidth x Delay (or Round-Trip Time). The volume
of the pipe is also the BDP.

For example, if the total bandwidth is 64 kbps and the RTT is 3 seconds, the formula to
calculate BDP is:

BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 =
192,000 bits

-> BDP (bytes) = 192,000 / 8 = 24,000 bytes

Therefore we need 24 KB in flight to fill this link.

For your information, BDP is very important in TCP communication as it optimizes the use
of bandwidth on a link. As you know, a disadvantage of TCP is that it has to wait for an
acknowledgment from the receiver before sending more data. The waiting time may be
very long and we may not utilize the full bandwidth of the link for the transmission.

Based on the BDP, the sending host can increase the amount of data sent on a link (usually by
increasing the window size). In other words, the sending host can fill the whole pipe with
data and no bandwidth is wasted.

In conclusion, if we want an optimal end-to-end delay bandwidth product, TCP must use the
window scaling feature so that we can fill the entire "pipe" with data.
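As an added example (not from the original page), the Python below carries the BDP calculation above through to the question it raises in practice: how large a TCP window the path needs, whether that fits in the 16-bit window field (65,535 bytes), and if not, which window-scale shift count (RFC 7323, at most 14) the endpoints must negotiate. It also generalizes beyond the 64 kbps, 3 s case to a 1 Gbps link with a 50 ms RTT; both sets of numbers and the function names are constructed for the example.

```python
"""Bandwidth-delay product and the TCP window needed to keep a path full.

Added example for this page; it generalizes the 64 kbps / 3 s calculation above to any
link and shows when RFC 7323 window scaling becomes necessary.
"""

MAX_UNSCALED_WINDOW = 65535   # the 16-bit window field in the TCP header
MAX_SHIFT = 14                # largest shift count RFC 7323 allows


def bdp_bytes(bandwidth_bps: float, rtt_s: float) -> float:
    """Bytes in flight needed to saturate the path: bandwidth x round-trip time, in bytes."""
    return bandwidth_bps * rtt_s / 8


def window_scale_shift(window_bytes: float):
    """Smallest shift count whose scaled 16-bit window covers the required window.

    Returns None if even the maximum shift cannot (65535 << 14 is about 1 GiB).
    """
    for shift in range(MAX_SHIFT + 1):
        if MAX_UNSCALED_WINDOW << shift >= window_bytes:
            return shift
    return None


def max_throughput_bps(window_bytes: float, rtt_s: float) -> float:
    """Throughput ceiling imposed by a window: at most one window per round trip."""
    return window_bytes * 8 / rtt_s


def plan(bandwidth_bps: float, rtt_s: float) -> dict:
    """Summarize what it takes to fill the pipe on a given path."""
    bdp = bdp_bytes(bandwidth_bps, rtt_s)
    return {
        "bdp_bytes": bdp,
        "needs_scaling": bdp > MAX_UNSCALED_WINDOW,
        "shift": window_scale_shift(bdp),
        # what an endpoint without window scaling could reach on this RTT
        "unscaled_ceiling_bps": max_throughput_bps(MAX_UNSCALED_WINDOW, rtt_s),
    }


if __name__ == "__main__":
    print("page example (64 kbps, 3 s):", plan(64_000, 3.0))          # 24,000 bytes, no scaling needed
    print("1 Gbps, 50 ms RTT:", plan(1_000_000_000, 0.050))           # 6.25 MB, needs shift 7
```

For the page's numbers the 24,000-byte BDP fits inside the unscaled window, so window scaling is only a precaution there; on the gigabit path the unscaled window caps a single connection near 10 Mbps, and a shift of 7 is the smallest that lets the receiver advertise the 6.25 MB the path needs.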

TCP UDP Questions 2
https://www.digitaltut.com/tcp-udp-questions-2

Question 1

Your company uses Voice over IP (VoIP). The system sends UDP datagrams containing the
voice data between communicating hosts. When areas of the network become busy, some of
the datagrams arrive at their destination out of order. What happens when this occurs?

A. UDP will send an ICMP Information request message to the source host.
B. UDP will pass the information in the datagrams up to the next OSI layer in the order in
which they arrive.
C. UDP will drop the datagrams that arrive out of order.
D. UDP will use the sequence numbers in the datagram headers to reassemble the data into
the correct order.
E. UDP will not acknowledge the datagrams and wait for a retransmission of the datagrams.

Answer: B
Explanation

Unlike TCP which uses the sequence numbers to rearrange the segments when they arrive out
of order, UDP just passes the received datagrams to the next OSI layer (the Session Layer) in
the order in which they arrived.

Question 2

A network engineer applies the command "ip tcp adjust-mss" under interface configuration
mode. What is the result?

A. The probability of SYN packet truncation is increased.
B. The UDP session is inversely affected.
C. The probability of dropped or segmented TCP packets is decreased.
D. The optimum MTU value for the interface is set.

Answer: C

Question 3

Which option is one way to mitigate asymmetric routing on an active/active firewall setup for
TCP-based connections?

A. performing packet captures
B. disabling asr-group commands on interfaces that are likely to receive asymmetric traffic
C. replacing them with redundant routers and allowing load balancing
D. disabling stateful TCP checks

Answer: D

Explanation

In Asymmetric routing, a packet traverses from a source to a destination in one path and takes
a different path when it returns to the source. This is commonly seen in Layer-3 routed
networks.

Issues to Consider with Asymmetric Routing

Asymmetric routing is not a problem by itself, but will cause problems when Network
Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls,
state information is built when the packets flow from a higher security domain to a lower
security domain. The firewall will be an exit point from one security domain to the other. If
the return path passes through another firewall, the packet will not be allowed to traverse the
firewall from the lower to higher security domain because the firewall in the return path will
not have any state information. The state information exists in the first firewall.
Reference:
http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200903.html

Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate
asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a
TCP connection even if the ASA didn't see the entire TCP 3-way handshake. This feature is
called TCP State Bypass.

Reference: https://supportforums.cisco.com/document/55536/asa-asymmetric-routing-
troubleshooting-and-mitigation

Note: The active/active firewall topology uses two firewalls that are both actively providing
firewall services.
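As an added model (not from the original page and not ASA code), the Python below shows why the return path fails in the active/active scenario above and what TCP state bypass changes: each firewall keeps its own connection table keyed on the 5-tuple, creates state only when it sees the inside host open the connection, and drops any packet it has no state for. The addresses, ports and the bypass-by-port rule are constructed for the example; on a real firewall the bypass is applied per traffic class, not per port as here.

```python
"""Why asymmetric routing breaks stateful inspection, and what TCP state bypass changes.

Added example, a simplified model rather than ASA code: each firewall keeps its own
connection table, admits a TCP flow only after seeing its SYN from the inside, and
otherwise drops packets it has no state for.
"""


class StatefulFirewall:
    def __init__(self, name, bypass_ports=()):
        self.name = name
        self.conns = set()                        # direction-independent 5-tuples with state
        self.bypass_ports = set(bypass_ports)     # constructed stand-in for a TCP state bypass class

    @staticmethod
    def key(pkt):
        """Direction-independent connection key so a reply matches its request."""
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a <= b else b + a)

    def handle(self, pkt):
        """Return 'permit' or 'drop' for one packet and update the connection table."""
        k = self.key(pkt)
        if pkt["proto"] == "tcp" and (pkt["dport"] in self.bypass_ports
                                      or pkt["sport"] in self.bypass_ports):
            return "permit"        # TCP state bypass: no handshake tracking for this traffic
        if pkt["from_inside"] and "SYN" in pkt["flags"]:
            self.conns.add(k)      # the inside host opened a connection: create state
            return "permit"
        return "permit" if k in self.conns else "drop"


def run_flow(out_fw, back_fw):
    """An inside client opens TCP/443 to a server; the reply comes back through `back_fw`."""
    # constructed packets: 10.1.1.10 is the inside client, 203.0.113.5 the outside server
    syn = {"proto": "tcp", "src": "10.1.1.10", "sport": 40000, "dst": "203.0.113.5",
           "dport": 443, "flags": {"SYN"}, "from_inside": True}
    synack = {"proto": "tcp", "src": "203.0.113.5", "sport": 443, "dst": "10.1.1.10",
              "dport": 40000, "flags": {"SYN", "ACK"}, "from_inside": False}
    return [out_fw.handle(syn), back_fw.handle(synack)]


if __name__ == "__main__":
    fw1, fw2 = StatefulFirewall("FW1"), StatefulFirewall("FW2")
    print("symmetric  :", run_flow(fw1, fw1))   # the reply hits the firewall that holds the state
    print("asymmetric :", run_flow(fw1, fw2))   # FW2 never saw the SYN, so the SYN/ACK is dropped
    fw2_bypass = StatefulFirewall("FW2", bypass_ports={443})
    print("with bypass:", run_flow(fw1, fw2_bypass))   # permitted, at the cost of the handshake check
```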

Question 4

Which problem can be caused by latency on a UDP stream?

A. The device that sends the stream is forced to hold data in the buffer for a longer period of
time.
B. The overall throughput of the stream is decreased.
C. The device that receives the stream is forced to hold data in the buffer for a longer period
of time.
D. The devices at each end of the stream are forced to negotiate a smaller window size.

Answer: C

Explanation

A device that sends UDP packets assumes that they reach the destination. There is no
mechanism to alert senders that the packet has arrived -> Answer A is not correct.

UDP throughput is not impacted by latency because the sender does not have to wait for the
ACK to be sent back -> Answer B is not correct.

UDP does not negotiate how the connection will work, UDP just transmits and hopes for the
best -> D is not correct.

Therefore only answer C is left.

Question 5

What show command is used here?

TCB Local Address Foreign Address (state)
6523A4FC 10.1.25.3.11000 10.1.25.3.23 ESTAB
65239A84 10.1.25.3.23 10.1.25.3.11000 ESTAB
653FCBBC *.1723 *.* LISTEN

A. show tcp brief
B. show tcp brief all
C. show tcp brief numeric
D. show tcp brief ip

Answer: C

Explanation

The command "show tcp brief numeric" displays a concise description of TCP connection
endpoints, with addresses and ports shown numerically.

Question 6

Congestion in the network. What is the effect on UDP?

A. Sender will have to buffer more data
B. Receiver will have to buffer more data before sending packets to higher layers
C. There will be latency

Answer: C

Question 7

Which two protocols can cause TCP starvation? (Choose two)

A. TFTP
B. SNMP
C. SMTP
D. HTTPS
E. FTP

Answer: A B

Explanation

TCP starvation/UDP dominance likely occurs if TCP-based applications are assigned to the
same service-provider class as UDP-based applications and the class experiences sustained
congestion.

TFTP (runs on UDP port 69) and SNMP (runs on UDP ports 161/162) are two protocols which
run on UDP, so they can cause TCP starvation.

Note: SMTP runs on TCP port 25; HTTPS runs on TCP port 443; FTP runs on TCP ports
20/21

RIP Questions
https://www.digitaltut.com/rip-questions

Question 1

Refer to the exhibit. The network setup is running the RIP routing protocol. Which two
events will occur following link failure between R2 and R3? (Choose two)

A. R2 will advertise network 192.168.2.0/27 with a hop count of 16 to R1.
B. R2 will not send any advertisements and will remove route 192.168.2.0/27 from its routing
table.
C. R1 will reply to R2 with the advertisement for network 192.168.2.0/27 with a hop count of
16.
D. After communication fails and after the hold-down timer expires, R1 will remove the
192.168.2.0/27 route from its routing table.
E. R3 will not accept any further updates from R2, due to the split-horizon loop prevention
mechanism.

Answer: A C

Question 2

What is the maximum hop count with RIP?

A. 15
B. 255
C. 0
D. 16

Answer: A

Question 3

RIPv2 Question. Cannot receive RIP updates. Why?

A. Firewall Port block UDP 520
B. Firewall Port block TCP 520
C. Firewall Port block UDP 502
D. Firewall Port block TCP 502

Answer: A

Question 4

An engineer has to enable RIP on a link. Where will he issue the command?

A. IPv6
B. Global
C. Router sub command
D. Interface sub command

Answer: C

Explanation

RIP can only be turned on under the router sub command (in Router(config-router)# mode).
Unlike OSPF or EIGRP, RIP cannot be enabled from the interface sub command
(Router(config-if)# mode).

OSPF Questions
https://www.digitaltut.com/ospf-questions

Question 1

The OSPF database of a router shows LSA types 1, 2, 3, and 7 only. Which type of area is
this router connected to?

A. stub area
B. totally stubby area
C. backbone area
D. not-so-stubby area

Answer: D

Explanation

LSA Type 7 is generated by an ASBR inside a Not So Stubby Area (NSSA) to describe
routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA.
These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5, N2
is a static cost while N1 is a cumulative cost that includes the cost up to the ASBR -> LSA
Type 7 only exists in an NSSA area.

Question 2

Refer to the exhibit.

Which option prevents routing updates from being sent to the DHCP router, while still
allowing routing update messages to flow to the Internet router and the distribution switches?

A.
DHCP(config-router)# passive-interface default
DHCP(config-router)# no passive-interface Gi1/0
Internet(config-router)# passive-interface Gi0/1
Internet(config-router)# passive-interface Gi0/2

B.
Core(config-router)# passive-interface Gi0/0
Core(config-router)# passive-interface Gi3/1
Core(config-router)# passive-interface Gi3/2
DHCP(config-router)# no passive-interface Gi1/0

C.
Core(config-router)# passive-interface default
Core(config-router)# no passive-interface Gi0/0
Core(config-router)# no passive-interface Gi3/1
Core(config-router)# no passive-interface Gi3/2

D.
Internet(config-router)# passive-interface default
Core(config-router)# passive-interface default
DSW1(config-router)# passive-interface default
DSW2(config-router)# passive-interface default

Answer: C

Question 3

Refer to the exhibit.

Which option prevents routing updates from being sent to the access layer switches?

A.
DWS1(config-router)# passive-interface default
DWS2(config-router)# passive-interface default
B.
ALS1(config-router)# passive-interface default
ALS2(config-router)# passive-interface default
C.
DWS1(config-router)# passive-interface gi1/1
DWS1(config-router)# passive-interface gi1/2
DWS2(config-router)# passive-interface gi1/1
DWS2(config-router)# passive-interface gi1/2
D.
ALS1(config-router)# passive-interface gi0/1
ALS1(config-router)# passive-interface gi0/2
ALS2(config-router)# passive-interface gi0/1
ALS2(config-router)# passive-interface gi0/2

Answer: C

Explanation

Answer B is not correct because using the "passive-interface" command on ASW1 & ASW2
does not prevent DSW1 & DSW2 from sending routing updates to the two access layer switches.

Question 4

Refer to the exhibit showing complete command output. What type of OSPF router is Router
A?

A. internal router
B. ASBR
C. ABR
D. edge router

Answer: C

Explanation

From the output above, we see the following LSAs:

+ Router Link States (Area 0): LSA Type 1 (Area 0)
+ Net Link States (Area 0): LSA Type 2 (Area 0)
+ Summary Net Link States (Area 0): LSA Type 3 (Area 0)
+ Router link States (Area 4): LSA Type 1 (Area 4)
+ Net Link States (Area 4): LSA Type 2 (Area 4)
+ Summary Net Link States (Area 4): LSA Type 3 (Area 4)

There are two areas represented on this router, which are Area 0 & Area 4. So we conclude
this is an ABR router.

Just for your information, from the Router Link States (Area 0) part, we only see one entry
15.15.15.33. It is both the Link ID and ADV Router so we can conclude this is an IP address
of one of the interfaces on the local router.

Question 5

What is the meaning of priority 0 configured on an OSPF router?

A. That router cannot participate in the election of DR (or something like that).
B. That router has the highest priority to become a DR
C. That router will not advertise any OSPF route
D. Priority 0 does not exist

Answer: A

Question 6

Which OSPF network types don't require a DR/BDR election? (Choose two)

A. Broadcast
B. Point to point
C. Non-Broadcast
D. Point-to-multipoint

Answer: B D

Question 7

A network engineer enables OSPF on a Frame Relay WAN connection to various remote
sites, but no OSPF adjacencies come up. Which two actions are possible solutions for this
issue? (Choose two)

A. Change the network type to point-to-multipoint under WAN interface
B. Enable virtual links
C. Change the network type to nonbroadcast multipoint access
D. Configure the neighbor command under OSPF process for each remote site
E. Ensure that the OSPF process number matches among all remote sites

Answer: A D

Explanation

When OSPF is run on a network, two important events happen before routing information is
exchanged:
+ Neighbors are discovered using multicast hello packets.
+ DR and BDR are elected for every multi-access network to optimize the adjacency building
process. All the routers in that segment should be able to communicate directly with the DR
and BDR for proper adjacency (in the case of a point-to-point network, DR and BDR are not
necessary since there are only two routers in the segment, and hence the election does not
take place).
For a successful neighbor discovery on a segment, the network must allow broadcasts or
multicast packets to be sent.

In an NBMA network topology, which is inherently nonbroadcast, neighbors are not
discovered automatically. OSPF tries to elect a DR and a BDR due to the multi-access
nature of the network, but the election fails since neighbors are not discovered. Neighbors
must be configured manually to overcome these problems -> C is not correct while D is
correct.

In a Point-to-Multipoint network: This is a collection of point-to-point links between various
devices on a segment. These networks also allow broadcast or multicast packets to be sent
over the network. These networks can represent the multi-access segment as multiple
point-to-point links that connect all the devices on the segment. -> A is correct.

Question 8

A new backup router replaces a faulty one in an OSPF domain, but the neighbor relationship
on one interface only is not working. What is the reason for this problem? (Choose two)

A. area ID mismatch
B. authentication mismatch
C. process id of OSPF not match
D. OSPF timers not match

Answer: A B D (?)

Explanation

OSPF forms neighbor relationship with other OSPF routers on the same segment by
exchanging hello packets. The hello packets contain various parameters. Some of them
should match between neighboring routers. These include:
+ Hello and Dead intervals
+ Area ID
+ Authentication type and password
+ Stub Area flag
+ Subnet ID and Subnet mask

So there are three correct answers in this question. Maybe in the exam you will see only two
correct answers.

Question 9

Which OSPF areas prevent LSA type 4, LSA type 5? (Choose two)

A. Not-so-stubby area
B. Total stubby area
C. Stubby area
D. Normal area
E. Backbone area
F. Not-so-stubby totally stub area

Answer: B F

Explanation

Let's have a quick review of LSAs Type 4 & 5:

Summary ASBR LSA (Type 4) – Generated by the ABR to describe an ASBR to routers in
other areas so that routers in other areas know how to get to external routes through that
ASBR. For example, suppose R8 is redistributing external routes (EIGRP, RIP…) to R3. This
makes R3 an Autonomous System Boundary Router (ASBR). When R2 (which is an ABR)
receives this LSA Type 1 update, R2 will create an LSA Type 4 and flood it into Area 0 to
inform the routers there how to reach R3. When R5 receives this LSA it also floods it into Area 2.

In the above example, the only ASBR belongs to area 1 so the two ABRs send LSA Type 4 to
area 0 & area 2 (not vice versa). This is an indication of the existence of the ASBR in area 1.

Note:
+ Type 4 LSAs contain the router ID of the ASBR.
+ There are no LSA Type 4 injected into Area 1 because every router inside area 1 knows
how to reach R3. R3 only uses LSA Type 1 to inform R2 about R8 and inform R2 that R3 is
an ASBR.

External Link LSA (LSA 5) – Generated by the ASBR to describe routes redistributed into the
area and point the destination for these external routes to the ASBR. These routes appear as
O E1 or O E2 in the routing table. In the topology below, R3 generates LSAs Type 5 to
describe the external routes redistributed from R8, floods them to all other routers and tells
them "hey, if you want to reach these external routes, send your packets to me!". But other
routers will ask "how can I reach you? You didn't tell me where you are in your LSA Type
5!". And that is what LSA Type 4 does – tell other routers in other areas where the ASBR is!

Each OSPF area only allows some specific LSAs to pass through. Below is a summarization
of which LSAs are allowed in each OSPF area:

Area / Restriction:
+ Normal: None
+ Stub: No Type 5 AS-external LSA allowed
+ Totally Stub: No Type 3, 4 or 5 LSAs allowed except the default summary route
+ NSSA: No Type 5 AS-external LSAs allowed, but Type 7 LSAs that convert to Type 5 at the
NSSA ABR can traverse
+ NSSA Totally Stub: No Type 3, 4 or 5 LSAs except the default summary route, but Type 7
LSAs that convert to Type 5 at the NSSA ABR are allowed

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13703-8.html

Therefore there are two OSPF areas that prevent LSAs Type 4 & 5: Totally Stub & NSSA
Totally Stub areas

OSPF Questions 2
https://www.digitaltut.com/ospf-questions-2-2

Question 1
When OSPF is forming an adjacency, in which state does the actual exchange of link-state
information occur?

A. INIT
B. loading
C. exstart
D. exchange

Answer: B

Explanation

Loading: In this state, the actual exchange of link state information occurs. Based on the
information provided by the DBDs, routers send link-state request packets. The neighbor then
provides the requested link-state information in link-state update packets. During the
adjacency, if a router receives an outdated or missing LSA, it requests that LSA by sending a
link-state request packet. All link-state update packets are acknowledged.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13685-13.html

Question 2

OSPF chooses routes in which order, regardless of the route's administrative distance and metric?

A. Interarea
B. Intra-area
C. NSSA type1
D. NSSA type 2
E. External type1
F. External type2

Answer:

Order: B A E F C D (Intra-Area (O); Inter-Area (O IA); External Type 1 (E1); External Type
2 (E2); NSSA Type 1 (N1); NSSA Type 2 (N2))

Question 3

Refer to the exhibit. A network engineer executes the show ipv6 ospf database command
and is presented with the output that is shown. Which flooding scope is referenced in the
link-state type?

(Exhibit missing)
A. link-local
B. area
C. AS (OSPF domain)
D. reserved

Answer: B

Question 4

area 1 range 10.1.0.0 255.255.0.0
summary-address 10.1.0.0 255.255.0.0

What is the effect of those two commands?

A. area 1 range: command applied to summarize internal OSPF routes (ABR)
B. area 1 range: command applied to summarize external OSPF routes (ASBR)
C. Summary address: command applied to summarize external OSPF routes (ASBR)
D. Summary address: command applied to summarize internal OSPF routes (ABR)

Answer: A C

Question 5

Which LSAs are present in an OSPF stub area?

A. LSA 1,2,3,4,5
B. LSA 1,2,5
C. LSA 1,2,3
D. LSA 3,5

Answer: C

Explanation

+ Standard areas can contain LSAs of type 1, 2, 3, 4, and 5, and may contain an ASBR. The
backbone is considered a standard area.
+ Stub areas can contain type 1, 2, and 3 LSAs. A default route is substituted for external
routes.
+ Totally stubby areas can only contain type 1 and 2 LSAs, and a single type 3 LSA. The
type 3 LSA describes a default route, substituted for all external and inter-area routes.
+ Not-so-stubby areas implement stub or totally stubby functionality yet contain an ASBR.
Type 7 LSAs generated by the ASBR are converted to type 5 by ABRs to be flooded to the
rest of the OSPF domain.
Reference: http://packetlife.net/blog/2008/jun/24/ospf-area-types/

Question 6

Which OSPF area has type 7 LSA?

A. NSSA
B. Total stubby
C. Stubby area
D. Normal area

Answer: A

Explanation

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to
the ASBR.

Question 7

Which type of address does OSPFv3 use to form neighbor adjacencies and to send LSAs?

A. unicast IPv6 addresses
B. link-local addresses
C. multicast address FF02::5
D. unicast IPv4 addresses

Answer: C

Explanation

OSPFv3 uses the well-known IPv6 multicast address FF02::5 to communicate with
neighbors. The FF02::5 multicast address is known as the AllSPFRouters address. All
OSPFv3 routers must join this multicast group and listen to packets for this multicast group.
The OSPFv3 Hello packets are sent to this address.

Note: All other routers (non DR and non BDR) establish adjacency with the DR and the BDR
and use the IPv6 multicast address FF02::6 (known as AllDRouters address) to send LSA
updates to the DR and BDR.

The answer "link-local addresses" is also correct. The reason is that OSPFv3 routers use the
link-local addresses (FE80::/10) on their interfaces as the source address to send Hello packets to
FF02::5 (the destination address). So in fact this question is not clear and there are two
correct answers here.

Note: The two IPv6 multicast addresses FF02::5 and FF02::6 have link-local scope.

Question 8

Which LSA type can exist only in an OSPF NSSA area?

A. type 7 LSA
B. type 1 LSA
C. type 5 LSA
D. type 3 LSA

Answer: A

Explanation

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to
the ASBR.

Question 9

A route map was configured and it was distributing OSPF external routes.
A. Distributing E1 only
B. Distributing E1 and E2 using prefix list
C. Distributing E1 and E2 using access list
D. Distributing E2 routes

Answer: B

Question 10

You have a router with both a 10 Gbps interface and a 1 Gbps interface configured. Which
command do you use so that OSPF takes the higher bandwidth into account?

A. auto-cost reference-bandwidth 10000
B. cost 10000
C. reference-bandwidth 10000
D. auto-cost 10000

Answer: A

OSPF Questions 3
https://www.digitaltut.com/ospf-questions-3-2

Question 1

Which are new LSA types in OSPF for IPv6 (OSPFv3)? (Choose two)

A. LSA Type 8
B. LSA Type 9
C. LSA Type 10
D. LSA Type 12

Answer: A B

Explanation

LSAs Type 8 (Link LSA) have link-local flooding scope. A router originates a separate link-
LSA for each attached link that supports two or more (including the originating router itself)
routers. Link-LSAs should not be originated for virtual links.

Link-LSAs have three purposes:

1. They provide the router's link-local address to all other routers attached to the link.
2. They inform other routers attached to the link of a list of IPv6 prefixes to associate with
the link.
3. They allow the router to advertise a collection of Options bits in the network-LSA
originated by the Designated Router on a broadcast or NBMA link.

LSAs Type 9 (Intra-Area Prefix LSA) have area flooding scope. An intra-area-prefix-LSA
has one of two functions:
1. It either associates a list of IPv6 address prefixes with a transit network link by referencing
a network-LSA…
2. Or associates a list of IPv6 address prefixes with a router by referencing a router-LSA. A
stub link's prefixes are associated with its attached router.

LSA Type 9 breaks free of LSA Type 1 and LSA Type 2, which were used in IPv4
OSPF to advertise the prefixes inside the areas, giving us a change in the way the OSPF SPF
algorithm is run.

Reference (and for more information): http://packetpushers.net/a-look-at-the-new-lsa-types-
in-ospfv3-with-vyatta-and-cisco/

Question 2

If routers in a single area are configured with the same priority value, what value does a
router use for the OSPF Router ID in the absence of a loopback interface?

A. The lowest IP address of any physical interface
B. The highest IP address of any physical interface
C. The lowest IP address of any logical interface
D. The highest IP address of any logical interface

Answer: B

Question 3

You get a call from a network administrator who tells you that he typed the following into his
router:
Router(config)#router ospf 1
Router(config-router)#network 10.0.0.0 255.0.0.0 area 0

He tells you he still can't see any routes in the routing table. What configuration error did the
administrator make?

A. The wildcard mask is incorrect
B. The OSPF area is wrong
C. The OSPF process ID is incorrect
D. The AS configuration is wrong

Answer: A

Explanation

The wildcard mask should be 0.0.0.255 instead of the subnet mask 255.0.0.0.
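As an added example that is not part of the original page, the Python below reproduces how IOS matches interface addresses against the address and wildcard mask of a "network" statement, so you can see why a subnet mask typed in the wildcard position selects no interfaces. It also goes beyond the question by showing the wildcard that the same subnet mask would invert to. The interface addresses are constructed, and the function names (subnet_to_wildcard, enabled_interfaces) are chosen here; they are not IOS features.

```python
# Added example, not from the original page: IOS "network <address> <wildcard>"
# matching for OSPF.  A wildcard bit of 1 means "don't care"; a bit of 0 means
# the interface address must equal the statement address in that position.
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def subnet_to_wildcard(mask: str) -> str:
    """Invert a subnet mask to obtain the equivalent wildcard mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ to_int(mask)))


def network_statement_matches(network: str, wildcard: str, iface_addr: str) -> bool:
    """True if an interface with iface_addr is selected by 'network <network> <wildcard>'."""
    care = 0xFFFFFFFF ^ to_int(wildcard)  # bit positions that must match
    return (to_int(network) & care) == (to_int(iface_addr) & care)


def enabled_interfaces(network: str, wildcard: str, iface_addrs) -> list:
    """Interfaces OSPF would be enabled on by a single network statement."""
    return [a for a in iface_addrs if network_statement_matches(network, wildcard, a)]


# Constructed interface addresses for the router in the question (hypothetical).
INTERFACES = ["10.0.0.1", "10.1.1.1", "10.20.30.40", "192.168.1.1"]

if __name__ == "__main__":
    # What the administrator typed: the subnet mask in the wildcard position.
    # Only the last three octets are compared, so nothing but x.0.0.0 matches.
    print("typed 255.0.0.0:", enabled_interfaces("10.0.0.0", "255.0.0.0", INTERFACES))
    # A /24 wildcard selects only the 10.0.0.x interface.
    print("wildcard 0.0.0.255:", enabled_interfaces("10.0.0.0", "0.0.0.255", INTERFACES))
    # The true inverse of 255.0.0.0 selects every 10.x.x.x interface.
    wc = subnet_to_wildcard("255.0.0.0")
    print("wildcard", wc + ":", enabled_interfaces("10.0.0.0", wc, INTERFACES))
```

The matching rule is the same one IOS applies to access-list wildcards, which is why a "network" statement with the wrong mask fails silently: the process is running, but no interface is covered, so no Hellos are sent and no routes appear.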

Question 4

Which types of OSPF router can aggregate routes? (Choose two)

A. the ABR
B. the ASBR
C. Backbone Router
D. Intra Router

Answer: A B

Explanation

Route aggregation can be performed on the border routers to reduce the LSAs advertised to
other areas. Route aggregation can also minimize the influences caused by the topology
changes.

Question 5

Which two OSPF network types can operate without a DR/BDR relationship? (Choose two)

A. Point-to-multipoint
B. Point-to-point
C. nonbroadcast
D. nonbroadcast multi-access
E. broadcast

Answer: A B

Question 6

If you want to migrate an IS-IS network to another routing protocol, which routing protocols
should you choose? (Choose two)

A. UDP
B. internal BGP
C. TCP/IP
D. EIGRP
E. OSPF
F. RIP

Answer: (maybe) D E

Explanation

IS-IS is an interior gateway protocol (IGP), the same as EIGRP and OSPF, so maybe they are the
best answers. Although RIP is not a wrong choice, it is not widely used because of its many
limitations (only 15 hops, long convergence time…).

Question 7

If you configure one router in your network with the auto-cost reference-bandwidth 100
command, which effect on the data path is true?

A. The data path remains the same for all links
B. The data path changes for 10Mbps links only
C. The data path changes for all links
D. The data path changes for 10Gbps links only

Answer: C

Explanation

This command affects all the OSPF costs on the local router as all links are recalculated with the
formula: cost = reference-bandwidth (in Mbps) / interface bandwidth

Note: The default reference bandwidth for OSPF is 10^8 bps or 100 Mbps, so "auto-cost
reference-bandwidth 100" is in fact the default value, so answer A may be a correct answer.
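The cost formula above, worked through for a router with Fast Ethernet, Gigabit and 10-Gigabit interfaces, as an added example that is not part of the original page. It serves both Question 10 of the previous OSPF section (why "auto-cost reference-bandwidth 10000" is needed on a router with 1 Gbps and 10 Gbps links) and Question 7 here (why a reference of 100 changes nothing). The interface set and the helper names are constructed for the example; the integer truncation and the 1..65535 range follow IOS behaviour.

```python
# Added example, not from the original page: OSPF interface cost as IOS derives
# it from "auto-cost reference-bandwidth".  Interface bandwidths are in kbps,
# the unit IOS reports; the interface set below is constructed.

DEFAULT_REFERENCE_MBPS = 100   # IOS default reference bandwidth (10^8 bps)
MAX_COST = 65535               # OSPF interface cost is a 16-bit field


def ospf_cost(interface_bw_kbps: int, reference_mbps: int = DEFAULT_REFERENCE_MBPS) -> int:
    """cost = reference bandwidth / interface bandwidth, truncated to an
    integer and clamped to 1..65535 as IOS does."""
    cost = (reference_mbps * 1000) // interface_bw_kbps
    return min(max(cost, 1), MAX_COST)


def cost_table(interfaces: dict, reference_mbps: int = DEFAULT_REFERENCE_MBPS) -> dict:
    """Cost of every interface under one reference bandwidth."""
    return {name: ospf_cost(bw, reference_mbps) for name, bw in interfaces.items()}


def distinguishes_bandwidths(interfaces: dict, reference_mbps: int) -> bool:
    """True when every distinct bandwidth maps to a distinct cost, i.e. the
    reference is large enough for SPF to prefer the faster links."""
    costs = cost_table(interfaces, reference_mbps)
    return len(set(costs.values())) == len(set(interfaces.values()))


# Constructed router: Fast Ethernet, Gigabit and 10-Gigabit interfaces (kbps).
IFACES = {"Fa0/0": 100_000, "Gi0/1": 1_000_000, "Te1/1": 10_000_000}

if __name__ == "__main__":
    # Under the default reference every link from 100 Mbps up costs 1, so SPF
    # treats a 10 Gbps path and a 100 Mbps path as equal.
    for ref in (DEFAULT_REFERENCE_MBPS, 1000, 10000):
        print(f"reference {ref} Mbps: {cost_table(IFACES, ref)} "
              f"distinct={distinguishes_bandwidths(IFACES, ref)}")
```

Because the reference bandwidth only changes the local router's view, run the same "auto-cost reference-bandwidth" value on every router in the domain; a mismatch makes the two ends of a link disagree about its cost.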

Question 8

Refer to the exhibit. In the network diagram, Area 1 is defined as a stub area. Because
redistribution is not allowed in the stub area, EIGRP routes cannot be propagated into the
OSPF domain. How does defining area 1 as a not-so-stubby area (NSSA) make it possible to
inject EIGRP routes into the OSPF NSSA domain?

A. by creating type 5 LSAs
B. by creating type 7 LSAs
C. by creating a link between the EIGRP domain and the RIP domain, and redistributing
EIGRP into RIP
D. by manually changing the routing metric of EIGRP so that it matches the routing metric of
OSPF

Answer: B

Explanation

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area
(NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it
leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA.
Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to
the ASBR.

Question 9

Which two routers can do OSPF route summarization? (Choose two)

A. ABR
B. ASBR
C. Summary router
D. Internal router
E. Backbone router

Answer: A B

EIGRP Questions
https://www.digitaltut.com/eigrp-questions

Question 1

A network engineer is considering enabling load balancing with EIGRP. Which consideration
should be analyzed?

A. EIGRP allows a maximum of four paths across for load balancing traffic.
B. By default, EIGRP uses a default variance of 2 for load balancing.
C. EIGRP unequal path load balancing can result in routing loops.
D. By default, EIGRP performs equal cost load balancing at least across four equal cost
paths.

Answer: D

Explanation

By default, EIGRP load-shares over four equal-cost paths. EIGRP also supports unequal-cost
load balancing via the "variance" command.

Question 2

A router receives a routing advertisement for the same prefix and subnet from four different
routing protocols. Which advertisement is installed in the routing table?

A. RIP
B. OSPF
C. iBGP
D. EIGRP

Answer: D

Explanation

The table below lists the default administrative distance values of popular routing protocols:

Routing Protocol: Default Administrative Distance
+ EIGRP: 90
+ OSPF: 110
+ RIP: 120
+ eBGP: 20
+ iBGP: 200
+ Connected interface: 0
+ Static route: 1

Question 3

Other than a working EIGRP configuration, which option must be the same on all routers for
EIGRP authentication key rollover to work correctly?

A. SMTP
B. SNMP
C. Passwords
D. Time

Answer: D

Explanation

Requirements
+ The time must be properly configured on all routers.
+ A working EIGRP configuration is recommended.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-
routing-protocol-eigrp/82110-eigrp-authentication.html

Question 4

Which of the following parameters for EIGRP authentication need to match in order for EIGRP
neighbors to establish a neighbor relationship?

A. Autonomous System number.
B. K-Values
C. If authentication is used both: the key number, the password, and the date/time.
D. The neighbors must be on common subnet (all IGPs follow this rule).

Answer: C (maybe this question is missing something)

Explanation

The following list of parameters must match between EIGRP neighbors in order to
successfully establish neighbor relationships:

+ Autonomous System number.
+ K-Values.
+ If authentication is used: the key number, the password, and the date/time the
password is valid must match.
+ The neighbors must be on a common subnet (all IGPs follow this rule).

Question 5

EIGRP is implemented in a Frame Relay network but there is no adjacency. Which options
cause the adjacency to come up? (Choose two)

A. Disable split horizon
B. Neighbor command to configure it for a point to multipoint on the WAN interface
C. Create an static route pointing to the destination
D. EIGRP is not supported for Frame Relay

Answer: A B

Explanation

When EIGRP is configured in a point-to-multipoint Frame Relay network, the Hub can receive
routing updates sent from its Spoke routers, but the split horizon rule forbids the Hub from
relaying advertisements back out the interface on which they were received. For example, in
the topology below, the Hub can receive routing updates from two Spokes but cannot relay
them out of its S0/0 interface again (as it is the interface on which it received the updates).
To solve this problem we need to disable split horizon on the S0/0 interface of the Hub.

The command should be (suppose EIGRP 1 is running):

Hub(config)#interface serial0/0
Hub(config-if)#no ip split-horizon eigrp 1

Therefore answer A is correct.

In non-broadcast networks (such as Frame Relay), multicast (and broadcast) are not allowed,
while EIGRP (and OSPF, RIPv2) use multicast to send Hello and Update messages.
Therefore these dynamic routing protocols would not work well over Frame Relay. To
overcome this issue we usually add the keyword "broadcast" at the end of the frame-relay
map statement (for example, "frame-relay map ip 10.1.1.1 403 broadcast"). This makes
EIGRP send updates via unicast instead of multicast.

Another way to resolve the above issue is to use the "neighbor" command. This command also
makes EIGRP communicate with its neighbors via unicast -> B is correct.

Note: Although we can use the "neighbor" command to set up an EIGRP neighbor relationship,
the routes cannot be advertised from the Hub to the Spoke because of the split horizon rule.

Question 6

In a point-to-multipoint Frame Relay topology, which two methods ensure that all routing
updates are received by all EIGRP routers within the Frame Relay network? (Choose two)

A. Disable split horizon
B. Create separate address ranges
C. Use subinterface
D. Use statically defined EIGRP neighbor on the site
E. Disable EIGRP out summary

Answer: A C

Explanation

Although we can use the "neighbor" command to set up an EIGRP neighbor relationship, the
routes cannot be advertised from the Hub to the Spoke because of the split horizon rule ->
Answer D is not correct.

To overcome the split horizon rule we can use subinterfaces, as each subinterface is treated like
a separate physical interface, so routing updates can be advertised back from the Hub to the
Spokes. -> Answer C is correct.

Note: The split horizon rule states that routes will not be advertised back out the interface on
which they were received.

Question 7

What is EIGRP Summary Route Administrative Distance?

A. 90
B. 170
C. 5
D. 110

Answer: C

Explanation

The "ip summary-address eigrp" command is used to configure interface-level address
summarization. EIGRP summary routes are given an administrative distance value of 5. The
administrative distance metric is used to advertise a summary without installing it in the
routing table.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/command/reference/ire_book/ire_i1.
html

Question 8

Which authentication method does EIGRP use?

A. SHA
B. MD5
C. XDA
D. CHAP
E. Cisco

Answer: B

Question 9

Which two options are requirements for EIGRP authentication? (Choose two)

A. A crypto map must be configured.
B. The Authentication key must be configured under the interface running EIGRP.
C. The authentication key must be configured within the EIGRP routing configuration.
D. The authentication key IDs must match between two neighbors.
E. A separate key chain must be configured.
F. An IPsec profile must be configured.

Answer: B D

Explanation

An example of how to configure EIGRP authentication on two routers that are connected to
each other is shown below:

R1,R2(config)#key chain MYKEYS
R1,R2(config-keychain)#key 1
R1,R2(config-keychain-key)#key-string SecRetThing!
R1,R2(config-keychain-key)#exit
R1,R2(config-keychain)#exit

R1,R2(config)#interface serial 0/0
R1,R2(config-if)#ip authentication mode eigrp 10 md5
R1,R2(config-if)#ip authentication key-chain eigrp 10 MYKEYS

Question 10

Refer to the exhibit. Which option describes why the EIGRP neighbors of this router are not
learning routes that are received from OSPF?

router eigrp 1
redistribute ospf 100
network 10.10.10.0 0.0.0.255
auto-summary
!
router ospf 100
network 172.16.0.0 0.0.255.255 area 100
redistribute eigrp 1

A. The subnet defined in OSPF is not part of area 0
B. Default metrics are not configured under EIGRP
C. There is no overlap in the subnets advertised
D. The routing protocols do not have the same AS number

Answer: B

Explanation

When redistributing into RIP or EIGRP (and IGRP) we need to specify the metric, or the
redistributed routes would never be learned. In this case we need to configure it like this:

router eigrp 1
redistribute ospf 100 metric 10000 100 255 1 1500

Question 11

What is true about EIGRP's redistributed static routes and summarized routes? (Choose two)

A. summary routes have AD of 5
B. static redistributed routes have AD of 170

Answer: A B

EIGRP Questions 2
https://www.digitaltut.com/eigrp-questions-2-2

Question 1

A router was configured with the "eigrp stub" command. The router advertises which types
of routes?

A. connected, static, and summary
B. static and summary
C. connected and static
D. connected and summary

Answer: D

Explanation

The "eigrp stub" command is equivalent to the "eigrp stub connected summary" command
which advertises the connected routes and summarized routes.

Note: Summary routes can be created manually with the summary address command or
automatically at a major network border router with the auto-summary command enabled.

Question 2

An exhibit shows three routers with three loopback interfaces. One of them was configured as
an EIGRP stub; the question asks what appears in the other routers' routing tables.

A. Loopback of the stub router advertised
B. Loopback of the stub router was not advertised

Answer: A

Question 3

Refer to the exhibit.

The excerpt was taken from the routing table of router SATX. Which option ensures that
routes from 51.51.51.1 are preferred over routes from 52.52.52.2?

A. SATX(config-router)#distance 90 51.51.51.1 0.0.0.0
B. SATX(config-router)#distance 89.52.52.52.2 0.0.0.0
C. SATX(config-router)#distance 90.52.52.52.2 0.0.0.0
D. SATX(config-router)#administrative distance 91 51.51.51 0.0.0.0
E. SATX(config-router)#distance 89 51.51.51.1 0.0.0.0
F. SATX(config-router)#administrative distance 91 52.52.52.2 0.0.0.0

Answer: E

Explanation

The syntax of the "distance" command is:

distance {ip-address {wildcard-mask}} [ip-standard-list] [ip-extended-list]

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfindp1.html

Question 4

Which type of message does a device configured with the eigrp stub command send in
response to EIGRP queries?

A. invalid request
B. unavailable
C. stuck in active
D. stub-only
E. reject
F. inaccessible

Answer: F

Explanation

If an older version of code is deployed on the hub router, it will ignore the stub TLV and
continue to send QUERY packets to the stub router. However, the stub router will
immediately reply "inaccessible" to any QUERY packets, and will not continue to propagate
them. Thus, the solution is backward-compatible and does not necessarily require an upgrade
on the hub routers.

Reference:
http://www.cisco.com/en/US/technologies/tk648/tk365/technologies_white_paper0900aecd8
023df6f.html

Question 5

What command would you use to set EIGRP routes to be prioritized?

A. distance 100
B. distance 89
C. distance eigrp 100
D. distance eigrp 89

Answer: D

Question 6

Which of the conditions below form a neighbor relationship in EIGRP? (Choose three)

A. Hello or ACK received
B. AS number match
C. Hello timer match
D. Identical metric (k values)
E. Dead Timer Match
F. Network Time Match

Answer: A B D

Explanation

To become a neighbor, the following conditions must be met:

+ The router must hear a Hello packet from a neighbor.
+ The EIGRP autonomous system (AS) must be the same.
+ K-values must be the same.

Question 7

Which item does EIGRP IPv6 require before it can start running?

A. router ID
B. DHCP server
C. subnet mask
D. default gateway

Answer: A

Question 8

Where are EIGRP successor routes stored?

A. In the routing table only
B. In the neighbor table only
C. In the topology table only
D. In the routing table and the topology table
E. In the routing table and the neighbor table

Answer: D

Question 9

You need the IP address of the devices with which the router has established an adjacency.
Also, the retransmit interval and the queue counts for the adjacent routers need to be checked.
What command will display the required information?

A. show ip eigrp adjacency
B. show ip eigrp topology
C. show ip eigrp interfaces
D. show ip eigrp neighbor

Answer: D

Explanation

Below is an example of the "show ip eigrp neighbors" output.

Let's analyze these columns:

+ H: lists the neighbors in the order in which this router learned them
+ Address: the IP address of the neighbor
+ Interface: the interface of the local router on which the neighbor's Hello packets are received
+ Hold (sec): the amount of time left before the neighbor is declared "down"
+ Uptime: the amount of time since the adjacency was established
+ SRTT (Smooth Round-Trip Time): the average time in milliseconds between the
transmission of a packet to a neighbor and the receipt of an acknowledgement
+ RTO (Retransmission Timeout): if a multicast has failed, a unicast is sent to that
particular neighbor; the RTO is the time in milliseconds that the router waits for an
acknowledgement of that unicast before retransmitting
+ Queue count (Q Cnt): the number of EIGRP packets waiting to be sent to this neighbor. It is
usually 0; a value that stays above 0 means the neighbor is not acknowledging our packets
+ Sequence Number (Seq Num): the sequence number of the last update EIGRP packet
received. Each update message is given a sequence number, and the received ACK should
have the same sequence number. The next update message to that neighbor will use Seq Num
+ 1.

In this question we have to check the RTO and Q Cnt fields.
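As an added example (not part of the original page), the following Python parser reads the neighbor table described above and pulls out the RTO and Q Cnt fields the question is about. The sample output inside it is constructed to follow the IOS column layout, not captured from a device, and the thresholds used to flag a neighbor are assumptions for the demonstration:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output (not captured from a real device). The layout follows
# the IOS "show ip eigrp neighbors" columns: H, Address, Interface, Hold, Uptime,
# SRTT, RTO, Q Cnt, Seq Num.
SAMPLE_OUTPUT = """\
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.1.1.2                Gi0/1                    13 00:05:12   40   240  0  15
0   10.1.2.2                Gi0/2                    10 01:12:33 1200  5000  3  87
"""


@dataclass
class EigrpNeighbor:
    handle: int        # H: order in which the neighbor was learned
    address: str       # neighbor IP address
    interface: str     # local interface the Hellos arrive on
    hold_sec: int      # seconds left before the neighbor is declared down
    uptime: str        # time since the adjacency formed (as printed by IOS)
    srtt_ms: int       # smooth round-trip time
    rto_ms: int        # retransmission timeout for unicast retries
    q_cnt: int         # packets queued for this neighbor (normally 0)
    seq_num: int       # sequence number of the last update received


# One data row: nine whitespace-separated fields, all numeric except the address,
# the interface and the uptime (IOS prints uptime as hh:mm:ss or e.g. 1d02h).
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_eigrp_neighbors(text: str) -> List[EigrpNeighbor]:
    """Parse 'show ip eigrp neighbors' output; header lines are skipped."""
    neighbors = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column header and the "(sec) ... (ms)" row
        h, addr, intf, hold, up, srtt, rto, q, seq = m.groups()
        neighbors.append(EigrpNeighbor(int(h), addr, intf, int(hold), up,
                                       int(srtt), int(rto), int(q), int(seq)))
    return neighbors


def unhealthy_neighbors(neighbors: List[EigrpNeighbor],
                        max_q_cnt: int = 0, max_rto_ms: int = 3000) -> List[EigrpNeighbor]:
    """Neighbors whose queue count or RTO suggests acknowledgements are not
    coming back. The thresholds are assumptions for this example, not IOS defaults."""
    return [n for n in neighbors if n.q_cnt > max_q_cnt or n.rto_ms > max_rto_ms]


if __name__ == "__main__":
    for n in unhealthy_neighbors(parse_eigrp_neighbors(SAMPLE_OUTPUT)):
        print(f"{n.address} via {n.interface}: Q Cnt={n.q_cnt} RTO={n.rto_ms} ms")
```

A neighbor whose Q Cnt stays above zero while its RTO climbs toward the 5000 ms ceiling is not acknowledging our packets; that is the pattern to look for when an adjacency is up but routes are not converging.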

Question 10

What is used in EIGRP metric calculation?

A. maximum delay
B. minimum delay
C. average delay
D. minimum interface bandwidth

Answer: D

Explanation

By default, EIGRP uses only the bandwidth and delay parameters to calculate the metric
(K1 = K3 = 1 and K2 = K4 = K5 = 0, so metric = bandwidth + delay). In particular, EIGRP uses
the slowest bandwidth (in kbps) among the outgoing interfaces along the route and the sum of
their delays (in microseconds, taken in units of ten) to calculate the metric as follows:

metric = 256 x (10^7 / minimum bandwidth + cumulative delay / 10)

For an example of how EIGRP calculates the metric, please read our EIGRP tutorial (part 3).
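As an added example that is not part of the original page or of the tutorial it refers to, here is the formula carried through in Python, including the K2, K4 and K5 terms that are zero by default. The two paths at the bottom use constructed but typical interface values (a T1 serial link and a Fast Ethernet segment):

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Hop:
    """One outgoing interface along the path, in the units 'show interfaces'
    prints: BW in kbit/s, DLY in microseconds, reliability and load out of 255."""
    bandwidth_kbps: int
    delay_usec: int
    reliability: int = 255   # 255/255 = fully reliable
    load: int = 1            # 1/255 = idle


def eigrp_metric(path: Iterable[Hop], k1: int = 1, k2: int = 0, k3: int = 1,
                 k4: int = 0, k5: int = 0) -> int:
    """Classic (non-wide) EIGRP composite metric for a path of interfaces.

    Bandwidth is the slowest link (10^7 / min kbps, truncated), delay is the
    sum along the path in tens of microseconds, load is the worst hop and
    reliability the weakest hop. The result is scaled by 256 as IOS does.
    With the default K values this reduces to 256 * (bandwidth + delay)."""
    hops = list(path)
    if not hops:
        raise ValueError("a path needs at least one hop")
    bandwidth = 10_000_000 // min(h.bandwidth_kbps for h in hops)
    delay = sum(h.delay_usec for h in hops) // 10
    load = max(h.load for h in hops)
    reliability = min(h.reliability for h in hops)

    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:  # the reliability term only participates when K5 is non-zero
        metric = (metric * k5) // (reliability + k4)
    return metric * 256


# Constructed example: a route that leaves via a T1 serial link (1544 kbps,
# 20000 usec) to reach a network on a remote Fast Ethernet (100000 kbps, 100 usec).
T1_THEN_FASTETHERNET = [Hop(1544, 20_000), Hop(100_000, 100)]

if __name__ == "__main__":
    print(eigrp_metric([Hop(100_000, 100)]))    # directly connected Fast Ethernet
    print(eigrp_metric(T1_THEN_FASTETHERNET))   # the same network one T1 hop away
```

Changing the bandwidth or delay on a single interface changes the metric of every route that uses it, which is why "delay" is the safer knob for traffic engineering: the interface bandwidth value also feeds QoS calculations and SNMP utilisation statistics.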

Question 11

Which two among the following are used to indicate external type of route in routing table?
(Choose two)

A. D EX
B. IA
C. E2
D. R E2
E. i L2

Answer: A C

Question 12
Which command will display all the EIGRP feasible successor routes known to a router?

A. show ip routes
B. show ip eigrp summary
C. show ip eigrp topology
D. show ip eigrp adjacencies

Answer: C

Distribute List
https://www.digitaltut.com/distribute-list

Question 1

Refer to the exhibit.

Which one statement is true?

A. Traffic from the 172.16.0.0/16 network will be blocked by the ACL.
B. The 10.0.0.0/8 network will not be advertised by Router B because the network statement
for the 10.0.0.0/8 network is missing from Router B.
C. The 10.0.0.0/8 network will not be in the routing table on Router B.
D. Users on the 10.0.0.0/8 network can successfully ping users on the 192.168.5.0/24
network, but users on the 192.168.5.0/24 cannot successfully ping users on the 10.0.0.0/8
network.
E. Router B will not advertise the 10.0.0.0/8 network because it is blocked by the ACL.

Answer: E

Question 2
Refer to the exhibit
access-list 1 permit 1.0.0.0 0.255.255.255
access-list 2 permit 1.2.3.0 0.0.0.255
!
router rip

Which command only announces the 1.2.3.0/24 network out of FastEthernet0/0?

A. distribute list 1 out
B. distribute list 1 out FastEthernet0/0
C. distribute list 2 out
D. distribute list 2 out FastEthernet0/0

Answer: D

Explanation

A distribute list is used to filter routing updates either coming into or leaving from our router.
In this case, the "out" keyword specifies that we want to filter routing updates leaving our
router, and naming FastEthernet0/0 limits the filter to that interface. Access-list 2 permits only
the 1.2.3.0/24 network, so only that route is announced (notice that every access-list has an
implicit "deny all" at the end, so anything not explicitly permitted is suppressed).
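As an added example (not from the original page), this Python model applies the two access-lists in the exhibit to a constructed list of routes using Cisco wildcard-mask semantics, including the implicit deny at the end of each list:

```python
import ipaddress
from typing import List, Tuple

# A standard ACL entry: (action, address, wildcard). When a standard ACL is used
# in a distribute-list it is compared with the route's network address only; the
# prefix length of the route is never examined.
Ace = Tuple[str, str, str]

ACL_1: List[Ace] = [("permit", "1.0.0.0", "0.255.255.255")]  # access-list 1 from the exhibit
ACL_2: List[Ace] = [("permit", "1.2.3.0", "0.0.0.255")]      # access-list 2 from the exhibit


def wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the entry's bit."""
    a = int(ipaddress.IPv4Address(address))
    e = int(ipaddress.IPv4Address(ace_address))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ((a ^ e) & care) == 0


def acl_permits(acl: List[Ace], address: str) -> bool:
    """First matching entry wins; the implicit 'deny any' catches the rest."""
    for action, ace_address, wildcard in acl:
        if wildcard_match(address, ace_address, wildcard):
            return action == "permit"
    return False


def distribute_list_out(acl: List[Ace], routes: List[str]) -> List[str]:
    """Routes that survive 'distribute-list <acl> out' on an interface."""
    return [r for r in routes
            if acl_permits(acl, str(ipaddress.IPv4Network(r).network_address))]


# Constructed routing table for the demonstration.
ROUTES = ["1.0.0.0/8", "1.2.3.0/24", "1.2.3.128/25", "1.2.4.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    print("distribute-list 1 out:", distribute_list_out(ACL_1, ROUTES))
    print("distribute-list 2 out:", distribute_list_out(ACL_2, ROUTES))
```

Note that access-list 2 also lets 1.2.3.128/25 through, because a standard ACL cannot see the route's mask. When the filter must be exact on prefix length, use "distribute-list prefix <name> out" with an ip prefix-list instead.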

Question 3

Which command prevents routers from sending routing updates through a router interface?

A. default-metric 0
B. distribute-list in
C. passive-interface
D. distribute-list out

Answer: C

Explanation

To prevent routing updates through a specified interface, use the passive-interface type
number command in router configuration mode.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3s/iri-xe-3s-book/iri-default-passive-interface.html

Policy Based Routing
https://www.digitaltut.com/policy-based-routing
Question 1

Which statement about local policy routing is true?

A. It is used to policy route packets that are generated by the device.
B. It requires all packets to be packet switched.
C. It is used to policy route packets that pass through the device.
D. It requires all packets to be CEF switched.
E. It supports IPv4 packets only.
F. It requires an ip address or access list as the matching criteria.

Answer: A

Explanation

Normal policy based routing (PBR) is used to route packets that pass through the device.
Packets that are generated by the router itself are not normally policy-routed. To control
these packets, local PBR should be used, for example: Router(config)# ip local policy route-map
map-tag (compared with normal PBR, which is applied per interface: Router(config-if)# ip policy
route-map map-tag).

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

Question 2

When policy-based routing (PBR) is being configured, which three criteria can the set
command specify? (Choose three)

A. all interfaces through which the packets can be routed
B. all interfaces in the path toward the destination
C. adjacent next hop router in the path toward the destination
D. all routers in the path toward the destination
E. all networks in the path toward the destination
F. type of service and precedence in the IP packets

Answer: A C F

Explanation

The set command specifies the action(s) to take on the packets that match the criteria. You
can specify any or all of the following:

* precedence: Sets precedence value in the IP header. You can specify either the precedence
number or name.
* df: Sets the "Don't Fragment" (DF) bit in the IP header.
* vrf: Sets the VPN Routing and Forwarding (VRF) instance.
* next-hop: Sets next hop to which to route the packet.
* next-hop recursive: Sets next hop to which to route the packet if the hop is to a router which
is not adjacent.
* interface: Sets output interface for the packet.
* default next-hop: Sets next hop to which to route the packet if there is no explicit route for
this destination.
* default interface: Sets output interface for the packet if there is no explicit route for this
destination.

(Reference: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html)

Question 3

Refer to the exhibit. Which command would verify if PBR reacts to packets sourced from
172.16.0.0/16?
A. show ip route
B. show policy-map
C. show access-lists
D. show route-map

Answer: D

Explanation

The "show route-map <route-map name>" command displays the policy routing match counts, so
we can learn whether PBR is reacting to packets sourced from 172.16.0.0/16 or not.

Question 4

Refer to the exhibit. Based upon the configuration, you need to understand why the policy
routing match counts are not increasing. Which would be the first logical step to take?
A. Confirm if there are other problematic route-map statements that precede divert.
B. Check the access list for log hits.
C. Check the routing table for 212.50.185.126.
D. Remove any two of the set clauses. (Multiple set clause entries will cause PBR to use the
routing table.)

Answer: B

Explanation

First we should check the access-list log. If the hit count does not increase, then no packets are
matching the access-list, so the policy based routing match counts will not increase either.

BGP Questions
https://www.digitaltut.com/bgp-questions

Question 1

Which type of BGP AS number is 64591?

A. a private AS number
B. a public AS number
C. a private 4-byte AS number
D. a public 4-byte AS number

Answer: A

Explanation

Private autonomous system (AS) numbers, which range from 64512 to 65535, are used to
conserve globally unique AS numbers. Globally unique AS numbers (1 to 64511) are assigned
by IANA through the regional Internet registries (historically by InterNIC). These private AS
numbers must not be leaked to a global Border Gateway Protocol (BGP) table because they are
not unique (BGP best path calculation expects unique AS numbers); on the border router the
"neighbor <address> remove-private-as" command strips them from the AS_PATH of updates
sent to an eBGP peer. Note that RFC 6996 designates 64512 to 65534 as private (65535 is
reserved by RFC 7300) and also defines a private 4-byte range, 4200000000 to 4294967294.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13756-32.html

Question 2

A network administrator notices that the BGP state drops and logs are generated for missing
BGP hello keepalives. What is the potential problem?
A. Incorrect neighbor options
B. Hello timer mismatch
C. BGP path MTU enabled
D. MTU mismatch

Answer: D

Explanation

If the MTUs on the two sides of a BGP session are mismatched, the BGP neighbors may flap: the
BGP state drops and the logs report missing BGP hello keepalives, or the other peer terminates
the session. The usual mechanism is that small KEEPALIVE and OPEN packets pass while the
large UPDATE packets (sized by path MTU discovery) are dropped, so the session reaches
Established and is then torn down when the hold timer expires.

For more information about MTU mismatched between BGP neighbors please read:
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/116377-troubleshoot-bgp-mtu.html

Question 3

What is the administrative distance for EBGP?

A. 200
B. 30
C. 70
D. 20

Answer: D

Explanation

Notice that the Administrative Distance (AD) of External BGP (eBGP) is 20 while the AD of
internal BGP (iBGP) is 200.

Question 4

Valid range for BGP private ASNs?

A. 64512-65535
B. 1-64000
C. 64512-65534

Answer: A

Explanation
Private autonomous system (AS) numbers, which range from 64512 to 65535, are used to
conserve globally unique AS numbers. These private AS numbers must not be leaked to a global
BGP table because they are not unique.

Question 5

Which two BGP neighbor states are valid? (Choose two)

A. Established
B. Active
C. Stuck in active
D. 2-WAY
E. Unknown
F. DROTHER

Answer: A B

Explanation

BGP Neighbor states are: Idle – Connect – Active – Open Sent – Open Confirm – Established

Question 6

Which TCP port for BGP?

A. port 179
B. port 197
C. port 180
D. port 178

Answer: A

Explanation

BGP peers are established by manual configuration between routing devices to create a TCP
session on (destination) port 179.

Question 7

What are two BGP neighborship states? (Choose two)

A. Connect
B. Open Sent
C. Open
D. Passive
Answer: A B

Explanation

Below is the list of BGP states in order, from startup to peering:

1 – Idle: the initial state of a BGP connection. In this state, the BGP speaker is waiting for a
BGP start event, generally either the establishment of a TCP connection or the re-
establishment of a previous connection. Once the connection is established, BGP moves to
the next state.
2 – Connect: In this state, BGP is waiting for the TCP connection to be formed. If the TCP
connection completes, BGP will move to the OpenSent state; if the connection cannot
complete, BGP goes to Active.
3 – Active: In the Active state, the BGP speaker is attempting to initiate a TCP session with
the BGP speaker it wants to peer with. If this can be done, the BGP state goes to OpenSent.
A neighbor that stays in Active (or flaps between Connect and Active) has a TCP-level problem:
no route to the peer, a filtered port 179, or a misconfigured neighbor address.
4 – OpenSent: the BGP speaker is waiting to receive an OPEN message from the remote
BGP speaker
5 – OpenConfirm: Once the BGP speaker receives the OPEN message and no error is
detected, the BGP speaker sends a KEEPALIVE message to the remote BGP speaker
6 – Established: All of the neighbor negotiations are complete. You will see a number (2 in
this case), which tells us the number of prefixes the router has received from a neighbor or
peer group.

Question 8

What attribute is used to influence traffic from AS200 and AS300 so that it uses the link to
reach AS100?

A. MED
B. AS_path
C. weight
D. local preference

Answer: A

Question 9

To enable BGP tunneling over an IPv4 backbone, the IPv4 address 192.168.30.1 is converted
into a valid IPv6 address. Which three IPv6 addresses are acceptable formats for the IPv4
address? (Choose three)

A. 192.168.30.1:0:0:0:0:0:0
B. 0:0:0:0:0:0:192.168.30.1
C. ::192.168.30.1
D. C0A8:1E01::
E. 192.168.30.1::
F. ::C0A8:1E01

Answer: B C F
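The three correct options are the same 128-bit value written in three notations: the high-order 96 bits are zero and the IPv4 address occupies the low-order 32 bits, whether it is spelled as a dotted-decimal tail (::192.168.30.1), as hex (::C0A8:1E01) or without zero compression. As an added example that is not part of the original page, the following Python code checks each option with the standard library. Note that IPv4-compatible IPv6 addresses and the automatic tunnels that used them are deprecated (RFC 4291, section 2.5.5.1), so this is for interpreting existing configurations rather than for new designs:

```python
import ipaddress
from typing import List, Optional


def ipv4_compatible_ipv6(ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low-order 32 bits of an otherwise all-zero
    IPv6 address: the ::a.b.c.d form used for automatic IPv4-compatible tunnels."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4)))


def embedded_ipv4(text: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried by an IPv4-compatible IPv6 address written
    in any legal notation (dotted-decimal tail, hex, compressed or full), or None
    if the text is not valid IPv6 or its high-order 96 bits are not zero."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError:
        return None   # e.g. "192.168.30.1::" puts the IPv4 part where only hextets may appear
    if int(addr) >> 32 != 0:
        return None   # e.g. "C0A8:1E01::" is a different address entirely
    return ipaddress.IPv4Address(int(addr))


def accepted_forms(ipv4: str, candidates: List[str]) -> List[str]:
    """Which of the candidate strings denote the IPv4-compatible form of ipv4."""
    want = ipaddress.IPv4Address(ipv4)
    return [c for c in candidates if embedded_ipv4(c) == want]


# The six options from the question, in order.
CANDIDATES = [
    "192.168.30.1:0:0:0:0:0:0",
    "0:0:0:0:0:0:192.168.30.1",
    "::192.168.30.1",
    "C0A8:1E01::",
    "192.168.30.1::",
    "::C0A8:1E01",
]

if __name__ == "__main__":
    print(ipv4_compatible_ipv6("192.168.30.1"))      # ::c0a8:1e01
    print(accepted_forms("192.168.30.1", CANDIDATES))
```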

Question 10

What is true about peer groups? (Choose two)

A. Optimize backdoor routes
B. If you change the configuration, it affects all peers in the group
C. Peer groups can send soft updates to all
D. Updates can be sent with multicast

Answer: B C

Redistribution Questions
https://www.digitaltut.com/redistribution-questions

Question 1

What is the function of the command "redistribute ospf 1 match internal"?

A. means that only intra-area and inter-area (internal) routes will be redistributed
B. means routes that match the "internal" route-map will be redistributed
C. all routes except internal routes will be redistributed

Answer: A

Question 2

Redistributing BGP into OSPF what statement is correct? (there is a graphic of redistributing
BGP into OSPF with a route-map)
route-map deny 10
match ip address 10
route-map permit 20
access-list 10 permit 172.16.0.0 0.0.0.255

A. 172.16.0.0/24 will NOT be redistributed into OSPF
B. 172.16.0.0/24 will be redistributed into OSPF
C. Routes permitted by ACL 10 will be redistributed
D. All routes will be filtered

Answer: A

Question 3

Which is an invalid option when redistributing from EIGRP into OSPF?

A. ACL
B. tag
C. metric
D. route map

Answer: A

DHCP & DHCPv6 Questions
https://www.digitaltut.com/dhcp-dhcpv6-questions

Question 1

Which DHCP option provides a TFTP server that Cisco phones can use to download a
configuration?

A. DHCP Option 66
B. DHCP Option 68
C. DHCP Option 82
D. DHCP Option 57

Answer: A

Explanation

DHCP options 3, 66, and 150 are used to configure Cisco IP Phones. Cisco IP Phones
download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does
not have both the IP address and TFTP server IP address preconfigured, it sends a request
with option 150 or 66 to the DHCP server to obtain this information.
+ DHCP option 150 provides the IP addresses of a list of TFTP servers.
+ DHCP option 66 gives the IP address or the hostname of a single TFTP server.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/basic_dhcp.pdf

Question 2

Which three options are valid DHCPv6 functions? (Choose three)

A. Server
B. Client
C. Approver
D. Requester
E. ACK
F. Relay

Answer: A B F

Explanation

Most vendors' routers/switches have the ability to function as:

+ A DHCP client and obtain an interface IP address from an upstream DHCP service
+ A DHCP relay and forward UDP DHCP messages from clients on a LAN to and from a
DHCP server
+ A DHCP server whereby the router/switch services DHCP requests directly

Question 3

After testing various dynamic IPv6 address assignment methods, an engineer decides that
more control is needed when distributing addresses to clients. Which two advantages does
DHCPv6 have over EUI-64 (Choose two)

A. DHCPv6 requires less planning and configuration than EUI-64 requires.
B. DHCPv6 allows for additional parameters to be sent to the client, such as the domain name
and DNS server.
C. DHCPv6 provides tighter control over the IPv6 addresses that are distributed to clients.
D. DHCPv6 does not require the configuration of prefix pools.
E. DHCPv6 does not require neighbor and router discovery on the network segment.

Answer: B C

Explanation

Extended Unique Identifier (EUI) allows a host to assign itself a unique 64-bit IPv6 interface
identifier (EUI-64). This feature is a key benefit over IPv4 as it eliminates the need for manual
configuration or DHCP as in the world of IPv4. The IPv6 EUI-64 interface identifier is derived
from the 48-bit MAC address. The MAC address is first split into two 24-bit halves, one being
the OUI (Organizationally Unique Identifier) and the other being NIC specific. The 16-bit value
0xFFFE is then inserted between these two halves to form the 64-bit identifier, and the seventh
bit of the first octet (the universal/local bit) is inverted. IEEE has chosen FFFE as a reserved
value which can only appear in an EUI-64 generated from an EUI-48 MAC address. Because the
MAC address is embedded in the resulting IPv6 address, an EUI-64 host can be tracked across
networks, which is one more reason to prefer DHCPv6 (or stable opaque or privacy identifiers,
RFC 7217 and RFC 4941) when control over addressing matters.
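As an added example (not part of the original page), the following Python code performs the modified EUI-64 derivation described above and, to make the privacy point concrete, recovers the MAC address back out of the resulting IPv6 address. The prefix and MAC used at the bottom are constructed values (a documentation prefix and an arbitrary MAC):

```python
import ipaddress
from typing import Optional


def _mac_bytes(mac: str) -> bytes:
    """Accept 00:0c:29:c2:52:ff, 00-0c-29-c2-52-ff or Cisco's 000c.29c2.52ff."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A): split the MAC
    into its 24-bit OUI and 24-bit NIC halves, insert FFFE between them, and
    invert the universal/local bit (bit 7 of the first octet)."""
    m = _mac_bytes(mac)
    eui = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier, as
    'ipv6 address <prefix>/64 eui-64' does on an IOS interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None if the interface
    identifier was not built that way. This reversibility is the tracking problem."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    # Constructed values: a documentation prefix and an arbitrary MAC.
    addr = eui64_address("2001:db8:0:1::/64", "00:0c:29:c2:52:ff")
    print(addr)                  # 2001:db8:0:1:20c:29ff:fec2:52ff
    print(mac_from_eui64(str(addr)))
```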

Question 4

Got a diagram and asked how to configure ipv6 dhcp relay

A. DHCPv6 server facing interface:
ipv6 address autoconfig
ipv6 enable
exit
In clients facing interface
ipv6 address
ipv6 dhcp relay destination

B. DHCPv6 server facing interface:
ipv6 dhcp relay destination
ipv6 address
exit
In clients facing interface
ipv6 enable
ipv6 address autoconfig

Answer: A

Explanation

Please notice that the "ipv6 address autoconfig" command is configured on the DHCP relay agent
(not the DHCP server). A configuration example can be found at
https://community.cisco.com/t5/networking-documents/stateful-dhcpv6-relay-configuration-example/ta-p/3149338

Question 5

Which three configuration parameters can a DHCPv6 pool contain? (Choose three)

A. domain search list
B. router IP
C. default gateway
D. prefix delegation
E. DNS servers
F. subnet mask

Answer: A D E

Explanation

A DHCPv6 configuration information pool is a named entity that includes information about
available configuration parameters and policies that control assignment of the parameters to
clients from the pool. A pool is configured independently of the DHCPv6 service and is
associated with the DHCPv6 service through the command-line interface (CLI).
Each configuration pool can contain the following configuration parameters and operational
information:
– Prefix delegation information, which could include:
+ A prefix pool name and associated preferred and valid lifetimes
+ A list of available prefixes for a particular client and associated preferred and valid
lifetimes
– A list of IPv6 addresses of DNS servers
– A domain search list, which is a string containing domain names for DNS resolution

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-dhcp.html

This is how to configure a DHCPv6 pool:

ipv6 unicast-routing
ipv6 dhcp pool <pool name>
address prefix <address prefix> lifetime <valid lifetime> <preferred lifetime>
dns-server <DNS server address>
domain-name <domain name>

For example:

ipv6 dhcp pool test
address prefix 2010:AA01:10::/64 lifetime infinite infinite
dns-server AAAA:BBBB:10FE:100::15
dns-server 2010:AA01::15
domain-name example.com

Reference: https://supportforums.cisco.com/document/116221/part-1-implementing-dhcpv6-stateful-dhcpv6

So we can see DHCPv6 pool supports address prefix and domain search list, DNS servers.

Question 6

Consider this scenario. TCP traffic is blocked on port 547 between a DHCPv6 relay agent
and a DHCPv6 server that is configured for prefix delegation. Which two outcomes will
result when the relay agent is rebooted? (Choose two)

A. Routers will not obtain DHCPv6 prefixes.
B. DHCPv6 clients will be unreachable.
C. Hosts will not obtain DHCPv6 addresses.
D. The DHCPv6 relay agent will resume distributing addresses.
E. DHCPv6 address conflicts will occur on downstream clients.

Answer: A D

Explanation

Note: A DHCPv6 relay agent is used to relay (forward) messages between the DHCPv6 client
and server.

Servers and relay agents listen for DHCP messages on UDP port 547, so if a DHCPv6 relay
agent cannot receive DHCP messages (because port 547 is blocked) then the routers (clients)
will not obtain DHCPv6 prefixes. (Strictly, DHCPv6 runs over UDP, not TCP, so a filter on
TCP port 547 alone would not affect it; the question assumes port 547 is blocked outright.)

We are not sure about answer D but maybe it is related to the (absence of) "Reload Persistent
Interface ID" in DHCPv6 Relay Options. This feature makes the interface ID option
persistent. The interface ID is used by relay agents to decide which interface should be used
to forward a RELAY-REPLY packet. A persistent interface-ID option will not change if the
router acting as a relay agent goes offline during a reload or a power outage. When the router
acting as a relay agent returns online, it is possible that changes to the internal interface index
of the relay agent may have occurred in certain scenarios (such as, when the relay agent
reboots and the number of interfaces in the interface index changes, or when the relay agents
boot up and has more virtual interfaces than it did before the reboot). This feature prevents
such scenarios from causing any problems.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-15-e-book/dhcp-15e-book_chapter_010.html

Question 7

Refer to the exhibit. Router DHCP is configured to lease IPv4 and IPv6 addresses to clients
on ALS1 and ALS2. Clients on ALS2 receive IPv4 and IPv6 addresses. Clients on ALS1
receive IPv4 addresses. Which configuration on DSW1 allows clients on ALS1 to receive
IPv6 addresses?

DSW1#sh run int f0/0
Building configuration...
!
interface FastEthernet0/0
ip address 10.4.10.1 255.255.255.0
ip helper-address 4.4.4.4
duplex auto
speed auto
ipv6 address 2002:A04:A01::A04:A01/120
ipv6 enable
end

A. DSW1(config-if)#ipv6 helper address 2002:404:404::404:404
B. DSW1(config)#ipv6 route 2002:404:404::404:404/128 FastEthernet1/0
C. DSW1(dhcp-config)#default-router 2002:A04:A01::A04:A01
D. DSW1(config-if)#ipv6 dhcp relay destination 2002:404:404::404:404 GigabitEthernet1/2

Answer: D

Explanation

In this topology DSW1 is the DHCPv6 relay agent, so it should relay (forward) the DHCPv6
messages (Solicit/Request) from the clients out of its Gi1/2 interface to the DHCPv6 server.
The command "ipv6 dhcp relay destination ..." is used to complete this task.

Note: There is no "default-router" command for DHCPv6 (IPv6 hosts learn their routers from
Router Advertisements). The "ipv6 dhcp relay destination" command is not required on every
router along the path between the client and server; it is ONLY required on the router
functioning as the DHCPv6 relay agent.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-689821.html

Question 8

Refer to the exhibit.

interface FastEthernet0/0
ip helper-address 192.168.145.5

A packet capture indicates that the router is not forwarding the DHCP packets that it receives
on interface FastEthernet0/0. Which command needs to be entered in global configuration
mode to resolve this issue?

A. ip helper-address
B. ip DHCP relay
C. service DHCP
D. ip forward-protocol

Answer: B

Explanation
The "ip helper-address" command is only configured in interface mode, so it is not the correct
answer.

Note: The Cisco IOS software provides the global configuration command "ip forward-protocol"
to allow an administrator to forward any UDP port in addition to the eight default UDP
services. For example, to forward UDP on port 517, use the global configuration command
"ip forward-protocol udp 517". But the eight default UDP services (which include BOOTP/DHCP
on ports 67 and 68) are already forwarded by "ip helper-address", so it is not the suitable
answer.

Reference and good resource:


http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9

A DHCP relay agent may receive a message from another DHCP relay agent that already
contains relay information. By default, the relay information from the previous relay agent is
replaced. If this behavior is not suitable for your network, you can use the ip dhcp relay
information policy {drop | keep | replace} global configuration command to change it ->
Therefore this is the correct answer.

Reference:
https://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html

Question 9

Refer to the exhibit. The DHCP client is unable to receive a DHCP address from the DHCP
server. Consider the following output:
hostname R2
!
interface fastethernet 0/0
ip address 172.31.1.1 255.255.255.0
interface serial 0/0
ip address 10.1.1.1 255.255.255.252
!
ip route 172.16.1.0 255.255.255.0 10.1.1.2

Which configuration is required on the R2 fastethernet 0/0 port in order to allow the DHCP
client to successfully receive an IP address from the DHCP server?

A. R2(config-if)# ip helper-address 172.16.1.2
B. R2(config-if)# ip helper-address 172.16.1.1
C. R2(config-if)# ip helper-address 172.31.1.1
D. R2(config-if)# ip helper-address 255.255.255.255

Answer: A

Explanation

If the DHCP server is not on the same subnet as the DHCP client, we need to configure the
router on the DHCP client side to act as a DHCP relay agent so that it can forward DHCP
messages between the DHCP client and DHCP server. To make a router a DHCP relay agent,
simply put the "ip helper-address <IP-address-of-DHCP-Server>" command under the interface
that receives the DHCP messages from the DHCP client (here FastEthernet0/0 on R2).

Question 10

DHCPv6 can obtain configuration parameters from a server through rapid two-way message
exchange. Which two steps are involved in this process? (Choose two)

A. solicit
B. advertise
C. request
D. auth
E. reply

Answer: A E

EVN & VRF Questions
https://www.digitaltut.com/evn-vrf-questions

Question 1

Which three characteristics are shared by subinterfaces and associated EVNs? (Choose three)

A. IP address
B. routing table
C. forwarding table
D. access control lists
E. NetFlow configuration

Answer: A B (?) C (?)

Explanation

All the subinterfaces and associated EVNs have the same IP address assigned. In other words,
a trunk interface is identified by the same IP address in different EVN contexts. EVN
automatically generates subinterfaces for each EVN. For example, both Blue and Green
VPN Routing and Forwarding (VRF) use the same IP address of 10.0.0.1 on their trunk
interface:

vrf definition Blue
vnet tag 100
vrf definition Green
vnet tag 200
!
interface gigabitethernet0/0/0
vnet trunk
ip address 10.0.0.1 255.255.255.0

-> A is correct.

In fact answers B & C are not correct because each EVN has its own separate routing table and
forwarding table.

Note: The combination of the VPN IP routing table and the associated VPN IP forwarding
table is called a VPN routing and forwarding (VRF) instance.

Question 2

Which encapsulation supports an interface that is configured for an EVN trunk?

A. 802.1Q
B. ISL
C. PPP
D. Frame Relay
E. MPLS
F. HDLC

Answer: A

Explanation

EVN is supported on any interface that supports 802.1q encapsulation, for example, an
Ethernet interface. Instead of adding a new field to carry the VNET tag in a packet, the
VLAN ID field in 802.1q is repurposed to carry a VNET tag. The VNET tag uses the same
position in the packet as a VLAN ID. On a trunk interface, the packet gets re-encapsulated
with a VNET tag. Untagged packets carrying the VLAN ID are not EVN packets and could
be transported over the same trunk interfaces.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-vpns-l3vpn/whitepaper_c11-638769.html

Question 3
What is the purpose of the autonomous-system {autonomous-system-number} command?

A. It sets the EIGRP autonomous system number in a VRF.
B. It sets the BGP autonomous system number in a VRF.
C. It sets the global EIGRP autonomous system number.
D. It sets the global BGP autonomous system number.

Answer: A

Explanation

An example of using the "autonomous-system {autonomous-system-number}" command is
shown below:

router eigrp 100
address-family ipv4 vrf Cust
network 192.168.12.0
autonomous-system 100
no auto-summary

This configuration is performed on the Provider Edge (PE) router to run EIGRP with a
Customer Edge (CE) router. The "autonomous-system 100" command indicates that
EIGRP AS 100 is running between the PE & CE routers.

Question 4

What is the primary service that is provided when you implement Cisco Easy Virtual
Network?

A. It requires and enhances the use of VRF-Lite.
B. It reduces the need for common services separation.
C. It allows for traffic separation and improved network efficiency.
D. It introduces multi-VRF and label-prone network segmentation.

Answer: C

Question 5

Which Cisco VPN technology uses AAA to implement group policies and authorization and
is also used for the XAUTH authentication method?

A. DMVPN
B. Cisco Easy VPN
C. GETVPN
D. GREVPN
Answer: B

Question 6

Which three benefits does the Cisco Easy Virtual Network provide to an enterprise network?
(Choose three)

A. simplified Layer 3 network virtualization
B. improved shared services support
C. enhanced management, troubleshooting, and usability
D. reduced configuration and deployment time for dot1q trunking
E. increased network performance and throughput
F. decreased BGP neighbor configurations

Answer: A B C

Explanation

EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN
provides enhancements in path isolation, simplified configuration and management, and
improved shared service support

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

The "improved shared services support" term here probably refers to sharing routes between
different VRFs (through route-targets and MP-BGP, or EVN route replication).

Question 7

A network engineer has set up VRF-Lite on two routers where all the interfaces are in the
same VRF. At a later time, a new loopback is added to Router 1, but it cannot ping any of the
existing interfaces. Which two configurations enable the local or remote router to ping the
loopback from any existing interface? (Choose two)

A. adding a static route for the VRF that points to the global route table
B. adding the loopback to the VRF
C. adding dynamic routing between the two routers and advertising the loopback
D. adding the IP address of the loopback to the export route targets for the VRF
E. adding a static route for the VRF that points to the loopback interface
F. adding all interfaces to the global and VRF routing tables

Answer: A B
Explanation

This question is not clear because we have to configure a static route pointing to the global
routing table while it states that "all interfaces are in the same VRF". But we should
understand that both outside and inside interfaces want to ping the loopback interface.

Question 8

Which two routing protocols are supported by Easy Virtual Network? (Choose two)

A. RIPv2
B. OSPFv2
C. BGP
D. EIGRP
E. IS-IS

Answer: B D

Explanation

EVN supports IPv4, static routes, Open Shortest Path First version 2 (OSPFv2), and
Enhanced Interior Gateway Routing Protocol (EIGRP) for unicast routing, and Protocol
Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) for IPv4
Multicast routing. EVN also supports Cisco Express Forwarding (CEF) and Simple Network
Management Protocol (SNMP).

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

Question 9

What is the purpose of the route-target command?

A. It extends the IP address to identify which VRF instance it belongs to.
B. It enables multicast distribution for VRF-Lite setups to enhance IGP routing protocol
capabilities.
C. It manages the import and export of routes between two or more VRF instances.
D. It enables multicast distribution for VRF-Lite setups to enhance EGP routing protocol
capabilities.

Answer: C

Explanation

A route-target is an extended BGP community that is attached to each prefix when it is
exported from a VRF. If this community matches one of the import route-targets configured on
the receiving side, the prefix is imported into the receiving VRF; otherwise it is ignored there.
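As an added example (not from the original page), the following Python model shows the export/import matching described above for three VRFs on one PE: two tenants that must stay isolated and a shared-services VRF that both may reach. The VRF names, prefixes and route-target values are constructed for the demonstration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vrf:
    name: str
    export_rt: Set[str]                 # "route-target export" values
    import_rt: Set[str]                 # "route-target import" values
    local_routes: List[str] = field(default_factory=list)


def exported_routes(vrfs: List[Vrf]) -> List[Tuple[str, str, Set[str]]]:
    """Every locally known prefix leaves its VRF tagged with that VRF's export
    route-targets, the way a VPNv4 route carries extended communities in MP-BGP."""
    return [(v.name, prefix, set(v.export_rt)) for v in vrfs for prefix in v.local_routes]


def routing_tables(vrfs: List[Vrf]) -> Dict[str, List[str]]:
    """A VRF imports a prefix when at least one attached route-target matches one
    of its import route-targets; everything else stays invisible to it."""
    tables = {v.name: list(v.local_routes) for v in vrfs}
    for source, prefix, targets in exported_routes(vrfs):
        for v in vrfs:
            if v.name != source and targets & v.import_rt and prefix not in tables[v.name]:
                tables[v.name].append(prefix)
    return {name: sorted(routes) for name, routes in tables.items()}


# Constructed topology: two tenants that must not see each other, and a shared
# services VRF (DNS, patching) that both tenants may reach. The RT values are
# arbitrary ASN:nn pairs chosen for the example.
VRFS = [
    Vrf("Blue", export_rt={"65000:100"}, import_rt={"65000:100", "65000:999"},
        local_routes=["10.1.0.0/16"]),
    Vrf("Green", export_rt={"65000:200"}, import_rt={"65000:200", "65000:999"},
        local_routes=["10.2.0.0/16"]),
    Vrf("Shared", export_rt={"65000:999"},
        import_rt={"65000:999", "65000:100", "65000:200"},
        local_routes=["192.168.100.0/24"]),
]

if __name__ == "__main__":
    for name, routes in routing_tables(VRFS).items():
        print(f"{name:7}{routes}")
```

The import list is the isolation policy: adding Green's route-target to Blue's import list would silently merge the two tenants' routing tables, so changes to "route-target import" deserve the same review as firewall rule changes.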

Question 10

Which Easy Virtual Networking configuration component significantly decreases network configuration?

A. Easy Trunk
B. dot1e
C. virtual network trunk
D. VNET tags
E. MBGP

Answer: C

Explanation

Easy Virtual Network (EVN) is an IP-based virtualization technology that provides end-to-
end virtualization of two or more Layer-3 networks. You can use a single IP infrastructure to
provide separate virtual networks whose traffic paths remain isolated from each other.

An EVN trunk interface connects VRF-aware routers together and provides the core with a
means to transport traffic for multiple EVNs. Trunk interfaces carry tagged traffic. The tag is
used to de-multiplex the packet into the corresponding EVN. A trunk interface has one
subinterface for each EVN. The vnet trunk command is used to define an interface as an EVN
trunk interface.

In other words, EVN trunk interfaces allow multiple VRFs to use the same physical
interfaces for transmission but the data of each VRF is treated separately. Without EVN trunk
interfaces we need to create many subinterfaces. Therefore virtual network trunk (VNET)
decreases the network configuration required.

Note: There is no ―Easy Trunk‖ component or technology.

EVN & VRF Questions 2
https://www.digitaltut.com/evn-vrf-questions-2

Question 1

A network engineer implemented Cisco EVN. Which feature implements shared services
support?

A. Edge interfacing
B. Tunnel feedback
C. Route replication
D. Route redistribution

Answer: C

Explanation

Route replication allows shared services because routes are replicated between virtual
networks and clients who reside in one virtual network can reach prefixes that exist in
another virtual network.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-
xe-3s-book/evn-shared-svcs.html

Question 2

What does the ―show ip route vrf CISCO‖ command display?

A. directly connected routes for VRF CISCO.
B. the routing table for VRF CISCO.
C. the global routing table.
D. all routing tables that start with VRF CISCO.
E. the route distinguisher for VRF CISCO.

Answer: B

Question 3

Which two statements about EVN are true? (Choose two)

A. Virtual network tags are assigned per-VRF.
B. It is supported only on access ports.
C. Virtual network tags are assigned globally.
D. Routing metrics can be manipulated only from directly within the routing-context
configuration.
E. The VLAN ID in the 802.1q frame carries the virtual network tag.
F. The VLAN ID in the ISL frame carries the virtual network tag.

Answer: A E

Explanation

Path isolation can be achieved by using a unique tag for each Virtual Network (VN) ->
Answer A is correct.
Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q
is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a
VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged
packets carrying the VLAN ID are not EVN packets and could be transported over the same
trunk interfaces -> Answer E is correct.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-
vpns-l3vpn/whitepaper_c11-638769.html

Question 4

Refer to the exhibit. R1 is unable to ping interface S0/0 of R2. What is the issue with the
configuration that is shown here?

A. The route-target configuration command is missing.
B. The interface IP addresses are not in the same subnet.
C. The syntax of the ping command is wrong.
D. The default route configuration is missing.
E. The serial interfaces belong to the global table instead of vrf Yellow.

Answer: E

Explanation

We are trying to ping 192.168.1.2 in VRF Yellow but the Serial0/0 interfaces of both
routers do not belong to this VRF, so the ping fails. We need to configure the S0/0 interfaces with
"ip vrf forwarding Yellow" (under interface S0/0) in order to put these interfaces into
VRF Yellow.

Question 5

After reviewing the EVN configuration, a network administrator notices that a predefined
EVN, which is known as "vnet global", was configured. What is the purpose of this EVN?
(OR) What is the purpose of "vnet global"?

A. It defines the routing scope for each particular EVN edge interface.
B. It aggregates and carries all dot1q tagged traffic.
C. It refers to the global routing context and corresponds to the default RIB.
D. It safeguards the virtual network that is preconfigured to avoid mismatched routing
instances.

Answer: C

Question 6

What is the output of the following command?

show ip vrf

A. Shows the VRFs present in the router and their associated route distinguisher
B. Displays IP routing table information associated with a VRF
C. Shows routing protocol information associated with a VRF.
D. Displays the ARP table (static and dynamic entries) in the specified VRF.

Answer: A

Question 7

Which two statements about route targets that are configured with VRF-Lite are true?
(Choose two)

A. Route targets uniquely identify the customer routing table
B. Route targets control the import and export of routes into a customer routing table
C. Route targets are supported only when BGP is configured
D. When IS-IS is configured, route targets identify the circuit level in which the customer
resides
E. When BGP is configured, route targets are transmitted as BGP standard communities
F. Route targets allow customers to be assigned overlapping addresses

Answer: B C

Explanation

In the link http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/vrf.html there is a notice about the route-target command:
"Note: This command is effective only if BGP is running." -> C is correct.

Answers A & F are not correct as only the route distinguisher (RD) identifies the customer routing
table and "allows customers to be assigned overlapping addresses".
Answer E is not correct as "When BGP is configured, route targets are transmitted as BGP
extended communities".

Question 8

Which two statements about EVNs are true? (Choose two)

A. VRFs using MPLS require a trunk interface that uses EVN
B. VRF-Lite requires a trunk interface that uses EVNs
C. All EVNs within a trunk interface can share the same IP infrastructure
D. Each EVN within a trunk interface must be configured separately
E. Commands that are specified once under a trunk interface can be inherited by all EVNs

Answer: C E

Explanation

With VRF-Lite, if you want to send traffic for multiple virtual networks (that is, multiple
VRFs) between two routers you need to create a subinterface for each VRF on each router ->
VRF-Lite requires subinterfaces. However, with Cisco EVN, you instead create a trunk
(called a Virtual Network (VNET) trunk) between the routers. Then, traffic for multiple
virtual networks can travel over that single trunk interface, which uses tags to identify the
virtual networks to which packets belong.

Note: Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual
router instances, and both technologies allow routes from one VRF to be selectively leaked to
other VRFs. However, a major difference is the way that two physical routers interconnect.
With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF.
However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies
configuration.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide

All EVNs within a trunk interface share the same IP infrastructure as they are on the same
physical interface -> Answer C is correct.

With EVNs, a trunk interface is shared among VRFs so each command configured under this
trunk is applied by all EVNs -> Answer E is correct.

Question 9

Which value identifies VPNs in an EVN environment?

A. DLCI
B. route target
C. virtual network tag
D. VLAN ID

Answer: C

Question 10

How does an EVN provide end-to-end virtualization and separation of data traffic from
multiple networks?

A. It tags traffic with an 802.1q tag at the edge interface.
B. It tags traffic with an 802.1q tag at trunk interface.
C. It tags traffic with a virtual network tag at the trunk interface.
D. It tags traffic with a virtual network tag at the edge interface

Answer: C

IPv6 Questions
https://www.digitaltut.com/ipv6-questions

Question 1

Which method allows IPv4 and IPv6 to work together without requiring both to be used for a
single connection during the migration process?

A. dual-stack method
B. 6to4 tunneling
C. GRE tunneling
D. NAT-PT

Answer: A

Explanation

Dual-stack method is the most common technique which only requires edge routers to run
both IPv4 and IPv6 while the inside routers only run IPv4. At the edge network, IPv4 packets
are converted to IPv6 packets before sending out.

6to4 tunnel is a technique which relies on reserved address space 2002::/16 (you must
remember this range). These tunnels determine the appropriate destination address by
combining the IPv6 prefix with the globally unique destination 6to4 border router's IPv4
address, beginning with the 2002::/16 prefix, in this format:

2002:border-router-IPv4-address::/48
For example, if the border-router-IPv4-address is 64.101.64.1, the tunnel interface will have
an IPv6 prefix of 2002:4065:4001:1::/64, where 4065:4001 is the hexadecimal equivalent of
64.101.64.1. This technique allows IPv6 sites to communicate with each other over the IPv4
network without explicit tunnel setup but we have to implement it on all routers on the path.

NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at
the boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an
IPv4 and IPv6 network, all IPv4 users are given access to the IPv6 network without
modification in the local IPv4-hosts (and vice versa). Equally, all hosts on the IPv6 network
are given access to the IPv4 hosts without modification to the local IPv6-hosts. This is
accomplished with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis
as sessions are initiated across IPv4-IPv6 boundaries.

Question 2

Which statement about the use of tunneling to migrate to IPv6 is true?

A. Tunneling is less secure than dual stack or translation.
B. Tunneling is more difficult to configure than dual stack or translation.
C. Tunneling does not enable users of the new protocol to communicate with users of the old
protocol without dual-stack hosts.
D. Tunneling destinations are manually determined by the IPv4 address in the low-order 32
bits of IPv4-compatible IPv6 addresses.

Answer: C

Explanation

Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4
infrastructure (a core network or the Internet). By using overlay tunnels, you can
communicate with isolated IPv6 networks without upgrading the IPv4 infrastructure between
them. Overlay tunnels can be configured between border routers or between a border router
and a host; however, both tunnel endpoints must support both the IPv4 and IPv6 protocol
stacks.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/i
p6-tunnel.html

Question 3

A router with an interface that is configured with ipv6 address autoconfig also has a link-
local address assigned. Which message is required to obtain a global unicast address when a
router is present?

A. DHCPv6 request
B. router-advertisement
C. neighbor-solicitation
D. redirect

Answer: B

Explanation

In Stateless Configuration mode, hosts listen for Router Advertisement (RA) messages,
which are transmitted periodically from the router (DHCP Server). This RA message allows a
host to create a global IPv6 address from:
+ Its interface identifier (EUI-64 address)
+ Link Prefix (obtained via RA)
Note: Global address is the combination of Link Prefix and EUI-64 address

Question 4

An engineer has configured a router to use EUI-64, and was asked to document the IPv6
address of the router. The router has the following interface parameters:

mac address C601.420F.0007
subnet 2001:DB8:0:1::/64

Which IPv6 addresses should the engineer add to the documentation?

A. 2001:DB8:0:1:C601:42FF:FE0F:7
B. 2001:DB8:0:1:FFFF:C601:420F:7
C. 2001:DB8:0:1:FE80:C601:420F:7
D. 2001:DB8:0:1:C601:42FE:800F:7

Answer: A

Explanation

The IPv6 EUI-64 format address is obtained from the 48-bit MAC address. The MAC
address is first separated into two 24-bit parts, one being the OUI (Organizationally Unique
Identifier) and the other being NIC specific. The 16-bit value 0xFFFE is then inserted between
these two 24-bit parts to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value
which can only appear in an EUI-64 generated from an EUI-48 MAC address.
In this question, the MAC address C601.420F.0007 is divided into two 24-bit parts, which are
"C60142" (OUI) and "0F0007" (NIC). Then "FFFE" is inserted in the middle. Therefore we
have the address: C601.42FF.FE0F.0007.

Then, according to RFC 3513 we need to invert the Universal/Local bit ("U/L" bit) in the
7th position of the first octet. The "u" bit is set to 1 to indicate Universal, and it is set to zero
(0) to indicate local scope. In this case we don't need to set this bit to 1 because it is already 1
(C6 = 11000110).

Therefore with the subnet of 2001:DB8:0:1::/64, the full IPv6 address is
2001:DB8:0:1:C601:42FF:FE0F:7/64

Question 5

For security purposes, an IPv6 traffic filter was configured under various interfaces on the
local router. However, shortly after implementing the traffic filter, OSPFv3 neighbor
adjacencies were lost. What caused this issue?

A. The traffic filter is blocking all ICMPv6 traffic.
B. The global anycast address must be added to the traffic filter to allow OSPFv3 to work
properly.
C. The link-local addresses that were used by OSPFv3 were explicitly denied, which caused
the neighbor relationships to fail.
D. IPv6 traffic filtering can be implemented only on SVIs.

Answer: C

Question 6

A company's corporate policy has been updated to require that stateless, 1-to-1, and IPv6 to
IPv6 translations at the Internet edge are performed. What is the best solution to ensure
compliance with this new policy?

A. NAT64
B. NAT44
C. NATv6
D. NPTv4
E. NPTv6

Answer: E

Explanation

NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6 and it supports
one-to-one translation between inside and outside addresses.

Question 7

A network engineer executes the "ipv6 flowset" command. What is the result?

A. Flow-label marking in 1280-byte or larger packets is enabled.
B. Flow-set marking in 1280-byte or larger packets is enabled.
C. IPv6 PMTU is enabled on the router.
D. IPv6 flow control is enabled on the router.

Answer: A

Explanation

The command "ipv6 flowset" allows the device to track destinations to which the device has
sent packets that are 1280 bytes or larger.

Question 8

IPv6 has just been deployed to all of the hosts within a network, but not to the servers. Which
feature allows IPv6 devices to communicate with IPv4 servers?

A. NAT
B. NATng
C. NAT64
D. dual-stack NAT
E. DNS64

Answer: C

Explanation

NAT64 is used to make IPv4-only servers available to IPv6 clients.

Note:
NAT44 – NAT from IPv4 to IPv4
NAT66 – NAT from IPv6 to IPv6
NAT46 – NAT from IPv4 to IPv6
NAT64 – NAT from IPv6 to IPv4

Question 9

After you review the output of the command show ipv6 interface brief, you see that several
IPv6 addresses have the 16-bit hexadecimal value of "FFFE" inserted into the address. Based
on this information, what do you conclude about these IPv6 addresses?

A. IEEE EUI-64 was implemented when assigning IPv6 addresses on the device.
B. The addresses were misconfigured and will not function as intended.
C. IPv6 addresses containing "FFFE" indicate that the address is reserved for multicast.
D. The IPv6 universal/local flag (bit 7) was flipped.
E. IPv6 unicast forwarding was enabled, but IPv6 Cisco Express Forwarding was disabled.

Answer: A

Explanation

The IPv6 EUI-64 format address is obtained from the 48-bit MAC address. The MAC
address is first separated into two 24-bit parts, one being the OUI (Organizationally Unique
Identifier) and the other being NIC specific. The 16-bit value 0xFFFE is then inserted between
these two 24-bit parts to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value
which can only appear in an EUI-64 generated from an EUI-48 MAC address.

Question 10

A packet capture log indicates that several router solicitation messages were sent from a local
host on the IPv6 segment. What is the expected acknowledgment and its usage?

A. Router acknowledgment messages will be forwarded upstream, where the DHCP server
will allocate addresses to the local host.
B. Routers on the IPv6 segment will respond with an advertisement that provides an external
path from the local subnet, as well as certain data, such as prefix discovery.
C. Duplicate Address Detection will determine if any other local host is using the same IPv6
address for communication with the IPv6 routers on the segment.
D. All local host traffic will be redirected to the router with the lowest ICMPv6 signature,
which is statically defined by the network administrator.

Answer: B

Explanation

IPv6 allows devices to configure their own IP addresses and other parameters automatically
without the need for a DHCP server. This method is called "IPv6 Stateless Address
Autoconfiguration" (which contrasts with the server-based method using DHCPv6, called
"stateful"). In the Stateless Autoconfiguration method, a host sends a router solicitation to
request a prefix. The router then replies with a router advertisement (RA) message which
contains the prefix of the link. Host will use this prefix and its MAC address to create its own
unique IPv6 address.

Note:
+ RA messages are sent periodically and in response to device solicitation messages
+ In the absence of a router, a host can generate only link-local addresses. Link-local
addresses are only sufficient for allowing communication among nodes that are attached to
the same link

IPv6 Questions 2
https://www.digitaltut.com/ipv6-questions-2-2

Question 1

Which traffic does the following configuration allow?


ipv6 access-list cisco
permit ipv6 host 2001:DB8:0:4::32 any eq ssh
line vty 0 4
ipv6 access-class cisco in

A. all traffic to vty 0 4 from source 2001:DB8:0:4::32
B. only ssh traffic to vty 0 4 from source all
C. only ssh traffic to vty 0 4 from source 2001:DB8:0:4::32
D. all traffic to vty 0 4 from source all

Answer: C

Question 2

Which two functions are completely independent when implementing NAT64 over NAT-PT?
(Choose two)

A. DNS
B. NAT
C. port redirection
D. stateless translation
E. session handling

Answer: A B

Question 3

Which two methods of deployment can you use when implementing NAT64? (Choose two)

A. stateless
B. stateful
C. manual
D. automatic
E. static
F. functional
G. dynamic

Answer: A B

Explanation

Address Family Translation (AFT) using NAT64 technology can be achieved by either
stateless or stateful means:
+ Stateless NAT64 is a translation mechanism for algorithmically mapping IPv6 addresses to
IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it does not maintain any
bindings or session state while performing translation, and it supports both IPv6-initiated and
IPv4-initiated communications.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation. It supports both
IPv6-initiated and IPv4-initiated communications using static or manual mappings.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/white_paper_c11-676278.html

Question 4

Router A and Router B are configured with IPv6 addressing and basic routing capabilities
using OSPFv3. The networks that are advertised from Router A do not show up in Router B's
routing table. After debugging IPv6 packets, the message "not a router" is found in the
output. Why is the routing information not being learned by Router B?

A. OSPFv3 timers were adjusted for fast convergence.
B. The networks were not advertised properly under the OSPFv3 process.
C. An IPv6 traffic filter is blocking the networks from being learned via the Router B
interface that is connected to Router A.
D. IPv6 unicast routing is not enabled on Router A or Router B.

Answer: D

Question 5

What is a function of NPTv6?

A. It interferes with encryption of the full IP payload.
B. It maintains a per-node state.
C. It is checksum-neutral.
D. It rewrites transport layer headers.

Answer: C

Explanation

When a change is made to one of the IP header fields in the IPv6 pseudo-header checksum
(such as one of the IP addresses), the checksum field in the transport layer header may
become invalid. Fortunately, an incremental change in the area covered by the Internet
standard checksum [RFC1071] will result in a well-defined change to the checksum value
[RFC1624]. So, a checksum change caused by modifying part of the area covered by the
checksum can be corrected by making a complementary change to a different 16-bit field
covered by the same checksum.

Reference: https://tools.ietf.org/html/rfc6296
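The checksum-neutral argument above can be carried through in code. The block below is an added example, not Cisco IOS or RFC reference code: it rewrites a /48 prefix the way NPTv6 does, compensates in word 3 (the subnet ID) so the one's-complement sum of the address is unchanged, and then computes a UDP checksum over the IPv6 pseudo-header before and after translation. The inside prefix fd01:203:405::/48, outside prefix 2001:db8:1::/48, host, peer and UDP segment are all constructed for the example.

```python
"""Checksum-neutral prefix rewrite in the NPTv6 style (added example, not Cisco or RFC code).

Constructed assumptions: inside prefix fd01:203:405::/48, outside prefix 2001:db8:1::/48,
host fd01:203:405:1::42, peer 2001:db8:ffff::1, and a small UDP segment. Only the /48 case
is handled, with the compensation added to word 3 (the subnet ID), as in RFC 6296 section 3.4.
"""
import ipaddress
import struct


def words16(addr) -> list:
    """The eight 16-bit words of an IPv6 address, the units the Internet checksum adds up."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def ones_sum(values) -> int:
    """One's-complement sum of 16-bit values with end-around carry (RFC 1071)."""
    total = sum(values)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_diff(a: int, b: int) -> int:
    """a - b in one's-complement arithmetic: add the complement of b."""
    return ones_sum([a, (~b) & 0xFFFF])


def nptv6_rewrite(addr, inside, outside) -> ipaddress.IPv6Address:
    """Swap the /48 prefix and adjust word 3 so the address's one's-complement sum is unchanged.

    The transport checksum covers both addresses (pseudo-header) as 16-bit words, so
    keeping that sum constant keeps every TCP/UDP/ICMPv6 checksum valid with no rewrite.
    """
    inside = ipaddress.IPv6Network(inside)
    outside = ipaddress.IPv6Network(outside)
    addr = ipaddress.IPv6Address(addr)
    if inside.prefixlen != 48 or outside.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if addr not in inside:
        raise ValueError(f"{addr} is not covered by {inside}")
    in_words = words16(inside.network_address)[:3]
    out_words = words16(outside.network_address)[:3]
    adjustment = ones_diff(ones_sum(in_words), ones_sum(out_words))
    w = words16(addr)
    w[0:3] = out_words
    w[3] = ones_sum([w[3], adjustment])
    if w[3] == 0xFFFF:   # 0xFFFF and 0x0000 are the same one's-complement value; keep the canonical 0
        w[3] = 0x0000
    return ipaddress.IPv6Address(struct.pack("!8H", *w))


def naive_rewrite(addr, outside) -> ipaddress.IPv6Address:
    """Prefix swap with no compensation, to show why the adjustment is needed."""
    w = words16(addr)
    w[0:3] = words16(ipaddress.IPv6Network(outside).network_address)[:3]
    return ipaddress.IPv6Address(struct.pack("!8H", *w))


def udp_checksum(src, dst, udp_segment: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header (RFC 2460 8.1) plus the UDP segment."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(udp_segment), 17))   # upper-layer length, zeros, next header
    data = pseudo + udp_segment
    if len(data) % 2:
        data += b"\x00"
    return (~ones_sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF


# Constructed sample traffic: a DNS-sized UDP segment with the checksum field zeroed.
INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"
HOST, PEER = "fd01:203:405:1::42", "2001:db8:ffff::1"
UDP_SEGMENT = struct.pack("!HHHH", 4000, 53, 12, 0) + b"\xde\xad\xbe\xef"


def demo() -> dict:
    translated = nptv6_rewrite(HOST, INSIDE, OUTSIDE)
    naive = naive_rewrite(HOST, OUTSIDE)
    before = udp_checksum(HOST, PEER, UDP_SEGMENT)
    return {
        "translated": str(translated),                                   # 2001:db8:1:d550::42
        "round_trip": str(nptv6_rewrite(translated, OUTSIDE, INSIDE)),   # back to the inside address
        "nptv6_neutral": before == udp_checksum(translated, PEER, UDP_SEGMENT),   # True
        "naive_neutral": before == udp_checksum(naive, PEER, UDP_SEGMENT),        # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Translating back with the prefixes swapped reverses the adjustment, which is why NPTv6 needs no per-flow state in either direction.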

Question 6

Which statement about dual stack is true?

A. Dual stack translates IPv6 addresses to IPv4 addresses.
B. Dual stack means that devices are able to run IPv4 and IPv6 in parallel.
C. Dual stack translates IPv4 addresses to IPv6 addresses.
D. Dual stack changes the IP addresses on hosts from IPv4 to IPv6 automatically.

Answer: B

Question 7

Which IPv6 address type is seen as the next-hop address in the output of the show ipv6 rip
RIPng database command?

A. link-local
B. global
C. site-local
D. anycast
E. multicast

Answer: A

Explanation

Link-local addresses are always configured with the FE80::/64 prefix. Most routing protocols
use the link-local address for a next-hop.

Question 8
Refer to the exhibit. The command is executed while configuring a point-to-multipoint Frame
Relay interface. Which type of IPv6 address is portrayed in the exhibit?

frame-relay map ipv6 FE80::102 102

A. link-local
B. site-local
C. global
D. multicast

Answer: A

Explanation

A link-local address is an IPv6 unicast address that can be automatically configured on any
interface using the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in
the modified EUI-64 format. Link-local addresses are not necessarily bound to the MAC
address (configured in an EUI-64 format). Link-local addresses can also be manually
configured in the FE80::/10 format using the ipv6 address link-local command.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113328-ipv6-
lla.html

Question 9

The following configuration is applied to a router at a branch site:


ipv6 dhcp pool dhcp-pool
dns-server 2001:DB8:1:B::1
dns-server 2001:DB8:3:307C::42
domain-name example.com
!

If IPv6 is configured with default settings on all interfaces on the router, which two dynamic
IPv6 addressing mechanisms could you use on end hosts to provide end-to-end connectivity?
(Choose two)

A. EUI-64
B. SLAAC
C. DHCPv6
D. BOOTP

Answer: A B

Explanation

Stateless Address Autoconfiguration (SLAAC) is a method in which the host or router
interface is assigned a 64-bit prefix, and then the last 64 bits of its address are derived by the
host or router with the help of the EUI-64 process.

Question 10

Which statement about the NPTv6 protocol is true?

A. It is used to translate IPv4 prefixes to IPv6 prefixes.
B. It is used to translate an IPv6 address prefix to another IPv6 prefix.
C. It is used to translate IPv6 prefixes to IPv4 subnets with appropriate masks.
D. It is used to translate IPv4 addresses to IPv6 link-local addresses.

Answer: B

Question 11

The enterprise network WAN link has been receiving several denial of service attacks from
both IPv4 and IPv6 sources. Which three elements can you use to identify an IPv6 packet via
its header, in order to filter future attacks? (Choose three)

A. Traffic Class
B. Source address
C. Flow Label
D. Hop Limit
E. Destination Address
F. Fragment Offset

Answer: A C D

Explanation

The components of the IPv6 header are shown below:

The Traffic Class field (8 bits) is where quality of service (QoS) marking for Layer 3 can be
identified. In a nutshell, the higher the value of this field, the more important the packet. Your
Cisco routers (and some switches) can be configured to read this value and send a high-
priority packet sooner than other lower ones during times of congestion. This is very
important for some applications, especially VoIP.

The Flow Label field (20 bits) is originally created for giving real-time applications special
service. The flow label when set to a non-zero value now serves as a hint to routers and
switches with multiple outbound paths that these packets should stay on the same path so that
they will not be reordered. It has further been suggested that the flow label be used to help
detect spoofed packets.

The Hop Limit field (8 bits) is similar to the Time to Live field in the IPv4 packet header.
The value of the Hop Limit field specifies the maximum number of routers that an IPv6
packet can pass through before the packet is considered invalid. Each router decrements the
value by one. Because no checksum is in the IPv6 header, the router can decrease the value
without needing to recalculate the checksum, which saves processing resources.

IPv6 Questions 3
https://www.digitaltut.com/ipv6-questions-3-2

Question 1

Refer to the exhibit. When summarizing these routes, which route is the summarized route?

A. OI 2001:DB8::/48 [110/100] via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
B. OI 2001:DB8::/24 [110/100] via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
C. OI 2001:DB8::/32 [110/100] via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0
D. OI 2001:DB8::/64 [110/100] via FE80::A8BB:CCFF:FE00:6F00, Ethernet0/0

Answer: A

Explanation

We need to summarize three IPv6 prefixes with /64 subnet masks, so the summarized route
should have a shorter subnet mask. As we can see, all four answers have the same
summarized route of 2001:DB8::, so /48 is the best choice.

Note: An IPv6 address consists of 8 fields of 16 bits each (8×16 = 128). All the above prefixes start with
2001:DB8:0 (16 bits x 3 = 48), so we need at least a /48 mask to summarize them.

Question 2

What type of IPv6 packet will indicate traffic from single host and single node?

A. multicast
B. unicast
C. broadcast
D. anycast

Answer: B

Question 3

Considering the IPv6 address independence requirements, which process do you avoid when
you use NPTv6 for translation?

A. rewriting of higher layer information
B. checksum verification
C. ipv6 duplication and conservation
D. IPSEC AH header modification

Answer: A

Question 4

An engineer is using a network sniffer to troubleshoot DHCPv6 between a router and hosts
on the LAN with the following configuration:

interface Ethernet0
ipv6 dhcp server DHCPSERVERPOOL rapid-commit
!

Which two DHCPv6 messages will appear in the sniffer logs?

A. reply
B. request
C. advertise
D. acknowledge
E. solicit
F. accept

Answer: A E

Explanation

DHCPv6 can be implemented in two ways: Rapid-Commit and Normal-Commit mode. In
Rapid-Commit mode, the DHCP client obtains configuration parameters from the server
through a rapid two-message exchange (solicit and reply).

The "solicit" message is sent out by the DHCP client to verify that there is a DHCP server
available to handle its requests.

The "reply" message is sent out by the DHCP server to the DHCP client, and it contains the
"configurable information" that the DHCP client requested.

Just for your information, in Normal-Commit mode, the DHCP client uses four message
exchanges (solicit, advertise, request and reply). By default normal-commit is used.

Question 5

What are two limitations of using NPTv6 for IPv6-to-IPv6 address translation?
(Choose two)

A. stateful address translation
B. a limit of 32 1-to-1 translations
C. lack of overloading functionality
D. identify all interfaces as NAT inside or outside
E. 1-to-1 prefix rewrite
F. mismatched prefix allocations

Answer: C F

Explanation

IPv6-to-IPv6 Network Prefix Translation (NPTv6) provides a mechanism to translate an
inside IPv6 source address prefix to an outside IPv6 source address prefix in the IPv6 packet header
and vice versa. In other words, NPTv6 simply rewrites IPv6 prefixes. NPTv6 does not
support overloading. It does not support mismatched prefix allocation sizes (the
network/host portion remains intact; for example, you cannot map a /64 to a /48).

Question 6

Which technologies are used in preparing a service provider network for IPv6? (Choose two)

A. 6ND
B. 6RD
C. 6VPE
D. VRF-Lite
E. DS-Lite
F. Dual-stack

Answer: B E

Question 7

An EUI-64 bit address is formed by adding a reserved 16-bit value in which position of the
MAC address?

A. between the vendor OID and the NIC-specific part of the MAC address.
B. after the NIC-specific part of the MAC address.
C. before the vendor OID part of the MAC address.
D. anywhere in the Mac address, because the value that is added is reserved.

Answer: A

Question 8

An EUI-64 bit address is formed by inserting which 16-bit value into the MAC address of a
device?

A. 3FFE
B. FFFE
C. FF02
D. 2001

Answer: B

Question 9

Refer to the exhibit. Routers R1 and R2 are IPv6 BGP peers that have been configured to
support a neighbor relationship over an IPv4 internetwork. Which three neighbor IP
addresses are valid choices to use in the highlighted section of the exhibit? (Choose three)

A. ::0A43:0002
B. 0A43:0002::
C. ::10.67.0.2
D. 10.67.0.2::
E. 0:0:0:0:0:0:10.67.0.2
F. 10.67.0.2:0:0:0:0:0:0

Answer: A C E

Explanation

The automatic tunneling mechanism uses a special type of IPv6 address, termed an "IPv4-compatible" address. An IPv4-compatible address is identified by an all-zeros 96-bit prefix,
and holds an IPv4 address in the low-order 32 bits. IPv4-compatible addresses are structured
as follows:
Therefore, an IPv4 address of 10.67.0.2 will be written as ::10.67.0.2 or 0:0:0:0:0:0:10.67.0.2
or ::0A43:0002 (10 decimal = 0A hex; 67 decimal = 43 hex; 0 decimal = 0 hex; 2 decimal = 2 hex)

Question 10

Which of the following address types are associated with IPv6? (Choose three)

A. Unicast
B. Private
C. Broadcast
D. Public
E. Multicast
F. Anycast

Answer: A E F

IPv6 Questions 4
https://www.digitaltut.com/ipv6-questions-4-2

Question 1

Which statement is true about IPv6?

A. Only one IPv6 address is assigned per node.
B. Only one IPv6 address can be assigned to each interface.
C. Each host can auto configure its address without the aid of a DHCP server.
D. IPv6 hosts use any cast addresses to assign IP addresses to interfaces.

Answer: C

Question 2

What is IPv6 router solicitation?

A. a request made by a node to join a specified multicast group
B. a request made by a node for its IP address
C. a request made by a node for the IP address of the DHCP server
D. a request made by a node for the IP address of the local router

Answer: D

Question 3

Which statement describes the difference between a manually configured IPv6 in IPv4 tunnel
versus an automatic 6to4 tunnel?

A. A manually configured IPv6 in IPv4 tunnel allows multiple IPv4 destinations.
B. An automatic 6to4 tunnel allows multiple IPv4 destinations.
C. A manually configured IPv6 in IPv4 tunnel does not require dual-stack (IPv4 and IPv6)
routers at the tunnel endpoints.
D. An automatic 6to4 tunnel does not require dual-stack (IPv4 and IPv6) routers at the tunnel
endpoints.

Answer: B

Explanation

An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network
to remote IPv6 networks. The key difference between automatic 6to4 tunnels and manually
configured tunnels is that the tunnel is not point-to-point; it is point-to-multipoint -> it allows
multiple IPv4 destinations -> B is correct.

A is not correct because a manually configured tunnel is point-to-point -> it only allows one IPv4 destination.

Configuring 6to4 (manually and automatic) requires dual-stack routers (which supports both
IPv4 & IPv6) at the tunnel endpoints because they are border routers between IPv4 & IPv6
networks.

(Reference: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-
tunnel_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055515)

Question 4

Which two statements are true about using IPv4 and IPv6 simultaneously on a network
segment? (Choose two)

A. Hosts can be configured to receive both IPv4 and IPv6 addresses via DHCP.
B. Host configuration: options for IPv4 can be either statically assigned or assigned via
DHCP. Host configuration: options for IPv6 can be statically assigned only.
C. IPv6 allows a host to create its own IPv6 address that will allow it to communicate to other
devices on a network configured via DHCP. IPv4 does not provide a similar capability for
hosts.
D. IPv4 and IPv6 addresses can be simultaneously assigned to a host but not to a router
interface.
E. IPv6 provides for more host IP addresses but IPv4 provides for more network addresses.

Answer: A C

Question 5

By default, which type of IPv6 address is used to build the EUI-64 bit format?

A. unique-local address
B. IPv4-compatible IPv6 address
C. link-local address
D. aggregatable-local address

Answer: ?

Explanation

In fact this question has no correct answer. The IPv6 EUI-64 format address is obtained from the 48-bit MAC address. The MAC address is first separated into two 24-bit parts, one being the OUI (Organizationally Unique Identifier) and the other being NIC specific. The 16-bit value 0xFFFE is then inserted between these two 24-bit parts to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64 generated from an EUI-48 MAC address.

For example, the MAC address C601.420F.0007 is divided into two 24-bit parts, which are "C60142" (OUI) and "0F0007" (NIC). Then "FFFE" is inserted in the middle. Therefore we have the address: C601.42FF.FE0F.0007.

Question 6

Refer to the exhibit. Given the partial configuration in the exhibit, which IPv6 statement is
true?

A. The configuration is an example of an encrypted IPv6 VPN tunnel
B. The configuration is an example of a one-to-one IPv6 tunnel
C. The configuration is an example of a 6to4 tunnel
D. The configuration is an example of a 4to6 tunnel

Answer: C

Explanation

A 6to4 tunnel is a technique which relies on the reserved address space 2002::/16 (you must remember this range). These tunnels determine the appropriate destination address by combining the IPv6 prefix with the globally unique IPv4 address of the destination 6to4 border router, beginning with the 2002::/16 prefix, in this format:

2002:border-router-IPv4-address::/48

For example, if the border-router-IPv4-address is 192.168.99.1, the tunnel interface will have an IPv6 prefix of 2002:C0A8:6301::/64, where C0A8:6301 is the hexadecimal equivalent of 192.168.99.1.
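The address derivations from Question 5 (EUI-64) and Question 6 (6to4) carried out in code, as an added example that is not part of the original page. It uses the sample MAC and IPv4 values from the explanations above; it also goes one step further than the text by inverting the universal/local bit for the modified EUI-64 interface ID that RFC 4291 specifies, and by recovering the IPv4 tunnel destination embedded in a 6to4 address, which is what makes the automatic tunnel of Question 3 point-to-multipoint.

```python
"""Added example (not from digitaltut.com or Cisco): IPv6 identifiers derived
from a MAC address (EUI-64) and from a border router's IPv4 address (6to4).
Sample values are the ones used in the explanations above."""
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (C601.420F.0007), colon or hyphen MAC notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_from_mac(mac: str, modified: bool = False) -> str:
    """Return the 64-bit identifier as four colon-separated hextets.

    Raw EUI-64 (the form shown in the Question 5 explanation): split the MAC
    into the 24-bit OUI and the 24-bit NIC part and insert 0xFFFE between them.
    modified=True additionally inverts the universal/local bit (0x02 of the
    first octet), which RFC 4291 requires for an IPv6 interface identifier.
    """
    b = bytearray(mac_to_bytes(mac))
    if modified:
        b[0] ^= 0x02
    eui = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ":".join(eui[i:i + 2].hex().upper() for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address a host autoconfigures from its MAC (modified EUI-64)."""
    return ipaddress.IPv6Address("fe80::" + eui64_from_mac(mac, modified=True))


def sixto4_prefix(border_router_ipv4: str) -> ipaddress.IPv6Network:
    """2002:<IPv4 in hex>::/48 that belongs to a 6to4 border router."""
    v4 = int(ipaddress.IPv4Address(border_router_ipv4))
    hi, lo = v4 >> 16, v4 & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def sixto4_tunnel_destination(ipv6_dst: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address a 6to4 border router tunnels a packet to.

    The IPv4 destination sits in bits 16..47 of the IPv6 destination, so the
    tunnel endpoint is read out of each packet rather than configured once,
    which is why an automatic 6to4 tunnel is point-to-multipoint.
    """
    addr = ipaddress.IPv6Address(ipv6_dst)
    if addr not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{ipv6_dst} is not a 6to4 address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    print(eui64_from_mac("C601.420F.0007"))                 # C601:42FF:FE0F:0007
    print(eui64_from_mac("C601.420F.0007", modified=True))  # C401:42FF:FE0F:0007
    print(link_local_from_mac("C601.420F.0007"))            # fe80::c401:42ff:fe0f:7
    print(sixto4_prefix("192.168.99.1"))                    # 2002:c0a8:6301::/48
    print(sixto4_tunnel_destination("2002:c0a8:6301::1"))   # 192.168.99.1
```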

Question 7

What other action does an IPv6 filter do when it drops a packet?

A. Generates an ICMP unreachable message
B. Generates a Router Advertisement unreachable message
C. Generates a Router Solicitation unreachable message

Answer: A

RIPng Questions
https://www.digitaltut.com/ripng-questions

Question 1

What are the default timers for RIPng?

A. Update: 30 seconds, Expire: 180 seconds, Flush: 240 seconds
B. Update: 20 seconds, Expire: 120 seconds, Flush: 160 seconds
C. Update: 10 seconds, Expire: 60 seconds, Flush: 80 seconds
D. Update: 5 seconds, Expire: 30 seconds, Flush: 40 seconds

Answer: A

Explanation

The default timers of RIP and RIPng are the same. The meanings of these timers are described below:

Update: how often the router sends updates. The default update timer is 30 seconds.
Invalid (also called Expire): how much time may pass after the last valid update before a route becomes invalid and is placed into holddown. The default invalid timer is 180 seconds.
Holddown: if RIP receives an update with a hop count (metric) higher than the hop count recorded in the routing table, RIP does not "believe in" that update. The default holddown timer is 180 seconds.
Flush: how much time may pass after the last valid update before RIP deletes that route from its routing table. The default flush timer is 240 seconds.

Question 2

What is the command to only check neighbor router using RIPng?

A. show ipv6 rip one next-hops
B. show ipv6 rip next-hops one
C. show ipv6 next-hops rip
D. show ipv6 next-hops one rip

Answer: A

Question 3

A network engineer is troubleshooting connectivity issues with a directly connected RIPng neighbor. Which command should show directly connected RIPng neighbor adjacencies only?

A. router#show ipv6 rip next-hops
B. router#show ip rip neighbors
C. router#show ipv6 routers
D. router#show ipv6 rip database

Answer: A

Question 4

Which IPv6 address type does RIPng use for next-hop addresses?

A. Global
B. Site-local
C. Any Cast
D. Link-local
E. Multicast

Answer: D

Question 5

RIPng Question. Cannot receive RIPng updates. Why?

A. Firewall Port block UDP 520
B. Firewall Port block TCP 520
C. Firewall Port block UDP 521
D. Firewall Port block TCP 521

Answer: C

Question 6

A network engineer is disabling split horizon on a point-to-multipoint interface that is running RIPng. Under which configuration mode can split horizon be disabled?

A. router(config-riping)#
B. router(config-rtr)#
C. router(config-if)#
D. router(config)#

Answer: B

Explanation

This is how to disable split horizon processing for the IPv6 RIP routing process named digitaltut:

Router(config)# ipv6 router rip digitaltut
Router(config-rtr)# no split-horizon

Note: For RIP (IPv4), we have to disable/enable split horizon in interface mode. For example:
Router(config-if)# ip split-horizon

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-s6.html

Question 7

A network engineer is modifying RIPng timer configuration. Which configuration mode should the engineer use?

A. router(config)#
B. router(config-if)#
C. router(config-router)#
D. router(config-rtr)#

Answer: D

Explanation

This is how to change the timers for RIPng:

R1(config)# ipv6 router rip digitaltut
R1(config-rtr)# timers 5 15 10 30

(5: update period; 15: route timeout period; 10: route holddown period; 30: route garbage collection period)

Note: For IPv4 RIP, we have to change the timers in "(config-router)#" mode.

Security Questions
https://www.digitaltut.com/security-questions

Question 1

Which statement is true?

A. RADIUS uses TCP, and TACACS+ uses UDP.
B. RADIUS encrypts the entire body of the packet.
C. TACACS+ encrypts only the password portion of a packet.
D. TACACS+ separates authentication and authorization.

Answer: D

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to
decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate
authentication solutions that can still use TACACS+ for authorization and accounting. For
example, with TACACS+, it is possible to use Kerberos authentication and TACACS+
authorization and accounting. After a NAS authenticates on a Kerberos server, it requests
authorization information from a TACACS+ server without having to re-authenticate. The
NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos
server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks
with a TACACS+ server to determine if the user is granted permission to use a particular
command. This provides greater control over the commands that can be executed on the
access server while decoupling from the authentication mechanism.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

Question 2

Which two statements about AAA implementation in a Cisco router are true? (Choose two)

A. RADIUS is more flexible than TACACS+ in router management.
B. RADIUS and TACACS+ allow accounting of commands.
C. RADIUS and TACACS+ encrypt the entire body of the packet.
D. RADIUS and TACACS+ are client/server AAA protocols.
E. Neither RADIUS nor TACACS+ allow for accounting of commands.

Answer: B D

Explanation

Both RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) are the main protocols used to provide Authentication, Authorization, and Accounting (AAA) services on network devices.

Both RADIUS and TACACS+ support accounting of commands. Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

For example, to send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting commands command in global configuration mode.

Note: TACACS+ was developed by Cisco from TACACS.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html

Question 3

Which of the following are characteristics of TACACS+? (Choose two)

A. Uses UDP
B. Encrypts an entire packet
C. Offers robust accounting
D. Cisco-proprietary

Answer: B D

Explanation

TACACS+ encrypts the entire body of the packet (but leaves the standard TACACS+ header in cleartext).

TACACS+ is an AAA protocol developed by Cisco.

Question 4

What are two options for authenticating a user who is attempting to access a network device?
(Choose two)

A. CHAP
B. RADIUS
C. 802.1x
D. PAP
E. TACACS+

Answer: B E

Question 5

Which two functions does a RADIUS server support? (Choose two)

A. telnet
B. authentication
C. accounting
D. authorization
E. SSH

Answer: B D

Question 6

Which two features does RADIUS combine? (Choose two)

A. telnet
B. SSH
C. Authentication
D. Authorization
E. Accounting

Answer: C D

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to
decouple authentication and authorization.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

Unicast Reverse Path Forwarding
https://www.digitaltut.com/unicast-reverse-path-forwarding

Question 1

What are the three modes of Unicast Reverse Path Forwarding?

A. strict mode, loose mode, and VRF mode
B. strict mode, loose mode, and broadcast mode
C. strict mode, broadcast mode, and VRF mode
D. broadcast mode, loose mode, and VRF mode

Answer: A

Explanation

The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against malformed or "spoofed" IP packets passing through a router. A spoofed IP address is one that is manipulated to have a forged IP source address. Unicast RPF enables the administrator to drop packets that lack a verifiable source IP address at the router.

Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks
packets that arrive inbound on the interface to see whether the source address matches the
receiving interface. Cisco Express Forwarding (CEF) is required on the router because the
Forwarding Information Base (FIB) is the mechanism checked for the interface match.

Unicast RPF works in one of three different modes:

+ Strict mode: the router performs two checks for all incoming packets on a certain interface. The first check is whether the router has a matching entry for the source in the routing table. The second check is whether the router uses the same interface to reach this source as the one on which it received the packet.
+ Loose mode: the router only checks whether it has a matching entry for the source in the routing table.
+ VRF mode: leverages either loose or strict mode in a given VRF and evaluates an incoming packet's source IP address against the VRF table configured for an eBGP neighbor.

Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition

Question 2

Which address is used by the Unicast Reverse Path Forwarding protocol to validate a packet
against the routing table?

A. source address
B. destination address
C. router interface
D. default gateway

Answer: A

Explanation

When Unicast Reverse Path Forwarding is enabled, the router checks packets that arrive
inbound on the interface to see whether the source address matches the receiving interface.

Question 3

Refer to the exhibit.


Which option represents the minimal configuration that allows inbound traffic from the
172.16.1.0/24 network to successfully enter router TUT, while also limiting spoofed
10.0.0.0/8 hosts that could enter router TUT?

A. (config)#ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx allow-default
B. (config)#ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx
C. (config)#no ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx
D. (config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via any

Answer: A

Explanation

First we need to understand the "allow-default" keyword here:

Normally, uRPF will not allow traffic that only matches the default route. The "allow-default" keyword overrides this behavior so that uRPF allows traffic that matches the default route to pass through.

In answer A, the "ip verify unicast source reachable-via rx allow-default" command under interface Fa0/0 enables uRPF strict mode on Fa0/0. Therefore traffic from the 172.16.1.0/24 network (and any other traffic) can go through this interface except the 10.0.0.0/8 network, because this network is matched on the Fa0/1 interface only. The network 10.0.0.0/8 can only enter router TUT from Fa0/1, thus "limiting spoofed 10.0.0.0/8 hosts that could enter router".

Question 4

Which option is invalid when configuring Unicast Reverse Path Forwarding?

A. allow self ping to router
B. allow default route
C. allow based on ACL match
D. source reachable via both

Answer: D

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it matches the interface used to reach this source IP, then the packets are allowed to enter (strict mode).

The syntax for configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables loose mode uRPF on the router. This mode allows the router to reach the source address via any interface.
The rx option enables strict mode uRPF on the router. This mode ensures that the router reaches the source address only via the interface on which the packet was received.
You can also use the allow-default option, so that the default route can match when checking the source address -> the answer "allow default route" is a valid option.
The allow-self-ping option allows the router to ping itself -> the answer "allow self ping to router" is a valid option.

Reference: http://www.cisco.com/c/en/us/td/docs/routers/10000/10008/configuration/guides/broadband/bba/urpf.pdf

Another feature of uRPF is that we can use an access-list to specify the traffic we want or don't want to check -> the answer "allow based on ACL match" is a valid option. An example is shown below:

Router(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)# interface fa0/1
Router(config-if)# ip verify unicast source reachable-via any 110

Note: Access-list "permit" statements allow traffic to be forwarded even if it fails the Unicast RPF check; access-list "deny" statements drop matched traffic that fails the Unicast RPF check. In the above example, the 192.168.1.0/24 network is allowed even if it fails the uRPF check.

The last option, "source reachable via both", does not match any keyword in the syntax above, so it is the best answer in this case, although it may be referring to uRPF loose mode.
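The uRPF decision described in Questions 3 to 5, modelled for one incoming packet as an added example (not from the page or from Cisco). The FIB is an assumption that matches the Question 3 explanation: 172.16.1.0/24 reachable via Fa0/0, 10.0.0.0/8 via Fa0/1, and a default route out Fa0/0; the `acl` parameter stands in for the trailing access-list number.

```python
"""Added example (not from digitaltut.com or Cisco): a model of the check
behind 'ip verify unicast source reachable-via {rx | any} [allow-default]
[access-list-number]'. The FIB below is constructed to match the Question 3
scenario; a longest-prefix match stands in for the CEF lookup."""
import ipaddress
from typing import Callable, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed FIB: (prefix, outgoing interface).
FIB = [
    (Net("172.16.1.0/24"), "Fa0/0"),
    (Net("10.0.0.0/8"), "Fa0/1"),
    (Net("0.0.0.0/0"), "Fa0/0"),      # default route
]
DEFAULT = Net("0.0.0.0/0")


def fib_lookup(src: IPv4, fib=FIB):
    """Longest-prefix match; returns (prefix, interface) or None."""
    best = None
    for prefix, ifname in fib:
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best


def urpf_check(src: str, ingress: str, mode: str = "rx",
               allow_default: bool = False,
               acl: Optional[Callable[[IPv4], bool]] = None,
               fib=FIB) -> bool:
    """True if the packet passes the uRPF check on the ingress interface.

    mode: "rx"  = strict, the source must be reachable via the ingress
                  interface (fails for asymmetric routing, Question 10);
          "any" = loose, the source only needs some FIB entry.
    allow_default: let a match on the default route count as reachable.
    acl: hypothetical stand-in for the access-list number; a packet that
         FAILS uRPF is still forwarded when the ACL permits it.
    """
    if mode not in ("rx", "any"):
        raise ValueError("reachable-via accepts only rx or any")
    source = IPv4(src)
    entry = fib_lookup(source, fib)
    passed = False
    if entry is not None and (entry[0] != DEFAULT or allow_default):
        passed = mode == "any" or entry[1] == ingress
    if not passed and acl is not None and acl(source):
        return True   # ACL permit overrides a failed reverse-path check
    return passed


if __name__ == "__main__":
    # Strict mode with allow-default on Fa0/0 (answer A of Question 3):
    print(urpf_check("172.16.1.5", "Fa0/0", "rx", allow_default=True))  # True
    print(urpf_check("8.8.8.8", "Fa0/0", "rx", allow_default=True))     # True
    print(urpf_check("10.1.2.3", "Fa0/0", "rx", allow_default=True))    # False
    # The same 10/8 source passes loose mode, which only needs a FIB entry:
    print(urpf_check("10.1.2.3", "Fa0/0", "any"))                       # True
```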

Question 5

Which mode of uRPF causes a router interface to accept a packet, if the network to which the packet's source IP address belongs is found in the router's FIB?

A. Strict mode
B. Loose mode
C. Auto mode
D. Desirable mode

Answer: B

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming
packets. If it matches with the interface used to reach this source IP then the packets are
allowed to enter (strict mode).

Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks
packets that arrive inbound on the interface to see whether the source address matches the
receiving interface. Cisco Express Forwarding (CEF) is required on the router because the
Forwarding Information Base (FIB) is the mechanism checked for the interface match.

Unicast RPF works in one of three different modes:

+ Strict mode: the router performs two checks for all incoming packets on a certain interface. The first check is whether the router has a matching entry for the source in the routing table. The second check is whether the router uses the same interface to reach this source as the one on which it received the packet.
+ Loose mode: the router only checks whether it has a matching entry for the source in the routing table.
+ VRF mode: leverages either loose or strict mode in a given VRF and evaluates an incoming packet's source IP address against the VRF table configured for an eBGP neighbor.

Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition

This question only mentions that "the network to which the packet's source IP address belongs is found in the router's FIB", so surely loose mode will accept this packet.

Question 6

When Unicast Reverse Path Forwarding is configured on an interface, which action does the
interface take first when it receives a packet?

A. It checks the ingress access list
B. It checks the egress access list
C. It verifies a reverse path via the FIB to the source
D. It verifies that the source has a valid CEF adjacency

Answer: A

Explanation

When a packet is received at the interface where Unicast RPF and ACLs have been
configured, the following actions occur:
Step 1: Input ACLs configured on the inbound interface are checked.
Step 2: Unicast RPF checks to see if the packet has arrived on the best return path to the
source, which it does by doing a reverse lookup in the FIB table.
Step 3: CEF table (FIB) lookup is carried out for packet forwarding.
Step 4: Output ACLs are checked on the outbound interface.
Step 5: The packet is forwarded.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf.html

Question 7

Which command sequence can you enter on a router to configure Unicast Reverse Path
Forwarding in loose mode?

A. interface GigabitEthernet0/0
ip verify unicast source reachable-via all

B. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose

C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any

D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx

Answer: C

Question 8

What option can be used for uRPF in loose mode on the command "ip verify unicast source reachable-via"?

A. rx
B. any
C. allow-default

Answer: B

Explanation

The command "ip verify unicast source reachable-via any" enables uRPF in loose mode, which only checks whether the router has a matching entry for the source in the routing table.

Question 9

Which command sequence can you enter on a router to configure Unicast Reverse Path Forwarding in loose mode?

A. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose

B. interface GigabitEthernet0/0
ip verify unicast source reachable-via all

C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any

D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx

Answer: C

Question 10

Which of the following can cause an issue for uRPF?

A. Asymmetric routing
B. CEF not enabled
C. uRPF not applied to the traffic source
D. If it is used as ingress filtering

Answer: A

IP Services Questions
https://www.digitaltut.com/ip-services-questions

Question 1

Which type of traffic does DHCP snooping drop?

A. discover messages
B. DHCP messages where the source MAC and client MAC do not match
C. traffic from a trusted DHCP server to client
D. DHCP messages where the destination MAC and client MAC do not match

Answer: B

Explanation

The switch validates DHCP packets received on the untrusted interfaces of VLANs with
DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following
conditions occur (in which case the packet is dropped):
+ The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
+ The switch receives a packet on an untrusted interface, and the source MAC address and
the DHCP client hardware address do not match. This check is performed only if the DHCP
snooping MAC address verification option is turned on.
+ The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted
host with an entry in the DHCP snooping binding table, and the interface information in the
binding table does not match the interface on which the message was received.
+ The switch receives a DHCP packet that includes a relay agent IP address that is not
0.0.0.0.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1101946
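The four drop conditions listed above, applied to constructed DHCP messages the way a switch evaluates them on an untrusted port, as an added example that is not part of the original page or of any Cisco code. Port names, MAC addresses and the binding-table entry are constructed sample values.

```python
"""Added example (not from digitaltut.com or Cisco): DHCP snooping's drop
decisions on an untrusted port, following the four conditions in the
explanation above. All packets, ports and bindings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Messages only a DHCP server sends; on an untrusted port they mean a rogue server.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpPacket:
    msg_type: str             # DHCPDISCOVER, DHCPOFFER, DHCPRELEASE, ...
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address field inside DHCP
    giaddr: str = "0.0.0.0"   # relay agent IP address
    client_ip: str = ""       # ciaddr, used for RELEASE/DECLINE lookups


@dataclass
class SnoopingConfig:
    trusted_ports: set = field(default_factory=set)
    mac_verify: bool = True   # 'ip dhcp snooping verify mac-address'
    # binding table: client IP -> (mac, port) learned from earlier DHCPACKs
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def snooping_verdict(pkt: DhcpPacket, port: str, cfg: SnoopingConfig) -> Optional[str]:
    """Return None to forward the packet, or the reason it is dropped."""
    if port in cfg.trusted_ports:
        return None                       # trusted ports are not validated
    if pkt.msg_type in SERVER_MESSAGES:   # condition 1: server outside the trust boundary
        return "server message on untrusted port"
    if cfg.mac_verify and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "source MAC does not match client hardware address"   # condition 2
    if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):               # condition 3
        bound = cfg.bindings.get(pkt.client_ip)
        if bound is not None and bound[1] != port:
            return "release/decline from a port other than the bound one"
    if pkt.giaddr != "0.0.0.0":                                      # condition 4
        return "relay agent address set by an untrusted host"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Evaluate constructed packets; returns {label: verdict}."""
    cfg = SnoopingConfig(trusted_ports={"Gi1/0/24"},
                         bindings={"192.0.2.10": ("aa:bb:cc:00:00:01", "Gi1/0/1")})
    good = DhcpPacket("DHCPDISCOVER", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01")
    spoof = DhcpPacket("DHCPDISCOVER", "aa:bb:cc:00:00:99", "aa:bb:cc:00:00:01")
    offer = DhcpPacket("DHCPOFFER", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:01")
    relayed = DhcpPacket("DHCPDISCOVER", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:02",
                         giaddr="198.51.100.1")
    release = DhcpPacket("DHCPRELEASE", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01",
                         client_ip="192.0.2.10")
    return {
        "discover": snooping_verdict(good, "Gi1/0/1", cfg),
        "mac mismatch": snooping_verdict(spoof, "Gi1/0/1", cfg),
        "rogue offer": snooping_verdict(offer, "Gi1/0/5", cfg),
        "trusted offer": snooping_verdict(offer, "Gi1/0/24", cfg),
        "relay from host": snooping_verdict(relayed, "Gi1/0/3", cfg),
        "release wrong port": snooping_verdict(release, "Gi1/0/7", cfg),
        "release right port": snooping_verdict(release, "Gi1/0/1", cfg),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} -> {'forward' if verdict is None else 'drop: ' + verdict}")
```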

Question 2

A network engineer is configuring a solution to allow failover of HSRP nodes during
maintenance windows, as an alternative to powering down the active router and letting the
network respond accordingly. Which action will allow for manual switching of HSRP nodes?

A. Track the up/down state of a loopback interface and shut down this interface during
maintenance.
B. Adjust the HSRP priority without the use of preemption.
C. Disable and enable all active interfaces on the active HSRP node.
D. Enable HSRPv2 under global configuration, which allows for maintenance mode.

Answer: A

Explanation

We can trigger an HSRP failover by tracking the loopback interface: shutting the interface down decreases the HSRP priority so that the standby router can take the active role.

Question 3

Refer to the following command:

router(config)# ip http secure-port 4433

Which statement is true?

A. The router will listen on port 4433 for HTTPS traffic.
B. The router will listen on port 4433 for HTTP traffic.
C. The router will never accept any HTTP and HTTPS traffic.
D. The router will listen to HTTP and HTTPS traffic on port 4433.

Answer: A

Explanation

The "ip http secure-port" command is used to set the port number on which the secure HTTP (HTTPS) server listens.

Question 4

A network engineer executes the show crypto ipsec sa command. Which three pieces of
information are displayed in the output? (Choose three)

A. inbound crypto map
B. remaining key lifetime
C. path MTU
D. tagged packets
E. untagged packets
F. invalid identity packets

Answer: A B C

Explanation

This command shows the IPsec Security Associations (SAs) built between peers. An example of the output of the above command is shown below:

Router#show crypto ipsec sa
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

The first part shows the interface and the crypto map name that is associated with the interface. Then the inbound and outbound SAs are shown. These are either AH or ESP SAs. In this case, because only ESP is used, there are no AH inbound or outbound SAs.

Note: "inbound crypto map" here probably refers to the crypto map name.

Question 5

Which two protocols can be affected by MPP? (Choose two)

A. POP
B. SMTP
C. HTTP
D. SFTP
E. SSH

Answer: C E

Explanation

The Management Plane Protection (MPP) feature in Cisco IOS software provides the
capability to restrict the interfaces on which network management packets are allowed to
enter a device. The MPP feature allows a network operator to designate one or more router
interfaces as management interfaces. Device management traffic is permitted to enter a
device only through these management interfaces. After MPP is enabled, no interfaces except
designated management interfaces will accept network management traffic destined to the
device.

In the command "management-interface interface allow protocols" we can configure these protocols (to allow on the designated management interface):

+ BEEP
+ FTP
+ HTTP
+ HTTPS
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP

Therefore these are also the protocols that can be affected by MPP.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html

SNMP Questions
https://www.digitaltut.com/snmp-questions

Question 1

A network engineer is configuring SNMP on network devices to utilize one-way SNMP notifications. However, the engineer is not concerned with authentication or encryption. Which command satisfies the requirements of this scenario?

A. router(config)#snmp-server host 172.16.201.28 traps version 2c CISCORO
B. router(config)#snmp-server host 172.16.201.28 informs version 2c CISCORO
C. router(config)#snmp-server host 172.16.201.28 traps version 3 auth CISCORO
D. router(config)#snmp-server host 172.16.201.28 informs version 3 auth CISCORO

Answer: A

Explanation

"The engineer is not concerned with authentication or encryption", so we don't need to use SNMP version 3. And we only use "one-way SNMP notifications", so the SNMP messages should be sent as traps (the SNMP server does not need to acknowledge them) -> A is correct.

Question 2

When using SNMPv3 with NoAuthNoPriv, which string is matched for authentication?

A. username
B. password
C. community-string
D. encryption-key

Answer: A

Explanation

There are three SNMP security levels (for SNMPv1, SNMPv2c, and SNMPv3):

+ noAuthNoPriv: Security level that does not provide authentication or encryption.
+ authNoPriv: Security level that provides authentication but does not provide encryption.
+ authPriv: Security level that provides both authentication and encryption.

For SNMPv3, the "noAuthNoPriv" level uses a username match for authentication.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html

Question 3

To configure an SNMPv3 implementation, a network engineer is using the AuthNoPriv security level. What effect does this action have on the SNMP messages?

A. They become unauthenticated and unencrypted.
B. They become authenticated and unencrypted.
C. They become authenticated and encrypted.
D. They become unauthenticated and encrypted.

Answer: B

Explanation

The SNMPv3 Agent supports the following set of security levels:

+ NoAuthNoPriv: Communication without authentication and privacy.
+ AuthNoPriv: Communication with authentication and without privacy. The protocols used for Authentication are MD5 and SHA (Secure Hash Algorithm).
+ AuthPriv: Communication with authentication and privacy. The protocols used for Authentication are MD5 and SHA; and for Privacy, the DES (Data Encryption Standard) and AES (Advanced Encryption Standard) protocols can be used. For Privacy Support, you have to install some third-party privacy packages.

Question 4

Which parameter in an SNMPv3 configuration offers authentication and encryption?

A. auth
B. noauth
C. priv
D. secret

Answer: C

Explanation

The SNMPv3 Agent supports the following set of security levels:

+ NoAuthNoPriv: Communication without authentication and privacy.
+ AuthNoPriv: Communication with authentication and without privacy. The protocols used for Authentication are MD5 and SHA (Secure Hash Algorithm).
+ AuthPriv: Communication with authentication and privacy. The protocols used for Authentication are MD5 and SHA; and for Privacy, the DES (Data Encryption Standard) and AES (Advanced Encryption Standard) protocols can be used. For Privacy Support, you have to install some third-party privacy packages.

In the CLI, we use the "priv" keyword for "AuthPriv" (the "noauth" keyword for "NoAuthNoPriv"; the "auth" keyword for "AuthNoPriv"). The following example shows how to configure a remote user to receive traps at the "priv" security level when the SNMPv3 security model is enabled:

Router(config)# snmp-server group group1 v3 priv
Router(config)# snmp-server user PrivateUser group1 remote 1.2.3.4 v3 auth md5 password1 priv access des56

Question 5

What is the function of the snmp-server manager command?

A. To enable the device to send and receive SNMP requests and responses
B. To enable the device to send SNMP traps to the SNMP server
C. To disable SNMP messages from getting to the SNMP engine
D. To configure the SNMP server to store log data

Answer: A

Explanation

The "snmp-server manager" command is used to start the SNMP manager process. In other words, it allows the SNMP manager to begin sending SNMP requests to, and receiving SNMP responses from, the SNMP agents.

Note: The SNMP Manager (sometimes called a Network Management System, NMS) is software that runs on the network administrator's device (in most cases, a computer) to monitor the network.

Question 6

Which SNMP version is the most secure?

A. v2c auth
B. v2c
C. v3
D. v1

Answer: C

Explanation

SNMPv1 and SNMPv2 did not focus much on security; they provide security based on the community string only. A community string is really just a clear-text password (without encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and interception.

SNMPv3 provides significant enhancements to address the security weaknesses of the earlier versions. The concept of a community string does not exist in this version. SNMPv3 provides far more secure communication using entities, users and groups. This is achieved by implementing three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: using password hashing (based on the HMAC-MD5 or HMAC-SHA algorithms) to ensure the message is from a valid source on the network.
+ Privacy (Encryption): using encryption (56-bit DES encryption, for example) to encrypt the contents of a packet.

Note: Although SNMPv3 offers better security, SNMPv2c is still more common.

Question 7

A network engineer is asked to create an SNMP-enabled proactive monitoring solution to ensure that jitter levels remain between particular boundaries. Which IP SLA option should the engineer use?

A. threshold
B. frequency
C. verify-data
D. timeout

Answer: A

Question 8

Which SNMP verification command shows the encryption and authentication protocols that
are used in SNMPv3?

A. show snmp group
B. show snmp user
C. show snmp
D. show snmp view

Answer: B

Explanation

The command "show snmp user" displays information about the configured characteristics of SNMP users. The following example specifies the username as abcd with an authentication method of MD5 and an encryption method of 3DES.

Router#show snmp user abcd
User name: abcd
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: 10
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: 3DES
Group name: VacmGroupName
Group name: VacmGroupName

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t2/snmpv3ae.html

Question 9

What SNMP version provides both encryption and authentication?

A. SNMPv1
B. SNMPv4
C. SNMPv3
D. SNMPv2c

Answer: C

Question 10

What is the purpose of the following command?

Router(config)#snmp-server host 192.168.1.3 traps version 2c CISCORO

A. For network system to management server
B. allow 192.168.1.3 only

Answer: A

Explanation

The snmp-server host global configuration command is used to specify the recipient of an
SNMP notification operation, in this case 192.168.1.3. In other words, traps of the local
router will be sent to 192.168.1.3. Therefore this command is often used to manage the
device.

Question 11

Which three statements about SNMP are true? (Choose three)

A. The manager configures and sends traps to the agent.
B. The manager sends GET and SET messages.
C. SNMPv3 supports authentication and encryption.
D. The manager polls the agent using UDP port 161
E. The MIB database can be altered only by the SNMP agent.
F. The agent is the monitoring device.

Answer: B C D

Explanation

The SNMP Manager can send GET, GET-NEXT and SET messages to SNMP Agents. The
Agents are the monitored devices while the Manager is the monitoring device. In the picture
below, the Router, Server and Multilayer Switch are monitored devices.

Syslog Questions
https://www.digitaltut.com/syslog-questions

Question 1

Which alerts will be seen on the console when running the command: logging console
warnings?

A. warnings only
B. warnings, notifications, error, debugging, informational
C. warnings, errors, critical, alerts, emergencies
D. notifications, warnings, errors
E. warnings, errors, critical, alerts
Answer: C

Explanation

The Message Logging is divided into 8 levels as listed below:

Level Keyword Description
0 emergencies System is unusable
1 alerts Immediate action is needed
2 critical Critical conditions exist
3 errors Error conditions exist
4 warnings Warning conditions exist
5 notification Normal, but significant, conditions exist
6 informational Informational messages
7 debugging Debugging messages

The highest level is level 0 (emergencies). The lowest level is level 7. If you specify a level
with the "logging console level" command, that level and all the higher (more severe,
numerically lower) levels will be displayed. For example, by using the "logging console
warnings" command, all the logging of emergencies, alerts, critical, errors and warnings will
be displayed.

Question 2

Network engineer wants to configure logging to compile and send information to an external
server. Which type of logging must be configured?

A. Terminal
B. Syslog
C. Buffer
D. Console

Answer: B

Explanation

Syslog can be configured to send messages to an external server for storage. The storage size
does not depend on the router's resources and is limited only by the available disk space on
the external Syslog server. For example, to instruct our router to send Syslog messages to
192.168.1.2 we can use just this command (all parameters at their default values):

R1(config)#logging 192.168.1.2

The other options (terminal, buffer, console) cannot send messages to an external server.

Question 3

Which command do you enter to display log messages with a timestamp that includes the
length of time since the device was last rebooted?

A. service timestamps log uptime
B. logging facility 20
C. service timestamps debugging localtime msec
D. logging console errors
E. logging monitor 7
F. service timestamps log datetime msec

Answer: A

Explanation

The "service timestamps log uptime" command enables timestamps on log messages, showing
the time since the system was rebooted. For example:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Question 4

A network engineer enables a trunk port and encounters the following message:
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to
up.

What is the severity level of this message?

A. alert
B. critical
C. notification
D. informational

Answer: C

Explanation

Syslog levels are listed below:

Level Keyword Description
0 emergencies System is unusable
1 alerts Immediate action is needed
2 critical Critical conditions exist
3 errors Error conditions exist
4 warnings Warning conditions exist
5 notification Normal, but significant, conditions exist
6 informational Informational messages
7 debugging Debugging messages

Number "5" in "%LINEPROTO-5-UPDOWN" is the severity level of this message, so in this
case it is "notification".

Question 5

Up/down interface: what is the log severity level?

A. level 3
B. level 4
C. level 5
D. level 0

Answer: A

Explanation

This question probably refers to the following Syslog message:

00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

-> The log severity level of this message is 3 – errors

Question 6

The network engineer types the following commands in a router:

logging host 172.16.10.12
logging trap 5

What do these commands do?

A. Export messages of notifications for an external server
B. Show notifications in CLI
C. Sends info to host 172.16.10.12 with notifications less than or equal to 5
D. Sends info to host 172.16.10.12 with notifications greater than or equal to 5

Answer: C

Question 7

A network engineer executes the commands "logging host 172.16.200.225" and "logging trap
5". Which action results when these two commands are executed together?

A. Logging messages that have a debugging severity level are sent to the remote server
172.16.200.225.
B. Logged information is stored locally, showing the sources as 172.16.200.225
C. Logging messages that have any severity level are sent to the remote server
172.16.200.225
D. Logging messages that have a severity level of "notifications" and above (numerically
lower) are sent to the remote server 172.16.200.225

Answer: D
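As an added example (not from the original page or from Cisco), the following Python models how IOS applies a severity threshold such as "logging console warnings" (Question 1) or "logging trap 5" (Questions 6 and 7) to messages whose header carries the level, like the %LINEPROTO-5-UPDOWN line in Question 4; the sample messages are constructed for the example.

```python
import re
from typing import Optional

# IOS severity levels; numerically lower is more severe (level 0 is the highest).
# IOS spells level 5 "notifications" even though the table above abbreviates it.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# The %FACILITY-SEVERITY-MNEMONIC header that every IOS syslog message carries,
# e.g. "%LINEPROTO-5-UPDOWN: Line protocol on Interface ...".
_HEADER_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
)


def parse_severity(line: str) -> Optional[int]:
    """Return the numeric severity embedded in an IOS syslog line, or None if no header."""
    match = _HEADER_RE.search(line)
    return int(match.group("severity")) if match else None


def level_to_int(level) -> int:
    """Accept a keyword ('warnings') or a number (5), as the logging commands do."""
    return level if isinstance(level, int) else SEVERITY[level]


def passes(line: str, configured_level) -> bool:
    """True if a destination set to `configured_level` (logging console / trap / buffered)
    would receive `line`: IOS delivers that level and everything more severe, i.e. every
    message whose numeric severity is <= the configured level."""
    severity = parse_severity(line)
    return severity is not None and severity <= level_to_int(configured_level)


def filter_log(lines, configured_level):
    """Messages from `lines` that a destination at `configured_level` would see."""
    return [line for line in lines if passes(line, configured_level)]


def delivered_levels(configured_level):
    """Keywords of every level delivered at `configured_level`, most severe first."""
    limit = level_to_int(configured_level)
    ordered = sorted(SEVERITY.items(), key=lambda kv: kv[1])
    return [keyword for keyword, number in ordered if number <= limit]


# Constructed sample messages in IOS format (not captured from a real device).
SAMPLE = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "00:00:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up",
    "00:01:02: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.10.12 started",
    "00:01:10: %SYS-7-USERLOG_DEBUG: Message from tty0(user): test",
    "00:02:00: %SYS-2-MALLOCFAIL: Memory allocation failed",
]

if __name__ == "__main__":
    # "logging console warnings" (Question 1): levels 0-4 reach the console.
    print("console warnings ->", delivered_levels("warnings"))
    for line in filter_log(SAMPLE, "warnings"):
        print("  ", line)
    # "logging trap 5" (Questions 6 and 7): levels 0-5 go to the syslog host.
    print("trap 5 ->", [parse_severity(l) for l in filter_log(SAMPLE, 5)])
```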

Question 8

After a recent DoS attack on a network, senior management asks you to implement better
logging functionality on all IOS-based devices. Which two actions can you take to provide
enhanced logging results? (Choose two)

A. Use the msec option to enable service time stamps.
B. Increase the logging history
C. Set the logging severity level to 1.
D. Specify a logging rate limit.
E. Disable event logging on all noncritical items.

Answer: A B

Explanation

"Increase the logging history" here means the same as "increase the logging buffer". The
default buffer size is 4096 bytes. By increasing the logging buffer size we can see more
history logging messages. But do not make the buffer size too large because the device could
run out of memory for other tasks. We can write the logging messages to an outside logging
server instead.

NTP Questions
https://www.digitaltut.com/ntp-questions

Question 1

Refer to the following configuration command.

router (config-line)# ntp master 10

Which statement about this command is true?

A. The router acts as an authoritative NTP clock and allows only 10 NTP client connections.
B. The router acts as an authoritative NTP clock at stratum 10.
C. The router acts as an authoritative NTP clock with a priority number of 10.
D. The router acts as an authoritative NTP clock for 10 minutes only.

Answer: B

Explanation

The command "ntp master [stratum]" is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).

Question 2

A network engineer is trying to implement broadcast-based NTP in a network and executes
the ntp broadcast client command. Assuming that an NTP server is already set up, what is
the result of the command?

A. It enables receiving NTP broadcasts on the interface where the command was executed.
B. It enables receiving NTP broadcasts on all interfaces globally.
C. It enables a device to be an NTP peer to another device.
D. It enables a device to receive NTP broadcast and unicast packets.

Answer: A

Explanation

The "ntp broadcast client" command is used under interface mode to allow the device to
receive Network Time Protocol (NTP) broadcast packets on that interface.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1123148

Question 3

Which two statements indicate a valid association mode for NTP synchronization? (Choose
two)

A. The client polls NTP servers for time
B. The client broadcasts NTP requests
C. The client listens to NTP broadcasts
D. The client creates a VPN tunnel to an NTP server
E. The client multicasts NTP requests

Answer: A C

Question 4

Which two statements about NTP operation are true? (Choose two)

A. If multiple NTP servers are configured, the one with the lowest stratum is preferred
B. By default, NTP communications use UDP port 123.
C. If multiple NTP servers are configured, the one with the highest stratum is preferred.
D. Locally configured time overrides time received from an NTP server.
E. "Stratum" refers to the number of hops between the NTP client and the NTP server.

Answer: A B

Explanation
The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server
is. When multiple NTP servers are configured, the client will prefer the NTP server with the
lowest stratum level.

NTP uses User Datagram Protocol (UDP) port 123.

Question 5

Refer to Exhibit:
access-list 1 permit 192.168.1.1
access-list 1 deny any
access-list 2 permit 192.168.1.4
access-list 2 deny any
!
ntp access-group peer 2
ntp access-group serve 1
ntp master 4
!

Which three NTP features can be deduced on the router? (Choose three)

A. Only accepts time requests from 192.168.1.1
B. Only handle four requests at a time
C. Only is in stratum 4
D. Only updates its time from 192.168.1.1
E. Only accepts time requests from 192.168.1.4
F. Only updates its time from 192.168.1.4

Answer: A C F

Explanation

First we need to understand some basic knowledge about NTP. There are two types of NTP
messages:
+ Control messages: for reading and writing internal NTP variables and obtaining NTP status
information. They are not used for time synchronization, so we do not care about them in this
question.
+ Request/Update messages: for time synchronization. Request messages ask for
synchronization information while Update messages contain synchronization information
and may change the local clock.

Four types of NTP access-group exist to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize with. In other words,
it permits the local router to respond to NTP requests and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to reply to NTP requests, but drops NTP updates. This
access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other
words, it permits the local router to respond to NTP requests only. This access-group denies
control messages.
+ Query-only: only accepts control messages. No response to NTP requests is sent, and no
local system time synchronization with a remote system is permitted.

From my experience, you just need to remember:

+ Peer: serve and to be served
+ Serve: serve but not to be served

Therefore in this question:

+ The "ntp access-group peer 2" command says "I can only accept NTP updates and
respond to NTP (time) requests from 192.168.1.4". -> Answer F is correct while answer D is
not correct.
+ The "ntp access-group serve 1" command says "I can only reply to time requests (but
cannot accept time updates) from 192.168.1.1" -> Answer A is correct*

The ―ntp master 4‖ indicates it is running as a time source with stratum level of 4 -> Answer
B is not correct while answer C is correct.

Answer E is not correct because it can accept time requests from both 192.168.1.1 and
192.168.1.4.

*Note: In fact answer A is incorrect too because the local router can accept time requests
from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is a mistake
in this question.

Question 6

A network engineer wants an NTP client to be able to update the local system without
updating or synchronizing with the remote system. Which option for the ntp access-group
command is needed to accomplish this?

A. Serve
B. Serve-only
C. peer
D. Query-only

Answer: A

Explanation

To control access to Network Time Protocol (NTP) services on the system, use the ntp
access-group command in global configuration mode.

NTP supports "Control messages" and "Request/Update messages".

+ Control messages are for reading and writing internal NTP variables and obtaining NTP
status information. They do not deal with time synchronization itself.
+ NTP Request/Update messages are used for actual time synchronization. A request packet
asks for synchronization information, and an update packet contains synchronization
information and may change the local clock.

When synchronizing system clocks on Cisco IOS devices only Request/Update messages are
used. Therefore in this question we only care about "NTP Update messages".

Syntax:

ntp access-group [ipv4 | ipv6] {peer | query-only | serve | serve-only} {access-list-number |
access-list-number-expanded | access-list-name} [kod]

+ Peer: permits router to respond to NTP requests and accept NTP updates. NTP control
queries are also accepted. This is the only class which allows a router to be synchronized by
other devices -> not correct. In other words, the peer keyword enables the device to receive
time requests and NTP control queries and to synchronize itself to the servers specified in the
access list.
+ Serve-only: Permits the router to respond to NTP requests only. Rejects attempts to
synchronize local system time, and does not accept control queries. In other words, the serve-
only keyword enables the device to receive only time requests from servers specified in the
access list.
+ Serve: permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a
server or update packets from a peer). Control queries are also permitted. In other words, the
serve keyword enables the device to receive time requests and NTP control queries from the
servers specified in the access list but not to synchronize itself to the specified servers -> this
option is surely correct.

In summary, the answer "serve" is surely correct but the answer "serve-only" seems to be
correct too (although the definition is not clear).

An example of using the "ntp access-group" command is shown below:

R1(config)#ntp server 178.240.12.1
R1(config)#access-list 2 permit 165.16.4.1 0.0.0.0
R1(config)#access-list 2 deny any
R1(config)#ntp access-group peer 2 // peer only to 165.16.4.1
R1(config)#access-list 3 permit 160.1.0.0 0.0.255.255
R1(config)#access-list 3 deny any
R1(config)#ntp access-group serve-only 3 // provide time services only to internal network 160.1.0.0/16

Reference:

+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html
+ http://blog.ine.com/2008/07/28/ntp-access-control/
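The access-group rules used in Questions 5 and 6 are easier to check mechanically. As an added example (not from Cisco or this page), the Python below models the rights each ntp access-group class grants, evaluates standard ACLs with wildcard masks, and runs the Question 5 exhibit through the model; the scan order peer, serve, serve-only, query-only and the "first permitting class wins" rule are this model's assumptions.

```python
import ipaddress

# What each ntp access-group class lets the router do for a matching source, as described
# above: answer time requests, accept updates (synchronize to the source), accept control
# queries.
CLASS_RIGHTS = {
    "peer":       {"serve_time": True,  "accept_updates": True,  "control_queries": True},
    "serve":      {"serve_time": True,  "accept_updates": False, "control_queries": True},
    "serve-only": {"serve_time": True,  "accept_updates": False, "control_queries": False},
    "query-only": {"serve_time": False, "accept_updates": False, "control_queries": True},
}
# Assumed scan order, least to most restrictive; the first class whose ACL permits the
# source decides. A source matched by no class gets nothing.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")
NO_RIGHTS = {"serve_time": False, "accept_updates": False, "control_queries": False}


def wildcard_match(addr: str, entry_addr: str, wildcard: str) -> bool:
    """Standard ACL matching: a 1 bit in the wildcard mask means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(entry_addr)) & care
    )


def acl_permits(acl, addr: str) -> bool:
    """Evaluate a standard ACL given as [(action, address, wildcard), ...]; implicit deny."""
    for action, entry_addr, wildcard in acl:
        if wildcard_match(addr, entry_addr, wildcard):
            return action == "permit"
    return False


def ntp_rights(access_groups, acls, source: str):
    """access_groups: {class: acl_number}; acls: {acl_number: [entries]}.
    Returns the rights the router grants to NTP packets from `source`."""
    if not access_groups:            # no ntp access-group configured: everything allowed
        return dict(CLASS_RIGHTS["peer"])
    for cls in SCAN_ORDER:
        if cls in access_groups and acl_permits(acls.get(access_groups[cls], []), source):
            return dict(CLASS_RIGHTS[cls])
    return dict(NO_RIGHTS)


def parse_config(text: str):
    """Parse 'access-list N permit|deny A.B.C.D [wildcard]|any' and
    'ntp access-group CLASS N' lines (the ipv4/ipv6 and kod keywords are not handled)."""
    acls, groups = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["access-list"] and len(parts) >= 4:
            num, action, target = parts[1], parts[2], parts[3]
            if target == "any":
                entry = (action, "0.0.0.0", "255.255.255.255")
            else:
                entry = (action, target, parts[4] if len(parts) > 4 else "0.0.0.0")
            acls.setdefault(num, []).append(entry)
        elif parts[:2] == ["ntp", "access-group"] and len(parts) >= 4:
            groups[parts[2]] = parts[3]
    return groups, acls


# Constructed input: the exhibit from Question 5 above.
EXHIBIT = """\
access-list 1 permit 192.168.1.1
access-list 1 deny any
access-list 2 permit 192.168.1.4
access-list 2 deny any
ntp access-group peer 2
ntp access-group serve 1
ntp master 4
"""

if __name__ == "__main__":
    groups, acls = parse_config(EXHIBIT)
    for host in ("192.168.1.4", "192.168.1.1", "192.168.1.9"):
        print(host, ntp_rights(groups, acls, host))
```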

Question 7

Question about NTP Stratum:

A. stratum 0
B. stratum 1
C. stratum 2
D. stratum 15
E. stratum 16

Answer: depends on the question:

Stratum 0 – highest, GPS clock
Stratum 1 – primary time servers, connected to stratum 0
The upper limit for stratum is 15.
Stratum 16 is used to indicate that a device is unsynchronized.

Question 8

Refer to the exhibit. A network engineer receives a command output from a customer that
indicates an issue with NTP. What are two reasons for the output? (Choose two)

Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

A. NTP traffic is blocked.
B. NTP is not configured.
C. The router is the NTP master.
D. ntp update-calendar is missing.
E. There is an NTP authentication failure.

Answer: A E

Explanation
The output indicates that the local device did not receive the NTP update successfully so
something went wrong during the transmission.

Question 9

Which three NTP operating modes must the trusted-key command be configured on for
authentication to operate properly? (Choose three)

A. interface
B. client
C. peer
D. server
E. broadcast

Answer: B D E (?)

Question 10

A network engineer wants to verify the status of a recently configured NTP setup on one of
the routers. The engineer executes the "show ntp associations" command. What does the
output indicate?

A. the synchronized NTP servers that are configured on the device.
B. the authentication mode that is used with the NTP server.
C. the security key value for the configured NTP server.
D. the facility that is configured for the NTP server.

Answer: A

Explanation

An example of the output of this command is shown below:

Router#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.2.65       10.1.2.33       11    36    64   377    27.9   25.17    30.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

If there's an asterisk (*) next to a configured peer, then you are synced to this peer and using
it as the master clock. As long as one peer is the master then everything is fine. However,
the key to knowing that NTP is working properly is looking at the value in the reach field.

The reach field is a circular bit buffer. It gives you the status of the last eight NTP messages
(eight set bits written in octal is 377, so you want to see a reach field value of 377). If an NTP
response packet is lost, the missing packet is tracked over the next eight NTP update intervals
in the reach field. For more information about this field please read
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc.html
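As an added example (not from Cisco or this page), the Python below decodes the octal reach register described above into the last eight poll results, simulates how the register shifts as polls succeed or fail, and picks the synced peer and any peers with lost replies out of "show ntp associations" output; the three-peer output it parses is constructed for the example.

```python
import re

# Meaning of the flag characters that precede an address in 'show ntp associations'.
FLAGS = {"*": "master (synced)", "#": "master (unsynced)", "+": "selected",
         "-": "candidate", "~": "configured"}

# One association row: optional flags, then address, ref clock, st, when, poll, reach,
# delay, offset, disp. Header and legend lines do not match this pattern.
_ROW_RE = re.compile(
    r"^(?P<flags>[*#+\-~]{0,2})(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<refclock>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)"
)


def decode_reach(reach_octal: str):
    """Expand the octal reach register into the last eight polls, oldest first.
    Bit 0 (least significant) is the most recent poll; a 1 bit means a reply arrived."""
    value = int(reach_octal, 8)
    if not 0 <= value <= 0o377:
        raise ValueError("reach is an 8-bit register, so it ranges 0..377 octal")
    return [bool((value >> bit) & 1) for bit in range(7, -1, -1)]


def lost_polls(reach_octal: str) -> int:
    """Number of the last eight polls that got no reply (0 when reach is 377)."""
    return 8 - sum(decode_reach(reach_octal))


def shift_reach(reach_octal: str, reply_received: bool) -> str:
    """Advance the register by one poll interval: shift left, record the newest result in
    bit 0 and drop the oldest bit. Returns the new value as IOS prints it (octal)."""
    value = ((int(reach_octal, 8) << 1) | int(reply_received)) & 0o377
    return format(value, "o")


def parse_associations(output: str):
    """Parse the association rows of 'show ntp associations'."""
    rows = []
    for line in output.splitlines():
        match = _ROW_RE.match(line.strip())
        if not match:
            continue
        rows.append({
            "address": match["address"],
            "flags": [FLAGS[c] for c in match["flags"]],
            "stratum": int(match["st"]),
            "reach": match["reach"],
            "lost": lost_polls(match["reach"]),
            "synced": "*" in match["flags"],
        })
    return rows


def check_associations(output: str):
    """What the operator looks for: the peer marked * (synced) and every peer whose reach
    register is not 377, i.e. that lost at least one reply in the last eight polls."""
    rows = parse_associations(output)
    synced = next((r["address"] for r in rows if r["synced"]), None)
    degraded = [r["address"] for r in rows if r["reach"] != "377"]
    return {"synced_peer": synced, "degraded": degraded}


# Constructed sample output (not captured from a real router): one healthy synced peer,
# one peer that missed its latest poll, one peer that never answered.
SAMPLE_OUTPUT = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.2.65       10.1.2.33       11    36    64   377    27.9   25.17    30.0
 ~10.1.2.66       10.1.2.34       12    50    64   376    30.1   12.00    40.0
 ~10.1.2.67       .INIT.          16     -    64     0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

if __name__ == "__main__":
    for row in parse_associations(SAMPLE_OUTPUT):
        print(row["address"], "reach", row["reach"], decode_reach(row["reach"]))
    print(check_associations(SAMPLE_OUTPUT))
```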

Question 11

Refer to Exhibit, which statement about the configuration on the Cisco router is true?

Router(config)#ntp source Loopback0
Router(config)#interface eth0/0
Router(config-if)#ntp disable

A. The router sends only NTP traffic, using the loopback interface, and it disables eth0/0
from sending NTP traffic.
B. Eth0/0 sends NTP traffic on behalf of the loopback interface
C. The router sends only NTP traffic, using the eth0/0 interface, and it disables loopback0
from sending NTP traffic.
D. The router never sends NTP traffic, as using the loopback interface for NTP traffic is not
supported on IOS routers.

Answer: A

Question 12

Refer to the exhibit. Which effect of this configuration is true?

R1# show run | include ntp
ntp master 5
ntp authenticate
ntp authentication-key 1 md4 123Cisco
ntp authentication-key 5 md4 Cisco123
ntp trusted-key 1

A. R1 synchronizes with systems that include authentication key 5 in their packets
B. R1 acts as an authoritative clock with a priority ID of 1
C. R1 acts as an authoritative clock at stratum 5
D. R1 is the NTP client for a stratum 1 server

Answer: C

Explanation

The command "ntp master [stratum]" is used to configure the device as an authoritative NTP
server. You can specify a different stratum level from which NTP clients get their time
synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a
stratum 0 device that is assumed to be accurate and has little or no delay associated with it.
Stratum 0 servers cannot be used on the network but they are directly connected to computers
which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network
time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected
to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests
from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a
stratum-2 server… A stratum server may also peer with other stratum servers at the same
level to provide more stable and robust time for all devices in the peer group (for example a
stratum 2 server can peer with other stratum 2 servers).

NAT Questions
https://www.digitaltut.com/nat-questions

Question 1

A network engineer is trying to modify an existing active NAT configuration on an IOS
router by using the following command:

(config)# no ip nat pool dynamic-nat-pool 192.1.1.20 192.1.1.254 netmask 255.255.255.0

Upon entering the command on the IOS router, one of the following messages is seen on the
console: "%Dynamic Mapping in Use, Cannot remove" or "%Pool outpool in use, cannot
destroy".

What is the least impactful method that the engineer can use to modify the existing IP NAT
configuration?

A. Clear the IP NAT translations using the "clear ip nat traffic *" command, then replace the
NAT configuration quickly, before any new NAT entries are populated into the translation
table due to active NAT traffic.
B. Clear the IP NAT translations using the "clear ip nat translation *" command, then replace
the NAT configuration quickly, before any new NAT entries are populated into the
translation table due to active NAT traffic.
C. Clear the IP NAT translations using the reload command on the router, then replace the
NAT configuration quickly, before any new NAT entries are populated into the translation
table due to active NAT traffic.
D. Clear the IP NAT translations using the "clear ip nat table *" command, then replace the
NAT configuration quickly, before any new NAT entries are populated into the translation
table due to active NAT traffic.

Answer: B

Question 2

Which statement describes what this command accomplishes when inside and outside
interfaces are correctly identified for NAT?
ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080 extendable

A. It allows host 192.168.1.50 to access external websites using TCP port 8080.
B. It allows external clients coming from public IP 209.165.201.1 to connect to a web server
at 192.168.1.50.
C. It allows external clients to connect to a web server hosted on 192.168.1.50.
D. It represents an incorrect NAT configuration because it uses standard TCP ports.

Answer: C

Explanation

First, we will not consider the effect of the "extendable" keyword. The purpose of the
command "ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080" is to translate
packets on the inside interface with a source IP address of 192.168.1.50 and port 80 to the IP
address 209.165.201.1 with port 8080. This also implies that any packet received on the
outside interface with a destination address of 209.165.201.1:8080 has its destination
translated to 192.168.1.50:80. Therefore answer C is correct.

Answer A is not correct because this command "allows host 192.168.1.50 to access external
websites using TCP port 80", not port 8080.

Answer B is not correct because it allows external clients to connect to a web server at
209.165.201.1. The IP addresses of clients should not be 209.165.201.1.

Answer D is not correct because the configuration is correct.

Now we will talk about the keyword "extendable".

Usually, the "extendable" keyword should be added if the same Inside Local is mapped to
different Inside Global Addresses (the IP address of an inside host as it appears to the outside
network). An example of this case is when you have two connections to the Internet on two
ISPs for redundancy. So you will need to map two Inside Global IP addresses into one inside
local IP address. For example:
NAT router:
ip nat inside source static 192.168.1.1 200.1.1.1 extendable
ip nat inside source static 192.168.1.1 200.2.2.2 extendable
//Inside Local: 192.168.1.1 ; Inside Global: 200.1.1.1 & 200.2.2.2

In this case, the traffic from ISP1 and ISP2 to the Server is straightforward as ISP1 will use
200.1.1.1 and ISP2 will use 200.2.2.2 to reach the Server. But how about the traffic from the
Server to the ISPs? In other words, how does the NAT router know which IP (200.1.1.1 or
200.2.2.2) it should use to send traffic to ISP1 & ISP2 (this is called "ambiguous from the
inside")? We tested in GNS3 and it worked correctly! So we guess the NAT router compared
the Inside Global addresses with all of the IP addresses of the "ip nat outside" interfaces and
chose the most suitable one to forward traffic.

This is what Cisco explained about the "extendable" keyword:

"They might also want to define static mappings for a particular host using each provider's
address space. The software does not allow two static translations with the same local
address, though, because it is ambiguous from the inside. The router will accept these static
translations and resolve the ambiguity by creating full translations (all addresses and ports) if
the static translations are marked as "extendable". For a new outside-to-inside flow, the
appropriate static entry will act as a template for a full translation. For a new inside-to-outside
flow, the dynamic route-map rules will be used to create a full translation."

(Reference:
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html)

But it is unclear what will happen if we don't use a route-map.

Question 3

A network engineer is asked to configure a "site-to-site" IPsec VPN tunnel. One of the last
things that the engineer does is to configure an access list (access-list 1 permit any) along
with the command ip nat inside source list 1 int s0/0 overload. Which functions do the two
commands serve in this scenario?

A. The command access-list 1 defines interesting traffic that is allowed through the tunnel.
B. The command ip nat inside source list 1 int s0/0 overload disables "many-to-one" access
for all devices on a defined segment to share a single IP address upon exiting the external
interface.
C. The command access-list 1 permit any defines only one machine that is allowed through
the tunnel.
D. The command ip nat inside source list 1 int s0/0 overload provides "many-to-one"
access for all devices on a defined segment to share a single IP address upon exiting the
external interface.

Answer: D

Explanation

The command "ip nat inside source list 1 int s0/0 overload" translates all source addresses
that pass access list 1, which means all IP addresses, into the address assigned to the S0/0
interface. The overload keyword allows multiple IP addresses to be mapped to a single
registered IP address (many-to-one) by using different ports.

Question 4

Refer to the exhibit.

interface FastEthernet0/1
ip address 209.165.200.225 255.255.255.224
ip nat outside
!
interface FastEthernet0/2
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
access-list 10 permit 10.10.10.0 0.0.0.255
!

Which command allows hosts that are connected to FastEthernet0/2 to access the Internet?

A. ip nat inside source list 10 interface FastEthernet0/1 overload
B. ip nat outside source static 209.165.200.225 10.10.10.0 overload
C. ip nat inside source list 10 interface FastEthernet0/2 overload
D. ip nat outside source list 10 interface FastEthernet0/2 overload

Answer: A

Explanation

The command "ip nat inside source list 10 interface FastEthernet0/1 overload" configures
NAT to overload on the address that is assigned to the Fa0/1 interface.

Question 5

Refer to the following configuration command.

router(config)# ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80

Which statement about the command is true?

A. Any packet that is received in the inside interface with a source IP port address of
172.16.10.8:80 is translated to 172.16.10.8:8080.
B. Any packet that is received in the inside interface with a source IP port address of
172.16.10.8:8080 is translated to 172.16.10.8:80.
C. The router accepts only a TCP connection from port 8080 and port 80 on IP address
172.16.10.8.
D. Any packet that is received in the inside interface with a source IP address of 172.16.10.8
is redirected to port 8080 or port 80.

Answer: B

Explanation

This is a static NAT command which translates all packets received on the inside interface
with a source IP address and port of 172.16.10.8:8080 to 172.16.10.8:80. The purpose of this
NAT statement is to redirect TCP traffic to another TCP port.

Question 6

Which two functionalities are specific to stateless NAT64? (Choose two)

A. No requirement exists for the characteristics of IPv6 address assignment
B. It does not conserve IPv4 addresses
C. It provides 1-to-1 translation.
D. It uses address overloading.
E. State or bindings are created on the translation.

Answer: B C

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). There are two different forms of NAT64, stateless and stateful:

+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps
no state. It does not save any IPv4 addresses since every IPv4 address maps to one IPv6
address. Stateless NAT64 does not conserve IPv4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation (1:N translation). It
supports both IPv6-initiated and IPv4-initiated communications using static or manual
mappings. Stateful NAT64 conserves IPv4 addresses.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html
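As an added illustration of the stateless/stateful distinction above (example code, not from Cisco or this page), the Python below maps IPv4 addresses into a /96 NAT64 prefix the stateless way, where both addresses of a packet are computed with no table, and contrasts it with a minimal stateful binding table that lets many IPv6 hosts share one IPv4 pool address; the prefix 2001:DB8::/96 and the pool address 203.0.113.1 are documentation addresses chosen for the example.

```python
import ipaddress


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Stateless NAT64 address mapping for a /96 prefix: the 32-bit IPv4 address is placed
    in the low 32 bits of the IPv6 address (the RFC 6052 /96 layout)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example handles only /96 NAT64 prefixes")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Reverse mapping; fails if the address is not inside the NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def stateless_translate(prefix: str, src6: str, dst6: str):
    """IPv6 -> IPv4 header translation with no state: both addresses are computed from the
    packet itself, so every IPv6 host must own an IPv4-embedded address (1:1, no saving)."""
    return (str(extract_ipv4(prefix, src6)), str(extract_ipv4(prefix, dst6)))


class StatefulNAT64:
    """Minimal stateful NAT64 for contrast: many IPv6 hosts share one pool IPv4 address
    and each flow gets a binding (state) that is needed to translate the reply."""

    def __init__(self, prefix: str, pool_ipv4: str, first_port: int = 1024):
        self.prefix = prefix
        self.pool = str(ipaddress.IPv4Address(pool_ipv4))
        self.next_port = first_port
        self.bindings = {}   # (src6, sport) -> pool port
        self.reverse = {}    # pool port -> (src6, sport)

    def outbound(self, src6: str, sport: int, dst6: str):
        """IPv6-initiated flow: allocate (or reuse) a pool port, return the IPv4-side tuple."""
        key = (src6, sport)
        if key not in self.bindings:
            port = self.next_port
            self.next_port += 1
            self.bindings[key] = port
            self.reverse[port] = key
        return (self.pool, self.bindings[key], str(extract_ipv4(self.prefix, dst6)))

    def inbound(self, dport: int):
        """Reply from the IPv4 side: only a destination port with a binding maps back."""
        return self.reverse.get(dport)


if __name__ == "__main__":
    PREFIX = "2001:DB8::/96"                       # documentation prefix for the example
    print(embed_ipv4(PREFIX, "192.0.2.33"))        # stateless: 2001:db8::c000:221
    print(stateless_translate(PREFIX, "2001:db8::a00:1", "2001:db8::c000:221"))
    nat = StatefulNAT64(PREFIX, "203.0.113.1")     # stateful: one shared pool address
    print(nat.outbound("2001:db8:1::10", 40000, "2001:db8::c000:221"))
    print(nat.outbound("2001:db8:1::11", 40000, "2001:db8::c000:221"))
```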

Question 7

Which NAT command disables dynamic ARP learning on an interface?

A. R(config-if)# ip nat enable
B. R(config-if)# ip nat inside
C. R(config-if)# ip nat outside
D. R(config)# ip nat service
E. R(config)# ip nat allow-static-host

Answer: E

Explanation

The "ip nat allow-static-host" command enables static IP address support. Dynamic Address
Resolution Protocol (ARP) learning will be disabled on this interface, and NAT will control
the creation and deletion of ARP entries for the static IP host.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4/nat-12-4-book/iadnat-addr-consv.html

Question 8

What is the viable successor of NAT-PT?

A. NAT
B. NAT64
C. NPTv6
D. DHCPv6

Answer: B

Explanation

Network Address Translation-Protocol Translation (NAT-PT) has been deemed deprecated
by IETF because of its tight coupling with Domain Name System (DNS) and its general
limitations in translation. IETF proposed NAT64 as the viable successor to NAT-PT.

NAT64 technology facilitates communication between IPv6-only and IPv4-only hosts and
networks (whether in a transit, an access, or an edge network). This solution allows both
enterprises and ISPs to accelerate IPv6 adoption while simultaneously handling IPv4 address
depletion. All viable translation scenarios are supported by NAT64, and therefore NAT64 is
becoming the most sought translation technology.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-
ipv6-solution/white_paper_c11-676278.html

Question 9

Which option is the first task that a device configured with NAT64 performs when it receives
an incoming IPv6 packet that matches the stateful NAT64 prefix?

A. It translates the IPv6 header into an IPv4 header.
B. It checks the IPv6 packet against the NAT64 stateful prefix.
C. It translates the IPv6 source address to an IPv4 header.
D. It translates the IPv4 destination address into a new NAT64 state.
E. It performs an IPv6 route lookup.

Answer: A

Question 10

Which command enables NAT-PT on an IPv6 interface?

A. ipv6 nat
B. ipv6 nat enable
C. ipv6 nat-pt
D. ipv6 nat-pt enable

Answer: A

Explanation

The syntax should be: ipv6 nat prefix ipv6-prefix/prefix-length (for example: Router(config)# ipv6
nat prefix 2001:DB8::/96)

Question 11

Which two options are limitations of stateful NAT64? (Choose two)

A. It is unable to route VRF traffic
B. It is unable to route multicast traffic
C. It supports FTP traffic only with an ALG
D. It supports DNS64 only
E. Layer 4 supports TCP only

Answer: A B

Explanation

From the link: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat64-stateful.pdf

Restrictions for configuring Stateful Network Address:

+ Virtual routing and forwarding (VRF)-aware NAT64 is not supported -> Answer A is
correct.
+ IP Multicast is not supported -> Answer B is correct.
+ Application-level gateways (ALGs) FTP and ICMP are not supported -> Answer C is not
correct.
+ Only TCP and UDP Layer 4 protocols are supported for header translation -> Answer E is
not correct.
+ For Domain Name System (DNS) traffic to work, you must have a separate working
installation of DNS64 -> This statement means stateful NAT64 supports DNS64 but we
cannot conclude it is the only one supported by NAT64. We are not sure but maybe stateful
NAT64 also supports DNS ALG.

Question 12

Which two address types are included in NAT? (Choose two)

A. inside global
B. global outside
C. outside internet
D. inside internet
E. outside local

Answer: A E

Explanation

NAT uses four types of addresses:

* Inside local address – The IP address assigned to a host on the inside network. The address
is usually not an IP address assigned by the Internet Network Information Center (InterNIC)
or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service
provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the
inside network.
* Outside global address – The IP address assigned to a host on the outside network. The
owner of the host assigns this address.

Question 13

NPTv6 restrictions?

Possible answers:

– Virtual Routing and Forwarding (VRF)
– NAT64 on the same interface.
– Multicast and Firewall are not supported.
– Payload address or port translation is not supported.
– Syslog is not supported.

Question 14

Refer to the exhibit.

access-list 1 permit 172.16.1.0 0.0.0.255
ip nat inside source list 1 interface gigabitethernet0/0 overload

You have correctly identified the inside and outside interfaces in the NAT configuration of
this device. Which effect of this configuration is true?

A. dynamic NAT
B. static NAT
C. PAT
D. NAT64

Answer: C

IP SLA Questions
https://www.digitaltut.com/ip-sla-questions

Question 1

Refer to the exhibit.

Which technology can be employed to automatically detect a WAN primary link failure and
failover to the secondary link?

A. HSRP
B. VRRP
C. IP SLA
D. multicast

Answer: C

Question 2

A network engineer has configured a tracking object to monitor the reachability of IP SLA 1.
In order to update the next hop for the interesting traffic, which feature must be used in
conjunction with the newly created tracking object to manipulate the traffic flow as required?

A. SNMP
B. PBR
C. IP SLA
D. SAA
E. ACLs
F. IGP

Answer: B

Explanation

IP SLA PBR (Policy-Based Routing) Object Tracking allows you to make sure that the next
hop is reachable before that route is used. If the next hop is not reachable, another route is
used as defined in the PBR configuration. If no other route is present in the route map, the
routing table is used.

An example of configuring PBR based on tracking object is shown below:

//Configure and schedule IP SLA operations
ip sla 1
icmp-echo 10.3.3.2
ip sla schedule 1 life forever start-time now
!
//Configure Object Tracking to track the operations
track 1 ip sla 1 reachability
!
//Configure ACL
ip access-list ACL
permit ip 10.2.2.0/24 10.1.1.1/32
!
//Configure PBR policy on the router
route-map PBR
match ip address ACL
set ip next-hop verify-availability 10.3.3.2 track 1
//Track 2 is not shown here; it is used if track 1 fails
set ip next-hop verify-availability 10.3.3.2 track 2
!
//Apply PBR policy on the incoming interface of the router.
interface ethernet 0/0
ip address 10.2.2.1 255.255.255.0
ip policy route-map PBR

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-
os/IPSLA/configuration/guide/b_Cisco_Nexus_7000_Series_NX-
OS_IP_SLAs_Configuration_Guide_rel_6-x/b_Cisco_Nexus_7000_Series_NX-
OS_IP_SLAs_Configuration_Guide_rel_6-x_chapter_01000.html

Question 3

A network engineer initiates the ip sla responder tcp-connect command in order to gather
statistics for performance gauging. Which type of statistics does the engineer see?

A. connectionless-oriented
B. service-oriented
C. connection-oriented
D. application-oriented

Answer: C

Explanation

The keyword "tcp-connect" enables the responder for TCP connect operations. TCP is a
connection-oriented transport layer protocol -> C is correct.

Question 4

Refer to the exhibit. Which statement about the configuration is true?

ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type jitter dest-ipaddr 200.0.10.3 dest-port 65051 num-packets 20
request-data-size 160
tos 128
frequency 30
ip sla monitor schedule 1 start-time after 00:05:00

A. 20 packets are being sent every 30 seconds.
B. The monitor starts at 12:05:00 a.m.
C. Jitter is being tested with TCP packets to port 65051.
D. The packets that are being sent use DSCP EF.

Answer: A

Explanation

The "num-packets" specifies the number of packets to be sent for a jitter operation.

The "frequency" is the rate (in seconds) at which this IP SLA operation repeats. The "tos"
defines a type of service (ToS) byte in the IP header of this IP SLA operation.

Question 5

Which three items can you track when you use two time stamps with IP SLAs? (Choose
three)

A. delay
B. jitter
C. packet loss
D. load
E. throughput
F. path

Answer: A B C

Explanation

When enabled, the IP SLAs Responder allows the target device to take two time stamps both
when the packet arrives on the interface at interrupt level and again just as it is leaving,
eliminating the processing time. At times of high network activity, an ICMP ping test often
shows a long and inaccurate response time, while an IP SLAs test shows an accurate response
time due to the time stamping on the responder.
An additional benefit of the two time stamps at the target device is the ability to track
one-way delay, jitter, and directional packet loss. Because much network behavior is
asynchronous, it is critical to have these statistics. However, to capture one-way delay
measurements the configuration of both the source device and target device with Network
Time Protocol (NTP) is required. Both the source and target need to be synchronized to the
same clock source. One-way jitter measurements do not require clock synchronization.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-
15-mt-book/sla_overview.html

Question 6

Two aspects of an IP SLA operation can be tracked: state and reachability. Which statement
about state tracking is true?

A. When tracking state, an OK return code means that the track's state is up; any other return
code means that the track's state is down.
B. When tracking state, an OK or over threshold return code means that the track's state is
up; any other return code means that the track's state is down.
C. When tracking state, an OK return code means that the track's state is down; any other
return code means that the track's state is up.
D. When tracking state, an OK or over threshold return code means that the track's state is
down; any other return code means that the track's state is up.

Answer: A

Question 7

An engineer is asked to monitor the availability of the next-hop IP address of 172.16.201.25
every 3 seconds using an ICMP echo packet via an ICMP echo probe. Which two commands
accomplish this task? (Choose two)

A. router(config-ip-sla)#icmp-echo 172.16.201.25 source-interface FastEthernet 0/0
B. router(config-ip-sla-echo)#timeout 3
C. router(config-ip-sla)#icmp-jitter 172.16.201.25 interval 100
D. router(config-ip-sla-echo)#frequency 3
E. router(config-ip-sla)#udp-echo 172.16.201.25 source-port 23
F. router(config-ip-sla-echo)#threshold 3

Answer: A D

Question 8

Which three IP SLA performance metrics can you use to monitor enterprise-class networks?
(Choose three)

A. Packet loss
B. Delay
C. bandwidth
D. Connectivity
E. Reliability
F. traps

Answer: A B D

Explanation

Depending on the specific Cisco IOS IP SLAs operation, statistics of delay, packet loss,
jitter, packet sequence, connectivity, path, server response time, and download time are
monitored within the Cisco device and stored in both CLI and SNMP MIBs.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsoverv.ht
ml

Question 9

A network engineer wants to notify a manager in the event that the IP SLA connection-loss
threshold is reached. Which two features are needed to implement this functionality? (Choose
two)

A. MOS
B. Threshold action
C. Cisco IOS EEM
D. SNMP traps
E. logging local

Answer: B D

Explanation

IP SLAs supports proactive threshold monitoring and notifications for performance
parameters such as average jitter, unidirectional latency, bidirectional round-trip time (RTT),
and connectivity for most IP SLAs operations. The proactive monitoring capability also
provides options for configuring reaction thresholds for important VoIP related parameters
including unidirectional jitter, unidirectional packet loss, and unidirectional VoIP voice
quality scoring.

IP SLAs reactions are configured to trigger when a monitored value exceeds or falls below a
specified level or when a monitored event, such as a timeout or connection loss, occurs. If IP
SLAs measures too high or too low of any configured reaction, IP SLAs can generate a
notification (in the form of SNMP trap) to a network management application or trigger
another IP SLA operation to gather more data.

Cisco IOS IP SLAs can send SNMP traps that are triggered by events such as the following:
+ Connection loss
+ Timeout
+ Round-trip time threshold
+ Average jitter threshold
+ One-way packet loss
+ One-way jitter
+ One-way mean opinion score (MOS)
+ One-way latency

Question 10

Which IP SLA operation can be used to measure round-trip delay for the full path and hop-
by-hop round-trip delay on the network?

A. HTTP
B. ICMP path echo
C. TCP connect
D. ICMP echo

Answer: B

Explanation

Round-trip time (RTT), also called round-trip delay, is the time required for a packet to travel
from a specific source to a specific destination and back again.

An ICMP Path Echo operation measures end-to-end (full path) and hop-by-hop response
time (round-trip delay) between a Cisco router and devices using IP. ICMP Path Echo is
useful for determining network availability and for troubleshooting network connectivity
issues.

Note: ICMP Echo only measures round-trip delay for the full path.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/xe-3s/sla-
xe-3s-book/sla_icmp_pathecho.html

Question 11

Refer to the exhibit.

The IP SLA configuration of R1 is shown below:

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface f1/0
R1(config-ip-sla)#frequency 10
R1(config-ip-sla)#threshold 100
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2

Why is the default route not removed when the SLA state is down or failed?

A. the destination must be 172.30.30.2 for icmp-echo
B. the threshold value is wrong
C. the default route has wrong next hop IP address.
D. missing of track feature on default static route command

Answer: D

Explanation

The default route command (at the last line) must include the "track" keyword for the
tracking feature to work:

ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10

Question 12

Which type of information is displayed when a network engineer executes the show track 1
command on the router?

A. information about tracking list 1.
B. time to next poll for track object 1.
C. information about the IP route track table.
D. tracking information statistics.

Answer: A

IP SLA Questions 2
https://www.digitaltut.com/ip-sla-questions-2

Question 1

Which IP SLA operation requires Cisco endpoints?

A. UDP Jitter for VoIP
B. ICMP Path Echo
C. ICMP Echo
D. UDP Jitter

Answer: A

Explanation

User Datagram Protocol (UDP) Jitter for VoIP is the most common operation for networks
that carry voice traffic, video, or UDP jitter-sensitive applications. It requires Cisco endpoints.

Note: The ICMP jitter operation is similar to the IP SLAs UDP jitter operation but does not
require a Cisco endpoint (maybe only Cisco router has been designated to reply to Cisco IOS
IP SLA test packets).

The config below shows an example of configuring UDP Jitter for VoIP:

Router(config)# ip sla 10
//Configures the operation as a jitter (codec) operation that will generate VoIP scores in
addition to latency, jitter, and packet loss statistics. Notice that it requires an endpoint.
Router(config-ip-sla)# udp-jitter 209.165.200.225 16384 codec g711alaw advantage-factor
10
//The below configs are only optional
Router(config-ip-sla-jitter)# frequency 30
Router(config-ip-sla-jitter)# history hours-of-statistics-kept 4
Router(config-ip-sla-jitter)# owner admin
Router(config-ip-sla-jitter)# tag TelnetPollServer1
Router(config-ip-sla-jitter)# threshold 10000
Router(config-ip-sla-jitter)# timeout 10000
Router(config-ip-sla-jitter)# tos 160

Reference:
http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_qas0900aecd8017
bd5a.html &
http://www.cisco.com/c/en/us/td/docs/ios/ipsla/configuration/guide/15_s/sla_15_0s_book/sla
_udp_jitter_voip.pdf

Question 2

Refer to the exhibit. Which two reasons for IP SLA tracking failure are likely true? (Choose two)

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#frequency 10
R1(config-ip-sla-echo)#threshold 500
R1(config)#ip sla schedule 1 start-time now life forever
R1(config)#track 10 ip sla 1 reachability
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2
R1(config)#ip route 0.0.0.0 0.0.0.0 172.30.30.2 5

A. The source-interface is configured incorrectly
B. The destination must be 172.30.30.2 for icmp-echo
C. A route back to the R1 LAN network is missing in R2
D. The default route has wrong next hop IP address
E. The threshold value is wrong

Answer: C E

Explanation

There is no problem with the Fa0/0 as the source interface as we want to check the ping from
the LAN interface -> A is not correct.

Answer B is not correct as we must track the destination of the primary link, not backup link.

In this question, R1 pings R2 via its LAN Fa0/0 interface, so maybe R2 (which is an ISP) will
not know how to reply back, as an ISP usually does not configure a route to a customer's
LAN -> C is correct.
There is no problem with the default route -> D is not correct.

For answer E, we need to understand about how timeout and threshold are defined:

Timeout (in milliseconds) sets the amount of time an IP SLAs operation waits for a response
from its request packet. In other words, the timeout specifies how long the router should wait
for a response to its ping before it is considered failed. Threshold (in milliseconds too) sets
the upper threshold value for calculating network monitoring statistics created by an IP SLAs
operation. Threshold is used to activate a response to IP SLA violation, e.g. send SNMP trap
or start secondary SLA operation. In other words, the threshold value is only used to indicate
over threshold events, which do not affect reachability but may be used to evaluate the proper
settings for the timeout command.

For reachability tracking, if the return code is OK or OverThreshold, reachability is up; if not
OK, reachability is down.

Therefore in this question, we are using "Reachability" tracking (via the command "track 10
ip sla 1 reachability") so the threshold value is not important and can be ignored -> Answer E is
correct. In fact, answer E is not wrong but it is the best option left.

This tutorial can help you revise IP SLA tracking topic: http://www.firewall.cx/cisco-
technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html and
http://www.ciscozine.com/using-ip-sla-to-change-routing/

Note: Maybe some of us will wonder why there are these two commands:

R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
R1(config)#no ip route 0.0.0.0 0.0.0.0 172.20.20.2

In fact the two commands:

ip route 0.0.0.0 0.0.0.0 172.20.20.2 track 10
ip route 0.0.0.0 0.0.0.0 172.20.20.2

are different. These two static routes can co-exist in the routing table. Therefore if the
tracking goes down, the first command will be removed but the second one still exists and the
backup path is not preferred. So we have to remove the second one.
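The difference between the two tracking modes (the reachability rule above and the state tracking rule of Question 6 in the IP SLA Questions section), carried through for the timeout and threshold values of this exhibit. This is an added Python example, not configuration or code from the page or from Cisco; the return-code names OK, OverThreshold and Timeout and the single-probe model are assumptions.

```python
# Added example: maps IP SLA probe results to a track object's state under
# the two tracking modes described ("state" and "reachability").
# Return-code names (OK, OverThreshold, Timeout) and the one-probe model
# are assumptions; real IP SLA operations have more return codes than these.

RETURN_CODES = ("OK", "OverThreshold", "Timeout")


def sla_return_code(rtt_ms, timeout_ms, threshold_ms):
    """Classify one icmp-echo probe.

    rtt_ms is None when no reply came back at all. A reply slower than the
    timeout counts as a Timeout; a reply within the timeout but above the
    threshold is OverThreshold, which is a reaction event, not a failure.
    """
    if rtt_ms is None or rtt_ms > timeout_ms:
        return "Timeout"
    if rtt_ms > threshold_ms:
        return "OverThreshold"
    return "OK"


def track_state(return_code, mode):
    """Return "up" or "down" for `track N ip sla N state|reachability`.

    state:        only an OK return code is up.
    reachability: OK or OverThreshold is up; anything else is down.
    """
    if return_code not in RETURN_CODES:
        raise ValueError(f"unknown return code {return_code!r}")
    if mode == "state":
        return "up" if return_code == "OK" else "down"
    if mode == "reachability":
        return "up" if return_code in ("OK", "OverThreshold") else "down"
    raise ValueError(f"unknown tracking mode {mode!r}")


def tracked_route_installed(mode, probe_rtts_ms, timeout_ms, threshold_ms):
    """Simulate a static route that carries `track 10` over a series of probes.

    Returns one boolean per probe: True while the tracked route stays in the
    routing table, False once the track object is down and the route is pulled.
    """
    installed = []
    for rtt in probe_rtts_ms:
        code = sla_return_code(rtt, timeout_ms, threshold_ms)
        installed.append(track_state(code, mode) == "up")
    return installed


if __name__ == "__main__":
    # Values from the exhibit: timeout 5000 ms, threshold 500 ms.
    # Constructed probe results: fast reply, slow reply, no reply, very late reply.
    probes = [20, 800, None, 5500]
    print("reachability:", tracked_route_installed("reachability", probes, 5000, 500))
    print("state:       ", tracked_route_installed("state", probes, 5000, 500))
```

With reachability tracking the 800 ms reply keeps the route installed even though it exceeds the 500 ms threshold; with state tracking the same reply pulls the route.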

Question 3

Which option must be configured on a target device to use time stamping to accurately
represent response times using IP SLA?

A. Responder
B. Jitter value
C. TCP Connect
D. ICMP Echo

Answer: A

Explanation

A primary benefit of Cisco IOS IP SLAs is accuracy, embedded flexibility, and cost-saving, a
key component of which is the Cisco IOS IP SLAs responder enabled on the target device.
When the responder is enabled, it allows the target device to take two timestamps: when the
packet arrives on the interface at interrupt level and again just as it leaves. This eliminates
processing time. This timestamping is made with a granularity of sub-millisecond (ms). The
responder timestamping is very important because all routers and switches in the industry
will prioritize switching traffic destined for other locations over packets destined for its local
IP address (this includes Cisco IOS IP SLAs and ping test packets). Therefore, at times of
high network activity, ping tests can reveal an inaccurately large response time; conversely,
timestamping on the responder allows a Cisco IOS IP SLAs test to accurately represent the
response time.

Reference:
http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900
aecd8017f8c9_ps6602_Products_White_Paper.html

Note: The ICMP echo operation is used to cause ICMP echo requests to be sent to a
destination to check connectivity.

Question 4

A network engineer executes the "show ip sla statistics" command. What does the output of
this command show?

A. Operation availability
B. Device CPU utilization
C. Interface packet statistics
D. Packet sequencing

Answer: A

Explanation

The "show ip sla statistics" command displays the current operational status and statistics of
all IP SLAs operations or a specified operation so the answer ―operation availability‖ is the
best choice here.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/ipsla/command/reference/sla_book/sla_04.html

Question 5

Which two types of threshold can you configure for tracking objects? (Choose two)

A. percentage
B. MTU
C. bandwidth
D. weight
E. delay
F. administrative distance

Answer: A D

Explanation

You can configure a tracked list of objects with a Boolean expression, a weight threshold, or
a percentage threshold.

The example configures track list 1 to track by weight threshold.

Switch(config)# track 1 list threshold weight
Switch(config-track)# object 1 weight 15
Switch(config-track)# object 2 weight 20
Switch(config-track)# object 3 weight 30
Switch(config-track)# threshold weight up 30 down 10

If object 1, and object 2 are down, then track list 1 is up, because object 3 satisfies the up
threshold value of up 30. But, if object 3 is down, both objects 1 and 2 must be up in order to
satisfy the threshold weight.

This configuration can be useful if object 1 and object 2 represent two small bandwidth
connections and object 3 represents one large bandwidth connection. The configured down
10 value means that once the tracked object is up, it will not go down until the threshold
value is equal to or lower than 10, which in this example means that all connections are
down.

The example below configures tracked list 2 with three objects and specified percentages to
measure the state of the list with an up threshold of 70 percent and a down threshold of 30
percent:

Switch(config)# track 2 list threshold percentage
Switch(config-track)# object 1
Switch(config-track)# object 2
Switch(config-track)# object 3
Switch(config-track)# threshold percentage up 51 down 10

This means as long as 51% or more of the objects are up, the list will be considered "up". So
in this case if two objects are up, track 2 is considered "up".

Reference: http://www.cisco.com/c/en/us/td/docs/switches/blades/3020/software/release/12-
2_58_se/configuration/guide/3020_scg/swhsrp.pdf
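The weight and percentage threshold evaluation described above, including the hysteresis between the up and down thresholds, as an added Python example (not Cisco code and not from the original page); the initial "down" state and the >= up / <= down comparisons are assumptions taken from the prose.

```python
# Added example: evaluates a `track N list threshold weight|percentage` list
# the way the explanation describes, including the hysteresis between the up
# and down thresholds. Not Cisco code; the initial "down" state and the
# >= up / <= down comparisons are assumptions taken from the prose.


def weight_list_state(weights, up_objects, up_thr, down_thr, prev_state="down"):
    """One evaluation of `threshold weight up <up_thr> down <down_thr>`.

    weights:    {object_id: weight}, e.g. {1: 15, 2: 20, 3: 30}
    up_objects: set of object ids currently up
    Total weight >= up_thr -> "up"; <= down_thr -> "down"; in between, the
    list keeps its previous state.
    """
    total = sum(w for oid, w in weights.items() if oid in up_objects)
    if total >= up_thr:
        return "up"
    if total <= down_thr:
        return "down"
    return prev_state


def percentage_list_state(object_ids, up_objects, up_pct, down_pct, prev_state="down"):
    """One evaluation of `threshold percentage up <up_pct> down <down_pct>`."""
    if not object_ids:
        return "down"  # an empty list has nothing to be up
    pct = 100.0 * len(set(object_ids) & set(up_objects)) / len(object_ids)
    if pct >= up_pct:
        return "up"
    if pct <= down_pct:
        return "down"
    return prev_state


def run_weight_list(weights, up_thr, down_thr, snapshots):
    """Feed successive sets of up objects through the list and return the
    sequence of list states, starting from "down"."""
    state, history = "down", []
    for up_objects in snapshots:
        state = weight_list_state(weights, up_objects, up_thr, down_thr, state)
        history.append(state)
    return history


if __name__ == "__main__":
    # Track list 1 from the explanation: weights 15/20/30, up 30 down 10.
    # Object 3 alone brings the list up; losing it leaves 1+2 = 35, still up;
    # losing object 2 as well leaves 15, above the down threshold, so the list
    # stays up until every object is down.
    print(run_weight_list({1: 15, 2: 20, 3: 30}, 30, 10,
                          [{3}, {1, 2, 3}, {1, 2}, {1}, set(), {1}]))
    # Track list 2: up 51 down 10 with three objects; two of three up is 66%.
    print(percentage_list_state([1, 2, 3], {1, 2}, 51, 10))
```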

Question 6

Which option can you use to monitor voice traffic when configuring an IP SLA?

A. UDP-Jitter
B. TCP-Jitter
C. ip sla logging traps
D. ip sla reaction-configuration

Answer: A

Question 7

Which command is used to check IP SLA when an interface is suspected to receive lots of
traffic with options?

A. show track
B. show threshold
C. show timer
D. show delay

Answer: A

Question 8

How to set up IP SLA to monitor bandwidth between the certain limits?

A. Timer
B. Frequency
C. Threshold
D. Queue-limit

Answer: C

Question 9

Which location is traffic from IP SLAs?

A. core edge
B. access edge
C. WAN edge
D. Distribution edge
E. User edge

Answer: C

Explanation

Maybe this question wants to ask "at which location are IP SLAs usually used to monitor the
traffic?"; then the answer should be WAN edge, as IP SLA is usually used to track a remote
device or service (usually via ping).

NetFlow Questions
https://www.digitaltut.com/netflow-questions

Question 1

A network engineer executes the show ip flow export command. Which line in the output
indicates that the send queue is full and export packets are not being sent?

A. output drops
B. enqueuing for the RP
C. fragmentation failures
D. adjacency issues

Answer: A

Explanation

The "show ip flow export" command is used to display the status and the statistics for
NetFlow accounting data export, including the main cache and all other enabled caches. An
example of the output of this command is shown below:

Router# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
Exporting using source IP address 10.1.97.17
Version 5 flow records
11 flows exported in 8 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops

The "output drops" line indicates the total number of export packets that were dropped
because the send queue was full while the packet was being transmitted.

Reference:
http://www.cisco.com/en/US/docs/ios/12_3t/netflow/command/reference/nfl_a1gt_ps5207_T
SD_Products_Command_Reference_Chapter.html#wp1188401
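A parser for the "show ip flow export" output discussed above that flags every non-zero drop counter, so a collector gap can be traced to the exporter rather than to the network. This is an added Python example, not from the page or from Cisco; the sample output is constructed from the listing above with an output-drops count of 3 so that the check fires.

```python
import re

# Constructed sample, modelled on the "show ip flow export" output in the
# explanation, with a non-zero "output drops" counter so the check fires.
SAMPLE_OUTPUT = """\
Flow export v5 is enabled for main cache
  Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
  Exporting using source IP address 10.1.97.17
  Version 5 flow records
  11 flows exported in 8 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
  0 export packets were dropped enqueuing for the RP
  0 export packets were dropped due to IPC rate limiting
  3 export packets were dropped due to output drops
"""

# "10.51.12.4 (9991)" pairs on the "Exporting flows to" line
DEST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) \((\d+)\)")
EXPORTED_RE = re.compile(r"^(\d+) flows exported in (\d+) udp datagrams$")
FAILED_RE = re.compile(r"^(\d+) flows failed due to lack of export packet$")
# "due to" is absent on the "enqueuing for the RP" line, hence optional
DROP_RE = re.compile(r"^(\d+) export packets were dropped (?:due to )?(.+)$")


def parse_flow_export(text):
    """Turn the command output into a dict of destinations, totals and
    per-reason drop counters."""
    result = {"destinations": [], "flows_exported": 0, "datagrams": 0,
              "flows_failed": 0, "drops": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Exporting flows to"):
            result["destinations"] = [(ip, int(port))
                                      for ip, port in DEST_RE.findall(line)]
            continue
        m = EXPORTED_RE.match(line)
        if m:
            result["flows_exported"] = int(m.group(1))
            result["datagrams"] = int(m.group(2))
            continue
        m = FAILED_RE.match(line)
        if m:
            result["flows_failed"] = int(m.group(1))
            continue
        m = DROP_RE.match(line)
        if m:
            result["drops"][m.group(2).strip()] = int(m.group(1))
    return result


def export_problems(parsed):
    """Return (reason, count) for every non-zero drop counter plus the
    lack-of-export-packet failures; an empty list means the exporter is healthy."""
    problems = [(reason, n) for reason, n in parsed["drops"].items() if n]
    if parsed["flows_failed"]:
        problems.append(("lack of export packet", parsed["flows_failed"]))
    return problems


if __name__ == "__main__":
    parsed = parse_flow_export(SAMPLE_OUTPUT)
    print(parsed["destinations"])
    print(export_problems(parsed))
```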

Question 2

An organization decides to implement NetFlow on its network to monitor the fluctuation of
traffic that is disrupting core services. After reviewing the output of NetFlow, the network
engineer is unable to see OUT traffic on the interfaces. What can you determine based on this
information?

A. Cisco Express Forwarding has not been configured globally.
B. NetFlow output has been filtered by default.
C. Flow Export version 9 is in use.
D. The command ip flow-capture fragment-offset has been enabled.

Answer: A

Explanation

In general, NetFlow requires CEF to be configured in most recent IOS releases. CEF decides
which interface the traffic is sent out of. With CEF disabled, the router will not have a specific
destination interface in the NetFlow report packets. Therefore a NetFlow collector cannot
show the OUT traffic for the interface.

Question 3

A network engineer has left a NetFlow capture enabled over the weekend to gather
information regarding excessive bandwidth utilization. The following command is entered:
switch#show flow exporter Flow_Exporter-1

What is the expected output?

A. configuration of the specified flow exporter
B. current status of the specified flow exporter
C. status and statistics of the specified flow monitor
D. configuration of the specified flow monitor

Answer: B

Explanation

This command is used to display the current status of the specified flow exporter, in this case
Flow_Exporter-1. For example:

N7K1# show flow export
Flow exporter Flow_Exporter-1:
Description: Fluke Collector
Destination: 10.255.255.100
VRF: default (1)
Destination UDP Port 2055
Source Interface Vlan10 (10.10.10.5)
Export Version 9
Exporter Statistics
Number of Flow Records Exported 726
Number of Templates Exported 1
Number of Export Packets Sent 37
Number of Export Bytes Sent 38712
Number of Destination Unreachable Events 0
Number of No Buffer Events 0
Number of Packets Dropped (No Route to Host) 0
Number of Packets Dropped (other) 0
Number of Packets Dropped (LC to RP Error) 0
Number of Packets Dropped (Output Drops) 0
Time statistics were last cleared: Thu Feb 15 21:12:06 2015

Question 4

Refer to the exhibit.

Sampler: mysampler, id: 1, packets matched: 10, mode random sampling mode
sampling interval is : 100

Which statement about the output of the show flow-sampler command is true?

A. The sampler matched 10 packets, each packet randomly chosen from every group of 100
packets.
B. The sampler matched 10 packets, one packet every 100 packets.
C. The sampler matched 10 packets, each one randomly chosen from every 100-second
interval.
D. The sampler matched 10 packets, one packet every 100 seconds.

Answer: A

Explanation

The sampling mode determines the algorithm that selects a subset of traffic for NetFlow
processing. In the random sampling mode, incoming packets are randomly selected so that
one out of each n sequential packets is selected on average for NetFlow processing. For
example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the
5th, 120th, 299th, 302nd, and so on packets. This sample configuration provides NetFlow
data on 1 percent of total traffic. The n value is a parameter from 1 to 65535 packets that you
can configure.

In the above output we can learn that the number of packets that have been sampled is 10. The
sampling mode is "random sampling mode" and the sampling interval is 100 (NetFlow samples 1
out of 100 packets).

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfstatsa.html

Question 5

What is the result of the command ip flow-export destination 10.10.10.1 5858?

A. It configures the router to export cache flow information to IP 10.10.10.1 on port
UDP/5858.
B. It configures the router to export cache flow information about flows with destination IP
10.10.10.1 and port UDP/5858.
C. It configures the router to receive cache flow information from IP 10.10.10.1 on port
UDP/5858.
D. It configures the router to receive cache flow information about flows with destination IP
10.10.10.1 and port UDP/5858.

Answer: A

Explanation

The "ip flow-export destination 10.10.10.1 5858" command is used to export the information
captured by the "ip flow-capture" command to the destination 10.10.10.1. "5858" is the UDP
port to which NetFlow packets are sent (default is 2055). The syntax of this command is:

ip flow-export destination ip-address [udp-port] [version 5 {origin-as | peer-as}]

Question 6

Which NetFlow component is applied to an interface and collects information about flows?

A. flow monitor
B. flow exporter
C. flow sampler
D. flow collector

Answer: A

Explanation

Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform
network traffic monitoring. Flow monitors consist of a record and a cache. You add the
record to the flow monitor after you create the flow monitor. The flow monitor cache is
automatically created at the time the flow monitor is applied to the first interface. Flow data
is collected from the network traffic during the monitoring process based on the key and
nonkey fields in the record, which is configured for the flow monitor, and stored in the flow
monitor cache.

The following example creates a flow monitor named FLOW-MONITOR-1 and enters
Flexible NetFlow flow monitor configuration mode:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)#

(Reference:
http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html
#wp1314030)

Question 7

A network engineer is notified that several employees are experiencing network performance
related issues, and bandwidth-intensive applications are identified as the root cause. In order
to identify which specific type of traffic is causing this slowness, information such as the
source/destination IP and Layer 4 port numbers is required. Which feature should the
engineer use to gather the required information?

A. SNMP
B. Cisco IOS EEM
C. NetFlow
D. Syslog
E. WCCP

Answer: C

Question 8

An engineer executes the ip flow ingress command in interface configuration mode. What is
the result of this action?

A. It enables the collection of IP flow samples arriving to the interface.
B. It enables the collection of IP flow samples leaving the interface.
C. It enables IP flow while disabling IP CEF on the interface.
D. It enables IP flow collection on the physical interface and its subinterfaces.

Answer: A

Explanation

The following is an example of configuring an interface to capture flows into the NetFlow
cache. CEF followed by NetFlow flow capture is configured on the interface:

Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
or
Router(config-if)# ip route-cache flow

Note: Either the ip flow ingress or the ip route-cache flow command can be used, depending on
the Cisco IOS Software version. ip flow ingress is available in Cisco IOS Software Release
12.2(15)T or later.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-
netflow/prod_white_paper0900aecd80406232.html

Question 9

Refer to the exhibit. Which statement about the command output is true?

A. The router exports flow information to 10.10.10.1 on UDP port 5127.
B. The router receives flow information from 10.10.10.2 on UDP port 5127.
C. The router exports flow information to 10.10.10.1 on TCP port 5127.
D. The router receives flow information from 10.10.10.2 on TCP port 5127.

Answer: A

Question 10

In which two ways can NetFlow data be viewed? (Choose two)

A. CLI
B. NetFlow collector
C. built-in GUI
D. syslog server interface
E. web interface

Answer: A B

Explanation

There are two primary methods to access NetFlow data: the Command Line Interface (CLI)
with show commands or utilizing an application reporting tool. If you are interested in an
immediate view of what is happening in your network, the CLI can be used. The other choice
is to export NetFlow to a reporting server or what is called the "NetFlow collector".

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

Question 11

A network engineer is configuring the router for NetFlow data exporting. What is required in
order for NDE to begin exporting data?

A. Source
B. Flow mask
C. Destination
D. Interface type
E. Traffic type
F. NetFlow version

Answer: C

Explanation

NetFlow collects statistics about traffic that flows through the router. NetFlow Data Export
(NDE) enables you to export those statistics to an external data collector for analysis.

An example of configuring NetFlow data exporting is shown below:

Router(config)#interface fa0/1
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2 //NetFlow will use Fa0/2 as the source IP address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
Router(config)#ip flow-cache timeout active 1 //export flow records every minute.

The most important parameter when configuring NetFlow is the destination where NetFlow
sends data to. Other parameters can be ignored and they will use default values (except the
command "ip route-cache flow" to enable NetFlow).

Question 12

A network engineer executes the "show ip cache flow" command. Which two types of
information are displayed in the report that is generated? (Choose two)

A. top talkers
B. flow export statistics
C. flow sample for specific protocols
D. MLS flow traffic
E. IP packet distribution

Answer: C E

Explanation

Below is an example of the "show ip cache flow" output:

Information provided includes packet size distribution (the answer says "IP packet
distribution" but maybe it is "IP packet size distribution"); basic statistics about number of
flows and export timer setting, a view of the protocol distribution statistics and the NetFlow
cache.

Also we can see the flow samples for TCP and UDP protocols (including Total Flows,
Flows/Sec, Packets/Flow…).

Question 13

Where can NetFlow export data for long term storage and analysis?

A. syslog
B. collector
C. another network device
D. flat file

Answer: B

Explanation
NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and
storing the flows. Usually a collector is a separate piece of software running on a network server.
NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).
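The export configuration in Question 11 sends version 5 records over UDP to a collector, and Question 13 says the collector's job is to parse and store them. The following added example (not from the original page or any Cisco or collector product) shows what a collector does with one such datagram: it unpacks the 24-byte v5 header and 48-byte records, validates that the record count matches the datagram length before trusting it, and summarizes top talkers by source address. The flows, addresses and ports are constructed sample data; in practice the bytes would arrive on the UDP socket bound to the port given in the ip flow-export destination command.

```python
"""Parse a NetFlow v5 export datagram the way a collector would.

Added example, not from the original page. All flow values, addresses and
ports are constructed sample data.
"""
import ipaddress
import struct

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
HEADER_FMT = ">HHIIIIBBH"
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes).
RECORD_FMT = ">IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def build_v5_datagram(records, seq=0, uptime_ms=100000, unix_secs=1700000000):
    """Build a v5 datagram from (src, dst, sport, dport, proto, packets, octets)
    tuples, as a test exporter would."""
    header = struct.pack(HEADER_FMT, 5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in records:
        body += struct.pack(
            RECORD_FMT,
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0,
            1, 2, pkts, octets, uptime_ms - 5000, uptime_ms - 1000,
            sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0,
        )
    return header + body


def parse_v5_datagram(data):
    """Return {'sequence', 'count', 'flows'}; reject malformed datagrams."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN]
    )
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    # The count field is attacker-controlled input; check it against the real length.
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"record count {count} does not match datagram length {len(data)}")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return {"sequence": seq, "count": count, "flows": flows}


def top_talkers(flows, n=3):
    """Sum octets per source address and return the n largest."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample datagram: two hosts, one HTTPS, one DNS, one bulk HTTP flow.
SAMPLE = build_v5_datagram([
    ("192.0.2.10", "198.51.100.5", 51514, 443, 6, 120, 150000),
    ("192.0.2.11", "198.51.100.5", 40000, 53, 17, 2, 200),
    ("192.0.2.10", "203.0.113.9", 51515, 80, 6, 9000, 12000000),
], seq=1)

if __name__ == "__main__":
    parsed = parse_v5_datagram(SAMPLE)
    for f in parsed["flows"]:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} octets={f['octets']}")
    print("top talkers:", top_talkers(parsed["flows"]))
```

The length check matters because the count field comes from the network: a collector that trusts it and indexes past the end of the datagram is the kind of bug that turns a monitoring tool into a crash target.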

Question 14

Refer to the exhibit. How can you configure a second export destination for IP address
192.168.10.1?
configure terminal
ip flow-export destination 192.168.10.1 9991
ip flow-export version 9

A. Specify a different TCP port
B. Specify a different UDP port
C. Specify a VRF
D. Configure a version 5 flow-export to the same destination
E. Specify a different flow ID

Answer: B

Explanation

To configure multiple NetFlow export destinations to a router, use the following commands
in global configuration mode:

Step 1: Router(config)# ip flow-export destination ip-address udp-port
Step 2: Router(config)# ip flow-export destination ip-address udp-port

The following example enables the exporting of information in NetFlow cache entries:
ip flow-export destination 10.42.42.1 9991
ip flow-export destination 10.0.101.254 1999

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html

Question 15

Which two statements about NetFlow templates are true? (Choose two)

A. Only NetFlow version 9 is template based
B. NetFlow Version 5 and version 9 are template based
C. Only NetFlow version 5 is template based
D. Templates can increase bandwidth usage
E. They can increase overall performance
F. They can reduce bandwidth usage

Answer: A D

Explanation

The distinguishing feature of the NetFlow Version 9 format is that it is template based ->
Answer A is correct.

Reference:
https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

Export bandwidth increases for version 9 (because of template flowsets) versus version 5 ->
Answer D is correct.

Version 9 slightly decreases overall performance, because generating and maintaining valid
template flowsets requires additional processing -> Answer E is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfexpfv9.html

Question 16

Which version or versions of NetFlow support MPLS?

A. all versions of NetFlow
B. NetFlow version 9
C. NetFlow version 8
D. NetFlow version 5
E. NetFlow version 8 and 9

Answer: B

Explanation

MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow
exports up to three labels of interest from the incoming label stack, the IP address associated
with the top label, as well as traditional NetFlow data.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf24.html

Troubleshooting Questions
https://www.digitaltut.com/troubleshooting-questions

Question 1

Which two commands would be used to troubleshoot high memory usage for a process?
(Choose two)

A. router#show memory allocating-process table
B. router#show memory summary
C. router#show memory dead
D. router#show memory events
E. router#show memory processor statistics

Answer: A B

Explanation

The "show memory allocating-process table" command displays statistics on allocated
memory with corresponding allocating processes. This command can also be used to find
memory leaks. A memory leak occurs when a process requests or allocates memory and then
forgets to free (de-allocate) the memory when it has finished that task.

Note: In fact the correct command should be "show memory allocating-process totals" (not
"table").

The "show memory summary" command displays a summary of all memory pools and
memory usage per Alloc PC (address of the system call that allocated the block). An example
of the output of this command is shown below:

Legend:
+ Total: the total amount of memory available after the system image loads and builds its
data structures.
+ Used: the amount of memory currently allocated.
+ Free: the amount of memory currently free.
+ Lowest: the lowest amount of free memory recorded by the router since it was last booted.
+ Largest: the largest free memory block currently available.

Note: The show memory allocating-process totals command contains the same information
as the first three lines of the show memory summary command.

An example of a high memory usage problem is a large amount of free memory, but a small
value in the "Lowest" column. In this case, a normal or abnormal event (for example, a large
routing instability) causes the router to use an unusually large amount of processor memory
for a short period of time, during which the memory has run out.

The show memory dead command is only used to view the memory allocated to a process
which has terminated. The memory allocated to this process is reclaimed by the kernel and
returned to the memory pool by the router itself when required. This is the way IOS handles
memory. A memory block is considered as dead if the process which created the block exits
(no longer running).

The command show memory events does not exist.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf013.html
and http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/6507-mallocfail.html

Question 2

A network engineer finds that a core router has crashed without warning. In this situation,
which feature can the engineer use to create a crash collection?

A. secure copy protocol
B. core dumps
C. warm reloads
D. SNMP
E. NetFlow

Answer: B

Explanation

A core dump is a file containing a process's address space (memory) at the moment the process
terminates unexpectedly; it is used to identify the cause of the crash.

Question 3

A network engineer is investigating the cause of a service disruption on a network segment
and executes the debug condition interface fastethernet f0/0 command. In which situation
is the debugging output generated?

A. when packets on the interface are received and the interface is operational
B. when packets on the interface are received and logging buffered is enabled
C. when packets on the interface are received and forwarded to a configured syslog server
D. when packets on the interface are received and the interface is shut down

Answer: A

Question 4

Various employees in the same department report to the network engineer about slowness in
the network connectivity to the Internet. They are also having latency issues communicating
to the network drives of various departments. Upon monitoring, the engineer finds traffic
flood in the network. Which option is the problem?

A. network outage
B. network switching loop
C. router configuration issue
D. wrong proxy configured

Answer: B

Miscellaneous Questions
https://www.digitaltut.com/miscellaneous-questions

Question 1

A network administrator executes the command clear ip route. Which two tables does this
command clear and rebuild? (Choose two)

A. IP routing
B. FIB
C. ARP cache
D. MAC address table
E. Cisco Express Forwarding table
F. topology table

Answer: A B

Explanation

The command ―clear ip route‖ clears one or more routes from both the unicast RIB (IP
routing table) and all the module Forwarding Information Bases (FIBs).

Question 2

Which prefix is matched by the command ip prefix-list name permit 10.8.0.0/16 ge 24 le 24?

A. 10.9.1.0/24
B. 10.8.0.0/24
C. 10.8.0.0/16
D. 10.8.0.0/23

Answer: B

Explanation

The prefix-list "ip prefix-list name permit 10.8.0.0/16 ge 24 le 24" means:

+ Check the first 16 bits of the prefix. They must be 10.8
+ The subnet mask must be greater than or equal to 24
+ The subnet mask must be less than or equal to 24

-> The subnet mask must be exactly 24

Therefore the suitable prefix that is matched by the above ip prefix-list should be 10.8.x.x/24
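The matching rule above (leading bits must equal the entry's network, and the candidate's length must fall in the ge/le range) is easy to get wrong when writing route filters, so the following added example, which is not from the original page or Cisco IOS, implements it as a small evaluator and runs the question's four candidates through it. It generalizes the question slightly: entries without ge/le match the exact length, ge alone means "ge up to 32", le alone means "network length up to le", and the list is evaluated top-down with an implicit deny, which is how IOS treats prefix lists. The list name "name" comes from the question; the second list and its seq numbers are constructed.

```python
"""Evaluate Cisco-style ip prefix-list entries against candidate prefixes.

Added example, not from the original page or Cisco IOS. The first entry is
the one from the question; the second list is constructed.
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq \d+)? (?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_entry(line):
    """Parse one entry into a dict with the allowed prefix-length range."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a prefix-list entry: {line!r}")
    network = ipaddress.ip_network(m["net"], strict=False)
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    # IOS semantics: no ge/le -> exact length; ge alone -> ge..max;
    # le alone -> network length..le; both -> ge..le.
    low = high = network.prefixlen
    if ge is not None:
        low, high = ge, network.max_prefixlen
    if le is not None:
        high = le
    if not (network.prefixlen <= low <= high <= network.max_prefixlen):
        raise ValueError(f"invalid ge/le range in {line!r}")
    return {"name": m["name"], "action": m["action"],
            "network": network, "low": low, "high": high}


def entry_matches(entry, candidate):
    """True if the candidate's leading bits equal the entry's network and
    its prefix length lies within [low, high]."""
    cand = ipaddress.ip_network(candidate, strict=False)
    net = entry["network"]
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    return entry["low"] <= cand.prefixlen <= entry["high"]


def evaluate(entries, candidate):
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry["action"]
    return "deny"


QUESTION_LIST = [parse_entry("ip prefix-list name permit 10.8.0.0/16 ge 24 le 24")]

if __name__ == "__main__":
    for cand in ("10.9.1.0/24", "10.8.0.0/24", "10.8.0.0/16", "10.8.0.0/23"):
        print(f"{cand:>14}: {evaluate(QUESTION_LIST, cand)}")
```

Running it prints permit only for 10.8.0.0/24, matching answer B; 10.8.0.0/16 fails the length test and 10.9.1.0/24 fails the leading-bits test.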

Question 3

A user is having issues accessing file shares on a network. The network engineer advises the
user to open a web browser, input a prescribed IP address, and follow the instructions. After
doing this, the user is able to access company shares. Which type of remote access did the
engineer enable?

A. EZVPN
B. IPsec VPN client access
C. VPDN client access
D. SSL VPN client access

Answer: D

Explanation

This is a new user (client) whose computer has not yet been set up for an SSL VPN connection, so
the user must open a web browser, enter the URL and log in successfully to be authenticated.
A small piece of software is also downloaded and installed on the client computer the first
time. Afterwards the user can access file shares on that network normally.

Question 4

Which technology was originally developed for routers to handle fragmentation in the path
between end points?

A. PMTUD
B. MSS
C. windowing
D. TCP
E. global synchronization

Answer: A

Explanation

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized
technique to determine the maximum transmission unit (MTU) size on the network path
between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was
originally intended for routers in IPv4. However, all modern operating systems use it on
endpoints.

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be
reassembled later.

Question 5

If the total bandwidth is 64 kbps and the RTT is 3 seconds, what is the bandwidth delay
product?

A. 8,000 bytes
B. 16,000 bytes
C. 24,000 bytes
D. 32,000 bytes
E. 62,000 bytes

Answer: C

Explanation

Bandwidth-delay product (BDP) is the maximum amount of data "in transit" at any point in
time between two endpoints. In other words, it is the amount of data "in flight" needed to
saturate the link. You can think of the link between two devices as a pipe. The cross section of
the pipe represents the bandwidth and the length of the pipe represents the delay (the
propagation delay due to the length of the pipe).

Therefore the Volume of the pipe = Bandwidth x Delay. The volume of the pipe is also the
BDP.

Returning to our question, the formula to calculate BDP is:

BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 =
192,000 bits

-> BDP (bytes) = 192,000 / 8 = 24,000 bytes

Therefore we need 24KB in flight to fill this link.

For your information, BDP is very important in TCP communication as it optimizes the use
of bandwidth on a link. As you know, a disadvantage of TCP is that it has to wait for an
acknowledgment from the receiver before sending more data. The waiting time may be
very long and we may not utilize the full bandwidth of the link for the transmission.

Based on BDP, the sending host can increase the amount of data sent on a link (usually by
increasing the window size). In other words, the sending host can fill the whole pipe with
data and no bandwidth is wasted.

Question 6

A network engineer receives reports about poor voice quality issues at a remote site. The
network engineer does a packet capture and sees out-of-order packets being delivered. Which
option can cause the VOIP quality to suffer?

A. traffic over backup redundant links
B. misconfigured voice vlan
C. speed duplex link issues
D. load balancing over redundant links

Answer: D

Question 7

In which scenario can asymmetric routing occur?

A. active/active firewall setup
B. single path in and out of the network.
C. active/standby firewall setup
D. redundant routers running VRRP

Answer: D

Explanation

Asymmetric routing is the scenario in which the outgoing packet takes one path and the returning
packet takes another path. VRRP can cause asymmetric routing to occur, for example:

R1 and R2 are the two routers in the local internal LAN network that are running VRRP. R1
is the master router and R2 is the backup router.

These two routers are connected to an ISP gateway router, by using BGP. This topology
provides two possible outgoing and incoming paths for the traffic.

Suppose the outgoing traffic is sent through R1 but VRRP failover occurs, R2 becomes the
new master router -> traffic passing through R2 instead -> asymmetric routing occurs.

Question 8

How can route tags be set? (Choose two)

A. only with route-maps
B. only with tag lists
C. can be set with route-maps
D. can be set with taglist
E. only used on link state RPs

Answer: C D

Question 9

What are three reasons to control routing updates via route filtering? (Choose three)

A. to hide certain networks from the rest of organization
B. for easier implementations
C. to control network overhead on the wire
D. for simple security
E. to prevent adjacencies from forming

Answer: A C D

Drag and Drop

https://www.digitaltut.com/drag-and-drop

Question 1

Drag and drop the IPv6 NAT characteristic from the left to the matching IPv6 NAT category
on the right.

Answer:

NAT64:
+ Use Network-specific prefix
+ Modify session during translation

NPTv6:
+ Modify IP header in transit
+ Map one IPv6 address prefix to another IPv6 prefix

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). NAT64 requires a dedicated prefix, called the NAT64 prefix, to
recognize which hosts need IPv4-IPv6 translation. The NAT64 prefix can be a Network-specific
prefix (NSP), which is configured by a network administrator, or a well-known prefix (which
is 64:FF9B::/96). When a NAT64 router receives a packet whose destination starts with the NAT64
prefix, it processes this packet with NAT64.

NAT64 is not as simple as IPv4 NAT, which only translates the source or destination IPv4
address. NAT64 translates nearly everything (source and destination IP addresses, port numbers,
IPv4/IPv6 headers... which together are called a session) from IPv4 to IPv6 and vice versa. So NAT64
"modifies the session during translation".

Question 2

Drag and drop the BGP states from the left to the matching definitions on the right.

Answer:

+ OpenSent: wait for an OPEN message
+ OpenConfirm: wait for a KEEPALIVE or NOTIFICATION message
+ Established: UPDATE, NOTIFICATION and KEEPALIVE messages are exchanged with
peers
+ Idle: refuse connections
+ Active: listen for and accept connection
+ Connect: wait for the connection to be completed

Explanation

The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm ->
Established

+ Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor
relationship has been administratively shut down.
+ Connect: TCP handshake completed.
+ Active: BGP tries another TCP handshake to establish a connection with the remote BGP
neighbor. If it is successful, it will move to the OpenSent state. If the ConnectRetry timer
expires then it will move back to the Connect state. Note: Active is not a good state.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.

Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3

Question 3

Drag and drop the Cisco Express Forwarding adjacency types from the left to the correct type
of processing on the right.
Left column (adjacency types): Punt Adjacency, Drop Adjacency, Null Adjacency, Discard
Adjacency, Glean Adjacency.

Right column (types of processing):
+ Packets are discarded.
+ Features that require special handling or features that are not yet supported in
conjunction with CEF switching paths are forwarded to the next switching layer for handling.
Features that are not supported are forwarded to the next higher switching level.
+ When a router is connected directly to several hosts, the FIB table on the router maintains a
prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a
glean adjacency. When packets need to be forwarded to a specific host, the adjacency database
is gleaned for the specific prefix.
+ Packets are dropped, but the prefix is checked.
+ Packets destined for a Null0 interface are dropped. This can be used as an effective form of
access filtering.

Answer:

Punt Adjacency: Features that require special handling or features that are not yet supported
in conjunction with CEF switching paths are forwarded to the next switching layer for
handling. Features that are not supported are forwarded to the next higher switching level.
Drop Adjacency: Packets are dropped, but the prefix is checked.
Null Adjacency: Packets destined for a Null0 interface are dropped. This can be used as an
effective form of access filtering.
Discard Adjacency: Packets are discarded.
Glean Adjacency: When a router is connected directly to several hosts, the FIB table on the
router maintains a prefix for the subnet rather than for the individual host prefixes. The
subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific
host, the adjacency database is gleaned for the specific prefix.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html

Question 4

Drag and drop the Challenge Handshake Authentication Protocol steps from the left into the
correct order in which they occur on the right.

Answer:

+ Target 1: When the LCP phase is complete and CHAP is negotiated between both devices,
the authenticator sends a challenge message to the peer
+ Target 2: The peer responds with a value calculated through a one-way hash function
(MD5)
+ Target 3: The authenticator checks the response against its own calculation of the expected
hash value. If the values match, the authentication is successful. Otherwise, the connection is
terminated

Explanation

The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the peer
by means of a three-way handshake. These are the general steps performed in CHAP:
1) After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated
between both devices, the authenticator sends a challenge message to the peer.
2) The peer responds with a value calculated through a one-way hash function (Message
Digest 5 (MD5)).
3) The authenticator checks the response against its own calculation of the expected hash
value. If the values match, the authentication is successful. Otherwise, the connection is
terminated.

This authentication method depends on a "secret" known only to the authenticator and the
peer. The secret is not sent over the link. Although the authentication is only one-way, you
can negotiate CHAP in both directions, with the help of the same secret set for mutual
authentication.

Reference: http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html

For more information about CHAP challenge please read our PPP tutorial.
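The three CHAP steps above, carried out in code as an added example (not from the original page, the referenced Cisco document, or any PPP implementation). The response is computed as RFC 1994 specifies, MD5 over the one-octet identifier, the shared secret and the challenge value, so the secret itself never appears on the link; the authenticator recomputes the same digest and compares it in constant time. The secret and identifier values are constructed.

```python
"""CHAP three-way handshake (RFC 1994) worked through in code.

Added example, not from the original page. The shared secret and identifier
below are constructed sample values.
"""
import hashlib
import hmac
import os


def chap_challenge(length=16):
    """Step 1: the authenticator generates a fresh, unpredictable challenge value
    once LCP is up and CHAP has been negotiated."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """Step 2: the peer returns MD5(identifier || secret || challenge).
    Only this digest crosses the link, never the secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Step 3: the authenticator recomputes the expected digest with its own
    copy of the secret; a mismatch means the connection is terminated."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(authenticator_secret, peer_secret, identifier=1):
    """Simulate one CHAP transaction between an authenticator and a peer.
    Returns (success, challenge, response)."""
    challenge = chap_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    ok = chap_verify(identifier, authenticator_secret, challenge, response)
    return ok, challenge, response


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    ok, _, _ = run_chap(SECRET, SECRET)
    print("matching secrets:", "authenticated" if ok else "connection terminated")
    ok, _, _ = run_chap(SECRET, b"wrong-secret")
    print("wrong secret:   ", "authenticated" if ok else "connection terminated")
```

Because the challenge is random per transaction, the same secret produces a different response every time, which is why a captured response cannot simply be replayed later; the authenticator can also send a new challenge mid-session to re-authenticate, as the PAP/CHAP comparison in Drag and Drop Question 6 notes.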

Question 5

Drag the descriptions on the left to the appropriate group on the right.

Answer:

Authentication:
+ supports a local database for device access
+ supports encryption

Authorization:
+ specifies a user's specific access privileges
+ enforces time periods during which a user can access the device

Accounting:
+ not supported with local AAA
+ verifies network usage

Explanation

AAA offers different solutions that provide access control to network devices. The following
services are included within its modular architectural framework:
+ Authentication – The process of validating users based on their identity and predetermined
credentials, such as passwords and other mechanisms like digital certificates. Authentication
controls access by requiring valid user credentials, which are typically a username and
password. With RADIUS, the ASA supports PAP, CHAP, MS-CHAPv1 and MS-CHAPv2, which is
why Authentication is said to support encryption.
+ Authorization – The method by which a network device assembles a set of attributes that
regulate what tasks the user is authorized to perform. These attributes are measured against a
user database. The results are returned to the network device to determine the user's
qualifications and restrictions. This database can be located locally on the Cisco ASA or it can be
hosted on a RADIUS or Terminal Access Controller Access-Control System Plus
(TACACS+) server. In summary, Authorization controls access per user after users
authenticate.
+ Accounting – The process of gathering and sending user information to an AAA server
used to track login times (when the user logged in and logged off) and the services that users
access. This information can be used for billing, auditing, and reporting purposes.

Question 6

Drag the characteristics on the left to the proper authentication protocols on the right.

Answer:

PAP:
+ Provides minimal security
+ Requires a username and password only

CHAP:
+ Generates a unique string for each transaction
+ Supports mid-session re-authentication

Question 7

Drag the items on the left to the proper locations on the right.

Answer:

Radius
+ Uses UDP port 1812 (for authentication/authorization). It encrypts only the password in the
access-request packet, from the client to the server. The remainder of the packet is
unencrypted.
+ It combines authorization and accounting functions

TACACS+
+ Uses TCP port 49 and encrypts the entire packet
+ It separates authorization and accounting functions

Question 8

Drag the items on the left to the proper locations on the right.

Answer:

+ network-specific stateful NAT64 prefix: IPv6 prefix assigned by an organization
+ NAT64 : supports application layer gateway
+ NPTv6 : translates 2001:1::/64 to 2001:2::/64
+ well-known stateful NAT64 prefix: supports IPv6 prefix 64:FF9B::/96

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network
address translation (NAT). There are two different forms of NAT64, stateless and stateful:

+ Stateless NAT64: maps the IPv4 address into an IPv6 prefix. As the name implies, it keeps
no state. It does not save any IP addresses since every v4 address maps to one v6 address.
Stateless NAT64 does not conserve IPv4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4
addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it
creates or modifies bindings or session state while performing translation (1:N translation). It
supports both IPv6-initiated and IPv4-initiated communications using static or manual
mappings. Stateful NAT64 conserves IPv4 addresses.

NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6 and it supports
one-to-one translation between inside and outside addresses.

Question 9

Answer:

+ mGRE: Protocol to connect multiple destinations
+ IPSec: Protocol used to secure connection
+ Keepalive: Used to keep the other side of the tunnel interface up while the local side is up
+ Tunnel Key: Used to authenticate connection
+ MSS: Amount of data that a device can handle as an unfragmented piece

Question 10

Drag and drop each frame-relay component on the left to the correct statement on the right.

Answer:

+ SVC: A circuit that provides temporary on-demand connections between DTEs
+ LMI: A signaling mechanism for Frame Relay devices
+ DLCI: A locally significant ID
+ FECN: An indicator of congestion on the network
+ PVC: A logical connection comprising two endpoints and a CIR

Question 11

Answer:

+ DHCPv6 Server:
IPv6 address autoconfig
IPv6 enable

+ Client Interface:
IPv6 address
IPv6 DHCP Relay destination

Question 12

Answer:

RADIUS:
+ combines authentication and authorization functions
+ has no option to authorize router commands

TACACS+:
+ encrypts the entire packet
+ uses TCP port 49

Question 13

Drag and drop each statement about uRPF on the left to the correct uRPF mode on the right.

Answer:

Loose Modes:
+ It supports using the default route as a route reference
+ It requires the source address to be routable

Strict Modes:
+ It can drop legitimate traffic
+ It permits only packets that are received on the same interface as the exit interface for the
destination address
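To make the loose/strict distinction above concrete, here is an added example (not from the original page or Cisco IOS) that runs both uRPF modes against a small forwarding table with a longest-prefix-match lookup. It shows the two behaviours the answer key names: strict mode rejects a legitimate source that arrives on a different interface than the FIB's egress for it (the asymmetric-routing case), and loose mode accepts any routable source, counting the default route only when an allow-default option is set. The interface names and routes are constructed sample data.

```python
"""Loose vs strict unicast RPF checks against a small FIB.

Added example, not from the original page or Cisco IOS. Interface names and
routes are constructed sample data.
"""
import ipaddress


class Fib:
    """Minimal forwarding table: longest-prefix match returns (network, egress_iface)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib, src_ip, ingress_iface, mode, allow_default=False):
    """Return True if a packet with source src_ip arriving on ingress_iface passes uRPF.

    loose:  the source must be routable (any FIB entry); the default route only
            counts as a reference when allow_default is set.
    strict: the FIB's egress interface for the source must be the ingress
            interface, so asymmetric paths fail even for legitimate sources.
    """
    match = fib.lookup(src_ip)
    if match is None:
        return False                       # unroutable source: dropped in both modes
    net, egress_iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                       # only the default route covers it
    if mode == "strict":
        return egress_iface == ingress_iface
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed FIB: two internal subnets behind Gi0/1 and Gi0/2, default toward Gi0/0.
FIB = Fib([
    ("10.1.0.0/16", "Gi0/1"),
    ("10.2.0.0/16", "Gi0/2"),
    ("0.0.0.0/0", "Gi0/0"),
])

if __name__ == "__main__":
    cases = [
        ("10.1.4.4", "Gi0/1", "strict", False),   # symmetric path: passes
        ("10.2.5.5", "Gi0/1", "strict", False),   # asymmetric path: dropped
        ("10.2.5.5", "Gi0/1", "loose", False),    # routable: passes
        ("203.0.113.7", "Gi0/1", "loose", False), # only via default: dropped
        ("203.0.113.7", "Gi0/1", "loose", True),  # default allowed: passes
    ]
    for src, iface, mode, allow in cases:
        verdict = "pass" if urpf_check(FIB, src, iface, mode, allow) else "drop"
        print(f"{src:>13} on {iface} {mode:>6} allow_default={allow}: {verdict}")
```

The second case is the "it can drop legitimate traffic" item from the strict column: 10.2.5.5 is a real internal host, but because its return path is Gi0/2, a packet from it arriving on Gi0/1 fails the strict check.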

Drag and Drop 2

https://www.digitaltut.com/drag-and-drop-2-2

Question 1

Drag and drop the statements about device security from the left onto the correct description
on the right.

Answer:

CoPP:
+ It protects the device against DoS attacks
+ It supports packet forwarding by reducing the load on the device
+ It uses QoS to limit the load on the device

MPP:
+ It designates the permitted management interfaces on the device
+ It is enabled only when an interface is configured
+ It requires only a single command to configure

Question 2

Drag and drop the steps in the NAT process for IPv4-initiated packets from the left into the
correct sequence on the right.

Answer:

Step 1: The packet is routed to an NVI
Step 2: The packet is assigned a dynamic or static binding
Step 3: The IPV4 source address is translated to IPv6
Step 4: The translation information is used to create a session

Question 3

Drag and drop for adverse network conditions.

Answer:

Excessive unicast flooding condition: caused by including a host port in STP
Out-of-order packets: potential result of disabling FIFO
TCP starvation: potential effect of excessive UDP traffic on link
Asymmetric routing: cause of inconsistent traffic patterns
Latency: condition in which packets require an excessive length of time to traverse a switch

Explanation

The most common reason for excessive unicast flooding in steady-state Catalyst switch
networks is the lack of proper host port configuration. Hosts, servers, and any other end-
devices do not need to participate in the STP process; therefore, the link up and down states
on the respective NIC interfaces should not be considered an STP topology change.

Reference: http://www.ciscopress.com/articles/article.asp?p=336872

Question 4

Drag and drop the statements from the left onto the correct IPv6 router security features on
the right.

Answer:

IPv6 Traffic Filter
+ It filters traffic on the interface level
+ It supports tagged ACLs

IPv6 Access Classes
+ It controls traffic to and from the router
+ It requires the destination address for inbound traffic to be a local address
+ It filters management traffic

Question 5

Drag and drop steps in the TACACS+ authentication process from the left onto the actors that
perform them on the right.

Answer:

Router:
+ prompts the user for a username and password
+ passes logon information to the TACACS+ server

TACACS+ Server:
+ authenticates the user
+ authorizes the user

User:
+ provides access credentials
+ attempts to access the router

Question 6

Drag and drop the correct description on the right onto the corresponding ACL types on the
left.

Answer:

+ Dynamic: ACL that uses Telnet for Authentication
+ Extended: ACL type that should be placed closest to the traffic source
+ Reflexive: ACL that must be defined with a named ACL
+ Standard: ACL numbered from 1300 through 1999
+ Time-based: ACL that is applied to traffic only during specifically defined periods

Explanation

The general rule when applying access lists is to apply standard IP access lists as close to the
destination as possible and to apply extended access lists as close to the source as possible.
The reasoning for this rule is that because standard access lists lack granularity, it is better to
implement them as close to the destination as possible; extended access lists have more
potential granularity, thus they are better implemented close to the source.

Reference: http://www.ciscopress.com/articles/article.asp?p=1697887

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information.
They are generally used to allow outbound traffic and to limit inbound traffic in response to
sessions that originate inside the router. Reflexive ACLs can be defined only with extended
named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with
other protocol ACLs. Reflexive ACLs can be used in conjunction with other standard and
static extended ACLs. The outbound ACL will have the 'reflect' keyword. It is the ACL that
matches the originating traffic. The inbound ACL will have the 'evaluate' keyword. It is the ACL
that matches the returning traffic.

Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release
11.1. This feature is dependent on Telnet, authentication (local or remote), and extended
ACLs.

Lock and key configuration starts with the application of an extended ACL to block traffic
through the router. Users that want to traverse the router are blocked by the extended ACL
until they Telnet to the router and are authenticated. The Telnet connection then drops and a
single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a
particular time period; idle and absolute timeouts are possible.

Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

OSPF Evaluation Sim

http://www.digitaltut.com/ospf-evaluation-sim

Question 1

How old is the Type 4 LSA from Router 3 for area 1 on the router R5 based on the output
you have examined?

A. 1858
B. 1601
C. 600
D. 1569

Answer: A

Question 2

Which of the following statements is true about the serial links that terminate in R3?

A. The R1-R3 link needs the neighbor command for the adjacency to stay up
B. The R2-R3 link OSPF timer values are 30, 120, 120
C. The R1-R3 link OSPF timer values should be 10,40,40
D. R3 is responsible for flooding LSUs to all the routers on the network.

Answer: B

Question 3

How many times was SPF algorithm executed on R4 for Area 1?

A. 1
B. 5
C. 9
D. 20
E. 54
F. 224

Answer: C

Question 4

The areas of routers R5 and R6 are not normal areas. Inspect their routing tables and determine which statement is true.

A. R5's Loopback and R6's Loopback are both present in R5's routing table
B. R5's Loopback and R6's Loopback are both present in R6's routing table
C. Only R5's loopback is present in R5's routing table
D. Only R6's loopback is present in R5's routing table
E. Only R5's loopback is present in R6's routing table

Answer: A

EIGRP Evaluation Sim

http://www.digitaltut.com/eigrp-evaluation-sim

Question 1

Traffic from R1 to R6's Loopback address is load shared between the R1-R2-R4-R6 and R1-R3-R5-R6 paths. What is the ratio of traffic over each path?

A. 1:1
B. 1:5
C. 6:8
D. 19:80

Answer: D

Question 2

What type of route filtering is occurring on R6?

A. Distribute-list using an ACL
B. Distribute-list using a prefix-list
C. Distribute-list using a route-map
D. An ACL using a distance of 255

Answer: A

Question 3

Which key chain is being used for authentication of the EIGRP adjacency between R4 and R2?

A. CISCO
B. EIGRP
C. key
D. MD5

Answer: A

Question 4

What is the advertised distance for the 192.168.46.0 network on R1?

A. 333056
B. 1938688
C. 1810944
D. 307456

Answer: A

Question 5

What percent of R1's interface bandwidth is EIGRP allowed to use?

A. 10
B. 20
C. 30
D. 40

Answer: B

EIGRP OSPF Redistribution Sim

http://www.digitaltut.com/route-eigrp-ospf-redistribution-sim

Question

You are a network engineer with ROUTE.com, a small IT company. They have recently
merged two organizations and now need to merge their networks as shown in the topology
exhibit. One network is using OSPF as its IGP and the other is using EIGRP as its IGP. R4
has been added to the existing OSPF network to provide the interconnect between the OSPF
and EIGRP networks. Two links have been added that will provide redundancy.
The network requirements state that you must be able to ping and telnet from loopback 101
on R1 to the OSPF domain test address of 172.16.1.100. All traffic must use the shortest path
that provides the greatest bandwidth. The redundant paths from the OSPF network to the
EIGRP network must be available in case of a link failure. No static or default routing is
allowed in either network.

A previous network engineer has started the merger implementation and has successfully
assigned and verified all IP addressing and basic IGP routing. You have been tasked with
completing the implementation and ensuring that the network requirements are met. You may
not remove or change any of the configuration commands currently on any of the routers.
You may add new commands or change default values.

Policy Based Routing Sim

http://www.digitaltut.com/route-policy-based-routing-sim

Question

Company Acan has two links that can carry its traffic to the Internet. Company policy requires that web traffic be forwarded only over the Frame Relay link when that link is available, while all other traffic may use either link. No static or default routing is allowed.
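One way to meet the requirement above with a route-map applied to the inside interface. This is an added example, not the sim's own answer key; the interface names, the inside network 10.1.0.0/16, the Frame Relay next hop 192.168.1.2 and the names of the ACL and route-map are assumptions.

```cisco
! Added example (not from the original page): policy-based routing that
! steers web traffic to the Frame Relay link while it is usable.
! Interfaces, addresses and names are assumptions.
!
! Classify web traffic from the inside network (HTTP and HTTPS).
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq www
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 443
!
! 'set ip next-hop' is only honoured while the next hop is in the routing
! table. When the Frame Relay subinterface goes down its connected route
! disappears, the set is skipped and web traffic follows the routing table
! over the remaining link. Non-web traffic matches no sequence and is
! routed normally, so no static or default route is needed.
route-map WEB-FR permit 10
 match ip address 101
 set ip next-hop 192.168.1.2
!
interface Serial0/0.1 point-to-point
 description Frame-Relay-to-ISP
 ip address 192.168.1.1 255.255.255.252
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map WEB-FR
```

`show route-map WEB-FR` shows the match counters, and `debug ip policy` shows each policy decision. If the circuit can stay up while the far end is unreachable, the interface-state check is not enough; `set ip next-hop verify-availability` with a tracked IP SLA probe to the next hop covers that case.
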

IPv6 OSPF Virtual Link Sim

http://www.digitaltut.com/route-ipv6-ospf-virtual-link-sim

Question

Acme is a small export company with an existing enterprise network that runs IPv6 OSPFv3. OSPF is currently configured on all routers; however, R4's loopback address (FEC0:4:4) cannot be seen in R1's IPv6 routing table. You are tasked with identifying the cause of this fault and implementing the needed corrective actions using OSPF features and without changing the current area assignments. You will know that you have corrected the fault when R4's loopback address (FEC0:4:4) can be seen in the routing table of R1.
Special Note: To gain the maximum number of points you must remove all incorrect or unneeded configuration statements related to this issue.
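The OSPF feature that reaches an area with no direct connection to area 0 without changing area assignments is a virtual link through a transit area. The following is an added example of a correct OSPFv3 virtual link, not the sim's own topology or answer: it assumes R2 is the ABR between area 0 and transit area 11, R3 is the ABR between area 11 and R4's area 34, and the router IDs 2.2.2.2 and 3.3.3.3.

```cisco
! Added example (not from the original page): OSPFv3 virtual link across
! transit area 11. Area numbers and router IDs are assumptions.
!
! R2 (ABR, areas 0 and 11): the argument is the far ABR's router ID.
ipv6 router ospf 1
 router-id 2.2.2.2
 area 11 virtual-link 3.3.3.3
!
! R3 (ABR, areas 11 and 34): points back at R2's router ID.
ipv6 router ospf 1
 router-id 3.3.3.3
 area 11 virtual-link 2.2.2.2
```

Both ends must name the other side's OSPF router ID, not an interface address; a wrong ID on either side leaves the virtual link down, which `show ipv6 ospf virtual-links` reports, and area 34's prefixes (R4's loopback) never reach area 0. The transit area must be a normal area, since stub areas cannot carry a virtual link, and a leftover virtual-link statement with a wrong ID should be removed rather than left beside the corrected one.
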

EIGRP Stub Sim

http://www.digitaltut.com/route-eigrp-stub-sim

Question

By opening its first remote office, JS Manufacturers has extended its business. They configured the remote office router (R3) so that it can reach all corporate subnets. To improve network stability and to lower memory and bandwidth utilization on R3, JS Manufacturers uses route summarization together with the EIGRP Stub Routing feature. Another network engineer was responsible for implementing this solution; however, in the process of configuring EIGRP stub routing, connectivity with the remote network devices off of R3 has been lost.
Currently JS has configured EIGRP on all routers in the network (R2, R3, and R4). Your task is to find and resolve the connectivity failure with the remote office router R3. After the problem has been solved, configure route summarization only toward the remote office router R3 to complete the task.

Successful pings from R4 to the R3 LAN interface prove that the fault has been corrected, and the R3 IP routing table should then contain only two 10.0.0.0 subnets.
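An added example of the two pieces this task asks for, not the sim's answer key. A stub that was configured as receive-only advertises nothing, so the hub loses the R3 LAN; the example puts R3 back to the default stub behaviour and then summarizes toward R3 on the hub. The autonomous system number 123, the interface names and the summary range 10.1.0.0/16 are assumptions.

```cisco
! Added example (not from the original page). AS number, interfaces and
! addresses are assumptions.
!
! R3: a receive-only stub sends no routes at all, so the corporate side
! cannot reach the R3 LAN. Replace it with the default stub options,
! which advertise connected and summary routes.
router eigrp 123
 no eigrp stub
 eigrp stub connected summary
!
! R4: summarize the corporate subnets on the interface that faces R3
! only, so R3 learns one summary instead of every subnet.
interface Serial0/0
 description To-R3
 ip summary-address eigrp 123 10.1.0.0 255.255.0.0
```

On R4, `show ip eigrp neighbors detail` should list R3 as a stub that advertises connected and summary routes; on R3, `show ip route eigrp` should show the summary rather than the individual corporate subnets. Summarizing on the interface toward R3 only, as the task requires, leaves the rest of the network with the specific routes.
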

OSPF Sim

http://www.digitaltut.com/route-ospf-sim

Question

OSPF is configured on routers Amani and Lynaic. Amani's S0/0 interface and Lynaic's S0/1 interface are in Area 0. Lynaic's Loopback0 interface is in Area 2.
Your task is to configure the following:

Portland's S0/0 interface in Area 1
Amani's S0/1 interface in Area 1
Use the appropriate mask such that ONLY Portland's S0/0 and Amani's S0/1 could be in Area 1.
Area 1 should not receive any external or inter-area routes (except the default route).
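An added example of a configuration that satisfies these requirements, not the sim's answer key: an exact-match network statement on each router and a totally stubby area 1. The link addressing 192.168.1.0/30 and the process ID 1 are assumptions.

```cisco
! Added example (not from the original page). Addresses and process ID
! are assumptions.
!
! Portland: a 0.0.0.0 wildcard matches exactly this interface address, so
! no other interface can fall into area 1 by accident.
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
!
router ospf 1
 network 192.168.1.2 0.0.0.0 area 1
 area 1 stub
!
! Amani (ABR; S0/0 is already in area 0): put only S0/1 in area 1 and
! make the area totally stubby, so it receives neither external nor
! inter-area routes, only the default route the ABR injects.
interface Serial0/1
 ip address 192.168.1.1 255.255.255.252
!
router ospf 1
 network 192.168.1.1 0.0.0.0 area 1
 area 1 stub no-summary
```

Every router in area 1 must carry the `area 1 stub` flag, otherwise the stub bit in the Hellos mismatches and the adjacency never forms; `no-summary` is needed only on the ABR. `show ip route ospf` on Portland should then show a single O*IA default route and nothing else from outside the area.
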

EIGRP Simlet

http://www.digitaltut.com/route-eigrp-simlet

Question

Refer to the exhibit. BigBids Incorporated is a worldwide auction provider. The network uses EIGRP as its routing protocol throughout the corporation. The network administrator does not understand the convergence of EIGRP. Using the output of the show ip eigrp topology all-links command, answer the administrator's questions.

Question 1

Which two networks does the Core1 device have feasible successors for? (Choose two)

A – 172.17.0.0/30
B – 172.17.1.0/24
C – 172.17.2.0/24
D – 172.17.3.0/25
E – 172.17.3.128/25
F – 10.140.0.0/24

Answer: A F

Question 2

Which three EIGRP routes will be installed for the 172.17.3.128/25 and 172.17.2.0/24
networks? (Choose three)

A – 172.17.3.128/25 [90/28160] via 172.17.1.2, 01:26:35, FastEthernet0/2
B – 172.17.3.128/25 [90/30720] via 172.17.3.2, 01:26:35, FastEthernet0/3
C – 172.17.3.128/25 [90/30720] via 172.17.10.2, 01:26:35, FastEthernet0/1
D – 172.17.2.0/24 [90/30720] via 172.17.10.2, 02:10:11, FastEthernet0/1
E – 172.17.2.0/24 [90/28160] via 172.17.10.2, 02:10:11, FastEthernet0/1
F – 172.17.2.0/24 [90/33280] via 172.17.3.2, 02:10:11, FastEthernet0/3

Answer: B C D

Question 3

Which three networks is the router at 172.17.10.2 directly connected to? (Choose three)

A – 172.17.0.0/30
B – 172.17.1.0/24
C – 172.17.2.0/24
D – 172.17.3.0/25
E – 172.17.3.128/25
F – 172.17.10.0/24

Answer: C E F
