RSTP Deployment

From: “Travis Henderson”


To: “CCIE Candidate”
Subject: RSTP Deployment
Hi,
We’re very excited that you are with us on this journey we’re about to embark on. I know we haven’t
even got to the official meet and greet yet, but I figured I might just take advantage of your expertise
already.
Our junior engineer has been busy rolling out new switches around the HQ lately. However, it seems
that STP settings have been left at their defaults on all switches. This has resulted in poor
performance related to wherever a device was plugged in or removed from the network. Management
is convinced that simply by enabling Rapid PVST+ everywhere the performance of the network will
dramatically improve, but I’m wondering if there are any additional settings that absolutely must be
implemented so that, after enabling RPVST+, the user experience is truly improved.

Best regards.
Travis
Network Manager

2/39

Refer to the new resource(s) available.


Which action must be taken in addition to enabling Rapid PVST+ on all switches in the HQ to guarantee
that the user experience is improved?
a) Disable EtherChannel Misconfiguration Guard
b) Protect ports toward end hosts with BPDU Guard
c) Configure ports toward end hosts as edge ports
d) Protect ports toward end hosts with BPDU Filter
Answer:
-------------------------------------#
RE: RSTP Deployment
From: “Travis Henderson”
To: “CCIE candidate”
Subject: RE: RSTP Deployment
Hi,
Thanks for the response. We have revised our choices. After an internal discussion, we enabled Rapid
PVST+ on HQ switches, configured ports toward end hosts with PortFast, enabled BPDU Guard
on the same ports and even shortened the forward_delay_timer to 10 seconds. It seems to work
nicely.
Now that we’re at this, I wanted to ask you. I was looking into securing our Rapid PVST+ deployment
and I was looking at this Root Guard feature. My understanding is that it protects the existence of the
root switch so that other switches cannot overthrow it, but I’m a little unsure as to where exactly to
configure it, as it can only be enabled on a per-port basis. Can you give me a hint here?
Best regards
Travis Henderson
FABD2 Network Manager
3/39

Refer to the new resource(s) available.


What is the proper placement for the Root Guard feature in the FABD2 network?
a) On edge ports toward end hosts on all switches in the FABD2 switches network
b) On root ports of the non-root switches in the FABD2 switches network
c) On designated ports of the root switches in the FABD2 switches network
d) On boundary ports toward switches networks not under FABD2’s administrative control
Answer:
-------------------------------------#
4/39

Refer to the new resource(s) available.


Based on the diagram, what design change can be made to address the flapping EIGRP neighbor
between r24 and r70 without impacting the network connectivity to any other DMVPN location?
a) On r70, enable EIGRP stub
b) On r21 and r70, put the WAN interfaces toward the SP into a front door VRF
c) On r70, only enable EIGRP on the r70 LAN interfaces and the DMVPN tunnel
d) On r70, do not advertise the 10.200.0.0/24 subnet in BGP
e) On r70, put the WAN interfaces toward the SP into a front door VRF
Answer:

-------------------------------------#

5/39
Refer to the new resource(s) available.
For every protection mechanism, indicate whether the individual statements are true, if any. (Select all
that apply.)
-------------------------------------#

6/39

Refer to the new resource(s) available.


Based on the email from Travis, which two statements about the combinations of the diverse
mechanisms are true? (Choose two)
a) Loop Guard and BPDU Guard are mutually exclusive
b) UDLD can be combined with Loop Guard
c) Loop Guard can be combined with Root Guard
d) Loop Guard and STP Dispute are mutually exclusive
e) UDLD and BPDU Filter are mutually exclusive
Answer:
-------------------------------------#
7/39

Refer to the new resource(s) available.


Which of the following phenomena is a possible consequence of mismatched OSPF reference bandwidth
in FABD2 DC?
a) Asymmetric routing
b) Inability to establish adjacencies
c) Routing loops
d) Route flapping
Answer:
-------------------------------------#
8/39

Refer to the new resource(s) available.


This item consists of multiple questions. You may need to scroll down to be able to see all questions.
Based on the email from Anna, what two actions when combined, would meet the requirements?
(Choose two.)
a) Put HQ into NSSA area 1 with the ABRs injecting an O N2 default into it
b) Have r12 inject an O N1 default route with the P bit cleared
c) Have r12 inject an O IA default route with low metric
d) Have r12 inject an O N1 default route with the P bit set
e) Put HQ into NSSA TS area 1 with the ABRs injecting an O E default route with a high metric into it

Answer:

Which two devices must be acting as the ABRs between HQ area 1 and the OSPF backbone to meet the
requirements? (Choose two.)
a) sw101
b) sw201
c) r11
d) sw202
e) r12
f) sw102

Answer:
-------------------------------------#
9/39

Refer to the new resource(s) available.


This item consists of multiple questions. You may need to scroll down to be able to see all questions.
Based on the current FABD2 design, which switch or switches must perform DHCP Snooping to avoid DHCP
related incidents in the HQ?
a) sw110 and sw211
b) sw110
c) sw101, sw102, sw110 and sw211
d) sw101, sw102 and sw110
Answer:

If DHCP Snooping was activated on sw110, what interfaces would need to operate as trusted interfaces?
a) Port channels toward sw101 and sw102
b) SVI for management VLAN on sw110
c) SVIs for VLANs where DHCP Snooping is activated
d) Ports toward end hosts
Answer:

Which of the following two approaches can be used to avoid breaking DHCP functionality when the DHCP
server runs on a different device than the DHCP snooping device? (Choose two.)
a) On IOS based DHCP servers and relay agents, accept DHCP messages containing Option 82
having all-zero giaddr
b) On switches performing DHCP Snooping, disable Option 82 insertion
c) On DHCP servers, allocate IP addresses to clients based on Option 82 remote-id and circuit-id
values instead of client MAC addresses
d) On DHCP clients, preconfigure customized Option 82 contents
e) On IOS-based DHCP relay agents, change the relay policy to replace Option 82
Answer:
-------------------------------------#
10/39

Refer to the new resource(s) available.


What are two parallel reasons for the direct spoke-to-spoke DMVPN tunnel coming up between r62 and
r70? (Choose two.)
a) Shortcut switching is enabled on the DMVPN tunnel of r62 and r70
b) The EIGRP next-hop self feature is disabled on r24
c) NHRP Redirects are enabled on the DMVPN tunnel of r24
d) r62’s NHRP and r70’s NHRP registrations can be seen by each other as they are multicasted over the
same DMVPN tunnel
e) Shortcut switching is enabled on the DMVPN tunnel of r24
f) NHRP Redirects are enabled on the DMVPN tunnel of r62 and r70
Answer:
-------------------------------------#
11/39

Refer to the new resource(s) available.


Based on the requirements for the security hardening in Branch #3, which two statements correctly
describe the use of the PVLAN port type?
a) To edge routers, use promiscuous trunk or promiscuous host ports
b) To edge routers, use traditional trunk ports
c) To switches supporting PVLANs, use promiscuous trunk ports
d) To edge routers, use routed ports
e) To switches supporting PVLANs, use traditional trunk ports
Answer:
-------------------------------------#
12/39

Refer to the new resource(s) available.


Drag the QoS configuration action on the left to the correct device on the right, observing the correct
order of the configuration. Not all options are used.
-------------------------------------#
13/39

Refer to the new resource(s) available.


What change is required to the BGP configuration in the environment of Global SP #1 so that r4 learns
about multiple paths to networks at Branch #3?
a) On r5 and r6, activate the route reflector function
b) On r5 and r6, unique RDs need to be configured
c) On r3 as the route reflector, BGP Multipath feature must be enabled
d) On each PE, unique RTs need to be configured
e) On r4 the BGP maximum paths setting needs to be increased
Answer:
-------------------------------------#
14/39
Refer to the new resource(s) available.
Which two addresses are the best choices for the Connected FABD2 and RapidStreaming multicast
groups? (Choose two.)
a) 232.2.1.1
b) 232.1.1.1
c) 239.129.1.2
d) 239.2.1.1
e) 232.129.1.1
f) 239.1.1.2
g) 239.1.1.1
Answer:
-------------------------------------#

15/39

Refer to the new resource(s) available.


For every RP discovery mechanism, indicate whether the individual statements are true or not, if any.
(Choose all that apply.)
-------------------------------------#
16/39

Refer to the new resource(s) available.


Given the current FABD2 design, what is the proper solution to solve the flooding issue?
a) Create a dedicated VLAN for multicast traffic
b) Set the multicast stream TTL to 1
c) Run PIM Sparse mode on the LAN interfaces
d) Enable IGMP Snooping on the LAN interfaces
Answer:
-------------------------------------#
17/39

Refer to the new resource(s) available.


What prefixes, along with their label bindings, must be advertised by LDP in the MPLS mock lab to enable
MPLS L3VPN services?
a) Loopback0 prefixes of all PE routers and prefixes of all infrastructure links
b) Loopback0 prefixes of all PE and P Routers
c) Loopback0 prefixes of all PE routers
d) Loopback0 prefixes of all PE and P Routers, and prefixes of all infrastructure links
Answer:
-------------------------------------#

18/39

Refer to the new resource(s) available.


What mechanism and type of deployment would be the most appropriate to accomplish the label
filtering goals as requested?
a) OSPF Prefix Suppression enabled globally on PE and P routers
b) OSPF Prefix Suppression enabled on the IT Training Department’s 200 loopback interfaces
c) OSPF Prefix Suppression enabled on the links between PE and P routers
d) LDP advertisement filter applied to P routers
e) LDP advertisement filter applied to PE and P routers
Answer:
-------------------------------------#

19/39

Refer to the new resource(s) available.


In the FABD2 network, what are the minimal conditions for successful connectivity between IaaS and
MPLS L3VPN?
a) MP-BGP exchanging VPNv4 routes and labels between r30 and its PE router
b) Elementary IP routing between r30 and its PE router
c) IGP and LDP exchanging IP routes and labels between r30 and its PE router
d) BGP and LDP exchanging IP routes and labels between r30 and its PE router
Answer:
-------------------------------------#
20/39

Refer to the new resource(s) available.


Given the description of the issue, which of the following statements would explain the symptoms
described in the e-mail from Travis?
a) The hosts resolved their own hostnames to IPv6 addresses in DNS
b) IPv6 unicast routing was not enabled on sw101
c) The M-flag was not set in Router Advertisements
d) There was no IPv6 IGP running in VLAN 2001
Answer:
-------------------------------------#
21/39

Refer to the new resource(s) available.


Given the description of the issue, what are the two reasons for the absence of RAs breaking the IPv6
connectivity? (Choose two.)
a) The end hosts considered the IPv6 to be disabled in their network.
b) The end hosts could not locate their default gateway.
c) The sw101 and sw102 switches stopped routing IPv6 traffic on SVI for VLAN 2001.
d) The sw101 and sw102 switches stopped advertising the global prefix on SVI for VLAN 2001 in EIGRP
e) The end hosts could not locate their DHCPv6 server
f) The end hosts did not have the necessary information for an autoconfiguration mechanism

Answer:
-------------------------------------#
22/39

Refer to the new resource(s) available.


What would be the proper approach to meet the security requirement as stated by Travis?
a) Implement IPv6 Secure Neighbor Discovery (SeND)
b) Enable RA Guard
c) Suppress the prefix information in RAs
d) Decrease the frequency of sending out RAs
Answer:
-------------------------------------#
23/39

Refer to the new resource(s) available.


This item consists of multiple questions. You may need to scroll down to be able to see all questions.
Based on Travis’s description, why is authentication not available with VRRPv3?
a) It increases the router CPU utilization considerably
b) It requires a non-standard jumbo MTU
c) It duplicates functionality already present in IPsec
d) It does not add any additional level of security
Answer:

Which two options can Travis use to secure the first hop redundancy protocol in HQ? (Choose two)
a) IPv6 ACLs
b) VRRPv2
c) Suppressing prefix information in RAs
d) RA Guard
e) MLD Snooping
Answer:
-------------------------------------#
Since the SD-WAN deployment has already been done on both Branch #1 and Branch #2, we have created
two VPNs, Employee and Guest, and these are working in full mesh mode just fine. Now,
however, we need to extend both the branches and the DC with another VPN for Point Of Sale (POS)
terminals. Since these terminals process credit cards, it is imperative that the Payment Card Industry
(PO) requirements are not. In short, these are the requirements:

• On each branch, Point Of Sale (POS) terminals must be on a different network segment,
isolated from any other networks on the branch.
• Under no circumstances may POS terminals on Branch #1 communicate directly with POS terminals on
Branch #2 and vice versa. Any such communication must instead be routed through
the data center where we have the necessary firewalls in place. This is a departure from the full mesh SD-WAN
we have right now, and I am not entirely certain how to implement it. I’d appreciate your guidance here.

24/39

Refer to the new resource(s) available.


When building the overall SD-WAN policy to meet the Payment Card Industry requirements for the Point
Of Sale (POS) terminals at Branch #1 and Branch #2, what three steps must be accomplished in
vManager? (Choose three.)
a) Create an ACL at Branch #1 and Branch #2 blocking their direct mutual communication
b) Create POS VPN and VPN interface feature templates and apply them to Branch #1 and Branch #2
device templates
c) Apply the policy outbound to the Site IDs of Branch #1 and Branch #2
d) Apply the policy outbound to the Site ID of the DC
e) Create a policy to set the TLOCs for Branch #1 and Branch #2 POS OMP routes to the DC TLOC(s)
f) Block Branch #1 and Branch #2 from learning each other’s TLOC routes
Answer:
-------------------------------------#
25/39

Refer to the new resource(s) available.


Based on the given constraints and existing design, which two steps can be performed to provide WAN
transport redundancy at Branch #2 (Choose two.)
a) On the link between vedge51 and vedge52, create 802.1Q subinterfaces as necessary and use them as
TLOC extensions for each vEdge’s transport
b) Add a second physical link between vedge51 and vedge52 and use the links as TLOC extensions for
each vEdge’s transport
c) Configure a backup default route on each vEdge pointing to the address of the neighboring vEdge’s
TLOC extension interface
d) Configure an outbound localized policy on each vEdge to add the TLOC of the neighboring vEdge to
the advertised OMP routes
e) Run OMP between vedge51 and vedge52
Answer:
-------------------------------------#

26/39
Based on the chat between Anna and Travis, what is the easiest way of achieving uninterrupted SD-WAN
VPN operation if the only vSmart controller in the FABD2 network becomes entirely unavailable for some
time?
a) Use OMP Graceful Restart feature
b) Use OMP Send Backup Paths feature
c) Use incoming static routes on vEdges
d) Use two different transports with TLOC Extension on vEdges
Answer:
-------------------------------------#

27/39

Refer to the new resource(s) available.


Which two steps are required to implement the desired Guest VPN design? (Choose two)
a) Implement a localized data policy that blocks Guest VPN traffic between SD-WAN branches.
b) Configure a centralized VPN membership policy that only allows Guest VPN prefix to be
advertised in OMP.
c) Configure a centralized VPN membership policy that restricts the Guest VPN prefix from being
advertised in OMP.
d) Configure a centralized data policy that performs NAT of Guest VPN traffic to VPN 0.
e) Configure a localized control policy that rewrites the TLOC of Guest VPN routes in OMP to 0.0.0.0
Answer:
-------------------------------------#
28/39

Refer to the new resource(s) available.


What is the correct response to Travis’s concern?
a) Any routing protocol is supported if the underlay is discovered using seed devices.
b) OSPF and EIGRP are in fact supported in SDA LAN Automation
c) Any routing protocol is supported if the underlay is provisioned manually
d) Only IS-IS is supported in the underlay regardless of the provisioning method
Answer:
-------------------------------------#
29/39

Refer to the new resource(s) available.


Which option represents the smallest applicable IP pool in DNA Center to support the planned Layer 3
VN handoffs on Branch #2?
a) one /25 subnet
b) one /26 subnet
c) one /24 subnet
d) two /26 subnets
Answer:
-------------------------------------#
30/39

Refer to the new resource(s) available.


Which two design options are applicable to provide transit between planned SDA fabrics in Branch #1
and #2, considering the future plans? (Choose two)
a) Deploy IP Transit between Branch #1 and Branch #2
b) Deploy a Transit Control Plane node in Data Center to facilitate the transit between Branch #1 and
Branch #2
c) Deploy SDA Transit between Branch #1 and Branch #2
d) Use BGP as a handover protocol between SDA border nodes and SD-WAN vEdge routers
e) Combine Branch #1 and Branch #2 into a single multi-location SDA fabric site
Answer:
-------------------------------------#

31/39

Refer to the new resource(s) available.


What is the correct response to Travis’s concern?
a) Multiple control plane nodes are supported, they operate in Active/Active mode with explicit
synchronization between them
b) Multiple control plane nodes are supported, they operate in Active/Standby mode without explicit
synchronization between them
c) Multiple control plane nodes are supported, they operate in Active/Active mode without explicit
synchronization between them
d) Only a single control plane node is supported, after its failure, DNA Center dynamically configures
another node as a control plane node
Answer:
-------------------------------------#

32/39

What are two possible ways of ensuring that authorized local administrators in the Employee VN on
Branch #1 or Branch #2 can still access the local SDA border nodes using their loopback addresses
through in-band SSH access? (Choose two.)
a) Utilize an external firewall for controlled inter-VN communication.
b) Utilize a vEdge router as a fusion router.
c) Deploy console terminal servers.
d) Implement IS-IS redistribution between VNs.
e) Set up fabric SGACLs permitting this communication.
Answer:
-------------------------------------#
33/39

Refer to the new resource(s) available.


What are the two valid design options for deploying QoS on the SDA branches that will meet the FABD2
requirement? (Choose two.)
a) Extend the existing queuing model into a new 4/5 class model.
b) Use the DNA Center templates to rebuild the QoS policy.
c) Leverage the SGT-based QoS.
d) Use the DNA Center to define business-irrelevant application sets.
e) Use the DNA Center application policy to rebuild the QoS policy.
Answer:

-------------------------------------#
34/39

Refer to the new resource(s) available.


This item consists of multiple questions. You may need to scroll down to be able to see all questions.
Which two considerations about the guestshell environment on an IOS-XE based edge router are
correct? (Choose two.)
a) It does not have write access to the persistent storage of the hosting router.
b) It allows installing additional Linux packages using the yum package manager
c) It behaves as a Linux PC located on a network directly attached to the hosting router
d) It requires a dedicated physical interface on the hosting router for networking
e) It does not have access to the IOS-XE runtime state such as routing table concepts on its hosting
router

Answer:

Based on Travis’s requirements, what is the most efficient approach to provide the scanning solution?
a) Use guestshell on the branch edge router to fully implement the scanning solution
b) Use Raspberry Pi connected to the branch edge router and running an IGP to fully implement the
scanning solution
c) Use guestshell on the branch edge router to post the routing table contents using a sample API to
Raspberry Pi, and implement the rest of the scanning solution on the Raspberry Pi
d) Use Raspberry Pi connected to the branch switch and having subinterfaces for every branch network
to fully implement the scanning solution

Answer:
-------------------------------------#
35/39

Refer to the new resource(s) available.


Which approach should Travis choose when writing his Python script?
a) Write a Python script utilizing the “cli” module and run it from an EEM script, passing the logging
message as a parameter
b) Write a parameter-less Python script utilizing “eem” module and register it as an EEM Python Policy.
c) Write a parameter-less Python script utilizing both “cli” and “eem” modules and run it from an EEM
script.
d) Write a Python script utilizing the “cli” module and run it from an EEM script, passing the logging
message over standard input
Answer:
-------------------------------------#
36/39

Refer to the new resource(s) available.


Given the circumstances, what is the best option for Anna to develop and debug her scripts before
deploying them on the FABD2 production network?
a) Use the production network while executing REST API calls bundled in a transaction and rolled back at
the end without a commit
b) Perform the development and debugging on the production network during dedicated maintenance
windows
c) Create a lab repro for development purposes
d) Use DevNet SD-WAN sandbox labs
Answer:
-------------------------------------#
37/39
Refer to the new resource(s) available.
This item consists of multiple questions. You may need to scroll down to be able to see all questions.
What authentication mechanism is used for API calls to vManage?
a) basic HTTP authentication with every API call
b) authentication token in HTTP headers obtained after a call to /auth/token with credentials passed as
HTTP basic authentication
c) client X 509 PKI certificate presented with every API call
d) session cookies obtained after a call to /j_security_check with credentials passed in the
request body

Answer:

What is the nature of the value for the deviceId key for a vEdge?
a) hostname
b) license number
c) device chassis/channel number
d) certificate serial number
Answer:

What is the purpose of enclosing the deviceIP / deviceId object into square brackets in the JSON call
template?
a) The request can hold multiple deviceIP / deviceId objects as a list
b) The square brackets aid readability but are not mandatory
c) The square brackets introduce an optional part of the request
d) The deviceIP / deviceId object is a nested object inside another one, with nesting requiring the use of
square brackets
Answer:
-------------------------------------#
38/39

Refer to the new resource(s) available.


Which two of the following changes to the script would shorten its running time without impacting its
functionality? (Choose two.)
a) Construct the JSON body of the request manually instead of using the json.dumps() method.
b) Execute the login API call only once and reuse the session for multiple API calls.
c) Use the put() method instead of post() to pass the reboot API call.
d) Combine device IP/ID pairs into a list and pass them all in a single API call.
e) Refer to the vManage by its DNS FQDN instead of its IP address.
Answer:
-------------------------------------#
39/39

No Question

-------------------------------------#