TSHOOT Questions and Answers Multiple Choice Questions

remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.
255/47/0)
#pkts encaps: 116, #pkts encrypt: 116,
#pkts decaps: 110, #pkts decrypt: 110,
local crypto endpt.: 172.16.2.11,
remote crypto endpt.: 172.16.1.1
inbound esp sas:
Type text to search here...
spi: 0x6AC801F4(1791492596)
Home > Multiple Choice Questions outbound esp sas:
spi: 0x4C36F4AF(1278669999
Multiple Choice Questions There is no decap packets in Spoke1, which means esp packets are dropped somewhere in the path return from Spoke2 towards
spoke1.
May 8th, 2018 in TSHOOT v2 Go to comments
The Spoke2 router shows both encap and decap, which means that ESP traffic is filtered before reaching Spoke2. It may happen
Note: You should learn all the multiple choice questions on this page and grasp the concept behind each question as no one know at the ISP end at Spoke2 or at any firewall in path between Spoke2 router and Spoke1 router. After allowing ESP (IP Protocol 50),
when the questions will be changed. Spoke1 and Spoke2 both show encaps and decaps counters are incrementing.
================New Multiple Choice Questions (updated on 3rd-Jun-2019)================ Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-
00.html#verifyonedirection
Premium Member: You can test your knowledge with these questions first via this link.
Further, check debug crypto isakmp to verify that the spoke router is sending udp 500 packet:
Question 1
Router#debug crypto isakmp
Drag drop question about IPSec. 04:14:44.450: ISAKMP:(0):Old State = IKE_READY
New State = IKE_I_MM1
Answer: 04:14:44.450: ISAKMP:(0): beginning Main Mode exchange
04:14:44.450: ISAKMP:(0): sending packet to 172.17.0.1
my_port 500 peer_port 500 (I) MM_NO_STATE
+ show crypto isakmp sa detail: Verify the current SA lifetime and the time for next renegotiation 04:14:44.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
+ show cryto ipsec sa peer: (verify) traffic flows in only one direction 04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
+ show ip eigrp neighbor: Verify that routing protocol neighbor is established 04:14:54.450: ISAKMP (0:0): incrementing error counter on sa,
+ debug crypto isakmp: Verify that the spoke router is sending udp 500 packet attempt 1 of 5: retransmit phase 1
04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
04:14:54.450: ISAKMP:(0): sending packet to 172.17.0.1
Explanation
my_port 500 peer_port 500 (I) MM_NO_STATE
04:14:54.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
An example about the output of the “show crypto isakmp sa detail” is shown below: 04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:15:04.450: ISAKMP (0:0): incrementing error counter on sa,
Router1#show crypto isakmp sa detail attempt 2 of 5: retransmit phase 1
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Codes: C – IKE configuration mode, D – Dead Peer Detection
K – Keepalives, N – NAT-traversal The above debug output shows spoke router is sending udp 500 packet in every 10 seconds.
T – cTCP encapsulation, X – IKE Extended Authentication
psk – Preshared key, rsig – RSA signature Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-
renc – RSA encryption 00.html
IPv4 Crypto ISAKMP SA
Question 2
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
Refer to the exhibit. Which hashing method is being used for the enable secret?
1001 192.168.3.2 192.168.4.2 ACTIVE aes sha256 psk 5 11:54:20
Engine-id:Conn-id = SW:1 …
enable secret 8 $fdiFJeJdfkjFkFjfdiKFjIgkdj/j90jdfsjifdsjFjfdPK
!
Verify whether the traffic flows in only one direction username admin privilege 15 password 7 0348378437387483E8787F
…
The VPN tunnel between the spoke-to-spoke router is up, but unable to pass data traffic. The following sample output is from the
“show crypto ipsec sa peer” command:
A. sha1
B. sha256
Spoke1# show crypto ipsec sa peer 172.16.2.11
C. scrypt
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
D. md5
remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
#pkts encaps: 110, #pkts encrypt: 110
#pkts decaps: 0, #pkts decrypt: 0,
local crypto endpt.: 172.16.1.1, Answer: B
remote crypto endpt.: 172.16.2.11
inbound esp sas: Explanation
spi: 0x4C36F4AF(1278669999)
outbound esp sas: To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted string in the
spi: 0x6AC801F4(1791492596) configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the digit is a 5, the password
================================================ has been hashed using the stronger MD5 algorithm.
Spoke2#sh crypto ipsec sa peer 172.16.1.1
local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
Note: Four Different Tunnel States
+ Type 5: MD5 There are four possible states in which a GRE tunnel interface can be:
+ Type 8: sha256 + Up/up – This implies that the tunnel is fully functional and passes traffic. It is both administratively up and it’s protocol is up as
+ Type 9: scrypt well.
+ Administratively down/down – This implies that the interface has been administratively shut down.
Question 3 + Up/down – This implies that, even though the tunnel is administratively up, something causes the line protocol on the interface
to be down.
Refer to the exhibit. PCB could not ping PCA. The admin has logged into each switch, starting from SW1 and ending with SW2 + Reset/down – This is usually a transient state when the tunnel is reset by software. This usually happens when the tunnel is
and has examined the links between each. Which troubleshooting method has been used? misconfigured with a Next Hop Server (NHS) that is it’s own IP address.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html
Question 6a
Refer to the exhibit.
aaa authentication login default group tacacs+ local-case line

aaa authentication login LOCAL-VTY line
….
username cisco password cisco123
!
line vty 0 4
password CiscoCisco
login authentication LOCAL-VTY
transport input all
User tries to connect to line vty 0 with username Cisco and password “Cisco123” while TACACS server is unreachable. What
happens?
A. top down
B. follow the path A. The user will be authenticated after the TACACS server fallback timer expires
C. bottom up B. The user will not be authenticated because the username is incorrect
D. divide and conquer C. The user will not be authenticated because the TACACS server is unreachable
D. The user will not be authenticated because the password is incorrect
Answer: B
Answer: D
Question 4
Explanation
Drag drop question about GRE characteristics (Overlay and Underlay Network).
With this config, when the user tries to connect to line vty 0, the line password (which is “CiscoCisco”) must be used to
Answer: authenticate. The TACACS server would never been used unless we remove the “login authentication LOCAL-VTY” statement
(as the first aaa command “aaa authentication login default group tacacs+ local-case line” would be used for all VTY, console,
Overlay network:
AUX line because of the “default” group).
+ deencapsulates the tunnel header before routing
+ Virtual tunnel network Question 6b
Underlay network: Refer to the exhibit.
+ Physical network
+ MTU must be increased to avoid fragmentation username cisco password 123456
aaa authentication login default local-case
Unused option: Must use IPv6 as the Layer 3 protocol
Client try to connect with this command : ssh -l Cisco 123456. What he can reach the destination
Note: The core routers are known as the underlay network. This is responsible for taking GRE packets and transporting them
from one side of the network to the other. The tunnel itself is the overlay network. Packets passing through the overlay network A. bad password
are unaware of the routers in the underlay B. bad username
C. ?
Question 5 D. ?
Drag the GRE tunnel state from the left onto the correct description on the right.
Answer: Answer: B
Match the various tunnel states to the corresponding description. Explanation
Up/up ————– tunnel is up and functional The keyword “local-case” is used in the authentication so the username is case-sensitive and we can to write the username exactly.
Up/down ———- tunnel is up but not passing traffic
Administratively Down/down —— the shutdown command has been issued on the tunnel interface Question 7
Reset/up ———- transient state where the next hop server is its own ip address
Refer to the exhibit. Why can’t an user SCP to a server at 172.16.1.200 on Monday at 11:00 pm?
Explanation
Let’s assume that you are researching a problem of a user that cannot browse a particular website and while you are verifying the
access-list 101 permit 89 any any problem, you find that the user’s workstation is not even able to obtain an IP address through the DHCP process. In this situation
access-list 101 permit tcp any any eq 179 it is reasonable to suspect lower layers of the OSI model and take a bottom-up troubleshooting approach.
access-list 101 permit tcp any eq 179 any
access-list 101 permit gre any any Reference: http://www.ciscopress.com/articles/article.asp?p=2273070&seqNum=2
access-list 101 permit esp any any
Question 10
access-list 101 deny ospf any any
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh time-range TIME What is tshoot method use in spanning-tree?
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq eq 500 A. top down
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 4500 B. follow the path
access-list 101 deny tcp any any eq 21 C. bottom up
access-list 101 deny tcp any any eq 23 D. divide and conquer
access-list 101 deny ip any any log
!
time-range TIME Answer: B
periodic Mondy Wednesday Friday 6:00 to 18:00
! Question 11
interface Ethernet0/0
ip address 10.1.1.25 255.255.255.0 Refer to the exhibit.
ip access-group 101 in
A. the ACL “time-range” blocks the traffic

B. SCP is denied by ACL deny tcp any any eq 21
C. The ACL deny ip any any blocks the traffic
D. SCP is denied by ACL deny tcp any any eq 23
Answer: C
Explanation
C:> Tracert 8.8.8.8
The user cannot access the server on Monday at 11pm because of two reasons:
+ First, it does not match the time-range TIME (only allowed to access from 6am 6pm), defined by the ACL statement “access-list Tracing route to 8.8.8.8 over a maximum of 30 hops
1 1ms 1ms 1ms 192.168.100.1
101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh time-range TIME”) so this traffic is continued to check with the rest 2 3ms 2ms 3ms 172.16.10.200
of the ACL to see if there is any matched entry for it. 3 * * * Request timed out.
+ Second, the last ACL statement drops this traffic as none of the above ACL statement matched it. 4 * * * Request timed out.
5 * * * Request timed out.
So in this question the last line of the ACL is the place where the SCP traffic is dropped.
What is the next step to troubleshoot the issue?
Note: SCP runs over TCP port 22 by default and connect via an encrypted connection or secure shell connection (SSH).
A. Verify HQ Router and Firewall are in the same VLAN
Question 8 B. traceroute to the WAN IP address of HQ
C. Ping the LAN IP address of the HQ router
Drag and drop Windows and Cisco commands on the left to the corresponding description on the right. D. Check MTU between BR and HQ
Answer:
+ C:> tracert [IP address]: uses path verification from the endpoint to the destination that is unreachable Answer: A
+ C:> ping [IP address]: identifies gateway reachability from an endpoint that is experiencing the issue
+ Router# traceroute [IP address]: uses path verification from the network device where the endpoint is connected Explanation
+ Router# ping [IP address]: identifies host reachability status from the closest network device where the problem exists
The trace route stops at the inbound interface of the HQ router so the problem must be somewhere between HQ and the Firewall
Question 9 so answer A is the best choice here.
What is tshoot method use in DHCP problem? Question 12
A. top down Refer to the exhibit.

B. follow the path
C. bottom up R1
D. divide and conquer int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.55.0
!
int Gigabitethernet 0/3
Answer: C ip address 10.10.30.2 255.255.55.0
Explanation
R1#show management-interface interface Note: The OSPF process ID is just locally significant but R2 is using two different OSPF process IDs (#1 and #2) so they should
Management interface GigabitEthernet0/2 be redistributed into each other like this:
Protocol Packets processed
http 0
https 10 router ospf 1
Management interface GigabitEthernet0/3 redistribute ospf 2 subnets
Protocol Packets processed router ospf 2
http 0 redistribute ospf 1 subnets
ssh 10
snmp 110
But it is not the problem here.
R2#ssh -l admin 10.10.20.2
================Multiple Choice Questions (updated on 21st-Apr-2019)================
%Destination unreachable, gateway or host down
A company is implementing Management Plane Protection (MPP) on its network. Which of the following commands allows R2
successfully connect to R1 via SSH? Question 1
A. ssh -p 22 -l admin 10.10.30.2 Which of the following features allows a router to install a floating route in its routing table when the GRE tunnel is disrupted?
B. ssh -v 2 -l admin 10.10.30.2
C. ssh -p 22 -l admin 10.10.20.2 A. tracking objects
D. ssh -v 2 -l admin 10.10.20.2 B. IP SLA
C. ?
D. GRE keepalive
Answer: B
Explanation Answer: D
SSH has the following options: Explanation
R1#ssh ? GRE tunnels are designed to be completely stateless. This means that each tunnel endpoint does not keep any information about
-c Select encryption algorithm the state or availability of the remote tunnel endpoint. A consequence of this is that the local tunnel endpoint router does not have
-l Log in using this user name the ability to bring the line protocol of the GRE Tunnel interface down if the remote end of the tunnel is unreachable. The ability
-m Select HMAC algorithm to mark an interface as down when the remote end of the link is not available is used in order to remove any routes (specifically
-o Specify options static routes) in the routing table that use that interface as the outbound interface. Specifically, if the line protocol for an interface
-p Connect to this port is changed to down, then any static routes that point out that interface are removed from the routing table. This allows for the
-v Specify SSH Protocol Version installation of an alternate (floating) static route or for Policy Based Routing (PBR) in order to select an alternate next-hop or
-vrf Specify vrf name interface.
WORD IP address or hostname of a remote system
Normally, a GRE Tunnel interface comes up as soon as it is configured and it stays up as long as there is a valid tunnel source
In this question it seems R1 does not allow SSH to interface Gi0/2 of R1 (no traffic for SSH) so we have to SSH to interface Gi0/3 address or interface which is up. The tunnel destination IP address must also be routable. This is true even if the other side of the
instead. tunnel has not been configured. This means that a static route or PBR forwarding of packets via the GRE tunnel interface remains
in effect even though the GRE tunnel packets do not reach the other end of the tunnel.
Question 13
Before GRE keepalives were implemented, there were only ways to determine local issues on the router and no way to determine
Refer to the exhibit.The traceroute fails from R1 to R3.What is the cause of the failure? problems in the intervening network. For example, the case in which the GRE tunneled packets are successfully forwarded, but are
lost before they reach the other end of the tunnel. Such scenarios would cause data packets that go through the GRE tunnel to be
“black holed”, even though an alternate route that uses PBR or a floating static route via another interface might be available.
Keepalives on the GRE tunnel interface are used in order to solve this issue in the same way as keepalives are used on physical
interfaces.
R1#traceroute 3.3.3.3 Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-00.html
…
1 10.10.10.2 18msec Question 2
2 10.10.10.5 !A
… Refer to the exhibit.
!A
access-list 101 permit 89 any any
A. Redistribution of connected routes into OSPF in not configuration access-list 101 permit tcp any 10.1.1.1 0.0.0.0 eq 179
B. An ACL applied inbound on fa0/1 of R3 is dropping the traffic access-list 101 permit tcp any eq 179 any
C. An ACL applied inbound on loopback0 of R2 is dropping the traffic access-list 101 permit gre any any
D. The loopback on R3 is in a shutdown state access-list 101 permit tcp nse any
access-list 101 deny ospf any any
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 22
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq telnet
Answer: B
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 80
Explanation access-list 101 deny tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 2
The !A is the response that indicates that you received a response of Administratively Prohibited. This is the result when the Which two routing protocols are permitted by the ACL above? (Choose two)
traceroute is denied by an access list.
A. BGP -m Select HMAC algorithm
B. OSPF -o Specify options
C. EIGRP -p Connect to this port
D. GRE -v Specify SSH Protocol Version
E. NSE (something like that) -vrf Specify vrf name
WORD IP address or hostname of a remote system
In this question it seems R1 does not allow SSH to interface Gi0/2 of R1 (no traffic for SSH) so we have to SSH to interface Gi0/3
Answer: A B instead.
Explanation Question 4
BGP operates on TCP port 179 and the ACL statements “access-list 101 permit tcp any 10.1.1.1 eq 179” and “access-list 101 Section 1
permit tcp any eq 179 any” allows BGP to go through. R1#debug ip ospf hello
…
The protocol number (not port number) of OSPF is 89 so the first ACL statement “permit 89 any any” is same as “permit ospf any
Section 2
any” -> Answer B is correct.
R1#
EIGRP runs directly over IP using IP protocol number 88 – it does not use TCP or UDP. In the above ACL statements there is no Debugging is
line for EIGRP so it will be dropped by implicit “deny all” statement at the end of the ACL -> Answer C is not correct. Condition 1 – username
Condition 2 – int g0/2
GRE is allowed with the “access-list 101 permit gre any any” statement so GRE is correct but this question asks about “routing Section 3
protocol” so GRE is not a valid option. R1#debug ip ospf hello
…
Note: Keep in mind that there is a big difference between a port number and a protocol number. In an ACL, the number behind
the keyword “eq” (equal) is a port number, not a protocol number. For example, IP is protocol number 4, ICMP is 1, EIGRP is 88, Which of the following commands results in the Section 2 of the output above?
and OSPF is protocol number 89.
A.
Question 3 R#debug condition username
R#debug condition interface g0/2
B.
R1 R# debug condition interface g0/2
int Gigabitethernet 0/2 R#debug condition username
ip address 10.10.20.2 255.255.55.0
C.
!
R(conf)# debug condition username
int Gigabitethernet 0/3
R(conf)#debug condition interface g0/2
ip address 10.10.30.2 255.255.55.0
D.
R1#show management-interface interface
Management interface GigabitEthernet0/2
R(conf)#debug condition interface g0/2
Protocol Packets processed R(conf)# debug condition username
http 0
https 10
Management interface GigabitEthernet0/3
Protocol Packets processed Answer: A
http 0
ssh 10
snmp 110
Explanation
R2#ssh -l admin 10.10.20.2 The “debug condition” command must be issued in Privileged mode (not global configuration mode)
%Destination unreachable, gateway or host down
Question 5
A company is implementing Management Plane Protection (MPP) on its network. Which of the following commands allows R2
successfully connect to R1 via SSH? Two hosts (PC A & PC B) in the same subnet (IP addresses 10.10.10.10 & 10.10.10.30, both /24) connected to Layer 2 switches
each (using ports g0/5). The layer 2 switches connect to other switches which connects to a Multilayer (L3) switch.
A. ssh -p 22 -l admin 10.10.30.2
B. ssh -v 2 -l admin 10.10.30.2
C. ssh -p 22 -l admin 10.10.20.2
D. ssh -v 2 -l admin 10.10.20.2
Answer: B
Explanation
SSH has the following options:
R1#ssh ?
-c Select encryption algorithm
-l Log in using this user name
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
49 permit ip host xxxx host xxxx
-> We can insert five additional lines between two consecutive lines now.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-
seq-num.html
Question 7
What is the reason PC A cannot reach PC B? An engineer performed a router upgrade. After an unexpected reboot, the router loaded with the old IOS version instead of the
new one. What is the problem?
A. IP routing is not enabled in the L3 switch
B. Interfaces g0/5 of the switches are in different VLANs A. The configuration register is set to 0x2103
C. PC A and PC B are in different subnets B. The old IOS image is corrupted
D. Interfaces Gi0/1 and Gi0/2 are not in an Etherchannel port C. The new IOS image is corrupted
D. The boot loader is not present
Answer: B
Answer: D
Explanation
Question 8
Suppose all the related ports are in up/up state then there are only two reasons that PCA & PCB cannot communicate:
+ These two PCs are in different VLANs An exhibit with output of BGP debug
+ The ports on L3 switch that are connected to two Layer 2 switches are routing ports (with “no switchport” command)
%TCP-6-….: Active to Idle
Question 6 …
%TCP-6-BADAUTH: No MD5 digest from 192.168.1.1(179) to 192.168.4.1(45577) tabled-0
Refer to the exhibit %TCP-6-BADAUTH: No MD5 digest from 192.168.4.1(179) to 192.168.1.1(45577) tabled-0
R1#show access-list Why are the two routers not forming BGP neighborship?
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx A. Mismatched BGP authentication
2 permit ip host xxxx host xxxxx B. Mismatched BGP Autonomous System numbers
3 permit ip host xxxx host xxxxx C. Mismatched Hello and Hold timer
4 permit ip host xxxx host xxxxx D. Mismatched BGP peer-group
7 permit ip host xxxx host xxxxx Answer: A
9 permit ip host xxxx host xxxx Question 9
Which of the following commands inserts five additional lines to the ACL Entry Sequence between lines 3 and 4 without An exhibit that displays the outputs of show interface tunnel0 for two routers. Tunnel 0 is up/up on one router and up/down on
changing the existing configuration? the other router.
Which of the following commands can quickly show the cause of the up/down state of Tunnel0 on the second router?
A. R(conf)# ip access-list resequence Super_User 1 6
B. R(conf)# ip access-list resequence Super_User 1 5 A. show ip interface brief
C. R(conf-nacl)# ip access-list resequence Super_User 1 6 B. sh ip protocols (or something else)
D. R(conf-nacl)# ip access-list resequence Super_User 1 5 C. show ip route
D. show ip gre
Answer: A
Answer: C
Explanation
Question 10
The command “ip access-list resequence access-list-name starting-sequence-number increment” (for example: “Router(config)#
ip access-list resequence Super_User 1 6”) will resequence the “Super_User” ACL using the starting sequence number (1) and the A hub and spoke topology consisting of some routers and switches. Host A is attached to the spoke network and Host B is
increment of sequence numbers (6). After this command the “Super_User” ACL will be like this: attached to the hub network. There is a set of commands beside the topology:
R1#show access-list
line vty 0 4
login local
Which reversible encryption method is used?
A. SNMP
B. Local authentication
C. Enable
D. VTY
Answer: B
================New Multiple Choice Questions (updated on 10th-Mar-2019)================
Question 1
Client A cannot reach client B while other Spokes can reach client B. What command in the configuration is the cause of the Which statements about uRPF are true? (Choose two)
problem?
A. CEF should be enabled
A. ip nhrp network-id 12345 B. CEF should be disabled
B. tunnel source e0/1 C. Packet with source 0.0.0.0 destination 255.255.255.255 will be permited
C. ip nhrp shortcut D. Packet with source 0.0.0.0 destination 255.255.255.255 will be denied
D. tunnel mode gre multipoint E. ?
Answer: B Answer: A C
Note: Please check to see the NHRP address is wrong. Please read more about DMVPN and NHRP at Explanation
https://www.digitaltut.com/dmvpn-tutorial
uRPF uses the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB) to perform reverse path look-up on the
Question 11 source IP address of an incoming packet. The CEF FIB is a database of network layer routing information and associated
forwarding/adjacency information used in the CEF switching of packets.
Drag the GRE tunnel state from the left onto the correct description on the right.
Unicast RPF will allow packets with 0.0.0.0 source and 255.255.255.255 destination to pass so that Bootstrap Protocol (BOOTP)
Answer: and Dynamic Host Configuration Protocol (DHCP) functions work properly.
Match the various tunnel states to the corresponding description. Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf.pdf
Up/up ————– tunnel is up and functional Question 2
Up/down ———- tunnel is up but not passing traffic
Administratively Down/down —— tunnel is administratively shutdown (shutdown by configuration or an administrator) Routes are not advertised in the GRE tunnel. What is the problem?
Reset/up ———- tunnel is ….. (maybe “misconfigured with a Next Hop Server (NHS) that is it’s own IP address.”)
A. Implement dynamic routing in tunnel interfaces
Explanation B. ACLs are blocking packets
C. ?
Four Different Tunnel States D. ?
There are four possible states in which a GRE tunnel interface can be:
+ Up/up – This implies that the tunnel is fully functional and passes traffic. It is both administratively up and it’s protocol is up as
well.
+ Administratively down/down – This implies that the interface has been administratively shut down. Answer: B
+ Up/down – This implies that, even though the tunnel is administratively up, something causes the line protocol on the interface
to be down. Question 3
+ Reset/down – This is usually a transient state when the tunnel is reset by software. This usually happens when the tunnel is
misconfigured with a Next Hop Server (NHS) that is it’s own IP address. How can we limit the number of simultaneous access to the VTY lines?
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html A. session-limit

B. something about ACL
Question 12 C. ?
D. ?
enable secret 8 8asdknkjajf89nklasdnflkjajnslkdf

Answer: A
username cisco privilleage 15 password 7 8273872397892
no aaa new-model
Explanation Answer: C
The “session-limit” command is used to configure the maximum number of the concurrent virtual terminal sessions on a device. Question 7
The range is from 1 to 64.
Question 4
Drag drop question about extended ping which includes: TTL, df-bit, ToS, Timeout.
Answer:
ToS = Specifies the packet classification Output been given of RA tunnel up &up and RC tunnel up/down.
df-bit = allows for testing the path MTU
TTL = determines the maximum hop count R-A and R-C tunnel interfaces configuration are shown. The only difference is RA MTU is 1490, RC MTU is 1476. What is the
timeout = sets the interval to wait for a response issue?
Good reference: The answers are like this:
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html A. Loopback 1.1.1.1 is not advertised………….
B. Loopback 4.4.4.4 is not advertised………….
Question 5 C. MTU mismatched ….
D. RB configured not properly ……
There is an exhibit with hub & spook topology with 2 PCs: Pc1 spoke side and Pc2 hub . PC1 not pinging PC2. In the exhibit
there is configuration of NHRP. Something like this:
interface tunnel0 Answer: A

ip address 10.100.0.3 255.255.25.0
no ip redirects Explanation
ip nhrp network-id 12345
ip nhrp shortcut Note: The tunnel connection does not get down when the MTUs on two sides are mismatched -> C is not correct. You can find
ip nhrp nhs 10.100.0.1 nbma 200.1.1.9 multicast from the output that Loopback 1.1.1.1 is not advertised.
tunnel source e0/1
tunnel mode gre multipoint Question 8
Question about “show debug condition” command.

What command can be used to troubleshoot GRE issues?
A. show dmvpn
B. show ip interface brief
Router#show debug condition
C. show ip route
condition 1: int g0/1 …
D. show ip bgp summary
Router##no debug condition 1
Answer: A What is the output of “show debug condition “?
Note: If in the exam there is anything related to DMVPN technology then the answer should be A. Otherwise it should be B. A. Router#show debug condition
Update: The configuration is related to NHRP so the correct answer is A. condition 2: int g0/2 …
B. Router#show debug condition
Question 6 condition 1: int g0/2 …
C. Router#show debug condition
Refer to the exhibit. condition 1: int g0/1 …
D. Router#show debug condition
Answer: D
Explanation
We tested it with IOSv15.4 and this is the result:

PC was not configured to obtain default-gateway from the DHCP server. What can we do for PC to access the Internet?
A. Configure static ARP in gateway router

B. Configure dynamic ARP in gateway router
C. Configure proxy-ARP in gateway router
D. ?
A. An ACI is blocking the datat plane traffic between the remote devices
B. MTU is configured at 1500 on the tunnel interface
C. The tunel made is mismatched between the two routers
D. The tunnel interface is not participating in the dynamic routing process
Answer: D
Question 14
There is a diagram with a HQ site connected with Branch site via GRE Tunnel
Question 9 A. Change tunnel source in HQ site from G0/1 to 0/0
B. Change tunnel in Branch site from G0/0 to 0/1
Refer to exhibit. Client unable to enter the privilege mode
Topology with 2 host connected via GRE (HQ and Branch)
Answer: A
Answer: enable password should be configured
================New Multiple Choice Questions (updated on 9th-Feb-2019)================
Question 10
Question 1
ipv6 access-list INTERNET
permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64 A topology with three routers R1, R2 and R3 connected to each other and a list of ACL statements to choose. The question asks
permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64 eq telnet which sequence number allows connection from R1 to R2 via SSH.
permit tcp 2001:DB8:AD59:BA21::/64 any eq http
permit ipv6 2001:DB8:AD59::/48 any
deny ipv6 any any log
Which statement about the INTERNET ACL is true?
A. The denied entries will be logged because of the explicit deny ipv6 any any log line
B. A packet with source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port 80 will be permitted
C. HTTPS traffic from the 2001:DB80:AD59:BA21::/64 subnet will automatically be permitted along with HTTP traffic
D. A packet with source address 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied
R1 Lo0: x:x::1
Answer: A R2 Lo0: y:y::2
R3 Lo0: z:z::3
Question 11
Similar to this question:

Answer: 20 permit tcp x:x::/64 host y:y::2 eq 22 (so choose the sequence number 20)
Refer to the exhibit. (ClientA is connecting to the network via e0/0 interface while the “tunnel source e0/1” in the configuration).
ClientA is unable to reach ClientB while other users from other Spokes can reach ClientB. Which command resolves this issue? Question 2
A. tunnel route-via ethernet0/1 How to apply an IPv6 access-list to lines?

B. tunnel mode gre
C. tunnel destination 10.100.0.1 A. ipv6 access-group <ipv6 access-list name>
D. tunnel source ethernet0/0 B. ipv6 access-list <ipv6 access-list name>
C. ipv6 access-class <ipv6 access-list name>
Answer: D
Answer: C
Question 12
Question 3
Regarding extended ping, why ping is failed (refer to exhibit)?
Drag drop about AAA.
Answer: df bit is set (should be unset, mtu issue)
Question 13
Routes are not being shared dynamically over a functional GRE tunnel. Which scenario is causing the issue?
access-list 150 permit tcp host 192.168.x.x any eq 22
access-list 150 permit tcp host 192.168.x.x any eq telnet
line vty 0 4
access-class 2 in
session-limit 1
login local
transport input all
line con 0
(no config)
line aux 0
(no config)
Answer:
A. Set ACL 150 with inbound direction on AUX
+ AAA Accounting commands: configures AAA to send commands executed to the configured target B. Set ACL 150 on VTY lines
+ AAA Authentication banner: configures AAA to change the message displayed when a user logs in C. Set session-limit 0 command on AUX
+ AAA authorization exec: (none) D. Change session-limit to 0 on VTY
+ AAA authentication enable: configures AAA to prompt for a password to enter privileged mode
+ AAA authorization config-commands: configures AAA to validate a user’s permission to change the running configuration
Explanation Answer: A
The “AAA authentication banner” command is used to configure a banner that is displayed when a user logs in (replacing the Explanation
default message for login).
The “session-limit” command is used to configure the maximum number of the concurrent virtual terminal sessions on a device.
If aaa authorization commands level method command is enabled, all commands, including configuration commands, are The range is from 1 to 64.
authorized by AAA using the method specified. Use the aaa authorization config-commands command if you need to
reestablish the default set by the aaa authorization commands level method command. Question on restricting access via AUX to ip’s/ranges in shown ACL. Config showing all the lines, vty, aux and con and an ACL.
Only VTY had config on, including access-class but ACL number was not as in the config shown.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html Question was something like why IP’s out of the range specified in the acl can access the router via AUX – remember there was
no config on AUX at all.
Question 4
Question 6
An exhibit with three routers A, B and C. Router A is connected to Router B. Router B is connected to Router C.
A firewall has been inserted between 2 routers running GRE. Which protocol needs to be allowed through on the firewall?
A. Create a firewall rule to allow IP protocol 47

B. Create a firewall rule to allow TCP/IP Port 47
The output of “show interface Tunnel 1” on Router C shows that the tunnel is in “up/down” state. The question asks what is the
reason for this. Answer: A
A. Router C does not have a route to the loopback interface of Router A (which is used as the tunnel source on Router A and Explanation
tunnel destination on Router C).
B. The tunnel mode should be changed to “gre mode multipoint” GRE is a protocol on the same level as TCP and UDP. When configuring a firewall to allow GRE, you do not configure a port like
C. you would for Telnet or SSH. Instead, you must configure the firewall to allow protocol 47. Cisco router offer the keyword “gre”
D. for configuring access lists.
Reference: Network Warrior, page 178 by Gary Donahue.
The access-list statement should be “access-list 100 permit gre any any” (or “access-list 100 permit gre host x.x.x.x host y.y.y.y” to
Answer: A allow specific host)
Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state: How to apply IPv6 access list?
– There is no route, which includes the default route, to the tunnel destination address.
– The interface that anchors the tunnel source is down.
– The route to the tunnel destination address is through the tunnel itself, which results in recursion.
Answer: ipv6 traffic-filter
Question 8
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html
Router is configured with AAA using the “local-case” keyword in authentication:
Question 5
username Admin password cisco
A network administrator attempts to restrict AUX access to R4 from a single host IP address 192.168.x.x has failed. Which action aaa authentication login default local-case …
will restrict access? …
The question asks why the admin cannot login with the command:
ssh -l admin x.x.x.x Question 12
A. ssh -l Admin x.x.x.x The GRE tunnel went down when an unrelated interface went down. What is the reason for that?
B. ssh -p Admin x.x.x.x
C. ssh port 1111 A. The CEF entry for the tunnel source use that interface
D. ? B. The CEF entry for the tunnel destination uses that interface
C. The interface is configured as the tunnel source
D. The interface is configured as the tunnel destination
Answer: A
Explanation Answer: B
The keyword “local-case” is used in the authentication so the username is case-sensitive we must care about upper-case letter “A”. Question 13
Question 9 One question about OSPF and IBGP.
Refer to the exhibit (ClientA is connecting to the network via e0/0 interface while the “tunnel source e0/1” in the configuration). BGP R1 3.3.3.3 ——————OSPF Router—————–BGP R2 4.4.4.4
ClientA is unable to reach ClientB while other users from other Spokes can reach ClientB. Which command resolves this issue?
[Large output showing the BGP neighbor relationship will not establish]
A. tunnel route-via ethernet0/1
B. tunnel mode gre Why will the neighbor relationship not establish?
C. tunnel destination 10.100.0.1
D. tunnel source ethernet0/0 A. Because there’s no route between the routers from present in the routing table
B. Something about OSPF advertisement
C. ?
D. ?
Answer: D
Question 10
Suggested Answer: A
Large exhibit with many routers. Why a PC client is unable to communicate with HQ router by looking at the routing table
================New Multiple Choice Questions (updated on 11th-Jan-2019)================
Answer: did not have a route in his routing table
Question 1
Question 11
Picture of 3 routers and the question was related to IPv4 -> IPv6 tunnelling stating that all interfaces were configured with MTU
An exhibit with the Admin PC (IP address: 192.168.1.200/28) connecting to the router R1 (Lo0: 192.168.1.55/28) with AAA 1500 other than the tunnel interface which didn’t set the MTU. The engineer noticed that packets were being fragmented how do
config. The question asks why Telnet attempt to the router from the Admin PC fails. you fix this?
aaa new-model A. set the MTU on the tunnel interface to 1476

! B. increase the IPv6 packet MTU.
aaa authentication login default line enable C. increase the IPv4 packet MTU.
aaa authorization commands 15 default local D. set the MTU on the tunnel interface to 1500.
aaa authorization network default local
!
username admin privilege 15 password cisco
Answer: A
!
ip ssh version 2 Question 2
!
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22 Refer to the statement.
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any range 22 stp
! The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message
line vty 0 4
access-class 101 in
password cico What could be causing the syslog?
transport input all
A. Source virtual interface shutdown.
!
B. Tunnel interface is not participating in routing.
line vty 5 15
C. Physical interface is down/down.
access-class 101 in
D. The route to destination was learnt by the tunnel itself
password cico
transport input all
!
Answer: D
Explanation
Answer: ACL is blocking the connection (because the ACL only allows port 22, which is SSH so Telnet would be dropped)
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the generic
routing encapsulation (GRE) tunnel router has discovered a recursive routing problem. This condition is usually due to one of
these causes: Answer: A
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself
(recursive routing) Question 5
+ A temporary instability caused by route flapping elsewhere in the network
So in this question if there is an option with either of the conditions above please choose it.
line vty 0 4
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html ip access-class 1 in
transport input telnet only
Question 3 !
ip access list permit tcp any any eq 22
How do you view an access-list that’s set on a int G0/0? ip access list permit tcp any any telnet
A. show ip access-lists int g0/0
Cisco engineer is trying to setup secure access to the router but why is SSH failing?
B. show int g0/0
C. show ip access-list applied A. access-list needs to be applied with access-group command.
D. show interface G0/0 stat B. access-list only allows telnet access.
C. They’re needed to be transport input ssh on line vty 0 4.
D. ?
Answer: A
Explanation
The “show ip access-list int …” command is only available in IOS v15 or IOS XE (you cannot find it in IOS v12):
Answer: C
Question 6
R2#sh ip access-lists ?
<1-199> Access list number Diagram showing 2 hosts each connected to different access switches. Host A in VLAN 300 Host B in VLAN 200. Why can host
<1300-2699> Access list number (expanded range) A not access a DHCP server in VLAN 200?
WORD Access list name
dynamic List dynamic IP access lists A. VLAN 200 needs to be added to access switch B.
interface List ACL attached to an interface B. Create a port channel.
| Output modifiers C. Host A has the wrong subnet mask.
<cr> D. ?
R2#sh ip access-lists int ?
Async Async interface
Auto-Template Auto-Template interface Answer: C (Host A has /24 and the gateway ( int vlan 300) was /22)
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface Question 7a
CTunnel CTunnel interface
Dialer Dialer interface There was a question on how to limit debug output for a particular interface and one of the options was debug condition
Ethernet IEEE 802.3 interface g0/0.
GMPLS MPLS interface
LISP Locator/ID Separation Protocol Virtual Interface A. debug condition interface g0/0
LongReachEthernet Long-Reach Ethernet interface B. ?
Loopback Loopback interface C. ?
Lspvif LSP virtual interface D. ?
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Answer: A
Tunnel Tunnel interface
Vif PGM Multicast Host interface Explanation
Virtual-PPP Virtual PPP interface
Virtual-TokenRing Virtual TokenRing The command “debug condition interface <interface>” command is used to disable debugging messages for all interfaces except
vmi Virtual Multipoint Interface the specified interface so in this case the debug output will be shown on Fa0/1 interface only.
Note: If in this question there is another “debug condition interface …” command configured then the answer should be both
Question 4 interfaces will show debugging ouput.
What can you use to collect stats on Cisco IOS? Question 7b
A. SNMP An exhibit showing output of a debug command that would display debugs on interfaces g0/0 and g/2, and then second output
B. LLDP showing only messages for G0/2.
C. HSRP
D. ICMP The question was what is the command that would limit the debug output as shown in the exhibit (only for G0/2)?
A. debug condition interface g0/2 Question about engineer can’t reach http://www.cisco.com server so what is the command to check the issue with presenting all
B. debug condition interface g0/0 the encountered hops
C. debug condition 192.168.22.2
D. debug condition … A. traceroute to http://www.cisco.com
B. check physical interface on firewall
C. nslookup http://www.cico.com
D. ?
Answer: A
Question 8
Answer: A
Refer to the exhibit. How would you confirm on R1 that load balancing is actually occurring on the default-network (0.0.0.0)?
Question 11
A. Use ping and the show ip route command to confirm the timers for each default network resets to 0.
B. Load balancing does not occur over default networks; the second route will only be used for failover. Which AAA command configures login using the local database?
C. Use an extended ping along with repeated show ip route commands to confirm the gateway of last resort address toggles back
and forth. A. aaa authentication login default local
D. Use the traceroute command to an address that is not explicitly in the routing table. B. ?
C. ?
D. ?
Answer: D
Question 9 Answer: A
Which statement indicates a cause for Tunnel0‘s connection failure? Question 12
A. The tunnel source interface is in an up/down state and the tunnel destination is recursively routing as a result. Which Cisco IOS feature allows you to create your own event definition for a network device and specify the action that should be
B. The tunnel destination interface is flapping, which causes the tunnel to go up and down. performed in response to that event?
C. The tunnel is configured with the wrong encapsulation.
D. The tunnel destination is intermittently reachable via multiple routing protocols. A. Embedded Event Manager (EEM)
B. ?
C. ?
D. ?
Answer: D
Explanation
Answer: A
Answer A says “the tunnel destination is recursively routing” as a result of “tunnel source interface is in up/down state” is not
correct according to this paragraph from Cisco website: Question 13a
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the generic GRE tunnel is in down/down on source host. What can be a cause? (What causes GRE tunnel interface to be in down/down state?)
these causes: A. The source interface is administrative shutdown.
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself B. physical interface of source is down/down
(recursive routing) C. Wrong source/destination addressing (something like that).
+ A temporary instability caused by route flapping elsewhere in the network D. The destination interface is down/not reachable.
Tunnel interface status depends on the IP reachability to the tunnel destination. When the router detects a recursive routing failure E. Shutdown the virtual interface
for the tunnel destination, it shuts the tunnel interface down for a few minutes so that the situation causing the problem can resolve
itself as routing protocols converge. If the problem is caused by misconfiguration, the link can oscillate indefinitely.
Another symptom of this problem is continuously flapping Enhanced Interior Gateway Routing Protocol (EIGRP), Open
Shortest Path First (OSPF), or Border Gateway Protocol (BGP) neighbors, when the neighbors are over a GRE tunnel. Answer: A (in fact it is not correct)
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html Explanation
The tunnel source does not know the state of tunnel destination so answer B is not correct. A tunnel interface is in up/down state right after we create it (with the “interface tunnel <tunnel-number>” command). We cannot
put it into down/down state, even if we shut down the source interface. We can only put it into “administratively down/down” by
If the tunnel is configured with wrong encapsulation then the tunnel is still up but packets go through it would be dropped. shutting down the tunnel itself. The tunnel interface does not change state when we change/configure the other end of the tunnel.
Although this answer seems to be correct but we believe answer D is the best choice as it matches to the above Cisco statement:
Question 13b
“Another symptom of this problem is continuously flapping Enhanced Interior Gateway Routing Protocol (EIGRP), Open
Shortest Path First (OSPF), or Border Gateway Protocol (BGP) neighbors, when the neighbors are over a GRE tunnel.“ Which scenario would cause the tunnel interface on a router to show a status of down/down?
Question 10 A. The destination address is missing on the tunnel configuration.

B. The shutdown command has been issued on the virtual interface.
Refer to exhibit. Host A is not able to https to http://www.cisco.com. All NAT was checked and confirmed as OK. What would be C. The source physical interface is in a down/down state.
the first step in troubleshooting. D. the destination router’s physical interface is shut down.
OR
Answer: B
Explanation A. Straight-through
B. Crossover
A tunnel interface is in up/down state right after we create it (with the “interface tunnel <tunnel-number>” command). We cannot C. Rollover
put it into down/down state, even if we shut down the source interface. We can only put it into “administratively down/down” by D. DB 25 DCE
shutting down the tunnel itself. Therefore in fact this question is not totally correct. The tunnel interface does not change state
when we change/configure the other end of the tunnel.
Question 14 Answer: C
There are two exhibit of GRE tunnel interface configuration on R1 and R2, they look almost identical in terms of configuration Question 5
expect on R1 the interface is configured with keepalive 4 5 and R2 doesn’t. Question says something like which statement best
describes how the GRE interfaces will behave. Which statement best describes GRE protocol?
A. R1 will send keepalives, but R2 will drop them. A. GRE adds the new IP header, encapsulates the original IP packet, and adds the GRE header at the end of the IP packet.
B. R1 does not send keepalives until R2 is also configured with keepalive. B. GRE adds the new IP header, inserts the GRE header, and encapsulates the original IP packet.
C. R1 will detect tunnel outage within 5 seconds. C. GRE uses the original IP header and adds the GRE header at the end of the packet.
D. R1 will detect tunnel outage within 20 seconds. D. GRE uses the original IP header and inserts the GRE header between the IP header and payload.
Answer: D (R1 will shutdown the tunnel after 20 sec ( 4 sec with 5 retries)) Answer: B
================================================================================== Question 6
Old Questions: A network administrator is troubleshooting an EIGRP connection between RouterA, IP address 10.1.2.1, and RouterB, IP address
10.1.2.2. Given the debug output on RouterA, which two statements are true? (Choose two)
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.1.1.1
Question 1 AS 1, Flags 0x1, Seq 478/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
K-value mismatch
Which of the following is the ping response to a transmitted ICMP echo datagram that needed to be fragmented when
fragmentation was not permitted?
A. RouterA received a hello packet with mismatched autonomous system numbers.
A. U B. RouterA received a hello packet with mismatched hello timers.
B. . C. RouterA received a hello packet with mismatched authentication parameters.
C. M D. RouterA received a hello packet with mismatched metric-calculation mechanisms.
D. D E. RouterA will form an adjacency with RouterB.
F. RouterA will not form an adjacency with RouterB.
Answer: C
Answer: D F
Question 2
Question 7
Which two of the following options are categories of Network Maintenance tasks? (Choose two)
You are troubleshooting an issue with a GRE tunnel between R1 and R2 and find that routing is OK on all intermediary routers.
A. Firefighting The tunnel is up on R1, but down on R2. Which two possible issues can prevent the tunnel from coming up? (Choose two)
B. Interrupt-driven
C. Policy-based A. The tunnel does not come up unless traffic is sent through it.
D. Structured B. The tunnel source interface is down on R2.
C. No specific route interface is down on R2.
D. R2 does not know how to reach the tunnel destination.
E. The tunnel keep alive timer doesn’t match on R1 and R2.
Answer: B D
Question 3
Answer: B D
Which three of the following are reasons EIGRP neighbor relationships might not form? (Choose three)
Question 8
A. Different autonomous system numbers
B. Different K values How to check debugging fragmentation?
C. Different timers
D. Different authentication parameters A. debug tcp
B. debug ip icmp
C. debug ip packet detail
D. debug ip policy
Answer: A B D
Question 4
What type of cable is used to connect to the console port and aux port of two routers together?
Answer: B
Question 9 Answer: B
Refer to exhibit. Question 13
(exhibit missing) Which two statements about GRE tunnels are true? (Choose two)
Which IP address should be configured as the tunnel source on the HQ router for maximum resiliency? A. GRE tunnels operate in GRE/IPsec mode by default
B. GRE tunnels operate in GRE/IP mode by default
A. Loopback IP address of HQ C. GRE encapsulates the original packet
B. Serial IP address of HQ D. The carrier protocol adds the delivery header
C. Fastethernet IP address of HQ E. The IP header encapsulates the GRE header
D. ?
Answer: B C
Answer: A
Explanation
Question 10
By default GRE tunnel operates in GRE/IP mode so the command “tunnel mode gre ip” command is not necessary -> B is correct.
WFQ not supported on control plane.
When the sending router decides to send a packet into the GRE Tunnel, it will “wrap” the whole packet into another IP packet
A. Router capabilities with two headers: one is the GRE header which uses to manage the tunnel itself. The other is called “Delivery header” which
B. bandwidth command not supported includes the new source and destination IP addresses of two virtual interfaces of the tunnel (called tunnel interfaces). This process
C. cannot be input (pick this one as fragmentation only occurs outbound, but I’m not completely sure) is called encapsulation -> C is correct.
D. missing license
Answer D seems to be correct but a bit unclear. If answer D said “GRE adds the delivery header” then it would be correct.
Answer E seems to be correct too but it said “The IP header encapsulates …” which is not totally correct. It should be “The
delivery header (not IP header) encapsulates the GRE header”.
Answer: B
Question 11
A client reports all password in plan text after running ‘show archive log config all’. How can you prevent/encrypt all messages?
A. password encrypt aes

B. hidekeys
C. service-password encryption
D. aaa authentication arap
Answer: B
Question 14
Explanation
When troubleshooting recursive routing issues with GRE tunnels, which three actions resolve the issue? (Choose three)
The command “hidekeys” (Device(config-archive-log-config)# hidekeys) suppresses the display of password information in
A. Add static routes …
configuration log files.
B. Remove the network advertisements…
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-3s/config-mgmt-xe-3s-book/cm- C. If using OSPF to peer across …
config-logger.html D. Change the tunnel source or destination interface
E. Remove the configuration on the tunnel interface and reconfigure
Question 12 F. Perform shut and no shut commands on the tunnel interface
Client X unable telnet the terminal Server – IPv6 ACL
Client X – adb:2018::xx:1 Answer: A B D

Client Y – adb:2018::xx:2
Terminal Server – adb::2018:yy:1 Question 15
something to do with sequence on ACL. Refer to the exhibit.
10 permit tcp host adb:2018::xx:2 host adb::2018:yy:1 eq telnet service password-encryption

20 deny tcp any host adb::2018:yy:1 eq telnet !
30 ? line console
password a123124
A. ? !
B. Add sequence 15 & permit tcp host adb:2018::xx:1 host adb::2018:yy:1 eq telnet line vty 0 4
C. Delete sequence 20 & add sequence 5 permit tcp host adb:2018::xx:1 host adb::2018:yy:1 eq telnet password asdfasf12
D. Add sequence 25 & permit … login
transport input telnet
What will happen if client A telnet to this device? A. encryption algorithm
B. isakmp profile name
A. Telnet will be successful C. destination IP address
B. Telnet will fail D. front door vrf name/instance
E. router event filter
Answer: A
Answer: B D
Question 16
Good reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-
Refer to the statement. ipsec-xe-3s-book/sec-crypto-debug-sup.html
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message Question 3
Which statement indicates a cause for Tunnel0’s connection failure? What are components of GRE packet? (Choose two)
A. The tunnel source interface is in an up/down state and the tunnel destination is recursively routing as a result A. GRE header
B. The tunnel destination interface is flapping, which causes the tunnel to go up and down B. Payload packet
C. The tunnel is configured with the wrong encapsulation C.
D. The tunnel destination is intermittently reachable via multiple routing protocols D.
Answer: D Answer: A B
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the generic What are properties of GRE? (Choose two)
A. Data encapsulation
these causes:
B. Multicast support
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself
(recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network
Answer: A B
So in this question if there is an option with either of the conditions above please choose it. Otherwise answer D is the best option.
Question 5
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html
What are two requirements for GRE? (Choose two)
Question 17
A. Protocol 47 should be allowed
A network engineer has configured GRE between two IOS routers. The state of the tunnel interface is continuously oscillating B. Destination of the tunnel should be reachable
between up and down. What is the solution to this problem?
A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router. Answer: A B
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable Question 6
You see a running config user logins.

Answer: A
aaa new-model
=========================================================================== aaa authentication login default tacacs+ enable
aaa authentication login ONLYLOCAL local
Old questions: aaa authentication ppp default radius local
username xxx password xxx
Question 1 line vty 0 4
password xxxxx
Which tunnel technology provide multicast, security and simplicity?
Which login procedure will ask first?
A. IPSec
B. GRE over IPSec A. RADIUS
B. TACACS+
Answer: B C. local
Question 2
Which two condition can be used to filter the output of debug crypto condition? (Choose two) Answer: B
Explanation
If under “line vty 0 4” is not configured with ONLYLOCAL group as follows: Question 9
line vty 0 4 Which statements about extended ping are true? (Choose two)
login authentication ONLYLOCAL
A. You can use data gram size option to set size of ping in bytes
Then this group would never be used for authentication. Only the default method list is used (which uses TACACS+ first then B. You can use minimum and maximum TTL
enable password if TACACS+ fails to respond). So in this question the device will authenticate with the default method list. C. You can select UDP destination port
D. You can use data pattern to troubleshoot framing error on serial lines
Question 7a E. You can use ToS bit to control fragmentation of data gram
User was not able to login using telnet.
Router#show management-interface Answer: A D

Management interface FastEthernet0/0
Protocol Packets processed Good reference:
ssh 0
snmp 0 https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
Question 10
What is the issue?
Question about creating or generating a new crypto key.
A. MPP applied on wrong interface
B. MPP does not allow telnet by default Answer: crypto key generate rsa
C. MPP is not configured for telnet
D. ? Question 11
How do you check the crypto public key?

Answer: C A. show crypto session
B. show crypto map
Explanation C. show crypto key mypubkey rsa
D. ?
According to the output above, we can conclude that MPP is enabled on Fa0/0 interface and only accepts SSH and SNMP
management protocols. In particular, MPP was configured with the following command:
Router(config)# control-plane host Answer: C

Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp
Old questions:
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html
Question 1
As a result of this, other management traffic would be blocked, including Telnet traffic.
Which alerts will be seen on the console by issuing logging console critical? (Choose three)
Question 7b
A. Emergency
R1 is configured with MPP, f0/0 is configured to connect from console. client is able to login on port 22 is but not on 23 B. Alert
C. Critical
R1# show management-interface D. Notification
Management interface FastEthernet0/0 E. Informational
SSH 42
FTP 147
HTTPs 68
Answer: A B C
A. MPP configured with only SSH
B. MPP does not allow SSH and telnet at the same time Explanation
C. MPP configured with SSH however telnet is not configured
Syslog levels are listed below
D. ?
Level Keyword Description
0 emergencies System is unusable
Answer: C
1 alerts Immediate action is needed
Question 8 2 critical Critical conditions exist
3 errors Error conditions exist
Which command will encrypt the enable password? (Choose two)
4 warnings Warning conditions exist
A. enable secret 5 notification Normal, but significant, conditions exist
B. service password-encryption
6 informational Informational messages
7 debugging Debugging messages
Answer: A (although in real life it should be B but in the exam they want answer A)
The highest level is level 0 (emergencies). The lowest level is level 7. By default, the router will send informational messages periodic daily 06:01 to 23:59
(level 6). That means it will send all the syslog messages from level 0 to 6.
D.
Question 2 time-range SWITCH_ACCESS
periodic daily 06:01 to 23:59
Question about telnet, what should be done to make router to listen only on port 3033 rather then on 23
A. add rotary 33
B. remove authentication login TTC Answer: B
C. remove authorization exec TTC
D. remove transport input telnet Question 5a
E. using access-lists
“show version” command output. – SSH not working. What is the issue?
Check the configuration register, it is 0x2142.

Answer: A
A. IOS upgrade
Explanation B. ROM memory upgrade
C. incorrect Configuration register 0x2102
Adjust the expected ssh listening port and assign that to a rotary group: D. ?
Router(config)#ip ssh port 3333 rotary 1
Apply the rotary group to your vty interface

Router(config)#line vty 0 4 Answer: C
Router(config-line)#rotary 1
Note: In this question you will be shown with the “show version” output on a router. Please check carefully if:
Your router will now listen for ssh on port 3333 on these 5 vty ports. + The “Configuration register” is set to 0x2142 or not. With this value the device will bypass the startup configuration stored in
NVRAM during its boot sequence
Question 3 + The IOS image is missing “k9” which is the security feature or not. If it is missing “k9” then we need to upgrade IOS so that
SSH can work. According to recent reports this is the correct answer.
Which two site-to-site technologies allows dynamic routing, private addressing and multicasting? (Choose two)
Question 5b
A. GRE
B. DMVPN A question with “show version” output. The register was 0x2102
C. MPLS VPN
D. IPSec A. IOS update
B. less memory
C. configuration register is wrong
D. need new boot ROM
Answer: A B
Question 4
Answer: A
User is supposed to access between 6:00 PM to 6:00 AM.
Explanation
ip access-list SWITCH_ACCESS time-range NOC_ACCESS The IOS image is missing “k9” which is the security feature or not. If it is missing “k9” then we need to upgrade IOS so that SSH
permit x.x.x.x can work. According to recent reports this is the correct answer.
!
line vty 0 4 Question 6
access-class SWITCH_ACCESS
! Must use route protocol for using TLV and fast-reroute (Choose two)
time-range NOC_ACCESS
A. ISIS
B. OSPF
C. EIGRP
! D. RIP
username NOC_ACCESS password xxxx E. RIPv2
A. Answer: A B
time-range NOC_ACCESS
periodic daily 18:00 to 06:00 Explanation
B. Prerequisites for Loop-Free Alternate Fast Reroute
time-range NOC_ACCESS Any of the following protocols must be supported for Loop-Free Alternate Fast Reroute:
periodic daily 18:00 to 23:59 – Intermediate System-to-Intermediate System (IS-IS)
periodic daily 00:00 to 06:00 – Open Shortest Path First (OSPF)
While configuring ISIS protocol, isis network point-to-point must be configured.
C.
time-range NOC_ACCESS Question 7
Which system architect allow GRE and IPSec perform routing separately? OR
A. Server-client A question about extended traceroute (Choose two)

B. peer-to-peer
C. Headend A. verbose mode
D. Backend B. strict mode
C. changing TTL
D. changing IP Header option
E. ?
Answer: C
Explanation
Answer: C D
Headend System Architectures
The following two headend system architectures are described in this design guide: Question 10a
+ Single Tier Headend Architecture – Incorporates both the p2p GRE and crypto functions onto a single routing processor.
+ Dual Tier Headend Architecture – Splits the p2p GRE and crypto functions onto two different routing processors. Which options are correct about enable secret and enable password? (Choose two)
Reference: A. Enable secret and enable password can not be configured same time
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html B. Enable password is difficult to decipher
C. Enable secret is difficult to decipher
Question 8 D. Enable password is more preferable than enable secret
E. Enable secret is more preferable than enable password
Which technology support dynamic routing and non-ip protocals?
A. Easy VPN
B. GET VPN Answer: C E
C. DMVPN
D. GRE Question 10b
Which options are correct about enable secret and enable password? (Choose two)
Answer: D A. Enable secret and enable password can not be configured same time
B. Enable password is easy to decipher
Question 9 C. Enable secret is easy to decipher
D. Enable password has higher preference than enable secret
A question about extended traceroute (Choose two) E. Enable secret has higher preference than enable password
A. TTL can be modified
B. Can use strict IP header options
C. IP header options verbose allow you to specify the hops you want the packet to go through Answer: B E
D. ?
E. ? Question 11
Which tunnel supports routing and multicasting?
Answer: A B A. DMVPN
B. GRE
OR C. IPSec
D. ?
Which two statements about traceroute are true? (Choose two)
A. It supports a variety of IP header options, including verbose

B. The DF bit is set by default Answer: B
C. The TTL value can be set to 0
D. The default probe count for each TTL level is 3 =================================================================
E. Extended traceroute operation can use a modified data pattern
Old questions:
Question 1
Answer: A D
Drag and drop the sequence for configuring SSH in correct order.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
A. ip ssh ver 2
+ Probe count: limits the number of traceroute B. ip domain-name cisco.com
+ Port Number: troubleshoot TCP and UDP port C. crypto-key generate rsa
+ Source address: troubleshoot connections generated from specific interface D. line vty 0 4
+ Max TTL: limits the number of hops a packet travel E. Transport input ssh
+ Type of Service: troubleshoot QoS issues Transport input telnet
Should read: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html

Answer: B -> C -> A -> D -> E Reference: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-
1/security/configuration/guide/syssec_cg41crs_chapter7.html#con_1013398
Question 2
Question 5
Drag and drop about uRPF strict and loose mode
Which topologies are allowed with p2p GRE over IPsec? (Choose two)
Option 1. Must have the source IP in routing table (IPv4 Source IP address must be the part of the routing table)
Option 2. Must have the same path back A. Hub and Spoke
Option 3. Supports asymmetric routing feature B. Partial mesh
Option 4. Can be used to configure on the inside interface of the Internet router C. Point to multipoint
Option 5. Can be used to configure on the outside interface of the Internet router D. Bus
Option 6. Supports symmetric routing feature E. Star
Answer:
Strict mode: Answer: A B

+ Must have the same path back
+ Can be used to configure on the inside interface of the Internet router Question 6
+ Supports symmetric routing feature
Which keywords can be used with debug condition to filter output? (Choose two)
Loose mode:
+ Must have the source IP in routing table (IPv4 Source IP address must be the part of the routing table) A. Username
+ Can be used to configure on the outside interface of the Internet router B. Interface ID
C. Port number
Question 3 D. Protocol
Ε. Packet Size
Which protocol does mGRE use to send packets?
A. DMVPN
B. NHRP Answer: A B
C. OSPF
D. IPSec Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcndtr.html
Question 7
Answer: B Output of sh access-list, what can you do to correct SSH?
Question 4 Extended IP access-list 100

Deny tcp any any eq 22
Which protocols are supported with MPP? (choose three) Permit ip any any
Extended IP access-list 150
A. HTTP only Permit tcp any any eq 23
B. HTTP and HTTPS Deny tcp any any eq 22
C. SSH Permit ip any any
D. FTP Extended IP access-list 175
E. SFTP Permit tcp any any eq 22
F. TFTP Permit tcp any any eq 23
Line vty 0 4
Access-class 100 in
Transport input ssh
Answer: B C F
A. Change access-class 100 in with access-class 150 in
Explanation B. Change transport input ssh with transport input telnet
C. Change access-class 100 in with access-class 100 out
The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which D. Change access-class 100 in with access-class 175 in
network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more
router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these
management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network
management traffic destined to the device. Answer: D
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html#wp1047623 Question 8
Following are the management protocols that the management plane protection (MPP) feature supports. These management How will you troubleshoot OSPF adjacency issue?
protocols are also the only protocols affected when MPP is enabled.
A. Using ‘debug ospf adj’ command on a router
+ SSH, v1 and v2 B. Process ID on the routers should match
+ SNMP, all versions C. Router IDs should match
+ Telnet D. Using ‘debug ospf nsf’ command
+ TFTP E. Hello timers mismatch (or Subnets should match)
+ HTTP
+ HTTPS
Answer: A E (in fact the correct answer on answer A should be “debug ip ospf adj”) Old questions:
Question 9 Question 1
Which IPSec mode with least overhead? Which two can use to protect and secure management plane from unwanted & unauthorized access? (Choose two)
A. dynamic A. Limit physical access to network devices

B. transport B. Use RADIUS instead of TACACS+ for AAA
C. transparent C. Create an ACL to permit Telnet access only
D. tunnel D. Enable authentication for the routing protection
E. Use MPP to limit the interfaces on which management traffic can traverse the device
Answer: B
Answer: A E
Explanation
Explanation
IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode encrypts only the data portion
(payload) of each packet and leaves the packet header untouched. The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which
network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more
Tunnel mode is more secure than Transport mode because it encrypts both the payload and the header. router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these
management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network
Reference: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2- management traffic destined to the device.
0/ip_security/provisioning/guide/IPsecPG1.html
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html#wp1047623
GRE IPsec tunnel mode consists of the following overhead:
Question 2
ESP Overhead: 52 Bytes
GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes One router and a computer (exhibit) 192.168.10.0/24
Total Overhead: 52 + 24 = 76 Bytes You receive timed out when you start to SSH the router. Which layer is the first that you are going to look into this matter?
GRE IPsec transport mode consists of the following overhead: A. Physical

B. Datalink
ESP Overhead: 52 Bytes C. Network
GRE Overhead: 4 (GRE) = 4 Bytes
Total Overhead: 52 + 4 = 56 Bytes
Question 10 Answer: C
A question showing EIGRP logs, something like this: Question 3
*Aug 1 13:09:38.896: EIGRP: received packet with MD5 authentication, key id = 1234 When your network experiences Cisco Discovery Protocol and LLDP issues, with which layer of the OSI model must you begin
*Aug 1 13:09:38.896: EIGRP: Received HELLO on Gi0/0 – paklen 70 nbr 192.168.1.2 troubleshooting ?
*Aug 1 13:09:38.897: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0
*Aug 1 13:09:38.898: EIGRP: Add Peer: Total 1 (3/0/0/0/0) A. Physical layer
*Aug 1 13:09:38.898: K-value mismatch B. Datalink layer
*Aug 1 13:09:38.899: EIGRP: Sending TIDLIST on GigabitEthernet0/0 – 1 items0 C. Network layer
*Aug 1 13:09:38.902: EIGRP: Sending HELLO on Gi0/0 – paklen 70 D. Transport layer
*Aug 1 13:09:38.903: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Aug 1 13:09:38.904: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.1.2 (GigabitEthernet0/0) is down: K-value
mismatch
R1# Answer: B
*Aug 1 13:09:38.905: EIGRP: Lost Peer: Total 1 (2/0/0/0/0)
*Aug 1 13:09:39.894: EIGRP: Gi0/1: ignored packet from 192.168.2.3, opcode = 5 (missing authentication) Question 4
R1#
About pass encryption in CISCO IOS software, which statement is true?
*Aug 1 13:09:40.204: EIGRP: Sending HELLO on Gi0/1 – paklen 60
*Aug 1 13:09:40.204: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 A. encrypted user type 7 password indicate hashed with MD5
B. encrypted user type 7 password indicate hashed with weak reversible
C. you can choose to encrypt enable secret pass with weak reversible or MD5
A. Hello Timers mismatches D. enable secret is more secure than enable pass, because secret store in configuration file type 7
B. Hold Timers mismatches
C. AS mismatches
D. Metric calculation mismatches Answer: B
E. Authentication mismatches
Explanation
Type 7 means the password will be encrypted when router store it in Run/Start Files using Vigenere cipher which any website with
Answer: D E type7 reversal can crack it in less than one second.
================================================================= Question 5
GRE with IPsec tunnel are true (choose two) Question 8
A. The header overhead is reduced If you want to use GRE with IPSec which compatible with NAT traversal?
B. using crypto map is the only way to encrypt a GRE Tunnel
C. crypto map required an ACL allow protocol 47 A. Enable MD5 mode
D. support hub-and-spoke topologies only B. Enable SHA mode
E. Tunnel is first encapsulated, then just encrypted C. Implement IPSec Tunnel mode
D. Implement IPSec Tunnel transport
Answer: C E
Answer: C
Question 6
Explanation
Question refering to an exhibit – something with PIM, tunnel flapping and neighboring get rejected, regardless Tunnel 1018 went
down. This is not officially written by Cisco but it is the best we can find:
A. Tunnel interface is misconfigured What is the difference between tunnel mode and transport mode?
B. PIM neighbor is misconfigured The differences are as follow; Tunnel mode is widely implemented in site-to-site VPN scenarios. While transport mode is
C. route neighbor 10.111.254.213 was removed implemented for client-to-site VPN scenarios. Also, NAT traversal is supported with the tunnel mode while NAT traversal is
D. Route flapping and instability is occuring within the network not supported with the transport mode.
E. tunnel destination using tunnel itself
Reference: https://www.coursehero.com/file/p7qcduh/No-GRE-provides-a-stateless-private-connection-15-What-is-the-GRE-
header-for-It/
Answer: D E Question 9
Explanation Troubleshoot uRPF loose mode at client gateway router for networks that are not in the routing table. (Choose two)
The tunnel destination must be the physical destination address of the other end of the tunnel. For example in this topology: A. Dynamic routing is configured on the router
B. CEF is enabled on the router
C. allow-default is configured for loose mode
D. CFE is disabled on the router
E. Static Routing is configured on the router
Answer: B C
Question 10
Which two statements about traceroute are true? (Choose two)

GRE Tunnel must be configured as follows:
A. It supports a variety of IP header options, including verbose
Then configure GRE Tunnel B. The DF bit is set by default
C. The TTL value can be set to 0
R1 R2 D. The default probe count for each TTL level is 3
interface tunnel0 interface tunnel0 E. Extended traceroute operation can use a modified data pattern
ip address 12.12.12.1 255.255.255.252 ip address 12.12.12.2 255.255.255.252
tunnel mode gre ip //this command can be ignored tunnel mode gre ip //this command can be ignored
tunnel source 192.168.13.1 tunnel source 192.168.23.2
tunnel destination 192.168.23.2 tunnel destination 192.168.13.1 Answer: A D
For R1, the tunnel destination must point to 192.168.23.2 (the physical IP address of other end of the tunnel, not 12.12.12.2 – the
other destination of the tunnel itself)
Question 7
How do you make sure AAA will still allow you to login if TACACS fails? (Choose two) =========================================================================
(or Which command enables authenticated login if a TACACS+ failure occurs?) Old questions:
A. aaa authentication login test group local tacacs+ Question 1
B. aaa authentication login test group tacacs+ local
C. aaa authentication login test group radius local The WAN link is 1500 MTU. How to configure GRE Tunnel so that the packets do not get fragmented? (Choose three)
D. aaa authentication ppp dialins group tacacs+ local
A. ip tcp path-mtu-discovery
B. ip mtu 1400
C. ip tcp adjust-mss 1360
Answer: B D. tunnel mode gre ip
E. tunnel mode gre multipoint
Move R1 to global routing
Put R3 on VRF Red
Answer: B C and ?
Question 7
Explanation
Which two protocols does the management plane protection feature support? (Choose two)
Since GRE is an encapsulating protocol, we adjust the maximum transfer unit (mtu) to 1400 bytes and maximum segment size
(mss) to 1360 bytes. Because most transport MTUs are 1500 bytes and we have an added overhead because of GRE, we must A. HTTPS
reduce the MTU to account for the extra overhead. A setting of 1400 is a common practice and will ensure unnecessary packet B. ARP
fragmentation is kept to a minimum. C. DNS
D. TFTP
Question 2 E. DHCP
Which two ACLs use with IPv6 traffic filters?
A. tagged Answer: A D
B. standard
C. named Explanation
D. numbered
E. dynamic Following are the management protocols that the management plane protection (MPP) feature supports. These management
protocols are also the only protocols affected when MPP is enabled.
+ SSH, v1 and v2
Answer: A C + SNMP, all versions
+ Telnet
Explanation + TFTP
+ HTTP
Named and tagged ACLs are both supported in IPv6. + HTTPS
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/xe-3s/ipv6-xe-36s-book/ip6-sec-trfltr-fw.html Reference: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-
1/security/configuration/guide/syssec_cg41crs_chapter7.html#con_1013398
Question 3
Question 8
Which two statements about time based ACL are true? (Choose two)
Which method should we use to troubleshooting DHCP issues?
A. It can use the router’s clock as the time source
B. Only extended ACL can use time ranges A. divide and conquer
C. It must be defined with an inspect name value B. top-down
D. It require NTP to be configured C. bottom-up
E. Both standard & extended ACLs can use time ranges D. follow-the-path
Answer: A B Answer: C
Question 4 Explanation
GRE tunnel IPv6 over IPv4 (choose two). Let’s assume that you are researching a problem of a user that cannot browse a particular website and while you are verifying the
problem, you find that the user’s workstation is not even able to obtain an IP address through the DHCP process. In this situation
it is reasonable to suspect lower layers of the OSI model and take a bottom-up troubleshooting approach.
Answer: SRC must be IPv4, IPv6 over IPv4 Reference: http://www.ciscopress.com/articles/article.asp?p=2273070&seqNum=2
Which two statements about uRPF are true? (Choose two) A router knows one destination using EIGRP and two OSPF networks, which will be the best way to determine the path? (choose
two)
A. Support with extended ACL and time based ACL
B. Applied to input interface only A. show ip eigrp topology
C. Require Cisco Express Forwarding to populate FIB B. show ip ospf database
D. It is output function C. traceroute
E. It can mitigate asymmetric routing D. ping
E. show ip route
Answer: B C
Answer: C E
Question 6
Question 10
GRE tunnel is up but the server or host cannot pass through traffic what are the two things need to be fixed? (Choose two)
Which two statements about ping & traceroute are true? (Choose two)
Answer:
A. ping only use ICMP A. change authorization level
B. only ping have TTL B. change accounting
C. to determine if a host is reachable, using traceroute is better than ping C. change authentication
D. traceroute use UDP datagram and ICMP D. create username and password
E. ping use TCP and ICMP
Answer: A
Answer: A D
Question 5
Reference: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-
traceroute.html Which trouble shooting method is used when we troubleshoot a spanning tree issue for any VLAN?
Old MCQs: A. divide and conquer

B. top-down
Question 1 C. bottom-up
D. follow-the-path
What is common protocol for ping and traceroute?
A. ICMP
B. PIM Answer: D
C. IGMP
D. IP Question 6
D&D Question on Extended Ping
Answer: A Answer:
Question 2 Tos – …quality of service

Df-bit – prevent packets from being segmented or broken up
Which two options about GRE keepalives are true? (Choose two) Data pattern – detect framing errors
Hop count – verify routing metrics
A. enabled by default Reply – verify reachability
B. supports on point-to-point GRE tunnel interface
C. supports on point-to-multipoint mGRE OR
D. support broadcast
E. supported in VRFs only if fVRF and iVRF match data pattern — troubleshoot framing errors
F. support broadcast multicast df-bit — enable do not fragment bit in IP header
source — specify source address or name
tos — specify type of service value
validate — validate reply data
Answer: B E
Good reference:
Explanation
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
GRE tunnel keepalives are only supported on point-to-point GRE tunnels. Tunnel keepalives are configurable on multipoint GRE
(mGRE) tunnels but have no effect. Question 7
GRE keepalives are not supported together with IPsec tunnel protection under any circumstances. Which two statements about IPv6 traffic filtering are true? (Choose two)
In general, tunnel keepalives will not work when VRFs are used on the tunnel interface and the fVRF (‘tunnel vrf …’) and iVRF A. needs to be enable at the interface level
(‘ip vrf forwarding …’ on tunnel interface) do not match. B. needs to enabled with egress ACL only
C. needs to be enabled with ingress ACL only
Good reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-00.html D. It performs virtual fragmentation reassembly after checking ingress ACL
E. It performs virtual fragmentation reassembly after checking egress ACLs
Question 3
When the user is changing configuration of router, which plane is affected?

Answer: A D
A. Data
B. Management Question 8
C. Control
D. Forwarding There was also a question about GRE tunnel with the options of it support multicast, broadcast traffic or only broadcast and some
other options that we needed to choose 2 correct ones.
A. GRE supports broadcast and multicast

Answer: B B. GRE tunnels broadcast traffic
C. GRE is a non-tunneling VPN technology
Question 4 D. Option about IPSec
A user is able to log into the switch but cannot go to the global config mode. What needs to be done?
Answer: A B A. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 21
B. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 23
Question 9 C. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 22
D. Access-list 142 permit tcp 10.10.15.0 0.0.0.0 any eq 22
Question about authentication, TACAS/local, based on piece of configuration
AAA and what will be the result with this configuration: it either checks the local database first or it only authenticate 2 listed
users – Answer: C
A. It will check TACAS authentication but skip for the two users created locally Or
B. aaa-new model not used and hence policy will not be applied.
C. aaa- not used hence policy will not be applied Question 3b
D. Part of the script is reject
and 1 more options Securing control plane on R1 connected via SSH to the network 10.10.0.0/16. You should choose right answers and place in right
configuring order. Not all options will be used.
Answer:
1. aaa-new-model command is not there in the script ; hence the script will not work
2. Part of the script is reject (as 2 local username and password are there)
Question 10
Drag and drop question related to Tunnel GRE. What are the require configuration and what are optional?
Answer:
Require:
+ Tunnel destination IP
+ Tunnel Original IP
+ Tunnel IP
Optional:
+ TCP MSS
+ Tunnel key
+ Tunnel mode Answer:
============================================================================= Sequence 1:
access-list X permit tcp 10.10.0.0/16 eq 22 any estab
Old questions access-list X permit tcp 10.10.0.0/16 any eq 22
Question 1 Sequence 2:
class-map match-all SSH
In which troubleshooting approach, you start troubleshooting from middle of OSI layer stack and then either go up or down layer match access-group X
for further troubleshooting?
Sequence 3:
A. Bottom-up Policy Y
B. Top-down Class SSH
C. Divide-and-conquer
D. Follow-the-path Sequence 4:
Control plane
service-policy input Y
Answer: C
Which two things should you check while troubleshooting uRPF? (Choose two) What could be reason for GRE Tunnel interface in up/down state? (Choose two)
A. uRPF enabled on interface A. GRE tunnel mode is set to transport mode

B. uRPF enabled global B. Tunnel source is in down state
C. CEF disabled C. Route to tunnel destination points to tunnel interface itself
D. CEF enabled global
E. Strict or loose mode configured global
Answer: B C
Answer: A D Question 5
Question 3a Which are valid AAA authentications methods? (Choose two)
Which access-list allows SSH access from network 10.10.15.0/24? A. Line

B. Krb6
C. LDAP A. Destination tunnel IP header
D. Local B. Source tunnel IP header
E. Blowfish C. GRE header
D. Original destination IP header
E. Original source IP header
F. Data
Answer: A D
Answer: B -> C -> E -> F
Question 6
=============================================================
Question 1
GRE Tunnel Drag and Drop. Which fields are optional and mandatory in a GRE header?
Which commands required to setup GRE tunnel between R2 & R3? (Choose two)
A.
R2:
interface tunnel 1
ip address 10.1.1.1 255.255.255.252
tunnel source 192.168.1.1
tunnel destination 192.168.2.3
B.
R3:
interface tunnel 1
ip address 10.1.1.2 255.255.255.252
tunnel source g0/0
tunnel destination 192.168.1.1
Answer: A B
Answer:
Question 7
Mandatory: Reserved0, Version, Protocol Type
While troubleshooting you noticed *** as output of traceroute command. What is the reason for that? Optional: Checksum, Key, Sequence Number
Answer: Probe is timed out. Question 2
Question 8 GRE tunnel Header. Which one is standard,which one is extended?
Drag drop question about MPP.
Answer:
Constructing the CoPP Policy

For CoPP policy construction, several steps are required to create the MQC classification and policing functions. These include:
access-list construction, class-map construction, and finally, policy-map construction.
https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html
Question 9
Drag Drop question about four valid debug commands on switch (Choose four)
A. debug hsrp
B. debug glbp errors
C. debug ip igmp snooping
D. debug ip interface route-cache
E. debug spanning-tree mstp init Answer:
Standard Header: Checksum, Reserved0, Version, Protocol Type
Answer: B C D E Extended Header: Sequence Number, Key
Drag and drop question. Choose and place in the right order headers when monitoring GRE packet What IP header option fields can you modify in an extended ping? (Choose three)
A. Value
B. Strict
C. Record
D. Timestamp
E. Timeout
Answer: B C D
Explanation
All of these can be modified: protocol, IP destination address, repeat count, Datagram size, Timeout, source address/interface, type
of service, DF bit, Validate reply data, Data pattern, Loose, Strict, Record, Timestamp, Verbose, Sweep range of sizes.
Question 4
Select valid type of tunnels mode (Choose four)
A. GRE
B. 6to4
C. ISATAP
D. NHRP
E. IPv6IP
F. mGRE
Answer: A B C E
Question 5
Associate debug and show commands with what they do (7 options)
Answer:
debug ip mpacket <-> multicast packet

debug standby errors<-> HSRP issues
debug ip packet <-> All IPv4 information
debug ipv6 packet <-> All IPv6 information
debug vlan <-> 802.1q troubleshoot
debug ip cef <-> hardware forwarding
Question 6
Extended Traceroute Drag Drop. What extended tracroute troubleshooting functions?
+ Probe count <-> limits the number of traceroute

+ Port Number <-> troubleshoot TCP and UDP port
+ Source address <-> troubleshoot connections generated from specific interface
+ Max TTL <-> limits the number of hops a packet travel
+ Type of Service <-> troubleshoot QoS issues
Comments (46) Comments

Comment pages
« Previous 1 … 64 65 66 707
1. Gabox
June 11th, 2019
Hello people, just passed my exam, the question from @Shinigami did came on my exam too exactly as he said, passed with
94x/1000, there was a ticket of ipv6 redistribution from ospfv3 to rip and another from rip to ospf, read carefully, also the
variation of ticket 11 came on my exam were the route map has the deny on the ospf to eigrp.
Also the parts that i had less points were as dollows, 33% on network principles and 75% on vpn technologies, not sure
what i had wrong
2. John
June 11th, 2019

TSHOOT Questions and Answers Multiple Choice Questions

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

TSHOOT Questions and Answers Multiple Choice Questions

Hochgeladen von

Copyright:

Verfügbare Formate

remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.

Refer to the exhibit.

aaa authentication login default group tacacs+ local-case line

A. the ACL “time-range” blocks the traffic

What is tshoot method use in DHCP problem? Question 12

A. top down Refer to the exhibit.

SSH has the following options:

Which reversible encryption method is used?

================New Multiple Choice Questions (updated on 10th-Mar-2019)================

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html A. session-limit

enable secret 8 8asdknkjajf89nklasdnflkjajnslkdf

interface tunnel0 Answer: A

Question about “show debug condition” command.

Answer: A What is the output of “show debug condition “?

We tested it with IOSv15.4 and this is the result:

A. Configure static ARP in gateway router

Which statement about the INTERNET ACL is true?

Similar to this question:

A. tunnel route-via ethernet0/1 How to apply an IPv6 access-list to lines?

Answer: df bit is set (should be unset, mtu issue)

A. Create a firewall rule to allow IP protocol 47

Question 9 One question about OSPF and IBGP.

aaa new-model A. set the MTU on the tunnel interface to 1476

What can you use to collect stats on Cisco IOS? Question 7b

Which statement indicates a cause for Tunnel0‘s connection failure? Question 12

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html Explanation

Question 10 A. The destination address is missing on the tunnel configuration.

Refer to exhibit. Question 13

A. password encrypt aes

Client X unable telnet the terminal Server – IPv6 ACL

Client X – adb:2018::xx:1 Answer: A B D

something to do with sequence on ACL. Refer to the exhibit.

10 permit tcp host adb:2018::xx:2 host adb::2018:yy:1 eq telnet service password-encryption

You see a running config user logins.

Router#show management-interface Answer: A D

How do you check the crypto public key?

Router(config)# control-plane host Answer: C

Check the configuration register, it is 0x2142.

Apply the rotary group to your vty interface

A. Server-client A question about extended traceroute (Choose two)

Which tunnel supports routing and multicasting?

A. It supports a variety of IP header options, including verbose

Should read: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html

Strict mode: Answer: A B

Answer: B Output of sh access-list, what can you do to correct SSH?

Question 4 Extended IP access-list 100

A. dynamic A. Limit physical access to network devices

GRE IPsec transport mode consists of the following overhead: A. Physical

A question showing EIGRP logs, something like this: Question 3

Which two statements about traceroute are true? (Choose two)

Which two ACLs use with IPv6 traffic filters?

Old MCQs: A. divide and conquer

D&D Question on Extended Ping

Question 2 Tos – …quality of service

When the user is changing configuration of router, which plane is affected?

A. GRE supports broadcast and multicast

A. uRPF enabled on interface A. GRE tunnel mode is set to transport mode

Question 3a Which are valid AAA authentications methods? (Choose two)

Which access-list allows SSH access from network 10.10.15.0/24? A. Line

Answer: Probe is timed out. Question 2

Question 8 GRE tunnel Header. Which one is standard,which one is extended?

Drag drop question about MPP.

Constructing the CoPP Policy