Beruflich Dokumente
Kultur Dokumente
Notice that in the exam, the tickets are randomly given so the best way to troubleshooting is to
try pinging to all the devices from nearest to farthest from the client until you don‘t receive the
replies.
One more thing to remember: you can only use ―show‖ commands to find out the problems and
you are not allowed to make any changes in the configuration. In fact, in the exam you can not
enter the global configuration mode!
Multiple Choice Questions
http://www.networktut.com/multiple-choice-questions
Question 1
A. telnet
B. scp
C. tftp
D. smtp
Answer: A C
Explanation
Following are the management protocols that the MPP feature supports. These management
protocols are also the only protocols affected when MPP is enabled.
+ Blocks Extensible Exchange Protocol (BEEP)
+ FTP
+ HTTP
+ HTTPS
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.h
tml
Question 2
OSPF neighbor not forming. Exhibit shows DBD packets are being re-transmitted to the
neighbor. Debug shows that Exstart state to Down. What is the reason?
A. MTU mismatch
B. The router did not receive a Hello packet
C. OSPF is not running on the other router
D. The packet does not have RID
Answer: A
Explanation
After two OSPF neighboring routers establish bi-directional communication and complete
DR/BDR election (on multi-access networks), the routers transition to the exstart state. In this
state, the neighboring routers establish a master/slave relationship and determine the initial
database descriptor (DBD) sequence number to use while exchanging DBD packets.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-
12.html
Question 3
Question about PPTP tunnel is not forming. There is a NAT device. Which two filters should be
captured to check all the tunnel traffic? (Choose two)
Answer: D E
Explanation
The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure
transfer of data from a remote client to an enterprise server by creating a VPN across TCP/IP-
based data networks. PPTP encapsulates PPP packets into IP datagrams for transmission over
the Internet or other public TCP/IP-based networks.
PPTP establishes a tunnel for each communicating PPTP network server (PNS)-PPTP Access
Concentrator (PAC) pair. After the tunnel is set up, PPP packets are exchanged using enhanced
generic routing encapsulation (GRE). A call ID present in the GRE header indicates the session
to which a particular PPP packet belongs.
Network Address Translation (NAT) translates only the IP address and the port number of a
PPTP message. Static and dynamic NAT configurations work with PPTP without the
requirement of the PPTP application layer gateway (ALG). However, Port Address Translation
(PAT) configuration requires the PPTP ALG to parse the PPTP header and facilitate the
translation of call IDs in PPTP control packets. NAT then parses the GRE header and translates
call IDs for PPTP data sessions. The PPTP ALG does not translate any embedded IP address in
the PPTP payload. The PPTP ALG is enabled by default when NAT is configured.
NAT recognizes PPTP packets that arrive on the default TCP port, 1723, and invokes the PPTP
ALG to parse control packets. NAT translates the call ID parsed by the PPTP ALG by assigning
a global address or port number. Based on the client and server call IDs, NAT creates two doors
based on the request of the PPTP ALG. ( A door is created when there is insufficient
information to create a complete NAT-session entry. A door contains information about the
source IP address and the destination IP address and port.) Two NAT sessions are created (one
with the server call ID and the other with the client call ID) for two-way data communication
between the client and server. NAT translates the GRE packet header for data packets that
complies with RFC 2673.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-
16/nat-xe-16-book/iadnat-pptp-pat.html
Question 4
The user was able to access the router via line vty 5 min ago. But he is no longer able to log in
now. No change in the network. What is the issue?
A. exec-timeout 0 0
B. all line vty in use.
C. SSH is not configured
D. Console line is in use by someone else
Answer: B
Question 5
Answer:
Question 6
The command ―ip verify unicast source reachable-via any‖ is configured on the interface.
Router received with source IP address 172.16.100.10. Routing table shows a valid route to
172.16.100.0/24 is learned via OSPF.
There is a null static route to 172.16.0.0/16.
Question is what the router will do that packet?
Explanation
Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets.
If it matches with the interface used to reach this source IP then the packets are allowed to enter
(strict mode).
The any option enables a Loose Mode uRPF on the router. This mode allows the router to
reach the source address via any interface.
The rx option enables a Strict Mode uRPF on the router. This mode ensures that the router
reaches the source address only via the interface on which the packet was receive.
In this case the router was configured with uRPF in loose mode.
Question 7
After applying below config on one router, OTHER router started showing authentication errors
(you will see output log with errors).
Applied configuration:
Standby 100
Standby 100 vip 172.x.x.x
Standby 100 md5 authentictaion cisco123!
Question 8
High CPU utilization of the router. How to display the lines including a process name Or
beginning with CPU from show proc cpu output.
Answer: C
Explanation
Question 9
Someone has changed the password for a router and saved the configuration, anyway he forget
the password and unable to access the router anymore. Which actions needed to solve the issue?
Answer: B
Explanation
With the value 0x2142, the device will bypass the startup configuration stored in NVRAM
during its boot sequence.
Question 10
Answer: B
Explanation
In order to make a Point-to-Point GRE Tunnel interface in up/up state, two requirements must
be met:
+ A valid tunnel source (which is in up/up state and has an IP address configured on it) and
tunnel destination must be configured
+ A valid tunnel destination is one which is routable. However, it does not have to be reachable.
Question 11
Router L ==== Router C ==== Router R
L and R routers were showing GRE and IPSec configurations, questions is an ACL applied in
router C is blocking all IP traffic, which protocol should be allowed in the ACL to allow traffic.
A. ESP
B. GRE
C. ICMP
D. UDP
Answer: D
Explanation
GRE with IPSec traffic will be encrypted/encapsulated inside an ESP packet. ESP packet, in
turn, will be encapsulated inside a UDP port 500 (or UDP port 4500 in case of NAT) datagram.
Therefore we have to permit UDP port 500/4500 on the middle routers so that GRE with IPSec
traffic can flow through.
Question 12
There is a time-range acl but the query is to resolve a ping issue from interface eth0/0 to a host
on 172.16.10.100 with an ACL line. The ACL is applied inbound of the router. The question
asks what ACL line needs to be added in order to allow ping access from the local router to
server 172.16.10.100.
Answer: E
Explanation
This ACL was applied to the inbound direction of e0/0 interface so we need to permit the ICMP
reply packet to go through. Therefore the source IP address must be the server IP address and
the destination IP address range must cover the e0/0 interface IP address. In this case only
answer E with the destination wildcard mask of 0.0.0.31 covers 10.1.1.25 so it is the correct
answer. Notice that answer A has similar solution but its wildcard mask of 0.0.0.15 does not
cover 10.1.1.25.
Note: There are two cases for ticket 11 so please check them carefully
Problem was disable authentication on R1, check where authentication is not given under router
ospf of R1. (use ipv4 Layer 3)
Configuration of R1:
interface Serial0/0/0
description Link to R2
ip address 10.1.1.1 255.255.255.252
ip nat inside
encapsulation frame-relay
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf network point-to-point
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 10.1.2.0 0.0.0.255 area 12
network 10.1.10.0 0.0.0.255 area 12
default-information originate always
!
Configuration of R2:
interface Serial0/0/0.12 point-to-point
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TSHOOT
!
Ans1) R1
Ans2) IPv4 OSPF Routing
Ans3) Enable OSPF authentication on the s0/0/0 interface using the ―ip ospf authentication
message-digest‖ command.
Ticket 2 – HSRP Track (removed)
HSRP was configured on DSW1 & DSW2. DSW1 is configured to be active but it does not
become active.
Configuration of DSW1:
interface Vlan10
ip address 10.2.1.1 255.255.255.0
standby 10 ip 10.2.1.254
standby 10 priority 200
standby 10 preempt
standby 10 track 1 decrement 60
Note: 10.1.21.129 is the IP address of a loopback interface on R4. This IP belongs to subnet
10.1.21.128/27.
Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10 (standby 10 track
10 decrement 60).
Note: For more information about IP route tracking and why the command ―threshold metric up
63 down 64″ is used here please read this tutorial: http://networktut.iptut.com/hsrp-ip-route-
tracking.
Configuration of R1:
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.56.200.226 remote-as 65002
no auto-summary
Ans1) R1
Ans2) BGP
Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the
neighbor command (change ―neighbor 209.56.200.226 remote-as 65002″ to ―neighbor
209.65.200.226 remote-as 65002″)
!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat inside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest
Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside
command.
Ticket 5 – R1 ACL
Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!
Answer:
Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‗ip access-list extended edge_security‘ configuration add the ‗permit ip
209.65.200.224 0.0.0.3 any‘ command.
Note:
+ This is the only ticket the extended access-list edge_security exists. In other tickets, the
access-list 30 is applied to the inbound direction of S0/0/1 of R1.
Vlan Access map is applied on DSW1 blocking the ip address of client 10.2.1.3
Configuration on DSW1
vlan access-map test1 10
action drop
match ip address 10
vlan access-map test1 20
action drop
match ip address 20
vlan access-map test1 30
action forward
match ip address 30
vlan access-map test1 40
action forward
!
vlan filter test1 vlan-list 10
!
access-list 10 permit 10.2.1.3
access-list 20 permit 10.2.1.4
access-list 30 permit 10.2.1.0 0.0.0.255
!
interface VLAN10
ip address 10.2.1.1 255.255.255.0
Ans1) DSW1
Ans2) VLAN ACL/Port ACL
Ans3) Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.
Note: After choosing DSW1 for Ans1, next page (for Ans2) you have to scroll down to find the
VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to
be seen. Also make sure you choose DSW1 (not ASW1) for the first question as there is also
"VLAN ACL/Port ACL" option for answer 2 if you choose ASW1 but it is wrong.
Configuration of ASW1
interface fa1/0/1
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0001
Ans1) ASW1
Ans2) Port security
Ans3) In Configuration mode, using the interface range Fa1/0/1 – 2, then no switchport port-
security, followed by shutdown, no shutdown interface configuration commands.
Ans1) ASW1
Ans2) Access Vlans
Ans3) In Configuration mode, using the ‗interface range Fastethernet 1/0/1 – 2‘, then
‗switchport access vlan 10‘ command.
Ans1)ASW1
Ans2)Switch to switch connectivity
Ans3)Under interface Port-Channel 13, 23, add vlan 10,200 and then no shutdown interface
fa1/0/1
Check ip eigrp neighbors from DSW1 you will not see R4 as neighbor.(use ipv4 Layer 3)
‗Show ip route‘ on DSW1 you will not see any 10.x.x.x network route.
On DSW1 & DWS2 the EIGRP AS number is 10 (router eigrp 10) but on R4 it is 1 (router eigrp
1)
Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Change the ―route-map OSPF->EIGRP deny 20‖ to ―route-map OSPF->EIGRP permit
20‖
In this topology, we are doing mutual redistribution at multiple points (between OSPF and
EIGRP on R4, DSW1 & DSW2), which is a very common cause of network problems,
especially routing loops so you should use route-map to prevent redistributed routes from
redistributing again into the original domain.
In this ticket, route-map is also used for this purpose. For example, the route-map ―EIGRP-
>OSPF‖ is used to prevent any routes that have been redistributed into OSPF from redistributed
again into EIGRP domain by tagging these routes with tag 90. These routes are prevented from
redistributed again by route-map OSPF->EIGRP by denying any routes with tag 90 set.
Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Under the EIGRP process, delete the ‗redistribute ospf 1 route-map OSPF->EIGRP‘
command and enter ‗redistribute ospf 1 route-map OSPF_to_EIGRP‘ command.
Configuration of R2
ipv6 router ospf 6
!
interface s0/0/0.23
ipv6 address 2026::1:1/122
Configuration of R3
ipv6 router ospf 6
router-id 3.3.3.3
!
interface s0/0/0.23
ipv6 address 2026::1:2/122
ipv6 ospf 6 area 0
Answer:
Ans1) R2
Ans2) IPv6 OSPF Routing
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (notice that it is ―area
0″, not ―area 12″)
Configuration on DSW1:
!
interface Vlan 10
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.2.21.129
!
Note: In this ticket you will find port-security configured on ASW1 but it is not the problem.
Ans1) DSW1
Ans2) IP DHCP Server (or DHCP)
Ans3) on DSW1 delete ―ip helper-address 10.2.21.129‖ and apply ―ip helper-address
10.1.21.129‖ command
Answer 1) R4
Answer 2) IPv4 EIGRP Routing
Answer 3) enter no passive interface for interfaces connected to DSW1 under EIGRP process
(or in Interface f0/1 and f0/0, something like this)
Note: There is a loopback interface on this device which has an IP address of 10.1.21.129 so we
have to include the ―network 10.1.21.128 0.0.0.3‖ command.
* Just for your information, in fact Clients 1 & 2 in this ticket CANNOT receive IP addresses
from DHCP Server because DSW1 cannot reach 10.1.21.129 (an loopback interface on R4)
because of the ―passive-interface default‖ command. But in the exam you will see that Clients 1
& 2 can still get their IP addresses! It is a bug in the exam.
Configuration of R3:
!
interface Tunnel34
no ip address
ipv6 address 2026::34:1/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0.34
tunnel destination 10.1.1.10
tunnel mode ipv6
!
Configuration of R4:
interface Tunnel34
no ip address
ipv6 address 2026::34:2/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0
tunnel destination 10.1.1.9
!
Answer:
Ans1) R3
Ans2) Ipv4 and Ipv6 Interoperability
Ans3) Under the interface Tunnel34, remove ‗tunnel mode ipv6′ command
Configuration of R4:
ipv6 router ospf 6
log-adjacency-changes
!
ipv6 router rip RIP_ZONE
redistribute ospf 6 metric 2 include-connected
!
Answer:
Ans1) R4
Ans2) Ipv6 OSPF Routing
Ans3) Under ipv6 ospf process add the ‗redistribute rip RIP_Zone include-connected‘ command
Answer:
Ans1) ASW1
Ans2) Access VLANs
Ans3) In configuration mode, use ‗interface range fa1/0/1-2‘ then ‗switchport mode access‘,
then ‗no switchport trunk encapsulation dot1q‘