Beruflich Dokumente
Kultur Dokumente
Notice that in the exam, the tickets are randomly given so the best way to troubleshooting is to
try pinging to all the devices from nearest to farthest from the client until you don‘t receive the
replies.
One more thing to remember: you can only use ―show‖ commands to find out the problems and
you are not allowed to make any changes in the configuration. In fact, in the exam you can not
enter the global configuration mode!
Multiple Choice Questions
https://www.networktut.com/multiple-choice-questions
Question 1
Answer: D
Explanation
So in this question maybe there is something wrong with the tunnel destination so we should
add static route to solve it.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-
protocol-eigrp/22327-gre-flap.html
Question 2
Something related to a firewall in the middle of the path and how to make it reachable. Which
port should be allowed?
A. port 47
B. port 50
C. TCP port 1723
D. IP protocol 47
Answer: D
Question 3
What is the output of the ―show crypto ipsec sa | in indent‖? (There is an output of the access-
list with ―permit gre any any‖)
Answer: B
Explanation
The line ―local ident (addr/mask/prot/port)‖ means local selector that is used for encryption and
decryption.
The answer of this question is based on the ACL applied. Thanks Shaunthesheep for sharing
this:
VPN Tunnel can be established using IPSec or IPSec+GRE. The configuration requires to
define a Crypto map which refers to an ACL for Interesting traffic or the traffic to be encrypted.
Look for the values in the ACL. e.g.
1) permit gre any any —> Answer will be both local and remote indent address entries as 0 and
47 in the protocol field. Like this :
2) Permit ip any any —> Answer will be both local and remote indent address entries as 0 and 0
in the protocol field. Like this :
3) Permit ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255 —> Answer will be both local and remote
indent address entries as in ACL and 0 in the protocol field. Like this :
local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
Update: We cannot explain why all fields are ―0‖ here but our candidates got full mark so please
choose it.
Question 4
A. document it
B. knowledge transfer
C. result analysis
D. ?
Answer: A
Explanation
Although some online document does not mention about step 8 (document the changes) (like
the link http://www.ciscopress.com/articles/article.asp?p=1578504&seqNum=2) but this step is
very important so that repeated issue can be solved quickly in the future.
Question 5
A.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.0.255
B.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.255.255
C.
ip access-list extended 101
no 100
Answer: B (Modify access-list , no entry 30 and re-add it changing the netmask to 192.168.0.0
0.0.255.255)
Question 6
A topology with three routers R1, R2 and R3 connected to each other and a list of ACL
statements to choose. The question asks which sequence number prevented connection from R1
to R2 via SSH.
R1 Lo0: x:x::1
R2 Lo0: y:y::2
R3 Lo0: z:z::3
Answer: 20 deny tcp x:x::/64 host y:y::2 eq 22 (so choose the sequence number 20)
Question 7
A. CEF
B. VRF
Answer: A
Question 8
Answer: A
Explanation
Question 9
Answer: C
Question 10
Topology with three switches which are connected to each other via Gi0/0 & Gi0/1. All
interfaces are configured in VLAN 100 and voice VLAN 101. Duplex mismatch between two
switches (one interface in full duplex which the opposite interface in half duplex). Spanning tree
is detecting a loop in the network, what is causing the loop.
A. duplex mismatch
B. speed mismatch
C. vlan missconfiguration
Answer: A
Explanation
Duplex mismatch is a configuration issue where one side of the network is set to one duplex
mode and the other to another duplex mode. Having one bridge on half duplex and the other on
full duplex results in collisions that cause bridging loops
Question 11
A. NPD is not working correctly because NS and NA messages are being denied
B. A packet with source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port
80 will be permitted
C. HTTPS traffic from the 2001:DB80:AD59:BA21::/64 subnet will automatically be permitted
along with HTTP traffic
D. A packet with source address 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied
Answer: A
Explanation
Answer B and C are not correct as the IPv6 address 2001:DB80:AD59… is different from the
IPv6 address 2001:DB8:AD59… (trailing 0 cannot be omitted).
For your information, by default an IPv6 ACL has three implicit statements at the end:
+ permit icmp any any nd-na
+ permit icmp any any nd-ns
+ deny ipv6 any any
The first two statements are required for IPv6 neighbor discovery protocol which are very
important so they are always permitted in an IPv6 ACL. But in this case we explicitly used the
―deny ipv6 any any (log)‖ command so the two above commands must be typed just before the
last statement (―deny ipv6 any any log‖) or that traffic will be blocked.
Question 12
A. Policy-map
B. Control-plane
C. Access-list
D. Class-map
Answer: B
Note: There are two cases for ticket 11 so please check them carefully
Problem was disable authentication on R1, check where authentication is not given under router
ospf of R1. (use ipv4 Layer 3)
Configuration of R1:
interface Serial0/0/0
description Link to R2
ip address 10.1.1.1 255.255.255.252
ip nat inside
encapsulation frame-relay
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf network point-to-point
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 10.1.2.0 0.0.0.255 area 12
network 10.1.10.0 0.0.0.255 area 12
default-information originate always
!
Configuration of R2:
interface Serial0/0/0.12 point-to-point
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TSHOOT
!
Ans1) R1
Ans2) IPv4 OSPF Routing
Ans3) Enable OSPF authentication on the s0/0/0 interface using the ―ip ospf authentication
message-digest‖ command.
Configuration of DSW1:
interface Vlan10
ip address 10.2.1.1 255.255.255.0
standby 10 ip 10.2.1.254
standby 10 priority 200
standby 10 preempt
standby 10 track 1 decrement 60
Note: 10.1.21.129 is the IP address of a loopback interface on R4. This IP belongs to subnet
10.1.21.128/27.
Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10 (standby 10 track
10 decrement 60).
Note: For more information about IP route tracking and why the command ―threshold metric up
63 down 64″ is used here please read this tutorial: http://networktut.iptut.com/hsrp-ip-route-
tracking.
Configuration of R1:
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.56.200.226 remote-as 65002
no auto-summary
Ans1) R1
Ans2) BGP
Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the
neighbor command (change ―neighbor 209.56.200.226 remote-as 65002″ to ―neighbor
209.65.200.226 remote-as 65002″)
!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat inside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest
Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside
command.
Ticket 5 – R1 ACL
Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!
Answer:
Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‗ip access-list extended edge_security‘ configuration add the ‗permit ip
209.65.200.224 0.0.0.3 any‘ command.
Note:
+ This is the only ticket the extended access-list edge_security exists. In other tickets, the
access-list 30 is applied to the inbound direction of S0/0/1 of R1.
Vlan Access map is applied on DSW1 blocking the ip address of client 10.2.1.3
Configuration on DSW1
vlan access-map test1 10
action drop
match ip address 10
vlan access-map test1 20
action drop
match ip address 20
vlan access-map test1 30
action forward
match ip address 30
vlan access-map test1 40
action forward
!
vlan filter test1 vlan-list 10
!
access-list 10 permit 10.2.1.3
access-list 20 permit 10.2.1.4
access-list 30 permit 10.2.1.0 0.0.0.255
!
interface VLAN10
ip address 10.2.1.1 255.255.255.0
Ans1) DSW1
Ans2) VLAN ACL/Port ACL
Ans3) Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.
Note: After choosing DSW1 for Ans1, next page (for Ans2) you have to scroll down to find the
VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to
be seen. Also make sure you choose DSW1 (not ASW1) for the first question as there is also
"VLAN ACL/Port ACL" option for answer 2 if you choose ASW1 but it is wrong.
Configuration of ASW1
interface fa1/0/1
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0001
Ans1) ASW1
Ans2) Port security
Ans3) In Configuration mode, using the interface range Fa1/0/1 – 2, then no switchport port-
security, followed by shutdown, no shutdown interface configuration commands.
Answer:
Ans1) ASW1
Ans2) Access Vlans
Ans3) In Configuration mode, using the ‗interface range Fastethernet 1/0/1 – 2‘, then
‗switchport access vlan 10‘ command.
Ans1)ASW1
Ans2)Switch to switch connectivity
Ans3)Under interface Port-Channel 13, 23, add vlan 10,200 and then no shutdown interface
fa1/0/1
Check ip eigrp neighbors from DSW1 you will not see R4 as neighbor.(use ipv4 Layer 3)
‗Show ip route‘ on DSW1 you will not see any 10.x.x.x network route.
On DSW1 & DWS2 the EIGRP AS number is 10 (router eigrp 10) but on R4 it is 1 (router eigrp
1)
Ans1) R4
Ans2) EIGRP
Ans3) Change EIGRP AS number from 1 to 10
Ticket 11a – Redistribution Route-map
On R4:
router eigrp 10
redistribute ospf 1 route-map OSPF->EIGRP
network 10.1.4.0 0.0.0.255
network 10.1.10.0 0.0.0.255
network 10.1.21.128 0.0.0.3
default-metric 100000 100 100 1 1500
no auto-summary
!
route-map OSPF->EIGRP deny 10
match tag 90
route-map OSPF->EIGRP deny 20
set tag 110
Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Change the ―route-map OSPF->EIGRP deny 20‖ to ―route-map OSPF->EIGRP permit
20‖
In this topology, we are doing mutual redistribution at multiple points (between OSPF and
EIGRP on R4, DSW1 & DSW2), which is a very common cause of network problems,
especially routing loops so you should use route-map to prevent redistributed routes from
redistributing again into the original domain.
In this ticket, route-map is also used for this purpose. For example, the route-map ―EIGRP-
>OSPF‖ is used to prevent any routes that have been redistributed into OSPF from redistributed
again into EIGRP domain by tagging these routes with tag 90. These routes are prevented from
redistributed again by route-map OSPF->EIGRP by denying any routes with tag 90 set.
Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Under the EIGRP process, delete the ‗redistribute ospf 1 route-map OSPF->EIGRP‘
command and enter ‗redistribute ospf 1 route-map OSPF_to_EIGRP‘ command.
Configuration of R2
ipv6 router ospf 6
!
interface s0/0/0.23
ipv6 address 2026::1:1/122
Configuration of R3
ipv6 router ospf 6
router-id 3.3.3.3
!
interface s0/0/0.23
ipv6 address 2026::1:2/122
ipv6 ospf 6 area 0
Answer:
Ans1) R2
Ans2) IPv6 OSPF Routing
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (notice that it is ―area
0″, not ―area 12″)
Configuration on DSW1:
!
interface Vlan 10
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.2.21.129
!
Note: In this ticket you will find port-security configured on ASW1 but it is not the problem.
Ans1) DSW1
Ans2) IP DHCP Server (or DHCP)
Ans3) on DSW1 delete ―ip helper-address 10.2.21.129‖ and apply ―ip helper-address
10.1.21.129‖ command
Answer 1) R4
Answer 2) IPv4 EIGRP Routing
Answer 3) enter no passive interface for interfaces connected to DSW1 under EIGRP process
(or in Interface f0/1 and f0/0, something like this)
Note: There is a loopback interface on this device which has an IP address of 10.1.21.129 so we
have to include the ―network 10.1.21.128 0.0.0.3‖ command.
* Just for your information, in fact Clients 1 & 2 in this ticket CANNOT receive IP addresses
from DHCP Server because DSW1 cannot reach 10.1.21.129 (an loopback interface on R4)
because of the ―passive-interface default‖ command. But in the exam you will see that Clients 1
& 2 can still get their IP addresses! It is a bug in the exam.
Configuration of R3:
!
interface Tunnel34
no ip address
ipv6 address 2026::34:1/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0.34
tunnel destination 10.1.1.10
tunnel mode ipv6
!
Configuration of R4:
interface Tunnel34
no ip address
ipv6 address 2026::34:2/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0
tunnel destination 10.1.1.9
!
Answer:
Ans1) R3
Ans2) Ipv4 and Ipv6 Interoperability
Ans3) Under the interface Tunnel34, remove ‗tunnel mode ipv6′ command
Configuration of R4:
ipv6 router ospf 6
log-adjacency-changes
!
ipv6 router rip RIP_ZONE
redistribute ospf 6 metric 2 include-connected
!
Answer:
Ans1) R4
Ans2) Ipv6 OSPF Routing
Ans3) Under ipv6 ospf process add the ‗redistribute rip RIP_Zone include-connected‘ command
interface fa1/0/1
switchport access vlan 10
switport mode trunk
switport trunk encapsulation dot1q
interface fa1/0/2
switchport access vlan 10
switport mode trunk
switport trunk encapsulation dot1q
Answer:
Ans1) ASW1
Ans2) Access VLANs
Ans3) In configuration mode, use ‗interface range fa1/0/1-2‘ then ‗switchport mode access‘,
then ‗no switchport trunk encapsulation dot1q‘