
MCQ – Networktut (Premium Account) 27th Nov to 27th Dec

=================== New Multiple-Choice Questions (updated on 13th-Nov-2019) ===================

Question 1
Which configuration command is used to add an IPv6 ACL to an interface?
A. ipv6 access-class (in/out)
B. ipv6 traffic-filter (in/out)
C. ip access-class (in/out)
D. ip access-group (in/out)
Answer: B
Question 2
Refer to the exhibit.

R1#debug ip ospf adj


OSPF adjacency events debugging is on
* Feb 4 10:34:34.245: OSPF: Cannot see ourself in hello from 192.168.1.10 on Serial0/0/0, state INIT
* Feb 4 10:34:34.248: OSPF: Rcv DBD from 192.168.1.10 on Serial0/0/0 seq 0x17B opt 0x58 flag 0x7 len 32 mtu 1500 state INIT
* Feb 4 10:34:34.248: OSPF: 2 Way Communication to 192.168.1.10 on Serial0/0/0, state 2WAY
* Feb 4 10:34:34.252: OSPF: Rcv DBD from 192.168.1.10 on Serial0/0/0 seq 0x23B0 opt 0x58 flag 0x3 len 112 mtu 1500 state ___________

Which output is expected in the blank line?


A. DOWN
B. EXSTART
C. LOADING
D. EXCHANGE
Answer: B
Explanation
Neighbors Stuck in Exstart/Exchange State
The problem occurs most frequently when attempting to run OSPF between a Cisco router and another vendor’s router.
The problem occurs when the maximum transmission unit (MTU) settings for neighboring router interfaces don’t match.
If the router with the higher MTU sends a packet larger than the MTU set on the neighboring router, the neighboring router ignores the packet.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-12.html
Question 3 ***
The exhibit shows “show spanning-tree” output with G1/1 at cost 4 and G1/2 at cost 1. Which command makes G1/1 the new root port?
A. spanning-tree cost 1 on interface g1/1
B. spanning-tree cost 5 on interface g1/2
C. spanning-tree port priority 0 on g1/1
D. spanning-tree port priority 0 on g1/2
Answer: B
Question 4 ***
Which two commands are used to view uRPF drops? (Choose two)
A. show ip interface
B. show interface
C. show ip cef
D. show ip traffic
E. show cef traffic
Answer: A D
Explanation
With uRPF properly deployed and configured throughout the network infrastructure, administrators can use the show cef
interface type slot/port internal, show ip interface, show cef drop, show ip cef switching statistics feature, and show
ip traffic commands to identify the number of packets that uRPF has dropped.
Note: Beginning with Cisco IOS Software Release 12.4(20)T, the command show ip cef switching has been replaced
by show ip cef switching statistics feature.
Reference: https://www.cisco.com/c/en/us/about/security-center/identification-ios-security-mitigations-effectiveness.html
Question 5
Drag-and-drop question about the bottom-up troubleshooting method.
Following the bottom-up troubleshooting method, order steps 1 to 4 for solving an issue with an IP phone.

Answer:
1. Check PoE
2. Check VLAN
3. Change DHCP gateway with option 150
4. Check image file from TFTP server
Question 6
Console session is being closed by a network device; how can this be solved?
A. Apply exec-timeout 0 0 in line console 0
B. Modify exec-timeout in line vty 0 15
C. Change banner motd
Answer: A
Explanation
By default, an IOS device will disconnect a console or VTY user after 10 minutes of inactivity. You can specify a
different inactivity timer using the exec-timeout MINUTES SECONDS line mode command.
For example, to disconnect a console user after 90 seconds of inactivity, we can use the following command:
R1(config)#line con 0
R1(config-line)#exec-timeout 1 30
To prevent Telnet (or SSH) sessions from timing out, use the value of 0 (exec-timeout 0 0). Note that this disables the idle timeout entirely, so an unattended console or VTY session stays logged in indefinitely; outside a lab, prefer a short timeout instead.
Question 7
Which ACL entry allows SSH communication from one router to another?
A. 60 permit tcp host xxxx host yyyy eq 22
B. 50 permit tcp host xxxx host yyyy eq 21
C. ?
D. ?
Answer: A
Question 8
Why do clients frequently lose connection at the remote site? (Exhibit of a GRE tunnel and outputs from the devices)
A. recursive routing
B. static route
C. ACL
D. RIP summarization
Answer: A
Question 9 ***
When should uRPF be applied in loose mode for security reasons?
A. Asymmetric
B. PIMv2
Answer: A
Question 10 ***
Two switches are unable to negotiate a trunk with DTP; one switch uses a GigabitEthernet port, the other a FastEthernet port. Why?
A. Because of a speed issue
B. Different VTP domains
C. SWA has a FastEthernet port
D. Because of dynamic desirable mode
Answer: B
Question 11
Drag drop question about GRE tunnel. GRE tunnel is missing configuration between R1 and R2.

R1:
interface s0/0/0
ip address 10.1.1.1 255.255.255.0
interface tunnel0
ip address 192.168.1.1 255.255.255.0

R2:
interface s0/0/0
ip address 10.1.2.1 255.255.255.0
interface tunnel0
ip address 192.168.1.2 255.255.255.0

Which configuration will complete the configuration on R1 & R2? (Choose two)
A. R1
source 10.1.1.1
destination 10.1.2.1
B. R1
source 10.1.2.1
destination 10.1.1.1
C. R2
source 10.1.2.1
destination 10.1.1.1
D. R2
source 10.1.1.1
destination 10.1.2.1
Answer: A C
===================== Multiple-Choice Questions (updated on 27th-Sep-2019) ======================

Question 12
Refer to the statement.

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

How to correct it?


A. change the source IP of tu0
B. change the destination IP of tu0
C. add tunnel key
D. add static route to tu0 destination
Answer: D
Explanation
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the
generic routing encapsulation (GRE) tunnel router has discovered a recursive routing problem. This condition is usually
due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself
(recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network
So in this question the tunnel destination is being reached through the tunnel itself; adding a static route for the tunnel destination that points out the physical interface keeps that lookup off the tunnel and resolves the recursion.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-
flap.html
Question 13
A network contains a remote tunnel interface and firewalls in the network path of each router. An attempt to ping the IP
address of the remote tunnel interface fails. Which connections should be allowed through the firewalls?
A. port 47
B. port 50
C. TCP port 1723
D. IP protocol 47
Answer: D
Question 14
What is the output of “show crypto ipsec sa | in ident”? (The exhibit also shows the access-list with “permit gre any any”)

crypto ipsec transform-set AES256 ah-sha256-hmac


mode tunnel
!
crypto ipsec profile default
set transform-set AES256
!
crypto map GRE 10 ipsec-isakmp
set peer 209.165.201.2
set transform-set AES256
match address GRE
!
interface tunnel1
ip address 172.16.1.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 209.165.201.2
tunnel protection ipsec profile default
!
interface FastEthernet0/0
ip address 209.165.201.6 255.255.255.252
!
ip access-list extended GRE
permit gre any any

A. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/17/47)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/17/47)
B. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)
C. local ident(addr/mask/prot/port):(209.165.201.6/255.255.255.255/47/0)
remote ident(addr/mask/prot/port):(209.165.201.2/255.255.255.255/47/0)
D. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/47/0)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/47/0)
Answer: B
Explanation
The line “local ident (addr/mask/prot/port)” means local selector that is used for encryption and decryption.
The answer of this question is based on the ACL applied. Thanks Shaunthesheep for sharing this:
VPN Tunnel can be established using IPSec or IPSec+GRE. The configuration requires to define a Crypto map which
refers to an ACL for Interesting traffic or the traffic to be encrypted. Look for the values in the ACL. e.g.
1) permit gre any any —> Answer will be both local and remote ident address entries as 0 and 47 in the protocol field.
Like this :
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
2) Permit ip any any —> Answer will be both local and remote ident address entries as 0 and 0 in the protocol field.
Like this :
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
3) Permit ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255 —> Answer will be both local and remote ident address entries as in
ACL and 0 in the protocol field. Like this :
local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
Update: the reason every field is 0 here is that the crypto map GRE (and the ACL it references) is never applied to any interface in the exhibit. The tunnel runs in “tunnel mode ipsec ipv4” with “tunnel protection ipsec profile default”, that is, a static virtual tunnel interface (VTI), and a VTI negotiates any/any proxy identities regardless of any ACL, so both local and remote ident show 0.0.0.0/0.0.0.0/0/0.
Question 15
What should be the next step after the problem is solved?
A. document it
B. knowledge transfer
C. result analysis
D. create an action plan
Answer: A
Explanation
Cisco has broken this process into eight steps:
1. Define the problem.
2. Gather detailed information.
3. Consider probable cause for the failure.
4. Devise a plan to solve the problem.
5. Implement the plan.
6. Observe the results of the implementation.
7. Repeat the process if the plan does not resolve the problem.
8. Document the changes made to solve the problem.
Although some online documents (such as http://www.ciscopress.com/articles/article.asp?p=1578504&seqNum=2) do not mention step 8 (document the changes), this step is very important so that a repeated issue can be solved quickly in the future.
Question 16
This question has three routers (R1, R2, R3) connected R1 fa0/0 to R2 fa0/0 and R2 fa0/1 to R3 fa0/1, each with a loopback and an ACL. The loopback of R1 cannot ping the loopback of R3 (192.168.254.1/24). An ACL is configured on R3 that only permits 192.168.0.0 0.0.0.255. What change is needed so that R1 can ping the R3 loopback?
A.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.0.255
B.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.255.255
C.
ip access-list extended 101
no 100
Answer: B
(Modify the access-list: remove entry 30 and re-add it with the wildcard mask 0.0.255.255 so that every 192.168.x.x source is permitted)
Question 17
A topology with three routers R1, R2 and R3 connected to each other and a list of ACL statements to choose. The
question asks which sequence number prevented connection from R1 to R2 via SSH.

R1 Lo0: x:x::1
R2 Lo0: y:y::2
R3 Lo0: z:z::3
A.20 deny tcp x:x::/64 host y:y::2 eq 22
B. 30 permit host y:y::2 tcp x:x::/64 eq 22
C. 40 permit tcp x:x::/64 host y:y::2 eq 23

Answer: A
Question 18
Refer to the exhibit.

interface Serial0/1/0
ip address 10.12.13.3 255.255.255.0
ip verify unicast source reachable-via any
ip ospf 1 area 0
!
interface serial0/2/0
ip address 10.12.23.3 255.255.255.0
ip verify unicast source reachable-via any
ip ospf 1 area 0

R3#sh ip route
[output omitted]

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks


C 10.12.13.0/24 is directly connected, Serial0/1/0
L 10.12.13.3/32 is directly connected, Serial0/1/0
C 10.12.23.0/24 is directly connected, Serial0/2/0
L 10.12.23.3/32 is directly connected, Serial0/2/0
S 192.168.0.0/16 is directly connected, Null0
O 192.168.1.0/24 [110/65] via 10.12.13.1, 00:05:51, Serial0/1/0
O 192.168.2.0/24 [110/65] via 10.12.23.2, 00:05:51, Serial0/2/0
O 192.168.17.0/24 [110/65] via 10.12.23.2, 00:03:13, Serial0/2/0
O 192.168.27.0/24 [110/65] via 10.12.13.1, 00:04:14, Serial0/1/0

Which feature is required to enable Unicast reverse path forwarding?


A. access control list
B. Cisco express forwarding
C. virtual routing and forwarding
D. bidirectional forwarding detection
Answer: B
Question 19
Which command is used to check the SSH version?
A. show ip ssh
B. show crypto key mypubkey rsa
C. show ssh sessions
Answer: A
Explanation
“show ip ssh” reports whether the SSH server is enabled and which protocol version it runs (for example “SSH Enabled - version 2.0”), along with the authentication timeout and retry count. The per-session view, including the version each session negotiated, comes from “show ssh”:

R1# show ssh
Connection  Version  Encryption   Username  HMAC       Server Hostkey  IP Address
Inbound:
1           SSH-2    3des-cbc     Raymond   hmac-sha1  ssh-dss         10.120.54.2
Outbound:
6           SSH-2    aes256-cbc   Steve     hmac-sha1  ssh-dss         10.37.77.15
SSH-v2.0 enabled; hostkey: DSA(1024), RSA(2048)

Note that 3des-cbc and a 1024-bit DSA host key are legacy choices; prefer AES ciphers and an RSA host key of at least 2048 bits (“ip ssh version 2” with a 2048-bit or larger modulus from “crypto key generate rsa”).
Question 20 ***
Refer to the exhibit.

interface Tunnel0
description Tunnel to Main Office
ip address 192.168.1.1 255.255.255.252
tunnel source 209.165.200.225
tunnel destination 209.165.202.129
tunnel path-mtu-discovery

A remote office was recently connected to the main office by using a GRE tunnel. Path MTU Discovery (PMTUD) is enabled on the tunnel interface. End users at the remote office report issues accessing a file server in the main office. PMTUD is not working. What is the issue?

A. Local router MTU is 1500


B. Local router MTU is 1400
C. Router in the path has “no ip unreachables” configured
D. Router in path has ICMP Redirects enabled
Answer: C
Explanation
PMTUD depends on the router whose egress MTU is too small returning an ICMP Destination Unreachable, Fragmentation Needed (type 3, code 4) message for packets sent with the DF bit set. “no ip unreachables” on a router in the path suppresses that message, so the sender never learns to reduce its packet size and the large packets are silently dropped, which is why transfers to the file server fail while small packets still get through.
Question 21 ***
Topology with three switches connected to each other via Gi0/0 and Gi0/1. All interfaces are configured in VLAN 100 with voice VLAN 101. There is a duplex mismatch between two switches (one interface in full duplex while the opposite interface is in half duplex). Spanning tree is detecting a loop in the network. What is causing the loop?
A. duplex mismatch
B. speed mismatch
C. vlan missconfiguration
Answer: A
Explanation
A duplex mismatch is a configuration issue where one side of a link runs full duplex and the other half duplex. The full-duplex side transmits whenever it has a frame, so the half-duplex side sees collisions (including late collisions) and drops frames, BPDUs among them. If a port that should stay blocking misses BPDUs for the max-age interval, it assumes the upstream switch is gone, transitions to forwarding, and a bridging loop results.
Question 22
Which statement about the INTERNET ACL is true?
ipv6 access-list INTERNET
permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA::/64
permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA13::/64 eq telnet
permit tcp 2001:DB8:AD59:BA21::/64 any eq www
permit ipv6 2001:DB8:AD59::/48 any
deny ipv6 any any log
A. NDP is not working correctly because NS and NA messages are being denied
B. A packet with source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port 80 will be permitted
C. HTTPS traffic from the 2001:DB80:AD59:BA21::/64 subnet will automatically be permitted along with HTTP traffic
D. A packet with source address 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied
Answer: A
Explanation
Answer B and C are not correct as the IPv6 address 2001:DB80:AD59… is different from the IPv6 address
2001:DB8:AD59… (trailing 0 cannot be omitted).
Answer D is not correct as the source address of 2001:DB8:AD59:ACC0:2020:882:DB8:1125 matches the ACL
statement “permit ipv6 2001:DB8:AD59::/48 any” so it will be permitted.
Therefore only answer A is the suitable answer left.
For your information, by default an IPv6 ACL has three implicit statements at the end:
+ permit icmp any any nd-na
+ permit icmp any any nd-ns
+ deny ipv6 any any
The first two statements are required for IPv6 Neighbor Discovery, which is why IOS always appends them to an IPv6 ACL. In this case, however, the ACL ends with an explicit “deny ipv6 any any log”, which is matched before the implicit entries are ever reached, so the two ND permits must be typed just before that last statement or neighbor discovery traffic will be blocked.
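The following Python script is an added example, not part of the original question or its explanation. It evaluates the INTERNET ACL above, with the three implicit entries appended as IOS does, against constructed packets, and shows the ordering fix with the nd-ns/nd-na permits placed before the explicit deny. The Neighbor Solicitation packet, the destination addresses and the hardened ACL are assumptions made for illustration.

```python
"""Added example (not from the original page): evaluates the INTERNET IPv6 ACL from
Question 22 to show that an explicit 'deny ipv6 any any log' also blocks Neighbor
Discovery, and that the two nd-ns/nd-na permits have to precede it. All packets below
are constructed for illustration."""
import ipaddress

ND_TYPES = {"nd-ns": 135, "nd-na": 136}   # ICMPv6 Neighbor Solicitation / Advertisement
PORT_NAMES = {"telnet": 23, "www": 80}

# IOS appends these to every IPv6 ACL; they only matter if nothing above matches first.
IMPLICIT_TAIL = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]

def parse_entry(text):
    """'permit|deny <ipv6|tcp|icmp> <prefix|any> <prefix|any> [eq <port>] [nd-ns|nd-na] [log]'."""
    t = text.split()
    entry = {"text": text, "action": t[0], "proto": t[1],
             "src": None if t[2] == "any" else ipaddress.ip_network(t[2]),
             "dst": None if t[3] == "any" else ipaddress.ip_network(t[3]),
             "port": None, "icmp_type": None}
    rest, i = t[4:], 0
    while i < len(rest):
        if rest[i] == "eq":
            entry["port"] = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
            i += 2
        elif rest[i] in ND_TYPES:
            entry["icmp_type"] = ND_TYPES[rest[i]]
            i += 1
        elif rest[i] == "log":
            i += 1
        else:
            raise ValueError(f"unsupported keyword {rest[i]!r} in {text!r}")
    return entry

def evaluate(acl_lines, pkt):
    """First-match evaluation; returns (action, matched entry text).
    pkt keys: src, dst, proto ('tcp'|'udp'|'icmp'), optional dport and icmp_type."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for e in map(parse_entry, list(acl_lines) + IMPLICIT_TAIL):
        if e["proto"] != "ipv6" and e["proto"] != pkt["proto"]:
            continue
        if e["src"] is not None and src not in e["src"]:
            continue
        if e["dst"] is not None and dst not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != pkt.get("dport"):
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != pkt.get("icmp_type"):
            continue
        return e["action"], e["text"]
    raise AssertionError("unreachable: the implicit deny always matches")

# The ACL from Question 22, as written.
INTERNET = [
    "permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA::/64",
    "permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA13::/64 eq telnet",
    "permit tcp 2001:DB8:AD59:BA21::/64 any eq www",
    "permit ipv6 2001:DB8:AD59::/48 any",
    "deny ipv6 any any log",
]
# Same ACL with the ND permits placed before the explicit deny (the fix described above).
INTERNET_WITH_ND = INTERNET[:4] + [
    "permit icmp any any nd-ns",
    "permit icmp any any nd-na",
    "deny ipv6 any any log",
]

# Constructed packets: a Neighbor Solicitation and the addresses from answers B, C and D.
NS_PACKET = {"src": "fe80::1", "dst": "ff02::1:ff00:1", "proto": "icmp", "icmp_type": 135}
OPTION_B = {"src": "2001:DB80:AD59:BA21:101:CAB:64:38", "dst": "2001:db8:1::1", "proto": "tcp", "dport": 80}
OPTION_C = {"src": "2001:DB80:AD59:BA21::5", "dst": "2001:db8:1::1", "proto": "tcp", "dport": 443}
OPTION_C_DB8 = {"src": "2001:DB8:AD59:BA21::5", "dst": "2001:db8:1::1", "proto": "tcp", "dport": 443}
OPTION_D = {"src": "2001:DB8:AD59:ACC0:2020:882:DB8:1125", "dst": "2001:db8:1::1", "proto": "tcp", "dport": 443}

if __name__ == "__main__":
    print("NS with explicit deny:     ", evaluate(INTERNET, NS_PACKET))
    print("NS without explicit deny:  ", evaluate(INTERNET[:4], NS_PACKET))
    print("NS with ND permits first:  ", evaluate(INTERNET_WITH_ND, NS_PACKET))
    for name, pkt in (("B", OPTION_B), ("C", OPTION_C), ("C with DB8", OPTION_C_DB8), ("D", OPTION_D)):
        print(f"answer {name}:", evaluate(INTERNET, pkt))
```

Running it confirms the explanation: the Neighbor Solicitation hits the explicit deny, the 2001:DB80 addresses of answers B and C match nothing but the deny, and answer D is permitted by the /48 line. It also shows that HTTPS from the real 2001:DB8:AD59:BA21::/64 prefix would be permitted by that same /48 line, so answer C is wrong only because of the DB80 typo in its prefix.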
Question 23 ***
Refer to the exhibit.
R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.255.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.255.0

R1#show management-interface
Management interface GigabitEthernet0/2
        Protocol        Packets processed
        http            0
        https           10
Management interface GigabitEthernet0/3
        Protocol        Packets processed
        http            0
        ssh             10
        snmp            1110

R2#ssh -l admin 10.10.20.2


%Destination unreachable, gateway or host down

The organization has implemented Management Plane Protection. Headquarters has decided that FTP needs to be enabled
on all management ports. Which configuration context must be modified to accomplish this configuration?
A. Policy-map
B. Control-plane
C. Access-list
D. Class-map
Answer: B
====================New Multiple Choice Questions (updated on 4th-Aug-2019)=====================
Question 24
Which protocol can be added into MPP? (Choose two)
A. telnet
B. scp
C. tftp
D. smtp
Answer: A C
Explanation
Following are the management protocols that the MPP feature supports. These management protocols are also the only
protocols affected when MPP is enabled.
+ Blocks Extensible Exchange Protocol (BEEP)
+ FTP
+ HTTP
+ HTTPS
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html
Question 25 ***
An OSPF neighbor relationship is not forming. The exhibit shows DBD packets being retransmitted to the neighbor, and the debug shows the state going from Exstart to Down. What is the reason?
A. MTU mismatch
B. The router did not receive a Hello packet
C. OSPF is not running on the other router
D. The packet does not have RID
Answer: A
Explanation
After two OSPF neighboring routers establish bi-directional communication and complete DR/BDR election (on multi-
access networks), the routers transition to the exstart state. In this state, the neighboring routers establish a master/slave
relationship and determine the initial database descriptor (DBD) sequence number to use while exchanging DBD packets.
Neighbors Stuck in Exstart/Exchange State
The problem occurs most frequently when attempting to run OSPF between a Cisco router and another vendor’s router.
The problem occurs when the maximum transmission unit (MTU) settings for neighboring router interfaces don’t match.
If the router with the higher MTU sends a packet larger than the MTU set on the neighboring router, the neighboring
router ignores the packet.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-12.html
Question 26 ***
When troubleshoot a connection to a Point-to-Point Tunneling Protocol server behind a NAT router, which two filters
should be used to capture all traffic related to the Point-to-Point Tunneling Protocol? (Choose two)
A. UDP port 500
B. protocol ESP (or protocol 50)
C. TCP port 47
D. protocol 47
E. TCP port 1723
Answer: D E
Explanation
The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote
client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into
IP datagrams for transmission over the Internet or other public TCP/IP-based networks.
PPTP establishes a tunnel for each communicating PPTP network server (PNS)-PPTP Access Concentrator (PAC) pair.
After the tunnel is set up, PPP packets are exchanged using enhanced generic routing encapsulation (GRE). A call ID
present in the GRE header indicates the session to which a particular PPP packet belongs.
Network Address Translation (NAT) translates only the IP address and the port number of a PPTP message. Static and
dynamic NAT configurations work with PPTP without the requirement of the PPTP application layer gateway (ALG).
However, Port Address Translation (PAT) configuration requires the PPTP ALG to parse the PPTP header and facilitate
the translation of call IDs in PPTP control packets. NAT then parses the GRE header and translates call IDs for PPTP data
sessions. The PPTP ALG does not translate any embedded IP address in the PPTP payload. The PPTP ALG is enabled by
default when NAT is configured.
NAT recognizes PPTP packets that arrive on the default TCP port, 1723, and invokes the PPTP ALG to parse control
packets. NAT translates the call ID parsed by the PPTP ALG by assigning a global address or port number. Based on the
client and server call IDs, NAT creates two doors based on the request of the PPTP ALG. ( A door is created when there
is insufficient information to create a complete NAT-session entry. A door contains information about the source IP
address and the destination IP address and port.) Two NAT sessions are created (one with the server call ID and the other
with the client call ID) for two-way data communication between the client and server. NAT translates the GRE packet
header for data packets that complies with RFC 2637.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book/iadnat-
pptp-pat.html
Question 27
The user was able to access the router via a VTY line five minutes ago, but can no longer log in now. Nothing has changed in the network. What is the issue?
A. exec-timeout 0 0
B. the VTY lines are at capacity
C. SSH is not configured
D. Console line is in use by someone else
Answer: B
Question 28
Drag drop question about debug commands.

Answer:
Debug condition standby -> display debug messages related to HSRP
Debug condition glbp -> displays debug messages from virtual MAC address 0007.b400.0101
Debug aaa authentication -> displays debug messages related to determine the users’ identity
Debug aaa authorization -> displays debug messages related to determine the users’ permissions
Question 29 ***
The command “ip verify unicast source reachable-via any” is configured on the interface. The router receives a packet with source IP address 172.16.100.10. The routing table shows a valid route to 172.16.100.0/24 learned via OSPF, and there is a static route for 172.16.0.0/16 to Null0.
What does the router do with that packet?
A. The packet is dropped
B. The packet is allowed to route to the destination
Answer: B
Explanation
Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it matches with the
interface used to reach this source IP then the packets are allowed to enter (strict mode).
The syntax of configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables a Loose Mode uRPF on the router. This mode allows the router to reach the source address via
any interface.
The rx option enables Strict Mode uRPF on the router. This mode ensures that the router reaches the source address only via the interface on which the packet was received.
In this case the router is configured in loose mode. The longest match for 172.16.100.10 is the OSPF-learned 172.16.100.0/24, not the 172.16.0.0/16 route to Null0, so the source is reachable and the packet is forwarded. Had the best match been the Null0 route, loose-mode uRPF would have dropped the packet; that behaviour is what source-based remotely triggered black hole filtering relies on.
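The following Python script is an added example, not part of the original page. It models the two routing-table decisions discussed in Question 12 (a GRE tunnel destination that is reached through the tunnel itself, the %TUN-5-RECURDOWN case, and the static-route fix) and in Question 29 (uRPF in rx and any mode, including the Null0 and allow-default cases). The routing tables, interface names and source addresses in it are constructed for illustration.

```python
"""Added example (not from the original page): longest-prefix routing lookups that decide
two things discussed above: whether a GRE tunnel destination is recursive (Question 12)
and whether uRPF in rx/any mode passes a source address (Question 29). Routes, interfaces
and addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # egress interface, e.g. "Serial0/2/0", "Tunnel0" or "Null0"

def net(s):
    return ipaddress.ip_network(s)

def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match over the table, as the RIB/CEF does; None when no route exists."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def tunnel_is_recursive(table, tunnel_if, tunnel_dst) -> bool:
    """%TUN-5-RECURDOWN condition: the best route to the tunnel's own destination
    leaves through the tunnel interface itself."""
    best = lookup(table, tunnel_dst)
    return best is not None and best.interface == tunnel_if

def urpf_passes(table, in_if, src, mode="rx", allow_default=False) -> bool:
    """Models 'ip verify unicast source reachable-via {rx|any} [allow-default]'.
    rx (strict): the best route to the source must point back out the receiving interface.
    any (loose): any route will do, except one to Null0, which is what makes
                 source-based remotely triggered black holing work.
    A default route only satisfies the check when allow-default is configured."""
    best = lookup(table, src)
    if best is None:
        return False
    if best.prefix.prefixlen == 0 and not allow_default:
        return False
    if best.interface == "Null0":
        return False
    return best.interface == in_if if mode == "rx" else True

# Constructed table for Question 29: OSPF /24, a static /16 to Null0 and a default route.
Q29_TABLE = [
    Route(net("172.16.0.0/16"), "Null0"),
    Route(net("172.16.100.0/24"), "Serial0/2/0"),
    Route(net("0.0.0.0/0"), "GigabitEthernet0/0"),
]

# Constructed table for Question 12: the tunnel destination 10.1.2.1 is being learned
# through Tunnel0 itself (for example by a routing protocol running over the tunnel).
RECURSIVE_TABLE = [
    Route(net("10.1.2.0/24"), "Tunnel0"),
    Route(net("0.0.0.0/0"), "Serial0/0/0"),
]
# The fix from Question 12: 'ip route 10.1.2.1 255.255.255.255 Serial0/0/0', a host route
# for the tunnel destination via the physical path, which wins on prefix length.
FIXED_TABLE = RECURSIVE_TABLE + [Route(net("10.1.2.1/32"), "Serial0/0/0")]

if __name__ == "__main__":
    print("Tunnel0 recursive before fix:", tunnel_is_recursive(RECURSIVE_TABLE, "Tunnel0", "10.1.2.1"))
    print("Tunnel0 recursive after fix: ", tunnel_is_recursive(FIXED_TABLE, "Tunnel0", "10.1.2.1"))
    for src in ("172.16.100.10", "172.16.5.5", "8.8.8.8"):
        print(src, "loose:", urpf_passes(Q29_TABLE, "Serial0/1/0", src, mode="any"),
              "strict on Serial0/1/0:", urpf_passes(Q29_TABLE, "Serial0/1/0", src, mode="rx"))
```

For 172.16.100.10 the loose check passes (the /24 via Serial0/2/0 wins over the Null0 /16) while the strict check on Serial0/1/0 fails, because the return path is Serial0/2/0; 172.16.5.5 falls into the Null0 /16 and is dropped even in loose mode, and 8.8.8.8 passes only with allow-default.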
Question 30
After applying below config on one router, OTHER router started showing authentication errors (you will see output log
with errors).
Applied configuration:
Standby group 100
Standby 100 vip 172.x.x.x
Standby 100 md5 authentication cisco123!
What is likely the cause?
A. Configure “standby 100 authentication md5 key-string cisco123!” on both routers
B. Configure “standby 100 authentication text cisco123!” on both routers
C. Configure the aaa authentication login default group standby enable command
D. Configure the aaa authentication login default group 100 enable command
Answer: A
Question 31
A router shows high CPU utilization. How do you display only the lines of “show proc cpu” output that include a process name or begin with CPU?
A. show proc cpu | include process_name | begin CPU
B. show proc cpu | include process_name |$CPU
C. show xxx | include process_name |^CPU
Answer: C
Explanation
The text after the pipe is a regular expression: ^ anchors the pattern to the start of a line, $ anchors it to the end, and | separates alternatives. “include process_name|^CPU” therefore prints every line that contains the process name plus the header line that begins “CPU utilization for five seconds …”. Answer B uses $CPU, which would require a line to end immediately before “CPU”; nothing in the output matches that, so only the ^CPU filter displays the header line and answer C is correct.
Question 32
Someone changed the password of a router and saved the configuration, but then forgot the password and can no longer access the router. Which action is needed to solve the issue?
A. Change configuration register to 0x2102
B. Change configuration register to 0x2142
C. Reboot the router
Answer: B
Explanation
With the value 0x2142, the device bypasses the startup configuration stored in NVRAM during its boot sequence.
0x2102 boots normally and loads the saved configuration.
0x2142 boots without loading the configuration, after which the saved configuration can be viewed or edited (for password recovery, for example) before the register is set back to 0x2102.

Question 33
Refer to the exhibit about GRE tunnel0 interface:

R1#show ip interface brief


Interface IP-Address OK? Method Status Protocol
...
Tunnel0 unassigned YES manual up down

What is required to bring up a point-to-point tunnel?


A. assign IP to the tunnel interface
B. define tunnel source and destination IP
C. apply no shut command to Tunnel0
Answer: B
Explanation
For a point-to-point GRE tunnel interface to reach the up/up state, two requirements must be met:
+ A tunnel source that is itself up/up and has an IP address configured, and a tunnel destination, must both be configured
+ The tunnel destination must be routable (present in the routing table). It does not, however, have to be reachable.
Question 34 ***
Router L ==== Router C ==== Router R
The L and R routers show GRE and IPsec configurations. An ACL applied on router C is blocking all IP traffic. Which protocol should be allowed in the ACL so the traffic can flow?
A. ESP
B. GRE
C. ICMP
D. UDP
Answer: D
Explanation
GRE with IPSec traffic will be encrypted/encapsulated inside an ESP packet. ESP packet, in turn, will be encapsulated
inside a UDP port 500 (or UDP port 4500 in case of NAT) datagram.
Therefore, we have to permit UDP port 500/4500 on the middle routers so that GRE with IPSec traffic can flow through.
Question 35
Refer to the exhibit.

There is an ACL with a time-range entry, but the question is about a ping from interface eth0/0 to a host at 172.16.10.100 that fails. The ACL is applied inbound on the router interface. Which ACL line must be added so that a ping from the local router to the server 172.16.10.100 succeeds?
A. access-list 101 permit icmp host 172.16.10.100 10.1.1.0 0.0.0.15
B. access-list 101 permit icmp host 172.16.10.100 10.1.1.x 0.0.0.3
C. access-list 101 permit icmp 10.1.1.0 0.0.0.15 172.16.10.100 0.0.0.255
D. access-list 101 permit icmp 10.1.1.0 0.0.0.255 host 172.16.10.100
E. access-list 101 permit icmp host 172.16.10.100 10.1.1.0 0.0.0.31
Answer: E
Explanation
This ACL was applied to the inbound direction of e0/0 interface so we need to permit the ICMP reply packet to go
through. Therefore, the source IP address must be the server IP address and the destination IP address range must cover
the e0/0 interface IP address. In this case only answer E with the destination wildcard mask of 0.0.0.31 covers 10.1.1.25
so it is the correct answer. Notice that answer A has similar solution but its wildcard mask of 0.0.0.15 does not cover
10.1.1.25.
==================== New Multiple-Choice Questions (updated on 3rd-Jun-2019) ====================

Question 36 ***
Drag drop question about IPSec.

Answer:
+ show crypto isakmp sa detail: Verify the current SA lifetime and the time for next renegotiation
+ show crypto ipsec sa peer: Verify traffic flows in only one direction
+ show ip eigrp neighbor: Verify that routing protocol neighbor is established
+ debug crypto isakmp: Verify that the spoke router is sending udp 500 packet
Explanation
1. “show crypto isakmp sa detail” lists each IKE SA together with its remaining lifetime, so the current SA lifetime and the time until the next renegotiation can be read directly from it.
2. Verify whether the traffic flows in only one direction
The VPN tunnel between the spoke routers is up but unable to pass data traffic. Compare the “show crypto ipsec sa peer” output on both spokes.
There are no decaps on Spoke1, which means that ESP packets are dropped somewhere on the return path from Spoke2 towards Spoke1.
Spoke2 shows both encaps and decaps, which means that the ESP traffic is filtered before it reaches Spoke1. This may happen at the ISP on Spoke2’s side or at any firewall in the path between the Spoke2 and Spoke1 routers. After ESP (IP protocol 50) is allowed, the encaps and decaps counters increment on both Spoke1 and Spoke2.
Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html#verifyonedirection
4. Further, check “debug crypto isakmp” to verify that the spoke router is sending UDP 500 packets.
The referenced debug output shows the spoke router sending a UDP 500 packet every 10 seconds.
Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-
troubleshoot-00.html
Question 37
Refer to the exhibit. Which hashing method is being used for the enable secret?

A. sha1
B. sha256
C. scrypt
D. md5
Answer: B
Explanation
To determine which scheme protects a specific password, check the digit that precedes the stored string in the configuration file. If that digit is 7, the password is obfuscated with the weak, reversible Type 7 algorithm and can be recovered by anyone who can read the configuration. If the digit is 5, the password has been hashed with salted MD5, which is stronger but no longer recommended.
Note:
+ Type 4: SHA-256, unsalted single pass (deprecated)
+ Type 5: MD5
+ Type 8: PBKDF2 with SHA-256
+ Type 9: scrypt
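The following Python script is an added example, not from the original page. It classifies IOS password lines by their type digit and reverses a Type 7 string to show why that scheme counts as weak. The configuration lines are constructed (the $8$, $9$ and $1$ bodies are placeholders, not real hashes); “02050D480809” is the well-known Type 7 encoding of “cisco”.

```python
"""Added example (not from the original page): classifies IOS password lines by the
type digit explained above and reverses Type 7 to show why it is called weak. The
config lines are constructed; '02050D480809' is the well-known Type 7 encoding of 'cisco'."""
import re

TYPE_NAMES = {
    "0": "cleartext",
    "4": "SHA-256, unsalted single pass (deprecated)",
    "5": "MD5 (salted, iterated crypt)",
    "7": "reversible XOR obfuscation",
    "8": "PBKDF2-SHA256",
    "9": "scrypt",
}
WEAK_TYPES = {"0", "4", "5", "7"}

# Fixed key IOS XORs against; the first two digits of a Type 7 string are the offset into it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

LINE_RE = re.compile(r"\b(?:secret|password)\s+(\d)\s+(\S+)")

def classify(line):
    """Return (type_digit, scheme_name, stored_string), or None for lines without a typed password."""
    m = LINE_RE.search(line)
    if not m:
        return None
    digit, stored = m.groups()
    return digit, TYPE_NAMES.get(digit, "unknown"), stored

def type7_decode(encoded):
    """Reverse a Type 7 string: two-digit seed, then hex bytes XORed with the rolling key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))

def type7_encode(plain, seed=2):
    """Forward direction, included so the round trip can be checked."""
    out = "".join(f"{ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{out}"

def audit(config_lines):
    """List (line, digit, note) for every password that is not Type 8 or 9; Type 7 is decoded in place."""
    findings = []
    for line in config_lines:
        c = classify(line)
        if c is None or c[0] not in WEAK_TYPES:
            continue
        digit, scheme, stored = c
        note = f"decodes to {type7_decode(stored)!r}" if digit == "7" else scheme
        findings.append((line, digit, note))
    return findings

# Constructed running-config fragment (hash bodies are placeholders, not real hashes).
SAMPLE_CONFIG = [
    "enable secret 8 $8$placeholder",
    "username admin secret 9 $9$placeholder",
    "username legacy password 7 02050D480809",
    "enable secret 5 $1$placeholder",
]

if __name__ == "__main__":
    for line, digit, note in audit(SAMPLE_CONFIG):
        print(f"type {digit}: {line}  ->  {note}")
```

The audit reports only the Type 7 and Type 5 lines; the Type 7 one is printed with its recovered cleartext, which is exactly why “service password-encryption” protects against shoulder surfing and nothing more. Type 8 and Type 9 secrets pass the audit.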
Question 38 ***
Refer to the exhibit. PCB could not ping PCA. The admin has logged into each switch, starting from SW1 and ending
with SW2 and has examined the links between each. Which troubleshooting method has been used?

A. top down
B. follow the path
C. bottom up
D. divide and conquer
Answer: B
Question 39 ***
Drag drop question about GRE characteristics (Overlay and Underlay Network).

Answer:
Overlay network:
+ de-encapsulates the tunnel header before routing
+ Virtual tunnel network
Underlay network:
+ Physical network
+ MTU must be increased to avoid fragmentation
Unused option: Must use IPv6 as the Layer 3 protocol
Explanation
The core routers are known as the underlay network. This is responsible for taking GRE packets and transporting them
from one side of the network to the other. The tunnel itself is the overlay network. Packets passing through the overlay
network are unaware of the routers in the underlay.
Question 40 ***
Drag the GRE tunnel state from the left onto the correct description on the right.

Answer:
Match the various tunnel states to the corresponding description.
Up/up ----------------- traffic is flowing across the tunnel
Up/down ------------- the shutdown command has been issued on the physical interface
Down/down --------- the shutdown command has been issued on the tunnel interface
Reset/down ----------- transient state where the next hop server is its own ip address
Explanation
Four Different Tunnel States
There are four possible states in which a GRE tunnel interface can be:
+ Up/up – This implies that the tunnel is fully functional and passes traffic. It is both administratively up and its protocol is up as well.
+ Administratively down/down – This implies that the interface has been administratively shut down.
+ Up/down – This implies that, even though the tunnel is administratively up, something causes the line protocol on the
interface to be down.
+ Reset/down – This is usually a transient state when the tunnel is reset by software. This usually happens when the
tunnel is misconfigured with a Next Hop Server (NHS) that is its own IP address.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-
00.html
Question 41 ***
Refer to the exhibit.

User tries to connect to line vty 0 with username Cisco and password “Cisco123” while TACACS server is
unreachable. What happens?
A. The user will be authenticated after the TACACS server fallback timer expires
B. The user will not be authenticated because the username is incorrect
C. The user will not be authenticated because the TACACS server is unreachable
D. The user will not be authenticated because the password is incorrect
Answer: D
Explanation
With this configuration, when the user connects to line vty 0 the line password (which is “CiscoCisco”) must be used to authenticate. The TACACS server would never be consulted unless the “login authentication LOCAL-VTY” statement is removed, in which case the first aaa command, “aaa authentication login default group tacacs+ local-case line”, would apply to every VTY, console and AUX line because it defines the “default” method list.
Question 42 ***
Refer to the exhibit.
username cisco password 123456
aaa authentication login default local-case
The client tries to connect with this command: ssh -l Cisco 123456. Why can he not log in?
A. bad password
B. bad username
C. ?
D. ?
Answer: B
Explanation
The keyword “local-case” makes the username lookup case-sensitive. The local database holds “cisco” but the client
sends “Cisco”, so no user is found and the login fails before the password is even compared (with plain “local” the
lookup is case-insensitive; passwords are always case-sensitive).
Question 43 ***
Refer to the exhibit. Why can’t a user SCP to a server at 172.16.1.200 on Monday at 11:00 pm?

A. the ACL “time-range” blocks the traffic


B. SCP is denied by ACL deny tcp any any eq 21
C. The ACL deny ip any any blocks the traffic
D. SCP is denied by ACL deny tcp any any eq 23
Answer: C
Explanation
The user cannot reach the server on Monday at 11pm for two reasons:
+ First, the only permit entry, “access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh time-range
TIME”, is inactive outside the TIME window (access is allowed only from 6am to 6pm), so the packet is checked against the
remaining entries instead of being permitted.
+ Second, none of the following entries matches it (the “eq 21” and “eq 23” lines are for FTP and Telnet, not port 22), so
the last statement, “deny ip any any”, drops it.
So the last line of the ACL is where the SCP traffic is dropped. A quick check on the router is “show access-lists 101”,
which marks a time-range entry as (active) or (inactive) and shows the hit count per line.
Note: SCP runs over TCP port 22 by default; it is carried inside an SSH (secure shell) connection.
Question 44 ***
Drag and drop Windows and Cisco commands on the left to the corresponding description on the right.
Answer:
+ C:> tracert [IP address]: uses path verification from the endpoint to the destination that is unreachable
+ C:> ping [IP address]: identifies gateway reachability from an endpoint that is experiencing the issue
+ Router# traceroute [IP address]: uses path verification from the network device where the endpoint is connected
+ Router# ping [IP address]: identifies host reachability status from the closest network device where the problem exists
Question 45
Which troubleshooting method is used for a DHCP problem?
A. top down
B. follow the path
C. bottom up
D. divide and conquer
Answer: C
Explanation
Let’s assume that you are researching a problem of a user that cannot browse a particular website and while you are
verifying the problem, you find that the user’s workstation is not even able to obtain an IP address through the DHCP
process. In this situation it is reasonable to suspect lower layers of the OSI model and take a bottom-up troubleshooting
approach.
Reference: http://www.ciscopress.com/articles/article.asp?p=2273070&seqNum=2
Question 46
Which troubleshooting method is used for a spanning-tree problem?
A. top down
B. follow the path
C. bottom up
D. divide and conquer
Answer: B
Question 47
Refer to the exhibit.

C:> Tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops


1 1ms 1ms 1ms 192.168.100.1
2 3ms 2ms 3ms 172.16.10.200
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.

What is the next step to troubleshoot the issue?


A. Verify HQ Router and Firewall are in the same VLAN
B. traceroute to the WAN IP address of HQ
C. Ping the LAN IP address of the HQ router
D. Check MTU between BR and HQ
Answer: A
Explanation
The last hop that answers is 172.16.10.200, the inbound interface of the HQ router; every hop beyond it times out, so
the problem lies between HQ and the firewall. Answer A is the best choice here.
Question 48
Refer to the exhibit.

R2#ssh -l admin 10.10.20.2


%Destination unreachable, gateway or host down
A company is implementing Management Plane Protection (MPP) on its network. The team needs to copy the
configuration of Router A via CLI encrypted transport. Which interface must the team use?
A. GigabitEthernet0/2
B. mgmt0
C. con0
D. GigabitEthernet0/3
Answer: D
Explanation
Management Plane Protection restricts management traffic (SSH, Telnet, SNMP, HTTP and so on) to the interfaces named
under “control-plane host” with “management-interface <interface> allow <protocols>”; every other interface drops it.
The SSH attempt to 10.10.20.2 (Gi0/2 of R1) fails for that reason, so the team must connect to the designated
management interface, Gi0/3. “show management-interface” on R1 lists the allowed interfaces and protocols.
Question 49
Refer to the exhibit. The traceroute fails from R1 to R3.What is the cause of the failure?

R1#traceroute 3.3.3.3

1 10.10.10.2 18msec
2 10.10.10.5 !A

!A
A. Redistribution of connected routes into OSPF is not configured
B. An ACL applied inbound on fa0/1 of R3 is dropping the traffic
C. An ACL applied inbound on loopback0 of R2 is dropping the traffic
D. The loopback on R3 is in a shutdown state
Answer: B
Explanation
!A is the response that indicates that a reply of “Administratively Prohibited” (ICMP type 3, code 13) was received.
This is the result when the traceroute is denied by an access list.
Note: The OSPF process ID is only locally significant, but R2 is running two different OSPF processes (#1 and #2), so
they should be redistributed into each other like this:
router ospf 1
redistribute ospf 2 subnets
router ospf 2
redistribute ospf 1 subnets
But that is not the problem here.
Question 50 ***
Which scenario causes a GRE tunnel interface to be in an up/down state?
A. There is no route to the tunnel destination address
B. The tunnel source and destination addresses are in different subnets
C. The subnet masks on the tunnel interfaces do not match
D. The route to the tunnel destination address is not routed through the tunnel
Answer: A
Explanation
Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
– There is no route, which includes the default route, to the tunnel destination address.
– The interface that anchors the tunnel source is down.
– The route to the tunnel destination address is through the tunnel itself, which results in recursion.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-
00.html
===================== Multiple-Choice Questions (updated on 21st-Apr-2019) ======================

Question 51 ***
Which of the following features allows a router to install a floating route in its routing table when the GRE tunnel is
disrupted?
A. tracking objects
B. IP SLA
C. ?
D. GRE keepalive
Answer: D
Explanation
GRE tunnels are designed to be completely stateless. This means that each tunnel endpoint does not keep any information
about the state or availability of the remote tunnel endpoint. A consequence of this is that the local tunnel endpoint router
does not have the ability to bring the line protocol of the GRE Tunnel interface down if the remote end of the tunnel is
unreachable. The ability to mark an interface as down when the remote end of the link is not available is used in order to
remove any routes (specifically static routes) in the routing table that use that interface as the outbound interface.
Specifically, if the line protocol for an interface is changed to down, then any static routes that point out that interface are
removed from the routing table. This allows for the installation of an alternate (floating) static route or for Policy Based
Routing (PBR) in order to select an alternate next-hop or interface.
Normally, a GRE Tunnel interface comes up as soon as it is configured and it stays up as long as there is a valid tunnel
source address or interface which is up. The tunnel destination IP address must also be routable. This is true even if the
other side of the tunnel has not been configured. This means that a static route or PBR forwarding of packets via the GRE
tunnel interface remains in effect even though the GRE tunnel packets do not reach the other end of the tunnel.
Before GRE keepalives were implemented, there were only ways to determine local issues on the router and no way to
determine problems in the intervening network. For example, the case in which the GRE tunnelled packets are
successfully forwarded, but are lost before they reach the other end of the tunnel. Such scenarios would cause data
packets that go through the GRE tunnel to be “black holed”, even though an alternate route that uses PBR or a floating
static route via another interface might be available. Keepalives on the GRE tunnel interface are used in order to solve this
issue in the same way as keepalives are used on physical interfaces.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-
00.html
Question 52
Refer to the exhibit.

Which two routing protocols are permitted by the ACL above? (Choose two)
A. BGP
B. OSPF
C. EIGRP
D. GRE
E. NSE (something like that)
Answer: A B
Explanation
BGP runs on TCP port 179, and the ACL statements “access-list 101 permit tcp any 10.1.1.1 eq 179” and “access-list 101
permit tcp any eq 179 any” let both directions of the BGP session through.
OSPF does not use TCP or UDP; it is IP protocol number 89, so the first ACL statement “permit 89 any any” is the same as
“permit ospf any any” -> Answer B is correct.
EIGRP likewise runs directly over IP, as protocol number 88. No line in the ACL covers it, so it is dropped by the implicit
“deny all” at the end of the ACL -> Answer C is not correct.
GRE is allowed by the “access-list 101 permit gre any any” statement, but GRE is an encapsulation, not a routing protocol,
so it is not a valid option for this question.
Note: Keep in mind that there is a big difference between a port number and a protocol number. In an ACL the number
after the keyword “eq” (equal) is a TCP or UDP port, while the number (or keyword) right after permit/deny is an IP
protocol: ICMP is 1, TCP is 6, UDP is 17, GRE is 47, EIGRP is 88 and OSPF is 89. The keyword “ip” matches any protocol
(protocol number 4 is IP-in-IP encapsulation, not “ip” itself).

Question 53
Refer to the exhibit.
R2#ssh -l admin 10.10.20.2
%Destination unreachable, gateway or host down
A company is implementing Management Plane Protection (MPP) on its network. Which of the following commands
allows R2 successfully connect to R1 via SSH?
A. ssh -p 22 -l admin 10.10.30.2
B. ssh -v 2 -l admin 10.10.30.2
C. ssh -p 22 -l admin 10.10.20.2
D. ssh -v 2 -l admin 10.10.20.2
Answer: B
Explanation
The IOS SSH client is invoked as “ssh [-v 1|2] [-l user] [-p port] host”. The failed attempt targeted 10.10.20.2, which
is Gi0/2 of R1; with MPP configured, R1 only accepts SSH on its designated management interface, Gi0/3 (10.10.30.2),
so the session has to be opened to 10.10.30.2 (answer B); “-v 2” simply forces SSH version 2.

Question 54
Section 1
R1#debug ip ospf hello

Section 2
R1#
Debugging is
Condition 1 – username
Condition 2 – int g0/2
Section 3
R1#debug ip ospf hello

Which of the following commands results in the Section 2 of the output above?
A.
R#debug condition username
R#debug condition interface g0/2
B.
R#debug condition interface g0/2
R#debug condition username
C.
R(conf)# debug condition username
R(conf)#debug condition interface g0/2
D.
R(conf)#debug condition interface g0/2
R(conf)# debug condition username
Answer: A
Explanation
The “debug condition” command is issued in privileged EXEC mode, not in global configuration mode, which rules out C
and D. Conditions are numbered in the order they are entered, so to get “condition 1 – username” and “condition 2 –
int g0/2” the username condition must be set first (answer A).
Question 55
Two hosts (PC A & PC B) in the same subnet (IP addresses 10.10.10.10 & 10.10.10.30, both /24) connected to Layer 2
switches each (using ports g0/5). The layer 2 switches connect to other switches which connects to a Multilayer (L3)
switch.

What is the reason PC A cannot reach PC B?


A. IP routing is not enabled in the L3 switch
B. Interfaces g0/5 of the switches are in different VLANs
C. PC A and PC B are in different subnets
D. Interfaces Gi0/1 and Gi0/2 are not in an Etherchannel port
Answer: B
Explanation
Assuming all the related ports are in the up/up state, there are only two reasons why PC A and PC B cannot communicate:
+ The two PCs are placed in different VLANs (here on the g0/5 access ports)
+ The ports on the L3 switch facing the two Layer 2 switches are routed ports (“no switchport”), so the VLAN does not
extend across it
Question 56 ***
Refer to the exhibit

R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
2 permit ip host xxxx host xxxxx
3 permit ip host xxxx host xxxxx
4 permit ip host xxxx host xxxxx
5 permit ip host xxxx host xxxxx
6 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
8 permit ip host xxxx host xxxxx
9 permit ip host xxxx host xxxx
Which of the following commands inserts five additional lines to the ACL Entry Sequence between lines 3 and 4 without
changing the existing configuration?

A. R(conf)# ip access-list resequence Super_User 1 6


B. R(conf)# ip access-list resequence Super_User 1 5
C. R(conf-nacl)# ip access-list resequence Super_User 1 6
D. R(conf-nacl)# ip access-list resequence Super_User 1 5
Answer: A
Explanation
The command “ip access-list resequence access-list-name starting-sequence-number increment” (for example
“Router(config)# ip access-list resequence Super_User 1 6”) renumbers the “Super_User” ACL, giving the first entry the
starting sequence number (1) and adding the increment (6) for each following entry. It is a global configuration command,
not an ACL sub-mode command, which rules out C and D. After this command the “Super_User” ACL will look like this:

R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
13 permit ip host xxxx host xxxxx
19 permit ip host xxxx host xxxxx
25 permit ip host xxxx host xxxxx
31 permit ip host xxxx host xxxxx
37 permit ip host xxxx host xxxxx
43 permit ip host xxxx host xxxxx
49 permit ip host xxxx host xxxx

With an increment of 6, five sequence numbers (14 to 18) are free between what used to be lines 3 and 4 (now 13 and 19),
which is exactly the room asked for; an increment of 5 would leave only four (12 to 15).

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-
book/sec-acl-seq-num.html
Question 57
An engineer performed a router upgrade. After an unexpected reboot, the router loaded with the old IOS version instead
of the new one. What is the problem?
A. The configuration register is set to 0x2103
B. The old IOS image is corrupted
C. The new IOS image is corrupted
D. The boot loader is not present
Answer: D
Question 58
An exhibit with output of BGP debug
%TCP-6-….: Active to Idle

%TCP-6-BADAUTH: No MD5 digest from 192.168.1.1(179) to 192.168.4.1(45577) tabled-0
%TCP-6-BADAUTH: No MD5 digest from 192.168.4.1(179) to 192.168.1.1(45577) tabled-0
Why are the two routers not forming BGP neighborship?
A. Mismatched BGP authentication
B. Mismatched BGP Autonomous System numbers
C. Mismatched Hello and Hold timer
D. Mismatched BGP peer-group
Answer: A
Explanation
“%TCP-6-BADAUTH: No MD5 digest from ...” is logged when the local router expects TCP MD5 authentication (“neighbor x.x.x.x
password ...”) but the segment it received carries no MD5 option, i.e. the password is configured on one side only. If
both sides were configured with different passwords the message would read “Invalid MD5 digest” instead. Either way the
TCP session never opens, so the BGP state cycles between Active and Idle. Compare the neighbor password on both routers
(“show run | section router bgp”) and make sure no NAT device in the path rewrites the TCP header, which also
invalidates the digest.
Question 59 ***
An exhibit that displays the outputs of show interface tunnel0 for two routers. Tunnel 0 is up/up on one router and
up/down on the other router.
Which of the following commands can quickly show the cause of the up/down state of Tunnel0 on the second router?
A. show ip interface brief
B. sh ip protocols (or something else)
C. show ip route
D. show ip gre
Answer: C
Question 60
A hub and spoke topology consisting of some routers and switches. Host A is attached to the spoke network and Host B is
attached to the hub network. There is a set of commands beside the topology:

Client A cannot reach client B while other Spokes can reach client B. What command in the configuration is the cause of
the problem?
A. ip nhrp network-id 12345
B. tunnel source e0/1
C. ip nhrp shortcut
D. tunnel mode gre multipoint
Answer: B
Note: In the exam, also check the NHRP/NBMA addresses in the exhibit; the spoke must use the interface that actually
reaches the hub as its tunnel source. Read more about DMVPN and NHRP
at https://www.digitaltut.com/dmvpn-tutorial
Question 61 ***
Drag the GRE tunnel state from the left onto the correct description on the right.
Answer:
Match the various tunnel states to the corresponding description.
Up/up ————– tunnel is up and functional
Up/down ———- tunnel is up but not passing traffic
Administratively Down/down —— tunnel is administratively shutdown (shutdown by configuration or an administrator)
Reset/up ———- tunnel is in a transient reset state (probably described as “misconfigured with a Next Hop Server (NHS) that is its own IP address”)
Explanation
Four Different Tunnel States
There are four possible states in which a GRE tunnel interface can be:
+ Up/up – This implies that the tunnel is fully functional and passes traffic. It is both administratively up and its line
protocol is up as well.
+ Administratively down/down – This implies that the interface has been administratively shut down.
+ Up/down – This implies that, even though the tunnel is administratively up, something causes the line protocol on the
interface to be down.
+ Reset/down – This is usually a transient state when the tunnel is reset by software. This usually happens when the
tunnel is misconfigured with a Next Hop Server (NHS) that is its own IP address.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-
00.html
Question 62
Refer to the exhibit.

enable secret 8 8asdknkjajf89nklasdnflkjajnslkdf


username cisco privilege 15 password 7 8273872397892
no aaa new-model
line vty 0 4
login local

Which reversible encryption method is used?

A. SNMP
B. Local authentication
C. Enable
D. VTY
Answer: B
Explanation
The local user account is stored with “password 7”, the type 7 (Vigenère-based) encoding that any online decoder
reverses instantly; that is the reversible method, and it is the one used for local authentication (“login local” on the
VTY lines). “enable secret 8” is a PBKDF2-SHA-256 hash and cannot be reversed. Replace the type 7 credential with a hashed
one, for example “username cisco privilege 15 algorithm-type scrypt secret <password>”, and do not rely on “service
password-encryption” as a security control, since it only produces type 7.
=================== New Multiple-Choice Questions (updated on 10th-Mar-2019) ====================

Question 63 ***
Which statements about uRPF are true? (Choose two)
A. CEF should be enabled
B. CEF should be disabled
C. Packet with source 0.0.0.0 destination 255.255.255.255 will be permitted
D. Packet with source 0.0.0.0 destination 255.255.255.255 will be denied
E. ?
Answer: A C
Explanation
uRPF uses the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB) to perform reverse path look-up on
the source IP address of an incoming packet. The CEF FIB is a database of network layer routing information and
associated forwarding/adjacency information used in the CEF switching of packets.
Unicast RPF will allow packets with 0.0.0.0 source and 255.255.255.255 destination to pass so that Bootstrap Protocol
(BOOTP) and Dynamic Host Configuration Protocol (DHCP) functions work properly.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf.pdf
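To make those two statements concrete, here is an added Python model of the uRPF decision (not code from the page, from Networktut or from Cisco): a longest-prefix lookup of the source address in a constructed FIB, strict versus loose mode, the “allow-default” option and the BOOTP/DHCP exemption. The prefixes, interface names and the Null0 entry used for a source-based remote-triggered black hole are assumptions for the example; equal-cost paths are not modelled.

```python
import ipaddress

# Constructed FIB for the example: (prefix, exit interface). The topology is assumed.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),          # default route towards the ISP
    ("10.1.0.0/16", "Gi0/1"),        # internal LAN
    ("192.0.2.0/24", "Gi0/2"),       # DMZ
    ("198.51.100.0/24", "Null0"),    # source-based RTBH: attacker prefix black-holed
    ("203.0.113.0/24", "Gi0/0"),     # customer prefix learned over the ISP link
]


def fib_lookup(source):
    """Longest-prefix match on the source address; returns (network, exit interface) or None."""
    ip = ipaddress.ip_address(source)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(source, dest, in_iface, mode="strict", allow_default=False):
    """Return (passed, reason) for a packet that arrived on in_iface.

    strict: the best FIB entry for the source must point back out in_iface
            (equal-cost paths are not modelled here).
    loose:  any FIB entry other than a null route will do.
    allow_default: let the default route satisfy the check (off by default, as in IOS).
    """
    if source == "0.0.0.0" and dest == "255.255.255.255":
        return True, "BOOTP/DHCP discover is exempt"
    hit = fib_lookup(source)
    if hit is None:
        return False, "no FIB entry for the source"
    net, iface = hit
    if iface == "Null0":
        return False, f"source matches null route {net}"
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route covers the source and allow-default is not set"
    if mode == "loose":
        return True, f"source reachable via {iface} (loose mode)"
    if iface == in_iface:
        return True, f"reverse path via {iface} matches the ingress interface"
    return False, f"reverse path via {iface} but the packet arrived on {in_iface}: spoofed source"


def demo():
    """Constructed packets; the dict values are the pass/fail verdicts."""
    return {
        "dhcp": urpf_check("0.0.0.0", "255.255.255.255", "Gi0/1")[0],
        "lan_ok": urpf_check("10.1.2.3", "203.0.113.7", "Gi0/1")[0],
        "spoofed": urpf_check("10.1.2.3", "192.0.2.10", "Gi0/0")[0],            # internal source from the ISP side
        "spoofed_loose": urpf_check("10.1.2.3", "192.0.2.10", "Gi0/0", mode="loose")[0],
        "internet_strict": urpf_check("8.8.8.8", "192.0.2.10", "Gi0/0")[0],     # covered only by the default
        "internet_allow_default": urpf_check("8.8.8.8", "192.0.2.10", "Gi0/0", allow_default=True)[0],
        "rtbh": urpf_check("198.51.100.9", "192.0.2.10", "Gi0/0", mode="loose")[0],
    }
```

Loose mode passes the spoofed internal source that strict mode drops, which is why loose mode belongs on multihomed edges where asymmetric routing makes strict mode unusable, and strict mode on single-homed and customer-facing interfaces. On IOS the per-interface verification drops are shown by “show ip interface” and the global counters by “show ip traffic”.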
Question 64 ***
Routes are not advertised in the GRE tunnel. What is the problem?
A. Implement dynamic routing in tunnel interfaces
B. ACLs are blocking packets
C. ?
D. ?
Answer: B
Question 65
How can we limit the number of simultaneous access to the VTY lines?
A. session-limit
B. something about ACL
C. ?
D. ?
Answer: A
Explanation
The “session-limit” command is used to configure the maximum number of the concurrent virtual terminal sessions on a
device. The range is from 1 to 64.
Question 66 ***
Drag drop question about extended ping which includes: TTL, df-bit, ToS, Timeout.

Answer:
ToS = Specifies the packet classification
df-bit = allows for testing the path MTU
TTL = determines the maximum hop count
timeout = sets the interval to wait for a response
Good reference:
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
Question 67 ***
There is an exhibit with a hub-and-spoke topology and two PCs: PC1 on the spoke side and PC2 on the hub. PC1 cannot
ping PC2. The exhibit contains the NHRP configuration, something like this:

interface tunnel0
ip address 10.100.0.3 255.255.255.0
no ip redirects
ip nhrp network-id 12345
ip nhrp shortcut
ip nhrp nhs 10.100.0.1 nbma 200.1.1.9 multicast
tunnel source e0/1
tunnel mode gre multipoint

What command can be used to troubleshoot GRE issues?


A. show dmvpn
B. show ip interface brief
C. show ip route
D. show ip bgp summary
Answer: A
Note: If the exhibit shows anything related to DMVPN (NHRP, mGRE) the answer should be A; otherwise it should be B.
Update: The configuration shown is NHRP, so the correct answer is A. “show dmvpn” lists each NHRP peer with its NBMA and
tunnel addresses and its state, which is the quickest way to see whether the spoke has registered with the hub.
Question 68
Refer to the exhibit.

PC was not configured to obtain default-gateway from the DHCP server. What can we do for PC to access the Internet?
A. Configure static ARP in gateway router
B. Configure dynamic ARP in gateway router
C. Configure proxy-ARP in gateway router
D. ?
Answer: C
Explanation
A host without a default gateway ARPs directly for every destination, including addresses outside its own subnet. With
proxy ARP enabled on the gateway router’s LAN interface (“ip proxy-arp”, on by default in IOS), the router answers those
requests with its own MAC address and forwards the traffic. It is a workaround rather than a fix: the host ends up with an
ARP entry per remote destination, and proxy ARP is often disabled as a hardening measure, so the DHCP scope should be
corrected to hand out the default gateway.
Question 69 ***

Output is given showing the RA tunnel up/up and the RC tunnel up/down.


The R-A and R-C tunnel interface configurations are shown. The only difference is that the RA MTU is 1490 and the RC
MTU is 1476. What is the issue?
The answers are like this:
A. Loopback 1.1.1.1 is not advertised………….
B. Loopback 4.4.4.4 is not advertised………….
C. MTU mismatched ….
D. RB configured not properly ……
Answer: A
Explanation
Note: A GRE tunnel does not go down because the MTUs on the two sides differ (a mismatched MTU causes fragmentation or
dropped large packets, not a line-protocol change) -> C is not correct. The output shows that Loopback 1.1.1.1 is not
advertised, so RC has no route to its tunnel destination, which is one of the three causes of an up/down tunnel.
Question 70
Question about “show debug condition” command.
Refer to the exhibit.

Router#show debug condition


condition 1: int g0/1 …
condition 2: int g0/2 …
Router#no debug condition 1
What is the output of “show debug condition “?

A. Router#show debug condition


condition 1: int g0/1 …
condition 2: int g0/2 …
B. Router#show debug condition
condition 1: int g0/2 …
C. Router#show debug condition
condition 1: int g0/1 …
D. Router#show debug condition
condition 2: int g0/2 …
Answer: D
Explanation
We tested it with IOSv15.4 and this is the result:

Question 71
Refer to the exhibit. The client is unable to enter privileged mode.
A. enable password should be configured
B. VTY password should be configured
C. enable password should be disabled

Answer: A
Question 72 ***
Refer to the exhibit.

ipv6 access-list INTERNET


permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64
permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64 eq telnet
permit tcp 2001:DB8:AD59:BA21::/64 any eq http
permit ipv6 2001:DB8:AD59::/48 any
deny ipv6 any any log

Which statement about the INTERNET ACL is true?

A. The denied entries will be logged because of the explicit deny ipv6 any any log line
B. A packet with source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port 80 will be permitted
C. HTTPS traffic from the 2001:DB80:AD59:BA21::/64 subnet will automatically be permitted along with HTTP traffic
D. A packet with source address 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied
Answer: A
Explanation
The last line is an explicit “deny ipv6 any any log”, so every packet that reaches it is dropped and logged; the implicit
deny at the end of an ACL never logs -> A is correct.
B: 2001:DB80:AD59:BA21:101:CAB:64:38 has DB80 as its second hextet, which places it outside every permit entry (they all
start with 2001:DB8), so it is denied.
C: “eq http” matches only port 80. HTTPS (443) from 2001:DB8:AD59:BA21::/64 is still permitted, but by line 4, which covers
the whole 2001:DB8:AD59::/48, not “automatically along with HTTP”.
D: 2001:DB8:AD59:ACC0:2020:882:DB8:1125 is inside 2001:DB8:AD59::/48 and is permitted by line 4.
Note: An IPv6 ACL ends with three implicit entries: “permit icmp any any nd-na”, “permit icmp any any nd-ns” and
“deny ipv6 any any”. An explicit “deny ipv6 any any log” is evaluated before them and therefore also drops Neighbor
Discovery; add “permit icmp any any nd-na” and “permit icmp any any nd-ns” above it, or the interface loses its IPv6
neighbors.
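The following Python model is an added example (it is not code from the page, from Networktut or from Cisco) that walks an ACL the way IOS does and reproduces the results argued for in questions 43, 52 and 72: the first matching line wins, an inactive time-range entry is skipped, “eq N” is a port while the token after permit/deny is a protocol, and an unmatched packet meets the implicit deny. The IPv4 ACLs are reconstructed from the explanations of questions 43 and 52 (the order of the deny lines, the “host” keyword on the 10.1.1.1 entry and the TIME window of 06:00 to 18:00 on weekdays are assumptions); the IPv6 ACL is the one in the exhibit above; the packets are constructed. Only contiguous wildcard masks are handled.

```python
import ipaddress
from collections import namedtuple
from datetime import datetime

# IP protocol numbers behind IOS keywords (None = any protocol); port names accepted after "eq" (always a port).
PROTO = {"ip": None, "ipv6": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "eigrp": 88, "ospf": 89}
PORT = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443, "bgp": 179}
# Assumed definition of the time-range named in question 43: weekdays, 06:00-18:00.
TIME_RANGES = {"TIME": ({0, 1, 2, 3, 4}, 6 * 60, 18 * 60)}
Entry = namedtuple("Entry", "action proto src sport dst dport time_range log")
Packet = namedtuple("Packet", "proto src dst sport dport")


def _net(toks, i):
    # Address spec: any | host A.B.C.D | IPv6 prefix | IPv4 address + wildcard mask. None = any.
    t = toks[i]
    if t == "any":
        return None, i + 1
    if t == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    if "/" in t:
        return ipaddress.ip_network(t, strict=False), i + 1
    return ipaddress.ip_network(f"{t}/{toks[i + 1]}", strict=False), i + 2  # wildcard = hostmask


def _port(toks, i):
    if i < len(toks) and toks[i] == "eq":
        return (PORT.get(toks[i + 1]) or int(toks[i + 1])), i + 2
    return None, i


def parse_entry(line):
    toks = line.split()
    if toks[0] == "access-list":                      # numbered syntax: drop "access-list 101"
        toks = toks[2:]
    action, p = toks[0], toks[1]
    proto = PROTO[p] if p in PROTO else int(p)        # keyword or raw protocol number
    src, i = _net(toks, 2)
    sport, i = _port(toks, i)
    dst, i = _net(toks, i)
    dport, i = _port(toks, i)
    time_range, log = None, False
    while i < len(toks):
        if toks[i] == "time-range":
            time_range, i = toks[i + 1], i + 2
        elif toks[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {toks[i]!r}")
    return Entry(action, proto, src, sport, dst, dport, time_range, log)


def _matches(e, pkt, when):
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if e.time_range is not None:                      # inactive time-range entry: keep walking
        days, start, end = TIME_RANGES[e.time_range]
        if when.weekday() not in days or not start <= when.hour * 60 + when.minute < end:
            return False
    return ((e.proto is None or e.proto == pkt.proto)
            and (e.src is None or src in e.src) and (e.dst is None or dst in e.dst)
            and (e.sport is None or e.sport == pkt.sport)
            and (e.dport is None or e.dport == pkt.dport))


def evaluate(acl, pkt, when=None):
    """Return (action, number of the matching line or None for the implicit deny, logged)."""
    when = when or datetime.now()
    for n, line in enumerate(acl, 1):
        e = parse_entry(line)
        if _matches(e, pkt, when):
            return e.action, n, e.log
    return "deny", None, False                        # implicit deny, never logged


# Question 43, reconstructed: the deny lines are assumed to follow the quoted permit.
ACL_Q43 = ["access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh time-range TIME",
           "access-list 101 deny tcp any any eq 21",
           "access-list 101 deny tcp any any eq 23",
           "access-list 101 deny ip any any"]
# Question 52, reconstructed from the explanation ("host 10.1.1.1" is assumed).
ACL_Q52 = ["access-list 101 permit 89 any any",
           "access-list 101 permit tcp any host 10.1.1.1 eq 179",
           "access-list 101 permit tcp any eq 179 any",
           "access-list 101 permit gre any any"]
# Question 72, exactly as shown in the exhibit.
ACL_Q72 = ["permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64",
           "permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64 eq telnet",
           "permit tcp 2001:DB8:AD59:BA21::/64 any eq http",
           "permit ipv6 2001:DB8:AD59::/48 any",
           "deny ipv6 any any log"]


def demo():
    """Evaluate the packets the three questions ask about (all addresses are constructed)."""
    monday_11pm = datetime(2019, 11, 25, 23, 0)       # 2019-11-25 is a Monday
    tuesday_10am = datetime(2019, 11, 26, 10, 0)
    scp = Packet(6, "10.1.1.5", "172.16.1.200", 50000, 22)   # SCP is carried inside SSH, TCP/22
    return {
        "q43_night": evaluate(ACL_Q43, scp, monday_11pm),
        "q43_day": evaluate(ACL_Q43, scp, tuesday_10am),
        "q52_ospf": evaluate(ACL_Q52, Packet(89, "10.1.1.2", "224.0.0.5", None, None)),
        "q52_bgp": evaluate(ACL_Q52, Packet(6, "10.1.1.2", "10.1.1.1", 45577, 179)),
        "q52_eigrp": evaluate(ACL_Q52, Packet(88, "10.1.1.2", "224.0.0.10", None, None)),
        "q72_bad_src": evaluate(ACL_Q72, Packet(6, "2001:DB80:AD59:BA21:101:CAB:64:38", "2001:DB8::1", 40000, 80)),
        "q72_https": evaluate(ACL_Q72, Packet(6, "2001:DB8:AD59:BA21::10", "2001:DB8::1", 40000, 443)),
        "q72_acc0": evaluate(ACL_Q72, Packet(6, "2001:DB8:AD59:ACC0:2020:882:DB8:1125", "2001:DB8::1", 40000, 22)),
    }
```

demo() returns the verdicts as (action, matching line, logged): the SCP session on Monday night falls through to line 4 (“deny ip any any”) while the same session on Tuesday morning is permitted by line 1; EIGRP (protocol 88) matches nothing and is dropped by the implicit deny; the 2001:DB80 source is denied and logged by line 5, and HTTPS from the BA21 subnet is permitted by the /48 entry on line 4, not by the HTTP entry.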
Question 73
Similar to this question:
Refer to the exhibit. (ClientA is connecting to the network via e0/0 interface while the “tunnel source e0/1” in the
configuration). ClientA is unable to reach ClientB while other users from other Spokes can reach ClientB. Which
command resolves this issue?
A. tunnel route-via ethernet0/1
B. tunnel mode gre
C. tunnel destination 10.100.0.1
D. tunnel source ethernet0/0
Answer: D
Question 74 ***
Regarding extended ping, why does the ping fail (refer to the exhibit)?
A. df bit is set (it should be unset; the packet exceeds the path MTU and cannot be fragmented)
B. df bit is not set

Answer: A

Question 75 ***
Routes are not being shared dynamically over a functional GRE tunnel. Which scenario is causing the issue?
A. An ACL is blocking the data plane traffic between the remote devices
B. MTU is configured at 1500 on the tunnel interface
C. The tunnel mode is mismatched between the two routers
D. The tunnel interface is not participating in the dynamic routing process
Answer: D
Question 76
There is a diagram with an HQ site connected to a Branch site via a GRE tunnel (two hosts connected across the tunnel).
A. Change the tunnel source at the HQ site from G0/1 to G0/0
B. Change the tunnel source at the Branch site from G0/0 to G0/1
Answer: A
=================== New Multiple-Choice Questions (updated on 9th-Feb-2019) ====================
Question 77
A topology with three routers R1, R2 and R3 connected to each other and a list of ACL statements to choose. The
question asks which sequence number allows connection from R1 to R2 via SSH.

R1 Lo0: x:x::1
R2 Lo0: y:y::2
R3 Lo0: z:z::3
10 permit tcp y:y::2 host x:x::/64 eq 22
20 permit tcp x:x::/64 host y:y::2 eq 22
30 deny tcp x:x::/64 host y:y::2 eq 22
40 deny tcp x:x::/64 host y:y::2 eq 22

A. 30
B. 20
C. 40
D. 10

Answer: B
Explanation
20 permit tcp x:x::/64 host y:y::2 eq 22 (so choose the sequence number 20)
Question 78 ***
How to apply an IPv6 access-list to lines?
A. ipv6 access-group <ipv6 access-list name>
B. ipv6 access-list <ipv6 access-list name>
C. ipv6 access-class <ipv6 access-list name>
Answer: C
Question 79 ***
Drag drop about AAA.

Answer:
+ AAA Accounting commands: configures AAA to send commands executed to the configured target
+ AAA Authentication banner: configures AAA to change the message displayed when a user logs in
+ AAA authorization exec: (none)
+ AAA authentication enable: configures AAA to prompt for a password to enter privileged mode
+ AAA authorization config-commands: configures AAA to validate a user’s permission to change the running
configuration
Explanation
The “AAA authentication banner” command is used to configure a banner that is displayed when a user logs in (replacing
the default message for login).
If aaa authorization commands level method command is enabled, all commands, including configuration commands,
are authorized by AAA using the method specified. Use the aaa authorization config-commands command if you need
to reestablish the default set by the aaa authorization commands level method command.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html
Question 80 ***
An exhibit with three routers A, B and C. Router A is connected to Router B. Router B is connected to Router C.

The output of “show interface Tunnel 1” on Router C shows that the tunnel is in “up/down” state. The question asks
what is the reason for this.
A. Router C does not have a route to the loopback interface of Router A (which is used as the tunnel source on Router A
and tunnel destination on Router C).
B. The tunnel mode should be changed to “gre mode multipoint”
C.
D.
Answer: A
Explanation
Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
– There is no route, which includes the default route, to the tunnel destination address.
– The interface that anchors the tunnel source is down.
– The route to the tunnel destination address is through the tunnel itself, which results in recursion.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-
00.html
Question 81 ***
A network administrator’s attempt to restrict AUX access to R4 to a single host IP address, 192.168.x.x, has failed.
Which action will restrict access?

access-list 150 permit tcp host 192.168.x.x any eq 22


access-list 150 permit tcp host 192.168.x.x any eq telnet
line vty 0 4
access-class 2 in
session-limit 1
login local
transport input all
line con 0
(no config)
line aux 0
(no config)

A. Set ACL 150 with inbound direction on AUX


B. Set ACL 150 on VTY lines
C. Set session-limit 0 command on AUX
D. Change session-limit to 0 on VTY

Answer: A
Explanation
ACL 150 is defined but never applied: the VTY lines reference access-class 2, which is not the ACL shown, and the AUX
line has no access-class at all, so any host that can reach the AUX port gets a login prompt. Applying “access-class
150 in” under “line aux 0” limits it to 192.168.x.x. The “session-limit” command only caps the number of concurrent
sessions on a line and does not filter by source, so answers C and D do not help.
Exam recollection: the configuration showed all the lines (VTY, AUX and console) and one ACL. Only the VTY lines had any
configuration, including an access-class whose number did not match the ACL shown; the AUX line had no configuration at
all, and the question was essentially why hosts outside the ACL’s range can still reach the router via AUX.
Question 82
A firewall has been inserted between 2 routers running GRE. Which protocol needs to be allowed through on the
firewall?
A. Create a firewall rule to allow IP protocol 47
B. Create a firewall rule to allow TCP/IP Port 47
Answer: A
Explanation
GRE is a protocol on the same level as TCP and UDP. When configuring a firewall to allow GRE you do not configure a port
as you would for Telnet or SSH; instead, you must allow IP protocol 47. Cisco routers offer the keyword “gre” for this in
access lists.
The access-list statement should be “access-list 100 permit gre any any” (or “access-list 100 permit gre host x.x.x.x host
y.y.y.y” to allow specific tunnel endpoints only).
Question 83 ***
How to apply IPv6 access list?
A. ipv6 access-class <ipv6 access-list name>
B. ipv6 access-group <ipv6 access-list name>
C. ipv6 access-list <ipv6 access-list name>
D. ipv6 traffic-filter <ipv6 access-list name>

Answer: D
Question 84 ***
The router is configured with AAA using the “local-case” keyword in authentication:

username Admin password cisco


aaa authentication login default local-case …

The admin cannot log in with the command “ssh -l admin x.x.x.x”. Which command works?

A. ssh -l Admin x.x.x.x


B. ssh -p Admin x.x.x.x
C. ssh port 1111
D. ?
Answer: A
Explanation
The keyword “local-case” makes the username lookup case-sensitive, so the login must use the upper-case “A” of
“Admin” exactly as it appears in the username database.
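The behaviour behind questions 41a, 42b and 84 is the method-list walk: IOS tries the next method only when the current one returns an error (server unreachable, username unknown), while a pass or a fail from any method is final. The following Python model is an added example, not code from the page, from Networktut or from Cisco; the device state, usernames and secrets are constructed (the LOCAL-VTY list, the “CiscoCisco” line password and the “Admin”/“cisco” account follow the questions, the TACACS+ accounts are assumed).

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    """Constructed device state; every name and secret below is assumed."""
    local_users: dict = field(default_factory=dict)     # username -> password
    line_password: str = None                            # "password ..." under the line
    tacacs_reachable: bool = True
    tacacs_users: dict = field(default_factory=dict)    # what the TACACS+ server would accept
    method_lists: dict = field(default_factory=dict)    # list name -> ordered methods
    line_lists: dict = field(default_factory=dict)      # line -> "login authentication" list


def run_method(dev, method, user, pwd):
    """One method returns PASS, FAIL or ERROR; only ERROR lets the next method run."""
    if method == "group tacacs+":
        if not dev.tacacs_reachable:
            return "ERROR"                               # no server answered
        return "PASS" if dev.tacacs_users.get(user) == pwd else "FAIL"
    if method in ("local", "local-case"):
        # "local" matches usernames case-insensitively; "local-case" needs an exact match.
        users = dev.local_users if method == "local-case" else {u.lower(): p for u, p in dev.local_users.items()}
        key = user if method == "local-case" else user.lower()
        if key not in users:
            return "ERROR"                               # unknown user: IOS moves to the next method
        return "PASS" if users[key] == pwd else "FAIL"   # wrong password for a known user is final
    if method == "line":
        if dev.line_password is None:
            return "ERROR"                               # nothing to check against
        return "PASS" if pwd == dev.line_password else "FAIL"
    if method == "none":
        return "PASS"
    raise ValueError(f"unknown method {method!r}")


def login(dev, line, user, pwd):
    """Authenticate a session on a line; returns (result, method that decided it)."""
    list_name = dev.line_lists.get(line, "default")     # a named list on the line overrides default
    for method in dev.method_lists[list_name]:
        outcome = run_method(dev, method, user, pwd)
        if outcome != "ERROR":
            return outcome, method
    return "FAIL", "every method returned ERROR"


def demo():
    # Question 41a: vty 0 is pinned to LOCAL-VTY, whose only method is the line password.
    r = Device(local_users={"Cisco": "Cisco123"}, line_password="CiscoCisco", tacacs_reachable=False,
               method_lists={"default": ["group tacacs+", "local-case", "line"], "LOCAL-VTY": ["line"]},
               line_lists={"vty 0": "LOCAL-VTY"})
    # Questions 42b/84: the database holds "Admin"; the client types "admin".
    s = Device(local_users={"Admin": "cisco"}, method_lists={"default": ["local-case"]})
    s_local = Device(local_users={"Admin": "cisco"}, method_lists={"default": ["local"]})
    # Fallback caveat: a reachable TACACS+ server that rejects the user ends the attempt.
    t = Device(local_users={"admin": "backup"}, tacacs_users={"admin": "tacacs-only"},
               method_lists={"default": ["group tacacs+", "local"]})
    t_down = Device(local_users={"admin": "backup"}, tacacs_reachable=False,
                    method_lists={"default": ["group tacacs+", "local"]})
    return {
        "q41a": login(r, "vty 0", "Cisco", "Cisco123"),
        "q41a_line_password": login(r, "vty 0", "Cisco", "CiscoCisco"),
        "q84_lowercase": login(s, "vty 0", "admin", "cisco"),
        "q84_exact": login(s, "vty 0", "Admin", "cisco"),
        "q84_plain_local": login(s_local, "vty 0", "admin", "cisco"),
        "tacacs_reject": login(t, "vty 0", "admin", "backup"),
        "tacacs_down": login(t_down, "vty 0", "admin", "backup"),
    }
```

The last two cases are the ones worth remembering when designing the default list: “group tacacs+ local” gives you a local fallback only while the server is unreachable, never a second chance after the server has said no, so a local emergency account is useful only if the TACACS+ server is down or the account is also known to the server.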
Question 85
Refer to the exhibit (ClientA is connecting to the network via e0/0 interface while the “tunnel source e0/1” in the
configuration). ClientA is unable to reach ClientB while other users from other Spokes can reach ClientB. Which
command resolves this issue?
A. tunnel route-via ethernet0/1
B. tunnel mode gre
C. tunnel destination 10.100.0.1
D. tunnel source ethernet0/0
Answer: D
Question 86 ???
Large exhibit with many routers. Looking at the routing table, why is a PC client unable to communicate with the HQ
router?
A. Did not advertise the correct subnet
B. Did not have a route in his routing table
C. Did not have a default route in the routing table

Answer: B

Question 87 ***
An exhibit with the Admin PC (IP address: 192.168.1.200/28) connecting to the router R1 (Lo0: 192.168.1.55/28) with
AAA config. The question asks why Telnet attempt to the router from the Admin PC fails.

aaa new-model
!
aaa authentication login default line enable
aaa authorization commands 15 default local
aaa authorization network default local
!
username admin privilege 15 password cisco
!
ip ssh version 2
!
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any range 22 stp
!
line vty 0 4
access-class 101 in
password cico
transport input all
!
line vty 5 15
access-class 101 in
password cico
transport input all
!

A. The AAA configuration is misconfigured


B. Telnet has been removed from the VTY lines
C. ACL is blocking the connection
Answer: C
Explanation
The ACL is applied with “access-class 101 in”, so it is evaluated against the source of the management session and the
port the session targets. The admin PC (192.168.1.200) matches the 192.168.1.0/24 source of the first line, but that line
only permits TCP port 22; a Telnet session to port 23 matches nothing and is dropped by the implicit deny. The line still
has “transport input all”, so the refusal comes from the ACL alone; SSH from the same PC would be accepted.
Question 88 ***
The GRE tunnel went down when an unrelated interface went down. What is the reason for that?
A. The CEF entry for the tunnel source use that interface
B. The CEF entry for the tunnel destination uses that interface
C. The interface is configured as the tunnel source
D. The interface is configured as the tunnel destination
Answer: B
Explanation
The tunnel destination was reachable only through the interface that went down. When its line protocol dropped, the route
(and with it the CEF entry) for the tunnel destination disappeared, leaving no route to the destination, which is one of
the three conditions that put a GRE tunnel into the up/down state. An interface named as the “tunnel source” is a
separate case (answer C), and a tunnel destination is an address, not an interface (answer D).
Question 89 ???
One question about OSPF and IBGP.

BGP R1 3.3.3.3 ———— OSPF Router —————– BGP R2 4.4.4.4


[Large output showing the BGP neighbor relationship will not establish]
Why will the neighbor relationship not establish?
A. Because there’s no route between the routers that is present in the routing table
B. Something about OSPF advertisement
C. ?
D. ?
Suggested Answer: A
=================== New Multiple-Choice Questions (updated on 11th-Jan-2019) =====================
Question 90
Picture of three routers; the question is related to IPv4-to-IPv6 tunnelling and states that all interfaces are
configured with MTU 1500 except the tunnel interface, on which no MTU was set. The engineer notices that packets are being
fragmented. How do you fix this?
A. set the MTU on the tunnel interface to 1476
B. increase the IPv6 packet MTU.
C. increase the IPv4 packet MTU.
D. set the MTU on the tunnel interface to 1500.
Answer: A
Explanation
GRE encapsulation adds a 20-byte outer IPv4 header and a 4-byte GRE header (24 bytes; 4 more for each of the optional
checksum, key and sequence fields), so a 1500-byte packet entering the tunnel becomes 1524 bytes and must be fragmented on
a 1500-byte transport link. Setting the tunnel IP MTU to 1476 (“ip mtu 1476” or “ipv6 mtu 1476”) makes the encapsulated
packet fit, which is also the value IOS derives automatically for a plain GRE/IPv4 tunnel.
Question 91
Refer to the statement.

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message

What could be causing the syslog?

A. Source virtual interface shutdown.


B. Tunnel interface is not participating in routing.
C. Physical interface is down/down.
D. The route to destination was learnt by the tunnel itself
Answer: D
Explanation
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the
generic routing encapsulation (GRE) tunnel router has discovered a recursive routing problem. This condition is usually
due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself
(recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network
So, in this question if there is an option with either of the conditions above please choose it.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-
flap.html
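The following Python model is an added example (not code from the page, from Networktut or from Cisco) that applies the rules above to a constructed branch router: it reports the tunnel as up/down for the three causes listed in question 50 (no route, source interface down, recursive route), shows why an unrelated interface can take the tunnel down as in question 88, and computes the 1476-byte tunnel MTU of question 90 from the 24 bytes of GRE/IPv4 overhead. All addresses, interface names and routing tables are assumptions.

```python
import ipaddress

OUTER_IPV4_HEADER = 20
GRE_BASE_HEADER = 4            # flags/version + protocol type; checksum, key and sequence add 4 bytes each


def gre_ip_mtu(transport_mtu=1500, checksum=False, key=False, sequence=False):
    """Largest IP packet the tunnel can carry without fragmenting the encapsulated packet."""
    return transport_mtu - OUTER_IPV4_HEADER - GRE_BASE_HEADER - 4 * (checksum + key + sequence)


def lookup(rib, iface_up, addr):
    """Longest-prefix match over routes whose exit interface is up (a down interface takes its routes with it)."""
    ip = ipaddress.ip_address(addr)
    live = [(ipaddress.ip_network(p), i) for p, i in rib if iface_up.get(i, False)]
    return max(((n, i) for n, i in live if ip in n), key=lambda h: h[0].prefixlen, default=None)


def tunnel_state(name, source_iface, destination, rib, iface_up):
    """Return (state, reason) the way 'show interface Tunnel' and syslog would report it."""
    if not iface_up.get(source_iface, False):
        return "up/down", f"the interface that anchors the tunnel source ({source_iface}) is down"
    hit = lookup(rib, iface_up, destination)
    if hit is None:
        return "up/down", f"no route, not even a default, to tunnel destination {destination}"
    net, exit_iface = hit
    if exit_iface == name:
        return "up/down", f"%TUN-5-RECURDOWN: {name} temporarily disabled due to recursive routing ({net} via {name})"
    return "up/up", f"destination reachable via {exit_iface} ({net})"


# Constructed branch router: Tunnel0 is sourced on Gi0/1 and points at HQ's WAN address 203.0.113.1.
TUNNEL = ("Tunnel0", "Gi0/1", "203.0.113.1")
ALL_UP = {"Gi0/0": True, "Gi0/1": True, "Tunnel0": True}
RIB_HEALTHY = [("0.0.0.0/0", "Gi0/0"), ("192.168.100.0/24", "Gi0/1")]
# Questions 50/80: only connected networks, nothing covers the destination.
RIB_NO_ROUTE = [("192.168.100.0/24", "Gi0/1"), ("198.51.100.0/30", "Gi0/0")]
# Question 91: a routing protocol running inside the tunnel advertised the transport
# network itself, so the more specific route now points back into Tunnel0.
RIB_RECURSIVE = RIB_HEALTHY + [("203.0.113.0/24", "Tunnel0")]


def demo():
    """Question 88 is the fourth case: Gi0/0 is not named in the tunnel configuration, but the only
    route to the destination leaves through it, so when it fails the tunnel follows."""
    return {
        "healthy": tunnel_state(*TUNNEL, RIB_HEALTHY, ALL_UP),
        "no_route": tunnel_state(*TUNNEL, RIB_NO_ROUTE, ALL_UP),
        "recursive": tunnel_state(*TUNNEL, RIB_RECURSIVE, ALL_UP),
        "unrelated_iface_down": tunnel_state(*TUNNEL, RIB_HEALTHY, {**ALL_UP, "Gi0/0": False}),
        "source_down": tunnel_state(*TUNNEL, RIB_HEALTHY, {**ALL_UP, "Gi0/1": False}),
        "mtu": gre_ip_mtu(),                  # 1476: 1500 minus 20 (outer IPv4) minus 4 (GRE)
        "mtu_keyed": gre_ip_mtu(key=True),    # 1472 once "tunnel key" adds the key field
    }
```

“show ip route <tunnel destination>” is the quick check for the first and third causes (which is what question 59 points at), and “show interface tunnel0” shows the source, the destination and whether the source interface is up. GRE keepalives (question 51) are the separate mechanism that also brings the line protocol down when the far end is unreachable through an otherwise valid route.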
Question 92
How do you view the access list applied to interface G0/0?
A. show ip access-lists int g0/0
B. show int g0/0
C. show ip access-list applied
D. show interface G0/0 stat
Answer: A
Explanation
The “show ip access-list int …” command is only available in IOS v15 or IOS XE (you cannot find it in IOS v12):

R2#sh ip access-lists ?
<1-199> Access list number
<1300-2699> Access list number (expanded range)
WORD Access list name
dynamic List dynamic IP access lists
interface List ACL attached to an interface
| Output modifiers
<cr>
R2#sh ip access-lists int ?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
Ethernet IEEE 802.3
GMPLS MPLS interface
LISP Locator/ID Separation Protocol Virtual Interface
LongReachEthernet Long-Reach Ethernet interface
Loopback Loopback interface
Lspvif LSP virtual interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-TokenRing Virtual TokenRing
vmi Virtual Multipoint Interface

Question 93

What can you use to collect stats on Cisco IOS?
A. SNMP
B. LLDP
C. HSRP
D. ICMP
Answer: A
Question 94***
Refer to the exhibit.

line vty 0 4
ip access-class 1 in
transport input telnet only
!
ip access list permit tcp any any eq 22
ip access list permit tcp any any telnet

A Cisco engineer is trying to set up secure access to the router, but why is SSH failing?

A. access-list needs to be applied with access-group command.
B. access-list only allows telnet access.
C. They’re needed to be transport input ssh on line vty 0 4.
D. ?
Answer: C
Question 95 ***
Diagram showing 2 hosts each connected to different access switches. Host A in VLAN 300 Host B in VLAN 200. Why
can host A not access a DHCP server in VLAN 200?
A. VLAN 200 needs to be added to access switch B.
B. Create a port channel.
C. Host A has the wrong subnet mask.
D. ?
Answer: C (Host A has /24 and the gateway (int vlan 300) was /22)
Question 96a ???
There was a question on how to limit debug output for a particular interface and one of the options was debug condition
interface g0/0.
A. debug condition interface g0/0
B. ?
C. ?
D. ?
Answer: A
Explanation
The “debug condition interface <interface>” command disables debugging messages for all interfaces except the specified
one, so in this case the debug output will be shown on the Fa0/1 interface only.
Note: If in this question there is another “debug condition interface …” command configured, then the answer should be
that both interfaces will show debugging output.
Question 96b
An exhibit showing the output of a debug command that displays debugs on interfaces g0/0 and g0/2, and then a second
output showing only messages for G0/2.
The question asked which command would limit the debug output as shown in the exhibit (only for G0/2).
A. debug condition interface g0/2
B. debug condition interface g0/0
C. debug condition 192.168.22.2
D. debug condition …
Answer: A
Question 97
Refer to the exhibit. How would you confirm on R1 that load balancing is actually occurring on the default-network
(0.0.0.0)?
A. Use ping and the show ip route command to confirm the timers for each default network resets to 0.
B. Load balancing does not occur over default networks; the second route will only be used for failover.
C. Use an extended ping along with repeated show ip route commands to confirm the gateway of last resort address
toggles back and forth.
D. Use the traceroute command to an address that is not explicitly in the routing table.
Answer: D
Question 98 ***
Which statement indicates a cause for Tunnel0‘s connection failure?
A. The tunnel source interface is in an up/down state and the tunnel destination is recursively routing as a result.
B. The tunnel destination interface is flapping, which causes the tunnel to go up and down.
C. The tunnel is configured with the wrong encapsulation.
D. The tunnel destination is intermittently reachable via multiple routing protocols.
Answer: D
Explanation
Answer A, which says “the tunnel destination is recursively routing” as a result of “the tunnel source interface is in an
up/down state”, is not correct according to this paragraph from the Cisco website:
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the
generic routing encapsulation (GRE) tunnel router has discovered a recursive routing problem. This condition is usually
due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel
interface itself (recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network
Tunnel interface status depends on the IP reachability to the tunnel destination. When the router detects a recursive
routing failure for the tunnel destination, it shuts the tunnel interface down for a few minutes so that the situation causing
the problem can resolve itself as routing protocols converge. If the problem is caused by misconfiguration, the link can
oscillate indefinitely.
Another symptom of this problem is continuously flapping Enhanced Interior Gateway Routing Protocol
(EIGRP), Open Shortest Path First (OSPF), or Border Gateway Protocol (BGP) neighbors, when the neighbors
are over a GRE tunnel.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html
The tunnel source does not know the state of the tunnel destination, so answer B is not correct.
If the tunnel is configured with the wrong encapsulation, the tunnel is still up but packets going through it would be
dropped. Although this answer seems plausible, we believe answer D is the best choice as it matches the above Cisco
statement:
“Another symptom of this problem is continuously flapping Enhanced Interior Gateway Routing Protocol
(EIGRP), Open Shortest Path First (OSPF), or Border Gateway Protocol (BGP) neighbors, when the neighbors
are over a GRE tunnel.“
Question 99
Refer to exhibit. Host A is not able to https to http://www.cisco.com. All NAT was checked and confirmed as OK. What
would be the first step in troubleshooting?
OR
Question about engineer can’t reach http://www.cisco.com server so what is the command to check the issue with
presenting all the encountered hops
A. traceroute to http://www.cisco.com
B. check physical interface on firewall
C. nslookup http://www.cico.com
D. ?
Answer: A
Question 100
Which AAA command configures login using the local database?
A. aaa authentication login local default
B. aaa authentication login default local
C. aaa authentication local login
D. aaa authentication default login default
Answer: B
Question 101 ***
Which Cisco IOS feature allows you to create your own event definition for a network device and specify the action that
should be performed in response to that event?
A. Embedded Event Manager (EEM)
B. Cisco Security Device Manager (SDM)
C. ?
D. ?
Answer: A
Question 102a
GRE tunnel is in down/down on source host. What can be a cause? (What causes GRE tunnel interface to be in
down/down state?)
A. The source interface is administrative shutdown.
B. physical interface of source is down/down
C. Wrong source/destination addressing (something like that).
D. The destination interface is down/not reachable.
E. Shutdown the virtual interface
Answer: A (in fact it is not correct)
Explanation
A tunnel interface is in up/down state right after we create it (with the “interface tunnel <tunnel-number>” command).
We cannot put it into down/down state, even if we shut down the source interface. We can only put it into
“administratively down/down” by shutting down the tunnel itself. The tunnel interface does not change state when we
change/configure the other end of the tunnel.
Question 102b
Which scenario would cause the tunnel interface on a router to show a status of down/down?
A. The destination address is missing on the tunnel configuration.
B. The shutdown command has been issued on the virtual interface.
C. The source physical interface is in a down/down state.
D. the destination router’s physical interface is shut down.
Answer: B
Explanation
A tunnel interface is in up/down state right after we create it (with the “interface tunnel <tunnel-number>” command).
We cannot put it into down/down state, even if we shut down the source interface. We can only put it into
“administratively down/down” by shutting down the tunnel itself. Therefore, in fact this question is not totally correct.
The tunnel interface does not change state when we change/configure the other end of the tunnel.
Question 103 ***
There are two exhibits of the GRE tunnel interface configuration on R1 and R2; they look almost identical in terms of
configuration except that on R1 the interface is configured with keepalive 4 5 and R2 is not. The question asks something
like which statement best describes how the GRE interfaces will behave.
A. R1 will send keepalives, but R2 will drop them.
B. R1 does not send keepalives until R2 is also configured with keepalive.
C. R1 will detect tunnel outage within 5 seconds.
D. R1 will detect tunnel outage within 20 seconds.
Answer: D (R1 will shut down the tunnel after 20 sec (4 sec with 5 retries))

========================= Year 2018 Questions =========================


Question 1 ***
Which of the following is the ping response to a transmitted ICMP echo datagram that needed to be fragmented when
fragmentation was not permitted?
A. U
B. .
C. M
D. D
Answer: C
Question 2 ***
Which two of the following options are categories of Network Maintenance tasks? (Choose two)
A. Firefighting
B. Interrupt-driven
C. Policy-based
D. Structured
Answer: B D
Question 3
Which three of the following are reasons EIGRP neighbor relationships might not form? (Choose three)
A. Different autonomous system numbers
B. Different K values
C. Different timers
D. Different authentication parameters
Answer: A B D
Question 4
What type of cable is used to connect to the console port and aux port of two routers together?
A. Straight-through
B. Crossover
C. Rollover
D. DB 25 DCE
Answer: C
Question 5 ***
Which statement best describes GRE protocol?
A. GRE adds the new IP header, encapsulates the original IP packet, and adds the GRE header at the end of the IP packet.
B. GRE adds the new IP header, inserts the GRE header, and encapsulates the original IP packet.
C. GRE uses the original IP header and adds the GRE header at the end of the packet.
D. GRE uses the original IP header and inserts the GRE header between the IP header and payload.
Answer: B
Question 6 ***

A network administrator is troubleshooting an EIGRP connection between RouterA, IP address 10.1.2.1, and RouterB, IP
address 10.1.2.2. Given the debug output on RouterA, which two statements are true? (Choose two)

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.1.1.1
AS 1, Flags 0x1, Seq 478/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
K-value mismatch

A. RouterA received a hello packet with mismatched autonomous system numbers.
B. RouterA received a hello packet with mismatched hello timers.
C. RouterA received a hello packet with mismatched authentication parameters.
D. RouterA received a hello packet with mismatched metric-calculation mechanisms.
E. RouterA will form an adjacency with RouterB.
F. RouterA will not form an adjacency with RouterB.

Answer: D F
Question 7 ***
You are troubleshooting an issue with a GRE tunnel between R1 and R2 and find that routing is OK on all intermediary
routers. The tunnel is up on R1, but down on R2. Which two possible issues can prevent the tunnel from coming up?
(Choose two)
A. The tunnel does not come up unless traffic is sent through it.
B. The tunnel source interface is down on R2.
C. No specific route interface is down on R2.
D. R2 does not know how to reach the tunnel destination.
E. The tunnel keep alive timer doesn’t match on R1 and R2.
Answer: B D
Question 8 ***
How do you debug fragmentation?
A. debug tcp
B. debug ip icmp
C. debug ip packet detail
D. debug ip policy
Answer: B
Question 9
Refer to exhibit.
(exhibit missing)
Which IP address should be configured as the tunnel source on the HQ router for maximum resiliency?
A. Loopback IP address of HQ
B. Serial IP address of HQ
C. Fastethernet IP address of HQ
D. ?
Answer: A
Question 10 ***
WFQ not supported on control plane.
A. Router capabilities
B. bandwidth command not supported
C. cannot be input (pick this one as fragmentation only occurs outbound, but I’m not completely sure)
D. missing license
Answer: B
Explanation
Weighted Fair Queuing: a flow-based queuing algorithm used in Quality of Service (QoS) network applications that
schedules low-volume traffic first, while letting high-volume traffic share the remaining bandwidth. This is handled by
assigning a weight to each flow, where lower weights are the first to be serviced.
Question 11
A client reports that all passwords appear in plain text after running ‘show archive log config all’. How can you
prevent this/encrypt all messages?
A. password encrypt aes
B. hidekeys
C. service-password encryption
D. aaa authentication arap
Answer: B
Explanation
The command “hidekeys” (Device(config-archive-log-config)# hidekeys) suppresses the display of password information
in configuration log files.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-3s/config-mgmt-xe-3s-book/cm-config-logger.html
Question 12
Client X is unable to telnet to the terminal server (IPv6 ACL).
Client X – adb:2018::xx:1
Client Y – adb:2018::xx:2
Terminal Server – adb::2018:yy:1
Something to do with the sequence numbers in the ACL.
10 permit tcp host adb:2018::xx:2 host adb::2018:yy:1 eq telnet
20 deny tcp any host adb::2018:yy:1 eq telnet
30 ?
A. ?
B. Add sequence 15 & permit tcp host adb:2018::xx:1 host adb::2018:yy:1 eq telnet
C. Delete sequence 20 & add sequence 5 permit tcp host adb:2018::xx:1 host adb::2018:yy:1 eq telnet
D. Add sequence 25 & permit …
Answer: B
Question 13 ***
Which two statements about GRE tunnels are true? (Choose two)
A. GRE tunnels operate in GRE/IPsec mode by default
B. GRE tunnels operate in GRE/IP mode by default
C. GRE encapsulates the original packet
D. The carrier protocol adds the delivery header
E. The IP header encapsulates the GRE header
Answer: B C
Explanation
By default, GRE tunnel operates in GRE/IP mode so the command “tunnel mode gre ip” command is not necessary -> B
is correct.
When the sending router decides to send a packet into the GRE tunnel, it will “wrap” the whole packet into another IP
packet with two headers: one is the GRE header, which is used to manage the tunnel itself. The other is called the “Delivery
header”, which includes the new source and destination IP addresses of the two virtual interfaces of the tunnel (called tunnel
interfaces). This process is called encapsulation -> C is correct.
Answer D seems to be correct but a bit unclear. If answer D said “GRE adds the delivery header” then it would be correct.
Answer E seems to be correct too but it said “The IP header encapsulates …” which is not totally correct. It should be
“The delivery header (not IP header) encapsulates the GRE header”.

Question 14 ***
When troubleshooting recursive routing issues with GRE tunnels, which three actions resolve the issue? (Choose three)
A. Add static routes …
B. Remove the network advertisements…
C. If using OSPF to peer across …
D. Change the tunnel source or destination interface
E. Remove the configuration on the tunnel interface and reconfigure
F. Perform shut and no shut commands on the tunnel interface
Answer: A B D
Question 15
Refer to the exhibit.

service password-encryption
!
line console
password a123124
!
line vty 0 4
password asdfasf12
login
transport input telnet

What will happen if client A telnet to this device?

A. Telnet will be successful
B. Telnet will fail
Answer: A
Explanation
With this configuration, we can telnet to this device (as there is a password under VTY lines).
Question 16 ***
Refer to the statement.

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message

Which statement indicates a cause for Tunnel0’s connection failure?


A. The tunnel source interface is in an up/down state and the tunnel destination is recursively routing as a result
B. The tunnel destination interface is flapping, which causes the tunnel to go up and down
C. The tunnel is configured with the wrong encapsulation
D. The tunnel destination is intermittently reachable via multiple routing protocols
Answer: D
Explanation
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the
generic routing encapsulation (GRE) tunnel router has discovered a recursive routing problem. This condition is usually
due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself
(recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network
So, in this question if there is an option with either of the conditions above please choose it. Otherwise answer D is the
best option.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html
Question 17
A network engineer has configured GRE between two IOS routers. The state of the tunnel interface is continuously
oscillating between up and down. What is the solution to this problem?
A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable
Answer: A
Question 18 ***

Which tunnel technology provides multicast, security and simplicity?
A. IPSec
B. GRE over IPSec
Answer: B
Question 19 ***
Which two conditions can be used to filter the output of debug crypto condition? (Choose two)
A. encryption algorithm
B. isakmp profile name
C. destination IP address
D. front door vrf name/instance
E. router event filter
Answer: B D
Question 20 ***
What are components of GRE packet? (Choose two)
A. GRE header
B. Payload packet
C.
D.
Answer: A B
Question 21 ***
What are properties of GRE? (Choose two)
A. Data encapsulation
B. Multicast support
Answer: A B
Question 22 ***
What are two requirements for GRE? (Choose two)
A. Protocol 47 should be allowed
B. Destination of the tunnel should be reachable
Answer: A B
Question 23
You see the following running config for user login.

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login ONLYLOCAL local
aaa authentication ppp default radius local
username xxx password xxx
line vty 0 4
password xxxxx

Which login method will be used first?

A. RADIUS
B. TACACS+
C. local
Answer: B
Explanation
If “line vty 0 4” is not configured with the ONLYLOCAL method list as follows:
line vty 0 4
login authentication ONLYLOCAL
Then this group would never be used for authentication. Only the default method list is used (which uses TACACS+ first
then enable password if TACACS+ fails to respond). So in this question the device will authenticate with the default
method list.
Question 24a ***
User was not able to login using telnet.

Router#show management-interface
Management interface FastEthernet0/0
Protocol Packets processed
ssh 0
snmp 0

What is the issue?

A. MPP applied on wrong interface
B. MPP does not allow telnet by default
C. MPP is not configured for telnet
D. ?
Answer: C
Explanation
According to the output above, we can conclude that MPP is enabled on Fa0/0 interface and only accepts SSH and SNMP
management protocols. In particular, MPP was configured with the following command:
Router(config)# control-plane host
Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html
As a result of this, other management traffic would be blocked, including Telnet traffic.
Question 24b ***
R1 is configured with MPP; f0/0 is configured to connect from the console. The client is able to log in on port 22 but not on port 23.

R1# show management-interface
Management interface FastEthernet0/0
SSH 42
FTP 147
HTTPs 68

A. MPP configured with only SSH
B. MPP does not allow SSH and telnet at the same time
C. MPP configured with SSH however telnet is not configured
D. ?

Answer: C
Question 25 ***
Which command will encrypt the enable password? (Choose two)
A. enable secret
B. service password-encryption
Answer: A (although in real life it should be B but in the exam they want answer A)
Question 26 ***
Which statements about extended ping are true? (Choose two)
A. You can use the datagram size option to set the size of the ping in bytes
B. You can use minimum and maximum TTL
C. You can select UDP destination port
D. You can use data pattern to troubleshoot framing error on serial lines
E. You can use the ToS bit to control fragmentation of the datagram
Answer: A D
Question 27 ***
Question about creating or generating a new crypto key.
Answer: crypto key generate rsa
Question 28 ***
How do you check the crypto public key?
A. show crypto session
B. show crypto map
C. show crypto key mypubkey rsa
D. ?
Answer: C
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 29 ***
Which alerts will be seen on the console by issuing logging console critical? (Choose three)
A. Emergency
B. Alert
C. Critical
D. Notification
E. Informational
Answer: A B C
Explanation
Syslog levels are listed below

Level Keyword Description

0 emergencies System is unusable

1 alerts Immediate action is needed

2 critical Critical conditions exist

3 errors Error conditions exist

4 warnings Warning conditions exist

5 notification Normal, but significant, conditions exist

6 informational Informational messages

7 debugging Debugging messages


The highest level is level 0 (emergencies). The lowest level is level 7. By default, the router will send informational
messages (level 6). That means it will send all the syslog messages from level 0 to 6.
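The severity filter described above, as an added example (not part of the original question bank): it parses the %FACILITY-SEVERITY-MNEMONIC header of IOS syslog lines and keeps only those that a given "logging console <keyword>" threshold would still display. The sample messages are constructed for the example; the facility and mnemonic names follow the IOS format but the events are made up.

```python
import re

# Severity keyword for each IOS syslog level, as listed in the table above.
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
# Reverse map so that "logging console <keyword>" can be resolved to a level;
# the singular "notification" used in the table is accepted as well.
LEVEL_BY_KEYWORD = {kw: lvl for lvl, kw in SEVERITY_KEYWORDS.items()}
LEVEL_BY_KEYWORD["notification"] = 5

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
HEADER_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def parse_severity(line):
    """Return (facility, severity, mnemonic) for an IOS syslog line, or None when the
    line carries no %FACILITY-SEVERITY-MNEMONIC header (for example raw debug text)."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    return m.group("facility"), int(m.group("severity")), m.group("mnemonic")


def console_filter(lines, threshold="informational"):
    """Return the lines that 'logging console <threshold>' would still display.
    A message passes when its severity number is less than or equal to the threshold
    level (0 is the most severe), which is why 'critical' (2) shows only emergencies,
    alerts and critical messages."""
    max_level = LEVEL_BY_KEYWORD[threshold]
    kept = []
    for line in lines:
        parsed = parse_severity(line)
        if parsed is not None and parsed[1] <= max_level:
            kept.append(line)
    return kept


# Constructed sample messages, one per level 0-6 plus a header-less debug line.
SAMPLE_LOG = [
    "*Mar  1 00:00:01.000: %ENVM-0-SHUTDOWN: Environmental monitor initiated shutdown",
    "*Mar  1 00:00:02.000: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization 95%",
    "*Mar  1 00:00:03.000: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed",
    "*Mar  1 00:00:04.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "*Mar  1 00:00:05.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10]",
    "*Mar  1 00:00:06.000: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing",
    "*Mar  1 00:00:07.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 started",
    "EIGRP: Received HELLO on Gi0/0 nbr 192.0.2.2",   # debug output, no severity header
]


def severities_shown(threshold):
    """The severity numbers that survive the filter for SAMPLE_LOG."""
    return [parse_severity(line)[1] for line in console_filter(SAMPLE_LOG, threshold)]


if __name__ == "__main__":
    for line in console_filter(SAMPLE_LOG, "critical"):
        print(line)
```

With the threshold set to "critical" only the level 0, 1 and 2 messages survive; the header-less EIGRP debug line is never matched because it has no severity field at all, which is the same reason debug output is controlled separately from the syslog threshold.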
Question 30 ***
Question about telnet: what should be done to make the router listen only on port 3033 rather than on 23?
A. add rotary 33
B. remove authentication login TTC
C. remove authorization exec TTC
D. remove transport input telnet
E. using access-lists
Answer: A
Explanation
Adjust the expected ssh listening port and assign that to a rotary group:
Router(config)#ip ssh port 3333 rotary 1
Apply the rotary group to your vty interface
Router(config)#line vty 0 4
Router(config-line)#rotary 1
Your router will now listen for ssh on port 3333 on these 5 vty ports.
Question 31 ***
Which two site-to-site technologies allows dynamic routing, private addressing and multicasting? (Choose two)
A. GRE
B. DMVPN
C. MPLS VPN
D. IPSec
Answer: A B
Question 32 ***
User is supposed to access between 6:00 PM to 6:00 AM.

ip access-list SWITCH_ACCESS time-range NOC_ACCESS
permit x.x.x.x
!
line vty 0 4
access-class SWITCH_ACCESS
!
time-range NOC_ACCESS
periodic daily 06:00 to 18:00
periodic daily 18:00 to 23:59
!
username NOC_ACCESS password xxxx

A.
time-range NOC_ACCESS
periodic daily 18:00 to 06:00
B.
time-range NOC_ACCESS
periodic daily 18:00 to 23:59
periodic daily 00:00 to 06:00
C.
time-range NOC_ACCESS
periodic daily 06:01 to 23:59
D.
time-range SWITCH_ACCESS
periodic daily 06:01 to 23:59
Answer: B
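To show why the exhibit's time-range lets the user in during the day and why the accepted answer needs two statements, here is an added evaluator (example code, not from the question bank) for "periodic daily HH:MM to HH:MM" statements. It treats each statement as a window inside one calendar day and rejects a window that would wrap past midnight; that treatment is an assumption of this example, chosen to mirror the split in answer B, not a statement about how IOS parses the command.

```python
from datetime import time


def parse_periodic(entry):
    """Parse one 'periodic daily HH:MM to HH:MM' statement into (start, end).
    Only the 'daily' form used in the question is handled, and each statement is
    treated as a same-day window (assumptions of this example)."""
    parts = entry.split()
    if len(parts) != 5 or parts[:2] != ["periodic", "daily"] or parts[3] != "to":
        raise ValueError(f"unsupported time-range statement: {entry!r}")
    start, end = time.fromisoformat(parts[2]), time.fromisoformat(parts[4])
    if end <= start:
        # 18:00 to 06:00 would have to wrap past midnight; reject it so the caller
        # sees why the accepted answer splits the window into two statements
        raise ValueError(f"window wraps midnight, split it in two: {entry!r}")
    return start, end


def validate(entries):
    """Return the parse errors for a time-range (empty list when it is well formed)."""
    errors = []
    for entry in entries:
        try:
            parse_periodic(entry)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def time_range_active(entries, now):
    """True when 'now' (a datetime.time) falls inside any periodic statement.
    Statements have minute granularity, so seconds are ignored; this makes
    'to 23:59' cover the whole last minute of the day."""
    now = now.replace(second=0, microsecond=0)
    return any(start <= now <= end for start, end in map(parse_periodic, entries))


def active_at(entries, hh, mm, ss=0):
    return time_range_active(entries, time(hh, mm, ss))


# The time-range from the exhibit (06:00-18:00 plus 18:00-23:59), answer B
# (18:00-23:59 plus 00:00-06:00) and answer A (a single wrapping window).
EXHIBIT = ["periodic daily 06:00 to 18:00", "periodic daily 18:00 to 23:59"]
OPTION_B = ["periodic daily 18:00 to 23:59", "periodic daily 00:00 to 06:00"]
OPTION_A = ["periodic daily 18:00 to 06:00"]


def compare(entries):
    """Access decision at three probe times: night shift, office hours, late evening."""
    return {t.strftime("%H:%M"): time_range_active(entries, t)
            for t in (time(3, 0), time(12, 0), time(20, 0))}


if __name__ == "__main__":
    print("exhibit :", compare(EXHIBIT))
    print("option B:", compare(OPTION_B))
    print("option A:", validate(OPTION_A))
```

The exhibit's configuration is active at 12:00 and inactive at 03:00, the opposite of the 6 PM to 6 AM requirement, while answer B is active at 03:00 and 20:00 and inactive at 12:00. Because the time-range is referenced by the access-class on the VTY lines, getting it wrong silently widens who can reach the device, so the probe-time check is worth running before such a change goes live.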
Question 33a ***
“show version” command output. – SSH not working. What is the issue?
# Check the configuration register, it is 0x2142.
A. IOS upgrade
B. ROM memory upgrade
C. incorrect Configuration register 0x2102
D. ?
Answer: C
Note: In this question you will be shown with the “show version” output on a router. Please check carefully if:
+ The “Configuration register” is set to 0x2142 or not. With this value the device will bypass the startup configuration
stored in NVRAM during its boot sequence
+ The IOS image is missing “k9” which is the security feature or not. If it is missing “k9” then we need to upgrade IOS so
that SSH can work. According to recent reports this is the correct answer.
Question 33b ***
A question with “show version” output. The register was 0x2102
A. IOS update
B. less memory
C. configuration register is wrong
D. need new boot ROM
Answer: A
Explanation
The IOS image is missing “k9” which is the security feature or not. If it is missing “k9” then we need to upgrade IOS so
that SSH can work. According to recent reports this is the correct answer.
Question 34 ***
Which routing protocols must be used for TLV and fast reroute? (Choose two)
A. ISIS
B. OSPF
C. EIGRP
D. RIP
E. RIPv2
Answer: A B
Explanation
Prerequisites for Loop-Free Alternate Fast Reroute
Any of the following protocols must be supported for Loop-Free Alternate Fast Reroute:
– Intermediate System-to-Intermediate System (IS-IS)
– Open Shortest Path First (OSPF)
While configuring ISIS protocol, ISIS network point-to-point must be configured.
Question 35 ***
Which system architecture allows GRE and IPSec to perform routing separately?
A. Server-client
B. peer-to-peer
C. Headend
D. Backend
Answer: C
Explanation
Headend System Architectures
The following two headend system architectures are described in this design guide:
+ Single Tier Headend Architecture – Incorporates both the p2p GRE and crypto functions onto a single routing
processor.
+ Dual Tier Headend Architecture – Splits the p2p GRE and crypto functions onto two different routing processors.
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html
Question 36 ***
Which technology supports dynamic routing and non-IP protocols?
A. Easy VPN
B. GET VPN
C. DMVPN
D. GRE
Answer: D
Question 37 ***
A question about extended traceroute (Choose two)
A. TTL can be modified
B. Can use strict IP header options
C. IP header options verbose allow you to specify the hops you want the packet to go through
D. ?
E. ?
Answer: A B
OR
Which two statements about traceroute are true? (Choose two)
A. It supports a variety of IP header options, including verbose
B. The DF bit is set by default
C. The TTL value can be set to 0
D. The default probe count for each TTL level is 3
E. Extended traceroute operation can use a modified data pattern
Answer: A D
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
+ Probe count: limits the number of traceroute
+ Port Number: troubleshoot TCP and UDP port
+ Source address: troubleshoot connections generated from specific interface
+ Max TTL: limits the number of hops a packet travel
+ Type of Service: troubleshoot QoS issues
Should read: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
OR
A question about extended traceroute (Choose two)
A. verbose mode
B. strict mode
C. changing TTL
D. changing IP Header option
E. ?
Answer: C D
Question 38a
Which options are correct about enable secret and enable password? (Choose two)
A. Enable secret and enable password cannot be configured same time
B. Enable password is difficult to decipher
C. Enable secret is difficult to decipher
D. Enable password is more preferable than enable secret
E. Enable secret is more preferable than enable password
Answer: C E
Question 38b
Which options are correct about enable secret and enable password? (Choose two)
A. Enable secret and enable password cannot be configured same time
B. Enable password is easy to decipher
C. Enable secret is easy to decipher
D. Enable password has higher preference than enable secret
E. Enable secret has higher preference than enable password
Answer: B E
Question 39
Which tunnel supports routing and multicasting?
A. DMVPN
B. GRE
C. IPSec
D. ?
Answer: B
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 40 ***
Drag and drop the sequence for configuring SSH in correct order.
A. ip ssh ver 2
B. ip domain-name cisco.com
C. crypto-key generate rsa
D. line vty 0 4
E. Transport input ssh
Transport input telnet
Answer: B -> C -> A -> D -> E
B. ip domain-name cisco.com
C. crypto-key generate rsa
A. ip ssh ver 2
D. line vty 0 4
E. Transport input ssh
Question 41 ***
Drag and drop about uRPF strict and loose mode
Option 1. Must have the source IP in routing table (IPv4 Source IP address must be the part of the routing table)
Option 2. Must have the same path back
Option 3. Supports asymmetric routing feature
Option 4. Can be used to configure on the inside interface of the Internet router
Option 5. Can be used to configure on the outside interface of the Internet router
Option 6. Supports symmetric routing feature
Answer:
Strict mode:
+ Must have the same path back
+ Can be used to configure on the inside interface of the Internet router
+ Supports symmetric routing feature
Loose mode:
+ Must have the source IP in routing table (IPv4 Source IP address must be the part of the routing table)
+ Can be used to configure on the outside interface of the Internet router
+ Supports asymmetric routing feature

Question 42 ***

Which protocol does mGRE use to send packets?
A. DMVPN
B. NHRP
C. OSPF
D. IPSec
Answer: B
Question 43
Which protocols are supported with MPP? (choose three)
A. HTTP only
B. HTTP and HTTPS
C. SSH
D. FTP
E. SFTP
F. TFTP
Answer: B C F
Explanation
The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces
on which network management packets are allowed to enter a device. The MPP feature allows a network operator to
designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a
device only through these management interfaces. After MPP is enabled, no interfaces except designated management
interfaces will accept network management traffic destined to the device.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html#wp1047623
Following are the management protocols that the management plane protection (MPP) feature supports. These
management protocols are also the only protocols affected when MPP is enabled.
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
+ HTTP
+ HTTPS
Reference: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-1/security/configuration/guide/syssec_cg41crs_chapter7.html#con_1013398
Question 44 ***
Which topologies are allowed with p2p GRE over IPsec? (Choose two)
A. Hub and Spoke
B. Partial mesh
C. Point to multipoint
D. Bus
E. Star
Answer: A B
Question 45 ***
Which keywords can be used with debug condition to filter output? (Choose two)
A. Username
B. Interface ID
C. Port number
D. Protocol
E. Packet Size
Answer: A B
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcndtr.html
Question 46
Given the output of show access-list, what can you do to fix SSH access?
Extended IP access-list 100
Deny tcp any any eq 22
Permit ip any any
Extended IP access-list 150
Permit tcp any any eq 23
Deny tcp any any eq 22
Permit ip any any
Extended IP access-list 175
Permit tcp any any eq 22
Permit tcp any any eq 23
Line vty 0 4
Access-class 100 in
Transport input ssh
A. Change access-class 100 in with access-class 150 in
B. Change transport input ssh with transport input telnet
C. Change access-class 100 in with access-class 100 out
D. Change access-class 100 in with access-class 175 in
Answer: D
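Both this question and the IPv6 sequence-number question (Question 12 above) come down to first-match evaluation in sequence order with an implicit deny at the end. The following added evaluator (example code, not from the question bank) parses the simplified entry forms used in both exhibits and replays them: the three IPv4 ACLs above against an SSH and a telnet session to the VTY, and the IPv6 ACL with the candidate fixes. The page's adb:2018::xx:1 style addresses are not parseable, so documentation-range stand-ins are constructed for client X, client Y and the terminal server, as are the management host and router addresses.

```python
import ipaddress

# Well-known port names that appear in the questions' ACL entries
PORT_NAMES = {"telnet": 23, "ssh": 22}


def parse_ace(text, seq=None):
    """Parse one simplified access-list entry, for example
    '10 permit tcp host 2001:db8::2 host 2001:db8::ff eq telnet' or 'permit ip any any'.
    Supported forms (all that the questions use): protocol ip or tcp, endpoints 'any' or
    'host <address>', optional 'eq <port|name>' on the destination. An entry without a
    leading number takes the sequence number passed in by the caller."""
    tokens = text.split()
    if tokens[0].isdigit():
        seq, tokens = int(tokens[0]), tokens[1:]
    if seq is None:
        raise ValueError(f"entry needs a sequence number: {text!r}")
    action, proto, rest = tokens[0].lower(), tokens[1].lower(), tokens[2:]

    def take_endpoint():
        nonlocal rest
        if rest[0].lower() == "any":
            rest = rest[1:]
            return None                      # None stands for "any"
        if rest[0].lower() == "host":
            addr, rest = ipaddress.ip_address(rest[1]), rest[2:]
            return addr
        raise ValueError(f"unsupported endpoint in {text!r}")

    src, dst = take_endpoint(), take_endpoint()
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1].lower()) or int(rest[1])
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(lines):
    """Build an ACL from entry strings; unnumbered entries get 10, 20, 30, ... in order."""
    return [parse_ace(line, seq=(i + 1) * 10) for i, line in enumerate(lines)]


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["src"] is not None and ace["src"] != pkt["src"]:
        return False
    if ace["dst"] is not None and ace["dst"] != pkt["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry in sequence-number order wins; the ACL ends with an implicit deny."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def packet(proto, src, dst, dport=None):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}


# The three ACLs from the exhibit above (entries lower-cased, sequence numbers 10, 20, 30)
ACL_100 = ["deny tcp any any eq 22", "permit ip any any"]
ACL_150 = ["permit tcp any any eq 23", "deny tcp any any eq 22", "permit ip any any"]
ACL_175 = ["permit tcp any any eq 22", "permit tcp any any eq 23"]
ROUTER = "192.0.2.1"            # constructed address of the router's VTY


def vty_decision(acl_lines, dport):
    """What 'access-class <acl> in' would do to an inbound session to ROUTER on dport."""
    pkt = packet("tcp", "198.51.100.9", ROUTER, dport)   # constructed management host
    return evaluate(parse_acl(acl_lines), pkt)


# Stand-ins for the IPv6 question (constructed): client X ::1, client Y ::2, server ff::1
CLIENT_X, CLIENT_Y, SERVER = "2001:db8:2018::1", "2001:db8:2018::2", "2001:db8:2018:ff::1"
ACL_V6 = [f"10 permit tcp host {CLIENT_Y} host {SERVER} eq telnet",
          f"20 deny tcp any host {SERVER} eq telnet"]


def client_x_telnet(acl_lines):
    return evaluate(parse_acl(acl_lines), packet("tcp", CLIENT_X, SERVER, 23))


if __name__ == "__main__":
    for name, acl in (("100", ACL_100), ("150", ACL_150), ("175", ACL_175)):
        print(f"access-class {name}: ssh={vty_decision(acl, 22)} telnet={vty_decision(acl, 23)}")
    fix = f"15 permit tcp host {CLIENT_X} host {SERVER} eq telnet"
    print("client X telnet:", client_x_telnet(ACL_V6), "-> with seq 15:", client_x_telnet(ACL_V6 + [fix]))
```

Only access-list 175 permits port 22, which is answer D here; for the IPv6 case, a permit for client X at sequence 15 lands before the deny at 20 and is honoured, while the same permit at sequence 25 is never reached, which is why answer B there depends on the sequence number and not just on the entry text.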
Question 47 ***
How will you troubleshoot OSPF adjacency issue? (Choose 2)
A. Using ‘debug ospf adj’ command on a router
B. Process ID on the routers should match
C. Router IDs should match
D. Using ‘debug ospf nsf’ command
E. Hello timers mismatch (or Subnets should match)
Answer: A E (in fact the correct answer on answer A should be “debug ip ospf adj”)
Question 48 ***
Which IPSec mode has the least overhead?
A. dynamic
B. transport
C. transparent
D. tunnel
Answer: B
Explanation
IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode encrypts only the data
portion (payload) of each packet and leaves the packet header untouched.
Tunnel mode is more secure than Transport mode because it encrypts both the payload and the header.
Reference: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
GRE IPsec tunnel mode consists of the following overhead:
ESP Overhead: 52 Bytes
GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes
Total Overhead: 52 + 24 = 76 Bytes
GRE IPsec transport mode consists of the following overhead:
ESP Overhead: 52 Bytes
GRE Overhead: 4 (GRE) = 4 Bytes
Total Overhead: 52 + 4 = 56 Bytes
Question 49
A question showing EIGRP logs similar to these. What do they indicate? (Choose two)
*Aug 1 13:09:38.896: EIGRP: received packet with MD5 authentication, key id = 1234
*Aug 1 13:09:38.896: EIGRP: Received HELLO on Gi0/0 – paklen 70 nbr 192.168.1.2
*Aug 1 13:09:38.897: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0
*Aug 1 13:09:38.898: EIGRP: Add Peer: Total 1 (3/0/0/0/0)
*Aug 1 13:09:38.898: K-value mismatch
*Aug 1 13:09:38.899: EIGRP: Sending TIDLIST on GigabitEthernet0/0 – 1 items0
*Aug 1 13:09:38.902: EIGRP: Sending HELLO on Gi0/0 – paklen 70
*Aug 1 13:09:38.903: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Aug 1 13:09:38.904: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.1.2 (GigabitEthernet0/0) is down:
K-value mismatch
R1#
*Aug 1 13:09:38.905: EIGRP: Lost Peer: Total 1 (2/0/0/0/0)
*Aug 1 13:09:39.894: EIGRP: Gi0/1: ignored packet from 192.168.2.3, opcode = 5 (missing authentication)
R1#
*Aug 1 13:09:40.204: EIGRP: Sending HELLO on Gi0/1 – paklen 60
*Aug 1 13:09:40.204: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
A. Hello Timers mismatches
B. Hold Timers mismatches
C. AS mismatches
D. Metric calculation mismatches
E. Authentication mismatches
Answer: D E
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 50 ***
Which two methods can be used to protect and secure the management plane from unwanted and unauthorized access? (Choose two)
A. Limit physical access to network devices
B. Use RADIUS instead of TACACS+ for AAA
C. Create an ACL to permit Telnet access only
D. Enable authentication for the routing protection
E. Use MPP to limit the interfaces on which management traffic can traverse the device
Answer: A E
Explanation
The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces
on which network management packets are allowed to enter a device. The MPP feature allows a network operator to
designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a
device only through these management interfaces. After MPP is enabled, no interfaces except designated management
interfaces will accept network management traffic destined to the device.
Question 51 ***
One router and a computer (exhibit) 192.168.10.0/24
You receive a timeout when you try to SSH to the router. Which layer is the first one you are going to look into for this
matter?
A. Physical
B. Datalink
C. Network
Answer: C
Question 52
When your network experiences Cisco Discovery Protocol and LLDP issues, with which layer of the OSI model must you
begin troubleshooting?
A. Physical layer
B. Datalink layer
C. Network layer
D. Transport layer
Answer: B
Question 53 ***
About password encryption in Cisco IOS software, which statement is true?
A. An encrypted type 7 user password indicates hashing with MD5
B. An encrypted type 7 user password indicates weak reversible encryption
C. You can choose to encrypt the enable secret password with weak reversible encryption or MD5
D. enable secret is more secure than enable password because the secret is stored in the configuration file as type 7
Answer: B
Explanation
Type 7 means the password is encrypted with a Vigenère cipher when the router stores it in the running/startup
configuration; any website offering type 7 reversal can crack it in less than one second.
Question 54 ***
Which two statements about GRE with IPsec tunnels are true? (Choose two)
A. The header overhead is reduced
B. Using a crypto map is the only way to encrypt a GRE tunnel
C. A crypto map requires an ACL that allows protocol 47
D. It supports hub-and-spoke topologies only
E. Traffic is first encapsulated by the tunnel, then encrypted
Answer: C E
Question 55 ***
Question referring to an exhibit: something with PIM, the tunnel flapping and the neighbor getting rejected, and Tunnel
1018 going down. (Choose two)
A. Tunnel interface is misconfigured
B. PIM neighbor is misconfigured
C. route neighbor 10.111.254.213 was removed
D. Route flapping and instability is occurring within the network
E. tunnel destination using tunnel itself
Answer: D E
Explanation
The tunnel destination must be the physical destination address of the other end of the tunnel. For example, in the
topology shown, the GRE tunnel must be configured as follows:
R1:
interface tunnel0
 ip address 12.12.12.1 255.255.255.252
 tunnel mode gre ip //this command can be ignored
 tunnel source 192.168.13.1
 tunnel destination 192.168.23.2
R2:
interface tunnel0
 ip address 12.12.12.2 255.255.255.252
 tunnel mode gre ip //this command can be ignored
 tunnel source 192.168.23.2
 tunnel destination 192.168.13.1
For R1, the tunnel destination must point to 192.168.23.2 (the physical IP address of the other end of the tunnel, not
12.12.12.2, which is the address of the tunnel interface itself).
Question 56
How do you make sure AAA will still allow you to login if TACACS fails?
(or Which command enables authenticated login if a TACACS+ failure occurs?)
A. aaa authentication login test group local tacacs+
B. aaa authentication login test group tacacs+ local
C. aaa authentication login test group radius local
D. aaa authentication ppp dialins group tacacs+ local
Answer: B
Question 57 ***
If you want to use GRE with IPsec, which mode is compatible with NAT traversal?
A. Enable MD5 mode
B. Enable SHA mode
C. Implement IPsec tunnel mode
D. Implement IPsec transport mode
Answer: C
Explanation
This is not officially written by Cisco, but it is the best we can find:
What is the difference between tunnel mode and transport mode?
The differences are as follows: tunnel mode is widely implemented in site-to-site VPN scenarios, while transport mode is
implemented for client-to-site VPN scenarios. Also, NAT traversal is supported with tunnel mode, while NAT traversal is
not supported with transport mode.
Reference: https://www.coursehero.com/file/p7qcduh/No-GRE-provides-a-stateless-private-connection-15-What-is-the-GRE-header-for-It/
Question 58 ***
You are troubleshooting uRPF loose mode at a client gateway router for networks that are not in the routing table. Which two conditions apply? (Choose two)
A. Dynamic routing is configured on the router
B. CEF is enabled on the router
C. allow-default is configured for loose mode
D. CEF is disabled on the router
E. Static Routing is configured on the router
Answer: B C
Question 59 ***
Which two statements about traceroute are true? (Choose two)
A. It supports a variety of IP header options, including verbose
B. The DF bit is set by default
C. The TTL value can be set to 0
D. The default probe count for each TTL level is 3
E. Extended traceroute operation can use a modified data pattern
Answer: A D
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 60 ***
The WAN link has a 1500-byte MTU. How do you configure the GRE tunnel so that packets do not get fragmented? (Choose three)
A. ip tcp path-mtu-discovery
B. ip mtu 1400
C. ip tcp adjust-mss 1360
D. tunnel mode gre ip
E. tunnel mode gre multipoint
Answer: B C and ?
Explanation
Since GRE is an encapsulating protocol, we adjust the maximum transmission unit (MTU) to 1400 bytes and the maximum
segment size (MSS) to 1360 bytes. Because most transport MTUs are 1500 bytes and GRE adds its own overhead, we must
reduce the MTU to account for that overhead. A setting of 1400 is common practice and keeps unnecessary packet
fragmentation to a minimum.
Question 61 ***
Which two ACL types can be used with IPv6 traffic filters? (Choose two)
A. tagged
B. standard
C. named
D. numbered
E. dynamic
Answer: A C
Explanation
Named and tagged ACLs are both supported in IPv6.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/xe-3s/ipv6-xe-36s-book/ip6-sec-trfltr-fw.html
Question 62 ***
Which two statements about time-based ACL are true? (Choose two)
A. It can use the router’s clock as the time source
B. Only extended ACL can use time ranges
C. It must be defined with an inspect name value
D. It requires NTP to be configured
E. Both standard & extended ACLs can use time ranges
Answer: A B
Question 63 ***
A GRE tunnel carrying IPv6 over IPv4 (Choose two).
Answer:
A. The tunnel source must be IPv4
B. IPv6 over IPv4
Question 64 ***
Which two statements about uRPF are true? (Choose two)
A. Supported with extended ACLs and time-based ACLs
B. Applied to the input interface only
C. Requires Cisco Express Forwarding to populate the FIB
D. It is an output function
E. It can mitigate asymmetric routing
Answer: B C
Question 65 ***
The GRE tunnel is up but the server or host cannot pass traffic through it. Which two things need to be fixed? (Choose two)
Answer:
A. Move R1 to global routing
B. Put R3 on VRF Red
Question 66
Which two protocols does the management plane protection feature support? (Choose two)
A. HTTPS
B. ARP
C. DNS
D. TFTP
E. DHCP
Answer: A D
Explanation
Following are the management protocols that the management plane protection (MPP) feature supports. These
management protocols are also the only protocols affected when MPP is enabled.
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
+ HTTP
+ HTTPS
Question 67
Which method should we use to troubleshoot DHCP issues?
A. divide and conquer
B. top-down
C. bottom-up
D. follow-the-path
Answer: C
Explanation
Let’s assume that you are researching a problem of a user that cannot browse a particular website and while you are
verifying the problem, you find that the user’s workstation is not even able to obtain an IP address through the DHCP
process. In this situation it is reasonable to suspect lower layers of the OSI model and take a bottom-up troubleshooting
approach.
Question 68 ***
A router knows one destination through EIGRP and two OSPF networks. Which two are the best ways to determine the path?
(Choose two)
A. show ip eigrp topology
B. show ip ospf database
C. traceroute
D. ping
E. show ip route
Answer: C E
Question 69 ***
Which two statements about ping & traceroute are true? (Choose two)
A. ping only uses ICMP
B. only ping has a TTL
C. to determine if a host is reachable, traceroute is better than ping
D. traceroute uses UDP datagrams and ICMP
E. ping uses TCP and ICMP
Answer: A D
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 70
What is the common protocol for ping and traceroute?
A. ICMP
B. PIM
C. IGMP
D. IP
Answer: A
Question 71 ***
Which two options about GRE keepalives are true? (Choose two)
A. enabled by default
B. supported on point-to-point GRE tunnel interfaces
C. supported on point-to-multipoint mGRE
D. supports broadcast
E. supported in VRFs only if the fVRF and iVRF match
F. supports broadcast and multicast
Answer: B E
Explanation
GRE tunnel keepalives are only supported on point-to-point GRE tunnels. Tunnel keepalives are configurable on
multipoint GRE (mGRE) tunnels but have no effect.
GRE keepalives are not supported together with IPsec tunnel protection under any circumstances.
In general, tunnel keepalives will not work when VRFs are used on the tunnel interface and the fVRF (‘tunnel vrf …’)
and iVRF (‘ip vrf forwarding …’ on tunnel interface) do not match.
Good reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-00.html
Question 72 ***
When a user is changing the configuration of a router, which plane is affected?
A. Data
B. Management
C. Control
D. Forwarding
Answer: B
Question 73
A user is able to log into the switch but cannot go to the global config mode. What needs to be done?
A. change authorization level
B. change accounting
C. change authentication
D. create username and password
Answer: A
Question 74 ***
Which troubleshooting method is used when we troubleshoot a spanning tree issue for any VLAN?
A. divide and conquer
B. top-down
C. bottom-up
D. follow-the-path
Answer: D
Question 75 ***
D&D Question on Extended Ping
Answer:
Tos – …quality of service
Df-bit – prevent packets from being segmented or broken up
Data pattern – detect framing errors
Hop count – verify routing metrics
Reply – verify reachability
OR
data pattern — troubleshoot framing errors
df-bit — enable do not fragment bit in IP header
source — specify source address or name
tos — specify type of service value
validate — validate reply data
Question 76 ***
Which two statements about IPv6 traffic filtering are true? (Choose two)
A. needs to be enabled at the interface level
B. needs to be enabled with egress ACL only
C. needs to be enabled with ingress ACL only
D. It performs virtual fragmentation reassembly after checking ingress ACL
E. It performs virtual fragmentation reassembly after checking egress ACLs
Answer: A D
Question 77 ***
There was also a question about GRE tunnels, with options about whether it supports multicast, broadcast traffic, or only
broadcast, and some other options; we needed to choose 2 correct ones.
A. GRE supports broadcast and multicast
B. GRE tunnels broadcast traffic
C. GRE is a non-tunneling VPN technology
D. Option about IPSec
Answer: A B
Question 78 ***
Question about authentication (TACACS/local) based on a piece of AAA configuration, and what the result will be with
this configuration: it either checks the local database first or it only authenticates the 2 listed users.
A. It will check TACACS authentication but skip it for the two users created locally
B. aaa new-model not used and hence the policy will not be applied.
C. aaa not used, hence the policy will not be applied
D. Part of the script is rejected
and one more option
Answer:
1. The aaa new-model command is not in the script; hence the script will not work
2. Part of the script is rejected (as 2 local usernames and passwords are there)
Question 79 ***
Drag and drop question related to Tunnel GRE. What are the required configurations and what are optional?
Answer:
Required:
+ Tunnel destination IP
+ Tunnel Original IP
+ Tunnel IP
Optional:
+ TCP MSS
+ Tunnel key
+ Tunnel mode
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 80 ***
In which troubleshooting approach do you start from the middle of the OSI layer stack and then go either up or down
the layers for further troubleshooting?
A. Bottom-up
B. Top-down
C. Divide-and-conquer
D. Follow-the-path
Answer: C
Question 81 ***
Which two things should you check while troubleshooting uRPF? (Choose two)
A. uRPF enabled on the interface
B. uRPF enabled globally
C. CEF disabled
D. CEF enabled globally
E. Strict or loose mode configured globally
Answer: A D
Question 82a
Which access-list allows SSH access from network 10.10.15.0/24?
A. access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 21
B. access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 23
C. access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 22
D. access-list 142 permit tcp 10.10.15.0 0.0.0.0 any eq 22
Answer: C
Question 82b ***
Securing the control plane on R1, connected via SSH to the network 10.10.0.0/16. Choose the right answers and place
them in the right configuration order. Not all options will be used.
Answer:
Sequence 1:
access-list X permit tcp 10.10.0.0/16 eq 22 any established
access-list X permit tcp 10.10.0.0/16 any eq 22
Sequence 2:
class-map match-all SSH
 match access-group X
Sequence 3:
policy-map Y
 class SSH
Sequence 4:
control-plane
 service-policy input Y
Question 83 ***
What could be the reason for a GRE tunnel interface being in the up/down state? (Choose two)
A. GRE tunnel mode is set to transport mode
B. Tunnel source is in down state
C. Route to tunnel destination points to tunnel interface itself
Answer: B C
Question 84
Which are valid AAA authentication methods? (Choose two)
A. Line
B. Krb6
C. LDAP
D. Local
E. Blowfish
Answer: A D
Question 85
Refer to the exhibit.
Which commands are required to set up a GRE tunnel between R2 and R3? (Choose two)
A.
R2:
interface tunnel 1
ip address 10.1.1.1 255.255.255.252
tunnel source 192.168.1.1
tunnel destination 192.168.2.3
B.
R3:
interface tunnel 1
ip address 10.1.1.2 255.255.255.252
tunnel source g0/0
tunnel destination 192.168.1.1
Answer: A B
Question 86 ***
While troubleshooting you noticed ‘***’ in the output of the traceroute command. What is the reason for that?
Answer: The probe timed out.
Question 87 *** ???
Drag drop question about MPP.
Answer:
Constructing the CoPP Policy
For CoPP policy construction, several steps are required to create the MQC classification and policing functions. These
include: access-list construction, class-map construction, and finally, policy-map construction.
Question 88
Drag and drop question about four valid debug commands on a switch (Choose four)
A. debug hsrp
B. debug glbp errors
C. debug ip igmp snooping
D. debug ip interface route-cache
E. debug spanning-tree mstp init
Answer: B C D E
Question 89
Drag and drop question. Choose the headers and place them in the right order as seen when monitoring a GRE packet.
A. Destination tunnel IP header
B. Source tunnel IP header
C. GRE header
D. Original destination IP header
E. Original source IP header
F. Data
Answer: B -> C -> E -> F
B. Source tunnel IP header
C. GRE header
E. Original source IP header
F. Data
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 90
GRE Tunnel Drag and Drop. Which fields are optional and mandatory in a GRE header?

Answer:
Mandatory: Reserved0, Version, Protocol Type
Optional: Checksum, Key, Sequence Number
Question 91
GRE tunnel Header. Which one is standard, which one is extended?
Answer:
Standard Header: Checksum, Reserved0, Version, Protocol Type
Extended Header: Sequence Number, Key

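As an added example (not from the question bank or from Cisco), here is a Python encoder and parser for the GRE header that Questions 89 to 91 are about, which also derives the per-packet overhead behind the MTU and MSS figures in Questions 48 and 60. It separates the mandatory fields (Reserved0, Version, Protocol Type) from the optional ones (Checksum, Key, Sequence Number), verifies the optional checksum, and computes the largest inner packet that crosses a given WAN MTU unfragmented; the sample packet is constructed, and the 1476-byte result for a plain header over a 1500-byte link matches the default IP MTU that IOS assigns to a GRE tunnel interface.

```python
import struct
from dataclasses import dataclass
from typing import Optional
IPV4_HDR_LEN = 20                          # outer delivery IPv4 header, no options
FLAG_C, FLAG_K, FLAG_S = 0x80, 0x20, 0x10  # checksum / key / sequence-number present

@dataclass
class GreHeader:
    version: int             # mandatory; 0 for plain GRE (RFC 2784)
    protocol_type: int       # mandatory; EtherType of the payload, 0x0800 = IPv4
    checksum: Optional[int]  # optional, present only when the C bit is set
    key: Optional[int]       # optional (RFC 2890), present only when the K bit is set
    sequence: Optional[int]  # optional (RFC 2890), present only when the S bit is set
    header_len: int          # 4-byte base header plus 4 bytes per optional field

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet-checksum arithmetic over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_gre(payload: bytes, proto: int = 0x0800, key: Optional[int] = None,
              seq: Optional[int] = None, checksum: bool = False) -> bytes:
    """Prepend a GRE header; the optional checksum covers header plus payload."""
    flags = ((FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
             | (FLAG_S if seq is not None else 0))
    hdr = struct.pack("!BBH", flags, 0, proto)   # flags, Reserved0/Version, Protocol Type
    if checksum:
        hdr += b"\x00\x00\x00\x00"               # checksum placeholder + Reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if checksum:
        csum = 0xFFFF ^ ones_complement_sum(hdr + payload)
        hdr = hdr[:4] + struct.pack("!H", csum) + hdr[6:]
    return hdr + payload

def parse_gre(buf: bytes) -> GreHeader:
    """Decode the fixed header and whichever optional fields the flag bits announce."""
    flags, ver, proto = struct.unpack_from("!BBH", buf, 0)
    if (ver & 0x07) != 0:
        raise ValueError("only GRE version 0 is handled here")
    off, checksum, key, seq = 4, None, None, None
    if flags & FLAG_C:                         # checksum (16 bits) + Reserved1 (16 bits)
        checksum, off = struct.unpack_from("!H", buf, off)[0], off + 4
    if flags & FLAG_K:
        key, off = struct.unpack_from("!I", buf, off)[0], off + 4
    if flags & FLAG_S:
        seq, off = struct.unpack_from("!I", buf, off)[0], off + 4
    return GreHeader(ver & 0x07, proto, checksum, key, seq, off)

def checksum_ok(buf: bytes) -> bool:
    # True when no checksum is carried, or when the carried one verifies
    return not (buf[0] & FLAG_C) or ones_complement_sum(buf) == 0xFFFF

def gre_over_ipv4_overhead(hdr: GreHeader) -> int:
    # bytes added to each packet: 20 (outer IP) + 4 (GRE) = 24 with no options
    return IPV4_HDR_LEN + hdr.header_len

def inner_mtu(wan_mtu: int, hdr: GreHeader) -> int:
    # largest inner packet that crosses the WAN MTU without fragmentation
    return wan_mtu - gre_over_ipv4_overhead(hdr)

# Constructed sample: keyed, checksummed GRE header in front of a 4-byte IPv4 stub.
SAMPLE = build_gre(b"\x45\x00\x00\x14", key=0x1234, checksum=True)
```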
Question 92
What IP header option fields can you modify in an extended ping? (Choose three)

A. Value
B. Strict
C. Record
D. Timestamp
E. Timeout
Answer: B C D
Explanation
All of these can be modified: protocol, IP destination address, repeat count, Datagram size, Timeout, source
address/interface, type of service, DF bit, Validate reply data, Data pattern, Loose, Strict, Record, Timestamp, Verbose,
Sweep range of sizes.
Question 93
Select the valid tunnel modes (Choose four)

A. GRE
B. 6to4
C. ISATAP
D. NHRP
E. IPv6IP
F. mGRE
Answer: A B C E
Question 94
Associate debug and show commands with what they do (7 options)

Answer:
debug ip mpacket <-> multicast packet
debug standby errors <-> HSRP issues
debug ip packet <-> All IPv4 information
debug ipv6 packet <-> All IPv6 information
debug vlan <-> 802.1q troubleshoot
debug ip cef <-> hardware forwarding
Question 95
Extended traceroute drag and drop. Which troubleshooting function does each extended traceroute option provide?
+ Probe count <-> limits the number of traceroute probes
+ Port Number <-> troubleshoot TCP and UDP ports
+ Source address <-> troubleshoot connections generated from a specific interface
+ Max TTL <-> limits the number of hops a packet travels
+ Type of Service <-> troubleshoot QoS issues

********************************************** END **********************************************