Beruflich Dokumente
Kultur Dokumente
Question 1
Which configuration command is used to add an IPv6 ACL to an interface?
A. ipv6 access-class (in/out)
B. ipv6 traffic-filter (in/out)
C. ip access-class (in/out)
D. ip accesss-group (in/out)
Answer: B
Question 2
Refer to the exhibit.
Answer:
1. Check PoE
2. Check VLAN
3. Change DHCP gateway with option 150
4. Check image file from TFTP server
Question 6
Console session is being closed by a network device; how can this be solved?
A. Apply exec-timeout 0 0 in line console 0
B. Modify exec-timeout in line vty 0 15
C. Change banner motd
Answer: A
Explanation
By default, an IOS device will disconnect a console or VTY user after 10 minutes of inactivity. You can specify a
different inactivity timer using the exec-timeout MINUTES SECONDS line mode command.
For example, to disconnect a console user after 90 seconds of inactivity, we can use the following command:
R1(config)#line con 0
R1(config-line)#exec-timeout 1 30
To prevent Telnet (or SSH) sessions from timing out, use the value of 0 (exec-timeout 0 0)
Question 7
Which sequence allows the communication from router to another router via ssh.
A. 60 permit tcp host xxxx host yyyy eq 22
B. 50 permit tcp host xxxx host yyyy eq 21
C. ?
D. ?
Answer: A
Question 8
Why do clients frequently lose connection at the remote site? (Exhibit of tunnel gre and outputs from devices)
A. recursive routing
B. static route
C. ACL
D. RIP summarization
Answer: A
Question 9 ***
When is uRPF desired to be applied using loose-mode for security reasons?
A. Asymmetric
B. PIMv2
Answer: A
Question 10 ***
Two switches asking why DTP isn’t working one switch GigabitEthernet, other FastEthernet?
A. Because of a speed issue
B. Different VTP domains
C. SWA has a FastEthernet port
D. Because of dynamic desirable mode
Answer: B
Question 11
Drag drop question about GRE tunnel. GRE tunnel is missing configuration between R1 and R2.
R1: R2:
interface s0/0/0 interface s0/0/0
ip address 10.1.1.1 255.255.255.0 ip address 10.1.2.1 255.255.255.0
interface tunnel0 interface tunnel0
ip address 192.168.1.1 255.255.255.0 ip address 192.168.1.2 255.255.255.0
Which configuration will complete the configuration on R1 & R2? (Choose two)
A. R1
source 10.1.1.1
destination 10.1.2.1
B. R1
source 10.1.2.1
destination 10.1.1.1
C. R2
source 10.1.2.1
destination 10.1.1.1
D. R2
source 10.1.1.1
destination 10.1.2.1
Answer: A C
===================== Multiple-Choice Questions (updated on 27th-Sep-2019) ======================
Question 12
Refer to the statement.
A. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/17/47)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/17/47)
B. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)
C. local ident(addr/mask/prot/port):(209.165.201.6/255.255.255.255/47/0)
remote ident(addr/mask/prot/port):(209.165.201.2/255.255.255.255/47/0)
D. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/47/0)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/47/0)
Answer: B
Explanation
The line “local ident (addr/mask/prot/port)” means local selector that is used for encryption and decryption.
The answer of this question is based on the ACL applied. Thanks Shaunthesheep for sharing this:
VPN Tunnel can be established using IPSec or IPSec+GRE. The configuration requires to define a Crypto map which
refers to an ACL for Interesting traffic or the traffic to be encrypted. Look for the values in the ACL. e.g.
1) permit gre any any —> Answer will be both local and remote indent address entries as 0 and 47 in the protocol field.
Like this :
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prqwot/port): (0.0.0.0/0.0.0.0/47/0)
2) Permit ip any any —> Answer will be both local and remote indent address entries as 0 and 0 in the protocol field.
Like this :
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prqwot/port): (0.0.0.0/0.0.0.0/0/0)
3) Permit ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255 —> Answer will be both local and remote indent address entries as in
ACL and 0 in the protocol field. Like this :
local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
Update: We cannot explain why all fields are “0” here but our candidates got full mark so please choose it.
Question 15
What should be the next step after the problem is solved?
A. document it
B. knowledge transfer
C. result analysis
D. create an action plan
Answer: A
Explanation
Cisco has broken this process into eight steps:
1. Define the problem.
2. Gather detailed information.
3. Consider probable cause for the failure.
4. Devise a plan to solve the problem.
5. Implement the plan.
6. Observe the results of the implementation.
7. Repeat the process if the plan does not resolve the problem.
8. Document the changes made to solve the problem.
Although some online document does not mention about step 8 (document the changes) (like the
link http://www.ciscopress.com/articles/article.asp?p=1578504&seqNum=2) but this step is very important so that
repeated issue can be solved quickly in the future.
Question 16
This question have 3 router (R1,R2,R3), (R1_fa0/0====fa0/0_R2_fa0/1====fa0/1_R3) and have loopback, acl for each a
router. Loopback from R1 can’t ping loopback of R3 (192.168.254.1/24). An ACL is configured on R3 that only permits
192.168.0.0 0.0.0.255. What changes need to occur so R1 can ping R3 loopback?
A.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.0.255
B.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.255.255
C.
ip access-list extended 101
no 100
Answer: B
(Modify access-list, no entry 30 and re-add it changing the netmask to 192.168.0.0 0.0.255.255)
Question 17
A topology with three routers R1, R2 and R3 connected to each other and a list of ACL statements to choose. The
question asks which sequence number prevented connection from R1 to R2 via SSH.
R1 Lo0: x:x::1
R2 Lo0: y:y::2
R3 Lo0: z:z::3
A.20 deny tcp x:x::/64 host y:y::2 eq 22
B. 30 permit host y:y::2 tcp x:x:::/64 eq 22
C. 40 permit tcp x:x::/64 host y:y::2 eq 23
Answer: A
Question 18
Refer to the exhibit.
interface Serial0/1/0
ip address 10.12.13.3 255.255.255.0
ip verify unicast source reachable-via any
ip ospf 1 area 0
!
interface serial0/2/0
ip address 10.12.23.3 255.255.255.0
ip verify unicast source reachable-via any
ip ospf 1 area 0
R3#sh ip route
[output omitted]
interface Tunnel0
description Tunnel to Main Office
ip address 192.168.1.1 255.255.255.252
tunnel source 209.165.200.225
tunnel destination 209.165.202.129
tunnel path-mtu-discovery
A remote office was recently connected to the main office by using a GRE tunnel. Path MTU Discovery (PMTUD) is
enabled on the tunnel interface. End users at the remote office report having issues accessing a file sever in the main
office. PMTUD is not working, what is the issue?
R1#show management-interface
Management interface GigabitEthernet0/2
Protocol Packets processed
http 0
https 10
Management interface GigabitEthernet0/3
Protocol Packets processed
http 0
ssh 10
snmp 1110
The organization has implemented Management Plane Protection. Headquarters has decided that FTP needs to be enabled
on all management ports. Which configuration context must be modified to accomplish this configuration?
A. Policy-map
B. Control-plane
C. Access-list
D. Class-map
Answer: B
====================New Multiple Choice Questions (updated on 4th-Aug-2019)=====================
Question 24
Which protocol can be added into MPP? (Choose two)
A. telnet
B. scp
C. tftp
D. smtp
Answer: A C
Explanation
Following are the management protocols that the MPP feature supports. These management protocols are also the only
protocols affected when MPP is enabled.
+ Blocks Extensible Exchange Protocol (BEEP)
+ FTP
+ HTTP
+ HTTPS
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html
Question 25 ***
OSPF neighbor not forming. Exhibit shows DBD packets are being re-transmitted to the neighbor. Debug shows that
Exstart state to Down. What is the reason?
A. MTU mismatch
B. The router did not receive a Hello packet
C. OSPF is not running on the other router
D. The packet does not have RID
Answer: A
Explanation
After two OSPF neighboring routers establish bi-directional communication and complete DR/BDR election (on multi-
access networks), the routers transition to the exstart state. In this state, the neighboring routers establish a master/slave
relationship and determine the initial database descriptor (DBD) sequence number to use while exchanging DBD packets.
Neighbors Stuck in Exstart/Exchange State
The problem occurs most frequently when attempting to run OSPF between a Cisco router and another vendor’s router.
The problem occurs when the maximum transmission unit (MTU) settings for neighboring router interfaces don’t match.
If the router with the higher MTU sends a packet larger that the MTU set on the neighboring router, the neighboring
router ignores the packet.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-12.html
Question 26 ***
When troubleshoot a connection to a Point-to-Point Tunneling Protocol server behind a NAT router, which two filters
should be used to capture all traffic related to the Point-to-Point Tunneling Protocol? (Choose two)
A. UDP port 500
B. protocol ESP (or protocol 50)
C. TCP port 47
D. protocol 47
E. TCP port 1723
Answer: D E
Explanation
The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote
client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into
IP datagrams for transmission over the Internet or other public TCP/IP-based networks.
PPTP establishes a tunnel for each communicating PPTP network server (PNS)-PPTP Access Concentrator (PAC) pair.
After the tunnel is set up, PPP packets are exchanged using enhanced generic routing encapsulation (GRE). A call ID
present in the GRE header indicates the session to which a particular PPP packet belongs.
Network Address Translation (NAT) translates only the IP address and the port number of a PPTP message. Static and
dynamic NAT configurations work with PPTP without the requirement of the PPTP application layer gateway (ALG).
However, Port Address Translation (PAT) configuration requires the PPTP ALG to parse the PPTP header and facilitate
the translation of call IDs in PPTP control packets. NAT then parses the GRE header and translates call IDs for PPTP data
sessions. The PPTP ALG does not translate any embedded IP address in the PPTP payload. The PPTP ALG is enabled by
default when NAT is configured.
NAT recognizes PPTP packets that arrive on the default TCP port, 1723, and invokes the PPTP ALG to parse control
packets. NAT translates the call ID parsed by the PPTP ALG by assigning a global address or port number. Based on the
client and server call IDs, NAT creates two doors based on the request of the PPTP ALG. ( A door is created when there
is insufficient information to create a complete NAT-session entry. A door contains information about the source IP
address and the destination IP address and port.) Two NAT sessions are created (one with the server call ID and the other
with the client call ID) for two-way data communication between the client and server. NAT translates the GRE packet
header for data packets that complies with RFC 2673.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book/iadnat-
pptp-pat.html
Question 27
The user was able to access the router via line vty 5 min ago. But he is no longer able to log in now. No change in the
network. What is the issue?
A. exec-timeout 0 0
B. the VTY lines are at capacity
C. SSH is not configured
D. Console line is in use by someone else
Answer: B
Question 28
Drag drop question about debug commands.
Answer:
Debug condition standby -> display debug messages related to HSRP
Debug condition glbp -> displays debug messages from virtual MAC address 0007.b400.0101
Debug aaa authentication -> displays debug messages related to determine the users’ identity
Debug aaa authorization -> displays debug messages related to determine the users’ permissions
Question 29 ***
The command “ip verify unicast source reachable-via any” is configured on the interface. Router received with source
IP address 172.16.100.10. Routing table shows a valid route to 172.16.100.0/24 is learned via OSPF.
There is a null static route to 172.16.0.0/16.
Question is what the router will do that packet?
A. The packet is dropped
B. The packet is allowed to route to the destination
Answer: B
Explanation
Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it matches with the
interface used to reach this source IP then the packets are allowed to enter (strict mode).
The syntax of configuring uRPF in interface mode is:
The any option enables a Loose Mode uRPF on the router. This mode allows the router to reach the source address via
any interface.
The rx option enables a Strict Mode uRPF on the router. This mode ensures that the router reaches the source address
only via the interface on which the packet was receive.
In this case the router was configured with uRPF in loose mode.
Question 30
After applying below config on one router, OTHER router started showing authentication errors (you will see output log
with errors).
Applied configuration:
Standby group 100
Standby 100 vip 172.x.x.x
Standby 100 md5 authentictaion cisco123!
What is likely the cause?
A. Configure “standby 100 authentication md5 key-string cisco123!” on both routers
B. Configure “standby 100 authentication text cisco123!” on both routers
C. Configure the aaa authentication login default group standby enable command
D. Configure the aaa authentication login default group 100 enable command
Answer: A
Question 31
High CPU utilization of the router. How to display the lines including a process name or beginning with CPU from show
proc cpu output.
A. show proc cpu | include process_name | begin CPU
B. show proc cpu | include process_name |$CPU
C. show xxx | include process_name |^CPU
Answer: C
Explanation
Below is an example of the “show process cpu” output:
Question 33
Refer to the exhibit about GRE tunnel0 interface:
There is a time-range acl but the query is to resolve a ping issue from interface eth0/0 to a host on 172.16.10.100 with an
ACL line. The ACL is applied inbound of the router. The question asks what ACL line needs to be added in order to
allow ping access from the local router to server 172.16.10.100.
A. access-list 101 permit icmp host 172.16.10.100 10.1.1.0 0.0.0.15
B. access-list 101 permit icmp host 172.16.10.100 10.1.1.x 0.0.0.3
C. access-list 101 permit icmp 10.1.1.0 0.0.0.15 172.16.10.100 0.0.0.255
D. access-list 101 permit icmp 10.1.1.0 0.0.0.255 host 172.16.10.100
E. access-list 101 permit icmp host 172.16.10.100 10.1.1.0 0.0.0.31
Answer: E
Explanation
This ACL was applied to the inbound direction of e0/0 interface so we need to permit the ICMP reply packet to go
through. Therefore, the source IP address must be the server IP address and the destination IP address range must cover
the e0/0 interface IP address. In this case only answer E with the destination wildcard mask of 0.0.0.31 covers 10.1.1.25
so it is the correct answer. Notice that answer A has similar solution but its wildcard mask of 0.0.0.15 does not cover
10.1.1.25.
==================== New Multiple-Choice Questions (updated on 3rd-Jun-2019) ====================
Question 36 ***
Drag drop question about IPSec.
Answer:
+ show crypto isakmp sa detail: Verify the current SA lifetime and the time for next renegotiation
+ show cryto ipsec sa peer: Verify traffic flows in only one direction
+ show ip eigrp neighbor: Verify that routing protocol neighbor is established
+ debug crypto isakmp: Verify that the spoke router is sending udp 500 packet
Explanation
1. An example about the output of the “show crypto isakmp sa detail” is shown below:
2. Verify whether the traffic flows in only one direction
The VPN tunnel between the spoke-to-spoke router is up, but unable to pass data traffic. The following sample output is
from the “show crypto ipsec sa peer” command:
There is no decap packets in Spoke1, which means esp packets are dropped somewhere in the path return from Spoke2
towards spoke1.
The Spoke2 router shows both encap and decap, which means that ESP traffic is filtered before reaching Spoke2. It may
happen at the ISP end at Spoke2 or at any firewall in path between Spoke2 router and Spoke1 router. After allowing ESP
(IP Protocol 50), Spoke1 and Spoke2 both show encaps and decaps counters are incrementing.
Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-
troubleshoot-00.html#verifyonedirection
4. Further, check debug crypto isakmp to verify that the spoke router is sending udp 500 packet:
The above debug output shows spoke router is sending udp 500 packet in every 10 seconds.
Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-
troubleshoot-00.html
Question 37
Refer to the exhibit. Which hashing method is being used for the enable secret?
A. sha1
B. sha256
C. scrypt
D. md5
Answer: B
Explanation
To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted string
in the configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the digit is a 5,
the password has been hashed using the stronger MD5 algorithm.
Note:
+ Type 5: MD5
+ Type 8: sha256
+ Type 9: scrypt
Question 38 ***
Refer to the exhibit. PCB could not ping PCA. The admin has logged into each switch, starting from SW1 and ending
with SW2 and has examined the links between each. Which troubleshooting method has been used?
A. top down
B. follow the path
C. bottom up
D. divide and conquer
Answer: B
Question 39 ***
Drag drop question about GRE characteristics (Overlay and Underlay Network).
Answer:
Overlay network:
+ de-encapsulates the tunnel header before routing
+ Virtual tunnel network
Underlay network:
+ Physical network
+ MTU must be increased to avoid fragmentation
Unused option: Must use IPv6 as the Layer 3 protocol
Explanation
The core routers are known as the underlay network. This is responsible for taking GRE packets and transporting them
from one side of the network to the other. The tunnel itself is the overlay network. Packets passing through the overlay
network are unaware of the routers in the underlay.
Question 40 ***
Drag the GRE tunnel state from the left onto the correct description on the right.
Answer:
Match the various tunnel states to the corresponding description.
Up/up ----------------- traffic is flowing across the tunnel
Up/down ------------- the shutdown command has been issued on the physical interface
Down/down --------- the shutdown command has been issued on the tunnel interface
Reset/up -------------- transient state where the next hop server is its own ip address
Explanation
Four Different Tunnel States
There are four possible states in which a GRE tunnel interface can be:
+ Up/up – This implies that the tunnel is fully functional and passes traffic. It is both administratively up and it’s protocol
is up as well.
+ Administratively down/down – This implies that the interface has been administratively shut down.
+ Up/down – This implies that, even though the tunnel is administratively up, something causes the line protocol on the
interface to be down.
+ Reset/down – This is usually a transient state when the tunnel is reset by software. This usually happens when the
tunnel is misconfigured with a Next Hop Server (NHS) that is its own IP address.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-
00.html
Question 41a ***
Refer to the exhibit.
User tries to connect to line vty 0 with username Cisco and password “Cisco123” while TACACS server is
unreachable. What happens?
A. The user will be authenticated after the TACACS server fallback timer expires
B. The user will not be authenticated because the username is incorrect
C. The user will not be authenticated because the TACACS server is unreachable
D. The user will not be authenticated because the password is incorrect
Answer: D
Explanation
With this config, when the user tries to connect to line vty 0, the line password (which is “CiscoCisco”) must be used to
authenticate. The TACACS server would never been used unless we remove the “login authentication LOCAL-VTY”
statement (as the first aaa command “aaa authentication login default group tacacs+ local-case line” would be used for all
VTY, console, AUX line because of the “default” group).
Question 42b ***
Refer to the exhibit.
username cisco password 123456
aaa authentication login default local-case
Client try to connect with this command: ssh -l Cisco 123456. Why he can reach the destination
A. bad password
B. bad username
C. ?
D. ?
Answer: B
Explanation
The keyword “local-case” is used in the authentication so the username is case-sensitive and we can to write the username
exactly.
Question 43 ***
Refer to the exhibit. Why can’t a user SCP to a server at 172.16.1.200 on Monday at 11:00 pm?
R1#traceroute 3.3.3.3
…
1 10.10.10.2 18msec
2 10.10.10.5 !A
…
!A
A. Redistribution of connected routes into OSPF in not configuration
B. An ACL applied inbound on fa0/1 of R3 is dropping the traffic
C. An ACL applied inbound on loopback0 of R2 is dropping the traffic
D. The loopback on R3 is in a shutdown state
Answer: B
Explanation
The !A is the response that indicates that you received a response of Administratively Prohibited. This is the result when
the traceroute is denied by an access list.
Note: The OSPF process ID is just locally significant but R2 is using two different OSPF process IDs (#1 and #2) so they
should be redistributed into each other like this:
router ospf 1
redistribute ospf 2 subnets
router ospf 2
redistribute ospf 1 subnets
But it is not the problem here.
Question 50 ***
Which scenario causes a GRE tunnel interface to be in an up/down state?
A. The is no route to the tunnel destination address
B. The tunnel source and destination addresses are in different subnets
C. The subnet masks on the tunnel interfaces do not match
D. The route to the tunnel destination address is not routed through the tunnel
Answer: A
Explanation
Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
– There is no route, which includes the default route, to the tunnel destination address.
– The interface that anchors the tunnel source is down.
– The route to the tunnel destination address is through the tunnel itself, which results in recursion.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-
00.html
===================== Multiple-Choice Questions (updated on 21st-Apr-2019) ======================
Question 51 ***
Which of the following features allows a router to install a floating route in its routing table when the GRE tunnel is
disrupted?
A. tracking objects
B. IP SLA
C. ?
D. GRE keepalive
Answer: D
Explanation
GRE tunnels are designed to be completely stateless. This means that each tunnel endpoint does not keep any information
about the state or availability of the remote tunnel endpoint. A consequence of this is that the local tunnel endpoint router
does not have the ability to bring the line protocol of the GRE Tunnel interface down if the remote end of the tunnel is
unreachable. The ability to mark an interface as down when the remote end of the link is not available is used in order to
remove any routes (specifically static routes) in the routing table that use that interface as the outbound interface.
Specifically, if the line protocol for an interface is changed to down, then any static routes that point out that interface are
removed from the routing table. This allows for the installation of an alternate (floating) static route or for Policy Based
Routing (PBR) in order to select an alternate next-hop or interface.
Normally, a GRE Tunnel interface comes up as soon as it is configured and it stays up as long as there is a valid tunnel
source address or interface which is up. The tunnel destination IP address must also be routable. This is true even if the
other side of the tunnel has not been configured. This means that a static route or PBR forwarding of packets via the GRE
tunnel interface remains in effect even though the GRE tunnel packets do not reach the other end of the tunnel.
Before GRE keepalives were implemented, there were only ways to determine local issues on the router and no way to
determine problems in the intervening network. For example, the case in which the GRE tunnelled packets are
successfully forwarded, but are lost before they reach the other end of the tunnel. Such scenarios would cause data
packets that go through the GRE tunnel to be “black holed”, even though an alternate route that uses PBR or a floating
static route via another interface might be available. Keepalives on the GRE tunnel interface are used in order to solve this
issue in the same way as keepalives are used on physical interfaces.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-
00.html
Question 52
Refer to the exhibit.
Which two routing protocols are permitted by the ACL above? (Choose two)
A. BGP
B. OSPF
C. EIGRP
D. GRE
E. NSE (something like that)
Answer: A B
Explanation
BGP operates on TCP port 179 and the ACL statements “access-list 101 permit tcp any 10.1.1.1 eq 179” and “access-
list 101 permit tcp any eq 179 any” allows BGP to go through.
The protocol number (not port number) of OSPF is 89 so the first ACL statement “permit 89 any any” is same as
“permit ospf any any” -> Answer B is correct.
EIGRP runs directly over IP using IP protocol number 88 – it does not use TCP or UDP. In the above ACL statements
there is no line for EIGRP so it will be dropped by implicit “deny all” statement at the end of the ACL -> Answer C is not
correct.
GRE is allowed with the “access-list 101 permit gre any any” statement so GRE is correct but this question asks about
“routing protocol” so GRE is not a valid option.
Note: Keep in mind that there is a big difference between a port number and a protocol number. In an ACL, the
number behind the keyword “eq” (equal) is a port number, not a protocol number. For example, IP is protocol number 4,
ICMP is 1, EIGRP is 88, and OSPF is protocol number 89.
Question 53
Refer to the exhibit.
R2#ssh -l admin 10.10.20.2
%Destination unreachable, gateway or host down
A company is implementing Management Plane Protection (MPP) on its network. Which of the following commands
allows R2 successfully connect to R1 via SSH?
A. ssh -p 22 -l admin 10.10.30.2
B. ssh -v 2 -l admin 10.10.30.2
C. ssh -p 22 -l admin 10.10.20.2
D. ssh -v 2 -l admin 10.10.20.2
Answer: B
Explanation
SSH has the following options:
In this question it seems R1 does not allow SSH to interface Gi0/2 of R1 (no traffic for SSH) so we have to SSH to
interface Gi0/3 instead.
Question 54
Section 1
R1#debug ip ospf hello
…
Section 2
R1#
Debugging is
Condition 1 – username
Condition 2 – int g0/2
Section 3
R1#debug ip ospf hello
…
Which of the following commands results in the Section 2 of the output above?
A.
R#debug condition username
R#debug condition interface g0/2
B.
R#debug condition interface g0/2
R#debug condition username
C.
R(conf)# debug condition username
R(conf)#debug condition interface g0/2
D.
R(conf)#debug condition interface g0/2
R(conf)# debug condition username
Answer: A
Explanation
The “debug condition” command must be issued in Privileged mode (not global configuration mode)
Question 55
Two hosts (PC A & PC B) in the same subnet (IP addresses 10.10.10.10 & 10.10.10.30, both /24) connected to Layer 2
switches each (using ports g0/5). The layer 2 switches connect to other switches which connects to a Multilayer (L3)
switch.
R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
2 permit ip host xxxx host xxxxx
3 permit ip host xxxx host xxxxx
4 permit ip host xxxx host xxxxx
5 permit ip host xxxx host xxxxx
6 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
8 permit ip host xxxx host xxxxx
9 permit ip host xxxx host xxxx
Which of the following commands inserts five additional lines to the ACL Entry Sequence between lines 3 and 4 without
changing the existing configuration?
R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
13 permit ip host xxxx host xxxxx
19 permit ip host xxxx host xxxxx
25 permit ip host xxxx host xxxxx
31 permit ip host xxxx host xxxxx
37 permit ip host xxxx host xxxxx
43 permit ip host xxxx host xxxxx
49 permit ip host xxxx host xxxx
We can insert five additional lines between two consecutive lines now.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-
book/sec-acl-seq-num.html
Question 57
An engineer performed a router upgrade. After an unexpected reboot, the router loaded with the old IOS version instead
of the new one. What is the problem?
A. The configuration register is set to 0x2103
B. The old IOS image is corrupted
C. The new IOS image is corrupted
D. The boot loader is not present
Answer: D
Question 58
An exhibit with output of BGP debug
%TCP-6-….: Active to Idle
…
%TCP-6-BADAUTH: No MD5 digest from 192.168.1.1(179) to 192.168.4.1(45577) tabled-0
%TCP-6-BADAUTH: No MD5 digest from 192.168.4.1(179) to 192.168.1.1(45577) tabled-0
Why are the two routers not forming BGP neighborship?
A. Mismatched BGP authentication
B. Mismatched BGP Autonomous System numbers
C. Mismatched Hello and Hold timer
D. Mismatched BGP peer-group
Answer: A
Question 59 ***
An exhibit that displays the outputs of show interface tunnel0 for two routers. Tunnel 0 is up/up on one router and
up/down on the other router.
Which of the following commands can quickly show the cause of the up/down state of Tunnel0 on the second router?
A. show ip interface brief
B. sh ip protocols (or something else)
C. show ip route
D. show ip gre
Answer: C
Question 60
A hub and spoke topology consisting of some routers and switches. Host A is attached to the spoke network and Host B is
attached to the hub network. There is a set of commands beside the topology:
Client A cannot reach client B while other Spokes can reach client B. What command in the configuration is the cause of
the problem?
A. ip nhrp network-id 12345
B. tunnel source e0/1
C. ip nhrp shortcut
D. tunnel mode gre multipoint
Answer: B
Note: Please check to see the NHRP address is wrong. Please read more about DMVPN and NHRP
at https://www.digitaltut.com/dmvpn-tutorial
Question 61 ***
Drag the GRE tunnel state from the left onto the correct description on the right.
Answer:
Match the various tunnel states to the corresponding description.
Up/up ————– tunnel is up and functional
Up/down ———- tunnel is up but not passing traffic
Administratively Down/down —— tunnel is administratively shutdown (shutdown by configuration or an administrator)
Reset/up ———- tunnel is ….. (maybe “misconfigured with a Next Hop Server (NHS) that is its own IP address.”)
Explanation
Four Different Tunnel States
There are four possible states in which a GRE tunnel interface can be:
+ Up/up – This implies that the tunnel is fully functional and passes traffic. It is both administratively up and it’s protocol
is up as well.
+ Administratively down/down – This implies that the interface has been administratively shut down.
+ Up/down – This implies that, even though the tunnel is administratively up, something causes the line protocol on the
interface to be down.
+ Reset/down – This is usually a transient state when the tunnel is reset by software. This usually happens when the
tunnel is misconfigured with a Next Hop Server (NHS) that is it’s own IP address.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-
00.html
Question 62
Refer to the exhibit.
A. SNMP
B. Local authentication
C. Enable
D. VTY
Answer: B
=================== New Multiple-Choice Questions (updated on 10th-Mar-2019) ====================
Question 63 ***
Which statements about uRPF are true? (Choose two)
A. CEF should be enabled
B. CEF should be disabled
C. Packet with source 0.0.0.0 destination 255.255.255.255 will be permitted
D. Packet with source 0.0.0.0 destination 255.255.255.255 will be denied
E. ?
Answer: A C
Explanation
uRPF uses the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB) to perform reverse path look-up on
the source IP address of an incoming packet. The CEF FIB is a database of network layer routing information and
associated forwarding/adjacency information used in the CEF switching of packets.
Unicast RPF will allow packets with 0.0.0.0 source and 255.255.255.255 destination to pass so that Bootstrap Protocol
(BOOTP) and Dynamic Host Configuration Protocol (DHCP) functions work properly.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf.pdf
Question 64 ***
Routes are not advertised in the GRE tunnel. What is the problem?
A. Implement dynamic routing in tunnel interfaces
B. ACLs are blocking packets
C. ?
D. ?
Answer: B
Question 65
How can we limit the number of simultaneous access to the VTY lines?
A. session-limit
B. something about ACL
C. ?
D. ?
Answer: A
Explanation
The “session-limit” command is used to configure the maximum number of the concurrent virtual terminal sessions on a
device. The range is from 1 to 64.
Question 66 ***
Drag drop question about extended ping which includes: TTL, df-bit, ToS, Timeout.
Answer:
ToS = Specifies the packet classification
df-bit = allows for testing the path MTU
TTL = determines the maximum hop count
timeout = sets the interval to wait for a response
Good reference:
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
Question 67 ***
There is an exhibit with hub & spook topology with 2 PCs: Pc1 spoke side and Pc2 hub. PC1 not pinging PC2. In the
exhibit there is configuration of NHRP. Something like this:
interface tunnel0
ip address 10.100.0.3 255.255.25.0
no ip redirects
ip nhrp network-id 12345
ip nhrp shortcut
ip nhrp nhs 10.100.0.1 nbma 200.1.1.9 multicast
tunnel source e0/1
tunnel mode gre multipoint
PC was not configured to obtain default-gateway from the DHCP server. What can we do for PC to access the Internet?
A. Configure static ARP in gateway router
B. Configure dynamic ARP in gateway router
C. Configure proxy-ARP in gateway router
D. ?
Answer: C
Question 69 ***
Question 71
Refer to exhibit. Client unable to enter the privilege mode
A. enable password should be configured
B. VTY password should be configured
C. enable password should be disabled
Answer: A
Question72 ***
Refer to the exhibit.
A. The denied entries will be logged because of the explicit deny ipv6 any any log line
B. A packet with source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port 80 will be permitted
C. HTTPS traffic from the 2001:DB80:AD59:BA21::/64 subnet will automatically be permitted along with HTTP traffic
D. A packet with source address 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied
Answer: A
Question 73
Similar to this question:
Refer to the exhibit. (ClientA is connecting to the network via e0/0 interface while the “tunnel source e0/1” in the
configuration). ClientA is unable to reach ClientB while other users from other Spokes can reach ClientB. Which
command resolves this issue?
A. tunnel route-via ethernet0/1
B. tunnel mode gre
C. tunnel destination 10.100.0.1
D. tunnel source ethernet0/0
Answer: D
Question 74 ***
Regarding extended ping, why ping is failed (refer to exhibit)?
A. df bit is set // should be unset, MTU issue)
B. df bit is not set
Answer: A
Question 75 ***
Routes are not being shared dynamically over a functional GRE tunnel. Which scenario is causing the issue?
A. An ACL is blocking the data plane traffic between the remote devices
B. MTU is configured at 1500 on the tunnel interface
C. The tunnel mode is mismatched between the two routers
D. The tunnel interface is not participating in the dynamic routing process
Answer: D
Question 76
There is a diagram with a HQ site connected with Branch site via GRE Tunnel
A. Change tunnel source in HQ site from G0/1 to 0/0
B. Change tunnel in Branch site from G0/0 to 0/1
Topology with 2 host connected via GRE (HQ and Branch)
Answer: A
=================== New Multiple-Choice Questions (updated on 9th-Feb-2019) ====================
Question 77
A topology with three routers R1, R2 and R3 connected to each other and a list of ACL statements to choose. The
question asks which sequence number allows connection from R1 to R2 via SSH.
R1 Lo0: x:x::1
R2 Lo0: y:y::2
R3 Lo0: z:z::3
10 permit tcp y:y::2 host x:x::/64 eq 22
20 permit tcp x:x::/64 host y:y::2 eq 22
30 deny tcp x:x::/64 host y:y::2 eq 22
40 deny tcp x:x::/64 host y:y::2 eq 22
A. 30
B. 20
C. 40
D. 10
Answer: B
Explanation
20 permit tcp x:x::/64 host y:y::2 eq 22 (so choose the sequence number 20)
Question 78 ***
How to apply an IPv6 access-list to lines?
A. ipv6 access-group <ipv6 access-list name>
B. ipv6 access-list <ipv6 access-list name>
C. ipv6 access-class <ipv6 access-list name>
Answer: C
Question 79 ***
Drag drop about AAA.
Answer:
+ AAA Accounting commands: configures AAA to send commands executed to the configured target
+ AAA Authentication banner: configures AAA to change the message displayed when a user logs in
+ AAA authorization exec: (none)
+ AAA authentication enable: configures AAA to prompt for a password to enter privileged mode
+ AAA authorization config-commands: configures AAA to validate a user’s permission to change the running
configuration
Explanation
The “AAA authentication banner” command is used to configure a banner that is displayed when a user logs in (replacing
the default message for login).
If aaa authorization commands level method command is enabled, all commands, including configuration commands,
are authorized by AAA using the method specified. Use the aaa authorization config-commands command if you need
to reestablish the default set by the aaa authorization commands level method command.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html
Question 80 ***
An exhibit with three routers A, B and C. Router A is connected to Router B. Router B is connected to Router C.
The output of “show interface Tunnel 1” on Router C shows that the tunnel is in “up/down” state. The question asks
what is the reason for this.
A. Router C does not have a route to the loopback interface of Router A (which is used as the tunnel source on Router A
and tunnel destination on Router C).
B. The tunnel mode should be changed to “gre mode multipoint”
C.
D.
Answer: A
Explanation
Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
– There is no route, which includes the default route, to the tunnel destination address.
– The interface that anchors the tunnel source is down.
– The route to the tunnel destination address is through the tunnel itself, which results in recursion.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-
00.html
Question 81 ***
A network administrator attempts to restrict AUX access to R4 from a single host IP address 192.168.x.x has failed.
Which action will restrict access?
Answer: A
Explanation
The “session-limit” command is used to configure the maximum number of the concurrent virtual terminal sessions on a
device. The range is from 1 to 64.
Question on restricting access via AUX to ip’s/ranges in shown ACL. Config showing all the lines, vty, aux and con and
an ACL. Only VTY had config on, including access-class but ACL number was not as in the config shown.
Question was something like why IP’s out of the range specified in the acl can access the router via AUX – remember
there was no config on AUX at all.
Question 82
A firewall has been inserted between 2 routers running GRE. Which protocol needs to be allowed through on the
firewall?
A. Create a firewall rule to allow IP protocol 47
B. Create a firewall rule to allow TCP/IP Port 47
Answer: A
Explanation
GRE is a protocol on the same level as TCP and UDP. When configuring a firewall to allow GRE, you do not configure a
port like you would for Telnet or SSH. Instead, you must configure the firewall to allow protocol 47. Cisco router offer
the keyword “gre” for configuring access lists.
The access-list statement should be “access-list 100 permit gre any any” (or “access-list 100 permit gre host x.x.x.x host
y.y.y.y” to allow specific host)
Question 83 ***
How to apply IPv6 access list?
A. ipv6 access-class <ipv6 access-list name>
B. ipv6 access-group <ipv6 access-list name>
C. ipv6 access-list <ipv6 access-list name>
D. ipv6 traffic-filter <ipv6 access-list name>
Answer: D
Question 84 ***
Router is configured with AAA using the “local-case” keyword in authentication:
The question asks why the admin cannot login with the command: ssh -l admin x.x.x.x
Answer: B
Question 87 ***
An exhibit with the Admin PC (IP address: 192.168.1.200/28) connecting to the router R1 (Lo0: 192.168.1.55/28) with
AAA config. The question asks why Telnet attempt to the router from the Admin PC fails.
aaa new-model
!
aaa authentication login default line enable
aaa authorization commands 15 default local
aaa authorization network default local
!
username admin privilege 15 password cisco
!
ip ssh version 2
!
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any range 22 stp
!
line vty 0 4
access-class 101 in
password cico
transport input all
!
line vty 5 15
access-class 101 in
password cico
transport input all
!
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message
R2#sh ip access-lists ?
<1-199> Access list number
<1300-2699> Access list number (expanded range)
WORD Access list name
dynamic List dynamic IP access lists
interface List ACL attached to an interface
| Output modifiers
<cr>
R2#sh ip access-lists int ?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
Ethernet IEEE 802.3
GMPLS MPLS interface
LISP Locator/ID Separation Protocol Virtual Interface
LongReachEthernet Long-Reach Ethernet interface
Loopback Loopback interface
Lspvif LSP virtual interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-TokenRing Virtual TokenRing
vmi Virtual Multipoint Interface
Question 93
line vty 0 4
ip access-class 1 in
transport input telnet only
!
ip access list permit tcp any any eq 22
ip access list permit tcp any any telnet
Cisco engineer is trying to setup secure access to the router but why is SSH failing?
A network administrator is troubleshooting an EIGRP connection between RouterA, IP address 10.1.2.1, and RouterB, IP
address 10.1.2.2. Given the debug output on RouterA, which two statements are true? (Choose two)
Answer: D F
Question 7 ***
You are troubleshooting an issue with a GRE tunnel between R1 and R2 and find that routing is OK on all intermediary
routers. The tunnel is up on R1, but down on R2. Which two possible issues can prevent the tunnel from coming up?
(Choose two)
A. The tunnel does not come up unless traffic is sent through it.
B. The tunnel source interface is down on R2.
C. No specific route interface is down on R2.
D. R2 does not know how to reach the tunnel destination.
E. The tunnel keep alive timer doesn’t match on R1 and R2.
Answer: B D
Question 8 ***
How to check debugging fragmentation?
A. debug tcp
B. debug ip icmp
C. debug ip packet detail
D. debug ip policy
Answer: B
Question 9
Refer to exhibit.
(exhibit missing)
Which IP address should be configured as the tunnel source on the HQ router for maximum resiliency?
A. Loopback IP address of HQ
B. Serial IP address of HQ
C. Fastethernet IP address of HQ
D. ?
Answer: A
Question 10 ***
WFQ not supported on control plane.
A. Router capabilities
B. bandwidth command not supported
C. cannot be input (pick this one as fragmentation only occurs outbound, but I’m not completely sure)
D. missing license
Answer: B
Explanation
Weighted Fair Queuing". A flow-based queuing algorithm used in Quality of Service (QoS) network applications that
schedules low-volume traffic first, while letting high-volume traffic share the remaining bandwidth. This is handled by
assigning a weight to each flow, where lower weights are the first to be serviced.
Question 11
A client reports all password in plain text after running ‘show archive log config all’. How can you prevent/encrypt all
messages?
A. password encrypt aes
B. hidekeys
C. service-password encryption
D. aaa authentication arap
Answer: B
Explanation
The command “hidekeys” (Device(config-archive-log-config)# hidekeys) suppresses the display of password information
in configuration log files.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-3s/config-mgmt-xe-3s-
book/cm-config-logger.html
Question 12
Client X unable telnet the terminal Server – IPv6 ACL
Client X – adb:2018::xx:1
Client Y – adb:2018::xx:2
Terminal Server – adb::2018:yy:1
something to do with sequence on ACL.
10 permit tcp host adb:2018::xx:2 host adb::2018:yy:1 eq telnet
20 deny tcp any host adb::2018:yy:1 eq telnet
30 ?
A. ?
B. Add sequence 15 & permit tcp host adb:2018::xx:1 host adb::2018:yy:1 eq telnet
C. Delete sequence 20 & add sequence 5 permit tcp host adb:2018::xx:1 host adb::2018:yy:1 eq telnet
D. Add sequence 25 & permit …
Answer: B
Question 13 ***
Which two statements about GRE tunnels are true? (Choose two)
A. GRE tunnels operate in GRE/IPsec mode by default
B. GRE tunnels operate in GRE/IP mode by default
C. GRE encapsulates the original packet
D. The carrier protocol adds the delivery header
E. The IP header encapsulates the GRE header
Answer: B C
Explanation
By default, GRE tunnel operates in GRE/IP mode so the command “tunnel mode gre ip” command is not necessary -> B
is correct.
When the sending router decides to send a packet into the GRE Tunnel, it will “wrap” the whole packet into another IP
packet with two headers: one is the GRE header which uses to manage the tunnel itself. The other is called “Delivery
header” which includes the new source and destination IP addresses of two virtual interfaces of the tunnel (called tunnel
interfaces). This process is called encapsulation -> C is correct.
Answer D seems to be correct but a bit unclear. If answer D said “GRE adds the delivery header” then it would be correct.
Answer E seems to be correct too but it said “The IP header encapsulates …” which is not totally correct. It should be
“The delivery header (not IP header) encapsulates the GRE header”.
Question 14 ***
When troubleshooting recursive routing issues with GRE tunnels, which three actions resolve the issue? (Choose three)
A. Add static routes …
B. Remove the network advertisements…
C. If using OSPF to peer across …
D. Change the tunnel source or destination interface
E. Remove the configuration on the tunnel interface and reconfigure
F. Perform shut and no shut commands on the tunnel interface
Answer: A B D
Question 15
Refer to the exhibit.
service password-encryption
!
line console
password a123124
!
line vty 0 4
password asdfasf12
login
transport input telnet
The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login ONLYLOCAL local
aaa authentication ppp default radius local
username xxx password xxx
line vty 0 4
password xxxxx
A. RADIUS
B. TACACS+
C. local
Answer: B
Explanation
If under “line vty 0 4” is not configured with ONLYLOCAL group as follows:
line vty 0 4
login authentication ONLYLOCAL
Then this group would never be used for authentication. Only the default method list is used (which uses TACACS+ first
then enable password if TACACS+ fails to respond). So in this question the device will authenticate with the default
method list.
Question 24a ***
User was not able to login using telnet.
Router#show management-interface
Management interface FastEthernet0/0
Protocol Packets processed
ssh 0
snmp 0
Answer: C
Question 25 ***
Which command will encrypt the enable password? (Choose two)
A. enable secret
B. service password-encryption
Answer: A (although in real life it should be B but in the exam they want answer A)
Question 26 ***
Which statements about extended ping are true? (Choose two)
A. You can use data gram size option to set size of ping in bytes
B. You can use minimum and maximum TTL
C. You can select UDP destination port
D. You can use data pattern to troubleshoot framing error on serial lines
E. You can use ToS bit to control fragmentation of data gram
Answer: A D
Question 27 ***
Question about creating or generating a new crypto key.
Answer: crypto key generate rsa
Question 28 ***
How do you check the crypto public key?
A. show crypto session
B. show crypto map
C. show crypto key mypubkey rsa
D. ?
Answer: C
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 29 ***
Which alerts will be seen on the console by issuing logging console critical? (Choose three)
A. Emergency
B. Alert
C. Critical
D. Notification
E. Informational
Answer: A B C
Explanation
Syslog levels are listed below
A.
time-range NOC_ACCESS
periodic daily 18:00 to 06:00
B.
time-range NOC_ACCESS
periodic daily 18:00 to 23:59
periodic daily 00:00 to 06:00
C.
time-range NOC_ACCESS
periodic daily 06:01 to 23:59
D.
time-range SWITCH_ACCESS
periodic daily 06:01 to 23:59
Answer: B
Question 33a ***
“show version” command output. – SSH not working. What is the issue?
# Check the configuration register, it is 0x2142.
A. IOS upgrade
B. ROM memory upgrade
C. incorrect Configuration register 0x2102
D. ?
Answer: C
Note: In this question you will be shown with the “show version” output on a router. Please check carefully if:
+ The “Configuration register” is set to 0x2142 or not. With this value the device will bypass the startup configuration
stored in NVRAM during its boot sequence
+ The IOS image is missing “k9” which is the security feature or not. If it is missing “k9” then we need to upgrade IOS so
that SSH can work. According to recent reports this is the correct answer.
Question 33b ***
A question with “show version” output. The register was 0x2102
A. IOS update
B. less memory
C. configuration register is wrong
D. need new boot ROM
Answer: A
Explanation
The IOS image is missing “k9” which is the security feature or not. If it is missing “k9” then we need to upgrade IOS so
that SSH can work. According to recent reports this is the correct answer.
Question 34 ***
Must use route protocol for using TLV and fast-reroute (Choose two)
A. ISIS
B. OSPF
C. EIGRP
D. RIP
E. RIPv2
Answer: A B
Explanation
Prerequisites for Loop-Free Alternate Fast Reroute
Any of the following protocols must be supported for Loop-Free Alternate Fast Reroute:
– Intermediate System-to-Intermediate System (IS-IS)
– Open Shortest Path First (OSPF)
While configuring ISIS protocol, ISIS network point-to-point must be configured.
Question 35 ***
Which system architect allow GRE and IPSec perform routing separately?
A. Server-client
B. peer-to-peer
C. Headend
D. Backend
Answer: C
Explanation
Headend System Architectures
The following two headend system architectures are described in this design guide:
+ Single Tier Headend Architecture – Incorporates both the p2p GRE and crypto functions onto a single routing
processor.
+ Dual Tier Headend Architecture – Splits the p2p GRE and crypto functions onto two different routing processors.
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_
p2pGRE_Phase2.html
Question 36 ***
Which technology support dynamic routing and non-ip protocols?
A. Easy VPN
B. GET VPN
C. DMVPN
D. GRE
Answer: D
Question 37 ***
A question about extended traceroute (Choose two)
A. TTL can be modified
B. Can use strict IP header options
C. IP header options verbose allow you to specify the hops you want the packet to go through
D. ?
E. ?
Answer: A B
OR
Which two statements about traceroute are true? (Choose two)
A. It supports a variety of IP header options, including verbose
B. The DF bit is set by default
C. The TTL value can be set to 0
D. The default probe count for each TTL level is 3
E. Extended traceroute operation can use a modified data pattern
Answer: A D
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
+ Probe count: limits the number of traceroute
+ Port Number: troubleshoot TCP and UDP port
+ Source address: troubleshoot connections generated from specific interface
+ Max TTL: limits the number of hops a packet travel
+ Type of Service: troubleshoot QoS issues
Should read: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
OR
A question about extended traceroute (Choose two)
A. verbose mode
B. strict mode
C. changing TTL
D. changing IP Header option
E. ?
Answer: C D
Question 38a
Which options are correct about enable secret and enable password? (Choose two)
A. Enable secret and enable password cannot be configured same time
B. Enable password is difficult to decipher
C. Enable secret is difficult to decipher
D. Enable password is more preferable than enable secret
E. Enable secret is more preferable than enable password
Answer: C E
Question 38b
Which options are correct about enable secret and enable password? (Choose two)
A. Enable secret and enable password cannot be configured same time
B. Enable password is easy to decipher
C. Enable secret is easy to decipher
D. Enable password has higher preference than enable secret
E. Enable secret has higher preference than enable password
Answer: B E
Question 39
Which tunnel supports routing and multicasting?
A. DMVPN
B. GRE
C. IPSec
D. ?
Answer: B
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 40 ***
Drag and drop the sequence for configuring SSH in correct order.
A. ip ssh ver 2
B. ip domain-name cisco.com
C. crypto-key generate rsa
D. line vty 0 4
E. Transport input ssh
Transport input telnet
Answer: B -> C -> A -> D -> E
B. ip domain-name cisco.com
C. crypto-key generate rsa
A. ip ssh ver 2
D. line vty 0 4
E. Transport input ssh
Question 41 ***
Drag and drop about uRPF strict and loose mode
Option 1. Must have the source IP in routing table (IPv4 Source IP address must be the part of the routing table)
Option 2. Must have the same path back
Option 3. Supports asymmetric routing feature
Option 4. Can be used to configure on the inside interface of the Internet router
Option 5. Can be used to configure on the outside interface of the Internet router
Option 6. Supports symmetric routing feature
Answer:
Strict mode:
+ Must have the same path back
+ Can be used to configure on the inside interface of the Internet router
+ Supports symmetric routing feature
Loose mode:
+ Must have the source IP in routing table (IPv4 Source IP address must be the part of the routing table)
+ Can be used to configure on the outside interface of the Internet router
+ Supports asymmetric routing feature
Question 42 ***
R1 R2
interface tunnel0 interface tunnel0
ip address 12.12.12.1 255.255.255.252 ip address 12.12.12.2 255.255.255.252
tunnel mode gre ip //this command can be ignored tunnel mode gre ip //this command can be ignored
tunnel source 192.168.13.1 tunnel source 192.168.23.2
tunnel destination 192.168.23.2 tunnel destination 192.168.13.1
For R1, the tunnel destination must point to 192.168.23.2 (the physical IP address of other end of the tunnel, not
12.12.12.2 – the other destination of the tunnel itself)
Question 56
How do you make sure AAA will still allow you to login if TACACS fails?
(or Which command enables authenticated login if a TACACS+ failure occurs?)
A. aaa authentication login test group local tacacs+
B. aaa authentication login test group tacacs+ local
C. aaa authentication login test group radius local
D. aaa authentication ppp dialins group tacacs+ local
Answer: B
Question 57 ***
If you want to use GRE with IPSec which compatible with NAT traversal?
A. Enable MD5 mode
B. Enable SHA mode
C. Implement IPSec Tunnel mode
D. Implement IPSec Tunnel transport
Answer: C
Explanation
This is not officially written by Cisco but it is the best we can find:
What is the difference between tunnel mode and transport mode?
The differences are as follow; Tunnel mode is widely implemented in site-to-site VPN scenarios. While transport mode is
implemented for client-to-site VPN scenarios. Also, NAT traversal is supported with the tunnel mode while NAT
traversal is not supported with the transport mode.
Reference: https://www.coursehero.com/file/p7qcduh/No-GRE-provides-a-stateless-private-connection-15-What-is-the-
GRE-header-for-It/
Question 58 ***
Troubleshoot uRPF loose mode at client gateway router for networks that are not in the routing table. (Choose two)
A. Dynamic routing is configured on the router
B. CEF is enabled on the router
C. allow-default is configured for loose mode
D. CFE is disabled on the router
E. Static Routing is configured on the router
Answer: B C
Question 59 ***
Which two statements about traceroute are true? (Choose two)
A. It supports a variety of IP header options, including verbose
B. The DF bit is set by default
C. The TTL value can be set to 0
D. The default probe count for each TTL level is 3
E. Extended traceroute operation can use a modified data pattern
Answer: A D
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 60 ***
The WAN link is 1500 MTU. How to configure GRE Tunnel so that the packets do not get fragmented? (Choose three)
A. ip tcp path-mtu-discovery
B. ip mtu 1400
C. ip tcp adjust-mss 1360
D. tunnel mode gre ip
E. tunnel mode gre multipoint
Answer: B C and ?
Explanation
Since GRE is an encapsulating protocol, we adjust the maximum transfer unit (mtu) to 1400 bytes and maximum segment
size (mss) to 1360 bytes. Because most transport MTUs are 1500 bytes and we have an added overhead because of GRE,
we must reduce the MTU to account for the extra overhead. A setting of 1400 is a common practice and will ensure
unnecessary packet fragmentation is kept to a minimum.
Question 61 ***
Which two ACLs use with IPv6 traffic filters?
A. tagged
B. standard
C. named
D. numbered
E. dynamic
Answer: A C
Explanation
Named and tagged ACLs are both supported in IPv6.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/xe-3s/ipv6-xe-36s-book/ip6-sec-trfltr-
fw.html
Question 62 ***
Which two statements about time-based ACL are true? (Choose two)
A. It can use the router’s clock as the time source
B. Only extended ACL can use time ranges
C. It must be defined with an inspect name value
D. It requires NTP to be configured
E. Both standard & extended ACLs can use time ranges
Answer: A B
Question 63 ***
GRE tunnel IPv6 over IPv4 (choose two).
Answer:
A. SRC must be IPv4,
B. IPv6 over IPv4
Question 64 ***
Which two statements about uRPF are true? (Choose two)
A. Support with extended ACL and time-based ACL
B. Applied to input interface only
C. Require Cisco Express Forwarding to populate FIB
D. It is output function
E. It can mitigate asymmetric routing
Answer: B C
Question 65 ***
GRE tunnel is up but the server or host cannot pass through traffic what are the two things need to be fixed? (Choose two)
Answer:
A. Move R1 to global routing
B. Put R3 on VRF Red
Question 66
Which two protocols does the management plane protection feature support? (Choose two)
A. HTTPS
B. ARP
C. DNS
D. TFTP
E. DHCP
Answer: A D
Explanation
Following are the management protocols that the management plane protection (MPP) feature supports. These
management protocols are also the only protocols affected when MPP is enabled.
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
+ HTTP
+ HTTPS
Question 67
Which method should we use to troubleshooting DHCP issues?
A. divide and conquer
B. top-down
C. bottom-up
D. follow-the-path
Answer: C
Explanation
Let’s assume that you are researching a problem of a user that cannot browse a particular website and while you are
verifying the problem, you find that the user’s workstation is not even able to obtain an IP address through the DHCP
process. In this situation it is reasonable to suspect lower layers of the OSI model and take a bottom-up troubleshooting
approach.
Question 68 ***
A router knows one destination using EIGRP and two OSPF networks, which will be the best way to determine the path?
(choose two)
A. show ip eigrp topology
B. show ip ospf database
C. traceroute
D. ping
E. show ip route
Answer: C E
Question 69 ***
Which two statements about ping & traceroute are true? (Choose two)
A. ping only use ICMP
B. only ping have TTL
C. to determine if a host is reachable, using traceroute is better than ping
D. traceroute use UDP datagram and ICMP
E. ping use TCP and ICMP
Answer: A D
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 70
What is common protocol for ping and traceroute?
A. ICMP
B. PIM
C. IGMP
D. IP
Answer: A
Question 71 ***
Which two options about GRE keepalives are true? (Choose two)
A. enabled by default
B. supports on point-to-point GRE tunnel interface
C. supports on point-to-multipoint mGRE
D. support broadcast
E. supported in VRFs only if fVRF and iVRF match
F. support broadcast multicast
Answer: B E
Explanation
GRE tunnel keepalives are only supported on point-to-point GRE tunnels. Tunnel keepalives are configurable on
multipoint GRE (mGRE) tunnels but have no effect.
GRE keepalives are not supported together with IPsec tunnel protection under any circumstances.
In general, tunnel keepalives will not work when VRFs are used on the tunnel interface and the fVRF (‘tunnel vrf …’)
and iVRF (‘ip vrf forwarding …’ on tunnel interface) do not match.
Good reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-
00.html
Question 72 ***
When the user is changing configuration of router, which plane is affected?
A. Data
B. Management
C. Control
D. Forwarding
Answer: B
Question 73
A user is able to log into the switch but cannot go to the global config mode. What needs to be done?
A. change authorization level
B. change accounting
C. change authentication
D. create username and password
Answer: A
Question 74 ***
Which troubleshooting method is used when we troubleshoot a spanning tree issue for any VLAN?
A. divide and conquer
B. top-down
C. bottom-up
D. follow-the-path
Answer: D
Question 75 ***
D&D Question on Extended Ping
Answer:
Tos – …quality of service
Df-bit – prevent packets from being segmented or broken up
Data pattern – detect framing errors
Hop count – verify routing metrics
Reply – verify reachability
OR
data pattern — troubleshoot framing errors
df-bit — enable do not fragment bit in IP header
source — specify source address or name
tos — specify type of service value
validate — validate reply data
Question 76 ***
Which two statements about IPv6 traffic filtering are true? (Choose two)
A. needs to be enabled at the interface level
B. needs to enabled with egress ACL only
C. needs to be enabled with ingress ACL only
D. It performs virtual fragmentation reassembly after checking ingress ACL
E. It performs virtual fragmentation reassembly after checking egress ACLs
Answer: A D
Question 77 ***
There was also a question about GRE tunnel with the options of it support multicast, broadcast traffic or only broadcast
and some other options that we needed to choose 2 correct ones.
A. GRE supports broadcast and multicast
B. GRE tunnels broadcast traffic
C. GRE is a non-tunneling VPN technology
D. Option about IPSec
Answer: A B
Question 78 ***
Question about authentication, TACAS/local, based on piece of configuration
AAA and what will be the result with this configuration: it either checks the local database first or it only authenticate 2
listed users –
A. It will check TACAS authentication but skip for the two users created locally
B. aaa-new model not used and hence policy will not be applied.
C. aaa- not used hence policy will not be applied
D. Part of the script is reject
and 1 more options
Answer:
1. aaa-new-model command is not there in the script ; hence the script will not work
2. Part of the script is reject (as 2 local username and password are there)
Question 79 ***
Drag and drop question related to Tunnel GRE. What are the required configurations and what are optional?
Answer:
Require:
+ Tunnel destination IP
+ Tunnel Original IP
+ Tunnel IP
Optional:
+ TCP MSS
+ Tunnel key
+ Tunnel mode
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 80 ***
In which troubleshooting approach, you start troubleshooting from middle of OSI layer stack and then either go up or
down layer for further troubleshooting?
A. Bottom-up
B. Top-down
C. Divide-and-conquer
D. Follow-the-path
Answer: C
Question 81 ***
Which two things should you check while troubleshooting uRPF? (Choose two)
A. uRPF enabled on interface
B. uRPF enabled global
C. CEF disabled
D. CEF enabled global
E. Strict or loose mode configured global
Answer: A D
Question 82a
Which access-list allows SSH access from network 10.10.15.0/24?
A. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 21
B. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 23
C. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 22
D. Access-list 142 permit tcp 10.10.15.0 0.0.0.0 any eq 22
Answer: C
Question 82b ***
Securing control plane on R1 connected via SSH to the network 10.10.0.0/16. You should choose right answers and place
in right configuring order. Not all options will be used.
Answer:
Sequence 1:
access-list X permit tcp 10.10.0.0/16 eq 22 any estab
access-list X permit tcp 10.10.0.0/16 any eq 22
Sequence 2:
class-map match-all SSH
match access-group X
Sequence 3:
Policy Y
Class SSH
Sequence 4:
Control plane
service-policy input Y
Question 83 ***
What could be reason for GRE Tunnel interface in up/down state? (Choose two)
A. GRE tunnel mode is set to transport mode
B. Tunnel source is in down state
C. Route to tunnel destination points to tunnel interface itself
Answer: B C
Question 84
Which are valid AAA authentications methods? (Choose two)
A. Line
B. Krb6
C. LDAP
D. Local
E. Blowfish
Answer: A D
Question 85
Refer to the exhibit.
Which commands required to setup GRE tunnel between R2 & R3? (Choose two)
A.
R2:
interface tunnel 1
ip address 10.1.1.1 255.255.255.252
tunnel source 192.168.1.1
tunnel destination 192.168.2.3
B.
R3:
interface tunnel 1
ip address 10.1.1.2 255.255.255.252
tunnel source g0/0
tunnel destination 192.168.1.1
Answer: A B
Question 86 ***
While troubleshooting you noticed ‘***’ as output of traceroute command. What is the reason for that?
Answer: Probe is timed out.
Question 87 *** ???
Drag drop question about MPP.
Answer:
Constructing the CoPP Policy
For CoPP policy construction, several steps are required to create the MQC classification and policing functions. These
include: access-list construction, class-map construction, and finally, policy-map construction.
Question 88
Drag Drop question about four valid debug commands on switch (Choose four)
A. debug hsrp
B. debug glbp errors
C. debug ip igmp snooping
D. debug ip interface route-cache
E. debug spanning-tree mstp init
Answer: B C D E
Question 89
Drag and drop question. Choose and place in the right order headers when monitoring GRE packet
A. Destination tunnel IP header
B. Source tunnel IP header
C. GRE header
D. Original destination IP header
E. Original source IP header
F. Data
Answer: B -> C -> E -> F
B. Source tunnel IP header
C. GRE header
E. Original source IP header
F. Data
---------------------------------------------------------------------------------------------------------------------------------------------------
Question 90
GRE Tunnel Drag and Drop. Which fields are optional and mandatory in a GRE header?
Answer:
Mandatory: Reserved0, Version, Protocol Type
Optional: Checksum, Key, Sequence Number
Question 91
GRE tunnel Header. Which one is standard, which one is extended?
.
Answer:
Standard Header: Checksum, Reserved0, Version, Protocol Type
Extended Header: Sequence Number, Key
Question 92
What IP header option fields can you modify in an extended ping? (Choose three)
A. Value
B. Strict
C. Record
D. Timestamp
E. Timeout
Answer: B C D
Explanation
All of these can be modified: protocol, IP destination address, repeat count, Datagram size, Timeout, source
address/interface, type of service, DF bit, Validate reply data, Data pattern, Loose, Strict, Record, Timestamp, Verbose,
Sweep range of sizes.
Question 93
Select valid type of tunnels mode (Choose four)
A. GRE
B. 6to4
C. ISATAP
D. NHRP
E. IPv6IP
F. mGRE
Answer: A B C E
Question 94
Associate debug and show commands with what they do (7 options)
Answer:
debug ip mpacket <-> multicast packet
debug standby errors <-> HSRP issues
debug ip packet <-> All IPv4 information
debug ipv6 packet <-> All IPv6 information
debug vlan <-> 802.1q troubleshoot
debug ip cef <-> hardware forwarding
Question 95
Extended Traceroute Drag Drop. What extended traceroute troubleshooting functions?