
ICND2v3 – New Questions Part 8

February 2nd, 2020


Question 1

R1 and R2 are eBGP peers connected via the 192.168.12.0/24 network as follows:

R1
interface FastEthernet0/0
 description to HQ-A662:55028
 ip address 192.168.12.33 255.255.255.224
router bgp 100
 network 192.168.12.0
 neighbor 192.168.12.34 remote-as 200
R2
interface FastEthernet0/0
 description to HQ-B652:42891
 ip address 192.168.12.34 255.255.255.224
router bgp 200
 network 192.168.12.0
 neighbor 192.168.12.33 remote-as 100

Both R1 and R2 are failing to advertise the network. Which action must be taken to correct the problem?
A. changing the router bgp 200 command on R2 to router bgp 100
B. changing the neighbor statement on either router so that the neighbor IP addresses on both devices are
the same
C. adding the /27 network mask to the network 192.168.12.0 statement on both routers
D. adding the ebgp-multihop command to both routers

 

Answer: C

Question 2

Which two statements about configuring a PPP connection between two routers using CHAP authentication are true? (Choose two)

A. Each router can have a different password
B. Each router can have a different username
C. Each router’s username must be the same as its hostname
D. Each router must have the same username
E. Each router must have the same password

 

Answer: B E

Question 3

Which two characteristics of standard access lists are true? (Choose two)

A. They can compare source traffic only against a permit or deny statement
B. They must be identified with a number between 1 and 99 or 1300 and 1999
C. They can be identified only with a number between 1 and 99
D. They cannot be used to identify traffic path
E. They can compare source and destination traffic against a permit or deny statement

 

Answer: A B

Question 4

Which two criteria does a host use to choose from among multiple PADO packets? (Choose two)

A. MAC address of the access concentrator
B. IP address of the access concentrator
C. services offered by the access concentrator
D. packet size
E. name of the access concentrator

 

Answer: C E

Question 5

Which two options are well-known southbound APIs? (Choose two)

A. OpenFlow
B. OpFlex
C. OpenStack Neutron
D. VTN Coordinator
E. Controller

 

Answer: A B

Question 6

Which two best practices can you apply to secure the native VLAN? (Choose two)

A. Change the VLAN ID to a value other than the default value
B. Assign it as VLAN 1
C. Assign it as a different VLAN ID at each end of the link
D. Separate it from other VLANs within the administrative domain
E. Assign it a value in the private VLAN range

 

Answer: A D

Question 7

Which statement would prevent a host from being able to connect to a server that resides in a different VLAN?

A. The server is connected to a Layer 3 switch.
B. The server and its default gateway are on the same subnet.
C. The host is connected to an access port on a switch.
D. The gateway on the host is misconfigured.

 

Answer: D

Question 8

Which type of routing protocol is used to exchange routes between different autonomous systems?

A. link-state
B. distance-vector
C. exterior routing
D. interior routing

 

Answer: C

Question 9

Which three types of multicast messages do HSRP-configured routers use to communicate? (Choose three)

A. resign
B. hello
C. ping
D. coup
E. ack
F. syn

 

Answer: A B D

Explanation

With HSRP, three types of multicast messages are sent between the devices:

+ Hello – The hello message is sent between the active and standby devices (by default, every 3 seconds). If the standby device does not hear from the active device (via a hello message) in about 10 seconds, it will take over the active role.
+ Resign – The resign message is sent by the active HSRP device when it is getting ready to go offline or relinquish the active role for some other reason. This message tells the standby router to be ready and take over the active role.
+ Coup – The coup message is used when a standby router wants to assume the active role (preemption).

Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=2141271

Question 10

Which type of traffic does an 802.1x port pass before authentication?

A. DHCP traffic
B. all normal traffic
C. control-plane traffic
D. EAPOL traffic

 

Answer: D

Question 11

Which two functions of an SDN controller are true? (Choose two)

A. managing the topology
B. protection against DDoS attacks
C. coordinating VTNs
D. tracking hosts
E. Layer 2 forwarding

 

Answer: A C

Question 12

Refer to the exhibit. If all four routers come up at the same time, which router becomes the HSRP active router for the 192.168.10.0/24 subnet?

HSRP_preempt.jpg

R1
interface fastethernet0/0
 ip address 192.168.1.1 255.255.255.0
 standby ip 192.168.1.254
 standby priority 125 preempt
R2
interface fastethernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby ip 192.168.1.254
 standby priority 110 preempt
R3
interface fastethernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby ip 192.168.1.254
 standby priority 125 preempt
R4
interface fastethernet0/0
 ip address 192.168.1.4 255.255.255.0
 standby ip 192.168.1.254
 standby priority 115 preempt

A. R1
B. R2
C. R3
D. R4

 

Answer: C

Question 13

Which command do you enter to view OSPFv3 adjacencies?

A. show ipv6 ospf database
B. show running-configuration ospfv3
C. show ipv6 ospf neighbor
D. show ipv6 ospf retransmission-list

 

Answer: C

Question 14

Which command can you enter to verify the status and ports of a specific VLAN?

A. show interfaces trunk
B. show vlan brief
C. show vlan id <vlan-id>
D. show running-config

 

Answer: C

Question 15

Which technology can identify and classify mission-critical applications for path selection?

A. PBR
B. NBAR
C. PfR
D. QoS

 

Answer: C

Question 16

Which two pieces of information can be reported by an IP SLA? (Choose two)

A. delay
B. reachability
C. connected devices
D. Cisco IOS version
E. serial number

 

Answer: A B

Question 17

Which event triggers a switch stack election?

A. disconnecting a stack member
B. changing the priority of the master switch
C. adding a new powered-on standalone switch to the stack
D. resetting any stack member

 

Answer: C

====================== New Questions (added on 6th-Feb-2020) ======================

Question 18

Refer to the exhibit. Which type of port generated this output?

R1#sh interface switchport module 1
Name: Fa1/0
Switchport: Enabled
Administrative Mode: static access
Operational mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none

A. Layer 3 port
B. trunk port
C. access port
D. private VLAN port

 

Answer: C

Question 19

Which two best practices do you apply to your network to mitigate the potential security risk of the default VLAN? (Choose two)

A. Use a different VLAN ID for the default VLAN on each device within a VTP domain
B. Configure the default VLAN as a private VLAN
C. Configure the default VLAN on trunk ports only
D. Assign all switch ports to a VLAN other than VLAN 1
E. Configure the management VLAN on a VLAN other than the default VLAN

 

Answer: D E

Question 20

What command sequence will configure a router to run OSPF and to add network 10.1.1.0/24 to area 0?

A. router ospf
network 10.1.1.0 0.0.0.255

B. router ospf 1
network 10.1.1.0 0.0.0.255

C. router ospf
network 10.1.1.0 255.255.255.0 area 0

D. router ospf 1
network 10.1.1.0 0.0.0.255 area 0

E. router ospf area 0
network 10.1.1.0 255.255.255.0 area 0

F. router ospf area 0
network 10.1.1.0 0.0.0.255 area 0

 

Answer: D

Question 21

You are configuring an EtherChannel interface to carry multiple VLANs using a Cisco proprietary protocol. Drag and drop the relevant configuration commands from the left onto a valid configuration sequence on the right. Not all commands are used.

Etherchannel_interface.jpg

 

Answer:

1 – interface range fa0/0-2
2 – channel-group B mode desirable
3 – interface port-channel B
4 – switchport mode trunk

Explanation

First we have to create an Etherchannel port from a group of interfaces (fa0/0 to fa0/2) using PAgP (which is a Cisco proprietary protocol). Then we can set that logical port-channel interface to trunk mode.

Question 22

Drag and drop the GRE configuration commands from the left onto the correct effects on the right.

GRE_Configuration.jpg

 

Answer:

+ assigns a local interface address as a tunnel endpoint: tunnel source
+ prevents packets from being blackholed: keepalive
+ sets the maximum size of a packet that can traverse the tunnel: ip mtu
+ specifies the IP address of the remote tunnel endpoint: tunnel destination
+ specifies the IP address of the tunnel interface: ip address

Question 23

Which effect of the “router ospf 10” command is true?

A. It disables static routing on the router
B. It enables OSPF on a Layer 3 device
C. It enables OSPF on all connected interfaces on a Layer 3 device
D. It sets the device domain ID to 10

 

Answer: B

Question 24

Which channel group mode must you configure on both ports to enable a static EtherChannel?

A. auto
B. passive
C. active
D. desirable
E. on

 

Answer: E

Question 25

What happens when you execute the APIC-EM ACL path trace feature and it fails to discover a matching ACE along the path?

A. The ACLs along the path block the path trace attempt
B. The feature reports the flow as implicitly denied
C. The feature aborts the path trace
D. The feature flags all possible ACE entries as invalid

 

Answer: B

Explanation

An ACL path trace shows whether the traffic matching your criteria would be permitted or denied based on the ACLs configured on the path.
The following rules affect the ACL path trace results:
+ Only matching ACEs are reported.
+ If you leave out the protocol, source port, or destination port when defining a path trace, the results include ACE matches for all possible values of these fields.
+ If no matching ACE exists in the ACL, the flow is reported as implicitly denied.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-6-x/path_trace/user-guide/b_Cisco_Path_Trace_User_Guide_1_6_0_x/b_Cisco_Path_Trace_User_Guide_1_6_0_x_chapter_0111.html

Question 26

Which type of ACL does the access-list command create?

A. standard numbered IPv4 ACL
B. extended named IPv4 ACL
C. extended named IPv6 ACL
D. standard numbered IPv6 ACL

 

Answer: A

Question 27

Which troubleshooting tool can you use to replicate traffic within a single switch for analysis?

A. RSPAN
B. EEM
C. local SPAN
D. ERSPAN

 

Answer: C

ICND1v3 – New Questions Part 3

September 15th, 2019

Question 1

Drag and drop the router DHCP configuration steps from the left into the Cisco-recommended sequence on the right.

DHCP_Configuration_Steps.jpg

 

Answer:

+ Step 1: Exclude reserved addresses
+ Step 2: Create one or more IP address pools
+ Step 3: Configure the network ID and subnet mask
+ Step 4: Configure the default gateway
+ Step 5: Configure one or more DNS servers
+ Step 6: If desired, configure the lease time

Explanation

The first step of configuring DHCP is to list the IP addresses that should be excluded from DHCP assignment via the “ip dhcp excluded-address <first-IP> <last-IP>” command, because this command must be entered in global configuration mode (Router(config)#), not in DHCP pool configuration mode. Therefore we can only use this command in the first step or the last step, but in this question the last step (step 6) is used to configure the lease time.

Also, according to the “CCNA Official Cert Guide” book, the following steps should be used to configure a DHCP server:

Step 1. Use the “ip dhcp excluded-address first last” command in global configuration mode to list addresses that should be excluded (that is, not leased by DHCP).

Step 2. Use the “ip dhcp pool name” command in global configuration mode to both create a DHCP pool for a subnet and to navigate into DHCP pool configuration mode. Then also:

1. Use the “network subnet-ID mask or network subnet-ID prefix-length” command in DHCP pool configuration mode to define the subnet for this pool.
2. Use the “default-router address1 address2 …” command in DHCP pool configuration mode to define default router IP address(es) in that subnet
3. Use the “dns-server address1 address2 …” command in DHCP pool configuration mode to define the list of DNS server IP addresses used by hosts in this subnet
4. Use the “lease days hours minutes” command in DHCP pool configuration mode to define the length of the lease, in days, hours, and minutes
5. Use the “domain-name name” command in DHCP pool configuration mode to define the DNS domain name.
6. Use the “next-server ip-address” command in DHCP pool configuration mode to define the TFTP server IP address used by any hosts (like phones) that need a TFTP server.

The example below shows how to configure a DHCP server based on above steps:

ip dhcp excluded-address 172.16.1.1 172.16.1.50 
ip dhcp pool subnet-left
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1 
 dns-server 172.16.1.12
 lease 0 23 59   ! the lease time is 0 days, 23 hours and 59 minutes
 domain-name example.com
 next-server 172.16.2.5

Question 2

Drag and drop the wireless access-point components or features from the left onto the correct description on the right

Wireless_Access_Point_Components.jpg

 

Answer:

+ QBSS: beacon value that prevents VoIP calls from being transmitted on a network without enough bandwidth to support them
+ VLAN: destination for wireless traffic
+ Wireless Controller: provides centralized management for multiple access points
+ PoE: provides electrical power to connected devices without a wall plug
+ spectrum: communication frequency

Question 3

Drag and drop the TCP/IP protocols from the left onto the correct transmission protocols on the right.

TCP_UDP_Protocols_2.jpg

 

Answer:

TCP:
+ SMTP
+ Telnet
+ HTTP

UDP:
+ SNMP
+ DNS
+ RTP

Explanation

Real Time Transport Protocol (RTP) is a data transfer protocol designed specifically to exchange real-time sensitive, audio-visual data on IP-based networks. RTP is often used in Voice-over-IP telephony (VoIP telephony). RTP is fairly insensitive to packet loss, so it doesn’t require the reliability of TCP.

Question 4

Drag and drop the steps in the process of reloading a router without loading its running configuration from the left into the correct sequence on the right. Not all steps are used.

Reloading_router_process.jpg

Answer:

1: Power-cycle the router
2: Enter the break command
3: Enter the confreg 0x2142 command
4: Enter the reset command to reboot the router and ignore the saved configuration

Explanation

Step-by-Step Procedures (to reset your password on 2600 and 2800 Series Routers):

3. Use the power switch in order to turn off the router, and then turn the router back on.
4. Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMmon.
If the break sequence does not work, refer to Standard Break Key Sequence Combinations During Password Recovery for other key combinations.
5. Type confreg 0x2142 at the rommon 1> prompt in order to boot from Flash.
This step bypasses the startup configuration where the passwords are stored.
6. Type reset at the rommon 2> prompt.
The router reboots, but ignores the saved configuration.

Reference: https://www.cisco.com/c/en/us/support/docs/routers/2600-series-multiservice-platforms/22188-pswdrec-2600.html

Question 5

Drag and drop the DHCP configuration commands from the left onto the correct effects on the right.

DHCP_configuration_commands.jpg

Answer:

+ configure the default gateway: default-router 192.168.0.1
+ configure the name server: dns-server 192.168.0.10
+ configures the network ID and subnet mask: network 192.168.0.0 255.255.255.0
+ creates the LAN address space: ip dhcp pool HR
+ reserves IP addresses: ip dhcp excluded-address 192.168.0.1 192.168.0.10

Question 6

Drag and drop the steps in the process of configuring an ACL to allow web access from a server on the left into the correct sequence on the right. Not all steps are used.

Configure_ACL_Process.jpg

 

Answer:

1: Begin configuring an extended access list
2: Configure the permit tcp any eq http any statement
3: Apply the ip access-group command to the interface
4: Save the configuration.
(Not used 1): Begin configuring a standard access list
(Not used 2): Apply an access class to the interface

Explanation

This question requires allowing access on a specific port (HTTP), so we must use an extended ACL, not a standard ACL, which can only match on the source address.

The command “ip access-class” is only used when applying an ACL to a virtual terminal line (VTY) so it is not correct. Therefore we only have four suitable choices left.

But it seems something is not correct with the “permit tcp any eq http any” statement. With this command HTTP is considered the source port, not destination port. This command is only suitable when we want to drop the reply HTTP traffic from the web server (to the clients).

Note: When a client wants to connect to a web server, it uses the destination port of 80 but chooses a random source port.

Question 7

Which command can you enter to add VLAN 800 to an existing trunk without affecting other VLANs?

A. switchport trunk pruning vlan add 800
B. switchport trunk allowed vlan 800
C. switchport trunk native vlan 800
D. switchport trunk allowed vlan add 800

 

Answer: D

Explanation

The command “switchport trunk allowed vlan add <vlan-id>” adds a new VLAN to the VLANs already allowed on the trunk. For example, suppose our trunk currently allows VLANs 1, 4, 5, 9 and 12; then the command “switchport trunk allowed vlan add 10” will allow VLANs 1, 4, 5, 9, 10 and 12 on the trunk. Note that “switchport trunk allowed vlan 800” (without “add”) would replace the allowed list with VLAN 800 only, which is why answer B is wrong.

Question 8

Which purpose of a floating static route is true?

A. It disables dynamic routing.
B. It supersedes the route that is installed in the routing table.
C. It improves resiliency when an interface goes down.
D. It is used in the absence of a default route.

 

Answer: C

Explanation

Floating static routes are static routes that have an administrative distance (AD) greater than the AD of another static route or of a dynamic routing protocol. By default a static route has an AD of 1, so a floating static route must have an AD greater than 1. Because its manually configured AD is higher than that of the primary route, a floating static route is not installed in the routing table until the primary route fails.

Question 9

Which type of IPv6 address does the SLAAC process create?

A. link-local address
B. multicast address
C. anycast address
D. global address

 

Answer: D

Explanation

IPv6 stateless address autoconfiguration (SLAAC) is the native IPv6 method used to provide end hosts with an IPv6 address and default gateway information dynamically, without requiring DHCPv6 address allocation.

Stateless Address Auto-Configuration (SLAAC) proceeds as follows:
+ The host sends a Router Solicitation message.
+ The host waits for a Router Advertisement message.
+ The host takes the first 64 bits of the IPv6 prefix from the Router Advertisement message and combines them with the 64-bit EUI-64 interface identifier (in the case of Ethernet, this is created from the MAC address) to create a global unicast address (-> Answer D is correct). The host also uses the source IP address in the IP header of the Router Advertisement message as its default gateway.
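The host-side arithmetic of the last step, as an added Python example that is not part of the original page: the EUI-64 interface identifier is derived from a MAC address and joined to the /64 prefix from the Router Advertisement, and the RA's source address becomes the default gateway. The MAC, prefix and RA source address below are constructed sample values.

```python
import ipaddress

# Constructed sample input (not from the original page): the host's MAC address and the
# prefix plus link-local source address carried in the Router Advertisement it received.
SAMPLE_MAC = "00:1A:2B:3C:4D:5E"
SAMPLE_RA_PREFIX = "2001:db8:abcd:1::/64"
SAMPLE_RA_SOURCE = "fe80::1"


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC.

    The MAC is split into its OUI half and device half, 0xFFFE is inserted between
    them, and the universal/local bit (0x02 in the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit: a burned-in (universal) MAC yields a "universal" IID
    return int.from_bytes(eui, "big")


def slaac_address(ra_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 prefix from the RA (upper 64 bits) with the EUI-64 IID (lower 64 bits)."""
    net = ipaddress.IPv6Network(ra_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def slaac_result(ra_prefix: str, ra_source: str, mac: str) -> dict:
    """Everything the host ends up with after processing the RA: a link-local address
    built from FE80::/64, a global unicast address built from the advertised prefix,
    a check that it falls in the 2000::/3 global unicast block, and the RA source
    address as default gateway."""
    global_addr = slaac_address(ra_prefix, mac)
    return {
        "link_local": slaac_address("fe80::/64", mac),
        "global": global_addr,
        "global_is_2000_3": global_addr in ipaddress.IPv6Network("2000::/3"),
        "default_gateway": ipaddress.IPv6Address(ra_source),
    }


if __name__ == "__main__":
    for key, value in slaac_result(SAMPLE_RA_PREFIX, SAMPLE_RA_SOURCE, SAMPLE_MAC).items():
        print(f"{key}: {value}")
```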

Question 10

Which two IPv6 addresses are valid? (Choose two)

A. 2020::DBB::1337:0:5709:3670
B. 2000:::1
C. FF01::101
D. FE80:CD00::0:CDE:1227:0:211D:7790
E. 0001::1:1CD0:8665:9801:96C3:C409

 

Answer: C E

Explanation

Answer A is not correct because “::” may appear only once in an IPv6 address.

Answer B is not correct because it contains “:::”.

Answer D is not correct because FE80:CD00::0:CDE:1227:0:211D:7790 should be written FE80:CD00::CDE:1227:0:211D:7790 (the “::0:” is replaced by “::”).

Question 11

Which two differences between the OSI and TCP/IP networking models are true? (Choose two)

A. Only the TCP/IP model has a network interface layer.
B. The OSI model places the TCP protocol in the application layer.
C. Only the OSI model has seven layers.
D. Only the TCP/IP model has a session layer.
E. Only the TCP/IP model has six layers.

 

Answer: A C

Explanation

The picture below compares the two TCP/IP and OSI models:

OSI_TCP_IP_Comparison.jpg

Note: the Network Interface layer (or “Network Access Layer” in the picture above) corresponds to the Physical and Data Link layer in the OSI model. This layer deals with binary digits (0s and 1s) being transmitted across the network medium.

Question 12

Which step is first in the DHCP process between a DHCP client and a DHCP server?

A. The client sends a DHCP Request packet to the server.
B. The server sends a DHCP Offer packet to the client.
C. The client sends a DHCP Discover packet to the server.
D. The server sends a DHCP Ack packet to the client.

 

Answer: C

Explanation

Remember this order of DHCP messages: DORA (Discover -> Offer -> Request -> Ack). For more information of how DHCP messages are exchanged, please read our DHCP tutorial.

Question 13

Which feature is only supported by named access lists?

A. TCP flag filtering
B. destination-address filtering
C. logging
D. contiguous ports

 

Answer: A

Explanation

The ACL TCP Flags Filtering feature provides a flexible mechanism for filtering on TCP flags. Before this feature, an incoming packet was matched if any TCP flag in the packet matched a flag specified in the access control entry (ACE). This behavior allowed for a security loophole, because packets with all flags set could get past the access control list (ACL). TCP flag filtering can be used only with named, extended ACLs.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-data-acl-xe-3e-book/sec-create-filter-tcp.pdf

Question 14

Which type of server is the main authoritative server for DNS requests?

A. recursive resolver
B. root server
C. query server
D. stratum server

 

Answer: B

Explanation

All DNS servers fall into one of four categories: Recursive resolvers, root name servers, TLD name servers, and authoritative name servers. In a typical DNS lookup (when there is no caching in play), these four DNS servers work together in harmony to complete the task of delivering the IP address for a specified domain to the client (the client is usually a stub resolver – a simple resolver built into an operating system).

Reference: https://www.cloudflare.com/learning/dns/dns-server-types/

The root servers contain the information that makes up the root zone, which is the global list of top level domains. The root zone contains generic top level domains (such as .com, .net, and .org), country code top level domain (such as .se for Sweden or .no for Norway).

Question 15

Drag and drop the ping output characters from the left onto the correct meanings on the right.

ping_output_characters.jpg

 

Answer:

+ The destination is busy: Q
+ The destination is unreachable: U
+ The lifetime of the packet has been exceeded: &
+ The local router received a reply: !
+ The server timed out while waiting for a reply: .

Question 16

Which statement about IPv6 address denotation is true?

A. Any group of four zeroes can be omitted from the notation
B. Any group of two or more zeroes can be reduced to a single zero
C. All numbers must be annotated
D. The use of :: indicates a multicast address

 

Answer: B

Question 17

For which reason does a switch flood a frame to all ports?

A. The destination MAC address of the frame is unknown.
B. The source and destination MAC addresses of the frame are the same.
C. The frame has zero destination MAC addresses.
D. The source MAC address of the frame is unknown.

 

Answer: A

Question 18

Which banner is the first to be displayed when a user establishes a connection to a router?

A. the MOTD banner
B. the login banner
C. the incoming banner
D. the EXEC banner

 

Answer: A

ICND1v3 – New Questions Part 2

June 27th, 2019

Note: These new questions have not been classified into specific topics so please learn them separately.


Question 1

Drag and drop the Ethernet types from the left onto the correct service descriptions on the right.

Ethernet_Types.jpg

 

Answer:

+ provides 100 Mbps over copper segments up to 100 meters long: 100Base-TX
+ provides 100 Mbps over fiber segments up to 412 meters long: 100Base-FX
+ provides 10 Gbps over copper segments up to 100 meters long: 10GBase-T
+ provides 1 Gbps over fiber segments up to 550 meters long: 1000Base-SX
+ provides 1 Gbps over fiber segments up to 10 kilometers long: 1000Base-LX
+ provides 1 Gbps over copper segments up to 100 meters long: 1000Base-T

Explanation

First we need to understand the meaning behind each Ethernet type. Let’s take an example with 100Base-FX:
+ 100: represents the frequency in MHz (Mega Hertz) for which this cable is made. The greater the MHz, the greater the speed the cable can handle. In this example it is 100 MHz, which translates to 100 Mbit per second.
+ Base (in Ethernet standards): refers to baseband signalling, which uses the entire bandwidth of the cable to transmit a single signal. Therefore only one communication channel is available at any given time. This is the opposite of broadband, which shares the bandwidth of the cable.
+ TX/FX: The “T” refers to the “Twisted Pair” physical medium that carries the signal, so all “BASE-T…” types are copper. The “FX” means it is a two-strand fiber-optic cable and supports speeds up to 100 Mbps. Maximum length is usually up to two km.

100Base-TX (sometimes referred to as “T” only) is the IEEE standard that defines the requirements for sending information at 100 Mbps on unshielded twisted-pair (UTP) cabling. It uses two of the four available pairs within the UTP cable. It is also called Fast Ethernet. The maximum length of a 100Base-TX segment is 100 meters.

100Base-FX is simply Fast Ethernet over fiber. The maximum length of any segment of fiber-optic cabling connecting a station (computer) to a hub is 412 meters.

+ SX refers to Short-wavelength laser. It is a fiber optic Gigabit Ethernet standard for operation over multi-mode fiber using a 770 to 860 nanometer, near infrared (NIR) light wavelength. The standard specifies a distance capability between 220 meters and 550 meters.
+ LX refers to Long-wavelength laser. 1000BASE-LX can run over both single mode fiber and multimode fiber with a distance of up to 10 km (for single mode fiber) and 3km (for multimode fiber).
+ ZX refers to extended-wavelength laser. 1000BASE-ZX can only run in single mode fiber. The maximum length can be up to 100km

-> The frequency (in MHz) can be used to eliminate wrong options easily. For the rest we have to remember the maximum distance to solve this question:

Maximum distance: T (TX) (100 m) < FX (412 m) < SX (220 m to 550 m) < LX (3 km to 10 km) < ZX (over 10 km)

Question 2

Drag and drop the DHCP messages from the left into the correct sequence for a DHCP IP address request on the right.

DHCP_messages.jpg

 

Answer:

+ first: DHCPDISCOVER
+ second: DHCPOFFER
+ third: DHCPREQUEST
+ fourth: DHCPACK

Explanation

Remember this order of DHCP messages: DORA (Discover -> Offer -> Request -> Ack). For more information of how DHCP messages are exchanged, please read our DHCP tutorial.

Question 3

Drag and drop the descriptions of static routing or dynamic routing from the left onto the correct categories on the right.

Static_dynamic_routing.jpg

 

Answer:

Dynamic Routing:
+ able to use different routes depending on the current network topology
+ efficient as the network grows
+ less secure than other options for routing updates

Static Routing:
+ allows for highly secure routing updates
+ always uses the same route to the same destination
+ inefficient as the network grows

Question 4

You are configuring a default route on a Cisco router. Drag and drop the commands from the left into the correct sequence on the right. Not all commands are used.

Default_route.jpg

 

Answer:

+ first: enable
+ second: configure terminal
+ third: ip routing
+ fourth: ip route 0.0.0.0 0.0.0.0 10.20.20.1
+ fifth: exit

Question 5

Drag and drop the address blocks from the left onto the correct address types on the right.

IPv6_address_blocks.jpg

 

Answer:

+ global unicast: 2000::/3
+ link-local unicast: FE80::/10
+ multicast: FF00::/8
+ unique-local unicast: FC00::/8

Explanation

Below is the list of common kinds of IPv6 addresses:

Loopback address ::1
Link-local address FE80::/10
Site-local address FEC0::/10
Global address 2000::/3
Multicast address FF00::/8

Link-local addresses are only used for communications within the local subnetwork (automatic address configuration, neighbor discovery, router discovery, and many routing protocols). They are only valid on the current subnet. A link-local address is usually created dynamically from the link-local prefix FE80::/10 and a 64-bit interface identifier (based on the 48-bit MAC address).

A global unicast address is a globally unique address that is routed through the public Internet (equivalent to a public IPv4 address).

Unique-local unicast addresses (also known as site-local addresses) are analogous to IPv4’s private address classes.

Question 6

Drag and drop the show cdp commands from the left onto the output they generate on the right.

cdp_commands.jpg

 

Answer:

+ show cdp:
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

+ show cdp traffic:
CDP counters:
Total packets output: 19, Input: 16
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
No memory: 0, Invalid packet: 0, Fragmented: 0
CDP version 1 advertisements output: 0. Input: 0
CDP version 2 advertisements output: 19, Input: 16

+ show cdp neighbor detail:

Device ID: R2
Entry address(es):
   IP address: 192.168.1.2 
Platform: Cisco 7206VXR, Capabilities: Router 
Interface: Ethernet1/1, Port ID (outgoing port): Ethernet1/1 
Holdtime: 174 
Version:
Cisco IOS Software, 7200 Software (C7200-ADVTPSERVICESK9-M),
   Version 12.4(2)T, RELEASE SOFTWARE(fc1)
Advertisement version: 2
Duplex: Half

+ show cdp neighbor ethernet1/1:

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID   Local Interface   Holdtime   Capability   Platform   Port ID
R2          Eth 1/1           162        R            7206VXR    Eth 1/1

Question 7

You are updating the IOS on a Cisco router. Drag and drop the tasks from the left into the correct sequence on the right.

Update_IOS.jpg

 

Answer:

Step 1: Ensure that the router and the FTP server have connectivity to one another
Step 2: Copy the IOS image to the router
Step 3: Validate that the correct IOS image is stored in NVRAM
Step 4: Verify that the configuration register and boot variable are set correctly on the router
Step 5: Save the running configuration of the router
Step 6: Reload the router

Explanation

According to https://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/49044-sw-upgrade-proc-ram.html, the following steps should be performed to upgrade a Cisco IOS software image:

Step 1: Select a Cisco IOS Software Image
Step 2: Download the Cisco IOS Software Image to the TFTP Server
Step 3: Identify the File System to Copy the Image
Step 4: Prepare for the Upgrade
Step 5: Verify that the TFTP Server has IP Connectivity to the Router (equivalent to our Step 1)
Step 6: Copy IOS Image to the Router (equivalent to our Step 2)
Step 7: Verify the Cisco IOS Image in the File System (equivalent to our Step 3)
Step 8: Verify the Configuration Register (equivalent to our Step 4)
Step 9: Verify the Boot Variable (equivalent to our Step 4)
Step 10: Save the Configuration and Reload the Router (equivalent to our Step 5 & 6)
Step 11: Verify the Cisco IOS Upgrade (Verify that the router runs with the proper image)

Question 8

Drag and drop the components of a standard IPv4 access list entry from the left into the correct sequence on the right.

ACL_standard.jpg

 

Answer:

+ component 1: access-list
+ component 2: 10
+ component 3: permit
+ component 4: 192.168.1.0
+ component 5: 0.0.0.255
+ component 6: log

Explanation

The full command is “access-list 10 permit 192.168.1.0 0.0.0.255 log”. It allows packets with source IP addresses in the range of 192.168.1.0/24 and creates a log message to the device console. The first packet that the access list inspects triggers the access list to log a message at the device console. Subsequent packets are collected over 5-minute intervals before they are displayed or logged. Log messages include information about the access list number, the source IP address of packets, the number of packets from the same source that were permitted or denied in the previous 5-minute interval, and whether a packet was permitted or denied.
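As an added example (not code from the original page or from Cisco), the following Python evaluator applies a numbered standard ACL such as the one above to source addresses, using the wildcard-mask comparison a standard ACL performs and the first-match, implicit-deny behaviour. The "log" keyword is modelled by counting logged matches per source, mirroring the per-interval summary the explanation describes; the ACL lines and source addresses in the sample are constructed.

```python
import ipaddress
from collections import Counter

# Added example (not from the page): a small evaluator for numbered standard
# IPv4 ACLs of the form "access-list <n> permit|deny <source> [<wildcard>] [log]".
# Standard ACLs compare the source address only; "log" is modelled by counting
# matching packets per source, as the per-interval summary does.

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acl(lines):
    """Parse standard ACL statements into (number, action, address, wildcard, log) tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL statement: {line!r}")
        number, action = int(parts[1]), parts[2]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if parts[3] == "any":                      # matches every source
            addr, wild, rest = 0, 0xFFFFFFFF, parts[4:]
        elif parts[3] == "host":                   # single host, wildcard 0.0.0.0
            addr, wild, rest = ip_to_int(parts[4]), 0, parts[5:]
        else:
            addr = ip_to_int(parts[3])
            if len(parts) > 4 and parts[4] != "log":
                wild, rest = ip_to_int(parts[4]), parts[5:]
            else:                                  # omitted wildcard means an exact host
                wild, rest = 0, parts[4:]
        entries.append((number, action, addr, wild, "log" in rest))
    return entries

def matches(entry, src):
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'do not care'."""
    _, _, addr, wild, _ = entry
    care = ~wild & 0xFFFFFFFF
    return (ip_to_int(src) & care) == (addr & care)

def evaluate(entries, src):
    """First matching entry wins; the implicit 'deny any' applies when nothing matches."""
    for entry in entries:
        if matches(entry, src):
            return entry[1], entry[4]
    return "deny", False

def log_summary(entries, sources):
    """Count packets per (source, action) for entries carrying 'log', like the
    per-interval summary the text describes. Unlogged matches are not counted."""
    counts = Counter()
    for src in sources:
        action, logged = evaluate(entries, src)
        if logged:
            counts[(src, action)] += 1
    return dict(counts)

# Constructed sample ACL (the second line is the one from the question).
SAMPLE_ACL = parse_standard_acl([
    "access-list 10 deny host 192.168.1.200 log",
    "access-list 10 permit 192.168.1.0 0.0.0.255 log",
])
```

Entry order matters: the deny for the single host is listed first, so it is matched before the broader permit; reversing the two lines would silently permit that host.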

Question 9

Drag and drop the VTP terms from the left onto the correct descriptions on the right.

VTP_terms.jpg

 

Answer:

+ enables the administrator to set the VTP version for all switches in the domain: VTP server mode
+ forwards VTP advertisements out of a trunk port: VTP transparent mode
+ operates without the ability to delete VLANs: VTP client mode
+ removes VTP information from unknown unicast traffic on the VLAN: VTP pruning
+ supports Ethernet VLANs only: VTP version 1

Explanation

VTPv1 and VTPv2 support only VLANs 1 to 1000 (the so-called Ethernet VLANs).

Question 10

A host is sending packets to a router. Drag and drop the steps in the packet-handling process from the left into the correct sequence on the right.

Packet_Handling_Process.jpg

 

Answer:

+ Step 1: The packet is created
+ Step 2: A frame encapsulates the packet
+ Step 3: The destination IP address is checked
+ Step 4: The frame is transmitted
+ Step 5: The packet is extracted from the frame
+ Step 6: The packet is forwarded to the exit interface

Explanation

Steps 1 to 4 describe how the packet is sent from the host: on the host side, data is encapsulated from Layer 7 down to Layer 1, so at Layer 3 the packet is created and at Layer 2 a frame encapsulates the packet. The destination IP address is checked before the frame is transmitted to the router.

In step 5, the frame arrives at the router and the router extracts the packet from the frame. Finally the packet is forwarded to the appropriate exit interface. Many steps were omitted between steps 5 and 6, so this question is difficult to interpret.

Question 11

Drag and drop the OSI model layers from the left onto the correct TCP/IP model layers on the right.

OSI_vs_TCPIP.jpg

 

Answer:

+ application layer: session layer
+ internet layer: network layer
+ link layer: physical layer
+ TCP/UDP layer: transport layer

Explanation

The Internet Layer in TCP/IP Model is equivalent to the Network Layer of the OSI Model.

OSI_TCP_IP_Comparison.jpg

Question 12

Drag and drop the routing protocols from the left onto the default administrative distances on the right.

Default_Administrative_Distance.jpg

 

Answer:

+ 0: connected
+ 120: RIP
+ 1: static
+ 90: EIGRP
+ 110: OSPF

Question 13

Drag and drop the VLAN port membership modes from the left onto the correct descriptions on the right.

VLAN_port_membership.jpg

 

Answer:

+ manual configuration that allows the access port to belong to exactly one VLAN: static-access
+ allows the port to belong to one or more VLANs: trunk
+ allows the port to be assigned automatically to exactly one VLAN: dynamic-access
+ allows the port to support a single VLAN across a service-provider network: tunnel
+ configures the port to communicate only with a community port: private VLAN

Question 14

Drag and drop the IOS commands from a RIP router from the left onto the correct effects on the right.

RIP_commands.jpg

 

Answer:

+ configures the device to listen to broadcasts to learn routes: version 1
+ configures the device to listen to routes from both multicast and broadcast but does not send any: passive-interface
+ configures the device to send multicast updates: version 2
+ configures the device to send unicast route updates to a specific destination: neighbor
+ controls the number of routes to a specific destination that the device supports: maximum-paths
+ sets the route broadcast interval on the device: timers

Question 15

Drag and drop the DNS-lookup configuration commands from the left onto the correct effects on the right.

DNS_lookup_configuration.jpg

 

Answer:

+ adds an entry to the host table: ip host switch_1 192.168.0.1
+ completes the FQDN of the DNS server: ip domain-name
+ displays address-mapping information: show hosts
+ enables host-to-IP-address translation: ip domain-lookup
+ specifies the IP address of the DNS server: ip name-server

Explanation

The command “ip name-server <IP address>” specifies the address of one or more name servers.
The command “ip domain-name” defines a default domain name that is used to complete unqualified host names. For example, if we define “ip domain-name 9tut.net”, then a query for host3 on this router is resolved as host3.9tut.net.
The command “ip domain-lookup” enables DNS lookup feature (DNS-based host name-to-address translation). This command is enabled by default.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/24182-reversedns.html

The command “ip host” defines a static hostname-to-address mapping in the hostname cache. For example, if we define “ip host sw1 192.168.1.1”, then we can ping Sw1 with the command “ping sw1” (or telnet or traceroute to it, e.g. “telnet sw1”), which is easier to remember than the “ping 192.168.1.1” command.

The following example shows how to configure the DNS server lookup feature:
Switch(config)#ip domain-name 9tut
Switch(config)#ip name-server 192.1.0.1
Switch(config)#ip domain-lookup //Note: this command is enabled by default

Note: A fully qualified domain name (FQDN) is an unambiguous domain name that specifies the exact location in the Domain Name System’s tree hierarchy through to a top-level domain and finally to the root domain. Technically, a FQDN has a trailing dot. For example: router3.9tut.net

The “show hosts” command displays the cached DNS name servers and domain names. For example:

router# show hosts
Default domain is 9tut.net
Name/address lookup uses domain service
Name servers are 255.255.255.255
Host              Flags        Age(hr)   Type       Address(es)
host1.9tut.net   (temp, OK)    1         IP         192.168.1.10
abc              (perm, OK)    0         IP         10.0.0.0 10.0.0.2 10.0.0.3

Question 16

Drag and drop the logging types from the left onto the correct descriptions on the right. Not all logging types are used.

Logging_types.jpg

 

Answer:

+ deletes old log messages to prevent the RAM consumption from exceeding a specified limit: buffered logging
+ displays logs to users who are physically connected to the device: console logging
+ displays logs to users who are remotely connected to the device: terminal logging
+ exports logs to a remote device: syslog server logging

Explanation

Console logging: By default, the router sends all log messages to its console port. Hence only the users that are physically connected to the router console port can view these messages.

Terminal logging: It is similar to console logging, but it displays log messages to the router’s VTY lines instead. This is not enabled by default.

Buffered logging: This type of logging uses router’s RAM for storing log messages. Buffer has a fixed size to ensure that the log will not deplete valuable system memory. The router accomplishes this by deleting old messages from the buffer as new messages are added.

Syslog Server logging: The router can use syslog to forward log messages to external syslog servers for storage. This type of logging is not enabled by default.

Question 17

Refer to the exhibit. Drag and drop the TCP header fields from the left into the correct positions on the right.

tcp-header-field_columns.jpg

TCP_Header_Fields.jpg

 

Answer:

+ position A: source port
+ position B: destination port
+ position C: sequence number
+ position D : acknowledgement number
+ position E: checksum
+ position F: data

Explanation

tcp-header-fields-notation.jpg

Question 18

Drag and drop the logging configuration commands from the left onto the logging locations they configure on the right.

Logging_Commands.jpg

 

Answer:

+ syslog server: logging host
+ VTY session: terminal monitor
+ console: logging console
+ internal buffer: logging buffered

Explanation

Console logging: By default, the router sends all log messages to its console port. Hence only the users that are physically connected to the router console port can view these messages. If the console logging is disabled for some reasons, we can enable it again with the “logging console” command. By default, the console receives debugging messages and numerically lower levels. If we want to change the level, we can use the “logging console level” command.

The command “terminal monitor” makes logging messages appear on your current terminal (VTY) session.

Buffered logging: This type of logging uses router’s RAM for storing log messages. Buffer has a fixed size to ensure that the log will not deplete valuable system memory. The router accomplishes this by deleting old messages from the buffer as new messages are added.

Syslog Server (logging): The router can use syslog to forward log messages to external syslog servers for storage. This type of logging is not enabled by default.

Question 19

Drag and drop the DNS lookup commands from the left onto the correct effects on the right.

DNS_commands.jpg

Answer:

+ enables the DNS server on the device: ip name-server
+ specifies a sequence of domain names: ip domain-list
+ enables DNS lookup on an individual interface: ip domain lookup source-interface
+ specifies the default domain to append to unqualified host names: ip domain-name
+ statically maps an IP address to a host name: ip host
+ identifies a DNS server to provide lookup service: ip dns-server

Explanation

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-mt/dns-15-mt-book/dns-config-dns.html

Question 20

Drag and drop the DHCP client states from the left into the standard order in which the client passes through them on the right.

DHCP_Client_States.jpg

Answer:

initializing – first
selecting – second
requesting – third
bound (binding)– fourth
renewing – fifth
rebinding – sixth

Reference: https://technet.microsoft.com/en-us/library/cc958935.aspx

Question 21

Drag and drop the PDUs from the left onto the correct TCP/IP layers on the right.

OSI_PDU.jpg

 

Answer:

+ application layer: data
+ data link layer: frames
+ network layer: packets
+ physical layer: bits
+ transport layer: segments

Question 22

Drag and drop the route source codes in a routing table from the left onto the correct meanings on the right.

Route_source_codes.jpg

 

Answer:

+ directly connected network: C
+ manually configured static route: S
+ route learned dynamically by EIGRP: D
+ route learned dynamically by IGRP: I
+ route learned dynamically by IS-IS: i
+ route learned dynamically by OSPF: O

Explanation

The symbol of EIGRP routes is “D”, not “E” because “E” has been used for Exterior Gateway Protocol (EGP), which is the BGP predecessor. But the support for EGP has been removed since Cisco IOS 12.2T.

Question 23

Drag and drop the IEEE standard Cable names from the left onto the correct cable types on the right.

Cable_Types_3.jpg

Answer:

Copper:
+ 10BASE-T
+ 100BASE-TX
+ 10GBASE-T

Fiber:
+ 10GBASE-LR
+ 1000BASE-LX
+ 1000BASE-SC

Explanation

The letter “T” stands for “twisted pair”, so all “BASE-T…” types run over copper cable.

Question 24

Drag and drop the benefits of a Cisco wireless Lan controller from the left onto the correct examples on the right.

Wireless_LAN_controller.jpg

 

Answer:

+ Access points automatically adjust their signal strength: Dynamic RF Feature
+ The controller image is deployed automatically to access points: Easy upgrade process
+ The controller provides centralized management of users and VLANs: Easy Deployment Process
+ The controller uses load balancing to maximize throughput: Optimized user performance

Question 25

Drag and Drop the protocols from the left onto the correct IP traffic types on the right.

TCP_UDP_Protocols.jpg

 

Answer:

TCP:
+ SMTP
+ Telnet
+ HTTP

UDP:
+ SNMP
+ DHCP
+ VoIP

Explanation

In this question we should remember that Simple Mail Transfer Protocol (SMTP) runs over TCP because email delivery must be reliable.

Question 26

Drag and drop the IPv6 addresses from the left onto the correct types on the right

IPv6_addresses.jpg

 

Answer:

+ Modified EUI-64: DB:FC:93:FF:FE:D8:05:0A
+ multicast: FF01::1
+ unicast: 2020:10D8:0:0:85:800:52:7348
+ unspecified: ::

Question 27

Drag and drop the values in a routing table from the left onto the correct meanings on the right

Routing_tables_values.jpg

 

Answer:

+ Administrative distance: indicator of the trustworthiness of the route
+ Destination network: remote network address
+ Metric: value used by the router to determine the preferred route
+ Next hop: network to which the router forwards packets on the associated route
+ Route source: code that indicates the method by which the router learned the route

Question 28

Drag and drop the switching concepts from the left onto the correct descriptions on the right.

MAC_Learning.jpg

 

Answer:

+ Dynamic MAC address: MAC that is learned by the switch through normal traffic
+ MAC ACL: feature that determines whether incoming traffic will be allowed
+ MAC address table: associates a learned MAC address with its connected interface
+ MAC learning: adding a previously unknown MAC into the address table
+ MAC aging: removing an inactive MAC after a specified time
+ Static MAC: MAC address that remains in the MAC address table after reboot

Question 29

Refer to the exhibit. Router R4 is reachable from Router R3. Which two scenarios would prevent the subnet 172.16.2.0/24 from being added to the routing table on router R3? (Choose two)

RIP_Routing_table.jpg

R3#show ip route
Gateway of last resort is not set
C  192.168.4.0/24 is directly connected, Ethernet1/2 
R  192.168.1.0/24 [120/1] via 192.168.3.1, 00:00:09, Ethernet1/0 
C  192.168.2.0/24 is directly connected, Ethernet1/1 
C  192.168.3.0/24 is directly connected, Ethernet1/0 
R3#ping 192.168.4.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68

A. Router R4 is running RIPv1 instead of RIPv2.
B. Network updates are looping around routers R1, R2, and R3.
C. The subnet uses a loopback interface.
D. Routers R3 and R4 are running different versions of RIP.
E. The subnet uses a classless network.
F. Router R3 has split horizon enabled.

 

Answer: A D

Explanation

Remember that a RIPv2 device can understand RIPv1 updates but not vice versa, so:
+ If R3 runs RIPv1 and R4 runs RIPv2, then R3 cannot understand R4 and ignores all RIPv2 updates sent from R4.
+ If R3 runs RIPv2 and R4 runs RIPv1, then R4 can only advertise the major network 172.16.0.0/24, so R3 learns only that major network, not the subnet 172.16.2.0/24 (-> Answer A is correct).

In both cases the routers run different versions of RIP -> Answer D is correct.

Question 30

Which address scheme is used to route traffic to the public Internet?

A. 2000::/3
B. 172.30.1.0/24
C. FC00::/7
D. 192.168.10.0/24

 

Answer: A

Explanation

All IPv6 global unicast addresses fall within 2000::/3, so an IPv6 address must belong to this range to be routed on the public Internet.

Question 31

Which IP address is the broadcast address for subnet 172.16.0.0/19?

A. 172.16.0.255
B. 172.16.31.255
C. 172.16.32.255
D. 172.31.255.255

 

Answer: B

Explanation

Increment: 32 (/19 is 1110 0000 at 3rd octet)
Network address: 172.16.0.0
Broadcast address: 172.16.31.255
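As an added example (not from the original page), the following Python function carries out the calculation above with bit arithmetic for any IPv4 prefix: it derives the mask, the "interesting" octet and its increment, and the network and broadcast addresses, and it generalizes beyond the /19 case in the question. The second address used in the usage note is constructed.

```python
import ipaddress

# Added example (not from the page): compute the block size ("increment"),
# network and broadcast addresses for an IPv4 prefix with the bit arithmetic
# that the explanation above applies by hand.

def ipv4_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def int_to_ipv4(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def subnet_info(cidr):
    """Describe the subnet containing the given address/prefix, e.g. '172.16.0.0/19'."""
    addr, prefixlen = cidr.split("/")
    plen = int(prefixlen)
    if not 1 <= plen <= 32:
        raise ValueError("prefix length must be between 1 and 32")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    network = ipv4_to_int(addr) & mask              # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)      # host bits all set to 1
    # The "interesting" octet is the one in which the mask boundary falls; the
    # increment is the value of the last network bit within that octet.
    octet_index = (plen - 1) // 8                   # 0-based
    network_bits_in_octet = plen - 8 * octet_index
    increment = 2 ** (8 - network_bits_in_octet)
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021).
    usable = 2 ** (32 - plen) - 2 if plen <= 30 else 2 ** (32 - plen)
    return {
        "mask": int_to_ipv4(mask),
        "network": int_to_ipv4(network),
        "broadcast": int_to_ipv4(broadcast),
        "interesting_octet": octet_index + 1,       # 1-based, as octets are usually counted
        "increment": increment,
        "next_subnet": int_to_ipv4(broadcast + 1),
        "usable_hosts": usable,
    }
```

Usage: subnet_info("172.16.0.0/19") reports the increment 32 in the third octet and the broadcast 172.16.31.255 from the question, while subnet_info("192.168.1.77/26") shows the same method for a host address inside a /26 block.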

Question 32

Refer to the exhibit.

frame_rewrite_place.jpg

If host A is sending packets to host B, where does the Layer 2 frame rewrite occur?

A. on the router before it forwards the packet to host B
B. on host B when it receives the packet from the router
C. on the router when it receives the packet from host A
D. on host A before it sends the packet toward the router

 

Answer: A

Explanation

Before forwarding the packet to Host B, router R1 rewrites both the source and destination MAC addresses: the new source MAC is the MAC address of R1's exit interface and the new destination MAC is the MAC address of Host B.

Question 33

Which condition is most important to support the use of syslog messages for troubleshooting?

A. Messages are logged to a UNIX-based server.
B. The router has a large internal buffer space.
C. NTP is in use to ensure accurate timestamps.
D. Messages are logged to a Cisco UCS Server.

 

Answer: C

Explanation

We have to configure Network Time Protocol (NTP) so that each syslog message is recorded with the correct time which can help us to identify the problem more easily.

Question 34

Which value in a routing table entry represents the subnet mask?

A. prefix length
B. route source code
C. administrative distance
D. next-hop

 

Answer: A

Explanation

The prefix length in the routing table, for example: 192.168.1.0/24, helps us indicate the subnet mask (in this case /24 is equivalent to the subnet mask of 255.255.255.0).

Question 35

Which statement about port security is true?

A. It is not supported on private VLANs.
B. It can be configured on SPAN destination ports.
C. The default port security configuration allows for a maximum of 10 MAC addresses.
D. In sticky mode, the port retains dynamically-learned addresses during a link failure.

 

Answer: D

Explanation

The “sticky” keyword (in the command switchport port-security mac-address sticky [MAC]) makes dynamically learned MAC addresses appear in the running configuration, so the port retains them even during a link failure. But if we don't save them to the startup configuration before rebooting, they will be lost.

Question 36

Which configuration register value do you enter on a device to bypass the startup configuration?

A. 0x2102
B. 0x2120
C. 0x2124
D. 0x2142

 

Answer: D

Explanation

By changing the configuration register to 0x2142, when that router reboots it will bypass the startup-config and no password is required.

Question 37

Which two DNS record types are currently supported? (Choose two)

A. NIL
B. A
C. MX
D. B
E. ACK

 

Answer: B C

Explanation

Commonly used record types:
+ A (Host address)
+ AAAA (IPv6 host address)
+ ALIAS (Auto resolved alias)
+ CNAME (Canonical name for an alias)
+ MX (Mail eXchange)
+ NS (Name Server)
+ PTR (Pointer)
+ SOA (Start Of Authority)
+ SRV (location of service)
+ TXT (Descriptive text)

Question 38

Which command can you enter to forward DHCP requests to a server on behalf of a client on a different network?

A. service dhcp
B. network 192.168.100.0 255.255.255.0
C. ip helper-address address
D. ip dhcp-pool pool_name

 

Answer: C

Explanation

If the DHCP Server is not on the same subnet with the DHCP Client, we need to configure the router on the DHCP client side to act as a DHCP Relay Agent so that it can forward DHCP messages between the DHCP Client & DHCP Server. To make a router a DHCP Relay Agent, simply put the “ip helper-address <IP-address-of-DHCP-Server>” command under the interface that receives the DHCP messages from the DHCP Client.

DHCP_Relay_Agent.jpg

Question 39

Which statement about device security is true?

A. A router can have a maximum of two passwords configured
B. The password you configure is encrypted in the running configuration by default
C. The enable password must be used before the enable secret password
D. If an encrypted password is lost, the NVRAM configuration must be ignored on boot

 

Answer: D

Explanation

NVRAM holds the router's startup configuration file. Therefore, if we forget the password of the device, we should ignore the NVRAM configuration on boot. We usually do this by changing the configuration register to 0x2142.

Question 40

Which option can be used in case a backup route is required in the routing table?

A. floating static route
B. No extra configuration is required.
C. next hop
D. route distribution

 

Answer: A

Explanation

Floating static routes are static routes that have an administrative distance (AD) greater than that of another static route or of dynamic routes. By default a static route has an AD of 1, so a floating static route must be configured with an AD greater than 1. Because its manually configured AD is greater than that of the primary route, the floating static route is not installed in the routing table until the primary route fails.
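The following Python model, added here as an example and not taken from the page or from Cisco IOS, ties together the routing-table values from Questions 12, 27, 34 and 40: per prefix, the candidate with the lowest administrative distance (then lowest metric) is installed; a lookup picks the longest matching prefix; and a floating static route with a higher AD takes over only when the primary route disappears. The route source codes and default ADs are the ones listed above; the prefixes, next hops and metric values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the page): which candidate route is installed per
# prefix (lowest AD, then lowest metric), how a floating static route takes
# over when the primary route is withdrawn, and longest-prefix lookup.
DEFAULT_AD = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120}

@dataclass(frozen=True)
class Route:
    code: str                  # route source code as printed by "show ip route"
    prefix: str                # destination network, e.g. "10.0.0.0/24"
    next_hop: str
    metric: int = 0
    ad: Optional[int] = None   # explicit AD (floating static); None = default for the code

def admin_distance(route):
    return route.ad if route.ad is not None else DEFAULT_AD[route.code]

def build_table(candidates):
    """Keep, for each prefix, the candidate with the lowest (AD, metric) pair."""
    table = {}
    for route in candidates:
        key = str(ipaddress.ip_network(route.prefix, strict=True))
        current = table.get(key)
        if current is None or (admin_distance(route), route.metric) < (admin_distance(current), current.metric):
            table[key] = route
    return table

def lookup(table, destination):
    """Longest-prefix match: the most specific installed prefix containing the address."""
    addr = ipaddress.ip_address(destination)
    best = None
    for key, route in table.items():
        net = ipaddress.ip_network(key)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None

# Constructed scenario (not from the page): an EIGRP-learned route to 10.0.0.0/24
# plus a floating static route to the same prefix with AD 200 via a backup link.
PRIMARY = Route("D", "10.0.0.0/24", "192.168.12.2", metric=30720)
FLOATING = Route("S", "10.0.0.0/24", "192.168.13.2", ad=200)
DEFAULT = Route("S", "0.0.0.0/0", "203.0.113.1")          # ordinary static default route, AD 1
CONNECTED = Route("C", "192.168.12.0/24", "directly connected")

def failover_demo():
    """Return the routes used for 10.0.0.5 before and after the EIGRP route is lost."""
    before = build_table([PRIMARY, FLOATING, DEFAULT, CONNECTED])
    after = build_table([FLOATING, DEFAULT, CONNECTED])   # EIGRP neighbor went down
    return lookup(before, "10.0.0.5"), lookup(after, "10.0.0.5")
```

While the EIGRP route exists, the floating static route is held back even though both point at the same prefix; once the EIGRP candidate is gone, the static route with AD 200 becomes the only candidate and is installed, so traffic for 10.0.0.5 follows the backup next hop instead of falling through to the default route.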

Question 41

Which two features are supported with SLAAC? (Choose two)

A. Duplicate IPv6 addresses are detected.
B. The first 64 bits of a device IPv6 address can be calculated automatically from its MAC address.
C. IPv6 address have an infinite lifetime by default.
D. Router advertisements can track lifetime timers.
E. Globally-routed paths are preferred over equal-cost link-local paths.

 

Answer: A D

Explanation

IPv6 stateless address autoconfiguration (SLAAC) is the native IPv6 method used to provide end hosts with IPv6 address and default gateway information dynamically without requiring DHCPv6 address allocation.

Stateless Address Auto-Configuration (SLAAC) works as follows:
+ The host sends a Router Solicitation message.
+ The host waits for a Router Advertisement message.
+ The host takes the 64-bit IPv6 prefix from the Router Advertisement message and combines it with its 64-bit EUI-64 interface identifier (on Ethernet, created from the MAC address) to form a global unicast address; the MAC address therefore supplies the last 64 bits, not the first 64 (-> Answer B is not correct). The host also uses the source IP address in the IP header of the Router Advertisement message as its default gateway.
+ Duplicate Address Detection is performed by IPv6 clients to ensure that random addresses that are picked do not collide with those of other clients.
+ The choice of algorithm is up to the client and is often configurable.

Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_0101011.html

The Router Lifetime field in the Router advertisement (RA) can track lifetime timers.

Question 42a

Which IPv4 address type is used to communicate with all hosts on a subnet?

A. broadcast
B. link-local
C. anycast
D. multicast

 

Answer: A

Question 42b

Which IPv4 address type can reach each node on a network?

A. unicast
B. anycast
C. broadcast
D. multicast

 

Answer: C

Question 43

Which VLAN ID is reserved?

A. 1
B. 1002
C. 1006
D. 4094

 

Answer: B

Explanation

VLANs 1002-1005 are default VLANs for FDDI & Token Ring. They are reserved and cannot be deleted or used for Ethernet.

show_vlan.jpg

Question 44

An administrator is in the process of changing the configuration of a router. What command will allow the administrator to check the changes that have been made prior to saving the new configuration?

A. Router# show startup-config
B. Router(config)# show running-config
C. Router# show running-config
D. Router# show running-config changes

 

Answer: C

Question 45

Which step is needed to configure SSH on a switch?

A. Configuring an IP domain name.
B. Configuring RSTP.
C. Configuring an SNMP community string.
D. Configuring Telnet on a VTY line.

Answer: A

Explanation

There are four steps required to enable SSH support on a Cisco IOS router:
1. Configure the hostname command.
2. Configure the DNS domain.
3. Generate the SSH key to be used.
4. Enable SSH transport support for the virtual type terminal (vtys).

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html

Question 46a

You attempt to ping a remote device by name from a PC, and the ping operation fails and returns the error message “Ping request could not find host.” You verify that the router DHCP pool is configured with a name server. What are two possible reasons for the problem? (Choose two)

A. The DNS server is not reachable.
B. The PC network interface card device driver is missing.
C. The host that must be resolved does not exist.
D. The subnet mask of the DHCP pool is incorrect.
E. The DHCP server cannot provide an address to the PC.

 

Answer: A C

Explanation

Since we ping by name, a working DNS server is required. Therefore, if the ping fails, either the DNS server or the remote device may be down or unreachable.

Question 46b

Refer to the exhibit.

% Unrecognized host or address, or protocol not running

You ping a remote device by name from a router, and the ping operation returns this response. What are two reasons for this problem? (Choose two)

A. An ACL on the router blocked the ping.
B. A firewall blocked the ping.
C. The DNS server database does not include a record for the name.
D. The router is blacklisted by the DNS server.
E. Only one DNS server is configured on the router.

Answer: C D

Question 47

Which value does an IPv6 host use to create an EUI-64?

A. the MAC address
B. the OSPFv6 router ID
C. the IPv6 address
D. the IPv4 address

 

Answer: A

Explanation

Extended Unique Identifier (EUI) allows a host to assign itself a unique 64-bit IPv6 interface identifier (EUI-64). This feature is a key benefit over IPv4 because it eliminates the need for manual configuration or DHCP. The IPv6 EUI-64 format address is derived from the 48-bit MAC address. The MAC address is first split into two 24-bit halves, the OUI (Organizationally Unique Identifier) and the NIC-specific part. The 16-bit value 0xFFFE is then inserted between these two halves to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value that can only appear in an EUI-64 generated from an EUI-48 MAC address.

For example, suppose we have the MAC address of C601.420F.0007. It would be divided into two 24-bit parts, which are “C60142” (OUI) and “0F0007” (NIC). Then “FFFE” is inserted in the middle. Therefore we have the address: C601.42FF.FE0F.0007.

Then, according to RFC 3513, we need to invert the Universal/Local bit (“U/L” bit), the 7th bit of the first octet (the 0x02 bit). In the resulting modified EUI-64, the “u” bit is set to 1 to indicate a universally administered address and to zero (0) to indicate local scope. Here the first octet C6 (1100 0110) has that bit set, so inverting it gives C4 (1100 0100).

Therefore with the subnet 2001:DB8:0:1::/64, the full IPv6 address is 2001:DB8:0:1:C401:42FF:FE0F:7/64.
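The EUI-64 derivation above and the SLAAC address formation from Question 41 in code, added here as an example (not from the original page): it splits the MAC, inserts FF:FE, inverts the U/L bit, combines the interface ID with a /64 prefix, and also recovers the MAC from such an address, which is why EUI-64 identifiers are a privacy consideration for defenders. The MAC C601.420F.0007 and prefix 2001:DB8:0:1::/64 are the ones used above; the other inputs in the tests are constructed.

```python
import ipaddress

# Added example (not from the page): build a modified EUI-64 interface ID from
# a MAC address, combine it with a /64 prefix as SLAAC does, and recover the
# MAC from such an address.

def mac_bytes(mac):
    """Accept 'C601.420F.0007', 'c6:01:42:0f:00:07' or 'c6-01-42-0f-00-07'."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)

def modified_eui64(mac):
    """Split the MAC into OUI and NIC halves, insert FF:FE, and invert the U/L bit."""
    m = mac_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02          # U/L bit: 7th bit of the first octet, inverted per RFC 3513/4291
    return bytes(iid)

def eui64_hex(mac):
    """Render the interface ID as four hextets, e.g. 'C401:42FF:FE0F:0007'."""
    iid = modified_eui64(mac)
    return ":".join(iid[i:i + 2].hex().upper() for i in range(0, 8, 2))

def slaac_address(prefix, mac):
    """The RA prefix supplies the top 64 bits; the modified EUI-64 supplies the bottom 64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def mac_from_eui64_address(address):
    """Return the embedded MAC if the interface ID carries the FF:FE marker, else None.
    EUI-64 addresses expose the hardware address to anyone who sees the IPv6 address."""
    packed = ipaddress.IPv6Address(address).packed
    iid = bytearray(packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02          # undo the U/L inversion
    raw = bytes(iid[:3] + iid[5:])
    return ":".join(f"{b:02x}" for b in raw)
```

Because the FF:FE marker and the embedded OUI identify the hardware vendor and the specific interface, hosts that care about tracking typically use privacy (temporary) or stable-random interface IDs instead; the Duplicate Address Detection step in SLAAC applies to either kind.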

Question 48

Which protocol does a Cisco IP phone use to identify the voice VLAN?

A. CDP
B. LDAP
C. SIP
D. COS

 

Answer: A

Explanation

Cisco IP phones use Cisco Discovery Protocol (CDP) to learn which VLAN to use for voice.
Note: A voice VLAN is just an ordinary VLAN, but in the access-port configuration you can specify that it is dedicated to voice traffic.

Question 49

You ping a remote device by name from a router, and the router you are using immediately displays a new prompt. What are two possible reasons for the problem? (Choose two)

A. The IP address of the remote device is listed in multiple ip host statements in the router configuration.
B. The ACL on the router blocked the ping.
C. The DNS server configuration on the router is missing.
D. The DNS server is unreachable.
E. The no ip domain-lookup command is configured on the router.

 

Answer: C E

Question 50

Which three statements about a meshed topology are true? (Choose three)

A. Every core device is connected to a distribution device.
B. Each access switch must be connected to at least one upstream distribution device and at least one core device.
C. Each distribution device is connected to exactly one core device.
D. Each access switch must be connected to exactly one upstream distribution device.
E. Every upstream distribution device is connected to an access switch.
F. Each access switch must be connected to at least two upstream distribution devices.

 

Answer: A E F

Explanation

This question refers to a hierarchical, meshed topology, as shown below:

meshed_topology.jpg

Note: Hierarchical network design has three layers: core, distribution, and access

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html

Question 51

Which two fields are included in an Ethernet header? (Choose two)

A. source MAC address
B. destination IP address
C. payload
D. Ether Type
E. source IP address

 

Answer: A D

Explanation

Below is the Ethernet frame format which includes source MAC address and (Ether) type:

Ethernet802.3_Frame_Format.jpg

Question 52

Refer to the exhibit.

DHCP_Relay_Agent.jpg

Which interface must be configured as the DHCP relay agent so that host A can receive an IP address from the DHCP server?

A. 1
B. 2
C. 3
D. 4
E. 5

 

Answer: C

Explanation

If the DHCP Server is not on the same subnet with the DHCP Client, we need to configure the router on the DHCP client side to act as a DHCP Relay Agent so that it can forward DHCP messages between the DHCP Client & DHCP Server. To make a router a DHCP Relay Agent, simply put the “ip helper-address <IP-address-of-DHCP-Server>” command under the interface that receives the DHCP messages from the DHCP Client.

DHCP_Relay_Agent.jpg

Question 53

Which two network device types perform the translation of internal IP addresses to external IP addresses? (Choose two)

A. ACS
B. routers
C. bridges
D. WLCs
E. firewalls

 

Answer: B E

Question 54

Which two fields are used in TCP and UDP headers? (Choose two)

A. urgent pointer
B. ACK number
C. checksum
D. length
E. padding

 

Answer: C D

Explanation

The TCP and UDP headers are shown below:

TCP_Header.jpg

UDP_Header.jpg

As we can see, the UDP header is very simple with only 4 fields: source port, destination port, length and checksum. The last two fields are also present in the TCP header. The UDP length field is the size (in bytes) of the UDP header plus the encapsulated data.
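As an added example (not from the original page), the following Python code builds, parses and verifies a UDP segment: it shows the four header fields, that the length field covers header plus data, and how the checksum is computed over the IPv4 pseudo-header so that a receiver can detect corruption of the ports, length or payload. The addresses, ports and payload are constructed.

```python
import socket
import struct

# Added example (not from the page): build, parse and verify a UDP header.
UDP_HEADER = struct.Struct("!HHHH")   # sport, dport, length, checksum (network byte order)

def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, udp_length):
    """IPv4 pseudo-header: source, destination, zero, protocol 17 (UDP), UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_length)

def udp_checksum(src_ip, dst_ip, segment):
    """Checksum over pseudo-header + segment, with the checksum field treated as zero."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return csum or 0xFFFF     # RFC 768: a computed value of 0 is transmitted as all ones

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Length = 8-byte header + payload; checksum filled in last."""
    length = UDP_HEADER.size + len(payload)
    segment = UDP_HEADER.pack(sport, dport, length, 0) + payload
    return UDP_HEADER.pack(sport, dport, length, udp_checksum(src_ip, dst_ip, segment)) + payload

def parse_udp(segment):
    """Split a segment into its four header fields and the payload."""
    if len(segment) < UDP_HEADER.size:
        raise ValueError("segment shorter than a UDP header")
    sport, dport, length, checksum = UDP_HEADER.unpack_from(segment)
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": checksum, "payload": segment[UDP_HEADER.size:]}

def verify_udp(src_ip, dst_ip, segment):
    """True if the length field matches the segment and the checksum validates.
    A checksum of 0 means the sender did not compute one (allowed for IPv4)."""
    fields = parse_udp(segment)
    if fields["length"] != len(segment):
        return False
    if fields["checksum"] == 0:
        return True
    # Summing everything including the transmitted checksum must give all ones.
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

# Constructed sample (not from the page): a DNS-style query from a host to a resolver.
SRC, DST = "192.168.1.10", "192.168.1.53"
SAMPLE = build_udp(SRC, DST, 40000, 53, b"constructed-dns-query")
```

A flipped bit anywhere in the header or payload, or a length field that disagrees with the bytes actually received, makes verify_udp return False; the pseudo-header also ties the checksum to the IP addresses, so a segment delivered to the wrong host fails verification even when its own bytes are intact.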

Question 55

Which two statements about access ports are true? (Choose two)

A. They can act as a host and a trunk port simultaneously
B. They forward all 802.1Q packets to trunk ports
C. An individual access port can transmit traffic for only one data VLAN
D. Each individual access port can support multiple data VLANs
E. They are assigned to VLAN 1 by default

 

Answer: C E

Question 56

You recently applied a common configuration to several PCs on different VLANs. The PCs are connected to the same switch with a router-on-a-stick, but users report that the PCs cannot ping one another. Which two are possible reasons for the problem? (Choose two)

A. The access ports on the PCs are misconfigured.
B. The native VLAN on the router is misconfigured.
C. The ip default-network command is misconfigured on the router.
D. The trunking protocol is configured incorrectly on the router subinterfaces.
E. The VLAN is configured incorrectly on the router subinterfaces.

 

Answer: A E

Question 57

Refer to the exhibit.

switch-A#show mac address-table
           MAC Address Table
----------------------------------------
Vlan	Mac Address	Type	Ports
----	-----------	------- --------
   1	0000.0000.0001	DYNAMIC	Fa0/1
Total Mac Addresses for this criterion: 1

If switch-A receives a frame with destination MAC address 0000.0000.0001 on its Fa0/1 interface, how does it process the frame?

A. It holds the packet until MAC address timer expires and then drops the frame.
B. It forwards the frame back out of interface Fa0/1.
C. It floods the frame to all interfaces except Fa0/1.
D. It drops the frame immediately.

 

Answer: D

Explanation

In brief, the basic switching function at Layer 2 adheres to these rules for determining forwarding responsibility:
+ If the destination MAC address is found in the CAM table, the switch sends the frame out the port that is associated with that destination MAC address in the CAM table. This process is called forwarding.
+ If the associated port to send the frame out is the same port that the frame originally came in on, there is no need to send the frame back out that same port, and the frame is ignored. This process is called filtering.
+ If the destination MAC address is not in the CAM table (that is, unknown unicast), the switch sends the frame out all other ports that are in the same VLAN as the received frame. This is called flooding. It does not flood the frame out the same port on which the frame was received.
+ If the destination MAC address of the received frame is the broadcast address (FFFF.FFFF.FFFF), the frame is sent out all ports that are in the same VLAN as the received frame. This is also called flooding. The only exception is the frame is not sent out the same port on which the frame was received.

Reference: http://www.ciscopress.com/articles/article.asp?p=2348264

In the output, switch-A has learned that the device with MAC address 0000.0000.0001 is attached to port Fa0/1. It then receives a frame with that same destination MAC address on port Fa0/1, so the switch filters out (drops) the frame.
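As an added example (not part of the original page), the four rules above as a small forwarding model applied to the Question 57 exhibit; the ports other than Fa0/1 and their VLAN assignments are constructed for the example.

```python
# Added example (not part of the original page): a minimal model of the
# forward / filter / flood decision, applied to the Q57 exhibit.
# Ports other than Fa0/1 and their VLANs are constructed sample values.
BROADCAST = "ffff.ffff.ffff"


class Layer2Switch:
    def __init__(self, port_vlan):
        self.port_vlan = port_vlan   # port -> access VLAN
        self.cam = {}                # (vlan, mac) -> port, i.e. the CAM table

    def learn(self, vlan, src_mac, in_port):
        """Source-MAC learning: record which port a station lives behind."""
        self.cam[(vlan, src_mac.lower())] = in_port

    def decide(self, in_port, dst_mac):
        """Return (action, egress_ports) for a frame received on in_port."""
        vlan = self.port_vlan[in_port]
        same_vlan = {p for p, v in self.port_vlan.items()
                     if v == vlan and p != in_port}
        dst = dst_mac.lower()
        if dst == BROADCAST:
            return "flood", same_vlan          # rule 4: broadcast, all ports in VLAN
        out_port = self.cam.get((vlan, dst))
        if out_port is None:
            return "flood", same_vlan          # rule 3: unknown unicast
        if out_port == in_port:
            return "filter", set()             # rule 2: destination is behind ingress port
        return "forward", {out_port}           # rule 1: known unicast


def q57_exhibit():
    """Rebuild the exhibit: a single dynamic entry, 0000.0000.0001 on Fa0/1 in VLAN 1."""
    sw = Layer2Switch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 1, "Fa0/4": 10})
    sw.learn(1, "0000.0000.0001", "Fa0/1")
    return sw


if __name__ == "__main__":
    sw = q57_exhibit()
    print(sw.decide("Fa0/1", "0000.0000.0001"))  # ('filter', set())  -> answer D
    print(sw.decide("Fa0/2", "0000.0000.0001"))  # ('forward', {'Fa0/1'})
    print(sw.decide("Fa0/2", "0000.0000.00aa"))  # ('flood', {'Fa0/1', 'Fa0/3'})
```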

Question 58

Which two statements about prefixes in a routing table are true? (Choose two)

A. The router prefers longer prefixes over shorter prefixes.
B. The router prefers prefixes that have more bit positions for the host than for the network.
C. The router prefers the prefix that includes the most 1 bits in the subnet mask.
D. The router prefers shorter prefixes over longer prefixes.
E. The router prefers the prefix that includes the most 0 bits in the subnet mask.

 

Answer: A C

Explanation

Suppose there are three routes in our routing table:

router# show ip route
....
D   192.168.32.0/26 [90/25789217] via 10.1.1.1
R   192.168.32.0/24 [120/4] via 10.1.1.2
O   192.168.32.0/19 [110/229840] via 10.1.1.3
....

If a packet arrives on a router interface destined for 192.168.32.1, which route would the router choose? It depends on the prefix length, or the number of bits set in the subnet mask. Longer prefixes are always preferred over shorter ones when forwarding a packet.

In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.1, because 192.168.32.1 falls within the 192.168.32.0/26 network (192.168.32.0 to 192.168.32.63). It also falls within the other two routes available, but 192.168.32.0/26 has the longest prefix within the routing table (26 bits versus 24 or 19 bits).

Likewise, if a packet destined for 192.168.32.100 arrives on one of the router’s interfaces, it’s forwarded to 10.1.1.2, because 192.168.32.100 doesn’t fall within 192.168.32.0/26 (192.168.32.0 through 192.168.32.63), but it does fall within the 192.168.32.0/24 destination (192.168.32.0 through 192.168.32.255). Again, it also falls into the range covered by 192.168.32.0/19, but 192.168.32.0/24 has a longer prefix length.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8651-21.html

-> This is called the “longest prefix match” rule, so answer A is correct.

Answer C says the same thing in other words: “the most 1 bits in the subnet mask” means the longer prefix.
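Longest prefix match as an added example (not code from the original page), run over the three routes from the show ip route output above; the destination addresses in the test are constructed.

```python
# Added example (not from the original page): longest-prefix-match lookup over
# the three routes listed in the show ip route output above.


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def parse_prefix(prefix: str):
    """'192.168.32.0/26' -> (network as int, mask as int, prefix length)."""
    net, length = prefix.split("/")
    length = int(length)
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return ip_to_int(net) & mask, mask, length


# (source, prefix, next hop) exactly as listed in the routing table above.
# The [AD/metric] values do not take part in this decision: administrative
# distance only decides between routes for the *same* prefix.
ROUTING_TABLE = [
    ("D", "192.168.32.0/26", "10.1.1.1"),
    ("R", "192.168.32.0/24", "10.1.1.2"),
    ("O", "192.168.32.0/19", "10.1.1.3"),
]


def lookup(dst_ip: str, table=ROUTING_TABLE):
    """Return the table entry with the longest matching prefix, or None."""
    dst = ip_to_int(dst_ip)
    best, best_len = None, -1
    for entry in table:
        network, mask, length = parse_prefix(entry[1])
        if dst & mask == network and length > best_len:
            best, best_len = entry, length
    return best


def next_hop(dst_ip: str, table=ROUTING_TABLE):
    entry = lookup(dst_ip, table)
    return entry[2] if entry else None


if __name__ == "__main__":
    for dst in ("192.168.32.1", "192.168.32.100", "192.168.45.7", "192.168.64.1"):
        print(dst, "->", next_hop(dst))
```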

Question 59

Which two attributes of a packet change at every router along the path from source to destination? (Choose two)

A. destination IP address
B. source MAC address
C. packet MTU
D. source IP address
E. destination MAC address

 

Answer: B E

Explanation

When a packet is sent from a source to a destination, only the source & destination MAC addresses are changed on each segment while the source & destination IP addresses remain unchanged.

Question 60

Refer to the exhibit.

[Figure: Host A, R1 and Host B exhibit]

If Host A pings Host B, which statement about the ping is true?

A. The router looks up the destination IP network of the ping in its MAC address table
B. Host A encapsulates the packet within a frame before sending it
C. The ping packet includes both the destination MAC address and the source address
D. Host A sends the packet one byte at a time

 

Answer: B

Explanation

The router will check the destination IP network in its routing table -> Answer A is not correct.
The ping packet from host A will include: the source IP address of host A, the destination IP address of host B; the source MAC address of host A and the destination MAC address of the inbound interface of R1 -> Answer C is not correct.

When we make a ping from a Windows OS host, each ping packet is 32 bytes but if we ping from a Linux OS host, each ping packet is 64 bytes so it depends on the Operating System (OS) of the host. But each ping packet is surely larger than one byte -> Answer D is not correct.

Question 61

Which statement about port security on a trunk link is true?

A. It error-disables the port after 10 MAC addresses are statically configured
B. It is not supported
C. By default, it shuts down the port if it learns more than one MAC address
D. When it is enabled, it disables the native VLAN configuration

Answer: C

Explanation

Some online Cisco documents say that “A secure port cannot be a trunk port” (like this document), while others say “Trunk port security extends port security to trunk ports” (like this document), so we decided to test on a Cisco switch running IOS version 15.1 and got this result:

[Figure: port security configured on a trunk port, test output]

So we can configure port security on a trunk port; the maximum number of MAC addresses allowed is 1 and the violation mode is “shutdown” by default. Therefore it will shut down the port if it learns more than one MAC address.

Question 62

Which component of an Ethernet frame supports error detection?

A. EtherType
B. frame check sequence
C. 802.1Q tag
D. preamble

 

Answer: B

Explanation

At the end of each frame there is a Frame Check Sequence (FCS) field, which can be analyzed to determine whether errors have occurred. The FCS uses a cyclic redundancy check (CRC) algorithm to detect errors in transmitted frames. Before sending data, the sending host generates a CRC over the header and data of the frame. When the frame arrives, the receiving host uses the same algorithm to generate its own CRC and compares the two. If they do not match, a CRC error is recorded.

[Figure: Ethernet 802.3 frame format]

Question 63

Which two statements about administrative distance are true? (Choose two)

A. The metric is used to determine which administrative distance is selected from the routing table.
B. The metric is calculated independently of the administrative distance.
C. It identifies the routing protocol priority.
D. It identifies the metric used for path calculation.
E. The metric uses the administrative distance to calculate a path.

 

Answer: B C

Explanation

The administrative distance (AD) of a routing protocol is fixed while the metric of each routing protocol is calculated based on some parameters (for example in RIP it is the hop count, in OSPF it is the bandwidth…) -> Answer B is correct.

The lower the AD, the higher the priority of the routing protocol. For example, EIGRP (AD of 90) is always preferred to OSPF (AD of 110).

Question 64

Which two IPv6 multicast groups are joined when an IPv6 address is configured on an interface? (Choose two)

A. FF02::2
B. 2002::5
C. FF80::6
D. FF80::5
E. FF02::1

 

Answer: A E

Explanation

Every device automatically joins the all nodes (FF02::1) and solicited-node (FF02::1:FFxx:xxxx) multicast groups. The all-node group is used to communicate with all interfaces on the local link, and the solicited-nodes multicast group is required for link-layer address resolution. Routers also join a third multicast group, the all-routers group (FF02::2).

Reference: IP Routing on Cisco IOS, IOS XE, and IOS XR: An Essential Guide to Understanding and Implementing IP Routing Protocols

These addresses are equivalent to IPv4 well-known multicast addresses in the range 224.0.0.0 to 239.255.255.255

Question 65

Which command do you enter to assign all untagged packets on a trunk to VLAN 999?

A. switchport trunk pruning vlan add 999
B. switchport trunk allowed vlan 999
C. switchport trunk native vlan 999
D. swtichport trunk allowed vlan add 999

 

Answer: C

Explanation

By default the native VLAN is 1 but we can assign a new native VLAN by the command “switchport trunk native vlan <vlan-id>”.

Question 66

Which two commands must you apply to a router to configure it as a router-on-a-stick? (Choose two)

A. spanning-tree portfast
B. encapsulation
C. vtp domain
D. vtp transparent
E. ip address

 

Answer: B E

Explanation

An example of how to configure a router-on-a-stick at router side is shown below:

R1(config)#int fa0/0
R1(config-if)#no ip address
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#int fa0/0.10
R1(config-subif)#encapsulation dot1q 10 //Configure dot1q encapsulation for VLAN 10 on sub-interface fa0/0.10
R1(config-subif)#ip address 192.168.1.1 255.255.255.0 //A host address inside the VLAN 10 subnet (the network address 192.168.1.0 is rejected by IOS)
R1(config-subif)#no shutdown
R1(config-subif)#int fa0/0.20
R1(config-subif)#encapsulation dot1q 20 //Each sub-interface needs its own VLAN tag before IOS accepts an IP address on it
R1(config-subif)#ip address 192.168.2.1 255.255.255.0
R1(config-subif)#no shutdown

Question 67

How does an access port configured for VLAN 10 handle an incoming packet with an 802.1q tag for VLAN 2?

A. It drops the packet.
B. It dynamically configures the port to accept traffic on VLAN 2.
C. It adds VLAN 2 to the VLAN database.
D. It forwards the packet to a port on VLAN 2.
E. It processes the packet and places it in a queue for future delivery.

 

Answer: A

Question 68

In which network topology does each network device have a direct physical connection to every other device?

A. point-to-multipoint
B. mesh
C. bus
D. star

 

Answer: B

Explanation

Full-mesh is a network topology in which there is a direct link between all pairs of nodes. Below is an example of full-mesh topology.

[Figure: WAN full-mesh topology]

Question 69

Which two statements about IPv6 SLAAC are true? (Choose two)

A. The default gateway of the host is configured during the SLAAC process
B. It is incompatible with DHCP
C. The host uses the EUI-64 algorithm to calculate the first 64 bits of the destination IPv6 address from the MAC address
D. It has a built-in mechanism to identify duplicate IP addresses on the network
E. The host sends a router advertisement message to begin the SLAAC process

 

Answer: A D

Explanation

IPv6 stateless address autoconfiguration (SLAAC) is the native IPv6 method used to provide end hosts with IPv6 address and default gateway information dynamically without requiring DHCPv6 address allocation.

Stateless Address Auto-Configuration (SLAAC) proceeds as follows:
+ The host sends a Router Solicitation message.
+ The host waits for a Router Advertisement message.
+ The host takes the first 64 bits of the IPv6 prefix from the Router Advertisement message and combines them with the 64-bit EUI-64 identifier (in the case of Ethernet, this is created from the MAC address) to create a global unicast address (-> Answer B is not correct). The host also uses the source IP address, in the IP header, of the Router Advertisement message as its default gateway.
+ Duplicate Address Detection is performed by IPv6 clients to ensure that the addresses they pick do not collide with those of other clients.
+ The choice of algorithm is up to the client and is often configurable.

Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_0101011.html
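As an added example (not part of the original page), the EUI-64 step of the SLAAC procedure above, followed by the multicast groups from Question 64 that the resulting interface joins; the MAC address and prefixes are constructed sample values.

```python
# Added example (not from the original page): modified EUI-64, SLAAC address
# formation and the multicast groups an interface joins (Questions 64 and 69).
# The MAC address and prefixes are constructed sample values.
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the U/L bit."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "")
    octets = bytearray(bytes.fromhex(hexdigits))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    octets[0] ^= 0x02                      # invert the universal/local bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 prefix from the RA with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address.
    Duplicate Address Detection sends its Neighbor Solicitation to this group."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))


def joined_groups(addr: ipaddress.IPv6Address, is_router: bool = False) -> set:
    """All-nodes and solicited-node for every interface; all-routers on routers."""
    groups = {ipaddress.IPv6Address("ff02::1"), solicited_node(addr)}
    if is_router:
        groups.add(ipaddress.IPv6Address("ff02::2"))
    return {str(g) for g in groups}


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"
    link_local = slaac_address("fe80::/64", mac)
    global_addr = slaac_address("2001:db8:1::/64", mac)   # prefix learned from the RA
    print("link-local:", link_local)
    print("global    :", global_addr)
    print("groups    :", sorted(joined_groups(global_addr)))
```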

Question 70

In which two scenarios do you implement private IPv4 IP addresses? (Choose two)

A. on the webmail portal of an organization
B. on the connection that a mobile device uses for application updates
C. to connect network equipment between different IDFs
D. for the VPN solution that end users use to connect to the local network
E. on an application server that connects to a local database server

Answer: C E

Explanation

In general, private IPv4 addresses are suitable for applications/connections that do not need to go to the Internet.

Intermediate distribution frames (IDFs) house the access-layer switches that provide connectivity within a building, so the links between them do not need public IPv4 addresses to reach the Internet -> Answer C is correct.

Question 71

Which two ACL types support IP Access List Entry Sequence Numbering? (Choose two)

A. named
B. reflexive
C. firewall
D. dynamic
E. standard

 

Answer: A E

Explanation

The IP Access List Entry Sequence Numbering feature allows you to apply sequence numbers to permit or deny statements as well as reorder, add, or remove such statements from a named IP access list. The IP Access List Entry Sequence Numbering feature makes revising IP access lists much easier. Prior to this feature, you could add access list entries to the end of an access list only; therefore, needing to add statements anywhere except at the end of a named IP access list required reconfiguring the entire access list.

For example, we can resequence a standard/extended access list like this:

Device(config)# ip access-list resequence MYACCESSLIST 100 15 //resequence the MYACCESSLIST, starting from 100 and increment 15

After this command the “MYACCESSLIST” ACL will be like this:

R1#show access-list
Standard IP access list MYACCESSLIST
100 permit ip host xxxx host xxxxx
115 permit ip host xxxx host xxxxx
130 permit ip host xxxx host xxxxx
145 permit ip host xxxx host xxxxx
160 permit ip host xxxx host xxxxx
175 permit ip host xxxx host xxxxx
190 permit ip host xxxx host xxxxx

We can use the IP Access List Entry Sequence Numbering feature in standard, extended and named ACLs.

Question 72

Which command can you enter in ROMmon to bypass the password in the router startup configuration?

A. confreg 0x2142
B. configure terminal
C. config-register 0x2102
D. reset

 

Answer: A

Question 73

For which reason is a DHCP client unable to reach a host in different subnet?

A. The client and its gateway router have been assigned different subnet masks.
B. The client has been configured with only one DNS server.
C. DNS lookup has been disabled on the gateway router.
D. The client is connected to a switch in the same VLAN as its gateway router.

 

Answer: A

Question 74

Which command or command sequence do you enter to install a default route into a router that is configured with the no ip routing command?

A. ip route 0.0.0.0 0.0.0.0
B. router rip ip default-gateway
C. ip default-network
D. ip default-gateway

 

Answer: D

Explanation

With the “no ip routing” command, a router behaves like a host and cannot perform any routing function. We can only use the “ip default-gateway <IP address>” command to assign a default gateway to it (the same as the default gateway on a host).

Question 75

Refer to the exhibit.

show ip route
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

Router R1 produced this partial output running on a current IOS. Which two statements about R1 and its network environment are true? (Choose two)

A. R1 has a combination of local and connected routes totaling two subnets.
B. R1 has learned a maximum of four networks via routing protocols.
C. R1 has a maximum of two connected subnets including local route.
D. R1 has learned at least one network via routing protocols.
E. R1 has a network environment that supports a maximum of 16 hosts.

 

Answer: C D

Question 76

Under which circumstance should a network administrator implement only outgoing NAT towards an ISP?

A. when traffic that originates inside the network must be routed to internal hosts
B. when the network has few public IP addresses and many private IP addresses that require outside access
C. when the network must route UDP traffic
D. when traffic that originates outside the network must be routed to internal hosts

 

Answer: B

Question 77

Which two syslog configuration commands do you use to log warnings to the syslog server? (Choose two)

A. logging trap level informational
B. logging trap level alerts
C. logging trap level notice
D. logging trap level critical
E. logging trap level error

 

Answer: A C

Question 78

Which three values must you specify to resequence an IP access list? (Choose three)

A. access list name
B. increment
C. starting sequence number
D. interface
E. dynamic access list number
F. ending sequence number

 

Answer: A B C

Question 79

For which two reasons might you choose to configure dynamic routing instead of static routing on a router? (Choose two)

A. The router is part of a stub network.
B. The router needs access only to a single default route.
C. Dynamic routing requires less router configuration throughout the network than static routing.
D. The network is growing intermittently.
E. Dynamic routing updates are more secure than static routing updates.

 

Answer: C D

Question 80

All protocols on a network are using their default administrative distances with no redistribution. In which two different ways can you modify them so that OSPF and RIPv2 learned routes are preferred over EIGRP-learned routes? (Choose two)

A. Change the OSPF administrative distance to 5.
B. Change the RIP administrative distance to 70.
C. Change the EIGRP administrative distance to 70.
D. Change the RIP administrative distance to 100.
E. Change the EIGRP administrative distance to 100.

 

Answer: A B

Question 81

Which two characteristics of plenum cable are true? (Choose two)

A. It is more fire-resistant than nonplenum cable.
B. It can be installed above a drop-down ceiling without additional safety precautions.
C. It is less fire-resistant than nonplenum cable.
D. When it burns, it may release more toxins than nonplenum cable.
E. It requires additional safety precautions when installed above a drop-down ceiling.

 

Answer: A B

Question 82

Which statement about wireless access points is true?

A. They are Layer 2 devices that are used to extend a LAN to wireless clients.
B. They provide full duplex connectivity to host devices.
C. They are used as routers between LANs in a wireless network.
D. They are used to physically connect host devices to the wireless network.

 

Answer: A

Question 83

Which option is the default time zone used on Cisco devices?

A. CST
B. UTC
C. EST
D. GMT
E. PST

Answer: B

Question 84

Which circumstance causes a security violation on a switch port with port security enabled?

A. The maximum number of secure MAC addresses is reached on a secure port and an unidentified MAC address attempts an ingress connection.
B. A configured MAC address attempts an ingress connection on a different port in a different VLAN.
C. The minimum number of secure MAC addresses is configured on a secure port and an unidentified MAC address attempts an ingress connection.
D. A minimum number of secure MAC addresses has filled the dynamic table.

 

Answer: A

Question 85

You have configured two hosts that are connected to a single switch, but reside in different VLANs. Which statement about the configuration is true?

A. The two hosts are unable to communicate without a router.
B. The two hosts can communicate with ICMP.
C. The two hosts are unable to communicate without a trunk port.
D. The two hosts are unable to communicate without a hub.

 

Answer: A

Question 86

Which type of route is the most trusted?

A. BGP
B. OSPF
C. static
D. connected

 

Answer: D

Question 87

Which statement about the enable password is true?

A. The space character is not supported.
B. It is not stored in a secured format.
C. It can be up to 32 characters long.
D. It is stored in a secured format.

 

Answer: B

Question 88

For what reason do you use a standard access list?

A. to filter traffic from identified source addresses
B. to deny traffic to identified destination addresses
C. to load-balance traffic over different interfaces
D. to identify traffic to be label-switched through the network
E. to deny traffic to unidentified destination addresses

 

Answer: A

Question 89

How does a switch handle a frame in which it detects an error in the frame check sequence?

A. It updates the frame check sequence and forwards the frame to its destination.
B. It discards the damaged frame without further action.
C. It forwards the frame to its destination unchanged.
D. It discards the damaged frame and requests the sender to retransmit it.

 

Answer: B

Question 90

Which static route can be used to forward a packet that is destined to 192.168.1.23?

A. ip route 192.168.1.16 255.255.255.252 192.168.255.1
B. ip route 192.168.1.0 255.255.255.240 192.168.255.1
C. ip route 192.168.0.0 255.255.255.0 192.168.255.1
D. ip route 192.168.1.20 255.255.255.252 192.168.255.1

 

Answer: D

Question 91

If a router receives a route 192.168.1.0/24 from peers running OSPF and EIGRP, how does the router forward traffic destined to that network?

A. It uses the path with the lowest metric.
B. It always uses the path learned from OSPF because OSPF is a vendor-neutral protocol.
C. It load-balances traffic across both paths.
D. It always uses the path learned from EIGRP because EIGRP has a lower administrative distance.

 

Answer: D

Question 92

Which statement about a router on a stick is true?

A. It requires encapsulation to be configured on subinterfaces.
B. It requires encapsulation to be configured on the main interface.
C. The VLAN tag is randomly assigned as a frame exists the interface.
D. A single VLAN can traverse the link.

 

Answer: A

Question 93

Which IPv6 address does a device use for neighbor discovery?

A. the link-local address
B. the multicast address
C. the unique local address
D. the global unicast address

 

Answer: A

Question 94

How are MAC addresses removed from a MAC address table?

A. They are removed automatically if they remain inactive for the duration of the switch aging timer.
B. They are removed automatically on a FIFO basis when the address-table limit has been reached.
C. They must be manually cleared from the table.
D. They are removed automatically if they remain inactive for the duration of the global MAC address timer.

 

Answer: D

Question 95

Which two statements are true about the operation of a full-duplex Ethernet network? (Choose two)

A. There are no collisions in full-duplex mode.
B. A dedicated switch port is not required for each full-duplex node.
C. Ethernet hub ports are preconfigured for full-duplex mode.
D. The device network card and the switch port must be capable of operating in full-duplex mode.
E. In a full-duplex environment, the host network card must check for the availability of the network media before transmitting.

 

Answer: A D

Question 96

Which value represents a host route?

A. 192.168.1.0/30
B. 192.168.1.0/24
C. 192.168.1.2/31
D. 192.168.1.0/32

 

Answer: D

Question 97

Which Cisco IOS feature can dynamically assign IP addresses to hosts?

A. DHCP Relay
B. TFTP
C. DNS
D. DHCP

 

Answer: D

Question 98

Which two statements about the default configuration of a Cisco IOS router are true? (Choose two)

A. In privileged EXEC mode, the console times out after 10 minutes of inactivity.
B. The loopback 0 interface is enabled.
C. The first connected interface becomes the gateway of last resort.
D. The enable password password and enable secret password are both set to cisco.
E. The hostname of the device is displayed in lower-case letters only, even if you specify capital letters.
F. The default hostname is Router.

 

Answer: A F

Question 99

Which statement about a router-on-a-stick configuration is true?

A. It is most appropriate for use on large networks with both Layer2 and Layer3 switches.
B. It can perform 802.1q encapsulation.
C. It can act as a multilayer switch.
D. It can classify packets for QoS.

 

Answer: B

Question 100

Which information is missing from a default syslog message?

A. HOSTNAME
B. SEVERITY
C. MESSAGE
D. TIMESTAMP

 

Answer: A

Question 101

Which statement about the default Cisco Discovery Protocol configuration is true?

A. CDPv1 is disabled on FastEthernet interfaces.
B. CDPv2 advertisements are unicast.
C. CDPv1 is enabled on Frame Relay subinterfaces.
D. CDPv2 advertisements are broadcast.

 

Answer: D

Question 102

A router is deployed with the default factory settings. If a user on the router mistypes a command, which option is the result?

A. The router immediately returns an error message.
B. The router recognizes the mistake and discards the request.
C. The router autocorrects the mistyped command.
D. The router attempts to resolve the command to an IP address.
E. The router disables DNS lookup.

 

Answer: D

Explanation

When you mistype a command in privileged mode (Router#), the router thinks you’re trying to Telnet to a remote host so you have to wait with a message like this:

Translating “contin”…domain server (255.255.255.255)

This is because by default the command “ip domain-lookup” is enabled. It enables the Domain Name Server (DNS) lookup feature which performs a DNS lookup on what you entered. If you haven’t configured DNS on the router, the command prompt will hang until the DNS lookup fails. We can cancel the translation with Ctrl + Shift + 6. If we don’t have a real DNS server then we should turn this feature off with the “no ip domain-lookup” command.

Question 103

Which value does RIPv2 use to calculate its route metric?

A. delay
B. bandwidth
C. hop count
D. reliability

 

Answer: C

Explanation

RIP only uses hop count (the number of routers) to determine the best way to a remote network.

Question 104

Which value is calculated by the sender and receiver of a frame to determine whether the frame has been damaged in transit?

A. the runt value
B. the CRC value
C. the giant value
D. the collision value

 

Answer: B

Explanation

At the end of each frame there is a Frame Check Sequence (FCS) field, which can be analyzed to determine whether errors have occurred. The FCS uses a cyclic redundancy check (CRC) algorithm to detect errors in transmitted frames. Before sending data, the sending host generates a CRC over the header and data of the frame. When the frame arrives, the receiving host uses the same algorithm to generate its own CRC and compares the two. If they do not match, a CRC error is recorded.

[Figure: Ethernet 802.3 frame format]

Note:
+ Runts are frames which do not meet the minimum frame size of 64 bytes. Runts are usually created by collisions.
+ Giants: frames that are larger than 1,518 bytes

Question 105

What is the default number of secure MAC addresses for an interface configured with port security?

A. 1
B. 255
C. 1042
D. 3072

 

Answer: A

Question 106

Which device mode must you use to recover a password on a Cisco IOS device?

A. privileged EXEC
B. global configuration
C. user EXEC
D. ROMmon

 

Answer: D

Explanation

To reset the password we can type “confreg 0x2142” under rommon mode to set the configuration register to 2142 in hexadecimal (the prefix 0x means hexadecimal (base 16)). With this setting when that router reboots, it bypasses the startup-config.

Question 107

Which difference between TCP and UDP is true?

A. Only TCP orders the packets that are transmitted.
B. Only UDP retransmits packets to ensure delivery.
C. Only TCP has eliminated error checking.
D. Only UDP requires recipients to acknowledge packet receipt.

 

Answer: A

Explanation

The UDP header does have a checksum field, which provides error detection for the protocol. The difference from TCP is that UDP does not request a retransmission when an error is found; it simply discards the packet. In short, UDP has error detection while TCP also has an error recovery mechanism.

Question 108

Which command do you enter to configure a device as an authoritative time server?

A. ntp authenticate
B. ntp server 127.0.0.1
C. ntp source 127.0.0.1
D. ntp master 1

 

Answer: D

Explanation

An Authoritative NTP Server can distribute time even when it is not synchronized to an existing time server. To configure a Cisco device as an Authoritative NTP Server, use the ntp master [stratum] command.

Question 109

Which two configuration steps will prevent an unauthorized PC from accessing the corporate network? (Choose two)

A. set the port security aging time to 0
B. create the port as a protected port and statically assign the MAC address to the address table
C. configure the switch to discover new MAC addresses after a set time of inactivity
D. enable port security on the switch
E. create the port as an access port and statically assign the MAC address to the address table

 

Answer: D E

Question 110

Which description refers to administrative distance?

A. the advertised metric to reach a network
B. the cost of a link between two neighboring routers
C. the cost to reach a network that is administratively set
D. a measure of the trustworthiness of a routing information source

 

Answer: D

Question 111

Which command do you enter on a router running RIP so that it advertises a route on the same interface on which it received the route?

A. no auto-summary
B. no ip split-horizon
C. passive-interface default
D. ip rip v2-broadcast

 

Answer: B

Explanation

The split-horizon rule states that “a router never sends information about a route back in the same direction from which the original information came”. This rule is used in distance vector protocols (like RIP or EIGRP) to prevent Layer 3 routing loops. But we can disable the rule with the “no ip split-horizon” command.

Question 112

Which hashing algorithm does NTP use for its authentication keys?

A. MD5
B. AES-256
C. 3DES
D. SHA

 

Answer: A

Explanation

MD5 keys are used for authentication only, not encryption. The purpose of the keys is to assure a client that it is receiving NTP time stamps from ONLY the intended server.

Question 113

Multicast IP addresses can be grouped into which two address-range assignments? (Choose two)

A. registered
B. dynamic
C. GLOP
D. source-specific multicast
E. private

 

Answer: A B

Question 114

Which two statements about 802.1Q are true? (Choose two)

A. It is an open-standard trunking protocol
B. It is a Cisco-proprietary trunking protocol
C. It inserts a 4-byte identifying tag in the Ethernet frame after the source MAC address field.
D. It encapsulates the original data frame inside a trunking header.
E. It uses a 20-bit label to identify packets within a trunk.

 

Answer: A C

Explanation

IEEE 802.1Q uses an internal tagging mechanism which inserts a 4-byte tag field in the original Ethernet frame itself between the Source Address (SA) and Type/Length fields. Because the frame is altered, the trunking device recomputes the FCS on the modified frame.

[Figure: 802.1Q tagged Ethernet frame]

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html

Question 115

Which component is part of an Ethernet frame?

A. checksum
B. TTL
C. sequence number
D. frame check sequence

 

Answer: D

Explanation

An Ethernet frame structure is shown below:

Ethernet802.3_Frame_Format.jpg

There are no checksum, Time-to-live (TTL) or sequence number in an Ethernet frame.

At the end of each frame there is a Frame Check Sequence (FCS) field. FCS can be analyzed to determine if errors have occurred. FCS uses cyclic redundancy check (CRC) algorithm to detect errors in the transmitted frames. Before sending data, the sending host generates a CRC based on the header and data of that frame. When this frame arrives, the receiving host uses the same algorithm to generate its own CRC and compare them. If they do not match then a CRC error will occur.

Note: In fact in the Ethernet frame structure shown above, the CRC field should be written as FCS field.
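As an added example that is not from the original page: the CRC-based check described above, in Python, run over a constructed Ethernet frame. It relies on zlib.crc32, which implements the same CRC-32 polynomial and bit ordering that 802.3 uses for the FCS; the MAC addresses and payload are constructed sample values.

```python
import struct
import zlib

# Constructed sample values (not from the page)
DST_MAC = bytes.fromhex("01005e000001")   # IPv4 multicast MAC for 224.0.0.1
SRC_MAC = bytes.fromhex("0011223344aa")
ETHERTYPE_IPV4 = 0x0800
MIN_PAYLOAD = 46   # 802.3 minimum payload; shorter data is padded so the frame is 64 bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Sender side: header + padded payload, then the FCS computed over all of it."""
    if len(payload) < MIN_PAYLOAD:
        payload = payload + b"\x00" * (MIN_PAYLOAD - len(payload))
    body = dst + src + struct.pack("!H", ethertype) + payload
    # The Ethernet FCS is CRC-32 (IEEE 802.3), the same CRC zlib computes.
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    # The FCS is transmitted least-significant byte first.
    return body + struct.pack("<I", fcs)


def fcs_ok(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over header + data and compare with the trailer."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        return False  # runt frame, cannot be valid
    body, trailer = frame[:-4], frame[-4:]
    received_fcs = struct.unpack("<I", trailer)[0]
    return (zlib.crc32(body) & 0xFFFFFFFF) == received_fcs


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; raises ValueError on a CRC error."""
    if not fcs_ok(frame):
        raise ValueError("CRC error: FCS mismatch")
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "payload": frame[14:-4],
        "fcs": struct.unpack("<I", frame[-4:])[0],
    }


def corrupt_bit(frame: bytes, bit_index: int) -> bytes:
    """Flip a single bit to simulate a transmission error."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


if __name__ == "__main__":
    frame = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, b"hello")
    print("frame length:", len(frame), "FCS valid:", fcs_ok(frame))
    print("after one flipped bit, FCS valid:", fcs_ok(corrupt_bit(frame, 100)))
```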

Question 116

Which Cisco SDN controller supports existing enterprise network devices?

A. APIC-EM
B. OpenFlow
C. Open SDN
D. ACI

 

Answer: A

Question 117

Which command can you enter to configure an IPv6 floating static route?

A. router(config)#ipv6 route FE80:0202::/32 serial 0/1 1
B. router (config)#ipv6 route ::/0 serial 0/1
C. router(config)#ipv6 route static resolve default
D. router(config)#ipv6 route FE80:0202::/32 serial 0/1 201

 

Answer: D

Explanation

An IPv6 floating static route is a static route with a higher administrative distance than the dynamic routing protocol it backs up, so it is installed only when the dynamic route disappears.

Question 118

Which feature can validate address requests and filter out invalid messages?

A. IP Source Guard
B. port security
C. DHCP snooping
D. dynamic ARP inspection

 

Answer: C

Explanation

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests.

Question 119

Which subnet address is for the IP address 172.19.20.23/28?

A. 172.19.20.20
B. 172.19.20.0
C. 172.19.20.32
D. 172.19.20.15
E. 172.19.20.16

 

Answer: E

Explanation

Increment: 16 (/28 = 1111 0000 in fourth octet)
Network address: 172.19.20.16
Broadcast address: 172.19.20.31

Question 120

Which two statements are true for multicast MAC address directions? (Choose two)

A. 01:00:5E:AE:17:28
B. one to one
C. 01 00 43 AF5426B
D. 02 46 54BDCF6A8
E. one to many

 

Answer: A E

Question 121

How many host addresses are available on the network 192.168.1.0 subnet 255.255.255.240? (Choose two)

A. 6
B. 8
C. 14
D. 16

 

Answer: C

Explanation

240 = 1111 0000 in the fourth octet, so the formula for the number of host addresses is 2^k – 2 (where k is the number of 0 bits in the mask). In this case k = 4, so the number of host addresses = 2^4 – 2 = 14.
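As an added example (not part of the original page) covering this question and Question 119 above: the subnet arithmetic as Python, working the page's values through the mask bit operations, handling the /31 and /32 edge cases, and cross-checking the result against the standard library.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """255.255.255.240 -> 28; rejects masks whose one bits are not contiguous."""
    m = to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def subnet_info(address: str, prefix: int) -> dict:
    """Network, broadcast, usable range, host count and block size for address/prefix."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    addr = to_int(address)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    k = 32 - prefix                       # number of 0 bits in the mask
    if prefix == 32:
        hosts, first, last = 1, addr, addr          # host route, no reserved addresses
    elif prefix == 31:
        hosts, first, last = 2, network, broadcast  # RFC 3021 point-to-point link
    else:
        hosts, first, last = 2 ** k - 2, network + 1, broadcast - 1
    # "Increment": block size in the octet where the mask boundary falls
    if prefix % 8 == 0:
        octet, increment = max(prefix // 8 - 1, 0), 1
    else:
        octet, increment = prefix // 8, 2 ** (8 - prefix % 8)
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "hosts": hosts,
        "increment": increment,
        "octet": octet + 1,               # 1-based, so /28 reports the fourth octet
    }


def matches_stdlib(address: str, prefix: int) -> bool:
    """Cross-check the hand-rolled arithmetic against the ipaddress module."""
    info = subnet_info(address, prefix)
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address)
            and info["hosts"] == len(list(net.hosts())))


if __name__ == "__main__":
    print(subnet_info("172.19.20.23", 28))
    print(subnet_info("192.168.1.0", mask_to_prefix("255.255.255.240"))["hosts"])
```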

Question 122

Which two statements about fiber cable are true? (Choose two)

A. Single-mode fiber supports SC and LC connectors only.
B. Multimode cable supports speeds between 100 Mbps and 9.92 Gbps.
C. Single-mode cable is most appropriate for installations longer than 10 km.
D. Fiber cable is relatively inexpensive and supports a higher data rate than coaxial cable.
E. Multimode cable supports speeds between 100 Mbps and 100 Gbps.

 

Answer: D E

Question 123

After you configure the ip dns spoofing command globally on a device, under which two conditions is DNS spoofing enabled on the device? (Choose two)

A. The ip dns spoofing command is disabled on the local interface
B. The ip host command is disabled
C. All configured IP name server addresses are removed
D. The DNS server queue limit is disabled
E. The no ip domain lookup command is configured

 

Answer: B C

Explanation

DNS spoofing is designed to allow a router to act as a proxy DNS server and “spoof” replies to any DNS queries using either the configured IP address in the ip dns spoofing ip-address command or the IP address of the incoming interface for the query. This feature is useful for devices where the interface toward the Internet service provider (ISP) is not up. Once the interface to the ISP is up, the router forwards DNS queries to the real DNS servers. This feature turns on DNS spoofing and is functional if any of the following conditions are true:
+ The no ip domain-lookup command is configured.
+ IP name server addresses are not configured.
+ There are no valid interfaces or routes for sending to the configured name server addresses

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/12-2sr/dns-12-2sr-book.pdf

Question 124

Which statement about unique local IPv6 addresses is true?

A. Summarization is not supported.
B. They require all prefixes to be unique.
C. Their global IDs are assigned sequentially.
D. They are routable to the public Internet.

 

Answer: B

Explanation

An IPv6 Unique Local Address is the approximate IPv6 counterpart of an IPv4 private address. It is not routable on the global Internet, but it can be routed between a company’s multiple sites. An IPv6 Unique Local Address is an IPv6 address in the block FC00::/7.

Unique Local IPv6 addresses can be viewed as globally unique “private routable” IPv6 addresses, usable only inside an organization -> Answer B seems to be correct.

ICND2v3 – New Questions Part 7

June 22nd, 2019


Question 1

Which two statements about the Cisco APIC-EM ACL Path Trace feature are true? (Choose two)

A. Higher-priority ACEs override lower-priority ACEs in the same ACL.
B. The trace analyzes only the egress interface of all devices in the path.
C. The trace analyzes the ingress interface and the egress interface of all devices in the path.
D. The trace analysis stops as soon as the trace encounters a deny entry on the path.
E. The trace analyzes only the ingress interface of all devices in the path.

 

Answer: A C

Explanation

Access Control List (ACL) Trace analyzes how a flow is affected by ACLs programmed on the path. After the path is calculated between the source and the destination, the ACL Trace analyzes both ingress and egress interfaces of all devices on the path -> C is correct.

Analysis of entries within an individual ACL is cumulative. That is, if a higher priority ACE is a match, lower-priority ACEs are ignored -> A is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-4-x/path_trace/user-guide/b_Cisco_Path_Trace_User_Guide_1_4_0_x/b_Cisco_Path_Trace_Solution_Guide_1_4_0_x_chapter_01.html

Question 2

Which effect of the monitor session 16 source interface gigabitethernet 3/1 command is true?

A. It configures the device to monitor uni-directional source traffic for session 16.
B. It configures the device to monitor uni-directional destination traffic for session 16.
C. It configures the device interface as a source to monitor bi-directional traffic for session 16.
D. It configures the device interface as destination to monitor bi-directional traffic for session 16.

 

Answer: C

Explanation

The Switched Port Analyzer (SPAN) feature copies network traffic from a VLAN or group of ports to a selected port. SPAN is generally referred to as port mirroring. An example of configuring a SPAN port is shown below:

Switch(config)#monitor session 1 source interface FastEthernet 0/1
Switch(config)#monitor session 1 destination interface FastEthernet 0/2

The above configuration will capture all traffic from interface FastEthernet 0/1 and send it to interface FastEthernet 0/2.

By default, both incoming and outgoing traffic is monitored.

Question 3

Which two benefits of using MPLS for WAN access are true? (Choose two)

A. It supports hub-and-spoke connectivity.
B. It supports CoS.
C. It provides VPN support.
D. It provides payload security with ESP.
E. It supports Authentication Header.

 

Answer: B C

Question 4

Which BGP command do you enter to allow a device to exchange IPv6 prefixes with its neighbor?

A. neighbor ip-address activate
B. neighbor ip-address remote-as ASN
C. router bgp ASN
D. show ip bgp neighbors

 

Answer: A

Question 5

For which type of connection is broadband PPPoE most appropriate?

A. satellite
B. DSL
C. GRE tunnel
D. PPTP

 

Answer: B

Explanation

PPPoE is commonly used in a broadband aggregation, such as by digital subscriber line (DSL). PPPoE provides authentication with the CHAP or PAP protocol.

Reference: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_17.2/02System_and_Interfaces/06Configuring_Network_Interfaces/Configuring_PPPoE

Question 6

While troubleshooting the failure of an OSPFv3 Ethernet connection between routers R1 and R2, you determine that the hello timers are mismatched and that R2 is configured with default settings. Which command do you enter on R1 to correct the problem?

A. R1(config-if)#ipv6 ospf hello-interval 20
B. R1(config-if)#ip ospf hello-interval 10
C. R1(config-if)#ip ospf hello-interval 20
D. R1(config-if)#no ipv6 ospf hello-interval

 

Answer: D

Explanation

The default hello interval of OSPFv3 is 10 seconds when using Ethernet and 30 seconds when using nonbroadcast. To change the hello interval of OSPFv3, we use the “ipv6 ospf hello-interval seconds” command. Or we can use the “no” form to reset the hello timers to the default values.

Note: Answer B is not correct as it is for IPv4 OSPF, not IPv6 OSPF (it should be “ipv6 ospf hello-interval 10”, not “ip ospf hello-interval 10”).

Question 7

Which three statements about inform-request options are true? (Choose three)

A. The default number of retries is 3.
B. By default, the maximum number of pending informs is 10.
C. The default timeout is 60 seconds.
D. The default number of retries is 5.
E. The default timeout is 30 seconds.
F. By default, the maximum number of pending informs is 25.

 

Answer: A E (?) F

Explanation

To specify SNMP inform request options, use the snmp-server inform [pending pending] [retries retries] [timeout seconds] command in global configuration mode.

The default value of “retries” is 3.
The default value of “timeout” is 15 seconds -> answer E is not correct but we don’t have any better choice.
The default value of “pending” is 25 (Number of unacknowledged informs to hold).

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/command/nm-snmp-cr-book/nm-snmp-cr-s5.html

Question 8

Which switch port mode prevents DTP frames from being sent?

A. trunk
B. dynamic auto
C. dynamic desirable
D. nonegotiate

Answer: D

Explanation

Disabling DTP with the “switchport nonegotiate” command, so that DTP messages are not sent out of the interface, is also a good way to prevent automatic trunking.

Question 9

Which difference between PVST+ and RPVST+ is true?

A. RPVST+ is based on 802.1D and PVST+ is based on 802.1s.
B. RPVST+ is based on 802.1w and PVST+ is based on 802.1s.
C. RPVST+ has slower convergence than PVST+.
D. Only PVST+ includes Cisco proprietary standards.

 

Answer: B

Explanation

RPVST+ is Cisco’s version of RSTP that also uses PVST+ and provides a separate instance of 802.1w per VLAN.

Note: 802.1w is also called Rapid Spanning Tree Protocol (RSTP)

PVST+ is the Cisco proprietary enhancement for STP that provides a separate 802.1d spanning-tree instance for each VLAN.

Question 10

When troubleshooting an issue with an SVI, which three areas do you check? (Choose three)

A. frame size
B. routing
C. interfaces
D. ASIC
E. gateway
F. encapsulation

 

Answer: B C E

Question 11

Which command do you enter to configure local authentication for PPP on a Cisco device?

A. router(config-if)#ppp authentication chap callin
B. router(config)#username router password password1
C. router(config-if)#ppp authentication chap
D. router(config-if)#ppp chap password password1

 

Answer: C

Question 12

Which three statements are benefits of using a shadow router as the source of IP SLA measurements? (Choose three)

A. It offsets the resource load from a production router.
B. It can be managed independently of production network traffic.
C. It reduces traffic through existing interfaces by adding another network interface.
D. It provides a better estimation of Layer 2 network traffic.
E. It enables switched traffic to take precedence over local traffic.
F. It adds an NTP synchronization point.

 

Answer: A B D

Question 13

When a user attempts to authenticate with TACACS+, which three responses from the TACACS+ daemon are possible? (Choose three)

A. PERSIST
B. FAULT
C. CONTINUE
D. ERROR
E. ACCEPT
F. REPEAT

 

Answer: C D E

Explanation

The network access server will eventually receive one of the following responses from the TACACS+ daemon:
+ ACCEPT – The user is authenticated and service may begin. If the network access server is configured to require authorization, authorization will begin at this time.
+ REJECT – The user has failed to authenticate. The user may be denied further access, or will be prompted to retry the login sequence depending on the TACACS+ daemon.
+ ERROR – An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the network access server. If an ERROR response is received, the network access server will typically try to use an alternative method for authenticating the user.
+ CONTINUE – The user is prompted for additional authentication information.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/15-mt/sec-usr-tacacs-15-mt-book/sec-cfg-tacacs.html

Question 14

Which three statements about QoS policing are true? (Choose three)

A. It can be applied to outbound traffic only.
B. It avoids queuing delays.
C. It drops excess packets.
D. It can be applied to inbound and outbound traffic.
E. It queues excess traffic.
F. It is configured in bits per second.

Answer: B C D

Explanation

Unlike traffic shaping, QoS policing avoids delays due to queuing.
QoS policing drops (or re-marks) excess packets above the committed rate. It does not buffer.
QoS policing is configured in bytes (while QoS traffic shaping is configured in bits per second).
QoS policing can be applied to both inbound and outbound traffic (while QoS shaping can only be applied to outbound traffic).

Reference: https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/19645-policevsshape.html

Question 15

Which three states are the HSRP stages for a router? (Choose three)

A. standby
B. speak
C. secondary
D. listen
E. learn
F. primary

 

Answer: A B D E (?)

Explanation

HSRP consists of 6 states:

+ Initial: This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on.
+ Learn: The router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router.
+ Listen: The router knows both the IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in an HSRP group, the router which is not in the active or standby state will remain in the listen state.
+ Speak: The router sends periodic HSRP hellos and participates in the election of the active or standby router.
+ Standby: In this state, the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from the active router).
+ Active: The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages.

Please notice that not all routers in an HSRP group go through all the states above. In an HSRP group, only one router reaches the active state and one router reaches the standby state. Other routers will stop at the listen state.

In this question there are four correct answers, so maybe in the exam one correct answer will not exist, but you should grasp the concept behind it.

Question 16

Which statement about link-state and distance-vector routing protocols is true?

A. Unlike distance-vector routing protocols, link-state routing protocols can cause routing loops.
B. Distance-vector routing protocols converge more quickly than link-state routing protocols.
C. Distance-vector routing protocols use more memory than link-state routing protocols.
D. Unlike distance-vector routing protocols, link-state routing protocols send routing-table updates to neighbors only after adjacency is established.

 

Answer: D

Question 17

Which three statements about the ACEs that are matched by a Cisco APIC-EM ACL path are true? (Choose three)

A. If the trace fails to find a matching ACE in an ACL, it is reported as implicitly permitted.
B. If an optional criterion is omitted from the trace, the results include all possible ACE matches.
C. If the trace fails to find a matching ACE in an ACL, it is reported as implicitly denied.
D. ACEs are reported only if they match.
E. All ACEs found by the trace are reported, including those that fail to match.
F. If an optional criterion is omitted from the trace, the results are reported as if the default value was specified.

 

Answer: B C D

Explanation

The following rules affect the ACL path trace results:
+ Only matching access control entries (ACEs) are reported.
+ If you leave out the protocol, source port, or destination port when defining a path trace, the results include ACE matches for all possible values for these fields (-> These are optional criteria and if they are omitted, all possible results are included)
+ If no matching ACE exists in the ACL, the flow is reported as implicitly denied (-> It is the same as an access-list, which always has an implicit “deny all” statement at the end)

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-4-x/path_trace/user-guide/b_Cisco_Path_Trace_User_Guide_1_4_0_x/b_Cisco_Path_Trace_Solution_Guide_1_4_0_x_chapter_011.html

Question 18

Which command do you enter to permit IPv6 functionality on an EIGRPv3 interface?

A. Router1(config)#ipv6 unicast-routing
B. Router1(config-if)#ipv6 router eigrp 1
C. Router1(config-if)#ipv6 enable
D. Router1(config-if)#ipv6 eigrp 1

 

Answer: D

Explanation

An example of configuring EIGRPv3 is shown below:

R1(config)#ipv6 router eigrp 1
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#no shutdown
R1(config)#interface GigabitEthernet 0/1
R1(config-if)#ipv6 eigrp 1

This question asks about “on an EIGRPv3 interface”, so “ipv6 eigrp 1” is the only command that is required on an EIGRPv3 interface.

Question 19

Which command do you enter to create an SVI?

A. switch(config)#interface vlan 5
B. switch(config)#interface FastEthernet 0/5
C. switch(config)#interface FastEthernet 0/0.5
D. switch(vlan)#interface svi vlan 5

 

Answer: A

Question 20

Which command do you enter to protect a PortFast-enabled port against unauthorized switches on the network?

A. switch(config)#spanning-tree portfast bpdufilter default
B. switch(config)#spanning-tree portfast bpduguard default
C. switch(config-if)#spanning-tree guard root
D. switch(config-if)#spanning-tree portfast

 

Answer: B

Explanation

The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences.

At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.

Question 21

Which VTP operating mode enables a switch to forward VTP information while ignoring synchronization?

A. off
B. server
C. transparent
D. client

 

Answer: C

Question 22

Which switch architecture is scalable, flexible, resilient, and relatively inexpensive?

A. aggregate switch
B. single switch
C. stacked switch
D. modular-chassis switch

 

Answer: C

Explanation

Some network switches have the ability to be connected to other switches and operate together as a single unit. These configurations are called stacks, and are useful for quickly increasing the capacity of a network.

Stackable switches can be added or removed from a stack as needed without affecting the overall performance of the stack. Depending on its topology, a stack can continue to transfer data even if a link or unit within the stack fails. This makes stacking an effective, flexible, and scalable solution to expand network capacity.

Reference: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-350x-series-stackable-managed-switches/smb5252-what-is-stacking.html

Question 23

Which technology can prevent client devices from arbitrarily connecting to the network without state remediation?

A. 802.1x
B. IP Source Guard
C. MAC Authentication Bypass
D. 802.11n

 

Answer: A

Question 24

Which routing protocol is most appropriate for sending and receiving routes directly to and from the Internet?

A. RIP
B. BGP
C. EIGRP
D. OSPF

 

Answer: B

Question 25

Which command do you enter to configure client authentication for PPPoE?

A. Dev1(config-if)#ppp pap sent-username cisco password password1
B. Dev1(config)#aaa authentication ppp default local
C. Dev1(config-if)#ppp chap password password1
D. Dev1(config)#username cisco password password1

 

Answer: D

Question 26

Which two factors can affect the price of leased point-to-point WAN links? (Choose two)

A. amount of bandwidth used
B. type of traffic
C. amount of bandwidth requested
D. number of sites interconnected
E. distance between two points

 

Answer: A E

Question 27

In which LACP channel mode can the port initiate negotiations with other switch ports?

A. auto
B. active
C. desirable
D. passive

 

Answer: B

Question 28

To troubleshoot a network connection, you execute the ping utility on a router and it returns the response code Q. Which symptom is a probable root cause?

A. The ICMP time was exceeded.
B. The destination is unreachable.
C. The connection timed out awaiting the reply.
D. The destination is receiving too much traffic.

 

Answer: D

Explanation

The list below gives the possible output characters from the ping facility:

+ “!”: each exclamation point indicates receipt of a reply.
+ “.”: each period indicates the network server timed out while waiting for a reply.
+ “U”: a destination unreachable error PDU was received.
+ “Q”: source quench (destination too busy).
+ “M”: could not fragment.
+ “?”: unknown packet type.
+ “&”: packet lifetime exceeded.

Question 29

Which two encapsulation types can use the keepalive command to monitor the link state of a WAN serial interface? (Choose two)

A. PPP
B. LMI
C. Frame Relay
D. HDLC
E. LCP

 

Answer: A D

Explanation

The keepalive command applies to serial interfaces that use High-Level Data Link Control (HDLC) or PPP encapsulation. It does not apply to serial interfaces that use Frame Relay encapsulation.

For both PPP and HDLC encapsulation types, a keepalive of zero disables keepalives and is reported in the show running-config command output as keepalive disable.

Reference: https://www.cisco.com/c/en/us/support/docs/content-networking/keepalives/118390-technote-keepalive-00.html

Question 30

Which tool or utility can report whether traffic matching specific criteria can reach a specified destination on the ACLs along the path?

A. Cisco Security Device Manager
B. Cisco Prime
C. APIC-EM
D. Cisco Network Assistant

 

Answer: C

Explanation

If you performed an ACL trace, the devices show whether the traffic matching your criteria would be permitted or denied based on the ACLs configured on the interfaces.

Question 31

Which type of VPN allows for one endpoint to be learned dynamically during tunnel negotiation?

A. DMVPN
B. site-to-site VPN
C. GRE
D. client VPN

 

Answer: A

Question 32

Which function is performed by a TACACS+ server?

A. It hosts an access list that permits or denies IP traffic to the control plane of a device.
B. It provides external AAA verification.
C. It filters usernames and passwords for Telnet and SSH.
D. It serves as a database for line passwords.

 

Answer: B

Question 33

What do SNMPv1 and SNMPv2 have in common?

A. They use the same authentication techniques.
B. They both use the local database to permit username access.
C. They both protect against message tampering in transit.
D. They both encrypt packets.

 

Answer: A

Explanation

Neither SNMPv1 nor SNMPv2 focused much on security: both provide security based on the community string only, and a community string is really just a clear-text password (sent without encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and interception.

SNMPv3 provides significant enhancements to address the security weaknesses existing in the earlier versions. The concept of community string does not exist in this version. SNMPv3 provides a far more secure communication using entities, users and groups.

Question 34

Which three features are QoS congestion-management tools? (Choose three)

A. PPPoE
B. PQ
C. FIFO
D. PPP
E. PDQ
F. WFQ

 

Answer: B C F

Explanation

Good reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_conmgt/configuration/xe-3s/qos-conmgt-xe-3s-book/qos-conmgt-oview.html

Question 35

Which two statements about exterior gateway routing protocols are true? (Choose two)

A. BGP is considered to be a path-vector protocol.
B. They can be used to connect to another AS across the Internet as a virtual instance.
C. eBGP is considered to be a distance-vector protocol.
D. EGP is considered to be a path-vector protocol.
E. They can be used to connect to the Internet.

 

Answer: A E

Question 36

Which two characteristics of a link-state routing protocol are true? (Choose two)

A. It sends periodic updates.
B. It has a higher CPU requirement than distance-vector protocols.
C. It supports a hop-count limit.
D. It receives updates on the multicast address.
E. It receives updates on the broadcast address.

 

Answer: B D

Question 37

Which statement about OSPFv3 configuration is true?

A. You can add networks under the routing process.
B. You must configure neighbors manually.
C. You must individually add interface IP addresses to the OSPFv3 database.
D. You can enable OSPFv3 for a network under the interface configuration mode.

 

Answer: D

Question 38

In which three circumstances may your organization require a high-bandwidth Internet connection? (Choose three)

A. It uses cloud computing
B. It uses network devices that require frequent IOS upgrades
C. It uses peer-to-peer file sharing
D. It is undergoing a SAN expansion
E. It uses Infrastructure as a Service
F. It uses resource-intensive applications

Answer: A C E

Question 39

After you notice that the SNMP manager is failing to receive traps, your troubleshooting verifies that the engine ID, username, group name, and host values are set appropriately. Which configuration item is a probable root cause?

A. Traps are disabled.
B. The snmp-server enable traps command is missing from the configuration.
C. The snmp-server host informs command is missing from the configuration.
D. The host is down.

 

Answer: B

Question 40

In the Software-Defined Networking model, where is the interface between the control plane and the data plane?

A. between the control layer and the infrastructure layer
B. between the collocated layer and the dislocated layer
C. between the control layer and application layer
D. between the application layer and the infrastructure layer

 

Answer: A

Question 41

Which command do you enter so that a switch configured with Rapid PVST+ listens and learns for a specific time period?

A. switch(config)#spanning-tree vlan 1 max-age 6
B. switch(config)#spanning-tree vlan 1 hello-time 10
C. switch(config)#spanning-tree vlan 1 priority 4096
D. switch(config)#spanning-tree vlan 1 forward-time 20

 

Answer: D

Explanation

The forward delay is the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/19120-122.html

Question 42

Which three protocols does APIC-EM support with Path Trace? (Choose three)

A. HSRP
B. ECMP
C. WLC
D. SNMP
E. SMTP
F. ECMP/TR

 

Answer: A B F

Explanation

Path Trace Supported Device Protocols and Network Connections:

Access Control List (ACL)
Border Gateway Protocol (BGP)
Dynamic Multipoint VPN (DMVPN)
Enhanced Interior Gateway Routing Protocol (EIGRP)
Equal Cost Multipath/Trace Route (ECMP/TR)
Equal Cost Multi Path (ECMP)
Hot Standby Router Protocol (HSRP)
Intermediate System-to-Intermediate System (IS-IS) Protocol

For more information about these supported protocols and network connections, please visit https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-3-x/config-guide/b_apic-em_config_guide_v_1-3-x/b_apic-em_config_guide_v_1-3-x_chapter_0111.html

Question 43

Which step must you perform first to enable OSPFv3 process 20 for IPv6?

A. Enter the ipv6 router ospf 20 command to enable OSPFv3.
B. Enter the ip routing command to enable IPv4 unicast routing.
C. Enter the router ospf 20 commands to enable OSPF.
D. Enter the ipv6 unicast-routing command to enable IPv6 unicast routing.

 

Answer: D

Question 44

How can you mitigate VLAN hopping attacks?

A. Configure an unused nondefault VLAN as the native VLAN.
B. Enable dynamic ARP inspection.
C. Configure a used nondefault VLAN as the native VLAN.
D. Configure extended VLANs

 

Answer: A

Explanation

To mitigate VLAN Hopping, the following things should be done:

1) If no trunking is required, configure port as an access port, this also disables trunking on that interface:

Switch(config-if)# switchport mode access

2) If trunking is required, try to configure the port to Nonegotiate to prevent DTP frames from being sent.

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

3) Set the native VLAN to an unused VLAN and don’t use this VLAN for any other purpose (-> Therefore answer A is correct)

Switch(config-if)# switchport trunk native vlan VLAN-ID

4) Force the switch to tag the native VLAN on all its 802.1Q trunks:

Switch(config)# vlan dot1q tag native
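As an added example that is not from the original page: a small configuration audit in Python that reads a running-config excerpt and reports which of the four mitigation steps above are missing on each switch port. The config text is a constructed sample, not taken from a real device; it is not a Cisco tool.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt (not from a real device) with one hardened trunk,
# one unhardened trunk, one access port, and one port left at the DTP default.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport trunk native vlan 10
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style config text into global lines and per-interface sub-commands."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_vlan_hopping(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs for each mitigation step that is not in place."""
    global_lines, interfaces = parse_config(text)
    findings: List[Tuple[str, str]] = []
    access_vlans = set()
    for lines in interfaces.values():
        for l in lines:
            m = re.match(r"switchport access vlan (\d+)", l)
            if m:
                access_vlans.add(int(m.group(1)))
    for name, lines in interfaces.items():
        modes = [l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1] if modes else None
        if mode is None:
            findings.append((name, "no explicit switchport mode; DTP may negotiate a trunk (step 1 or 2)"))
        elif mode == "access":
            pass  # step 1 satisfied: an access port does not trunk
        elif mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still sends DTP frames; add switchport nonegotiate (step 2)"))
            native = 1  # IOS default when no native VLAN is configured
            for l in lines:
                m = re.match(r"switchport trunk native vlan (\d+)", l)
                if m:
                    native = int(m.group(1))
            if native == 1:
                findings.append((name, "native VLAN is the default VLAN 1 (step 3)"))
            elif native in access_vlans:
                findings.append((name, f"native VLAN {native} is also an access VLAN (step 3)"))
        else:
            findings.append((name, f"switchport mode {mode} negotiates trunking via DTP (step 1 or 2)"))
    if "vlan dot1q tag native" not in global_lines:
        findings.append(("global", "native VLAN frames are untagged; add vlan dot1q tag native (step 4)"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit_vlan_hopping(RUNNING_CONFIG):
        print(f"{scope}: {msg}")
```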

Question 45

Which two statements about CHAP are true? (Choose two)

A. The CHAP negotiation phase begins after the LCP phase is complete.
B. Each authenticating router has a unique username and password.
C. It uses a three-way handshake to identify the peer router.
D. The local MD5 secret is transmitted to the peer for authentication.
E. The LCP phase begins after CHAP authentication is complete.

 

Answer: A C

Explanation

After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer.

Reference: https://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html

Question 46

After you configure multiple point-to-point tunnels on one interface, you notice that the interface is suffering from saturation. Which action do you take to correct the problem?

A. set the tunnel mode
B. set the bandwidth value
C. set the tunnel key argument
D. set the keepalive period

 

Answer: B

Question 47

Which two traffic types must always be transmitted on VLAN 1? (Choose two)

A. UDP
B. DTP
C. NTP
D. CDP
E. TCP

 

Answer: B D

Explanation

Control plane traffic (like CDP, VTP, STP…) runs on VLAN 1 by default. We cannot move these protocols to another VLAN.

Question 48

Which command can you enter to display the default VLAN?

A. show interface brief
B. show run
C. show ip interface brief
D. show interface f0/2 switchport

 

Answer: D

Explanation

An example of the “show interface e0/0 switchport” command is shown below:

Name: Et0/0
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none

This command displays the default access mode VLAN & native VLAN.

Question 49

Which STP mode supports spanning-tree interoperability between Cisco and non-Cisco switches?

A. MSTP
B. PVST+
C. PVSTP
D. RSTP

 

Answer: B

Explanation

PVST: Cisco has a proprietary version of STP that offers more flexibility than the CST version. Per-VLAN Spanning Tree (PVST) operates a separate instance of STP for each individual VLAN. This allows the STP on each VLAN to be configured independently, offering better performance and tuning for specific conditions.

Cisco has a second proprietary version of STP that allows devices to interoperate with both PVST and CST. Per-VLAN Spanning Tree Plus (PVST+) effectively supports three groups of STP operating in the same campus network:
+ Catalyst switches running PVST
+ Catalyst switches running PVST+
+ Switches running CST over 802.1Q

To do this, PVST+ acts as a translator between groups of CST switches and groups of PVST switches. PVST+ can communicate directly with PVST by using ISL trunks. To communicate with CST, however, PVST+ exchanges BPDUs with CST as untagged frames over the native VLAN. BPDUs from other instances of STP (other VLANs) are propagated across the CST portions of the network by tunneling. PVST+ sends these BPDUs by using a unique multicast address so that the CST switches forward them on to downstream neighbors without interpreting them first. Eventually, the tunneled BPDUs reach other PVST+ switches where they are understood.

Reference: CCNP SWITCH Official Certification Guide

In short, PVST+ supports interoperability between CST switches (run on non-Cisco devices) and PVST switches (run on Cisco devices).

Question 50

Where must you configure switch-level global features on a switch stack?

A. on the stack master
B. on the stack master and each individual stack member
C. on the stack master or any individual stack member
D. on each individual stack member

 

Answer: A

Question 51

Which HSRP feature do you configure so that the device with the highest priority immediately becomes the active router?

A. standby timers
B. preemption
C. standby authentication
D. holdtime

 

Answer: B

Question 52

Which Cisco IOS feature can you use to dynamically identify a connectivity problem between a Cisco device and a designated endpoint?

A. traceroute
B. ICMP Echo IP SLAs
C. IP SLAs threshold monitoring
D. Multi Operation Scheduler IP SLAs

 

Answer: B

Question 53

Which command must you enter to prepare an interface to carry voice traffic?

A. Switch1(config-if)#switchport mode access
B. Switch1(config-if)#switchport mode trunk
C. Switch1(config-if)#switchport access vlan 10
D. Switch1(config-if)#switchport host

 

Answer: B (?)

Explanation

In fact only old switches require a trunk to carry voice traffic. Modern switches can carry voice traffic in access mode.

Question 54

Which command do you enter to verify an SVI?

A. show running-configuration | include vlan5
B. show vlan5
C. show interface vlan5
D. show startup-configuration | include vlan5

 

Answer: C

Explanation

An SVI is nearly the same as a physical interface (except that it is virtual and dedicated to a VLAN), so we can check it with the “show interface <vlan-id>” or “show ip interface <vlan-id>” command.

Question 55

What two options are causes of network slowness that can result from inter-VLAN routing problems? (Choose two)

A. Root guard disabled on an EtherChannel
B. Packet loss
C. DTP disabled on a switchport
D. BPDU guard enabled on a switchport
E. Hardware forwarding issues

 

Answer: B E

Explanation

Causes for Network Slowness
Packet Loss

In most cases, a network is considered slow when higher-layer protocols (applications) require extended time to complete an operation that typically runs faster. That slowness is caused by the loss of some packets on the network, which causes higher-level protocols like TCP or applications to time out and initiate retransmission.

Hardware Forwarding Issues

With another type of slowness, caused by network equipment, forwarding (whether Layer 2 [L2] or L3) is performed slowly. This is due to a deviation from normal (designed) operation and switching to slow path forwarding. An example of this is when Multilayer Switching (MLS) on the switch forwards L3 packets between VLANs in the hardware, but due to misconfiguration, MLS is not functioning properly and forwarding is done by the router in the software (which drops the interVLAN forwarding rate significantly).

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/virtual-lans-vlan-trunking-protocol-vlans-vtp/23637-slow-int-vlan-connect.html#network_slow

Question 56

Which command do you enter to determine the root priority?

A. Show spanning-tree mapping
B. Show spanning-tree summary
C. Show spanning-tree bpdu-filter 1
D. Show spanning-tree backbonefast

 

Answer: B (?) in fact there is no correct answer

Explanation

The “show spanning-tree summary” command displays all the features that are enabled for STP (which includes PortFast BPDU Guard, Loop Guard, Root Guard); this command also displays the number of blocked, listening, learning, and forwarding interfaces. But it does not show the root priority. Other answers are not correct either.

show_spanning-tree_summary.jpg

Question 57

Which two commands debug a PPPoE connection that has failed to establish? (Choose two)

A. Debug ppp compression
B. Debug ppp negotiation
C. Debug dialer events
D. Debug ppp cbcp
E. Debug dialer packet

 

Answer: B E

Question 58

Which two commands debug a PPPoE connection that has failed to establish? (Choose two)

A. debug ppp compression
B. debug ppp negotiation
C. debug dialer events
D. debug ppp cbcp
E. debug dialer packet

 

Answer: B E

Explanation

According to this link https://supportforums.cisco.com/t5/network-infrastructure-documents/troubleshooting-for-pppoe-connection-failure-part-1/ta-p/3147204

The following debug commands can be used to troubleshoot PPPoE connection that failed:

+ debug ppp authentication
+ debug ppp negotiation
+ debug pppoe event

The debug ppp negotiation command enables you to view the PPP negotiation transactions, identify the problem or stage when the error occurs, and develop a resolution.

We are not sure about the “debug dialer packet” command but it seems to be the most reasonable answer left.

Question 59

Which command do you enter to verify that a VLAN has been removed from a trunk?

A. Switch(config-if)# switchport trunk allowed vlan none
B. Switch(config-if)# switchport trunk except vlan 10
C. Switch(config-if)# switchport trunk remove vlan 10
D. Switch(config-if)# no switchport trunk allowed vlan add 10

 

Answer: B (?)

Explanation

The command “switchport trunk allowed vlan none” removes all allowed VLANs from a trunk, while “switchport trunk except vlan <vlan-id>” removes only <vlan-id> from the allowed VLAN list. But the question asks about verification, so it is a bit unclear.

Question 60

Which command do you enter to determine whether LACP is in use on a device?

A. Show etherchannel summary
B. Show port-channel summary
C. Show etherchannel load-balance
D. Show ip protocols

Answer: B

Question 61

Which channel mode is available to static EtherChannels?

A. On
B. Passive
C. Active
D. Desirable

 

Answer: A

Question 62

Which three commands do you use to verify that IPSec over a GRE tunnel is working properly? (Choose three.)

A. Clear Crypto isakmp
B. PPP encrypt mppe auto
C. Show crypto engine connections active
D. Show crypto ipsec sa
E. Show crypto isakmp sa
F. Debug crypto isakmp

 

Answer: D E F

Question 63

Which combination of values is valid for a router-on-a-stick implementation?

A. IP address 173.15.20.6/20, gateway 173.15.30.1, and VLAN 20
B. FastEthernet interface 0/0.30, IP address 173.15.20.33/27, gateway 173.15.20.1 and VLAN 30
C. IP address 173.15.30.6/26, gateway 173.15.30.62, and VLAN 20
D. FastEthernet interface 0/0.20, IP address 173.15.30.33/27, gateway 173.15.30.1 and VLAN 30

 

Answer: C

Explanation

The gateway and the IP address of the subinterface must be in the same subnet -> only answer C is correct.

Question 64

Which two types of cloud services may require you to alter the design of your network infrastructure? (Choose two)

A. Sudo as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. Software as a Service
E. Business as a Service

 

Answer: B C

Explanation

These different types of cloud computing services delivery models are called infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

Reference: https://www.cisco.com/en/US/services/ps2961/ps10364/ps10370/ps11104/need-for-cloud-services-catalog_whitepaper.pdf

Question 65

Through which three states does a BGP routing process pass when it establishes a peering session with a neighbor? (Choose three)

A. Open receive
B. Inactive
C. Active
D. Connected
E. Open sent
F. Idle

 

Answer: C E F

Explanation

BGP forms a TCP session with neighbor routers called peers. The BGP session may report in the following states:

+ Idle
+ Connect
+ Active
+ OpenSent
+ OpenConfirm
+ Established

Reference: http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4

Question 66

Which encryption method does CHAP authentication use for the peer response?

A. EAP
B. MD5
C. DES
D. DSS
E. AES
F. 3DES

 

Answer: B

Question 67

Which two characteristics of stacked switches are true? (Choose two)

A. They reduce management complexity.
B. They are less scalable than modular switches.
C. They can manage multiple IP addresses across multiple switches.
D. They have a single management interface.
E. Each unit in the stack can be assigned its own IP address for administration.

 

Answer: A D

Question 68

Which option describes a drawback of proxy ARP?

A. It overwrites MAC addresses that were learned with inverse ARP.
B. It can make it more difficult for the administrator to locate device misconfigurations.
C. It dynamically establishes Layer 2 tunneling protocols, which increases network overhead.
D. If proxy ARP is configured on multiple devices, the internal Layer 2 network may become vulnerable to DDoS attacks.

 

Answer: D

Question 69

Which feature or value must be configured to enable EIGRPv6?

A. Network statement
B. Shutdown feature
C. Router ID
D. Remote AS

 

Answer: C

Question 70

Which command do you enter to enable local authentication for Multilink PPP on an interface?

A. Router(config-if)# l2tp authentication
B. Router(config)# username router password password1
C. Router(config-if)# ppp chap password password1
D. Router(config)#aaa authentication ppp default local

 

Answer: B

Question 71

Which options are the two differences between HSRP versions 1 and 2? (Choose two)

A. Only HSRP version 2 can be configured to use authentication.
B. Only HSRP version 2 sends hello packets to 224.0.0.2.
C. Only HSRP version 1 sends hello packets to IPv6 multicast address FF02::66.
D. Only HSRP version 1 can be configured with a group number of 4095.
E. Only HSRP version 2 can be configured with a group number of 4095.
F. Only HSRP version 2 sends hello packets to 224.0.0.102.

 

Answer: E F

Explanation

In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095 -> E is correct.

HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the multicast address of 224.0.0.2, which is used by version 1 -> F is correct.

Question 72

Which component of an IPv6 OSPFv3 connection must be configured in IPv4 format?

A. Router ID
B. Primary interface
C. Neighbor address
D. Secondary interface

 

Answer: A

Question 73

Which protocol can be used between administrative domains?

A. IS-IS
B. EIGRP
C. BGP
D. OSPF

 

Answer: C

Explanation

BGP is an example of an Exterior Gateway Protocol (EGP) which exchanges routing information between different autonomous systems.

BGP is a path vector protocol. A path vector protocol does not rely on the bandwidth of the links (like OSPF), the hop count (like RIP) or a group of parameters (like EIGRP). It relies on the number of autonomous systems it has to go through. In other words, it chooses the path with the least number of autonomous systems (shortest AS Path) to reach the destination, provided that the path is loop-free.

Question 74

For which reason can a GRE tunnel have an UP/DOWN status?

A. The tunnel source interface is UP.
B. A tunnel destination is undefined.
C. The tunnel destination address is routable via a route that is separate from the tunnel.
D. The tunnel has been shut down.

 

Answer: B

Explanation

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
– There is no route, which includes the default route, to the tunnel destination address.
– The interface that anchors the tunnel source is down.
– The route to the tunnel destination address is through the tunnel itself, which results in recursion.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

Question 75

Which utility do you use to view IP traffic that is switched through the router to locate errors in a TCP stream?

A. Wireshark
B. Packet debugging
C. Ethereal
D. Ping
E. Traceroute

 

Answer: B

Explanation

Cisco routers provide a basic method of viewing IP traffic switched through the router called packet debugging. Packet debugging enables a user to determine whether traffic is travelling along an expected path in the network or whether there are errors in a particular TCP stream. Although in some cases packet debugging can eliminate the need for a packet analyzer, it should not be considered a replacement for this important tool.

Reference: https://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1907.html

Question 76

Which command do you enter so that a port enters the forwarding state immediately when a PC is connected to it?

A. Switch(config)# spanning-tree portfast bpduguard default
B. Switch(config)# spanning-tree portfast default
C. Switch(config-if)# spanning-tree portfast trunk
D. Switch(config-if)#no spanning-tree portfast

 

Answer: B

Explanation

If there is a “spanning-tree portfast” answer then it will surely be a correct answer. If not then answer B is the most suitable one even though the “spanning-tree portfast default” command enables PortFast globally on all non-trunking ports, not a single port.

Question 77

Which information is provided by the output of the show snmp engineID command?

A. Information about remote SNMP engines on the network only.
B. Information about the local SNMP engine and remote SNMP engines that are configured on the device.
C. Information about SNMP users and SNMP groups in the network.
D. Information about the local SNMP engine only.

 

Answer: B

Explanation

The “show snmp engineID” command displays the identification of the local SNMP engine and all remote engines that have been configured on the router. The following example shows 00000009020000000C025808 as the local engineID and 123456789ABCDEF000000000 as the remote engine ID, 171.69.37.61 as the IP address of the remote engine (copy of SNMP) and 162 as the port from which the remote device is connected to the local device:

Router# show snmp engineID
Local SNMP engineID: 00000009020000000C025808
Remote Engine ID           IP-addr          Port
123456789ABCDEF000000000   171.69.37.61     162

Question 78

Which term represents the minimum bandwidth provided in a Metro Ethernet connection?

A. UNI
B. CIR
C. EVC
D. PIR

 

Answer: B

Explanation

Committed information rate (CIR): The minimum guaranteed data transfer rate agreed to by the routing device.

Question 79

What is the default value of the Read-Write-All-SNMP community string?

A. Secret
B. Private
C. Public
D. Cisco

 

Answer: A

Explanation

On Catalyst switches such as the 4000, 5000, and 6000 series that run a regular catalyst Operating System (OS), SNMP is enabled by default with the community strings set to:
+ Read-Only: Public
+ Read-Write: Private
+ Read-Write-all: Secret

With these community strings and the IP address of your switch’s management interface, anyone is able to reconfigure the device. You must change the community strings on the Catalyst switch immediately after you set the device on the network. This is very important.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/7282-12.html
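A quick way to catch the problem described above on an IOS device is to check the running configuration for community strings that are still at the well-known defaults. The following audit script is an added example, not taken from the page or from Cisco; it assumes the IOS `snmp-server community <string> [view <name>] [RO|RW] [acl]` line format (the page's own text concerns CatOS, whose syntax differs), and the sample configuration is constructed.

```python
"""Audit an IOS-style running configuration for SNMP community strings
that are still set to the well-known defaults (public / private / secret),
grant read-write access, or are not restricted by an access list.

Added example; the config below is constructed, not from a real device."""
import re
from typing import Dict, List

# The defaults named in the explanation above; compared case-insensitively.
DEFAULT_COMMUNITIES = {"public", "private", "secret"}

# Assumed IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [acl]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(RO|RW))?"
    r"(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample configuration with two weak lines and one acceptable one.
SAMPLE_CONFIG = """\
hostname SW-CORE-1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community N3tM0n-r0 RO 10
snmp-server location DC-1 row 4
!
"""


def audit_snmp_communities(config: str) -> List[Dict[str, object]]:
    """Return one finding per weak community line; an empty list means clean."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community = m.group(1)
        mode = (m.group(2) or "RO").upper()   # IOS defaults to read-only
        acl = m.group(3)

        issues: List[str] = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if mode == "RW":
            # A guessable RW string lets anyone reconfigure the device.
            issues.append("read-write access")
        if acl is None:
            issues.append("no access-list restricting sources")

        if issues:
            findings.append({"line": lineno, "community": community,
                             "mode": mode, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"line {f['line']}: community {f['community']!r} ({f['mode']}): "
              + ", ".join(f["issues"]))
```

Community strings in SNMPv1/v2c travel in cleartext, so beyond renaming them the durable fix is SNMPv3 with authentication and privacy, which this check does not cover.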

Question 80

Which three effects of using local SPAN are true? (Choose three)

A. It doubles the load on the forwarding engine.
B. It prevents SPAN destinations from using port security.
C. It doubles internal switch traffic.
D. It reduces the supervisor engine workload by half.
E. it reduces the load on the switch fabric.

 

Answer: A B C

Question 81

Refer to the exhibit.

switch#configure terminal
switch(config)#interface ethernet1/0
switch(config-if)#switchport mode trunk
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 10

Which option is the effect of this configuration?

A. It configures the switch port for trunk only.
B. It configures the switch port for voice traffic.
C. It configures the switch port for access and trunk.
D. It configures the switch port for access only.

 

Answer: D

Explanation

With this configuration, the first switchport command “switchport mode trunk” will be overwritten by the “switchport mode access” command and this port becomes an access port.

Question 82

Which command do you enter to allow a new VLAN across a trunk?

A. Switch(config-if)# switchport trunk except vlan10
B. Switch(config-if)# no switchport trunk remove vlan10
C. Switch(config-if)# switchport trunk allowed vlan add 10
D. Switch(config-if)# switchport trunk allowed vlan10

 

Answer: C

Explanation

The command “switchport trunk allowed vlan add <vlan-id>” adds a new VLAN to the VLANs already allowed on the trunk. For example, suppose our trunk currently allows VLANs 1, 4, 5, 9, 12; then the command “switchport trunk allowed vlan add 10” will allow VLANs 1, 4, 5, 9, 10, 12 on the trunk.

Question 83

Which feature can prevent a rogue device from assuming the role of the root bridge in a switching domain?

A. VTP
B. BPDU Filter
C. DTP
D. Root Guard

 

Answer: D

Explanation

Root Guard ensures that the port on which root guard is enabled is the designated port. If the bridge receives superior BPDUs on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state (which is equal to STP listening state). No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

Question 84

Which configuration do you apply to an HSRP router so that it is most likely to come up if the active router goes down?

A. Standby 4 preempt
B. Standby 4 priority 110 preempt delay 300
C. Standby 4 priority 115
D. Standby 4 priority 145

 

Answer: A

Question 85

In which two models can control-plane functionality be implemented? (Choose two)

A. Dispersed
B. Distributed
C. Fragmented
D. Centralized
E. Allocated

 

Answer: B D

Explanation

In its simplest form, the control plane provides layer-2 MAC reachability and layer-3 routing information to network devices that require this information to make packet forwarding decisions. In the case of firewalls, the control plane would include stateful flow information for inspection. Control plane functionality can be implemented as follows:

+ Distributed – Conventional routers and switches operate using distributed protocols for control, i.e. each device makes its own decisions about what to do and communicates relevant information to other devices for input into their decision-making process. For example, the Spanning Tree Protocol (STP), FabricPath, and routing protocols such as IS-IS and BGP provide distributed control of packet forwarding functionality to networking devices.

+ Centralized – In this case, a centralized controller provides the necessary information for a network element to make a decision. For example, these controller(s) instruct networking devices on where to forward packets by explicitly programming their MAC and FIBs.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/SDN/SDN.html

Question 86

Which type of IPv6 ACL is applied first in the order of precedence?

A. TCAM
B. router ACLs
C. Fragmented frames
D. Port ACLs

 

Answer: D

Explanation

As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs:
+ When an input router ACL and input port ACL exist in an SVI, packets received on ports to which a port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
+ When an output router ACL and input port ACL exist in an SVI, packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the router ACL. Other packets are not filtered.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swv6acl.pdf

Question 87

Which three fields can be marked with QoS? (Choose three)

A. Header checksum
B. IP precedence
C. DSCP
D. Total length
E. Discard Class
F. TTL

 

Answer: B C E

Explanation

For a single class, you can set operations on any two out of the following five fields: CoS, IP Precedence, DSCP, QoS Group, and Discard Class.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_4/qos/configuration/guide/n1000v_qos/n1000v_qos_3marking.pdf

Question 88

Drag and drop the CSMA components from the left onto the correct descriptions on the right

CSMA_Components.jpg

 

Answer:

+ 1-persistent: Access mode used for Ethernet network
+ CSMA/CA: Rules that define the system response when a collision occurs on a Wi-fi network
+ CSMA/CD: Rules that define the system response when a collision occurs on an Ethernet network
+ O-persistent: Access mode used in the controlled area network
+ P-persistent: Access mode used for Wi-fi networks

Explanation

1-persistent CSMA is an aggressive transmission algorithm. When the transmitting node is ready to transmit, it senses the transmission medium for idle or busy. If idle, then it transmits immediately. If busy, then it senses the transmission medium continuously until it becomes idle, then transmits the message (a frame) unconditionally (i.e. with probability=1). In case of a collision, the sender waits for a random period of time and attempts the same procedure again. 1-persistent CSMA is used in CSMA/CD systems including Ethernet.

Non-persistent CSMA is a non-aggressive transmission algorithm. When the transmitting node is ready to transmit data, it senses the transmission medium for idle or busy. If idle, then it transmits immediately. If busy, then it waits for a random period of time (during which it does not sense the transmission medium) before repeating the whole logic cycle (which started with sensing the transmission medium for idle or busy) again. This approach reduces collisions and results in higher overall medium throughput, at the cost of a longer initial delay compared to 1-persistent.

P-persistent is an approach between 1-persistent and non-persistent CSMA access modes. When the transmitting node is ready to transmit data, it senses the transmission medium for idle or busy. If idle, then it transmits immediately. If busy, then it senses the transmission medium continuously until it becomes idle, then transmits with probability p. If the node does not transmit (the probability of this event is 1-p), it waits until the next available time slot. If the transmission medium is still not busy, it transmits again with the same probability p. This probabilistic hold-off repeats until the frame is finally transmitted or the medium is found to be busy again (i.e. some other node has already started transmitting). In the latter case the node repeats the whole logic cycle (which started with sensing the transmission medium for idle or busy) again. p-persistent CSMA is used in CSMA/CA systems including Wi-Fi and other packet radio systems.

O-persistent
Each node is assigned a transmission order by a supervisory node. When the transmission medium goes idle, nodes wait for their time slot in accordance with their assigned transmission order. The node assigned to transmit first transmits immediately. The node assigned to transmit second waits one time slot (but by that time the first node has already started transmitting). Nodes monitor the medium for transmissions from other nodes and update their assigned order with each detected transmission (i.e. they move one position closer to the front of the queue). O-persistent CSMA is used by CobraNet, LonWorks and the controller area network.

Reference: https://en.wikipedia.org/wiki/Carrier-sense_multiple_access

Question 89

Drag and drop the PPPoE message types from the left into the sequence in which PPPoE messages are sent on the right.

PADR 1
PADS 2
PADI 3
PADO 4

 

Answer:

1. PADI
2. PADO
3. PADR
4. PADS

Question 90

Drag and drop the characteristics of a cloud environment onto the correct descriptions.

Cloud_Environment.jpg

Answer:

+ Multitenancy: One or more clients can be hosted with the same physical or virtual infrastructure
+ Scalability: Resources can be added and removed as needed to support current workload and tasks
+ Workload movement: Tasks can be migrated to different physical locations to increase efficiency or reduce cost
+ On-demand: Resources are dedicated only when necessary instead of on a permanent basis
+ Resiliency: Tasks and data residing on a failed server can be seamlessly migrated to other physical resources

Question 91

Drag and drop the network programmability features from the left onto the correct description on the right.

SDN.jpg

Answer:

+ HTTPS: call to the APIC-EM API from a library
+ JSON: data-structure format that passes parameters for API calls
+ OpenFlow: southbound API
+ RBAC: token-based security mechanism
+ REST: northbound API

Explanation

What is the data format used to send/receive data when making REST calls for APIC-EM?

Javascript Object Notation (JSON) is used to pass parameters when making API calls and is also the returned data format.

What’s RBAC?

The Role-Based Access Controls (RBAC) mechanism utilizes security tokens that the controller issues upon successful authentication of a user of the APIC-EM controller. All subsequent requests from the authenticated user must provide a valid token.

Reference: https://communities.cisco.com/docs/DOC-60530#q16

Question 92

Drag and drop the descriptions of performing an initial device configuration from the left onto the correct features or components on the right.

Initial_device_configuration.jpg

Answer:

+ feature that allows remote access to the console: VTY line
+ feature that confirms a user is permitted to access the device: password
+ value that enables routing when the device is unable to locate a specific route on the routing table: default gateway
+ value that uniquely identifies the device: hostname
+ encrypted value that is used to confirm a user is permitted to access the device: enable secret password

Question 93

Drag and drop the BGP components from the left onto the correct descriptions on the right.

BGP_components.jpg

Answer:

+ autonomous system number: Value that identifies an administrative domain
+ BGP Speaker: device that is running BGP
+ eBGP: peer neighbor that is located outside the administrative domain of the local device
+ BGP Peer: neighbor device that shares the same AS number as the local device
+ Prefix: value that is advertised with the network keyword

Question 94

Which two QoS tools can provide congestion management? (Choose two)

A. CBWFQ
B. FRTS
C. CAR
D. PQ
E. PBR

 

Answer: A D

Explanation

This module discusses the types of queueing and queueing-related features (such as bandwidth management) which constitute the congestion management QoS features:

Class-based WFQ (CBWFQ): extends the standard WFQ functionality to provide support for user-defined traffic classes. For CBWFQ, you define traffic classes based on match criteria including protocols, access control lists (ACLs), and input interfaces. Packets satisfying the match criteria for a class constitute the traffic for that class.

Priority queueing (PQ): With PQ, packets belonging to one priority class of traffic are sent before all lower priority traffic to ensure timely delivery of those packets.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_conmgt/configuration/xe-3s/qos-conmgt-xe-3s-book/qos-conmgt-oview.html

Note: Committed Access Rate (CAR) is only used for bandwidth limitation by dropping excessive traffic.

Question 95

Which two statements about EIGRP on IPv6 device are true? (Choose two)

A. It is configured on the interface
B. It is globally configured
C. It is configured using a network statement
D. It is vendor agnostic
E. It supports a shutdown feature

 

Answer: A E

Explanation

This is an example of how to configure EIGRP for IPv6:

interface Serial0/0
no ip address
ipv6 address FE80::1 link-local
ipv6 address 2010:AB8::1/64
ipv6 enable
ipv6 eigrp 1
!
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
no shutdown

As you can see, EIGRP for IPv6 can only be enabled under each interface -> A is correct.

Under the EIGRP process there is a shutdown feature that you can turn on or off -> E is correct.

Question 96

In which STP state does MAC address learning take place on a PortFast-enabled port?

A. learning
B. listening
C. discarding
D. forwarding

 

Answer: D

Explanation

A PortFast-enabled port skips the listening and learning states and jumps to the forwarding state immediately, so it can only learn MAC addresses in that state.

Question 97

Which protocols does the Internet layer in the TCP/IP model encapsulate? (Choose two)

A. smtp
B. tcp
C. arp
D. dns
E. icmp
F. udp

 

Answer: C E

Question 98

You notice that the packets that are sent from a local host to well-known service TCP port 80 of a remote host are sometimes lost, and you suspect an ACL issue. Which two APIC-EM path trace ACL-analysis options should you use to troubleshoot the problem? (Choose two)

A. protocol
B. debug
C. destination port
D. QoS
E. Performance monitor

 

Answer: A C

Question 99

Which IOS troubleshooting tool should you use to direct system messages to your screen?

A. Local SPAN
B. Terminal monitor
C. APIC-EM
D. Log events

 

Answer: B

Question 100

In a CDP environment, what happens when the CDP interface on an adjacent device is configured without an IP address?

A. CDP becomes inoperable on that neighbor
B. CDP operates normally but it cannot provide any information for that neighbor
C. CDP uses the ip address of another interface for that neighbor
D. CDP operates normally but it cannot provide ip address information for that neighbor

 

Answer: D

Question 101

Which two pieces of information about a Cisco device can Cisco Discovery Protocol communicate? (Choose two)

A. The native VLAN
B. The spanning tree protocol
C. The trunking protocol
D. The spanning tree priority
E. The VTP domain

 

Answer: A E

Explanation

The information contained in Cisco Discovery Protocol advertisements varies based on the type of device and the installed version of the operating system. Some of the information that Cisco Discovery Protocol can learn includes:
+ Cisco IOS version running on Cisco devices
+ Hardware platform of devices
+ IP addresses of interfaces on devices
+ Locally connected devices advertising Cisco Discovery Protocol
+ Interfaces active on Cisco devices, including encapsulation type
+ Hostname
+ Duplex setting
+ VLAN Trunking Protocol (VTP) domain
+ Native VLAN

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cdp/configuration/15-mt/cdp-15-mt-book/nm-cdp-discover.html

Question 102

Drag and drop the administrative distances of EIGRP and BGP onto the correct route types.

EIGRP_BGP_ADs.jpg

 

Answer:

+ Internal EIGRP – 90
+ External EIGRP – 170
+ Internal BGP – 200
+ External BGP – 20

ICND2v3 – New Questions Part 6

June 7th, 2019 34 comments

Question 1

Drag and drop the SPAN terms from the left onto the correct description on the right.

SPAN_terms.jpg

 

Answer:

+ port that is disabled for local traffic: destination port
+ implements a SPAN session: monitor-session
+ monitored port: source port
+ views the traffic reported in a SPAN session: network analyzer

Question 2

Drag and drop the descriptions of ACLs from the left onto the correct ACL types on the right.

Access-list_types.jpg

 

Answer:

Named ACLs:
+ supports the ability to remove individual entries
+ provides greater flexibility than other ACL types

Numbered ACLs:
+ requires the entire list to be recreated when entries are moved
+ supported on vty lines

Named and Numbered ACLs:
+ supports permit and deny statements
+ applies to IP traffic only

Explanation

When you apply an access list to a vty line (with the access-class command), the access list must be a numbered access list, not a named access list, according to the older Cisco documentation this question is based on. Current IOS releases also accept a named ACL with access-class, but the numbered-ACL statement is the answer the exam expects.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-data-acl-12-4t-book/sec-cntrl-acc-vtl.html

With a named ACL we can remove an individual entry by its sequence number. For example:

R1# show access-list

Standard IP access list nat_traffic
10 permit 10.1.0.0, wildcard bits 0.0.255.255
20 permit 10.2.0.0, wildcard bits 0.0.255.255
30 permit 10.3.0.0, wildcard bits 0.0.255.255

Then to remove the second statement (the line “20 permit 10.2.0.0, wildcard bits 0.0.255.255”) we just need to type “no 20”:

R1(config)#ip access-list standard nat_traffic
R1(config-std-nacl)#no 20

Question 3

Drag and drop the terms associated with a hub-and-spoke topology from the left onto the correct descriptions on the right.

hub_and_spoke_topology.jpg

 

Answer:

+ central router: hub
+ circuit that connects remote locations: WAN
+ network design that connects all remote sites to a central location: star
+ remote router: spoke

Question 4

Drag and drop the routing protocols from the left onto the correct routing protocol types on the right.

EGP_IGP.jpg

 

Answer:

Exterior Gateway Protocol:
+ internal BGP
+ external BGP

Interior Gateway Protocol:
+ IS-IS
+ RIP

Question 5

Drag and drop the descriptions of traffic shaping and policing from the left onto the correct categories on the right.

Traffic_Policing_Shaping.jpg

 

Answer:

Traffic Policing:
+ applies to inbound and outbound traffic
+ by default, drops excess values
+ may rewrite IP precedence values

Traffic Shaping:
+ applies to outbound traffic only
+ uses a queuing mechanism to hold packets for later delivery
+ significantly increases memory usage

Explanation

traffic_policing_vs_shaping.jpg

Traffic policing propagates bursts. When the traffic rate reaches the configured maximum rate, excess traffic is dropped (or remarked). The result is an output rate that appears as a saw-tooth with crests and troughs. In contrast to policing, traffic shaping retains excess packets in a queue and then schedules the excess for later transmission over increments of time. The result of traffic shaping is a smoothed packet output rate.

Shaping implies the existence of a queue and of sufficient memory to buffer delayed packets, while policing does not. Queueing is an outbound concept; packets going out an interface get queued and can be shaped. Only policing can be applied to inbound traffic on an interface.

With policing, the token bucket determines whether a packet exceeds or conforms to the applied rate. In either case, policing implements a configurable action, which includes setting the IP precedence or Differentiated Services Code Point (DSCP).

Reference: https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/19645-policevsshape.html
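The saw-tooth versus smoothed output described above can be reproduced with a small tick-by-tick simulation. This is an added example written for this page, not Cisco code: the rate, the committed burst (bc) and the arrival pattern are constructed values, and one tick is an arbitrary scheduling interval. Both functions use the same token bucket; the only difference is that the policer drops what exceeds the rate while the shaper holds it in a queue and releases it later.

```python
"""Token-bucket policer versus shaper, simulated tick by tick.

Added example for this page (not Cisco code). The rate, burst size and the
arrival pattern are constructed values; one tick is an arbitrary scheduling
interval. The policer drops what exceeds the rate, while the shaper queues
it and releases it later at the configured rate.
"""
from collections import deque

# Constructed arrival pattern: three ticks of five 1000-byte packets, then silence.
BURST = [[1000] * 5 if tick < 3 else [] for tick in range(10)]


def police(arrivals, rate, bc):
    """Single-rate policer (exceed action: drop).

    arrivals: per-tick lists of packet sizes in bytes
    rate:     tokens (bytes) added to the bucket each tick
    bc:       committed burst, the bucket's maximum size in bytes
    Returns (bytes sent per tick, total bytes dropped).
    """
    tokens = bc
    sent_per_tick = []
    dropped = 0
    for packets in arrivals:
        tokens = min(bc, tokens + rate)
        sent = 0
        for size in packets:
            if size <= tokens:          # conform: forward and consume tokens
                tokens -= size
                sent += size
            else:                       # exceed: drop (a policer could also re-mark instead)
                dropped += size
        sent_per_tick.append(sent)
    return sent_per_tick, dropped


def shape(arrivals, rate, bc, ticks):
    """Shaper: the same token bucket with a FIFO queue in front of it.

    ticks: how many ticks to simulate, so the queue can drain after the burst.
    Returns (bytes sent per tick, deepest queue occupancy in packets).
    """
    tokens = bc
    queue = deque()
    sent_per_tick = []
    max_depth = 0
    for tick in range(ticks):
        if tick < len(arrivals):
            queue.extend(arrivals[tick])    # nothing is dropped; excess waits in memory
        max_depth = max(max_depth, len(queue))
        tokens = min(bc, tokens + rate)
        sent = 0
        while queue and queue[0] <= tokens:
            size = queue.popleft()
            tokens -= size
            sent += size
        sent_per_tick.append(sent)
    return sent_per_tick, max_depth


if __name__ == "__main__":
    policed, dropped = police(BURST, rate=1500, bc=1500)
    shaped, depth = shape(BURST, rate=1500, bc=1500, ticks=20)
    print("policer:", policed, "dropped", dropped)   # saw-tooth, most of the burst is lost
    print("shaper :", shaped, "max queue", depth)    # smooth 1000 bytes per tick for 15 ticks
```

The policer forwards one packet per tick and discards twelve, so its output follows the burst pattern of the source. The shaper forwards every byte but needs room for thirteen queued packets at the peak, which is the memory cost the drag-and-drop answer refers to, and it can only do this on the outbound side because that is where a queue exists.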

Question 6

Two EIGRP routers have failed to establish a neighbor relationship. Drag and drop the configuration parameters from the left onto the categories on the right.

EIGRP_neighbor_relationship.jpg

 

Answer:

Configuration values may be different between devices:
+ hello timers
+ hold timers
+ router IDs

Configuration values must match between devices:
+ authentication password
+ autonomous system number
+ shutdown command status

Question 7

Drag and drop the steps in the process of establishing an OSPFv3 neighbor relationship from the left onto the correct sequence on the right.

OSPFv3_neighbor_relationship.jpg

 

Answer:

1: An interface on each router is enabled for OSPFv3
2: The routers send hello messages
3: The routers attempt to identify a common configuration
4: The routers calculate the SPF
5: The routers synchronize their databases
6: The network is converged

Explanation

An OSPFv3 router sends a special message, called a hello packet, out each OSPF-enabled interface to discover other OSPFv3 neighbor routers. Once a neighbor is discovered, the two routers compare information in the hello packet to determine whether they have compatible configurations. The neighbor routers then attempt to establish adjacency, which means that they synchronize their link-state databases to ensure that they have identical OSPFv3 routing information. Adjacent routers share link-state advertisements (LSAs) that include information about the operational state of each link, the cost of the link, and any other neighbor information. The routers then flood these received LSAs out every OSPF-enabled interface so that all OSPFv3 routers eventually have identical link-state databases. When all OSPFv3 routers have identical link-state databases, the network is converged.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_ospfv3.pdf

Question 8

Drag and drop the EIGRP K values from the left onto the correct metric components on the right.

EIGRP_K_values.jpg

 

Answer:

K1 – bandwidth
K2 – load
K3 – delay
K4 – Reliability
K5 – MTU
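The K values above are the weights of the EIGRP composite metric. The following is an added example, not Cisco code, that implements the classic 32-bit EIGRP metric with IOS's integer arithmetic; the bandwidth and delay values in the demo are the IOS defaults for a T1 serial interface and a FastEthernet interface, and the routine for combining links assumes the usual EIGRP rule of taking the minimum bandwidth and the sum of the delays along the path.

```python
"""EIGRP composite metric from the K values.

Added example (not Cisco code); it implements the classic EIGRP metric
formula with IOS-style integer truncation. Interface bandwidth/delay values
in the demo are the IOS defaults for a T1 serial link and a FastEthernet link.
"""

DEFAULT_K = (1, 0, 1, 0, 0)      # only K1 (bandwidth) and K3 (delay) are set by default


def eigrp_metric(min_bandwidth_kbps, total_delay_usec, load=1, reliability=255, k=DEFAULT_K):
    """Classic EIGRP metric.

    min_bandwidth_kbps: lowest bandwidth along the path (the bottleneck link)
    total_delay_usec:   sum of the interface delays along the path
    load:               1..255 (255 = saturated), only used when K2 != 0
    reliability:        1..255 (255 = fully reliable), only used when K5 != 0
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bandwidth_kbps     # scaled bandwidth, truncated like IOS
    delay = total_delay_usec // 10            # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                               # the reliability term is skipped when K5 == 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def path_metric(links, **kwargs):
    """Metric for a path given per-link (bandwidth_kbps, delay_usec) tuples:
    EIGRP uses the minimum bandwidth and the sum of the delays."""
    return eigrp_metric(min(bw for bw, _ in links),
                        sum(d for _, d in links), **kwargs)


if __name__ == "__main__":
    T1 = (1544, 20000)               # IOS defaults for a serial interface
    FAST_ETHERNET = (100000, 100)    # IOS defaults for FastEthernet
    print(eigrp_metric(*T1))                  # 2169856
    print(eigrp_metric(*FAST_ETHERNET))       # 28160
    print(path_metric([FAST_ETHERNET, T1]))   # 2172416
```

K2, K4 and K5 are zero by default because load and reliability change constantly and would make the metric unstable. The K values are carried in hello packets and must match between neighbors, otherwise the adjacency is not formed (the same class of mismatch as the autonomous-system number in Question 6).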

Question 9

You recently configured your enterprise network to use resources in a public cloud. Drag and drop the steps in the end-user process to access the cloud resources from the left onto the correct sequence on the right. Not all steps are used.

Public_cloud_resources.jpg

 

Answer:

1: The end user requests access to cloud-based resources
2: The cloud provider initiates custom services
3: Virtualized services are customized
4: The end user access to the services is established

Question 10

Drag and drop the descriptions of EtherChannel protocols from the left onto the correct protocols on the right.

LACP_PAgP.jpg

 

Answer:

LACP:
+ vendor-neutral protocol
+ one end of the Etherchannel can reside on two different switches
+ uses ports operating in active and passive modes

PAgP:
+ Cisco-proprietary protocol
+ uses the multicast address 01-00-0C-CC-CC-CC
+ uses ports operating in desirable and auto modes

Question 11

You are troubleshooting a variety of Layer 3 connectivity issues on your network. Drag and drop the issues from the left onto the location where you will start troubleshooting the issue on the right.

Layer_3_Connectivity_issues.jpg

Answer:

ARP Table:
+ missing ARP entry

Interface:
+ misconfigured IP address
+ misconfigured subnet mask

Routing Table:
+ misconfigured gateway
+ missing route

Question 12

Drag and drop the BGP peering states from the left onto the correct statements on the right.

BGP_peering_states.jpg

Answer:

+ Routing between the two devices begins: established
+ The local device receives a reply acknowledging BGP parameters from the remote device: open confirm
+ The local device searches for a route to the remote device: idle
+ The local device sends BGP parameters to the remote device: active
+ The two devices perform a TCP handshake: connect

Explanation

Below is the list of BGP states in order, from startup to peering:

1 – Idle: the initial state of a BGP connection. In this state, the BGP speaker is waiting for a BGP start event, generally either the establishment of a TCP connection or the re-establishment of a previous connection. Once the connection is established, BGP moves to the next state.
2 – Connect: In this state, BGP is waiting for the TCP connection to be formed. If the TCP connection completes, BGP will move to the OpenSent stage; if the connection cannot complete, BGP goes to Active
3 – Active: In the Active state, the BGP speaker is attempting to initiate a TCP session with the BGP speaker it wants to peer with. If this can be done, the BGP state goes to OpenSent state.
4 – OpenSent: the BGP speaker is waiting to receive an OPEN message from the remote BGP speaker
5 – OpenConfirm: Once the BGP speaker receives the OPEN message and no error is detected, the BGP speaker sends a KEEPALIVE message to the remote BGP speaker
6 – Established: All of the neighbor negotiations are complete and the peers exchange UPDATE messages. In show ip bgp summary this state is not shown by name: the State/PfxRcd column shows a number instead, which is the number of prefixes received from that neighbor (or peer group).

Question 13

Drag and drop the components of an inter-switch connection from the left onto the correct descriptions in the right.

Interswitch_connection.jpg

 

Answer:

+ Cisco-proprietary trunking protocol: ISL
+ link that can be traversed by multiple VLANs: trunk
+ vendor-neutral trunking protocol: 802.1Q
+ default VLAN on a switch: native VLAN
+ VLAN identification information associated with a packet: tag

Question 14

Drag and drop the STP features from the left onto the correct descriptions on the right.

STP_features.jpg

 

Answer:

+ data message that STP uses to prevent loops: BPDU
+ disables the sending and receiving of BPDUs: BPDU filter
+ enables a port to immediately transition to the forwarding state: PortFast
+ prevents a port from entering the blocking state: Root guard
+ prevents a port from receiving BPDUs: BPDU guard

Explanation

If a BPDU is received on a port where BPDU guard is configured, that port is put into errdisable state (nearly the same as shutdown state) immediately.

Root Guard ensures that the port on which root guard is enabled is the designated port. If the bridge receives superior BPDUs on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state (which is equal to STP listening state). No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

When BPDU filtering is enabled on a specific port, it prevents this port from sending or receiving BPDUs (so if BPDUs are seen, they will be dropped)

Question 15

Drag and drop the cloud-based resources from the left onto the correct definitions on the right.

cloud_based_resources.jpg

 

Answer:

cloud-based application: SaaS
cloud-based development platform: PaaS
cloud-based virtual machine: IaaS
suite of tools for developing and testing code: IDE

Explanation

Below are the three service models that cloud providers offer to customers:

+ SaaS (Software as a Service): uses the web to deliver applications that are managed by a third-party vendor and accessed from the client side. Most SaaS applications run directly in a web browser without any download or installation, although some require plugins.
+ PaaS (Platform as a Service): provides a framework on which developers build, test, deploy and customize applications quickly and cost-effectively. The provider (or the enterprise's own operations team) manages the operating systems, virtualization, servers, storage, networking and the PaaS software itself; developers manage only the applications.
+ IaaS (Infrastructure as a Service): self-service models for accessing, monitoring and managing remote data center infrastructure such as compute (virtualized or bare metal), storage, networking and network services (e.g. firewalls). Instead of purchasing hardware outright, users pay for IaaS based on consumption, similar to electricity or other utility billing.

Reference: https://apprenda.com/library/paas/iaas-paas-saas-explained-compared/

Cloud_Computing_SaaS_PaaS_IaaS.jpg

Question 16

Drag and drop the features of an Ethernet interface from the left onto the correct statements on the right.

Ethernet_interface_features.jpg

 

Answer:

ID that determines which traffic on the port is dropped: access VLAN
carries traffic for multiple VLANs at one time: trunk port
carries untagged traffic: native VLAN
configures the port to serve only one VLAN: access mode
provides virtual separation of broadcast domains: VLAN

Question 17

Drag and drop the descriptions of AAA device-security protocols from the left onto the correct protocols on the right.

RADIUS_TACACS.jpg

 

Answer:

RADIUS:
+ performs authentication and authorization together
+ serves as the transport protocol for EAP

TACACS+:
+ operates on TCP port 49
+ separates AAA functions to allow real-time authorization

Explanation

The comparison of the two protocols is listed below:

                  RADIUS                                    TACACS+
Transport/ports   UDP 1812 or 1645 (authentication),        TCP port 49
                  1813 or 1646 (accounting)
Encryption        only the password is hidden               entire payload of each packet (only the
                                                            TACACS+ header is in cleartext)
Standard          open standard (RFC 2865)                  Cisco proprietary (RFC 1492 describes the
                                                            older TACACS protocol; TACACS+ itself was
                                                            later published as RFC 8907)
Operation         authentication and authorization          authentication, authorization and
                  combined in one function                  accounting are separated
Logging           no command logging                        full command logging (commands typed by
                                                            users can be recorded on the server)

Note: EAP (RFC 3748) is carried over RADIUS in the EAP-Message attribute (RFC 3579), which is why "serves as the transport protocol for EAP" belongs to RADIUS. TACACS+ has no standard EAP transport; it is used for device administration rather than for 802.1X.
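The encryption row of the comparison is easiest to understand by looking at the two mechanisms themselves. The code below is an added example, not Cisco or vendor code: the RADIUS routine follows the User-Password hiding of RFC 2865 section 5.2 and the TACACS+ routine the body obfuscation of RFC 8907 section 4.5. The shared secrets, the Request Authenticator, the session id and the sample packet body are constructed values.

```python
"""What "RADIUS hides only the password" and "TACACS+ obfuscates the whole
body" look like on the wire.

Added example, not Cisco or vendor code. RADIUS: RFC 2865 section 5.2
(User-Password hiding). TACACS+: RFC 8907 section 4.5 (body obfuscation).
Shared secrets, the Request Authenticator, the session id and the sample
body are constructed values.
"""
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = the 16-byte Request Authenticator. Returns the hidden attribute value."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    blocks = (len(password) + 15) // 16
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_stream))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes,
                                secret: bytes, authenticator: bytes) -> bytes:
    """User-Name (type 1) travels in cleartext; only User-Password (type 2) is hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username +
            bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907: XOR the body with MD5_1 | MD5_2 | ... where
    MD5_1 = MD5(session_id | key | version | seq_no) and
    MD5_n = MD5(session_id | key | version | seq_no | MD5_(n-1)).
    XOR is its own inverse, so the same call de-obfuscates."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int,
                  version: int = 0xC0, packet_type: int = 0x01, flags: int = 0x00) -> bytes:
    """12-byte TACACS+ header (always cleartext) followed by the obfuscated body.
    version 0xC0 = major 12, minor 0; packet_type 1 = authentication."""
    header = struct.pack("!BBBBII", version, packet_type, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(body, key, session_id, version, seq_no)


if __name__ == "__main__":
    authenticator = bytes(range(16))            # constructed; a real one is random per request
    attrs = radius_access_request_attrs(b"CISCO", b"Str0ng50690847!", b"RADIUSserver", authenticator)
    print("RADIUS attrs:", attrs.hex())         # the username is readable, the password is not
    body = b"\x01\x00\x02\x01\x05\x00\x00\x00CISCO"   # constructed authentication START body
    pkt = tacacs_packet(body, b"TACACSserver", 0x12345678, 1)
    print("TACACS+ pkt :", pkt.hex())           # the header is readable, the body is not
```

In the RADIUS output the User-Name attribute, and every other attribute, is readable by anyone on the path; only the 16-byte multiples of the User-Password value are masked. In the TACACS+ output only the 12-byte header is readable. Neither scheme is authenticated encryption and both depend entirely on the strength of the shared secret (a captured RADIUS request with its Request Authenticator is enough for an offline guess at the secret), which is why both protocols belong on a management network or inside IPsec.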

Question 18

Which two steps must occur before two routers can become BGP peers? (Choose two)

A. The routers must establish a TCP connection to one another
B. The routers must exchange BGP version information
C. The routers must receive multicast hello packets from one another
D. The routers must receive more than one BGP routing update from one another
E. Each router must reset its BGP timers to their default settings

 

Answer: A B

Explanation

In order to become BGP peers, the two routers must establish a TCP connection (via a three-way TCP handshake) in the “Connect” state.

In the OpenSent state, an Open message has been sent from the originating router and is awaiting an Open message from the other router. After the originating router receives the OPEN message from the other router, both OPEN messages are checked for errors. The following items are being compared:
+ BGP Versions must match.
+ The source IP address of the OPEN message must match the IP address that is configured for the neighbor.
+ The AS number in the OPEN message must match what is configured for the neighbor.
+ BGP Identifiers (RID) must be unique. If a RID does not exist, this condition is not met.
+ Security Parameters (Password, TTL, and the like).

Reference: http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4

Question 19

Which two actions must you take to configure a static EtherChannel between two switches, S1 and S2? (Choose two)

A. Configure the channel-group 1 mode auto command on S2
B. Configure the channel-group 1 mode active command on S2
C. Configure the channel-group 1 mode on command on S1
D. Configure the channel-group 1 mode active command on S1
E. Configure the channel-group 1 mode on command on S2
F. Configure the channel-group 1 mode auto command on S1

 

Answer: C E

Explanation

A static EtherChannel uses no negotiation protocol (neither LACP nor PAgP), so the only valid configuration is channel-group 1 mode on at both ends. Mixing mode on with active, passive, desirable or auto on the other side does not bring the bundle up, because the on side never sends or answers negotiation packets.

Question 20

Which QoS prioritization method is most appropriate for interactive voice and video?

A. policing
B. low-latency queuing
C. round-robin scheduling
D. expedited forwarding

 

Answer: D

Explanation

There are three standard service classes defined for DiffServ: the default Best-Effort (BE), Expedited Forwarding (EF) and Assured Forwarding (AF).
EF minimizes delay, jitter and loss, hence making it suitable for real-time services e.g. interactive voice, video etc.

Reference: Next Generation Mobile Networks and Ubiquitous Computing Book

Note: Interactive Video has the same service level requirements as VoIP because a voice call is embedded within the video stream.

Question 21

Which port type is used in a stacked deployment?

A. StackWise ports
B. uplinks
C. Ethernet ports
D. console ports

 

Answer: A

Explanation

A stack port is a port on the switch that is used to communicate with other switches in the stack. Depending on the model, a switch can have either preconfigured or user-defined stack ports.

Reference: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-350x-series-stackable-managed-switches/smb5252-what-is-stacking.html

Question 22

What is the effect of the switchport access vlan 300 command?

A. It configures the interface to perform Layer 2 switching
B. It displays the VLAN configuration of the interface
C. It configures the interface as an access port
D. It assigns the interface to a VLAN

 

Answer: D

Explanation

The example below configures a switch port as an access port and assigns it to VLAN 300:

Switch(config)#interface fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 300
Switch(config-if)#no shutdown

Question 23

Which two statements about access ports are true? (Choose two)

A. VLANs must be in the VLAN database before they can be assigned to an access port
B. They are configured with 802.1Q encapsulation
C. A device must have at least one access port configured for each trunk port
D. They are assigned to VLAN 1 by default
E. They record all MAC addresses they receive

 

Answer: A D

Explanation

Answer A is the expected answer, but in practice you can assign an access port to a VLAN that does not yet exist: the switch creates the VLAN in the VLAN database automatically and then assigns the port to it.

By default all access ports belong to VLAN 1. If we want to assign a new VLAN, we have to use the command “switchport access vlan <vlan-id>” under interface mode.

Question 24

Which programming language do you use to script interactions between Cisco devices and network controllers such as APIC-EM?

A. POSIX
B. Python
C. Java
D. C++

 

Answer: B

Question 25

Which two functions are performed by DHCP snooping? (Choose two)

A. It determines which DHCP messages are valid
B. It hands out DHCP IP addresses to clients requesting access to the network
C. It rate-limits certain traffic
D. It listens to multicast traffic to support packet forwarding
E. It propagates VLAN information between switches
F. It provides DDoS mitigation

 

Answer: A C

Explanation

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

+ Validates DHCP messages received from untrusted sources and filters out invalid messages.
+ Rate-limits DHCP traffic from trusted and untrusted sources.
+ Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
+ Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html
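The four activities listed above can be expressed as a small packet filter that sits between untrusted access ports and the trusted server-facing port. The following is an added example (not Cisco code): port names, MAC addresses, IP addresses and the rate limit are constructed values, and the lease timers and error-recovery behaviour of a real switch are simplified. It shows a legitimate four-message exchange building a binding, followed by the three attacks the feature is meant to stop: a rogue server on an access port, a spoofed release for somebody else's lease, and a starvation attempt with a forged client hardware address.

```python
"""The DHCP snooping checks modelled as a small packet filter.

Added example (not Cisco code): port names, MACs, addresses and the rate
limit are constructed values; lease and error-recovery handling of a real
switch is simplified.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}      # only trusted ports may send these


@dataclass
class Dhcp:
    """The fields of a DHCP packet the snooper looks at."""
    port: str
    src_mac: str       # Ethernet source address
    chaddr: str        # client hardware address inside the DHCP payload
    msg: str           # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    yiaddr: str = "0.0.0.0"
    vlan: int = 10


@dataclass
class Snooper:
    trusted: set                        # ports facing the DHCP server or uplinks
    rate_limit: int = 15                # DHCP packets per second per port (assumed value)
    bindings: dict = field(default_factory=dict)      # chaddr -> (ip, vlan, client port)
    errdisabled: set = field(default_factory=set)
    _client_port: dict = field(default_factory=dict)  # chaddr -> port its requests came from
    _counts: dict = field(default_factory=lambda: defaultdict(int))

    def process(self, p: Dhcp, second: int) -> str:
        """Return 'forward' or 'drop: <reason>', updating state as a switch would."""
        if p.port in self.errdisabled:
            return "drop: port is err-disabled"
        # Rate limiting applies to every port it is configured on, trusted or not.
        self._counts[(p.port, second)] += 1
        if self._counts[(p.port, second)] > self.rate_limit:
            self.errdisabled.add(p.port)
            return "drop: rate limit exceeded, port err-disabled"
        if p.port in self.trusted:
            if p.msg == "ACK":            # lease granted: record the binding
                self.bindings[p.chaddr] = (p.yiaddr, p.vlan, self._client_port.get(p.chaddr))
            return "forward"
        # Untrusted port: validate the message before forwarding it.
        if p.msg in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if p.src_mac != p.chaddr:         # MAC address verification (on by default)
            return "drop: source MAC does not match chaddr"
        if p.msg in ("RELEASE", "DECLINE"):
            binding = self.bindings.get(p.chaddr)
            if binding is None or binding[2] != p.port:
                return "drop: release/decline does not match binding"
            del self.bindings[p.chaddr]
        elif p.msg in ("DISCOVER", "REQUEST"):
            self._client_port[p.chaddr] = p.port
        return "forward"


if __name__ == "__main__":
    s = Snooper(trusted={"Gi1/0/24"}, rate_limit=3)
    flow = [
        (Dhcp("Gi1/0/1", "aa:01", "aa:01", "DISCOVER"), 0),
        (Dhcp("Gi1/0/24", "00:ff", "aa:01", "OFFER", "10.0.0.5"), 0),
        (Dhcp("Gi1/0/1", "aa:01", "aa:01", "REQUEST"), 0),
        (Dhcp("Gi1/0/24", "00:ff", "aa:01", "ACK", "10.0.0.5"), 0),
        (Dhcp("Gi1/0/2", "bb:02", "aa:01", "OFFER", "10.0.0.66"), 1),   # rogue server
        (Dhcp("Gi1/0/2", "aa:01", "aa:01", "RELEASE"), 1),               # spoofed release
        (Dhcp("Gi1/0/2", "bb:02", "cc:03", "DISCOVER"), 1),              # forged chaddr
    ]
    for pkt, t in flow:
        print(f"{pkt.port:9} {pkt.msg:8} -> {s.process(pkt, t)}")
    print("bindings:", s.bindings)
```

The binding database built here is the same table that Dynamic ARP Inspection and IP Source Guard consult afterwards, which is why those features require DHCP snooping to be enabled first.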

Question 26

For which two reasons do you implement a PAgP EtherChannel? (Choose two)

A. to dynamically assign VLANs to a trunk port
B. to increase bandwidth
C. to provide redundancy
D. to exchange VLAN information
E. to dynamically determine whether a port is an access port or trunk port

 

Answer: B C

Question 27

Which three components must you configure to establish a GRE tunnel? (Choose three)

A. BGP autonomous system number
B. authentication mode
C. tunnel destination IP address
D. IGP type at each site
E. tunnel source IP address
F. logical tunnel interface

 

Answer: C E F

Explanation

The below example shows how to configure a GRE tunnel at one end:

R1
interface tunnel0
ip address 12.12.12.1 255.255.255.252
tunnel mode gre ip //this command can be ignored
tunnel source 192.168.13.1
tunnel destination 192.168.23.2

Question 28

Which two statements about CHAP authentication are true? (Choose two)

A. The called router sends a challenge packet to the calling router
B. It is by definition a one-way authentication method
C. PPP authentication is performed after the CHAP process is complete
D. CHAP authentication can only be used in one direction
E. By default, the calling router authenticates the called router
F. It is by definition a two-way authentication method

 

Answer: A B

Explanation

CHAP is defined as a one-way authentication method; running it in both directions gives two-way authentication, with a separate three-way handshake initiated by each side.

In the Cisco CHAP implementation, by default, the called party must authenticate the calling party (unless authentication is completely turned off) (-> answer B is correct while answer F is not correct). Therefore a one-way authentication initiated by the called party is the minimum possible authentication. However, the calling party can also verify the identity of the called party, which results in two-way authentication (-> answer D is not correct).

Reference: https://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html#oneway

With CHAP the exchange begins with random text (the challenge) sent by the authenticator, which asks the client to authenticate. The client computes a one-way MD5 hash over the identifier, its password and the received challenge and sends the result back. Someone who captures the messages between client and server therefore sees the challenge and the hash, but never the password itself. The server performs the same computation with its own copy of the password; if the two results match, the passwords must match too.
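The three-way handshake, and why running it in both directions gives two-way authentication, can be followed in code. This is an added example and not Cisco code: the hash is the one defined in RFC 1994 (Response = MD5(Identifier | secret | Challenge)), the router names and shared password are constructed values, and, as on IOS, each router stores the other router's hostname as the username with the same password on both sides.

```python
"""CHAP challenge/response, run one-way and two-way.

Added example (not Cisco code). Hashing follows RFC 1994:
Response = MD5(Identifier | secret | Challenge). Router names and the shared
password are constructed values. As on IOS, each router stores the *other*
router's hostname as the username, with the same password on both sides.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The one-way hash the peer returns; the secret itself never leaves the router."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Router:
    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname
        self.usernames = usernames          # "username <peer> password <secret>" entries
        self._pending = {}                  # identifier -> challenge we sent and still await
        self._next_id = 0

    def challenge(self):
        """Step 1 (called party): Identifier, random Challenge and our own name."""
        identifier = self._next_id % 256
        self._next_id += 1
        chal = os.urandom(16)
        self._pending[identifier] = chal
        return identifier, chal, self.hostname

    def respond(self, identifier: int, chal: bytes, challenger: str):
        """Step 2 (calling party): look up the secret for the challenger's name and hash."""
        secret = self.usernames.get(challenger, b"")
        return identifier, chap_response(identifier, secret, chal), self.hostname

    def verify(self, identifier: int, value: bytes, peer: str) -> bool:
        """Step 3 (called party): recompute with the local copy of the secret and compare.
        Each challenge is accepted once, so a captured response cannot be replayed."""
        chal = self._pending.pop(identifier, None)
        secret = self.usernames.get(peer)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(value, chap_response(identifier, secret, chal))


def authenticate(called: Router, calling: Router) -> bool:
    """One-way CHAP: the called router authenticates the calling router (the IOS default)."""
    identifier, chal, name = called.challenge()
    identifier, value, peer = calling.respond(identifier, chal, name)
    return called.verify(identifier, value, peer)


def authenticate_two_way(r1: Router, r2: Router) -> bool:
    """Two-way CHAP: a separate three-way handshake in each direction."""
    return authenticate(r1, r2) and authenticate(r2, r1)


if __name__ == "__main__":
    r1 = Router("R1", {"R2": b"s3cret"})     # R1: username R2 password s3cret
    r2 = Router("R2", {"R1": b"s3cret"})     # R2: username R1 password s3cret
    print("one-way:", authenticate(r1, r2))                               # True
    print("two-way:", authenticate_two_way(r1, r2))                       # True
    print("bad pw :", authenticate(r1, Router("R2", {"R1": b"wrong"})))   # False
```

The responder never transmits the password, and because the authenticator discards a challenge after one use, a captured response is worthless against the next challenge. What the hash does not protect against is an offline dictionary attack on the captured challenge/response pair, which is why the shared secret still has to be strong.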

Question 29

Which type of routing protocol uses the Bellman-Ford algorithm?

A. path-vector
B. link-state
C. distance-vector
D. hybrid routing

 

Answer: C

Explanation

Distance Vector routing protocols use the Bellman-Ford algorithm for exchanging routing information.

Question 30

Which technology supports fast provisioning for cloud resources?

A. static routing
B. IPS
C. DHCP
D. HSRP

 

Answer: C

Question 31

Which two statements about the PPPoE client physical interface configuration are true? (Choose two)

A. It must be physically connected to an ATM switch
B. It must be linked to a dialer interface
C. It must be in shutdown mode while the PPPoE configuration is enabled
D. It must be configured without an IP address
E. It must be configured as a trunk port

 

Answer: B D

Explanation

The picture below shows all of the configuration needed for PPPoE. Notice that the PPPoE client physical interface Ethernet0/1 has no IP address and is tied to dialer pool 1 with the pppoe-client dial-pool-number 1 command; the dialer interface, which carries the IP address, joins the same pool with the dialer pool 1 command.

PPPoE_Topology_with_config.jpg

Question 32

Which result occurs when you configure the standby preempt command on an HSRP router that has the same priority as the active router and a higher IP
address?

A. The router becomes the active router only when the current active router fails
B. The router fails to become the active router under any circumstances
C. The router immediately becomes the active router because it has the highest configured IP address
D. The router becomes the active router only when another router triggers renegotiation of the active router

 

Answer: A

Explanation

In earlier IOS versions, a standby router with the same priority and a higher IP address than the active HSRP router immediately became the active router. In newer IOS versions the standby router becomes active only when the current active router fails: preemption is decided by priority alone, and the IP address is used only as a tie-breaker during the initial election.

Reference: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdv91652

An older Cisco document also states: "A standby router with equal priority but a higher IP address will not preempt the active router".

Question 33

Which two values can HSRP use to determine the device with the highest priority? (Choose two)

A. highest configured IP address
B. lowest root bridge ID
C. lowest port ID
D. highest configured priority value
E. highest interface MAC address

 

Answer: A D

Question 34

Which two features are compatible with SPAN sessions? (Choose two)

A. using private VLANs to identify SPAN destination ports
B. source ports configured as routed ports
C. port security
D. using active port channels as source ports
E. destination ports configured as trunk ports

 

Answer: D E

Question 35

Which two characteristics of eBGP peers are true? (Choose two)

A. They must be directly connected
B. They must reside in different IP subnets
C. They must reside in the same autonomous system
D. They must reside in the same IP subnet
E. They must reside in two different autonomous systems

 

Answer: A E

Explanation

eBGP (external BGP) peers must belong to two different autonomous systems, while iBGP (internal BGP) peers belong to the same AS.

Unlike iBGP, eBGP expects its peers to be directly connected: eBGP packets are sent with an IP TTL of 1 by default, so a session to a non-adjacent address fails. Peering between loopback interfaces is still possible, but only with the neighbor <ip> ebgp-multihop command (plus a route to the peer's loopback) configured on both routers.

Question 36

Which feature would prevent a workstation from receiving a DHCP address?

A. STP
B. 802.1Q
C. VTP
D. DTP

 

Answer: A

Explanation

When a host is connected to a switch port running 802.1D STP, the port spends about 30 seconds in the listening and learning states (15 seconds each) before it forwards traffic. During that time the host's DHCP Discover is not forwarded, so the client may give up before it receives an address. To move the port to the forwarding state immediately, configure spanning-tree portfast on it.

Question 37

What is the effect of the switchport voice vlan 20 command?

A. It assigns the interface to a voice VLAN
B. It displays the voice VLAN configuration of the interface
C. It configures priority tagging for voice traffic on VLAN 20
D. It configures the interface as an access port

Answer: A

Question 38

Refer to the output. Applying this configuration will result in which outcome?

username CISCO secret Str0ng50690847!

aaa authentication login default group tacacs+ group radius local-case 
aaa authorization exec login default group tacacs+ 
aaa authorization network login default group tacacs+ 
aaa accounting exec default start-stop group tacacs+ 
aaa accounting exec network start-stop group tacacs+ 

tacacs server Server1 
   address ipv4 192.168.10.1 
   key TACACSserver 

radius server Server2 
   address ipv4 192.168.20.1 
   key RADIUSserver

A. Command starting with aaa are rejected because the aaa new-model command is missing
B. The user is authenticated against the configured RADIUS server
C. The user is authenticated against the local database
D. When the enable secret password is entered the user will gain access to the device

 

Answer: A

Question 39

Which two protocols can support trunking? (Choose two)

A. LACP
B. 802.1Q
C. ISL
D. VTP
E. PAgP

 

Answer: B C

Explanation

Cisco switches support two trunking protocols 802.1q & ISL. 802.1q is an open standard and is thus compatible between most vendors’ equipment while Inter-Switch Link (ISL) is Cisco proprietary.

Question 40

Which two values can a standard IPv6 ACL use to identify traffic? (Choose two)

A. UDP header
B. TCP header
C. source IPv6 address
D. DSCP value for QoS
E. destination IPv6 address

 

Answer: C E

Explanation

IPv6 ACLs have no standard/extended distinction: the ipv6 access-list command always creates a named ACL in which every entry specifies both a source and a destination address (or any), so the closest equivalent of a standard ACL is one that only uses those two fields. An example is shown below:

ipv6 access-list Deny_Subnet
 deny ipv6 2001:DB8:0:12::/64 any
 permit ipv6 any any

Question 41

Which QoS feature can change the value of the IPv4 Type of Service and the IPv6 Traffic Class header fields?

A. shaping
B. marking
C. prioritization
D. policing

 

Answer: B

Explanation

The IPv6 Traffic Class header field is equivalent to the IPv4 Type of Service field.

Traffic marking allows you to mark (that is, set or change) a value (attribute) for the traffic belonging to a specific class. Attributes that can be set and modified include the DSCP value in the type of service (ToS) byte.

Note: Traffic policing is used to control the rate of traffic flowing across an interface. Traffic shaping retains excess packets in a queue and then schedules the excess for later transmission over increments of time.

Question 42

On which port type is the spanning-tree portfast command supported without additional configuration?

A. access ports
B. Layer 3 subinterfaces
C. Layer 3 main interfaces
D. trunk ports

 

Answer: A

Explanation

The “spanning-tree portfast” command has no effect on trunk ports (we have to use “spanning-tree portfast trunk” command instead). It is only effective on access ports. This command cannot be used on a Layer 3 interface.

Question 43

How does an IP SLA ICMP Echo operation measure response time?

A. It checks the timestamp on source and destination ICMP Time Exceeded messages
B. It checks the timestamp on ICMP Echo messages
C. It calculates the time that elapses from when the device sends an ICMP Echo request to when it receives an ICMP Echo reply
D. It checks the one-way delay of each ICMP Echo packet received

 

Answer: B

Explanation

In ICMP operations, the source IP SLA device sends several ICMP packets to the destination. The destination device, which is any IP device, echoes with replies. The source IP SLA device uses the sent and received time stamps to calculate the response time.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/xr12000/software/xr12k_r4-2/system_monitoring/configuration/guide/b_sysmon_cg42xr12k/b_sysmon_cg42xr12k_chapter_011.html

Question 44

Refer to the exhibit. All three PCs on the network are in different VLANs. If you want to permit PC A to communicate with PC C, but prevent communications from PC B to PC C, where on this network do you place a standard ACL?

access_list_place.jpg

A. on interface S0/0 on R2
B. on interface F0/0 on R1
C. on interface F0/0 on R2
D. on interface S0/0 on R1

 

Answer: A

Explanation

A standard Access Control List (ACL) filters traffic on the source IP address only. A standard ACL should therefore be placed on the router closest to the destination that is to be protected. If a standard ACL is placed near the source instead, it also blocks that source's legitimate traffic to every other destination, because the list has no way to match on the destination.

In this case, therefore, the ACL belongs on R2, the router nearest PC C. It should be applied inbound on S0/0 so that the packet is checked as it arrives, before R2 spends a routing lookup on traffic that will be dropped anyway.

A second reason not to use R1 is that PC A and PC B are in different VLANs, so Fa0/0 on R1 is most likely split into subinterfaces (router-on-a-stick). The ACL would then have to be applied to each subinterface separately, which is not efficient. Note that an ACL applied to the main interface does not filter the traffic of its subinterfaces.
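The following Python snippet is an added example (not part of the original question or of any Cisco tool) that models how the standard ACL in this scenario is evaluated: IOS wildcard-mask matching, first match wins, implicit deny at the end, and no visibility of the destination. The PC addresses are assumptions, since the exhibit image gives none; the ACL mirrors an `access-list 10 deny host <PC B> / permit any` applied inbound on R2 S0/0.

```python
import ipaddress

# Constructed addresses for the three PCs in the exhibit (assumptions; the image gives none).
PC_A = "10.1.10.5"   # VLAN 10 behind R1
PC_B = "10.1.20.5"   # VLAN 20 behind R1
PC_C = "10.2.30.5"   # behind R2


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def standard_acl_action(acl, src: str) -> str:
    """Evaluate an ordered standard ACL (list of (action, address, wildcard)) against a source
    address. First match wins; an unmatched source hits the implicit 'deny any' at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


# Equivalent of:
#   access-list 10 deny   host 10.1.20.5
#   access-list 10 permit any
#   interface Serial0/0
#    ip access-group 10 in
ACL_10 = [
    ("deny", PC_B, "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def filter_flows(acl, flows):
    """Apply the ACL to (src, dst) pairs. The destination is ignored because a standard ACL
    cannot see it. Returns {(src, dst): action}."""
    return {(src, dst): standard_acl_action(acl, src) for src, dst in flows}


if __name__ == "__main__":
    # Inbound on R2 S0/0 only traffic crossing the WAN link is evaluated, so the ACL does exactly
    # what the question asks: PC A reaches PC C, PC B does not.
    print(filter_flows(ACL_10, [(PC_A, PC_C), (PC_B, PC_C)]))
    # The same ACL near the source (inbound on R1's VLAN 20 subinterface) would also see PC B's
    # traffic to PC A and deny it, because the match is on source only.
    print(filter_flows(ACL_10, [(PC_B, PC_A), (PC_B, PC_C)]))
```

The second call shows the collateral damage the explanation warns about: placed near the source, the same two lines cut PC B off from PC A as well, not just from PC C.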

Question 45

When you configure a new switch interface, to which VLAN it is automatically assigned?

A. VLAN with the lowest ID
B. default VLAN
C. management VLAN
D. native VLAN

 

Answer: B

Explanation

If we configure an access port as follows:

Switch(config)#interface fa0/1
Switch(config-if)#switchport mode access

Then this interface, by default, will belong to VLAN 1 (the default VLAN). Of course we can assign another VLAN to this port via the “switchport access vlan {vlan-number}” command.

Question 46

Which two functions of the APIC-EM Path Trace ACL Analysis tool are true? (Choose two)

A. It can identify the path between two specified IP addresses
B. It can determine whether traffic along a specific path will be filtered
C. It can manage access lists in an SDN environment
D. It can create and modify access lists in a private cloud infrastructure
E. It applies the ACLs from a specified path to permit and deny incoming traffic

 

Answer: A B

Explanation

In the APIC-EM Path Trace ACL Analysis tool, we can identify the path between the source and destination IP addresses.

APIC-EM_Path_Trace_ACL_Analysis_tool.jpg

The APIC-EM Path Trace ACL Analysis tool also displays the ACLs in use along the path (it downloads the device configurations at a configurable interval and shows the matching ACLs when a path trace is run), which makes verifying ACLs much easier.

Path_trace_tool_APIC-EM.jpg

Question 47

Which two statements about the BGP network command are true? (Choose two)

A. It must be configured to enable BGP between neighbors
B. It references a connected interface
C. It must match the subnet and mask of a route in the routing table
D. It references the routing table
E. It can specify a different subnet mask than the mask configured on the interface

 

Answer: C D

Explanation

For example we have the following topology and config in R1:

BGP_Config.jpg

R1(config)#interface fastethernet0/0
R1(config-if)#ip address 11.0.0.1 255.255.255.0
R1(config-if)#no shutdown

With BGP, the “network” command must specify the exact prefix and mask that exist in the routing table, in this case “network 11.0.0.0 mask 255.255.255.0” (11.0.0.0/24). BGP is very strict about this: it only advertises a prefix that appears in the routing table with exactly that prefix length (here 11.0.0.0/24 is present as a connected route). If you enter “network 11.0.0.0 mask 255.255.0.0”, “network 11.0.0.0 mask 255.0.0.0” or “network 11.0.0.1 mask 255.255.255.255” instead, BGP advertises nothing, because none of those exact routes is in R1’s routing table.

Question 48

Which networking function occurs on the data plane?

A. forwarding remote client/server traffic
B. sending and receiving OSPF Hello packets
C. spanning-tree election
D. processing inbound SSH management traffic

 

Answer: A

Explanation

The control plane: The control plane is the brain of the router. It consists of the dynamic IP routing protocols (OSPF, IS-IS, BGP and so on), the RIB and routing updates, as well as other protocols such as PIM, IGMP, ICMP, ARP, BFD and LACP. In short, the control plane is responsible for maintaining sessions and exchanging protocol information with other routers and network devices.

The data plane: The data plane is the forwarding plane, which is responsible for switching packets through the router (process switching and CEF switching). Features that act on packets as they are forwarded, such as quality of service (QoS) and access control lists (ACLs), also belong to the data plane.

Question 49

What is the maximum bandwidth of a T1 point-to-point connection?

A. 1.544 Mbps
B. 2.048 Mbps
C. 34.368 Mbps
D. 43.7 Mbps

 

Answer: A

Question 50

According to Cisco best practices, which two tasks must you perform to support a voice VLAN? (Choose two)

A. Disable PortFast on the switch
B. Configure the voice VLAN on a private VLAN port
C. Modify the default QoS settings of the port
D. Enable the voice VLAN on the switch
E. Configure the voice VLAN on a normal-range VLAN

 

Answer: C D

Explanation

Before you enable the voice VLAN, Cisco recommends that you enable QoS on the switch by entering the mls qos global configuration command and set the port trust state with the mls qos trust cos interface configuration command. By default, QoS is disabled on the switch and all ports are untrusted, so these commands modify the default QoS settings of the port.

The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg/swvoip.pdf

Question 51

Which result occurs when you configure the switchport mode dynamic auto command on the switch ports at both ends of a trunk link?

A. The trunk forms immediately because both switch ports are configured for permanent trunking mode
B. Either switch port can initiate the trunk
C. Both switch ports actively form the trunk
D. The trunk fails to form because both switch ports fail to initiate trunking

Answer: D

Explanation

switchport mode dynamic auto makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. The default switchport mode for newer Cisco switch Ethernet interfaces is dynamic auto. Note that if two Cisco switches are left to the common default setting of auto, a trunk will never form.

Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=8

Note: In “dynamic auto” mode the interface is willing to become a trunk but does not initiate the negotiation. In “trunk” and “dynamic desirable” modes the interface actively tries to negotiate a trunk link.

Question 52

To which two categories of routing protocols does BGP belong? (Choose two)

A. link-state
B. distance-vector
C. path-vector
D. composite
E. exterior

 

Answer: C E

Explanation

BGP is an example of an Exterior Gateway Protocol (EGP) which exchanges routing information between different autonomous systems.

BGP is a path-vector protocol. A path-vector protocol does not rely on link bandwidth (like OSPF), hop count (like RIP) or a group of parameters (like EIGRP). It relies on the number of autonomous systems a path has to traverse. In other words, it chooses the path with the fewest autonomous systems (the shortest AS path) to reach the destination, provided that the path is loop-free.

Question 53

Drag and drop the HSRP feature from the left onto the correct descriptions on the right.

HSRP_features.jpg

 

Answer:

+ automatically reduces the priority of a device when a line protocol goes down: interface tracking
+ enables a router to populate its routing table before assuming the active role: preempt delay
+ enables an HSRP group to operate with a non-HSRP MAC address: use-bia
+ enables the router with the highest priority to assume the active role: preemption
+ increases the ability of the device to perform load sharing: multiple HSRP groups

Question 54

Which purpose of the network command in the BGP configuration of a router is true?

A. It advertises a valid network as local to the autonomous system of a router
B. It enables router advertisement in the BGP routing process on the router
C. It indicates whether a neighbor supports route refresh
D. It advertisers any route in BGP with no additional configuration

 

Answer: B

Question 55

Refer to the exhibit.

#show ip eigrp events
Ignored route, dup router: 2.2.2.2

Which problem is indicated by this error?

A. Two or more networks have been defined in the OSPF process
B. The same EIGRP process has already been defined on another router
C. Two or more devices on the network have the same router ID
D. Two or more interfaces have been assigned to the same network

 

Answer: C

Explanation

In Cisco IOS Software Release 12.0(2) and later, Cisco records the duplicate router IDs in the EIGRP events log, which you can view with the show ip eigrp events command.

Question 56

In which configuration can a PPPoE client operate normally?

A. on a dialer interface configured with multilink PPP
B. on a CPE with more than 10 other clients
C. on an Ethernet connection between two endpoints
D. on a dialer interface configured for QoS queuing

 

Answer: A

Explanation

The following is an example of configuring Multilink PPP over a dialer interface link:

Router(config)# interface dialer 1
Router(config-if)# ip address 10.10.100.1 255.255.255.0
Router(config-if)# encapsulation ppp
Router(config-if)# dialer pool 3
Router(config-if)# service-policy output policy1
Router(config-if)# service-policy input policy1
Router(config-if)# ppp authentication chap
Router(config-if)# ppp chap hostname ISPCorp
Router(config-if)# ppp chap password 7
Router(config-if)# ppp multilink
Router(config-if)# ppp multilink fragment delay 20
Router(config-if)# ppp multilink interleave

Reference: https://www.cisco.com/en/US/docs/ios-xml/ios/qos_latjit/configuration/15-2mt/qos-mlppp-dl.html

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html

The PPPoE client does not support the following:
+ More than ten clients per customer premises equipment (CPE)-> This means a CPE can support up to 10 clients so answer B is not correct.
+ Coexistence of the PPPoE client and server on the same device
+ Quality of service (QoS) transmission with queueing on the dialer interface -> answer D is not correct

Answer C is oddly worded: PPPoE does not operate “on a connection”. The client runs on a host, router or other device and uses the Ethernet link to reach the access concentrator.

Question 57

Which two outcomes are effects of configuring the snmp-server host 10.1.1.1 traps version 3 auth md5 cisco command on router R1? (Choose two)

A. It configures R1 to accept SNMP traffic from the device at 10.1.1.1
B. It configures R1 to send SNMP traps to the device at 10.1.1.1
C. It sets the username cisco on the device at 10.1.1.1
D. It sets the R1 password to cisco
E. It configures R1 to send SNMP informs to the device at 10.1.1.1

 

Answer: B D

Explanation

In fact, the command as written is rejected; we tested it on IOSv 15.4:

snmp-server_host.jpg

The correct command should be “snmp-server host 10.1.1.1 traps version 3 auth cisco”.

The syntax of above command is shown below:

snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [udpport port]

This command specifies the recipient of an SNMP trap operation.

+ For host-addr, specify the name or Internet address of the host (the targeted recipient).
+ (Optional) Enter informs to send SNMP informs to the host.
+ (Optional) Enter traps (the default) to send SNMP traps to the host.
+ (Optional) Specify the SNMP version (1, 2c, or 3). Default is version 1. SNMPv1 does not support informs.
+ (Optional) For Version 3, select authentication level auth, noauth, or priv.
Note: The priv keyword is available only when the cryptographic software image is installed.

+ For community-string, when version 1 or version 2c is specified, enter the password-like community string sent with the notification operation. When version 3 is specified, enter the SNMPv3 username.
+ (Optional) For port, specify the UDP port of the notification host. Default is port 162.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/ir910/software/release/1_1/configuration/guide/ir910scg/swsnmp.pdf

Therefore with the above command, “md5” is in fact the SNMPv3 username:

snmp-server_host_2.jpg

Question 58

Which value is considered first when a stack elects the stack master switch for all stack members powered on within the 20 sec time frame?

A. priority of each switch
B. software feature set of each switch
C. startup time of each switch
D. MAC address of each switch

 

Answer: A

Explanation

Master Election
The stack master is elected based on one of these factors in the order listed:
1. The switch that is currently the stack master.
2. The switch with the highest stack member priority value.
3. The switch that has the configuration file.
4. The switch with the highest uptime.
5. The switch with the lowest MAC address.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swstack.html

If the stack is electing a master for the first time (so no switch is already the master), the switch with the highest priority becomes the master.

Question 59

Drag and drop the DHCP snooping terms from the left onto the correct descriptions on the right.

DHCP_Snooping_terms.jpg

 

Answer:

+ DHCP server: network component that propagates IP addresses to hosts on the network
+ snooping binding database: list of hosts on the network that are unknown to the administrative domain
+ spurious DHCP server: unknown DHCP server within an administrative domain
+ trusted: internal device under the control of the network administrator
+ untrusted: default state of all interfaces

Question 60

Drag and drop the SDN components from the left onto the correct API types on the right.

SDN_Northbound_Southbound.jpg

 

Answer:

Northbound APIs:
+ Switch Manager
+ Topology Manager

Southbound APIs:
+ Physical interfaces
+ Switches

Question 61

Drag and drop the networking features or functions from the left onto the planes on which they operate on the right.

Control_Plane_Data_Plane.jpg

 

Answer:

Control Plane:
3. Routing state exchange
4. Establishes telnet session
5. Device access

Data Plane:
1. QoS
2. Filtering
6. Data Encapsulation

Explanation

The control plane and data plane definitions are the same as those given in the explanation of Question 48 above.

Reference: http://www.ciscopress.com/articles/article.asp?p=2272154&seqNum=3

Question 62

Drag and drop about QoS.

QoS.jpg

 

Answer:

+ CAR: policies traffic based on its bandwidth allocation
+ Best effort: service level that provides basic connectivity without differentiation
+ Soft QoS: service level that provides preferred handling
+ Hard QoS: service level that provides reserved network resources
+ PBR: uses route maps to match traffic criteria
+ NBAR: identification tool ideal for handling web applications

Note:

+ Committed Access Rate (CAR)
+ Network-based application recognition (NBAR)
+ Policy-based routing (PBR)
+ Soft QoS: Differentiated Services (DiffServ). Traffic is marked and receives preferred per-hop handling, but nothing is reserved, so the service depends on the available bandwidth
+ Hard QoS: Integrated Services (IntServ). Resources are reserved end to end for a flow, typically signalled with RSVP

Question 63

In an HSRP failover environment, which two tasks must you perform on the preferred active router so that it always assumes the active role when it comes up? (Choose two)

A. Configure the router with a higher priority than the other routers in the group
B. Configure the router with a higher MAC address than the other routers in the group
C. Configure preemption on the router
D. Configure the router with a higher IP address than the other routers in the group
E. Configure tracking on the router

 

Answer: A C

Explanation

If the HSRP router with the highest priority boots at the same time as the other routers in the group, it becomes the active router. If it is later rebooted without preemption configured, the router that took over keeps the active role when it comes back, so preemption must be configured for the preferred router to reclaim it.

Question 64

Which two services can the ICMP Echo IP SLA provide? (Choose two)

A. network performance monitoring
B. inventory maintenance
C. asset depreciation reporting
D. hardware information exchange between devices
E. network device availability reporting

 

Answer: A E

Explanation

The ICMP Echo operation measures end-to-end response time between a Cisco router and any devices using IP. Response time is computed by measuring the time taken between sending an ICMP Echo request message to the destination and receiving an ICMP Echo reply.

With IP SLAs, routers and switches perform periodic measurements, so an ICMP Echo IP SLA can be used both to monitor network performance and to report on network device availability.

 Using IP SLAs can provide these benefits:
+ Service-level agreement monitoring, measurement, and verification.
+ Network performance monitoring
 – Measures the jitter, latency, or packet loss in the network.
 – Provides continuous, reliable, and predictable measurements.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/44sg/configuration/guide/Wrapper-44SG/swipsla.html

Question 65

Which interior routing protocol reduces the size of route tables by advertising default routes for all destinations outside of the default area?

A. OSPF
B. BGP
C. EIGRP
D. RIP

 

Answer: A

Explanation

This question refers to the stub and totally stubby areas of OSPF.

In a stub area, the routers do not accept routes from external autonomous systems (type 5 LSAs). To reach those networks, the routers in the stub area use a default route injected into the area by the Area Border Router (ABR).

In a totally stubby area, only intra-area routes are kept; both external and inter-area routes are replaced by the default route from the ABR.

Note: EIGRP also supports stub routing, but it works differently. An EIGRP stub router does not advertise routes learned from other EIGRP neighbors to the hub router, and the hub no longer sends queries to the stub routers.

Question 66

Which state does a port with BPDU guard enabled enter when it receives a BPDU?

A. learning
B. err-disabled
C. forwarding
D. disabled

 

Answer: B

Explanation

BPDU Guard shuts down a PortFast-enabled (access) port as soon as it receives any BPDU, placing the port in the err-disabled state. The port stays down until an administrator re-enables it (or errdisable recovery is configured), which stops a rogue switch or a host sending BPDUs from taking part in the spanning tree.

Question 67

Which role is used by VLAN 1 by default?

A. to propagate VLAN information between switches
B. to pass management traffic
C. to initialize the STP protocol
D. to pass traffic designated for isolation from other traffic on the switch

 

Answer: B

Explanation

The default Ethernet VLAN is VLAN 1. It is a security best practice to configure all the ports on all switches to be associated with VLANs other than VLAN 1. All used ports are associated with VLANs distinct from VLAN 1.

Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=11

Control and management protocols such as CDP, VTP and DTP are carried on VLAN 1 by default, and management traffic should be kept separate from user data. In addition, VLAN 1 is also the default native VLAN, which is sent untagged on trunk links; that is what double-tagging VLAN hopping attacks rely on, so leaving user ports in VLAN 1 creates a security hole.

Question 68

Which two requirements must be met to allow two routers running EIGRP for IPv6 to become neighbors? (Choose two)

A. Both routers must be configured to use the MTU K value for metric calculations.
B. The peering interface on each router must be set to passive.
C. The EIGRP process must be in no shutdown mode on both routers.
D. The autonomous system numbers must match.
E. The routers must be operating on different subnets.

 

Answer: C D

Explanation

The following requirements must be met to allow EIGRPv4 and EIGRPv6 routers to establish a neighbor relationship:

Requirement                                                   EIGRPv4   EIGRPv6
Interface is in up/up state                                   Yes       Yes
Interface addresses are in the same subnet                    Yes       No
The same ASN is used on router eigrp / ipv6 router eigrp      Yes       Yes
Hello and hold timers have to match                           No        No
RIDs (router IDs) have to be unique                           No        No
K-values (used in the EIGRP metric formula) have to match     Yes       Yes
EIGRP authentication must pass (if configured)                Yes       Yes

Question 69

Which two tasks use OSPFv3 hello packets? (Choose two)

A. Beginning neighbor discovery
B. Requesting topology changes
C. Sharing link-state databases
D. Acknowledging message receipt
E. Performing DR election

 

Answer: A E

Explanation

Hello packets are OSPF packet type 1. They are multicast periodically (to FF02::5 in OSPFv3, 224.0.0.5 in OSPFv2) on all OSPF-enabled interfaces, and unicast on virtual links, to discover neighbors dynamically and maintain neighbor relationships. On broadcast and NBMA networks, Hello packets are also used to elect the DR and BDR.

Question 70

Which two statements about LACP are true? (Choose two)

A. A port in active mode initiates an EtherChannel peering
B. A port in passive mode can receive LACP requests
C. A port in on mode attempts to negotiate an EtherChannel peering
D. A port in auto mode accepts EtherChannel requests without making requests of its own
E. A port in desirable mode initiates an EtherChannel peering

 

Answer: A B

Explanation

In LACP there are only two modes which are “active” and “passive”. “On” belongs to static mode.

Question 71

Which two features are supported only in named access lists? (Choose two)

A. identifying QoS traffic for marking
B. filtering traffic on VTY lines
C. limiting debug output
D. noncontiguous port filtering
E. deleting entries

 

Answer: D E

Explanation

The Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports. For example:

Router(config)#ip access-list extended noncontiguousPorts
Router(config-ext-nacl)# permit tcp any eq telnet ftp any eq 23 45 34

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-data-acl-15-e-book/sec-named-acl-support-for-noncontiguous-ports.html

Only with named ACL, we can easily remove an individual entry. For example:

R1# show access-list

Standard IP access list nat_traffic
10 permit 10.1.0.0, wildcard bits 0.0.255.255
20 permit 10.2.0.0, wildcard bits 0.0.255.255
30 permit 10.3.0.0, wildcard bits 0.0.255.255

Then to remove the second statement (the line “20 permit 10.2.0.0, wildcard bits 0.0.255.255”) we just need to type “no 20”:

R1(config)#ip access-list standard nat_traffic
R1(config-std-nacl)#no 20

With a classic numbered ACL, by contrast, the whole list has to be removed and re-entered to take out or reorder a single entry.

Question 72

Which statement describes how the EIGRP feasible distance is calculated?

A. It is the best metric along a path that includes the metric to the neighbor advertising the path
B. It is a path with a reported distance less than the current best path
C. It is the sum of all K values in EIGRP process
D. It is the total metric advertised by the upstream neighbor

 

Answer: A

Explanation

Feasible distance (FD) is the cost from the neighbor to the destination (the advertised distance, AD, also called the reported distance) plus the cost of the link between the local router and that neighbor.

These terms can be confusing, so here is an example to make them clear.

EIGRP_metric.jpg

Suppose you are in NEVADA and want to go to IOWA. From NEVADA you need to specify the best path (smallest cost) to IOWA.

In this topology, suppose router A & B are exchanging their routing tables for the first time. Router B says “Hey, the best metric (cost) from me to IOWA is 50 and the metric from you to IOWA is 90” and advertises it to router A. Router A considers the first metric (50) as the Advertised distance. The second metric (90), which is from NEVADA to IOWA (through IDAHO), is called the Feasible distance.

All of these routes are placed in the topology table of router A:

Route Advertised distance Feasible distance
NEVADA -> IDAHO -> IOWA 50 90
NEVADA -> OKLAHOMA -> IOWA 70 130

Router A will select the route to IOWA via IDAHO as it has the lowest Feasible distance and put it into the routing table.
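The selection above, as an added example in Python (not part of the original explanation): it computes each path's FD from the AD the neighbor reports plus the local link cost, picks the successor, and then applies DUAL's feasibility condition (AD strictly lower than the successor's FD) to find loop-free backup paths. The ADs and FDs are the numbers from the text; the per-link costs from router A (40 and 60) and the extra neighbor UTAH are assumptions added to make the feasibility condition visible.

```python
# Router A's topology table for the destination IOWA. The advertised distances and the two
# feasible distances (90 and 130) are the numbers used in the explanation above; the per-link
# costs from A to each neighbor (40 and 60) are assumptions chosen so that AD + link = FD.
# UTAH is an additional constructed neighbor used to show a path that fails the feasibility
# condition.
TOPOLOGY = {
    "IDAHO":    {"ad": 50, "link": 40},
    "OKLAHOMA": {"ad": 70, "link": 60},
    "UTAH":     {"ad": 95, "link": 10},
}


def feasible_distance(entry):
    """FD = the neighbor's advertised (reported) distance + our cost to reach that neighbor."""
    return entry["ad"] + entry["link"]


def dual_select(topology):
    """Pick the successor (lowest FD) and the feasible successors: alternate next hops whose
    advertised distance is strictly lower than the successor's FD. That feasibility condition
    is what guarantees the backup path is loop-free without running a diffusing computation."""
    fds = {nbr: feasible_distance(e) for nbr, e in topology.items()}
    successor = min(fds, key=fds.get)
    best_fd = fds[successor]
    feasible_successors = [
        nbr for nbr, e in topology.items()
        if nbr != successor and e["ad"] < best_fd
    ]
    return successor, best_fd, feasible_successors


if __name__ == "__main__":
    succ, fd, backups = dual_select(TOPOLOGY)
    print(f"successor: {succ} (FD {fd}); feasible successors: {backups}")
```

Note that UTAH ends up with a lower FD (105) than OKLAHOMA (130) yet is not a feasible successor, because its AD of 95 is not below the successor's FD of 90; OKLAHOMA, with AD 70, is.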

Question 73

Which type of routing protocol relies on the shortest path tree?

A. path-vector
B. hybrid routing
C. link-state
D. distance-vector

 

Answer: C

Question 74

Which two marking methods are supported with the IPv4 header? (Choose two)

A. DSCP
B. IPP
C. EXP
D. CoS
E. TID

 

Answer: A B

Explanation

QoS Packet Marking refers to changing a field within a packet either at Layer 2 (802.1Q/pCoS, MPLS EXP) or Layer 3 (IP Precedence, DSCP and/or IP ECN).

At Layer 3, packet marking can be accomplished using the ToS byte in an IPv4 header. Two predominant types of marking mechanisms leverage the ToS byte: IP Precedence (IPP) and Differentiated Services Code Point (DSCP).
IP Precedence is the older approach and has largely been replaced by DSCP for marking IP packets. IP Precedence uses the 3 leftmost bits of the ToS byte; DSCP uses the leftmost 6 bits, so the IP Precedence value is simply the top 3 bits of the DSCP.

Reference: CCIE Collaboration Quick Reference

Note: The MPLS Experimental (EXP) bits are a Layer 2 marking for IP packets encapsulated in MPLS; an MPLS node cannot mark the DSCP in the IP header without first removing the MPLS encapsulation. This question asks only about the IPv4 header, i.e. Layer 3 marking.
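An added example (not from the original page) of the two Layer 3 markings in code: it packs and unpacks the ToS byte so the relationship between DSCP and IP Precedence is visible, and then rewrites the DSCP of a raw IPv4 header the way a `set ip dscp` policy action would, including fixing the header checksum. The 20-byte sample header is constructed for the example; the code points are the standard ones from RFC 2474, RFC 2597 and RFC 3246.

```python
def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the IPv4 ToS byte: 6 DSCP bits on the left, 2 ECN bits on the right."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4):
        raise ValueError("dscp must be 0..63, ecn 0..3")
    return (dscp << 2) | ecn


def dscp_from_tos(tos: int) -> int:
    return (tos >> 2) & 0x3F


def ipp_from_tos(tos: int) -> int:
    """IP Precedence is the top 3 bits of the same byte, so it is also the top 3 bits of the DSCP."""
    return (tos >> 5) & 0x07


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words with the checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    total = sum(int.from_bytes(hdr[i:i + 2], "big") for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_ipv4(header: bytes, dscp: int, keep_ecn: bool = True) -> bytes:
    """Rewrite the DSCP of an IPv4 header (what a 'set ip dscp' policy does) and fix the checksum.
    ECN bits are preserved by default: a marker must not clobber congestion signalling."""
    hdr = bytearray(header)
    ecn = hdr[1] & 0x03 if keep_ecn else 0
    hdr[1] = tos_from_dscp(dscp, ecn)
    hdr[10:12] = ipv4_checksum(hdr).to_bytes(2, "big")
    return bytes(hdr)


# Standard DSCP code points: Expedited Forwarding, Class Selector 5, Assured Forwarding 41, best effort
EF, CS5, AF41, BE = 46, 40, 34, 0

# Constructed 20-byte IPv4 header: 192.168.0.1 -> 192.168.0.199, UDP, ToS 0x00, checksum 0xb861
SAMPLE_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")

if __name__ == "__main__":
    marked = mark_ipv4(SAMPLE_HEADER, EF)
    print(f"ToS 0x{marked[1]:02x}: DSCP {dscp_from_tos(marked[1])}, IPP {ipp_from_tos(marked[1])}")
```

Because IPP is just the top three bits of the DSCP, an IPP-only device reads EF (46 = 101110) as precedence 5 and AF41 (34 = 100010) as precedence 4, which is why the two schemes interoperate.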

Question 75

Which two statements about VLAN port assignment are true? (Choose two)

A. By default, all ports are assigned to VLAN 2
B. Ports are assigned to a dynamic VLAN based on the device IP address
C. It can be performed statically or dynamically
D. Static port assignments are based on a preset configuration on a dedicated server.
E. A port in access mode can be assigned to only one VLAN

 

Answer: C E

Explanation

By default all ports are assigned to VLAN 1, which is the default VLAN.

Ports are assigned to a dynamic VLAN based on the MAC address of the attached device, not its IP address.

The administrator can statically assign a port to any VLAN; this does not depend on any server. Only dynamic VLAN assignment requires a dedicated server, the VLAN Membership Policy Server (VMPS).

A port in access mode can be assigned to only one VLAN.

This is also a good reference:

VLAN Port Assignments

+ VLANs are assigned to individual switch ports.
+ Ports can be statically assigned to a single VLAN or dynamically assigned to a single VLAN.
+ All ports are assigned to VLAN 1 by default
+ Ports are active only if they are assigned to VLANs that exist on the switch.
+ Static port assignments are performed by the administrator and do not change unless modified by the administrator, whether the VLAN exists on the switch or not.
+ Dynamic VLANs are assigned to a port based on the MAC address of the device plugged into a port.
+ Dynamic VLAN configuration requires a VLAN Membership Policy Server (VMPS) client, server, and database to operate properly.

Reference: http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=2

Question 76

Which two statements identify differences between single-homed and dual-homed WAN topologies? (Choose two)

A. Dual-homed topologies provide greater redundancy than single-homed topologies
B. Only dual-homed connections require dynamic routing to the ISP
C. Single-homed topologies are more costly to an enterprise than dual-homed topologies
D. Only dual-homed connections are connected to the same ISP
E. Single-homed topologies are more appropriate for small-business networks than dual-homed topologies

 

Answer: A E

Explanation

Single-homed: single connection to only one ISP

Single_Homed.jpg

In a dual-homed setup the company router is still connected to the outside world through a single ISP, but over two links (or via two routers). When one of the two connections fails, traffic continues to flow over the other, so the design tolerates the loss of a single network link.

Dual_Homed.jpg

Question 77

Which two characteristics of extended access lists are true? (Choose two)

A. They can compare source traffic only against a permit or deny statement
B. They must be identified with a number between 100 and 199 or 2000 and 2699
C. They can be identified only with a number between 100 and 199
D. They can be configured to filter only UDP or TCP traffic
E. They can compare source and destination traffic against a permit or deny statement

 

Answer: B E

Question 78

When you configure VTP on a switch, which VTP mode is enabled by default?

A. transparent
B. server
C. off
D. client

 

Answer: B

Question 79

Which WAN technology is secure and encrypted by default?

A. VPN
B. VSAT
C. DSL
D. MPLS

 

Answer: A

Question 80

You attempt to execute the APIC-EM ACL path trace feature without specifying the protocol. How does the ACL path trace respond?

A. It runs normally and reports all possible ACE matches for the protocol field.
B. It runs normally and reports that traffic for all possible protocol matches is denied.
C. It fails to execute the path trace.
D. It runs normally and flags all possible ACE entries as invalid.

 

Answer: A

Explanation

The following rules effect the ACL path trace results:
+ Only matching access control entry (ACE) are reported.
+ If you leave out the protocol, source port, or destination port when defining a path trace, the results include ACE matches for all possible values for these fields.
+ If no matching ACEs exists in the ACL, the flow is reported to be implicitly denied.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-4-x/path_trace/user-guide/b_Cisco_Path_Trace_User_Guide_1_4_0_x/b_Cisco_Path_Trace_Solution_Guide_1_4_0_x_chapter_011.html

Question 81

Which two statements about traffic shaping are true? (Choose two)

A. It can be applied in the outbound direction only.
B. Packets that exceed the configured threshold are remarked and sent.
C. Packets that exceed the configured threshold are held in a buffer.
D. It can be applied in the inbound and outbound directions.
E. Packets that exceed the configured threshold are dropped

 

Answer: A C

Explanation

The following diagram illustrates the key difference between traffic policing and traffic shaping. Traffic policing propagates bursts. When the traffic rate reaches the configured maximum rate (or committed information rate), excess traffic is dropped (or remarked). The result is an output rate that appears as a saw-tooth with crests and troughs. In contrast to policing, traffic shaping retains excess packets in a queue and then schedules the excess for later transmission over increments of time. The result of traffic shaping is a smoothed packet output rate.

traffic_policing_vs_shaping.jpg

Traffic shaping is applicable only on outbound interfaces as buffering and queuing happens only on outbound interfaces.
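The policer-versus-shaper difference above, as an added example (not part of the original explanation or of any Cisco implementation): a minimal single-rate token bucket is run twice over the same constructed burst, once dropping whatever exceeds the bucket (policing) and once holding it in a FIFO until enough credit has accrued (shaping). CIR, Bc and the packet arrivals are constructed values.

```python
def police(arrivals, cir, bc):
    """Single-rate token-bucket policer (no Be). arrivals: list of (time_s, bytes) in time order.
    Conforming packets are sent immediately; exceeding packets are dropped (or would be re-marked).
    Returns (sent, dropped) as lists of (time_s, bytes)."""
    tokens, last = bc, 0.0
    sent, dropped = [], []
    for t, size in arrivals:
        tokens = min(bc, tokens + (t - last) * cir)   # refill at CIR since the last packet
        last = t
        if size <= tokens:
            tokens -= size
            sent.append((t, size))
        else:
            dropped.append((t, size))
    return sent, dropped


def shape(arrivals, cir, bc):
    """Same token bucket, but exceeding packets wait in a FIFO until enough tokens accrue.
    Returns the list of (departure_time_s, bytes); nothing is dropped (unbounded queue)."""
    tokens, last, next_free = bc, 0.0, 0.0
    out = []
    for t, size in arrivals:
        if size > bc:
            raise ValueError("packet larger than Bc can never be sent")
        start = max(t, next_free)                      # FIFO: cannot overtake the previous packet
        tokens = min(bc, tokens + (start - last) * cir)
        if size > tokens:                              # not enough credit: hold the packet
            wait = (size - tokens) / cir
            start += wait
            tokens = size                              # bucket has refilled to exactly `size`
        tokens -= size
        last = next_free = start
        out.append((start, size))
    return out


# Constructed burst: four 1000-byte packets at t=0, one more at t=5 s; CIR 1000 B/s, Bc 1500 B
BURST = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (5.0, 1000)]
CIR, BC = 1000, 1500

if __name__ == "__main__":
    sent, dropped = police(BURST, CIR, BC)
    print(f"policer: sent {len(sent)}, dropped {len(dropped)}")
    print("shaper departures:", [t for t, _ in shape(BURST, CIR, BC)])
```

The policer lets one packet of the burst through and drops the next three (the saw-tooth), while the shaper delivers all five, spacing the excess at 0.5, 1.5 and 2.5 s so the output never exceeds the CIR (the smoothed rate). The cost of shaping is latency and queue memory on the outbound interface, which is why it cannot be applied inbound.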

Question 82

Which two values are combined to generate the PVST+ bridge ID on the root switch? (Choose two)

A. the root path cost
B. the switch priority
C. the MAC address
D. the port ID
E. the interface number

Answer: B C

Explanation

The Bridge ID is composed of the bridge priority value (0-65535, 2 bytes) and the bridge MAC address (6 bytes).

Bridge ID = Bridge Priority + MAC Address
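An added example (not from the original page) that builds the PVST+ bridge ID as Catalyst switches actually encode it: the 16-bit priority field is the 4-bit configurable priority (a multiple of 4096) plus the 12-bit extended system ID carrying the VLAN number, followed by the 48-bit MAC address, and the lowest value wins the per-VLAN root election. The switch names and MAC addresses are constructed.

```python
def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """PVST+ bridge ID with the extended system ID: a 16-bit field made of the 4-bit configurable
    priority (so it must be a multiple of 4096, 0..61440) plus the 12-bit VLAN number, followed by
    the 48-bit switch MAC address. Lower value wins the root election."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def elect_root(switches, vlan: int):
    """Return the switch with the numerically lowest bridge ID for this VLAN."""
    return min(switches, key=lambda s: bridge_id(s["priority"], vlan, s["mac"]))


# Constructed switches. All at the default priority 32768; SW3 happens to have the lowest MAC.
SWITCHES = [
    {"name": "SW1", "priority": 32768, "mac": "0000.0c11.aaaa"},
    {"name": "SW2", "priority": 32768, "mac": "0000.0c11.bbbb"},
    {"name": "SW3", "priority": 32768, "mac": "0000.0c00.0001"},
]

if __name__ == "__main__":
    print("default root:", elect_root(SWITCHES, 10)["name"])
    # Lowering SW1's priority (as 'spanning-tree vlan 10 priority 4096' would) makes it root.
    tuned = [dict(s, priority=4096) if s["name"] == "SW1" else s for s in SWITCHES]
    print("after priority change:", elect_root(tuned, 10)["name"])
```

With everything at the default, the root is decided by the lowest MAC address, i.e. usually the oldest switch. That is also why root election is a security concern: any device that sends BPDUs with priority 0 and a low MAC wins, so the intended root should be set explicitly and user ports protected with BPDU guard (Question 66).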

Question 83

By default, which two K values does EIGRP for IPv6 use to calculate the metric? (Choose two)

A. reliability
B. bandwidth
C. load
D. MTU
E. delay

 

Answer: B E

Explanation

First you should learn the formula used to calculate the metric. It is a conditional formula with two cases, which makes it look more complex than it is:

metric = [K1 * bandwidth + (K2 * bandwidth)/(256 - load) + K3 * delay] * [K5/(reliability + K4)] if K5 > 0
metric = [K1 * bandwidth + (K2 * bandwidth)/(256 - load) + K3 * delay] if K5 = 0

By default, K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0, which means that the default values use only the bandwidth and delay parameters while the others are ignored. The metric formula then reduces to:

metric = bandwidth + delay
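The formula above carried through in code, as an added example that is not part of the original question set. It implements the full conditional form with all five K values and the default tuple, so the reduction to bandwidth + delay falls out of the defaults rather than being hard-coded. The scaling rules (bandwidth = 10^7 divided by the slowest link's bandwidth in kbps, delay = cumulative delay in tens of microseconds, result multiplied by 256) are the classic 32-bit EIGRP rules and are an assumption of this example, not stated on the page.

```python
# Added example: classic (32-bit) EIGRP composite metric with configurable K values.
# Assumption (not from the page): bandwidth is 10^7 / (slowest link kbps), delay is the
# summed interface delay in tens of microseconds, and the result is scaled by 256.

def eigrp_metric(min_bw_kbps, total_delay_usec, load=1, reliability=255,
                 k=(1, 0, 1, 0, 0)):
    """Return the EIGRP composite metric for a path.

    k is (K1, K2, K3, K4, K5); the default tuple is the IOS default, so only
    bandwidth and delay influence the result. Integer division mirrors the
    truncation IOS performs at each step.
    """
    k1, k2, k3, k4, k5 = k
    if not 1 <= load <= 255 or not 1 <= reliability <= 255:
        raise ValueError("load and reliability are expressed as 1..255")
    bandwidth = 10_000_000 // min_bw_kbps       # scaled inverse bandwidth
    delay = total_delay_usec // 10              # delay in tens of microseconds
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 > 0:                                  # the conditional part of the formula
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def default_metric(min_bw_kbps, total_delay_usec):
    """The reduced form the explanation ends with: bandwidth + delay, then scaled."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_usec // 10)


if __name__ == "__main__":
    # Constructed sample: a T1 (1544 kbps) path with 20000 usec of cumulative delay.
    print(eigrp_metric(1544, 20000))                                  # 2169856
    print(eigrp_metric(1544, 20000) == default_metric(1544, 20000))  # True
```

Because K2, K4 and K5 default to zero, changing load or reliability on an interface has no effect on the metric unless the K values are changed on every router in the autonomous system (EIGRP neighbors with mismatched K values do not form adjacencies).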

Question 84

What is the minimum level of SNMP that provides encryption?

A. SNMPv3 authPriv
B. SNMPv3 authNoPriv
C. SNMPv3 noAuthNoPriv
D. SNMPv2 noAuthNoPriv

 

Answer: A

Explanation

+ noAuthNoPriv – Security level that does not provide authentication or encryption.
+ authNoPriv – Security level that provides authentication but does not provide encryption.
+ authPriv – Security level that provides both authentication and encryption.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html

Question 85

Which two statements about interior gateway routing protocols are true? (Choose two)

A. They may use the Dijkstra algorithm.
B. They can be used to connect to another AS across the Internet as a virtual instance.
C. They may use the Bellman-Ford algorithm.
D. They cannot be used when two devices are connected through a firewall.
E. They can be used to connect to the Internet backbone.

 

Answer: A C

Explanation

Interior gateway routing protocols like OSPF (uses Dijkstra algorithm), RIP (uses Bellman-Ford algorithm) should be used within an organization or ISP.

Question 86

Which two characteristics of a distance-vector routing protocol are true? (Choose two)

A. It may use the Dijkstra algorithm.
B. It has a complete picture of the network.
C. It has a higher CPU requirement than link-state protocols.
D. It sends periodic updates.
E. It may use the Bellman-Ford algorithm.

 

Answer: D E

Question 87

Which two statements are benefits of stackable switches? (Choose two)

A. They can support dissimilar Cisco IOS features in a single stack.
B. They are less redundant than modular aggregation.
C. They cannot perform switch-to-router aggregation.
D. They can perform link aggregation.
E. They perform unified management from a single switch stack.

 

Answer: D E

Question 88

Refer to the exhibit.

R1(config)#interface GigabitEthernet 1/1/1
R1(config-if)# no ip address
R1(config-if)#pppoe enable
R1(config-if)#pppoe-client dial-pool-number 1
R1(config-if)#exit

Which effect of this configuration is true?

A. It configures PPP over Ethernet globally for the device.
B. It configures PPP over Ethernet in client mode.
C. It configures PPP over Multilink.
D. It configures PPP over Ethernet in server mode.

 

Answer: B

Explanation

The picture below shows all the configuration needed for PPPoE. Notice that the PPPoE client physical interface Ethernet0/1 has no IP address configured and is linked to dialer pool 1 (with the pppoe-client dial-pool-number 1 command on the physical interface and the dialer pool 1 command on the Dialer interface).

PPPoE_Topology_with_config.jpg

Question 89

For which reason can OSPFv3 fail to start between two routers?

A. OSPFv3 is configured only under an interface.
B. The interface assigned to OSPFv3 is in NBMA mode with only one neighbor defined.
C. The router is configured with IPv6 addresses only and it is unable to find an OSPFv3 router ID.
D. IPv6 unicast routing is enabled.

 

Answer: C

Explanation

Although OSPFv3 deals solely with IPv6 addresses, it still uses 32-bit router IDs, which are expressed in dotted-decimal (IPv4) format. This router ID must be manually configured if we don’t have any IPv4 interfaces on our router. For example:

ipv6 router ospf 1
router-id 172.16.1.1

Question 90

Which statement about using the keepalive command on a tunnel interface is true?

A. It can be configured on either side of the tunnel or on both sides.
B. It can be configured only on the downstream side of the tunnel.
C. If it is configured on both sides of the tunnel, the values must match.
D. It can be configured only on the upstream side of the tunnel.

 

Answer: A

Explanation

GRE tunnels are designed to be completely stateless. This means that each tunnel endpoint does not keep any information about the state or availability of the remote tunnel endpoint. A consequence of this is that the local tunnel endpoint router does not have the ability to bring the line protocol of the GRE Tunnel interface down if the remote end of the tunnel is unreachable. Such scenarios would cause data packets that go through the GRE tunnel to be “black holed”. Keepalives on the GRE tunnel interface are used in order to solve this issue in the same way as keepalives are used on physical interfaces. With this feature, the tunnel interface dynamically shuts down if the keepalives fail for a certain period of time.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-00.html

Generic routing encapsulation (GRE) keepalive packets may be sent from both sides of a tunnel or from just one side. If they are sent from both sides, the period and retry parameters can be different at each side of the link. If you configure keepalives on only one side of the tunnel, the tunnel interface on the sending side might perceive the tunnel interface on the receiving side to be down because the sending interface is not receiving keepalives. From the receiving side of the tunnel, the link appears normal because no keepalives were enabled on the second side of the link.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sb_gretk.html

Note: GRE tunnel keepalives are only supported on point-to-point GRE tunnels. Tunnel keepalives are configurable on multipoint GRE (mGRE) tunnels but have no effect.

Question 91

Which statement about STP root bridges is true?

A. Each VLAN must have a separate root bridge.
B. An individual switch can be the root bridge for only one VLAN.
C. The switch with the highest root ID is elected as the root bridge.
D. Dynamic root bridge assignment is most efficient.

 

Answer: A

Explanation

With STP, RSTP or PVST, each VLAN must have its own root bridge.

Question 92

Which statement about the default VLAN is true?

A. It is always the same as the native VLAN.
B. Its name is Default by default.
C. It can be removed without additional configuration.
D. It is always VLAN 1.

 

Answer: D

Question 93

In which two ways can you isolate the location of a connectivity issue between two devices on your network? (Choose two)

A. Test whether the next hop from the source can reach the destination and work toward the destination.
B. Send an extended ping from the destination to the source.
C. Execute a traceroute from the destination and work toward the source to locate the problematic hop.
D. Send an extended ping from the source to the destination.
E. Execute a traceroute from the source to the destination to locate the problematic hop.

 

Answer: C E

Explanation

To isolate the connectivity issue location we have to use traceroute to find out the exact location where the trace stops.

Question 94

Which configuration item is the default username for PPP local authentication?

A. the router MAC address
B. the router hostname
C. cisco
D. The router serial number

 

Answer: B

Explanation

By default, CHAP uses the hostname of the router to identify itself. If the ppp chap hostname name command is configured, the router uses that name in place of the hostname to identify itself.

With PAP, we have to configure the command “ppp pap sent-username username password password” to match the local username on the other side (configured with the “username username password password” global configuration command).

Question 95

Which three features are supported when you use TACACS+ for device management? (Choose three)

A. It can restrict the commands that individual users are allowed to execute.
B. It can connect disparate networks.
C. It can create network access clients.
D. It can provide additional challenges beyond the username and password.
E. It supports UNIX server functionality.
F. It supports user notifications.

 

Answer: A D F

Explanation

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism -> Answer A is correct.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

The authentication facility provides the ability to conduct an arbitrary dialog with the user (for example, after a login and password are provided, to challenge a user with a number of questions, like home address, mother’s maiden name, service type, and social security number). In addition, the TACACS+ authentication service supports sending messages to user screens. For example, a message could notify users that their passwords must be changed because of the company’s password aging policy -> Answer F is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-3s/sec-usr-tacacs-xe-3s-book/sec-cfg-tacacs.html

Answer E seems to be correct too, as “TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation”.

Question 96

Which WAN topology has the highest degree of reliability?

A. hub-and-spoke
B. full mesh
C. point-to-point
D. router-on-a-stick

 

Answer: B

Explanation

Full-mesh is a network topology in which there is a direct link between all pairs of nodes. Below is an example of full-mesh topology.

wan_full_mesh.jpg

Question 97

Which command do you enter to determine the status of the SVI for VLAN 10?

A. show ip interface brief
B. show run interface vlan 10
C. show vtp status
D. show interface trunk

 

Answer: A

Explanation

The Switched Virtual Interface (SVI) can be checked using the same command as physical interfaces like “show ip interface brief”. For example we can see the SVIs of VLANs 10 & 20 here:

L3Switch#show ip interface brief
Interface         IP-Address    OK? Method Status  Protocol
FastEthernet0/1   10.1.4.6      YES manual up      up
Vlan10            10.2.1.1      YES manual up      up
Vlan20            10.2.2.2      YES manual up      up
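An added example, not part of the original page, of reading this output programmatically: a small parser for “show ip interface brief” that returns the status and line protocol per interface, plus a helper that looks up the SVI for a VLAN. The sample output is constructed for the demo (it extends the snippet above with an administratively down SVI and an unassigned one); column positions are not assumed, only the column order.

```python
import re

# Constructed sample output modelled on the snippet above (not captured from a real device).
SAMPLE = """\
L3Switch#show ip interface brief
Interface         IP-Address    OK? Method Status                Protocol
FastEthernet0/1   10.1.4.6      YES manual up                    up
Vlan10            10.2.1.1      YES manual up                    up
Vlan20            10.2.2.2      YES manual administratively down down
Vlan30            unassigned    YES unset  down                  down
"""

# name, address, OK?, method, status (may contain spaces), protocol
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(.+?)\s+(up|down)\s*$")


def parse_ip_int_brief(text):
    """Return {interface: {ip, ok, method, status, protocol}} from the command output.

    The prompt line and the header line do not match ROW (their third column is
    not YES/NO), so they are skipped without special-casing.
    """
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, ip, ok, method, status, proto = m.groups()
        rows[name] = {
            "ip": None if ip == "unassigned" else ip,
            "ok": ok == "YES",
            "method": method,
            "status": status.strip(),
            "protocol": proto,
        }
    return rows


def svi_state(text, vlan):
    """State of the SVI for a VLAN, or None if no such SVI exists."""
    return parse_ip_int_brief(text).get(f"Vlan{vlan}")


if __name__ == "__main__":
    for name, row in parse_ip_int_brief(SAMPLE).items():
        print(f"{name:16} {row['status']:22} {row['protocol']}")
    print(svi_state(SAMPLE, 10))
```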

Question 98

Which protocol is incompatible with CGMP leave processing?

A. GARP
B. VRRP
C. HSRPv1
D. HSRPv2

 

Answer: C

Explanation

HSRPv1 uses the multicast address 224.0.0.2 to send hello packets, which can conflict with Cisco Group Management Protocol (CGMP) leave processing. You cannot enable HSRPv1 and CGMP at the same time; they are mutually exclusive.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swhsrp.pdf

Question 99

After you configure a new IP SLA, you notice that it is failing to run or generate statistics. Which step do you take first to identify the problem?

A. Use the debug ip sla trace command on the device to troubleshoot.
B. Add the verify-data command to the IP SLA configuration.
C. Add proactive threshold conditions to the IP SLA to facilitate troubleshooting.
D. Use the debug ip sla error command on the device to troubleshoot.

 

Answer: B

Explanation

The command “debug ip sla error” enables debugging output of Cisco IOS IP Service Level Agreements (SLAs) operation run-time errors.

Note: The command “debug ip sla trace” traces the execution of a Cisco IOS IP Service Level Agreements (SLAs) operation.

+ If the IP Service Level Agreements (SLAs) operation is not running and not generating statistics, add the verify-data command to the configuration (while configuring in IP SLA configuration mode) to enable data verification. When data verification is enabled, each operation response is checked for corruption. Use the verify-data command with caution during normal operations because it generates unnecessary overhead.

+ Use the debug ip sla trace and debug ip sla error commands to help troubleshoot issues with an IP SLAs operation.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_udp_jitter.html

Therefore we should add the “verify-data” command first before using the “debug ip sla error” or “debug ip sla trace” command.

Question 100

Which statement about GRE tunnels is true?

A. They pass clear-text traffic.
B. They are stateful.
C. They are unable to carry multicast traffic.
D. They use MD5 for encryption.

 

Answer: A

Explanation

GRE tunnels are completely stateless. This means that each tunnel endpoint does not keep any information about the state or availability of the remote tunnel endpoint. GRE tunnels can carry multicast traffic, so they can be used to transport multicast traffic over networks that have no multicast support. GRE itself does not encrypt traffic (it passes clear text); when encryption is required, IPsec is run over the GRE tunnel.

ICND2v3 – New Questions Part 5

May 22nd, 2019

Question 1

What protocols are supported by trunking? (Choose two)

A. DTP
B. PagP
C. LACP
D. STP
E. VTP
F. 802.1Q

 

Answer: A F

Question 2

What can be used to modify ToS field in IPv4 and traffic class on IPv6 header?

A. Shaping
B. Prioritising
C. Policing
D. Marking

 

Answer: D

Question 3

How would you fix the connectivity issue between R1 and R2, given the following configurations?

R1: int s0/0
ip add x.x.1.1 255.255.255.0

router bgp 100
network x.x.0.0
neighbor x.x.1.2 remote-as 200

R2: int s0/0
ip add x.x.1.2 255.255.255.0

router bgp 100
network x.x.0.0
neighbor x.x.1.1 remote-as 100

A. add the network mask /24 to the network command
B. configure the serial interface with no shutdown
C. replace the router bgp 100 command on R2 with router bgp 200

 

Answer: C

Question 4

R1 and R2 are connected via GigabitEthernet0/0. R1 loses connectivity to R2. What is your first troubleshooting step?

A. make sure the encapsulation on R1 and R2 is set to HDLC
B. verify that g0/0 on R1 is up and line protocol down
C. verify that g0/0 on R2 is up and line protocol down
D. verify that g0/0 on R1 and R2 is up and line protocol up

 

Answer: D

Question 5

Drag and drop question. Why doesn’t router R1 form an OSPF adjacency with R2?

OSPF_parameters.jpg

Answer:

Configurations must be the same:
+ shutdown status
+ hello time
+ hold time

Configuration may differ:
+ interface status
+ serial configuration
+ <one more option>

=============================== New Updated Questions (added on 2nd-May-2019) ===============================

Question 6

Which version of SNMP first allowed user-based access?

A. SNMPv3 with RBAC
B. SNMPv3
C. SNMPv1
D. SNMPv2

 

Answer: B

Explanation

The user-based access control implemented by SNMPv3 is based on contexts and user names, rather than on IP addresses and community strings. It is a partial implementation of the view-based access control model (VACM).

Question 7

Drag and drop question about EIGRP K values.

Answer:

K1 – bandwidth
K2 – load
K3 – delay
K4 – Reliability
K5 – MTU

=============================== New Updated Questions (added on 22nd-May-2019) ===============================

Question 8

What routing protocols are supported on stub routers? (Choose two)

or

Which routing protocols are compatible with stubs? (Choose two)

A. RIP
B. EIGRP
C. IS-IS
D. OSPF
E. BGP

 

Answer: B D

Explanation

Both EIGRP and OSPF support stub areas.

In OSPF, stubs remove external routes and/or inter-area routes and tend to replace them with a default route. The general idea is that if you have 200 routes in your routing table, the branch does not necessarily need that level of detail, and if it is a smaller Cisco 800 or similar it may not cope well with a large number of routes.

In EIGRP, stubs work in a similar way, but their main goal is to optimize the EIGRP network by preventing the branch from being queried when a route goes active on the hub, so the route does not become stuck in active while the hub asks all the branches, which probably do not have the route anyway.

Question 9

Refer to the exhibit:

interVLAN_router_on_a_sticky.jpg

C-router is to be used as a “router-on-a-stick” to route between the VLANs. All the interfaces have been properly configured and IP routing is operational. The hosts in the VLANs have been configured with the appropriate default gateway. What can be said about this configuration?

A. These commands need to be added to the configuration:
C-router(config)# router eigrp 123
C-router(config-router)# network 172.19.0.0

B. No further routing configuration is required.

C. These commands need to be added to the configuration:
C-router(config)# router ospf 1
C-router(config-router)# network 172.19.0.0 0.0.3.255 area 0

D. These commands need to be added to the configuration:
C-router(config)# router rip
C-router(config-router)# network 172.19.0.0

 

Answer: B

Question 10

DHCP can be prevented by which protocol?

A. VTP
B. DTP
C. 802.1q
D. STP

 

Answer: D

Explanation

When a host is connected to a switch port, we have to wait about 50 seconds for STP to bring the port to the forwarding state. During this time DHCP cannot assign an IP address to the host. If we want STP to transition to the forwarding state immediately, we need to issue the “spanning-tree portfast” command on the port.

ICND2v3 – New Questions Part 4

November 6th, 2018

Note: These new questions have not been classified into specific topics so please practice them separately.


Question 1

In the Software-Defined Networking model, where is the interface between the control plane and the data plane?

A. between the control layer and the infrastructure layer
B. between the collocated layer and the dislocated layer
C. between the control layer and application layer
D. between the application layer and the infrastructure layer

 

Answer: A

Question 2

Which function is performed by a TACACS+ server?

A. It hosts an access list that permits or denies IP traffic to the control plane of a device.
B. It provides external AAA verification.
C. It filters usernames and passwords for Telnet and SSH.
D. It serves as a database for line passwords.

 

Answer: B

Question 3

Which option is the master redundancy scheme for stacked switches?

A. 1:N
B. 1:1
C. N:1
D. 1+N

 

Answer: A

Question 4

Which Cisco IOS feature can you use to dynamically identify a connectivity problem between a Cisco device and a designated endpoint?

A. traceroute
B. ICMP Echo IP SLAs
C. IP SLAs threshold monitoring
D. Multi Operation Scheduler IP SLAs

 

Answer: B

Question 5

Drag and drop the SDN components from the left onto the correct API types on the right.

SDN_Northbound_Southbound.jpg

 

Answer:

Northbound APIs:
+ Switch Manager
+ Topology Manager

Southbound APIs:
+ Physical interfaces
+ Switches

Question 6

Which two benefits of using MPLS for WAN access are true? (Choose two)

A. It supports hub-and-spoke connectivity.
B. It supports CoS.
C. It provides VPN support.
D. It provides payload security with ESP.
E. It supports Authentication Header.

 

Answer: B C

Question 7

Which two statements about MPLS are true? (Choose two)

A. It encapsulates all traffic in an IPv4 header
B. It provides automatic authentication
C. It uses labels to separate and forward customer traffic
D. It can carry multiple protocols, including IPv4 and IPv6
E. It tags customer traffic using 802.1Q

 

Answer: C D

Question 8

Which three statements about the ACEs that are matched by a Cisco APIC-EM ACL path are true? (Choose three)

A. If the trace fails to find a matching ACE in an ACL, it is reported as implicitly permitted.
B. If an optional criterion is omitted from the trace, the results include all possible ACE matches.
C. If the trace fails to find a matching ACE in an ACL, it is reported as implicitly denied.
D. ACEs are reported only if they match.
E. All ACEs found by the trace are reported, including those that fail to match.
F. If an optional criterion is omitted from the trace, the results are reported as if the default value was specified.

 

Answer: B C D

Explanation

An ACL path trace shows whether the traffic matching your criteria would be permitted or denied based on the ACLs configured on the path.
The following rules affect the ACL path trace results:
+ Only matching access control entries (ACEs) are reported.
+ If you leave out the protocol, source port, or destination port when defining a path trace, the results include ACE matches for all possible values for these fields.
+ If no matching ACE exists in the ACL, the flow is reported to be implicitly denied.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-4-x/path_trace/user-guide/b_Cisco_Path_Trace_User_Guide_1_4_0_x/b_Cisco_Path_Trace_Solution_Guide_1_4_0_x_chapter_011.html

Question 9

Which three protocols does APIC-EM support with Path Trace? (Choose three)

A. HSRP
B. ECMP
C. WLC
D. SNMP
E. SMTP
F. ECMP/TR

 

Answer: A B F

Explanation

Path Trace Supported Device Protocols and Network Connections:

Access Control List (ACL)
Border Gateway Protocol (BGP)
Dynamic Multipoint VPN (DMVPN)
Enhanced Interior Gateway Routing Protocol (EIGRP)
Equal Cost Multipath/Trace Route (ECMP/TR)
Equal Cost Multi Path (ECMP)
Hot Standby Router Protocol (HSRP)
Intermediate System-to-Intermediate System (IS-IS) Protocol

For more information about these supported protocols and network connections, please visit https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-3-x/config-guide/b_apic-em_config_guide_v_1-3-x/b_apic-em_config_guide_v_1-3-x_chapter_0111.html

Question 10

Where must you configure switch-level global features on a switch stack?

A. on the stack master
B. on the stack master and each individual stack member
C. on the stack master or any individual stack member
D. on each individual stack member

 

Answer: A

Question 11

Which two statements about the Cisco APIC-EM ACL Path Trace feature are true? (Choose two)

A. Higher-priority ACEs override lower-priority ACEs in the same ACL.
B. The trace analyzes only the egress interface of all devices in the path.
C. The trace analyzes the ingress interface and the egress interface of all devices in the path.
D. The trace analysis stops as soon as the trace encounters a deny entry on the path.
E. The trace analyzes only the ingress interface of all devices in the path.

 

Answer: A C

Explanation

Access Control List (ACL) Trace analyzes how a flow is affected by ACLs programmed on the path. After the path is calculated between the source and the destination, the ACL Trace analyzes both ingress and egress interfaces of all devices on the path -> C is correct.

Analysis of entries within an individual ACL is cumulative. That is, if a higher priority ACE is a match, lower-priority ACEs are ignored -> A is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-4-x/path_trace/user-guide/b_Cisco_Path_Trace_User_Guide_1_4_0_x/b_Cisco_Path_Trace_Solution_Guide_1_4_0_x_chapter_01.html
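The ACE evaluation rules from Question 8 and Question 11 carried through in code, as an added example that is not the APIC-EM implementation. It models one ACL as an ordered list of entries: the highest-priority (lowest sequence number) matching ACE decides the verdict and lower-priority ones are ignored, only matching ACEs are reported, an omitted criterion in the flow is treated as “any value”, and no match at all yields an implicit deny. The ACL, the ACE fields and the flow dictionary shape are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example; ACE fields and the flow format are assumptions for the demo.


@dataclass(frozen=True)
class ACE:
    seq: int                 # priority: lower sequence number is evaluated first
    action: str              # "permit" or "deny"
    proto: Optional[str]     # None = any protocol (the "ip" keyword)
    src: Optional[str]       # CIDR prefix, None = any
    dst: Optional[str]       # CIDR prefix, None = any
    dport: Optional[int]     # None = any destination port


def _net_contains(prefix, addr):
    """A missing prefix (ACE says any) or a missing address (criterion omitted) matches."""
    if prefix is None or addr is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def ace_matches(ace, flow):
    """flow keys: proto, src, dst, dport. A missing or None key is an omitted
    criterion and therefore matches whatever the ACE specifies for that field."""
    proto, dport = flow.get("proto"), flow.get("dport")
    if ace.proto is not None and proto is not None and ace.proto != proto:
        return False
    if ace.dport is not None and dport is not None and ace.dport != dport:
        return False
    return _net_contains(ace.src, flow.get("src")) and _net_contains(ace.dst, flow.get("dst"))


def matching_aces(acl, flow):
    """Only matching ACEs are reported, in priority order."""
    return [a for a in sorted(acl, key=lambda a: a.seq) if ace_matches(a, flow)]


def trace_acl(acl, flow):
    """Verdict for the flow: the first (highest-priority) match wins; no match is an
    implicit deny, reported with no ACE."""
    hits = matching_aces(acl, flow)
    if not hits:
        return "deny", None
    return hits[0].action, hits[0]


# Constructed ACL: HTTPS to the server subnet is allowed before the branch subnet is denied.
ACL = [
    ACE(10, "permit", "tcp", None, "10.0.0.0/24", 443),
    ACE(20, "deny", None, "192.168.1.0/24", None, None),
    ACE(30, "permit", None, None, None, None),
]

if __name__ == "__main__":
    https = {"proto": "tcp", "src": "192.168.1.5", "dst": "10.0.0.7", "dport": 443}
    ssh = {"proto": "tcp", "src": "192.168.1.5", "dst": "10.0.0.7", "dport": 22}
    print(trace_acl(ACL, https))   # permit via seq 10, even though seq 20 would deny
    print(trace_acl(ACL, ssh))     # deny via seq 20
    # Protocol and port omitted: every ACE that could match is reported.
    print([a.seq for a in matching_aces(ACL, {"src": "192.168.1.5", "dst": "10.0.0.7"})])
```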

Question 12

Which two data integrity algorithms are commonly used in VPN solutions? (Choose two)

A. DH1
B. DH2
C. HMAC-MD5
D. HMAC-SHA-1
E. RSA

 

Answer: C D

Explanation

Two popular algorithms a VPN gateway uses for verifying the integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1).

+ HMAC-MD5 uses a 128-bit shared-secret key of any size. The variable-length message and shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and is forwarded to the remote end.

+ HMAC-SHA-1 uses a secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and is forwarded to the remote end.

Diffie-Hellman Group 1 (DH-1) & Diffie-Hellman Group 2 (DH-2) are two encryption algorithms for VPN, not data integrity algorithms.

RSA is also an encryption algorithm, not data integrity algorithm.
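The sender/receiver exchange described for HMAC-MD5 and HMAC-SHA-1 above, as an added example that is not from the original page: the sender appends HMAC(shared key, message) to the message, and the receiver recomputes the tag over the received message and compares it with the received tag. The 128-bit and 160-bit tag sizes from the explanation fall out of the digest sizes. The key and messages are constructed for the demo; the constant-time comparison is a standard defensive choice, not something the page discusses.

```python
import hashlib
import hmac

# Added example; key and messages below are constructed for the demo.


def protect(message: bytes, key: bytes, algo: str = "sha1") -> bytes:
    """Sender side: append HMAC(key, message) to the message and forward both."""
    tag = hmac.new(key, message, algo).digest()
    return message + tag


def verify(frame: bytes, key: bytes, algo: str = "sha1"):
    """Receiver side: split off the tag, recompute it over the message with the
    shared key, and compare in constant time. Returns the message when the
    tag checks out, or None if the data was altered or the keys differ."""
    size = hashlib.new(algo).digest_size
    if len(frame) < size:
        return None
    message, tag = frame[:-size], frame[-size:]
    expected = hmac.new(key, message, algo).digest()
    return message if hmac.compare_digest(tag, expected) else None


def tag_bits(algo: str) -> int:
    """Length of the appended hash: 128 for HMAC-MD5, 160 for HMAC-SHA-1."""
    return hashlib.new(algo).digest_size * 8


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    frame = protect(b"route update: 10.1.0.0/16 via 10.0.0.2", key)
    print(verify(frame, key))                 # the original message
    tampered = bytearray(frame)
    tampered[21] ^= 0x01                      # flip one bit of the payload in transit
    print(verify(bytes(tampered), key))       # None: integrity check failed
    print(tag_bits("md5"), tag_bits("sha1"))  # 128 160
```

Note that the HMAC proves only that the message was not altered and that the sender holds the shared key; it does not hide the message, which is why the VPN combines it with an encryption algorithm.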

Question 13

Which component of VPN technology ensures that data is unaltered between the sender and recipient?

A. encryption
B. authentication
C. key exchange
D. data integrity

 

Answer: D

Question 14

In which three circumstances may your organization require a high-bandwidth Internet connection? (Choose three)

A. It uses cloud computing
B. It uses network devices that require frequent IOS upgrades
C. It uses peer-to-peer file sharing
D. It is undergoing a SAN expansion
E. It uses Infrastructure as a Service
F. It uses resource-intensive applications

 

Answer: A C E

Question 15

Which tool or utility can report whether traffic matching specific criteria can reach a specified destination on the ACLs along the path?

A. Cisco Security Device Manager
B. Cisco Prime
C. APIC-EM
D. Cisco Network Assistant

 

Answer: C

Explanation

If you performed an ACL trace, the devices show whether the traffic matching your criteria would be permitted or denied based on the ACLs configured on the interfaces.

Question 16

Which three features are QoS congestion-management tools? (Choose three)

A. PPPoE
B. PQ
C. FIFO
D. PPP
E. PDQ
F. WFQ

 

Answer: B C F

Explanation

Good reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_conmgt/configuration/xe-3s/qos-conmgt-xe-3s-book/qos-conmgt-oview.html

Question 17

For which two reasons might you choose chassis aggregation instead of stacking switches? (Choose two)

A. to avoid the use of a centralized configuration manager
B. to avoid relying solely on Ethernet interfaces
C. to allow hot-swapping modules
D. to increase the number of devices in use
E. to increase the maximum port count

 

Answer: B C

Explanation

Chassis aggregation is a Cisco technology to make multiple switches operate as a single switch. It is similar to stacking but meant for powerful switches (like the 6500 and 6800 series switches). Chassis aggregation is often used in the core layer and distribution layer (while switching stacking is used for access layer). Chassis aggregation refers to a technology implemented on modular switches (like Catalyst 6500 and 4500s). The modules can be hot-swapped on these switches.

With switch stacking, the switches that are added to or removed from the switch stack must be powered off -> Answer C is correct.

A switch stack is a set of up to nine Cisco EtherSwitch service modules or Catalyst 3750 switches connected through their Cisco StackWise ports while Chassis aggregation is a Cisco technology to make two switches operate as a single logical switch. Therefore stacking switches have more ports than chassis aggregation -> Answer E is not correct.

Both chassis aggregation and switch stacking increase the number of devices in use, and both use a centralized configuration -> Answer D is not correct.

Switch stacking elects a master switch to control the configuration and administration of the stack. Chassis aggregation also uses a single Supervisor module to control all of the Spanning-Tree protocol running in both switches that were bundled together. Therefore we can consider both of them use a centralized manager -> Answer A is not correct.

Chassis aggregation is used for high-end switches (like cat6500s and Cat4500s) which support many types of linecards/modules other than Ethernet while switch stacking only supports Ethernet interfaces -> Answer B is correct.

Question 18

Which option is the master redundancy scheme for stacked switches?

A. 1:N
B. N:1
C. 1:1
D. 1+N
E. N+1

 

Answer: A

Explanation

1:N master redundancy: Every switch in the stack can act as the master. If the current master fails, another master is elected from the stack.

1:N master redundancy allows each stack member to serve as a master, providing the highest reliability for forwarding. Each switch in the stack can serve as a master, creating a 1:N availability scheme for network control. In the unlikely event of a single unit failure, all other units continue to forward traffic and maintain operation.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/prod_white_paper09186a00801b096a.html

Note:

N+1 simply means that there is a power backup in place should any single system component fail. The ‘N’ in this equation stands for the number of components necessary to run your system. The ‘+1’ means there is one independent backup should a component of that system fail. An example of “N+1” is your family has 5 members, so you need 5 cups to drink. But you have one extra cup for redundancy (6 cups in total) so that if any cup breaks, you still have enough cups for the family.

Question 19

Which three statements about QoS policing are true? (Choose three)

A. It can be applied to outbound traffic only.
B. It avoids queuing delays.
C. It drops excess packets.
D. It can be applied to inbound and outbound traffic.
E. It queues excess traffic.
F. It is configured in bits per second.

 

Answer: B C D

Explanation

Unlike traffic shaping, QoS policing avoids delays due to queuing.

QoS policing drops (or remarks) excess packets above the committed rate; it does not buffer them.

QoS policing is configured in bytes (while QoS traffic shaping is configured in bits per second)

QoS policing can be applied to both inbound and outbound traffic (while QoS shaping can only be applied to outbound traffic)

Reference: https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/19645-policevsshape.html
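The policing-versus-shaping contrast drawn in Question 81 and again here, as an added example that is not from the original page or from Cisco: the same single-rate token bucket used two ways. The policer decides per packet whether it conforms or exceeds (the caller then drops or remarks the exceeding ones, and nothing is queued), while the shaper never discards but holds excess packets until enough tokens accrue, which is the buffering delay that policing avoids. The rate, burst size and packet burst are constructed for the demo.

```python
# Added example: one token bucket, two behaviours. Rate and burst values are constructed.


def police(packets, cir_bps, bc_bytes):
    """packets: list of (arrival_time_s, size_bytes) in arrival order.
    Returns (conforming, exceeding). Exceeding packets are what a policer
    drops or remarks; it never waits for tokens."""
    tokens = float(bc_bytes)
    last = 0.0
    conform, exceed = [], []
    for t, size in packets:
        tokens = min(float(bc_bytes), tokens + (t - last) * cir_bps / 8)  # refill at CIR
        last = t
        if size <= tokens:
            tokens -= size
            conform.append((t, size))
        else:
            exceed.append((t, size))   # no buffer: excess is handed to the exceed action
    return conform, exceed


def shape(packets, cir_bps, bc_bytes):
    """Returns [(departure_time_s, size_bytes, queuing_delay_s)] for every packet.
    Packets are sent FIFO; one that finds too few tokens waits in the buffer
    until the bucket has refilled enough. A packet larger than the burst size
    could never be sent, so it is rejected up front."""
    tokens = float(bc_bytes)
    clock = 0.0   # time at which `tokens` is valid (departure of the previous packet)
    sent = []
    for t, size in packets:
        if size > bc_bytes:
            raise ValueError("packet larger than the burst size can never conform")
        start = max(t, clock)                      # wait for earlier packets to leave
        tokens = min(float(bc_bytes), tokens + (start - clock) * cir_bps / 8)
        if size > tokens:                          # hold until enough tokens accrue
            start += (size - tokens) * 8 / cir_bps
            tokens = float(size)
        tokens -= size
        clock = start
        sent.append((round(start, 4), size, round(start - t, 4)))
    return sent


# Constructed burst: five 1000-byte packets arriving together at t=0, limited to
# 8000 bps (1000 bytes/s) with a 2000-byte burst allowance.
BURST = [(0.0, 1000)] * 5
CIR_BPS, BC_BYTES = 8000, 2000

if __name__ == "__main__":
    conform, exceed = police(BURST, CIR_BPS, BC_BYTES)
    print(len(conform), "conform,", len(exceed), "exceed (dropped or remarked)")
    for depart, size, delay in shape(BURST, CIR_BPS, BC_BYTES):
        print(f"shaped: {size} bytes leave at t={depart}s after waiting {delay}s")
```

Run on the same burst, the policer passes two packets and discards three, producing the saw-tooth the explanation describes, while the shaper delivers all five at exactly the committed rate (one per second once the burst allowance is spent), which is the smoothed output rate.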

Question 20

Which switch architecture is scalable, flexible, resilient, and relatively inexpensive?

A. aggregate switch
B. single switch
C. stacked switch
D. modular-chassis switch

 

 

Answer: C

Question 21

Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN?

A. Cisco IOS IPsec/SSL VPN client
B. Cisco VPN Client
C. ISDN terminal adapter
D. Cisco Adaptive Security Appliance

 

Answer: D

Explanation

An example of an IPsec site-to-site VPN: your corporation has departments in many countries which need to communicate with each other. A popular solution is a site-to-site (LAN-to-LAN) VPN that creates private networks through the Internet. But as we know, the Internet is not a safe environment for important data to be transferred. That is the reason we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Cisco Adaptive Security Appliance (ASA) supports IPsec, that’s all I can say! If you wish to learn more about the configuration, please read http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Question 22

Which option is the main function of congestion management?

A. discarding excess traffic
B. queuing traffic based on priority
C. classifying traffic
D. providing long-term storage of buffered data

 

Answer: B

Question 23

Which IPv6 address is the all-router multicast group?

A. FF02::1
B. FF02::2
C. FF02::3
D. FF02::4

 

Answer: B

Explanation

A packet sent to the all-routers multicast group is received and processed by all IPv6 routers on the link or network.

Question 24

Which IPv6 routing protocol uses multicast group FF02::9 to send updates?

A. static
B. RIPng
C. OSPFv3
D. IS-IS for IPv6

 

Answer: B

Explanation

Some special IPv6 addresses:

FF02::5 – OSPFv3 All SPF routers
FF02::6 – OSPFv3 All DR routers
FF02::9 – All routing information protocol (RIP) routers on a link
FF02::A – EIGRP routers

Question 25

Drag and drop the BGP components from the left onto the correct descriptions on the right.

BGP_components.jpg

 

Answer:

+ Device that runs BGP: BGP speaker
+ Neighbor that shares the same AS number as the local device: iBGP peer
+ Neighbor located outside the administrative domain of the local device: eBGP peer
+ Value that identifies an administrative domain: autonomous system number
+ Value that is advertised with the network keyword: prefix

Question 26

Which two statements about switch stacking are true? (Choose two)

A. The stack is powered by a single power cable
B. The switches are connected in a daisy-chain fashion
C. The first and last switch in the stack must be connected to one another
D. The switches are connected by crossover cables
E. The switches must be fully meshed

 

Answer: B C

Question 27

Which name describes an IPv6 host-enabled tunneling technique that uses IPv4 UDP, does not require dedicated gateway tunnels, and can pass through existing IPv4 NAT gateways?

A. manual 6to4
B. dual stack
C. dynamic
D. Teredo

 

Answer: D

Question 28

Which two steps must you perform on each device that is configured for IPv4 routing before you implement OSPFv3? (Choose two)

A. configure an autonomous system number
B. configure a loopback interface
C. configure a router ID
D. enable IPv6 on an interface
E. enable IPv6 unicast routing

 

Answer: C E

Question 29

What is the alternative notation for the IPV6 address B514:82C3:0000:0000:0029:EC7A:0000:EC72?

A. B514:82C3:0029::EC7A:0000:EC72
B. B514:82C3:0029:EC7A:EC72
C. B514:82C3::0029:EC7A:0:EC72
D. B514:82C3::0029:EC7A:EC72

 

Answer: C

Question 30

Refer to the exhibit.

R1
ipv6 unicast-routing

interface FastEthernet0/0
no ip address
ipv6 enable
ipv6 address 2001:DB8:12::1/64
ipv6 ospf 1 area 0

ipv6 router ospf 1
router-id 172.16.1.1

R2
ipv6 unicast-routing

interface FastEthernet0/0
no ip address
ipv6 enable
ipv6 address 2001:DB8:12::2/64
ipv6 ospf 1 area 1

ipv6 router ospf 1
router-id 172.16.2.2

After you apply the given configurations to R1 and R2, you notice that OSPFv3 fails to start. Which reason for the problem is most likely true?

A. The area numbers on R1 and R2 are mismatched
B. The IPv6 network addresses on R1 and R2 are mismatched
C. The autonomous system numbers on R1 and R2 are mismatched
D. The router ids on R1 and R2 are mismatched

 

Answer: A

Question 31

Which two of these statements are true of IPv6 address representation? (Choose two)

A. There are four types of IPv6 addresses: unicast, multicast, anycast, and broadcast
B. A single interface may be assigned multiple IPv6 addresses of any type.
C. Every IPv6 interface contains at least one loopback address.
D. The first 64 bits represent the dynamically created interface ID.
E. Leading zeros in an IPv6 16 bit hexadecimal field are mandatory.

 

Answer: B C

Explanation

A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, and multicast).

Every IPv6-enabled interface must contain at least one loopback (::1/128) and one link-local address. Optionally, an interface may have multiple unique local and global addresses.

Leading zeros in an IPv6 field are optional, so that 05C7 equals 5C7 and 0000 equals 0 -> E is not correct.

Question 32

Which two statements describe characteristics of IPv6 unicast addressing? (Choose two)

A. Global addresses start with 2000::/3
B. Link-local addresses start with FE00:/12
C. Link-local addresses start with FF00::/10
D. There is only one loopback address and it is ::1
E. If a global address is assigned to an interface, then that is the only allowable address for the interface.

 

Answer: A D

Explanation

Below is the list of common kinds of IPv6 addresses:

Loopback address ::1
Link-local address FE80::/10
Site-local address FEC0::/10
Global address 2000::/3
Multicast address FF00::/8

From the list above, we learn that A and D are correct while B and C are incorrect. Notice that the IPv6 unicast loopback address is equivalent to the IPv4 loopback address, 127.0.0.1. The IPv6 loopback address is 0:0:0:0:0:0:0:1, or ::1.

E is not correct because of anycast addresses, which are indistinguishable from normal unicast addresses. You can think of an anycast address like this: “send it to the nearest one that has this address”. An anycast address can be assigned to many interfaces, and the first interface that receives a packet destined for the anycast address will process the packet. A benefit of anycast addressing is the ability to share load across multiple hosts. For example, if you are a television provider with multiple servers and you want your users to use the server nearest to them, you can use anycast addressing for your servers. When a user initiates a connection to the anycast address, the packet is routed to the nearest server (the user does not have to specify which server they want to use).

Question 33

Which address is the IPv6 all-RIP-routers multicast group address that is used by RIPng as the destination address for RIP updates?

A. FF02::6
B. FF02::9
C. FF05::101
D. FF02::A

 

Answer: B

Question 34

Which value must you configure on a device before EIGRP for IPv6 can start running?

A. public IP address
B. loopback interface
C. router ID
D. process ID

 

Answer: C

Question 35

Which component of an IPv6 OSPFv3 connection must be configured in IPv4 format?

A. Router ID
B. Primary interface
C. Neighbor address
D. Secondary interface

 

Answer: A

Question 36

Which IPv6 address is the equivalent of the IPv4 interface loopback address 127.0.0.1?

A. ::1
B. ::
C. 2000::/3
D. 0::/10

 

Answer: A

Question 37

Which three are characteristics of an IPv6 anycast address? (Choose three)

A. one-to-many communication model
B. one-to-nearest communication model
C. any-to-many communication model
D. a unique IPv6 address for each device in the group
E. the same address for multiple devices in the group
F. delivery of packets to the group interface that is closest to the sending device

 

Answer: B E F

Question 38

You enter the show ipv6 route command on an OSPF device and the device displays a remote route. Which conclusion can you draw about the environment?

A. OSPF is distributing IPv6 routes to BGP.
B. The router is designated as an ABR.
C. The router is designated as totally stubby.
D. OSPFv3 is in use.

 

Answer: D

Question 39

Which command do you enter to permit IPv6 functionality on an EIGRPv3 interface?

A. Router1(config)#ipv6 unicast-routing
B. Router1(config-rf)#ipv6 router eigrp 1
C. Router1(config-if)#ipv6 enable
D. Router1(config-if)#ipv6 eigrp 1

 

Answer: D

Question 40

What are three features of the IPv6 protocol? (Choose three)

A. complicated header
B. plug-and-play
C. no broadcasts
D. checksums
E. optional IPsec
F. autoconfiguration

 

Answer: B C F

Question 41

Which three checks must you perform when troubleshooting EIGRPv6 adjacencies? (Choose three)

A. Verify that IPv6 is enabled.
B. Verify that the network command has been configured.
C. Verify that auto summary is enabled.
D. Verify that the interface is up.
E. Verify that an IPv4 address has been configured.
F. Verify that the router ID has been configured.

 

Answer: A D F

Question 42

Which of these represents an IPv6 link-local address?

A. FE08::280e:611:a:f14f.3d69
B. FE81::280f.512b:e14f:3d69
C. FE80::380e:611a:e14f:3d69
D. FEFE:0345:5f1b::e14d:3d69

 

Answer: C

Explanation

The range of IPv6 link-local addresses (similar to the Windows auto-configuration IP address range 169.254.x.x) is FE80::/10. For more information about IPv6, please read my IPv6 tutorial.

Question 43

Identify the four valid IPv6 addresses. (Choose four)

A. ::
B. ::192:168:0:1
C. 2000::
D. 2001:3452:4952:2837::
E. 2002:c0a8:101::42
F. 2003:dead:beef:4dad:23:46:bb:101

 

Answer: A B E F

Explanation

Answers B, E and F are correct: B and E are the short forms of 0:0:0:0:192:168:0:1 and 2002:c0a8:0101:0:0:0:0:0042, while F is a normal (uncompressed) IPv6 address.

Answer A is correct because “::” is named the “unspecified” address and is typically used in the source field of a datagram that is sent by a device that seeks to have its IP address configured.

Answer C is not correct because a global-unicast IPv6 address starts with binary 001, denoted as 2000::/3 in IPv6, and it is also known as an aggregatable global unicast address. 2000:: (in particular, 2000::/3) is just a prefix and is not a valid host IPv6 address.

In fact answer D is acceptable but it is considered the network portion of an IPv6 address so it is a worse choice than others.

The entire global-unicast IPv6 address range is from 2000::/128 to 3FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF/128, resulting in a total usable space of over 42,535,295,865,117,307,932,921,825,928,971,000,000 addresses, which is only 1/8th of the entire IPv6 address space!

Question 44

Which type of IPv6 ACL is applied first in the order of precedence?

A. TCAM
B. router ACLs
C. Fragmented frames
D. Port ACLs

 

Answer: D

Question 45

Which IPv6 address is valid?

A. 2031:0:130F::9C0:876A:130B
B. 2001:0DB8:0000:130F:0000:0000:08GC:140B
C. 2001:0DB8:0:130H::87C:140B
D. 2031::130F::9C0:876A:130B

 

Answer: A

Explanation

Answer B is not correct because it has a letter “G”.

Answer C is not correct because it has a letter “H”.

Answer D is not correct because it has two “::”.
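The validity rules used across Questions 29, 31, 42, 43 and 45 (hex digits only, groups of one to four digits, at most one “::”, exactly eight groups after expansion, leading zeros optional) and the prefix table from Question 32 can be checked mechanically. The following is an added example written for this page, not code from the original; it is a hand-rolled checker so that every rule is visible, and it also produces the fully compressed form (leading zeros stripped, longest zero run replaced by “::”), which for Question 29 yields the same address as answer C but with the leading zeros of the 0029 group removed:

```python
"""Hand-rolled checks for textual IPv6 addresses, following the rules this page
states.  Added example, not from the original page; the prefix table below is
the one given in Question 32 of this page."""
import re

_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # 1-4 hex digits, leading zeros optional


def expand(addr):
    """Return the eight zero-padded, lower-case groups of addr,
    or None if addr is not a valid textual IPv6 address."""
    if addr.count("::") > 1:                  # only one '::' is allowed (Q45 D)
        return None
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:                       # '::' must stand for at least one group
            return None
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        return None
    if not all(_GROUP.match(g) for g in groups):   # rejects 'G', 'H', empty groups (Q45 B, C)
        return None
    return [g.lower().zfill(4) for g in groups]


def is_valid(addr):
    return expand(addr) is not None


def compress(addr):
    """Canonical short form: strip leading zeros and replace the longest run
    of consecutive zero groups (length >= 2) with '::'."""
    groups = expand(addr)
    if groups is None:
        raise ValueError("not an IPv6 address: %r" % addr)
    short = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                              # find the longest run of "0" groups
        if short[i] == "0":
            j = i
            while j < 8 and short[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return left + "::" + right


def classify(addr):
    """Name the address kind using the prefix table from Question 32."""
    groups = expand(addr)
    if groups is None:
        return "invalid"
    if groups == ["0000"] * 8:
        return "unspecified"                  # ::
    if groups == ["0000"] * 7 + ["0001"]:
        return "loopback"                     # ::1
    first = int(groups[0], 16)
    if first >> 8 == 0xFF:
        return "multicast"                    # FF00::/8
    if first >> 6 == 0x3FA:
        return "link-local"                   # FE80::/10
    if first >> 6 == 0x3FB:
        return "site-local"                   # FEC0::/10
    if first >> 13 == 0b001:
        return "global unicast"               # 2000::/3
    return "other"


if __name__ == "__main__":
    for a in ("2031:0:130F::9C0:876A:130B", "2031::130F::9C0:876A:130B",
              "FE80::380e:611a:e14f:3d69", "::1", "FF02::9"):
        print(a, "->", classify(a))
    print(compress("B514:82C3:0000:0000:0029:EC7A:0000:EC72"))
```

The same functions settle the ambiguous cases in the explanations above: `expand()` shows that answers C and the original address of Question 29 are the same address while answer D is not, and `classify()` reports `2000::` as a (prefix-shaped but syntactically valid) global unicast address, which is why Question 43 treats it as a poor choice rather than an invalid string.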

Question 46

Which step must you perform first to enable OSPFv3 process 20 for IPv6?

A. Enter the ipv6 router ospf 20 command to enable OSPFv3.
B. Enter the ip routing command to enable IPv4 unicast routing.
C. Enter the router ospf 20 commands to enable OSPF.
D. Enter the ipv6 unicast-routing command to enable IPv6 unicast routing.

 

Answer: D

Question 47

Which two are features of IPv6? (Choose two)

A. multicast
B. broadcast
C. allcast
D. podcast
E. anycast

 

Answer: A E

Explanation

Anycast IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces. A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the “nearest” one, according to the routing protocols’ measure of distance).

Question 48

Which BGP command do you enter to allow a device to exchange IPv6 prefixes with its neighbor?

A. neighbor ip-address activate
B. neighbor ip-address remote-as ASN
C. router bgp ASN
D. show ip bgp neighbors

 

Answer: A

Question 49

Which protocol can be used between administrative domains?

A. IS-IS
B. EIGRP
C. BGP
D. OSPF

 

Answer: C

Question 50

Which two statements about eBGP neighbor relationships are true? (Choose two)

A. The two devices must reside in different autonomous systems
B. Neighbors must be specifically declared in the configuration of each device
C. They can be created dynamically after the network statement is configured.
D. The two devices must reside in the same autonomous system
E. The two devices must have matching timer settings

 

Answer: A B

Question 51

What does it take for BGP to establish connection? (Choose two)

A. Enable CDP
B. AS number on local router
C. AS number on remote router
D. IGP
E. EGP

 

Answer: B C

Question 52

A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?

A. Monitor mode
B. High-Security mode
C. Low-impact mode
D. Closed mode

 

Answer: A

Explanation

There are three authentication and authorization modes for 802.1x:
+ Monitor mode
+ Low impact mode
+ High security mode

Monitor mode allows IEEE 802.1X authentication methods to be deployed without any effect on user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.

With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:
+ Which endpoints such as PCs, printers, cameras, and so on, are connecting to your network
+ Where these endpoints connected
+ Whether they are 802.1X capable or not
+ Whether they have valid credentials
+ In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses

Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features enabled, as follows:
sw(config-if)#authentication open
sw(config-if)#authentication host-mode multi-auth

For more information about each mode, please read this article: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Phased_Deploy/Phased_Dep_Guide.html

Question 53

Refer to the exhibit.

R1
interface Loopback0
ip address 172.16.1.33 255.255.255.224
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
router bgp 100
neighbor 192.168.12.2 remote-as 100

Which command do you enter so that R1 advertises the loopback0 interface to the BGP Peers?

A. Network 172.16.1.32 mask 255.255.255.224
B. Network 172.16.1.0 0.0.0.255
C. Network 172.16.1.32 255.255.255.224
D. Network 172.16.1.33 mask 255.255.255.224
E. Network 172.16.1.32 mask 0.0.0.31
F. Network 172.16.1.32 0.0.0.31

 

Answer: A

Question 54

Drag and drop the DHCP snooping terms from the left onto the correct descriptions on the right.

DHCP_Snooping_terms.jpg

Answer:

+ DHCP server: network component that propagates IP addresses to hosts on the network
+ snooping binding database: list of hosts on the network that are unknown to the administrative domain
+ spurious DHCP server: unknown DHCP server within an administrative domain
+ trusted: internal device under the control of the network administrator
+ untrusted: default state of all interfaces

Question 55

Drag and drop the network programmability features from the left onto the correct description on the right.

SDN.jpg

Answer:

+ HTTPS: call to the APIC-EM API from a library
+ JSON: data-structure format that passes parameters for API calls
+ OpenFlow: southbound API
+ RBAC: token-based security mechanism
+ REST: northbound API

Explanation

What is the data format used to send/receive data when making REST calls for APIC-EM?

Javascript Object Notation (JSON) is used to pass parameters when making API calls and is also the returned data format.

What’s RBAC?

The Role-Based Access Controls (RBAC) mechanism utilizes security tokens that the controller issues upon successful authentication of a user of the APIC-EM controller. All subsequent requests from the authenticated user must provide a valid token.

Reference: https://communities.cisco.com/docs/DOC-60530#q16

Question 56

Drag and drop question about the characteristics of a cloud environment.

Cloud_Environment.jpg

Answer:

+ Multitenancy: One or more clients can be hosted with the same physical or virtual infrastructure
+ Scalability: Resources can be added and removed as needed to support current workload and tasks
+ Workload movement: Tasks can be migrated to different physical locations to increase efficiency or reduce cost
+ On-demand: Resources are dedicated only when necessary instead of on a permanent basis
+ Resiliency: Tasks and data residing on a failed server can be seamlessly migrated to other physical resources

Question 57

Which two statements about exterior gateway routing protocols are true? (Choose two)

A. BGP is considered to be a path-vector protocol.
B. They can be used to connect to another AS across the Internet as a virtual instance.
C. eBGP is considered to be a distance-vector protocol.
D. EGP is considered to be a path-vector protocol.
E. They can be used to connect to the Internet

 

Answer: A E

Question 58

Drag and drop the BGP components from the left onto the correct descriptions on the right.

BGP_components.jpg

Answer:

+ autonomous system number: value that identifies an administrative domain
+ BGP speaker: device that is running BGP
+ eBGP peer: neighbor that is located outside the administrative domain of the local device
+ BGP peer: neighbor device that shares the same AS number as the local device
+ prefix: value that is advertised with the network keyword

Question 59

Which routing protocol is most appropriate for sending and receiving routes directly to and from the Internet?

A. RIP
B. BGP
C. EIGRP
D. OSPF

 

Answer: B

Question 60

Drag and drop the descriptions of performing an initial device configuration from the left onto the correct features or components on the right.

Initial_device_configuration.jpg

Answer:

+ feature that allows remote access to the console: VTY line
+ feature that confirms a user is permitted to access the device: password
+ value that enables routing when the device is unable to locate a specific route on the routing table: default gateway
+ value that uniquely identifies the device: hostname
+ encrypted value that is used to confirm a user is permitted to access the device: enable secret password

ICND2v3 – New Questions Part 3

June 1st, 2018 34 comments

=========================New Questions added on 1st-Jun-2018============================

Note: These new questions have not been classified into specific topics so please practice them separately. Also in this page we are testing show/hide answer button.

Question 1

What are three reasons a company needs high speed Internet access? (Choose three)

A. SAN upgrade
B. Large network device IOS upgrades
C. Peer2peer
D. IaaS
E. ?

 

Answer: A D ?

Question 2

How do you configure a voice port?

Answer: Something like this:

Switch(config)#interface fastethernet0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport voice vlan 20

Question 3

What command do you look to see native VLAN?

A. show interfaces
B. show interface trunk
C. show ip interface brief

 

Answer: B

Question 4

What are the three things that can cause congestion? (Choose three)

A. Broadcast
B. defective hardware
C. Collision domains
D. ?

 

Answer: A C ?

Question 5

What are the results of a saturated tunnel?

Answer: Load is 255

Explanation

Load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 minutes.

Question 6

Which utility can you use to identify redundant or shadow rules?

A. The ACL trace tool in Cisco APIC-EM.
B. The ACL analysis tool in Cisco APIC-EM.
C. The Cisco APIC-EM automation scheduler.
D. The Cisco IWAN application.

 

Answer: B

Explanation

Cisco APIC-EM supports the following policy analysis features:
+ Inspection, interrogation, and analysis of network access control policies.
+ Ability to trace application specific paths between end devices to quickly identify ACLs in use and problem areas.
+ Enables ACL change management with easy identification of conflicts and shadows -> Maybe B is the most suitable answer.

Reference: http://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-2-x/config-guide/b_apic-em_config_guide_v_1-2-x/b_apic-em_config_guide_v_1-2-x_chapter_01000.pdf

The ACL trace tool can only help us to identify which ACL on which router is blocking or allowing traffic. It cannot help identify redundant/shadow rules.

Note:

Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) is a Cisco Software Defined Networking (SDN) controller, which uses open APIs for policy-based management and security through a single controller, abstracting the network and making network services simpler. APIC-EM provides centralized automation of policy-based application profiles.

Reference: CCNA Routing and Switching Complete Study Guide

Cisco Intelligent WAN (IWAN) application simplifies the provisioning of IWAN network profiles with simple business policies. The IWAN application defines business-level preferences by application or groups of applications in terms of the preferred path for hybrid WAN links. Doing so improves the application experience over any connection and saves telecom costs by leveraging cheaper WAN links.

Shadow rules are rules that are never matched (usually because an earlier rule already matches all of their traffic). For example, consider these two access-list statements:

access-list 100 permit ip any any
access-list 100 deny tcp host A host B

The second access-list statement would never be matched because all traffic has already been permitted by the first statement. In this case we say that statement 1 shadows statement 2.
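The shadowing check above can be automated for the common extended-ACL form. Below is an added example written for this page, not code from the original or from Cisco APIC-EM: it parses `access-list <n> {permit|deny} {ip|tcp|udp|icmp} <src> <dst>` lines (addresses as `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`; the sample ACL is constructed) and reports every entry that a single earlier entry in the same list fully covers. An entry hidden only by the union of several earlier entries is not reported, which is the main thing a real analysis tool adds on top of this.

```python
"""Find ACL entries that can never match because one earlier entry in the same
numbered list already covers all of their traffic ("shadow rules").
Added example for this page, not code from the original or from any Cisco tool.
Supported syntax (a subset of IOS extended ACLs):
    access-list <n> {permit|deny} {ip|tcp|udp|icmp} <src> <dst>
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
Only single-entry shadowing is detected."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    line: int
    acl: str
    action: str
    proto: str
    src: tuple   # (base, wildcard) as 32-bit ints
    dst: tuple


def _parse_addr(tokens):
    """Consume one address spec from tokens; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]


def parse_acl(text):
    """Parse access-list lines into Ace records; other lines are ignored."""
    aces = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        acl, action, proto = t[1], t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        aces.append(Ace(lineno, acl, action, proto, src, dst))
    return aces


def _covers(outer, inner):
    """True if the wildcard set `outer` contains every address of `inner`.
    A wildcard bit of 1 means 'don't care'; 0 means 'must match base'."""
    ob, ow = outer
    ib, iw = inner
    fixed = ~ow & 0xFFFFFFFF          # bits outer requires to match exactly
    if fixed & iw:                    # inner leaves free a bit that outer fixes
        return False
    return (ob & fixed) == (ib & fixed)


def shadows(a, b):
    """True if ACE a (earlier in the list) makes ACE b unreachable."""
    return (a.acl == b.acl
            and (a.proto == "ip" or a.proto == b.proto)
            and _covers(a.src, b.src)
            and _covers(a.dst, b.dst))


def find_shadowed(aces):
    """Return [(shadowed_line, shadowing_line), ...] in list order."""
    out = []
    for i, b in enumerate(aces):
        for a in aces[:i]:
            if shadows(a, b):
                out.append((b.line, a.line))
                break
    return out


# Constructed sample: ACL 100 is the page's example with concrete hosts;
# ACL 110 adds a partially overlapping and a non-shadowed entry.
SAMPLE = """\
access-list 100 permit ip any any
access-list 100 deny tcp host 10.1.1.5 host 10.2.2.9
access-list 110 deny tcp host 10.1.1.5 any
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any
access-list 110 permit tcp host 10.1.1.5 host 10.2.2.9
access-list 110 permit udp any any
access-list 110 deny ip 10.1.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for shadowed, by in find_shadowed(parse_acl(SAMPLE)):
        print("line %d is shadowed by line %d" % (shadowed, by))
```

Line 4 of the sample (the whole /24) is not reported even though line 3 matches one host inside it, because a single host entry does not cover the full subnet; line 7 is not reported because `ip` also matches ICMP and other protocols that none of the earlier `tcp`/`udp` entries cover.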

Question 7

Which two (or three) are effects of local spanning tree? (Choose two)

A. Doubles the load
B. Doubles internal switch traffic
C. Prevents span destination
D. ?

 

Answer: unknown

Question 8

What is true about the default VLAN?

A. It is VLAN 1
B. It is always the same as Native VLAN

 

Answer: A

Question 9

Which command shows information about neighbors in OSPFv3?

A. show ipv6 ospf neighbors
B. show ipv6 interface brief

 

Answer: A

Question 10

Which two actions must you take to configure a LACP between two switches, S1 and S2? (Choose two)

A. Configure mode auto command on S1.
B. Configure mode passive command on S1.
C. Configure mode desirable command on S1.
D. Configure mode auto command on S2.
E. Configure mode desirable command on S2.
F. Configure mode active command on S2.

 

Answer: B F

Question 11

How can QoS be implemented?

A. Only outbound
B. Only inbound
C. Inbound and outbound

 

Answer: C

Explanation

On the inbound path, a packet is classified before it is switched. On the outbound path, a packet is classified after it is switched.

At the inbound direction, QoS can do:
+ Input marking (class-based marking or Committed Access Rate (CAR))
+ Input policing (through a class-based policer or CAR)

At the outbound direction, QoS can do:
+ Output marking
+ Output policing (through a class-based policer or CAR)
+ Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)), and Weighted Random Early Detection (WRED)

Reference: https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-packet-marking/22141-qos-orderofop-3.html

Question 12

What do you need to reduce GRE fragmentation (Choose two)?

A. MTU 1360
B. MSS 1360
C. MTU 1400
D. MSS 1400
E. MTU 1500

 

Answer: B C

Question 13

In OSPF or EIGRP, which of the following IPs will be chosen as the router ID?

A. 192.168.x.x
B. 172.x.x.x
C. 172.x.x.x
D. 172.x.x.x

 

Answer: A

Question 14

How can you see the PPP authentication?

A. show running-config
B. show interface
C. show ip interface

 

Answer: A

Question 15

Which is the first step to configure OSPFv3 area 1?

A. (config)#ipv6 unicast-routing
B. (config)#router ospf ipv6 1

 

Answer: A

Question 16

A topology of hosts named X and Y connected to a switch, and the switch connected to a router as well. No other information (IP addresses, protocols, etc.; nothing but the diagram). Host X cannot communicate with Host Y. Why?

A. Host X has a broadcast IP address configured.
B. Host X has an invalid subnet mask.
C. Host Y has a network ID address configured.
D. Host Y has invalid IP and invalid subnet mask.

 

Answer: B

============================ New Questions added on 14th-July-2018 ============================

Question 17

A question about SVI and how to troubleshoot them (Choose three)

A. ASIC
B. Frame Size
C. IP routing
D. Encapsulation
E. Interfaces
F. ?

 

Answer: C D E

Question 18

When you use cloud services which service is more “exposed” to the cloud?

A. Desktop as a Service
B. Software as a Service
C. Infrastructure as a Service
D. Platform as a Service

 

Answer: B

Question 19

Question about Dynamic VPN? (choose three)

A. It can auto create IPSec tunnels
B. It allows dynamic addressing…
C. It does not need additional configuration on the hub for new spokes
D. It allows partial mesh topology

 

Answer: B C D

Question 20

Question for SNMPv3 what does this do? (choose two)

R1# snmp-server host 1.1.1.1 trap v3 auth md5 cisco

A. Sets the R1 password to cisco
B. Configures host 1.1.1.1 to receive informs
C. Configures host 1.1.1.1 to send informs
D. Configures host 1.1.1.1 to receive traps
E. Sets the host 1.1.1.1 password to cisco

 

Answer: D and A (although answer A is a bit unclear)

Explanation

The syntax of above command is shown below:

snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [udp-port port]

This command specifies the recipient of an SNMP notification (trap or inform) operation.

+ For host-addr, specify the name or Internet address of the host (the targeted recipient).
+ (Optional) Enter informs to send SNMP informs to the host.
+ (Optional) Enter traps (the default) to send SNMP traps to the host.
+ (Optional) Specify the SNMP version (1, 2c, or 3). Default is version 1. SNMPv1 does not support informs.
+ (Optional) For Version 3, select authentication level auth, noauth, or priv.
Note: The priv keyword is available only when the cryptographic software image is installed.

+ For community-string, when version 1 or version 2c is specified, enter the password-like community string sent with the notification operation. When version 3 is specified, enter the SNMPv3 username.
+ (Optional) For port, specify the UDP port of the notification host. Default is port 162.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/ir910/software/release/1_1/configuration/guide/ir910scg/swsnmp.pdf

Question 21

What are the differences between link state vs vector routing protocols? (Choose two)

A. Vector routing protocols are faster than link state protocols
B. Link state protocols are faster than vector routing protocols
C. Vector routing protocols take up more memory than link state protocols
D. Link state protocols take up more memory than vector routing protocols

 

Answer: B D

============================ New Questions added on 18th-Oct-2018 ============================

Question 22

Drag drop question.

Native vlan – Untagged

802.1Q – Trunk

Question 23

Drag drop question about TACACS+ and RADIUS.

Answer:

TACACS+ server:
Encrypts entire packet
Port 49
TCP

RADIUS Server:
Encrypts only password
Port 1812, 1813; 1645,1646
UDP

New ICND2v3 Questions – Part 2

February 24th, 2018 85 comments

=========================New Questions added on 24th-Feb-2018============================

Premium Members: You can practice these questions with our quizzes first here.

Question 1

What two options are causes of network slowness that can result from inter-VLAN routing problem? (Choose two)

A. Root guard disabled on an etherchannel
B. Packet Loss
C. DTP disabled on a switchport
D. BPDU guard enabled on a switchport
E. Hardware forwarding issues

 

Answer: B E

Explanation

Causes for Network Slowness
Packet Loss

In most cases, a network is considered slow when higher-layer protocols (applications) require extended time to complete an operation that typically runs faster. That slowness is caused by the loss of some packets on the network, which causes higher-level protocols like TCP or applications to time out and initiate retransmission.

Hardware Forwarding Issues

With another type of slowness, caused by network equipment, forwarding (whether Layer 2 [L2] or L3) is performed slowly. This is due to a deviation from normal (designed) operation and switching to slow path forwarding. An example of this is when Multilayer Switching (MLS) on the switch forwards L3 packets between VLANs in the hardware, but due to misconfiguration, MLS is not functioning properly and forwarding is done by the router in the software (which drops the interVLAN forwarding rate significantly).

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/virtual-lans-vlan-trunking-protocol-vlans-vtp/23637-slow-int-vlan-connect.html#network_slow

Question 2

Which two commands debug a PPPoE connection that has failed to establish? (Choose two)

A. debug ppp compression
B. debug ppp negotiation
C. debug dialer events
D. debug ppp cbcp
E. debug dialer packet

 

Answer: B E

Explanation

According to this link https://supportforums.cisco.com/t5/network-infrastructure-documents/troubleshooting-for-pppoe-connection-failure-part-1/ta-p/3147204

The following debug commands can be used to troubleshoot a PPPoE connection that has failed:

+ debug ppp authentication
+ debug ppp negotiation
+ debug pppoe event

The debug ppp negotiation command enables you to view the PPP negotiation transactions, identify the problem or stage when the error occurs, and develop a resolution.

We are not sure about the “debug dialer packet” command but it seems to be the most reasonable answer left.

Question 3

Which command do you enter to determine whether LACP is in use on a device?

A. Show port-channel summary
B. Show etherchannel summary

 

Answer: B

Explanation

In fact both of the answers are correct, so maybe there is something wrong with this question. But we choose “show etherchannel summary” as it is the more popular command.

Question 4

Which three commands do you use to verify that IPsec over a GRE tunnel is working properly? (Choose three)

A. clear crpto iskamp
B. ppp encrypt mppe auto
C. show crypto engine connections active
D. show crypto ipsec sa
E. show crypto isakmp sa
F. debug crypto isakmp

 

Answer: D E F

Question 5 (posted at Q.48 of https://www.9tut.net/new-updated-questions/new-icnd2v3-questions)

Which two types of cloud services may require you to alter the design of your network infrastructure? (Choose two)

A. Sudo as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. Software as a Service
E. Business as a Service

 

Answer: B C

Explanation

Reference: https://www.cisco.com/en/US/services/ps2961/ps10364/ps10370/ps11104/need-for-cloud-services-catalog_whitepaper.pdf

+ SaaS (Software as a Service): SaaS uses the web to deliver applications that are managed by a third-party vendor and whose interface is accessed on the client side. Most SaaS applications can be run directly from a web browser without any downloads or installations required, although some require plugins. In other words, SaaS applications are designed for end users and delivered over the web.
+ PaaS (Platform as a Service): PaaS is used for application development and other development work, providing cloud components to software. What developers gain with PaaS is a framework they can build upon to develop or customize applications. PaaS makes the development, testing, and deployment of applications quick, simple, and cost-effective. With this technology, enterprise operations or a third-party provider can manage OSes, virtualization, servers, storage, networking, and the PaaS software itself. Developers, however, manage the applications. In other words, PaaS is a set of tools and services designed to make coding and deploying applications quick and efficient.
+ IaaS (Infrastructure as a Service): self-service models for accessing, monitoring, and managing remote datacenter infrastructure, such as compute (virtualized or bare metal), storage, networking, and networking services (e.g. firewalls). Instead of having to purchase hardware outright, users can purchase IaaS based on consumption, similar to electricity or other utility billing. In other words, IaaS is the hardware and software (servers, storage, networks, operating systems) that powers PaaS and SaaS.

Cloud_Computing_SaaS_PaaS_IaaS.jpg

Only the two lower-layer services (IaaS, PaaS) may require us to alter the design of the network infrastructure.

Question 6

Which purpose of the network command in the BGP configuration of a router is true?

A. It enables route advertisement in the BGP routing process on the router
B. It advertises any route in BGP with no additional configuration
C. It advertises a valid network as local to the autonomous system of a router
D. It indicates whether a neighbor supports route refresh

 

Answer: C

Question 7

Through which three states does a BGP routing process pass when it establishes a peering session?

A. open receive
B. inactive
C. active
D. connected
E. open sent
F. idle

 

Answer: C E F

Explanation

BGP forms a TCP session with neighbor routers called peers. The BGP session may report in the following states:

+ Idle
+ Connect
+ Active
+ OpenSent
+ OpenConfirm
+ Established

Reference: http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4

Question 8

Which encryption method does CHAP authentication use for the peer response?

A. EAP
B. MD5
C. DES
D. DSS
E. AES
F. 3DES

 

Answer: B

Question 9

Which two characteristics of stacked switches are true? (Choose two)

A. They reduce management complexity
B. They are less scalable than modular switches
C. They can manage multiple ip addresses across multiple switches
D. They have a single management interface
E. Each unit in the stack can be assigned its own IP address

 

Answer: A D

Question 10

Which option describes a drawback of proxy ARP?

A. It overwrites MAC addresses
B. It can make it more difficult for the administrator to locate device misconfigurations
C. It dynamically establishes a layer 2 tunneling protocol, which increases network overhead
D. If proxy ARP is configured on multiple devices, the internal L2 network may become vulnerable to DDOS

 

Answer: D

Question 11

Which layer 2 attack is specifically mitigated by changing the native VLAN to an unused VLAN?

A. Double tagging
B. DHCP spoofing
C. VLAN spoofing
D. switch hopping

 

Answer: A

Explanation

Let us learn about the double-tagging attack.

Double_Tagging.jpg

In a double-tagging attack, the attacking computer generates frames with two 802.1Q tags. The outer tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the inner tag matches the VLAN of the host it wants to attack (VLAN 20).

When the frame from the attacker reaches Switch A, Switch A only sees the outer tag (VLAN 10). Because it matches the trunk's native VLAN 10, this tag is removed, and Switch A forwards the frame untagged out all trunk links with the same native VLAN 10, as it does for any native VLAN traffic. Switch B receives the frame with a single tag of VLAN 20, so it removes this tag and forwards the frame to the victim computer in VLAN 20.

Note: This attack only works if the trunk (between the two switches) has the same native VLAN as the attacker's access VLAN.

According to this link http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10

“The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports. In fact, it is considered a security best practice to use a fixed VLAN that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.” -> Answer A is correct.
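To see why an unused native VLAN closes this path, here is an added Python model (not from the cited article or from any Cisco code) of the frame handling described above. It assumes two switches joined by one 802.1Q trunk, an attacker on an access port in VLAN 10 and a victim in VLAN 20; the helper names, the sample MAC addresses and the payload are this example's own, and the access port is modelled as accepting a frame tagged with its own VLAN.

```python
"""Model of how an 802.1Q double-tagged frame crosses an access port, a trunk and a
second switch, and why an unused native VLAN on the trunk stops the VLAN hop.
Constructed scenario: attacker in access VLAN 10, victim in VLAN 20."""
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


def build_frame(dst, src, vlans, ethertype, payload):
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack('!HH', TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return hdr + struct.pack('!H', ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [VLAN ids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while len(frame) >= off + 4 and struct.unpack('!H', frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack('!H', frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    if len(frame) < off + 2:
        raise ValueError('truncated frame')
    ethertype = struct.unpack('!H', frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def strip_outer_tag(frame):
    """Remove the outermost tag: the 4 bytes that follow the two MAC addresses."""
    return frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Switch A, access port: untagged frames and frames tagged with the port's own VLAN
    are accepted (tag removed); any other tag is dropped. Returns (vlan, frame) or None."""
    vids = parse_frame(frame)[2]
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None


def trunk_egress(vlan, frame, native_vlan):
    """Switch A, trunk port: native VLAN traffic leaves untagged; any other VLAN gets one
    tag pushed on top of whatever the frame already carries."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack('!HH', TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Switch B, trunk port: the outermost tag selects the VLAN; untagged means native."""
    vids = parse_frame(frame)[2]
    if vids:
        return vids[0], strip_outer_tag(frame)
    return native_vlan, frame


def deliver(access_vlan, native_vlan, target_vlan):
    """VLAN in which Switch B forwards a double-tagged frame sent by an access-port host."""
    frame = build_frame(b'\xff' * 6, b'\x00\x11\x22\x33\x44\x55',   # constructed MACs
                        [access_vlan, target_vlan], 0x0800, b'constructed payload')
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    vlan, frame = accepted
    return trunk_ingress(trunk_egress(vlan, frame, native_vlan), native_vlan)[0]


def native_vlan_is_safe(native_vlan, user_vlans):
    """The Cisco Press guidance quoted above: the trunk native VLAN must be no user VLAN."""
    return native_vlan not in set(user_vlans)


if __name__ == '__main__':
    print('native VLAN 10 :', deliver(10, 10, 20))   # 20: the frame hops into VLAN 20
    print('native VLAN 999:', deliver(10, 999, 20))  # 10: it stays in the attacker's VLAN
```

With the trunk's native VLAN equal to the attacker's access VLAN, Switch A sends the frame untagged and Switch B honours the surviving inner tag; with an unused native VLAN, Switch A pushes a VLAN 10 tag on top, so Switch B assigns the frame to VLAN 10 and the inner tag never becomes the outer one. `native_vlan_is_safe` is the configuration check that corresponds to the quoted best practice.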

Question 12

Which feature or value must be configured to enable EIGRPv6?

A. Network statement
B. Shutdown feature
C. Router ID
D. Remote AS

 

Answer: C

Question 13

Which command do you enter to enable local authentication for MPPP on an interface?

A. l2tp authentication
B. username router password x1
C. ppp chap password password1
D. aaa authentication ppp default local

 

Answer: C

Explanation

Multilink PPP (also referred to as MP, MPPP, MLP, or Multilink) provides a method for spreading traffic across multiple physical WAN links while providing packet fragmentation and reassembly, proper sequencing, multivendor interoperability, and load balancing on inbound and outbound traffic.

Reference: https://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/10239-mppp-ddr.html

The command “aaa authentication ppp default local” is used to specify the local username database as the default method for user authentication but this command is configured under global configuration mode only, not on an interface.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html

The command “username router password x1” is used under global configuration mode too.

So maybe the “ppp chap password…” command is the best choice here.

Question 14

Which options are the two differences between HSRP V1 and V2? (Choose two)

A. Only HSRPv2 can be configured to use authentication
B. Only HSRPv2 sends hello packets to 224.0.0.2
C. Only HSRPv1 sends hello packets to FF02:66
D. Only HSRPv1 can be configured with a group number of 4095
E. Only HSRPv2 can be configured with a group number of 4095
F. Only HSRPv2 sends hello packets to 224.0.0.102

 

Answer: E F

Explanation

In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095 -> E is correct.

HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the multicast address of 224.0.0.2, which is used by version 1 -> F is correct.

Question 15

For which reason can a GRE tunnel have an up/down status?

A. the tunnel source interface is up
B. a tunnel destination is undefined
C. the tunnel destination is routable via a route that is separate from the tunnel
D. tunnel has been shut down

 

Answer: B

Explanation

Normally, a P2P GRE Tunnel interface comes up as soon as it is configured with a valid tunnel source address or interface which is up and a tunnel destination IP address which is routable -> B is correct.

Question 16

Which utility do you use to view IP traffic that is switched through the router to locate errors in a TCP stream?

A. wireshark
B. packet debugging
C. ethereal
D. ping
E. traceroute

 

Answer: B

Explanation

Cisco routers provide a basic method of viewing IP traffic switched through the router called packet debugging. Packet debugging enables a user to determine whether traffic is travelling along an expected path in the network or whether there are errors in a particular TCP stream. Although in some cases packet debugging can eliminate the need for a packet analyzer, it should not be considered a replacement for this important tool.

Reference: https://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1907.html

Question 17

Which command do you enter so that a port enters the forwarding state immediately when a PC is connected to it ?

A. spanning-tree portfast bpduguard default
B. spanning-tree portfast default
C. spanning-tree portfast trunk
D. no spanning-tree portfast

 

Answer: B

Explanation

If there is a “spanning-tree portfast” answer then it will surely be a correct answer. If not then answer B is the most suitable one even though the “spanning-tree portfast default” command enables PortFast globally on all non-trunking ports, not a single port.

Question 18

Which term represents the minimum bandwidth provided in a metro Ethernet connection?

A. UNI
B. CIR
C. EVC
D. PIR

 

Answer: B

Explanation

Committed information rate (CIR): The minimum guaranteed data transfer rate agreed to by the routing device.

Question 19

Which three effects of using local span are true? (Choose three)

A. It doubles the load on the forwarding engine
B. It prevents span destination from using port security
C. It doubles internal switch traffic
D. It reduces the supervisor engine
E. It reduces the load on the switch fabric

 

Answer: A B C

Question 20

Which three fields can be marked with QoS? (Choose three)

A. Header checksum
B. IP precedence
C. DSCP
D. total length
E. discard class
F. TTL

 

Answer: B C E

Explanation

For a single class, you can set operations on any two out of the following five fields: CoS, IP Precedence, DSCP, QoS Group, and Discard Class.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_4/qos/configuration/guide/n1000v_qos/n1000v_qos_3marking.pdf

Question 21

Which two values are needed to run the APIC-EM ACL analysis tool?

A. Destination port
B. Source address
C. Protocol
D. Source port
E. Periodic refresh interval
F. Destination address

 

 

Answer: B F

Explanation

We must type the source and destination addresses. Other parameters are just optional.

APIC-EM_Path_Trace_Analysis_Tool.jpg

Question 22

In which two models can control plane functionality be implemented? (Choose two)

A. Dispersed
B. Distributed
C. Fragmented
D. Centralized
E. Allocated

 

Answer: B D

Explanation

Control Plane Function

In its simplest form, the control plane provides layer-2 MAC reachability and layer-3 routing information to network devices that require this information to make packet forwarding decisions. In the case of firewalls, the control plane would include stateful flow information for inspection. Control plane functionality can be implemented as follows:

+ Distributed – Conventional routers and switches operate using distributed protocols for control, i.e. where each device makes its own decisions about what to do, and communicates relevant information to other devices for input into their decision-making process. For example, the Spanning Tree Protocol (STP), Fabric Path, and routing protocols such as IS-IS and BGP provide distributed control of packet forwarding functionality to networking devices.

+ Centralized – In this case, a centralized controller provides the necessary information for a network element to make a decision. For example, these controller(s) instruct networking devices on where to forward packets by explicitly programming their MAC and FIBs.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/SDN/SDN.html#wp1440878

Question 23

Which PPPoE authentication method is the least secure?

A. CHAP
B. PAP

 

Answer: B

Question 24

What do you need to reduce when using a GRE tunnel? (Choose two)

A. PMTUD
B. MSS
C. MTU

 

Answer: B C

Question 25

Which choices provide congestion management in QoS? (Choose three)

 

Answer: FIFO CBWFQ PQ

Or

Which two QoS tools can provide congestion management? (Choose two)

A. CBWFQ
B. FRTS
C. CAR
D. PQ
E. PBR

 

Answer: A D

Explanation

This module discusses the types of queueing and queueing-related features (such as bandwidth management) which constitute the congestion management QoS features:

Class-based WFQ (CBWFQ): extends the standard WFQ functionality to provide support for user-defined traffic classes. For CBWFQ, you define traffic classes based on match criteria including protocols, access control lists (ACLs), and input interfaces. Packets satisfying the match criteria for a class constitute the traffic for that class.

Priority queueing (PQ): With PQ, packets belonging to one priority class of traffic are sent before all lower priority traffic to ensure timely delivery of those packets.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_conmgt/configuration/xe-3s/qos-conmgt-xe-3s-book/qos-conmgt-oview.html

Note: Committed Access Rate (CAR) is only used for bandwidth limitation by dropping excessive traffic.

Question 26

Which three protocols can you use with APIC-EM path trace? (Choose three)

 

Answer: ECMP SNMP SMTP

Question 27

Drag the term on the left to its definition on the right (not all options are used)

some_rules.jpg

 

Answer:

+ poison reverse: A router learns from its neighbor that a route is down and the router sends an update back to the neighbor with an infinite metric to that route
+ LSA: The packets flooded when a topology change occurs, causing network routers to update their topological databases and recalculate routes
+ split horizon: This prevents sending information about a route back out the same interface that originally learned about the route
+ holddown timer: For a given period, this causes the router to ignore any updates with poorer metrics to a lost network

Question 28

Which three effects of using local span are true? (Choose three)

A. It doubles the load on the forwarding engine
B. It prevents span destination from using port security
C. It doubles internal switch traffic
D. It reduces the supervisor engine
E. It reduces the load on the switch fabric

 

Answer: A B C

=========================New Questions added on 29th-Mar-2018============================

Question 29

Which component of the Cisco SDN solution serves as the centralized management system?

A. Cisco OpenDaylight
B. Cisco ACI
C. Cisco APIC
D. Cisco IWAN

 

Answer: C

Explanation

Cisco Application Policy Infrastructure Controller (APIC)
The infrastructure controller is the main architectural component of the Cisco ACI solution. It is the unified point of automation and management for the Cisco ACI fabric, policy enforcement, and health monitoring. The APIC appliance is a centralized, clustered controller that optimizes performance and unifies operation of physical and virtual environments. The controller manages and operates a scalable multitenant Cisco ACI fabric.

Reference: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/application-policy-infrastructure-controller-apic/datasheet-c78-732414.html

Question 30

Which modes are in PAgP? (Choose two)

A. Auto
B. Desirable
C. Active
D. Passive
E. On

 

Answer: A B

Explanation

There are two PAgP modes:

+ Auto: Responds to PAgP messages but does not aggressively negotiate a PAgP EtherChannel. A channel is formed only if the port on the other end is set to Desirable. This is the default mode.
+ Desirable: Port actively negotiates channeling status with the interface on the other end of the link. A channel is formed if the other side is Auto or Desirable.

The table below lists if an EtherChannel will be formed or not for each PAgP mode combination:

PAgP       | Desirable | Auto
Desirable  | Yes       | Yes
Auto       | Yes       | No

Question 31

Which LACP mode sends an offer to the connected device?

A. active
B. passive
C. desirable
D. auto

 

Answer: A

Question 32

Which feature can prevent a switch from becoming the Root Bridge?

A. VTP
B. DTP
C. Root Guard
D. BPDU Guard filter

 

Answer: C

Question 33

What does this monitor session command mean?

monitor session 16 source interface Gi0/11

A. source monitoring session – unidirectional
B. destination monitoring session – bidirectional
C. source monitoring session – bidirectional

 

Answer: C

Question 34

Which IPv6 ACL rules are applied first?

A. ACL port filter
B. ACL router filter
C. ?
D. ?

 

Answer: A

=========================New Questions added on 8th-May-2018============================

Question 35

Drag and drop question about southbound and northbound APIs.

Northbound_Southbound_APIs.jpg

Answer:

Northbound interface:
+ RESTful
+ Ad hoc
+ File Systems

Southbound interface:
+ OpFlex
+ OpenFlow

Explanation

Cisco OpFlex is a southbound protocol in a software-defined network (SDN) designed to facilitate the communications between the SDN Controller and the infrastructure (switches and routers). The goal is to create a standard that enables policies to be applied across physical and virtual switches/routers in a multi-vendor environment.

Question 36

Which command will you use to show the snmp version and collection of users?

Answer: show snmp group

Explanation

To display the names of configured SNMP groups, the security model being used, the status of the different views, and the storage type of each group, use the show snmp group command in privileged EXEC mode.

=========================New Questions added on 15th-May-2018============================

Question 37

Drag and drop the BGP states from the left to the matching definitions on the right.

BGP_States.jpg

Answer:

+ OpenSent: wait for an OPEN message
+ OpenConfirm: wait for a KEEPALIVE or NOTIFICATION message
+ Established: UPDATE, NOTIFICATION and KEEPALIVE messages are exchanged with peers
+ Idle: refuse connections
+ Active: listen for and accept connection
+ Connect: wait for the connection to be completed

Explanation

The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm -> Established

+ Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor relationship has been administratively shut down.
+ Connect: BGP is waiting for the TCP three-way handshake to complete.
+ Active: BGP tries another TCP handshake to establish a connection with the remote BGP neighbor. If it is successful, it will move to the OpenSent state. If the ConnectRetry timer expires then it will move back to the Connect state. Note: Active is not a good state.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.

Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3
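The sequence above can be traced with a small state machine. The following is an added Python example (not from the cited article, and not IOS code) that encodes the six states and the transitions between them after RFC 4271; the event names such as `tcp_failed` and `connect_retry_expired` are this example's own labels, not IOS debug output.

```python
"""Simplified BGP neighbor finite-state machine covering the six states listed above:
Idle, Connect, Active, OpenSent, OpenConfirm, Established. Added example modelled on
RFC 4271; the event names are this example's own, not IOS debug output."""

# (current state, event) -> next state. Pairs not listed leave the state unchanged.
TRANSITIONS = {
    ('Idle', 'start'): 'Connect',                      # neighbor configured or cleared
    ('Connect', 'tcp_connected'): 'OpenSent',          # TCP handshake done, OPEN sent
    ('Connect', 'tcp_failed'): 'Active',               # keep trying from Active
    ('Connect', 'connect_retry_expired'): 'Connect',   # retry the TCP connection
    ('Active', 'tcp_connected'): 'OpenSent',
    ('Active', 'connect_retry_expired'): 'Connect',    # Connect <-> Active flapping
    ('OpenSent', 'open_received'): 'OpenConfirm',      # valid OPEN from the peer
    ('OpenConfirm', 'keepalive_received'): 'Established',
}

# A NOTIFICATION or a torn-down TCP session returns the peer to Idle from any state.
RESET_EVENTS = {'notification_received', 'tcp_closed', 'stop'}


class BgpSession:
    def __init__(self):
        self.state = 'Idle'
        self.history = ['Idle']

    def handle(self, event):
        """Apply one event and return the resulting state."""
        if event in RESET_EVENTS:
            self.state = 'Idle'
        else:
            self.state = TRANSITIONS.get((self.state, event), self.state)
        self.history.append(self.state)
        return self.state


def run(events):
    """Feed a list of events to a fresh session and return the states visited."""
    session = BgpSession()
    for event in events:
        session.handle(event)
    return session.history


def healthy_peering():
    """The normal path to Established shown in the list above."""
    return run(['start', 'tcp_connected', 'open_received', 'keepalive_received'])


def unreachable_peer():
    """TCP never completes: the session bounces between Connect and Active, which is why
    a neighbor that never comes up is shown as Active in 'show ip bgp summary'."""
    return run(['start', 'tcp_failed', 'connect_retry_expired', 'tcp_failed'])


def open_rejected():
    """A NOTIFICATION (for example on an AS number mismatch) resets the peer to Idle."""
    return run(['start', 'tcp_connected', 'notification_received'])


if __name__ == '__main__':
    print(' -> '.join(healthy_peering()))
    print(' -> '.join(unreachable_peer()))
    print(' -> '.join(open_rejected()))
```

`unreachable_peer` is the case the note above warns about: Active is not a good state, because the router is still trying to open the TCP session and no OPEN has been exchanged yet.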

Question 38

Which three HSRP multicast messages are sent between the devices? (Choose three)

A. Ping
B. Hello
C. Coup
D. Resign

 

Answer: B C D

Explanation

With HSRP, three types of multicast messages are sent between the devices:

+ Hello – The hello message is sent between the active and standby devices (by default, every 3 seconds). If the standby device does not hear from the active device (via a hello message) in about 10 seconds, it will take over the active role.
+ Resign – The resign message is sent by the active HSRP device when it is getting ready to go offline or relinquish the active role for some other reason. This message tells the standby router to be ready and take over the active role.
+ Coup – The coup message is used when a standby router wants to assume the active role (preemption).

Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=2141271
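The three message types are carried in the opcode byte of each HSRP packet. The following added Python example (not from the referenced article or from Cisco) builds and decodes HSRP version 1 packets as laid out in RFC 2281 (UDP port 1985, destination 224.0.0.2) and shows a defender's check over a constructed sequence of packets: a Coup, or an Active Hello with a higher priority than the router that is supposed to own the group, is exactly the traffic that announces a gateway takeover. The group number, priority and virtual IP reuse the values from Question 40 further down the page; the packets themselves are constructed here.

```python
"""Encoder/decoder for HSRP version 1 (RFC 2281) plus a takeover check.
Added example; the sample packets below are constructed, not captured."""
import ipaddress
import struct

OPCODES = {0: 'Hello', 1: 'Coup', 2: 'Resign'}
STATES = {0: 'Initial', 1: 'Learn', 2: 'Listen', 4: 'Speak', 8: 'Standby', 16: 'Active'}
HSRP_V1_FMT = '!BBBBBBBB8s4s'   # 20-byte fixed format, version byte is 0 for v1


def build_hsrp_v1(opcode, state, priority, group, virtual_ip, auth=b'cisco',
                  hellotime=3, holdtime=10):
    """Pack one v1 packet; the 8-byte authentication field is zero padded ('cisco' default)."""
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hellotime, holdtime, priority,
                       group, 0, auth.ljust(8, b'\0'),
                       ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp_v1(data):
    """Decode the fixed header into a dict with symbolic opcode and state names."""
    if len(data) < struct.calcsize(HSRP_V1_FMT):
        raise ValueError('truncated HSRP packet')
    (version, opcode, state, hellotime, holdtime, priority, group, _reserved,
     auth, vip) = struct.unpack(HSRP_V1_FMT, data[:20])
    if version != 0:
        raise ValueError('not an HSRP version 1 packet (version byte %d)' % version)
    return {
        'opcode': OPCODES.get(opcode, 'unknown(%d)' % opcode),
        'state': STATES.get(state, 'unknown(%d)' % state),
        'hellotime': hellotime, 'holdtime': holdtime,
        'priority': priority, 'group': group,
        'auth': auth.rstrip(b'\0').decode('ascii', 'replace'),
        'virtual_ip': str(ipaddress.IPv4Address(vip)),
    }


def sample_packets():
    """Constructed sequence: the active router's Hello (priority 150, group 1), a Coup
    from a second device claiming priority 255, then the old active router resigning."""
    return [
        build_hsrp_v1(0, 16, 150, 1, '10.10.0.20'),   # Hello, state Active
        build_hsrp_v1(1, 4, 255, 1, '10.10.0.20'),    # Coup, state Speak
        build_hsrp_v1(2, 16, 150, 1, '10.10.0.20'),   # Resign
    ]


def takeover_events(packets, expected_priority):
    """Report (index, opcode, priority) for every Coup, and for every Active Hello whose
    priority exceeds the priority configured on the router that should own the group."""
    events = []
    for i, pkt in enumerate(packets):
        p = parse_hsrp_v1(pkt)
        if p['opcode'] == 'Coup' or (p['opcode'] == 'Hello' and p['state'] == 'Active'
                                    and p['priority'] > expected_priority):
            events.append((i, p['opcode'], p['priority']))
    return events


if __name__ == '__main__':
    for pkt in sample_packets():
        print(parse_hsrp_v1(pkt))
    print(takeover_events(sample_packets(), expected_priority=150))
```

In a real capture the same check would be fed with the UDP payloads of packets sent to 224.0.0.2 port 1985; a Coup seen from a source address that is not one of the configured HSRP routers, or a priority higher than anything the design assigns, is worth an alert.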

Question 39

How will HSRP choose the active router? (Choose two)

A. Highest IP address
B. Highest MAC address
C. Configured priority
D. Lowest bridge ID

 

Answer: A C

Question 40 (a similar question about preempt delay)

You administer a network that uses two routers, R1 and R2, configured as an HSRP group to provide redundancy for the gateway. Router R1 is the active router and has been configured as follows:

R1#configure terminal
R1(config)#interface fa0/0
R1(config-if)#ip address 10.10.0.5 255.255.255.0
R1(config-if)#standby 1 priority 150
R1(config-if)#standby preempt delay minimum 50
R1(config-if)#standby 1 track interface fa0/2 15
R1(config-if)#standby 1 ip 10.10.0.20

Which of the following describes the effect the “standby preempt delay minimum 50” command will have on router R1?

A. The HSRP priority for router R1 will increase to 200.
B. Router R1 will become the standby router if the priority drops below 50.
C. The HSRP priority for router R1 will decrease to 50 points when Fa0/2 goes down.
D. Router R1 will wait 50 seconds before attempting to preempt the active router.

 

Answer: D

Explanation

If R1, for some reason, loses its active state, the “standby preempt delay minimum 50” command will cause R1 to wait 50 seconds before it tries to get the active state again -> D is correct.

Question 41

Drag and drop question about Southbound & Northbound

Northbound_Southbound_2.jpg

 

Answer:

Southbound
+ Hardware
+ Switch interfaces

Northbound
+ Software manager
+ Controllers

New ICND2v3 Questions

January 23rd, 2018 103 comments

Question 1

What is the default read-only (RO) mode of SNMP community string?

A. Public
B. Private
C. Cisco
D. Secret

 

Answer: A

Question 2

What is the output of the command “show snmp engineID”?

Answer: Local SNMP engineID and remote engineID

Question 3

Which protocol does HSRP use to exchange information?

A. PPP
B. PPPoE
C. BPDU
D. Hello

 

Answer: D

Question 4

When does your enterprise require high-speed broadband internet?

A. P2P file sharing
B. Cloud computing
C. IaaS
D. vSAN expansion
E. upgrade IOS
F. resource-intensive application

 

Answer: B

Question 5

What are the responses from the TACACS+ daemon?

Answer: ACCEPT, REJECT, ERROR, CONTINUE

Question 6

Which protocol is CGMP NOT compatible with?

A. HSRPv1
B. HSRPv2

Answer: A

Explanation

HSRPv1 uses the multicast address 224.0.0.2 to send hello packets, which can conflict with Cisco Group Management Protocol (CGMP) leave processing. You cannot enable HSRPv1 and CGMP at the same time; they are mutually exclusive.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swhsrp.pdf

Question 7

Which statement about GRE tunnels is true?

Answer: sends in plain text

Question 8

Which algorithm does each routing protocol use?

Answer:
+ Dijkstra -> OSPF
+ Bellman-Ford -> RIP
+ DUAL -> EIGRP

Question 9

Which command is used to remove VLANs from trunk?

Answer: switchport trunk allowed vlan remove <VLANs>

Question 10

Which command is used to configure IPv6 peer for BGP?

Answer: neighbor xxxx remote-as xxxx

Question 11

Which command is used to verify GRE tunnel connectivity?

Answer: (not sure but maybe) traceroute OR “show tunnel interface tunnel <tunnel-ID>”

=============================New Questions added on 12th-Feb-2018=============================

Question 12

Which of the following provides the highest availability?

A. full mesh
B. partial mesh
C. hub and spoke

 

Answer: A

Question 13

What can MPLS provide? (Choose two)

A. Authentication Header
B. secure payload of packet with ESP
C. VPN
D. CoS

 

Answer: A C

Question 14

Which ACL rules are applied first?

A. Port filter
B. Router filter
C. VLAN filter
D. MAC filter

 

Answer: A

Explanation

In merge mode, the ACLs are applied in the following order:
1. PACL for the ingress port
2. VACL for the ingress VLAN
3. VACL for the egress VLAN

Port ACLs are similar to Router ACLs but are supported on physical interfaces and configured on Layer 2 interfaces on a switch. A Port ACL supports only inbound traffic filtering. A Port ACL can be configured as one of three types of access list: standard, extended, and MAC-extended.

Reference: http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4

Question 15

Which statements are true about IGPs? (Choose two)

A. May use Bellman-Ford algorithm
B. May use Dijkstra Algorithm
C. Can be used between company and ISP
D. Can be used between router – Firewall – router

 

Answer: A B

Question 16 (maybe same as Question 9)

Which command will remove vlan 10 from trunk?

A. switchport trunk allowed vlan remove 10
B. switchport trunk allowed vlan add 10
C. switchport trunk allowed vlan except 10

 

Answer: A

Note: Another command to do this task is switchport trunk allowed vlan <list of all VLANs except 10>

Question 17

Troubleshooting connectivity between two devices. How will you start? (Choose two)

A. ping
B. extended ping with source
C. traceroute
D. something like connect to source’s next hop and do ping to destination

 

Answer: A C

Question 18

Which is true about the keepalive interval?
A. If it was modified, it should be equal on both sides
B. It has to be applied on both sides

 

Answer: A

Explanation

Since HDLC keepalives are ECHOREQ type keepalives, the keepalive frequency is important and it is recommended that they match up exactly on both sides. If the timers are out of sync, the sequence numbers start to get out of order. For example, if you set one side to 10 seconds and the other to 25 seconds, it will still allow the interface to remain up as long as the difference in frequency is not sufficient to cause the sequence numbers to be off by a difference of three.

Reference: https://www.cisco.com/c/en/us/support/docs/content-networking/keepalives/118390-technote-keepalive-00.html

Question 19

Which of the commands enables PPP over Ethernet?

A. pppoe-client dial-pool-number
B. pppoe enable

 

Answer: B

Question 20

Which command immediately puts a port into the forwarding state?

A. spanning-tree portfast default
B. spanning-tree portfast bpduguard default

 

Answer: A

Explanation

Portfast is often configured on switch ports that connect to hosts. Interfaces with Portfast enabled will go to forwarding state immediately without passing the listening and learning state. Therefore it can save about 30 to 45 seconds to transition through these states.

To enable this feature, configure this command under interface mode:

Switch(config-if)#spanning-tree portfast

or we can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports.

Question 21

Which feature can prevent a switch from becoming the Root Bridge?

A. VTP
B. DTP
C. Root Guard
D. BPDU Guard filter

 

Answer: C

Question 22

Which mode of VTP will only forward messages and ignore updates?

A. Client
B. Server
C. Transparent

 

Answer: C

Question 23

Which is correct about APIC-EM Path trace ACL? (Choose two)

A. It checks only ingress interface
B. It checks only egress interface
C. It checks ingress and egress interface
D. If it finds an ACL that denies the traffic, it will stop …

 

Answer: C and ?

Question 24

If SNMP traps are not working, where can the issue be?

A. The trap was not set
B. The “snmp-server enable traps” command was not entered
C. The SNMP server host has not been configured with inform messages

 

Answer: B

Explanation

Maybe this question wants to ask why TRAP is not sent after setting the trap.

If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure the router to send these SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, all notification types are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. In order to enable multiple types of notifications, you must issue a separate snmp-server enable traps command for each notification type and notification option.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/13506-snmp-traps.html

Note: For SNMP configuration please read https://www.9tut.com/simple-network-management-protocol-snmp-tutorial

Question 25

Which of the following two things does QOS provide? (Choose two)

Answer: checksum and inspection (not sure)

Question 26

Which of the following is true about Link state protocol?

Answer: (maybe) instant update

Question 27

Which of the following is true about Distance Vector?

Answer: (maybe) periodic update

Question 28

How can BGP advertise routes?

Answer: put command “network prefix mask DDN-mask”

Question 29

What is the default DTP mode?

A. Dynamic Desirable
B. Dynamic Auto
C. On
D. Off

 

Answer: B

Note: This question is same as Question 4 of https://www.9tut.net/icnd2-200-105/dtp-questions

Explanation

The Dynamic Trunking Protocol (DTP) is used to negotiate forming a trunk between two Cisco devices.

In fact this question is unclear as it does not ask about a specific switch model. The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto while older 3550 switches run Dynamic Desirable as the default mode. So in this question we should follow the “newer” switches (which is “dynamic auto” mode).

New switches are only set to “dynamic auto” mode by default so they are safer as they do not try to form a trunk aggressively.

Therefore in this question “dynamic auto” is the best choice.

Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=8

Question 30

Which three options are benefits of using TACACS+ on a device? (Choose three)

A. It ensures that user activity is untraceable.
B. It provides a secure accounting facility on the device.
C. Device-administration packets are encrypted in their entirety.
D. It allows the user to remotely access devices from other vendors.
E. It allows the users to be authenticated against a remote server.
F. It supports access-level authorization for commands.

 

Answer: C E F

Explanation

TACACS+ (and RADIUS) allow users to be authenticated against a remote server -> E is correct.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header -> C is correct.

TACACS+ supports access-level authorization for commands. That means you can use commands to assign privilege levels on the router -> F is correct.

Note:

By default, there are three privilege levels on the router.
+ privilege level 1 = non-privileged (prompt is router>), the default level for logging in
+ privilege level 15 = privileged (prompt is router#), the level after going into enable mode
+ privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

Question 31

What prevents a DDoS (denial-of-service) attack?

Answer: DHCP snooping

Question 32

What allows two neighbors to establish an EIGRP adjacency?

Answer: (recommended) same AS number, same subnet, same K values, same mask

Question 33

Which command checks whether a trunk is enabled on an interface?

Answer: show int trunk

Question 34

Which command will remove IPv6 OSPF from an interface?

Answer: no ipv6 ospf 1 area x

Question 35

Why may the security of RADIUS be compromised?

Answer: only the password is encrypted
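The contrast between this answer and Question 30 above (TACACS+ encrypts the entire packet body, RADIUS hides only the password) is easiest to see by running the two mechanisms side by side. The following added Python example (not from this page, from Cisco, or from any RADIUS/TACACS+ implementation) implements the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5, and then reports which fields an observer on the path can read in each case. The username, password, shared secret, key, session id and Request Authenticator are constructed sample values.

```python
"""RADIUS User-Password hiding (RFC 2865 5.2) beside TACACS+ body obfuscation
(RFC 8907 4.5). Added example; all secrets and identifiers below are constructed."""
import hashlib
import struct


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# ---------- RADIUS: only the User-Password attribute is hidden ----------
def radius_hide_password(password, secret, request_authenticator):
    """c1 = p1 XOR MD5(secret + RA); c_i = p_i XOR MD5(secret + c_(i-1)), 16-byte blocks."""
    if len(request_authenticator) != 16:
        raise ValueError('Request Authenticator must be 16 bytes')
    padded = password.ljust((len(password) + 15) // 16 * 16, b'\0')
    out, prev = b'', request_authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + chunk, chunk
    return out


def radius_reveal_password(hidden, secret, request_authenticator):
    """Inverse of radius_hide_password (the server side)."""
    out, prev = b'', request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out, prev = out + _xor(chunk, hashlib.md5(secret + prev).digest()), chunk
    return out.rstrip(b'\0')


def radius_access_request(username, password, secret, request_authenticator):
    """Attribute bytes as they appear on the wire (type, length, value): User-Name (1)
    is cleartext and only User-Password (2) is obscured."""
    hidden = radius_hide_password(password, secret, request_authenticator)
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return attrs


# ---------- TACACS+: the whole body after the 12-byte header is obfuscated ----------
def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_(n-1));
    the concatenation is truncated to the body length."""
    prefix = struct.pack('!I', session_id) + key + bytes([version, seq_no])
    pad, block = b'', b''
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR with the pseudo-pad; applying it twice with the same inputs restores the body."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def tacacs_authen_start(username, password, port=b'tty1', rem_addr=b'192.0.2.10'):
    """Authentication START body for a PAP login: action LOGIN (1), priv_lvl 1,
    authen_type PAP (2), service LOGIN (1); the password travels in the data field."""
    return (struct.pack('!BBBBBBBB', 1, 1, 2, 1, len(username), len(port),
                        len(rem_addr), len(password))
            + username + port + rem_addr + password)


def compare(username=b'alice', password=b'S3cret!', secret=b'radius-shared-secret',
            key=b'tacacs-key', session_id=0x1234ABCD):
    """What an on-path observer can read in each protocol's authentication request."""
    request_authenticator = bytes(range(16))     # constructed; normally 16 random bytes
    radius_wire = radius_access_request(username, password, secret, request_authenticator)
    tacacs_wire = tacacs_obfuscate(tacacs_authen_start(username, password), session_id, key)
    return {
        'radius_username_visible': username in radius_wire,
        'radius_password_visible': password in radius_wire,
        'tacacs_username_visible': username in tacacs_wire,
        'tacacs_password_visible': password in tacacs_wire,
    }


if __name__ == '__main__':
    for field, visible in compare().items():
        print('%-26s %s' % (field, visible))
```

The RADIUS result shows the username, and every other attribute, in cleartext, with only the password attribute hidden, and hidden with an MD5-and-XOR construction keyed by the shared secret; the TACACS+ body shows neither field. Both rely on a shared secret and MD5, so neither is a substitute for carrying the traffic over IPsec or TLS, but the difference in what each one covers is the point of the two questions.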

Question 36

On which layer does the APIC-EM Path Trace ACL analysis run?

A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4

 

Answer: D

Question 37

Which command statically configures an EtherChannel?

A. Desirable
B. Auto
C. On
D. Passive

 

Answer: C

Question 38

Which two options describe benefits of aggregated chassis technology? (Choose two)

A. It reduces management overhead
B. Switches can be located anywhere regardless of their physical location
C. It requires only one IP address per VLAN
D. It requires only three IP addresses per VLAN
E. It supports HSRP VRRP GLBP
F. It supports redundant configuration files

 

Answer: A C

Explanation

Chassis aggregation is a Cisco technology to make multiple switches operate as a single switch. It is similar to stacking but meant for powerful switches (like the 6500 and 6800 series switches). Chassis aggregation is often used in the core layer and distribution layer (while switching stacking is used for access layer).

The books do not mention the benefits of chassis aggregation, but they are the same as those of switch stacking.

+ The stack would have a single management IP address.
+ The engineer would connect with Telnet or SSH to one switch (with that one management IP address), not multiple switches.
+ One configuration file would include all interfaces in all physical switches.
+ STP, CDP, VTP would run on one switch, not multiple switches.
+ The switch ports would appear as if all are on the same switch.
+ There would be one MAC address table, and it would reference all ports on all physical switches.

Reference: CCNA Routing and Switching ICND2 200-105 Official Cert Guide

VSS is a chassis aggregation technology but it is dedicated for Cisco Catalyst 6500 Series Switches. VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent -> A is correct

Single point of management, IP address, and routing instance for the Cisco Catalyst 6500 virtual switch
+ Single configuration file and node to manage. Removes the need to configure redundant switches twice with identical policies.
+ Only one gateway IP address is required per VLAN, instead of the three IP addresses per VLAN used today -> C is correct while D is not correct.
+ Removes the need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP)-> so maybe E is not correct.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html

Question 39

When troubleshooting client DNS issues, which two tasks must you perform? (Choose two)

A. Ping a public website IP address.
B. Ping the DNS Server.
C. Determine whether a DHCP address has been assigned.
D. Determine whether the hardware address is correct.
E. Determine whether the name servers have been configured

 

Answer: B E

Explanation

Complete these steps to troubleshoot this problem:
Ensure the router can reach the DNS server. Ping the DNS server from the router using its IP address, and make sure that the ip name-server command is used to configure the IP address of the DNS server on the router.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/24182-reversedns.html

Question 40

Which routing protocol uses first-hand information?

A. link-state
B. distance-vector
C. path-vector
D. other

 

Answer: A

Explanation

The information available to a distance vector router has been compared to the information available from a road sign. Link state routing protocols are like a road map. A link state router cannot be fooled as easily into making bad routing decisions, because it has a complete picture of the network. The reason is that unlike the routing-by-rumor approach of distance vector, link state routers have firsthand information from all their peer routers. Each router originates information about itself, its directly connected links, and the state of those links (hence the name). This information is passed around from router to router, each router making a copy of it, but never changing it. The ultimate objective is that every router has identical information about the internetwork, and each router will independently calculate its own best paths.

Reference: http://www.ciscopress.com/articles/article.asp?p=24090&seqNum=4

Question 41

Which two features of the extended ping command are true? (Choose two)

A. It can send a specific number of packets
B. It can send packets from a specified interface or IP address
C. It can resolve the destination host name
D. It can ping multiple hosts at the same time

 

Answer: A B

Explanation

There are many options to choose when using extended ping. Below shows the options that we can choose:

[Image: extended_ping.jpg (extended ping prompts)]

In which:

+ Repeat count [5]: Number of ping packets that are sent to the destination address. The default is 5 -> A is correct.
+ Source address or interface: The interface or IP address of the router to use as a source address for the probes -> B is correct.

For more information about extended ping, please read: http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html

Question 42

Which statement about IPv6 link-local addresses is true?

A. They must be configured on all IPv6 interfaces
B. They must be globally unique
C. They must be manually configured
D. They are advertised globally on the network

 

Answer: A

Explanation

Link-local addresses refer only to a particular physical link and are used for addressing on a single link for purposes such as automatic address configuration and the neighbor discovery protocol. Link-local addresses can be used to reach the neighboring nodes attached to the same link. The nodes do not need a globally unique address to communicate. Routers will not forward datagrams using link-local addresses. All IPv6-enabled interfaces have a link-local unicast address.

A link-local address is an IPv6 unicast address that can be automatically configured on any interface using the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in the modified EUI-64 format. Link-local addresses are not necessarily bound to the MAC address (configured in an EUI-64 format). Link-local addresses can also be manually configured in the FE80::/10 format using the “ipv6 address link-local” command.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113328-ipv6-lla.html

In summary, if you do not configure a link-local on an IPv6 enabled interface, it will automatically use the FE80::/10 and the interface identifier in the modified EUI-64 format to form a link-local address.
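As an added example (not part of the original page or of Cisco's documentation), the Python below carries out the modified EUI-64 derivation just described: it splits the MAC, inserts FFFE, flips the universal/local bit and prepends FE80::/64. It also reverses the derivation, which is handy when an address seen in a neighbor table has to be matched to a MAC address. The MAC addresses used are constructed sample values.

```python
# Added example (not from the page): forming an IPv6 link-local address from a
# MAC address with the modified EUI-64 method, and recovering the MAC from such
# an address. All sample MAC addresses are constructed.
import ipaddress
import re
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC.

    Accepts 00:0c:29:aa:bb:cc, 00-0c-29-aa-bb-cc or 000c.29aa.bbcc notation.
    Steps: split the MAC into its two 24-bit halves, insert 0xFFFE between
    them, then flip the universal/local (U/L) bit, which is 0x02 of the first
    octet.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(hexdigits)
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    eui64[0] ^= 0x02  # flip the U/L bit
    return bytes(eui64)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/10 prefix (with the remaining prefix bits zero, i.e. fe80::/64)
    followed by the 64-bit interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_modified_eui64(mac))


def mac_from_link_local(addr: str) -> Optional[str]:
    """Reverse the derivation for an EUI-64 based link-local address.

    Returns None when the address is not link-local or its interface ID does
    not carry the 0xFFFE marker (for example a manually configured address
    such as fe80::1, which is not bound to any MAC address).
    """
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:  # checks membership in fe80::/10
        return None
    iid = bytearray(ip.packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L bit flip
    octets = bytes(iid[:3] + iid[5:])
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    sample_mac = "00:0c:29:aa:bb:cc"  # constructed sample value
    lla = link_local_from_mac(sample_mac)
    print(f"{sample_mac} -> {lla}")
    print(f"{lla} -> {mac_from_link_local(str(lla))}")
    print("fe80::1 ->", mac_from_link_local("fe80::1"))
```

Addresses such as fe80::1 come back as None from the reverse function, which is exactly the case the text mentions: a manually configured link-local address is not bound to the interface's MAC address.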

Question 43

Which command can you enter on a switch to determine the current SNMP security model?

A. snmp-server contact
B. show snmp pending
C. show snmp group
D. show snmp engineID

 

Answer: C

Explanation

Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. The security model combined with the security level determines the security mechanism applied when the SNMP message is processed.

The command “show snmp group” displays the names of groups on the router and the security model, the status of the different views, and the storage type of each group. Below is an example of this command.

[Image: show_snmp_group.jpg (output of show snmp group)]

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_9snmp.html

=========================New Questions added on 24th-Feb-2018============================

Question 44

Which two options are causes of network slowness that can result from inter-VLAN routing problems? (Choose two)

A. Root guard disabled on an etherchannel
B. Packet Loss
C. DTP disabled on a switchport
D. BPDU guard enabled on a switchport
E. Hardware forwarding issues

 

Answer: B E

Explanation

Causes for Network Slowness
Packet Loss

In most cases, a network is considered slow when higher-layer protocols (applications) require extended time to complete an operation that typically runs faster. That slowness is caused by the loss of some packets on the network, which causes higher-level protocols like TCP or applications to time out and initiate retransmission.

Hardware Forwarding Issues

With another type of slowness, caused by network equipment, forwarding (whether Layer 2 [L2] or L3) is performed slowly. This is due to a deviation from normal (designed) operation and switching to slow path forwarding. An example of this is when Multilayer Switching (MLS) on the switch forwards L3 packets between VLANs in the hardware, but due to misconfiguration, MLS is not functioning properly and forwarding is done by the router in the software (which drops the interVLAN forwarding rate significantly).

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/virtual-lans-vlan-trunking-protocol-vlans-vtp/23637-slow-int-vlan-connect.html#network_slow

Question 45

Which two commands debug a PPPoE connection that has failed to establish? (Choose two)

A. debug ppp compression
B. debug ppp negotiation
C. debug dialer events
D. debug ppp cbcp
E. debug dialer packet

 

Answer: B E

Explanation

According to this link https://supportforums.cisco.com/t5/network-infrastructure-documents/troubleshooting-for-pppoe-connection-failure-part-1/ta-p/3147204

The following debug commands can be used to troubleshoot a PPPoE connection that has failed:

+ debug ppp authentication
+ debug ppp negotiation
+ debug pppoe event

The debug ppp negotiation command enables you to view the PPP negotiation transactions, identify the problem or stage when the error occurs, and develop a resolution.

We are not sure about the “debug dialer packet” command but it seems to be the most reasonable answer left.

Question 46

Which command do you enter to determine whether LACP is in use on a device?

A. Show port-channel summary
B. Show etherchannel summary

 

Answer: B

Question 47

Which three commands do you use to verify that IPsec over a GRE tunnel is working properly? (Choose three)

A. clear crypto isakmp
B. ppp encrypt mppe auto
C. show crypto engine connections active
D. show crypto ipsec sa
E. show crypto isakmp sa
F. debug crypto isakmp

 

Answer: D E F

Question 48

Which two types of cloud services may require you to alter the design of your network infrastructure? (Choose two)

A. Sudo as a service
B. Platform as a service
C. Infrastructure as a service
D. Software as a service
E. Business as a service

 

Answer: B C

Explanation

There are only three types of cloud services. These different types of cloud computing service delivery models are called infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

Reference: https://www.cisco.com/en/US/services/ps2961/ps10364/ps10370/ps11104/need-for-cloud-services-catalog_whitepaper.pdf

Question 49

Which purpose of the network command in the BGP configuration of a router is true?

A. It enables route advertisement in the BGP routing process
B. It advertises any route in BGP with no additional configuration
C. It advertises a valid network as local to the autonomous system of a router

 

Answer: C

Question 50

Through which three states does a BGP routing process pass when it establishes a peering session?

A. open receive
B. inactive
C. active
D. connected
E. open sent
F. idle

 

Answer: C E F

Explanation

BGP forms a TCP session with neighbor routers called peers. The BGP session may report in the following states:

+ Idle
+ Connect
+ Active
+ OpenSent
+ OpenConfirm
+ Established

Reference: http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4

Question 51

Which encryption method does CHAP authentication use for the peer response?

A. EAP
B. MD5
C. DES
D. DSS
E. AES
F. 3DES

 

Answer: B

Question 52

Which two characteristics of stacked switches are true? (Choose two)

A. They reduce management complexity
B. They are less scalable than modular switches
C. They can manage multiple ip addresses across multiple switches
D. They have a single management interface
E. Each unit in the stack can be assigned its own IP address

 

Answer: A D

Question 53

Which option describes a drawback of proxy ARP?

A. It overwrites MAC addresses
B. It can make it more difficult for the administrator to locate device misconfigurations
C. It dynamically establishes a Layer 2 tunneling protocol, which increases network overhead
D. If proxy ARP is configured on multiple devices, the internal L2 network may become vulnerable to DDoS

 

Answer: D

Question 54

Which layer 2 attack is specifically mitigated by changing the native VLAN to an unused VLAN?

A. Double tagging
B. DHCP spoofing
C. VLAN spoofing
D. switch hopping

 

Answer: A

Explanation

Let us learn about double-tagging attack.

[Image: Double_Tagging.jpg (double-tagging attack topology: attacker in VLAN 10, trunk with native VLAN 10 between Switch A and Switch B, victim in VLAN 20)]

In a double-tagging attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20).

When the frame from the attacker reaches Switch A, Switch A only sees the first tag, VLAN 10. It matches the native VLAN 10, so this VLAN tag is removed and the frame is sent untagged over the trunk. Switch B receives a frame that now carries a tag of VLAN 20, so it removes this tag and forwards the frame out to the victim computer in VLAN 20.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker.

According to this link http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10

“The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports. In fact, it is considered a security best practice to use a fixed VLAN that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.” -> Answer A is correct.
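To make the quoted mitigation concrete, here is an added example (not from the page or from Cisco Press) that models how the two switches treat the native VLAN on an 802.1Q trunk, and shows the frame landing in the victim's VLAN only while the native VLAN equals the attacker's VLAN. It also includes a small audit that applies the best practice to a constructed trunk configuration; the VLAN numbers and interface names are assumptions.

```python
# Added example (not from the page): a model of 802.1Q native-VLAN handling on a
# trunk, used to show why a native VLAN that is distinct from every user VLAN
# stops a double-tagged frame from crossing into another VLAN. The VLAN numbers
# and interface names are constructed.
from typing import Dict, List, Sequence


def trunk_egress(tags: Sequence[int], native_vlan: int) -> List[int]:
    """Switch A sends a frame out an 802.1Q trunk.

    A frame belonging to the trunk's native VLAN is sent untagged, so its
    outer tag is removed. A frame in any other VLAN keeps its tag.
    """
    if tags and tags[0] == native_vlan:
        return list(tags[1:])
    return list(tags)


def trunk_ingress(tags: Sequence[int], native_vlan: int) -> int:
    """Switch B receives a frame on the trunk and assigns it to a VLAN.

    An untagged frame is placed in the native VLAN; a tagged frame is placed
    in the VLAN named by its (now outermost) tag.
    """
    if not tags:
        return native_vlan
    return tags[0]


def delivered_vlan(tags: Sequence[int], native_vlan: int) -> int:
    """VLAN in which Switch B delivers a frame that entered Switch A with `tags`
    (outer tag first)."""
    return trunk_ingress(trunk_egress(tags, native_vlan), native_vlan)


def native_vlan_is_safe(native_vlan: int, user_vlans: Sequence[int]) -> bool:
    """The quoted best practice: the trunk's native VLAN must not be a user VLAN."""
    return native_vlan not in set(user_vlans)


def audit_trunks(trunks: Dict[str, int], user_vlans: Sequence[int]) -> List[str]:
    """Return the trunk interfaces whose native VLAN is also a user VLAN.

    `trunks` maps interface name -> native VLAN (a constructed stand-in for
    what would be read from 'switchport trunk native vlan' lines).
    """
    return [name for name, native in trunks.items()
            if not native_vlan_is_safe(native, user_vlans)]


if __name__ == "__main__":
    frame = [10, 20]  # outer tag 10 (attacker's VLAN), inner tag 20 (victim's VLAN)
    print("native VLAN 10 :", delivered_vlan(frame, 10))   # reaches VLAN 20
    print("native VLAN 999:", delivered_vlan(frame, 999))  # stays in VLAN 10
    print("offending trunks:", audit_trunks({"Gi0/1": 10, "Gi0/2": 999}, [10, 20]))
```

With the native VLAN moved to an unused VLAN (999 here), the outer tag 10 is no longer stripped at Switch A, so Switch B files the frame under VLAN 10 and the inner tag is never interpreted; that is the effect answer A relies on.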

Question 55

Which feature or value must be configured to enable EIGRPv6?

 

Answer: Router id

New ICND1v3 Questions

October 2nd, 2017 325 comments

Note (14th-Dec-2018): These new questions were gathered from our candidates so please learn them well before taking the ICND1 exam:

Question 1

Syslog – what does not belong?

A. host name
B. severity
C. timestamp
D. message

 

Answer: A

Question 2

What does a switch use for communication between VLANs?

A. STP
B. CDP
C. VTP
D. Etherchannel

 

Answer: C

Question 3

What is the maximum size of an Ethernet frame that uses 802.1Q tagging?

A. 1514 bytes
B. 128 bytes
C. 68 bytes
D. 1522 bytes

 

Answer: D

Question 4

When configuring a default gateway, should it be ip route 0.0.0.0…. or serial 0/0 0.0.0.0…… – don't know answer

Question 5

Which option does the route 0.0.0.0/0 represent?

A. Route with the lowest administrative distance
B. Gateway of last resort
C. Null route
D. Empty routing table

 

Answer: B

Explanation

In this question only the “Gateway of last resort” answer is suitable. A Gateway of Last Resort or Default gateway is a route used by the router when no other known route exists to transmit the IP packet. Known routes are present in the routing table. Hence, any route not known by the routing table is forwarded to the default route.

In fact this question is a bit unclear. Maybe it implies “creating a static route to network 0.0.0.0 0.0.0.0 is another way to set the gateway of last resort on a router.”

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/16448-default.html

Question 6

What is the purpose of a standard access list?

A. to filter traffic based on destination address
B. to deny traffic
C. to filter traffic based on source address

Answer: C

Question 7

If you are in VLAN 10 and it gets a packet from VLAN 2 with 802.1q enabled, what does it do with the packet?

A. Drops the packet
B. forwards it to VLAN 2
C. configures the port to handle traffic from VLAN 2
D. adds it to the VLAN database

Answer: A

Question 8

Drag drop question about cable types

Answer:

Coaxial <-> TV connection
Twisted <-> 10/100/1000 base
Fiber <-> BASE-5 BX
USB <-> connects two computers
Crossed-over <-> devices of the same type

Question 9

Which forwarding technology stores destination addresses in the cache?

A. MPLS
B. Cisco express forwarding
C. Process switching
D. Fast switching

 

Answer: B

Question 10

Which type of network topology requires each network node to be connected to one another?

A. Ring
B. Star
C. Mesh
D. Bus

 

Answer: C

Question 11

A router receives identical prefixes from OSPF, EIGRP, RIP and the same route is configured statically. Which route does the router use to forward traffic?

A. Static route
B. RIP route
C. EIGRP route
D. OSPF route

 

Answer: A

Question 12

Which route is the most secure?

Answer: connected route

Question 13

Which syslog severity level logs informational messages?

A. 2
B. 6
C. 4
D. 0

 

Answer: B

Question 14

Which option describes a standard role that a firewall plays in an enterprise network?

A. It can permit unauthorized packets to pass to less secure segments of the network
B. It can decide which packets can traverse from a less secure segment of the network to a more secure
C. It can forward packets based on rules that are predetermined by IEEE standards
D. It can deny all packets from entering an administrative domain.

 

Answer: B

Question 15

A question with the MAC table on a switch showing MAC 1111:1111:1111 on port 0/1. The question asked: you receive a frame with destination MAC 1111:1111:1111 on port 0/1; how will the switch handle the frame?

Answer: The switch forwards the frame to port 0/1 only.

Question 16

Which cables are used in a star topology? (Choose two)

A. 10Base2
B. 10Base5
C. 100Base2
D. 100Base5

Answer: 10Base-T, 100Base-T and 1000Base-T

Question 17

What is the binary form of the IPv6 multicast address prefix?

Answer: 11111111

Explanation

IPv6 multicast addresses are distinguished from unicast addresses by the value of the high-order octet of the addresses: a value of 0xFF (binary 11111111) identifies an address as a multicast address; any other value identifies an address as a unicast address

Question 18

What is the lowest AD (IS-IS, IBGP, EIGRP, RIPv2 or OSPF)?

Answer: EIGRP

Explanation

The Administrative Distances (AD) of popular routing protocols are shown below:

[Image: Administrative Distances_popular_routing_protocols.jpg (AD of popular routing protocols)]

Note: For IS-IS, the AD is 115; Internal BGP (IBGP) is 200

Question 19

Assume all the routing protocols have the same prefix length; which route would the router prefer?

A. OSPF
B. EIGRP
C. CONNECTED
D. BGP

 

Answer: C

Question 20

In which circumstances is static routing most useful?

A. On a stub network
B. On a large network that must share routes quickly between routers
C. On a network that experiences frequent link failures
D. On a network with frequent routing changes

 

Answer: A

Question 21

Which statement correctly describes dynamic routing?

A. more secure than static
B. highly scalable for large networks
C. easier to configure than a static route
D. built for small networks

 

Answer: B

Question 22

Which statement is correct when comparing dynamic and static routes?

A. static route is more secure

Question 23

What would the router use to choose between routes when different routing protocols are present in the routing table?

A. Prefix length

Question 24

Which of the following descriptions is correct about DNS?

A. The host sends a request to a DNS server…

Question 25

Which statement about standard access list is true?

A. They have an implicit permit statement at the end to allow all traffic
B. They can use either a wildcard mask or a subnet mask to identify hosts
C. They can be identified by a number from 1 to 99
D. They must be placed close to the source of traffic

 

Answer: C

Question 26

Which of the following is used to establish a Telnet session by host name?

A. DNS lookup
B. Ping
C. Syslog
D. ARP

Answer: A

Question 27

Which of the following commands can be used to access all the files in a system?

A. syslog
B. IFS
C. ping
D. NTP

Answer: B

Question 28

For which important purpose was IPv6 addressing developed?

A. To reduce the number of public IP addresses on the internet
B. To replace network address translation
C. To remove the need for classless inter-domain routing
D. To relieve the shortage of public IP addresses on the internet

 

Answer: D

Question 29

What does the 0.0.0.0/0 mean in a routing table?

A. wildcard
B. empty routing table
C. Null table
D. Gateway of last resort

Answer: should be default route

Question 30

A host is attempting to communicate with a server from an application layer. The connection has failed, what would be the first layer to start from the troubleshooting standpoint?

A. network
B. Application
C. physical
D. session

 

Answer: C

Question 31

The left describes the types of cables, while the right describes the purposes of the cables.
Drag the items on the left to the proper locations. (Not all items can be used.)

[Image: Cable_Types.jpg (cable types drag-and-drop)]

Answer:

+ switch access port to router: straight-through
+ switch to switch: crossover
+ PC COM to switch Console port: rollover

Explanation

To remember which type of cable you should use, follow these tips:

– To connect two serial interfaces of 2 routers we use serial cable
– To specify when we use crossover cable or straight-through cable, we should remember:
Group 1: Router, Host, Server
Group 2: Hub, Switch
One device in group 1 + One device in group 2: use straight-through cable
Two devices in the same group: use crossover cable

For example: we use straight-through cable to connect switch to router, switch to host, hub to host, hub to server… and we use crossover cable to connect switch to switch, switch to hub, router to router, host to host… )

Question 32

Which destination IP address can a host use to send one message to multiple devices across …?

A. 239.255.0.1
B. 172.20.1.0
C. 192.168.0.119
D. 127.0.0.1

 

Answer: A (multicast address)

Question 33

Which value is of primary importance when a router populates its routing table for unique routes?

A. Administrative distance
B. Prefix length
C. Network address
D. Metric

 

Answer: A

Explanation

Making a forwarding decision actually consists of three sets of processes: the routing protocols, the routing table, and the actual process which makes a forwarding decision and switches packets. The longest prefix match always wins among the routes actually installed in the routing table, while the routing protocol with the lowest administrative distance always wins when installing routes into the routing table.

[Image: routing_process.gif (routing process)]

Reference: http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8651-21.html

Question 34

Which IPv6 address type is a public address?

A. Global unicast
B. Multicast
C. Link local
D. Unique-local

 

Answer: A

Question 35

How is the MAC address table of a switch populated?

A. When the switch receives an Ethernet frame with a new destination MAC address, it installs the destination MAC address and the ingress switch port in the MAC address table
B. When the switch receives an Ethernet frame with a new source MAC address, it installs the source MAC address and the ingress switch port in the MAC address table
C. When the switch receives an Ethernet frame with a new destination MAC address, it installs the destination MAC address and the egress switch port in the MAC address table
D. When the switch receives an Ethernet frame in which the source and destination MAC address are new, it installs the destination MAC address and the ingress switch port in the MAC address table

 

Answer: B

Explanation

A switch learns (populates) its MAC address table from source MAC addresses only.

Question 36

Which statement describes the effect of exec-timeout 30 command?

A. The router disconnects the user session if it is inactive for 30 minutes
B. The router maintains a user session indefinitely after it is active for 30 mins
C. The router disconnects a user session if it is inactive for 30 seconds
D. The router maintains a user session indefinitely after it is active for 30 seconds.

 

Answer: A

Explanation

The “exec-timeout” command is used to configure the inactive session timeout on the console port or the virtual terminal. The syntax of this command is:

exec-timeout minutes [seconds]

Therefore we need to use the “exec-timeout 30” command to set the user inactivity timer to 30 minutes. To set the user inactivity timer to 30 seconds we use the “exec-timeout 0 30”.

Question 37

Which statement about port-security violations is true?

A. When a violation occurs on a switch port in restrict mode, the switch port continues to accept traffic from unknown MAC addresses until the administrator manually disables it.
B. When a violation occurs on a switch port in protect mode, it sends a syslog notification message
C. A port in the err-disabled state must be re-enabled manually, if recovery is disabled
D. When a switch port is in protect mode, it allows traffic from unknown MAC address until it has learned the maximum allowable number of MAC addresses

 

Answer: C

Question 38

Which statement about static and dynamic routing is true?

A. Only static routes are shared between connected interfaces
B. Dynamic routing is more scalable than static routing
C. Only dynamic routes are secure
D. Static routing is easier to maintain in a large network than dynamic routing.

 

Answer: B

Question 39

Which metric or metrics does RIP use to determine the routing table metric for a route?

A. Bandwidth and delay
B. Hop count
C. Bandwidth and hop count
D. Bandwidth

 

Answer: B

Question 40

Which network configuration allows a switch to send traffic from multiple VLANS over a single link to a router that routes between the VLANs?

A. Port channel
B. Router-on-a-stick
C. Virtual trunking
D. Spanning-tree

 

Answer: B

Question 41

Which statement about native VLAN traffic over an 802.1Q trunk is true?

A. It is discarded by STP
B. It is placed in a high-priority queue
C. It is tagged with a value of 1
D. It is untagged

 

Answer: D

Question 42

Which feature allows a device to use a switch port that is configured for half-duplex to access the network?

A. Split horizon
B. CSMA/CD
C. IGMP
D. Port security

 

Answer: B

Explanation

CSMA/CD stands for Carrier Sense Multiple Access with Collision Detection. In an Ethernet LAN, before transmitting, a computer first listens to the network media. If the media is idle, the computer sends its data. If the media is not idle (another station is talking), the computer must wait for some time.

When a station transmits, the signal is referred to as a carrier. Carrier Sense means that before a station can send data onto an Ethernet wire, it has to listen to see if another “carrier” (of another station) is present. If another station is talking, this station will wait until there is no carrier present.

Multiple Access means that stations can access the network at any time. This is in contrast to a Token Ring network, where a station must hold the “token” before it can send data.

In short, CSMA/CD is the technology a half-duplex switch port uses to transmit. CSMA/CD is not necessary for a full-duplex switch port.

Question 43

Refer to the exhibit.

<exhibit missing>

If switch-A receives a frame with destination MAC address 0000.0000.0001 on its Fa0/1 interface, how does it process the frame?

A. It forwards the frame back out of interface Fa0/1
B. It floods the frame to all interfaces except Fa0/1
C. It holds the packet until the MAC address timer expires and then drops the frame
D. It drops the frame immediately

 

Answer: maybe B

Explanation

Because the exhibit is missing, we can only guess, but B is the most suitable answer in all cases. If the MAC address 0000.0000.0001 is new to the switch (this MAC does not yet exist in the MAC address table), then the answer is surely B.
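The learning and forwarding rules behind Question 35 and this question fit in a few lines, so here is an added example (not from the page) of a minimal switch model: it records only the source MAC of each frame against its ingress port, sends known unicast destinations to the learned port, and floods unknown unicast and broadcast frames out every port except the one the frame arrived on. Port names and MAC addresses are constructed; the model leaves out MAC address aging and VLANs.

```python
# Added example (not from the page): a minimal model of switch MAC learning
# and forwarding. Port names and MAC addresses are constructed; no aging
# timer and no VLANs are modelled.
import re
from typing import Dict, List, Sequence

BROADCAST = "ffff.ffff.ffff"


def normalize_mac(mac: str) -> str:
    """Accept 0000.0000.0001, 00:00:00:00:00:01 or 1111:1111:1111 and return
    the Cisco dotted-hex form so that lookups are format-independent."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


class Switch:
    def __init__(self, ports: Sequence[str]) -> None:
        self.ports = list(ports)
        self.mac_table: Dict[str, str] = {}  # MAC -> port it was learned on

    def receive(self, ingress: str, src: str, dst: str) -> List[str]:
        """Process one frame and return the list of egress ports."""
        if ingress not in self.ports:
            raise ValueError(f"unknown port {ingress!r}")
        src, dst = normalize_mac(src), normalize_mac(dst)
        # Learning: only the SOURCE address is recorded, keyed to the ingress
        # port (Question 35). The destination is never learned from a frame.
        self.mac_table[src] = ingress
        # Forwarding: broadcast and unknown unicast are flooded out all ports
        # except the ingress port (Question 43); known unicast goes to the
        # single port where that address was learned.
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != ingress]
        return [self.mac_table[dst]]


if __name__ == "__main__":
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    # Unknown destination on Fa0/1: flooded, and only the source is learned
    print(sw.receive("Fa0/1", "0000.0000.00aa", "0000.0000.0001"))
    print(sw.mac_table)
    # The reply teaches the switch where 0000.0000.0001 lives
    print(sw.receive("Fa0/3", "0000.0000.0001", "0000.0000.00aa"))
    # Now the same frame as at first is forwarded to one port only
    print(sw.receive("Fa0/1", "0000.0000.00aa", "0000.0000.0001"))
```

Running the demo shows the state the missing exhibit would have to contain for the answer to differ: only once 0000.0000.0001 has been seen as a source on some port does the switch stop flooding frames addressed to it.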

Question 44

When a router makes a routing decision for a packet that is received from one network and destined to another, which portion of the packet does it replace?

A. Layer 4 protocol
B. Layer 3 IP address
C. Layer 2 frame header and trailer
D. Layer 5 session

 

Answer: C

Explanation

During the transmission of a packet from source to destination, only Layer 2 information is replaced in the path. Layer 3 information remains the same (except when NAT is used).

Question 45

Which protocol can identify connected devices within a mixed-vendor infrastructure?

A. Virtual terminal protocol
B. Network time protocol
C. Link level discovery protocol
D. Cisco discovery protocol

 

Answer: C

Question 46

Which interface configuration is used with a router-on-a-stick configuration?

A. VRF
B. Subinterfaces
C. PIM sparse mode
D. Passive-interface

 

Answer: B

Question 47

You have configured the host computers on a campus LAN to receive their DHCP addresses from the local router to be able to browse their corporate site. Which statement about the network environment is true?

A. Two host computers may be assigned manually on each host
B. The DNS server must be configured manually on each host
C. It supports a DNS server for use by DHCP clients
D. The domain name must be configured locally on each host computer

 

Answer: C

Explanation

DHCP supports configuring a domain name to assign to the DHCP clients. For example:

Router(config)#ip dhcp pool CLIENTS
Router(dhcp-config)#domain-name 9tut.com

Question 48

Where is private IPv4 addressing used?

A. On the endpoints of a VPN tunnel that traverses outside an administrator domain
B. At a remote site that connects over public infrastructure to a hub
C. Within an enterprise
D. Over the internet

 

Answer: C

Question 49

Which protocol allows VLANs to be dynamically configured between multiple switches?

A. IGMP
B. STP
C. VTP
D. 802.1Q

 

Answer: C

Question 50

Client A cannot reach client B by its hostname. Which reason for the problem is most likely true?

A. The connected router is using the default domain lookup configuration
B. The hostname for client B is missing from the connected router
C. A DNS server has been misconfigured
D. Telnet has been disabled on the connected router.

 

Answer: C

Question 51

Which first step must a client perform to connect to an internal host when the hostname is known, but the IP address is unknown?

A. The client sends the host name in a DNS reply to a DNS server, and the DNS server responds with the host IP address
B. The client exchanges IP address information with a DNS server on the same LAN
C. The client looks up the hostname in the ARP table to determine the IP address
D. The client sends the host name in a DNS request to a DNS server, and the DNS server responds with the host IP address.

 

Answer: D

Explanation

When a client knows the hostname but not the IP address, it needs to resolve the hostname to the IP address by sending a DNS request to its DNS server.

Notice that the ARP table is responsible for resolving IP address to MAC address only. It has nothing to do with the hostname.

==================New Questions added on 9th-Dec-2017==================

Question 52

Which route option can be used as a backup in case of failure?

Answer: floating route

Question 53

Which of the following is true about TCP and UDP?

Answer: only TCP orders the transmitted packets

Question 54

If a switch receives a frame while forwarding others, how would the frame be handled?

A. It will interrupt the frames
B. The switch will put the frame in a queue
C. It will be forwarded at the same time as the current frame
D. The new frame will be forwarded first

 

Answer: C

Question 55

Which of the following is true about an access point?

A. It is used to physically connect network devices
B. It is used as a router
C. It provides full-duplex communication
D. It is a layer 2 device used to extend the LAN coverage to wireless devices

 

Answer: D

Question 56

Which of the following is used to identify the immediate destination?

A. Administrative distance
B. Metric
C. Next hop
D. Destination network

 

Answer: C

Question 57

Which of the following options could be used on a router to prevent it from reassigning a statically assigned IP address?

A. Pool
B. Lease
C. Client ID
D. Exclude address

 

Answer: D

Question 58

How will a router with default settings react when it receives a mistyped command?

A. Disable DNS look up
B. Recognizing the command
C. Try to resolve the command to an IP address
D. Try to correct the command
E. Show error message

 

Answer: C

Question 59

Which of the following ping output characters indicates an unknown packet type?

A. .
B. *
C. ?
D. U

 

Answer: C

Explanation

The table below lists the possible output characters from the ping facility:

Character   Description
!           Each exclamation point indicates receipt of a reply.
.           Each period indicates the network server timed out while waiting for a reply.
U           A destination unreachable error PDU was received.
Q           Source quench (destination too busy).
M           Could not fragment.
?           Unknown packet type.
&           Packet lifetime exceeded.

Reference: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html

Question 60

Which cables could be used for star topology? (Choose two)

A. 10 Base T
B. 100 Base T
C. 10 Base 5
D. 10 Base 2

 

Answer: A B

Question 61

Which of the following is true about dynamic routing?

A. It reduces the CPU load on the network
B. It is more secure than static routing
C. It complicates maintenance
D. It allows fast convergence when a failure happens

 

Answer: D

Question 62

What does RIPv2 use to select a route?

A. Hop count
B. Administrative distance
C. Bandwidth

 

Answer: A

Question 63

Which two of the following are characteristics of a local host route?

A. /32 prefix
B. 255.255.255.0
C. The administrative distance is 0
D. Dynamically learned
E. ?

 

Answer: A C

Question 64

Which attributes change along the whole path? (Choose two)

A. MAC destination address
B. MAC destination address
C. IP Source address
D. IP Source address

 

Answer: A B

Question 65

Why does a host use a DNS server?

A. DNS client request to server
B. To resolve IP to FQDN
C. To resolve FQDN to IP
D. Assign IP
E. Verify connection

 

Answer: C

FQDN (Fully Qualified Domain Name)

==================New Questions added on 9th-Aug-2018==================

Question 66

What time zone is set by default on the router?

A. GMT
B. UMT

 

Answer: A

Explanation

By default, the router uses UTC, also called Coordinated Universal Time. UTC, formerly known as Greenwich Mean Time (GMT), has become the worldwide standard for time and date.