642-832 exam

Cisco 642-832 642-832 Troubleshooting and Maintaining Cisco IP Switched Networks (TSHOOT) Practice Test Version

Upload: solomon-mac

Post on 24-Oct-2014


ActualTests.com

QUESTION NO: 1

Which two statements about the Cisco Aironet Desktop Utility (ADU) are true? (Select two)

A. The Aironet Desktop Utility (ADU) profile manager feature can create and manage only one

profile for the wireless client adapter.

B. The Aironet Desktop Utility (ADU) can support only one wireless client adapter installed and

used at a time.

C. The Aironet Desktop Utility (ADU) can be used to establish the association between the client

adapter and the access point, manage authentication to the wireless network, and enable

encryption.

D. The Aironet Desktop Utility (ADU) and the Microsoft Wireless Configuration Manager can be

used at the same time to configure the wireless client adapter.

Answer: B,C

Explanation:

You can configure your Cisco Aironet Wireless LAN Client Adapter through the Cisco ADU or a

third-party tool, such as the Microsoft Wireless Configuration Manager. Because third-party tools

may not provide all the functionality available in ADU, Cisco recommends that you use ADU.

The Aironet Desktop Utility (ADU) can support only one wireless client adapter. It also establishes the association between the client adapter and the access point, authenticates the wireless client, and configures encryption by setting static WEP or a WPA/WPA2 passphrase.

Section 3: Perform routine IOS device maintenance (0 Questions)

Section 4: Isolate sub-optimal internetwork operation at the correctly defined OSI Model layer (2

Questions)

QUESTION NO: 2

At which layer of the OSI model does the Spanning Tree Protocol (STP) operate?

A. Layer 5


B. Layer 4

C. Layer 3

D. Layer 2

E. Layer 1

Answer: D

Explanation:

Spanning-Tree Protocol (STP) is a Layer 2 (L2) protocol designed to run on bridges and switches.

The specification for STP is called 802.1d. The main purpose of STP is to ensure that you do not

run into a loop situation when you have redundant paths in your network. Loops are deadly to a

network.

QUESTION NO: 3

In computer networking a multicast address is an identifier for a group of hosts that have joined a

multicast group. Multicast addressing can be used in the Link Layer (OSI Layer 2), such as

Ethernet Multicast, as well as at the Internet Layer (OSI Layer 3) as IPv4 or IPv6 Multicast. Which

two descriptions are correct regarding multicast addressing?

A. The first 23 bits of the multicast MAC address are 0x01-00-5E. This is a reserved value that

indicates a multicast application.

B. The last 3 bytes (24 bits) of the multicast MAC address are 0x01-00-5E. This is a reserved

value that indicates a multicast application.

C. To calculate the Layer 2 multicast address, the host maps the last 23 bits of the IP address into

the last 24 bits of the MAC address. The high-order bit is set to 0.

D. The first 3 bytes (24 bits) of the multicast MAC address are 0x01-00-5E. This is a reserved

value that indicates a multicast application.

Answer: C,D

Explanation:

The point of this question is the form of multicast MAC address, and the conversion between the

multicast MAC address and IP address.

The multicast MAC address is 6 bytes (48 bits). The first 3 bytes (24 bits) of the multicast MAC address are 0x01-00-5E. The last 3 bytes (24 bits) of the multicast MAC address consist of a 0 bit followed by the last 23 bits of the IP address. "0x01-00-5E" is a reserved value that indicates a multicast application.

So option B and D are correct.

QUESTION NO: 4


EIGRP is being used as the routing protocol on the company network. While troubleshooting some

network connectivity issues, you notice a large number of EIGRP SIA (Stuck in Active) messages.

What causes these SIA routes? (Select two)

A. The neighboring router stops receiving ACK packets from this router.

B. The neighboring router starts receiving route updates from this router.

C. The neighboring router is too busy to answer the query (generally caused by high CPU

utilization).

D. The neighboring router is having memory problems and cannot allocate the memory to process

the query or build the reply packet.

Answer: C,D

Explanation:

SIA routes are due to the fact that reply packets are not received. This could be caused by a

router which is unable to send reply packets. The router could have reached the limit of its

capacity, or it could be malfunctioning.

Incorrect Answers:

A: Missing replies, not missing ACKs, cause SIA.

B: Route updates do not cause SIA.

Notes: If a router does not receive a reply to all outstanding queries within 3 minutes, the route goes to the stuck in active (SIA) state. The router then resets the neighbors that fail to reply by going active on all routes known through that neighbor, and it re-advertises all routes to that neighbor.

Reference: Enhanced Interior Gateway Routing Protocol http://www.cisco.com/warp/public/103/eigrp3.html

QUESTION NO: 5

Part of the routing table of router R1 is displayed below:

S 62.99.153.0/24 [1/0] via 209.177.64.130

172.209.12.0/32 is subnetted, 1 subnets

D EX 172.209.1

[170/2590720] via 209.179.2.114, 06:47:28, Serial0/0/0.1239

62.113.17.0/24 is variably subnetted, 2 subnets, 2 masks

D EX 99.3.215.0/24

[170/27316] via 209.180.96.45, 09:52:10, FastEthernet11/0/0

[170/27316] via 209.180.96.44, 09:52:10, FastEthernet11/0/0

25.248.17.0/24

[90/1512111] via 209.179.66.25, 10:33:13, Serial0/0/0.1400001

[90/1512111] via 209.179.66.41, 10:33:13, Serial0/0/0.1402001

62.113.1.0/24 is variably subnetted, 12 subnets, 2 masks

D 62.113.1.227/32


[90/2611727] via 209.180.96.45, 10:33:13, FastEthernet1/0/0

[90/2611727] via 209.180.96.44, 10:33:13, FastEthernet1/0/0

S* 0.0.0.0/0 [1/0] via 209.180.96.14

From analyzing the above command output, what is the administrative distance of the external

EIGRP routes?

A. 24

B. 32

C. 90

D. 170

E. 27316

F. None of the other alternatives apply

Answer: D

Explanation:

By default an external EIGRP route has an administrative distance of 170. By examining the exhibit we see that this default value of the external EIGRP routes (see D EX in exhibit) is indeed set to 170. The first value within the brackets displays the AD, so with a value of [170/27316] the AD is 170 and the metric of the route is 27316.

Incorrect Answers:

A: This is the subnet mask used for some of the routes in the table.

B: This is the subnet mask used for some of the routes in the table.

C: This is the AD of the internal EIGRP routes, which is the default.

E: This is the EIGRP metric of the external EIGRP routes.

Reference: What Is Administrative Distance? http://www.cisco.com/warp/public/105/admin_distance.html

QUESTION NO: 6

The network is shown below, along with the relevant router configurations:

R1# show run

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0
 ip address 172.29.1.1 255.255.255.0
 media-type 10BaseT
!
!
router eigrp 999
 redistribute connected
 network 172.29.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
no ip http server

R2# show run

interface Ethernet0
 ip address 172.29.1.2 255.255.255.0
 media-type 10BaseT
!
interface Ethernet1
 ip address 172.19.2.2 255.255.255.0
 media-type 10BaseT
!
router eigrp 999
 network 172.19.0.0
 network 172.29.0.0
!
ip classless
no ip http server

R3# show run

interface Ethernet1/0
 ip address 172.19.2.3 255.255.255.0
!
router eigrp 999
 network 172.19.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip http server

With the topology found in the graphic, what will the R1 loopback 0 be in the R3 routing table?

A. It will show up in the routing table as D 10.0.0/8.


B. It will show up in the routing table as D EX 10.0.0.0/8.

C. It will show up in the routing table as D 10.0.0./24.

D. It will not show up in R3 routing table because there is no network command on R1.

Answer: B

Explanation:

Because router R1 is configured with route redistribution, it will redistribute the connected

loopback network into EIGRP. Because redistributed routes will show up as external EIGRP

routes in the routing table, choice B is correct. Although the loopback interface is using a /24

subnet mask, EIGRP summarizes at network boundaries by default so the network will appear as

the class A network of 10.0.0.0/8 in the routing table of the other routers.

Incorrect Answers:

A: The route will be external, since it was redistributed into EIGRP.

C: It will be external because of redistribution, and it will also be summarized since that is the

default behavior of EIGRP.

D: Although it was not configured under the EIGRP network command, it would be redistributed

because it is a connected route.

QUESTION NO: 7

The EIGRP network is displayed in the following topology diagram:

You work as a network technician. Study the exhibits carefully. If the command "variance 3" was

added to the EIGRP configuration of R5, which path or paths would be chosen to route traffic from

R5 to network X?

A. R5-R2-R1

B. R5-R2-R1 and R5-R3-R1.

C. R5-R3-R1 and R5-R4-R1.


D. R5-R2-R1,R5-R3-R1, and R5-R4-R1.

Answer: B

Explanation:

Every routing protocol supports equal cost path load balancing. In addition, Interior Gateway

Routing Protocol (IGRP) and EIGRP also support unequal cost path load balancing. Use the

variance n command in order to instruct the router to include routes with a metric of less than n

times the minimum metric route for that destination. The variable n can take a value between 1

and 128. The default is 1, which means equal cost load balancing. Traffic is also distributed

among the links with unequal costs, proportionately, with respect to the metric.

In this question the variance 3 command is used. In this instance, R5 can get to Net X using the path R5-R3 = metric of 10, and R3-R1 = 10 as well, with the FD between R5 - R1 being 10 + 10 = 20. Therefore, we can load balance on any route that has an FD of 3x the successor, or 3x20, which is 60.

Important Note: If a path does not meet the feasibility condition, the path is not used in load balancing. This is why choice D is wrong, as this path has an Advertised Distance of 25, which is greater than the successor's FD. The link below refers to an example that is nearly identical to the example in this question, except theirs used a variance of 2 and this question used a variance of 3.

Reference:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009437d.shtml

QUESTION NO: 8

The following command was issued on Router 2:

Given the output shown above, which statement is true?

A. 192.168.1.0 is a redistributed route into EIGRP.

B. 192.168.1.0 is a summarized route.

C. 192.168.1.0 is a static route.

D. 192.168.1.0 is equal path load balancing with 172.16.1.0.

E. None of the other alternatives apply

Answer: A


Explanation:

When EIGRP learns routing information from a different routing protocol, it uses the D EX symbol to indicate that this routing information was learned from another routing protocol.

QUESTION NO: 9

A network administrator is troubleshooting an EIGRP connection between RouterA, IP address

10.1.2.1, and RouterB, IP address 10.1.2.2. Given the debug output on RouterA, which two

statements are true?

A. RouterA received a hello packet with mismatched metric-calculation mechanisms.

B. RouterA received a hello packet with mismatched authentication parameters.

C. RouterA will form an adjacency with RouterB.

D. RouterA received a hello packet with mismatched autonomous system numbers.

E. RouterA received a hello packet with mismatched hello timers.

F. RouterA will not form an adjacency with RouterB.

Answer: A,F

Explanation:

Metrics are the mathematics used to select a route. The higher the metric associated with a route,

the less desirable it is. For EIGRP, the Bellman-Ford algorithm uses the following equation and

creates the overall 24-bit metric assigned to a route:

* metric = [(K1 × bandwidth) + [(K2 × bandwidth) ÷ (256 - load)] + (K3 × delay)] × [K5 ÷ (reliability + K4)]

The elements in this equation are as follows:

* By default, K1 = K3 = 1, K2 = K4 = K5 = 0. Therefore, by default, the metric formula reduces to:

metric = (1 × bandwidth) + (1 × delay)

metric = bandwidth + delay

K values should be the same for routers to become EIGRP neighbors.

QUESTION NO: 10

Study the exhibit below carefully:


If the configuration shown below is added to Router1, which three route entries will EIGRP

advertise to neighboring routers? (Select three)

router eigrp 10

network 10.0.0.0

eigrp stub

A. 192.168.20.0/24

B. 10.1.2.0/24

C. 10.1.1.0/24

D. 10.1.3.0/24

E. 10.0.0.0/8

Answer: C,D,E

Explanation:

The Enhanced Interior Gateway Routing Protocol (EIGRP) Stub Routing feature improves network

stability, reduces resource utilization, and simplifies stub router configuration.

Stub routing is commonly used in a hub and spoke network topology. In a hub and spoke network,

one or more end (stub) networks are connected to a remote router (the spoke) that is connected to

one or more distribution routers (the hub). The remote router is adjacent only to one or more

distribution routers. The only route for IP traffic to follow into the remote router is through a

distribution router. This type of configuration is commonly used in WAN topologies where the

distribution router is directly connected to a WAN. The distribution router can be connected to

many more remote routers. Often, the distribution router will be connected to 100 or more remote

routers. In a hub and spoke topology, the remote router must forward all nonlocal traffic to a

distribution router, so it becomes unnecessary for the remote router to hold a complete routing

table. Generally, the distribution router need not send anything more than a default route to the

remote router.

When using the EIGRP Stub Routing feature, you need to configure the distribution and remote

routers to use EIGRP, and to configure only the remote router as a stub. Only specified routes are

propagated from the remote (stub) router. The router responds to queries for summaries,

connected routes, redistributed static routes, external routes, and internal routes with the message

"inaccessible." A router that is configured as a stub will send a special peer information packet to

all neighboring routers to report its status as a stub router.


Any neighbor that receives a packet informing it of the stub status will not query the stub router for

any routes, and a router that has a stub peer will not query that peer. The stub router will depend

on the distribution router to send the proper updates to all peers.

QUESTION NO: 11

Refer to the exhibit. EIGRP has been configured on routers R1 and R2. However, R1 does not

show R2 as a neighbor and does not accept routing updates from R2. What could be the cause of

the problem?

A. The no auto-summary command has not been issued under the EIGRP process on both

routers.

B. Interface E0 on router R1 has not been configured with a secondary IP address of 10.1.2.1/24.

C. EIGRP cannot exchange routing updates with a neighbor's router interface that is configured

with two IP addresses.

D. EIGRP cannot form neighbor relationship and exchange routing updates with a secondary

address.

Answer: D

Explanation:

Remember that simple distance vector routers do not establish any relationship with their

neighbors. RIP and IGRP routers merely broadcast or multicast updates on configured interfaces.

In contrast, EIGRP routers actively establish relationships with their neighbors, much the same

way that OSPF routers do.

EIGRP routers establish adjacencies with neighbor routers by using small hello packets. Hellos are sent by default every five seconds. An EIGRP router assumes that as long as it is receiving hello packets from known neighbors, those neighbors (and their routes) remain viable. By forming adjacencies, EIGRP routers do the following:

* Dynamically learn of new routes that join their network

* Identify routers that become either unreachable or inoperable

* Rediscover routers that had previously been unreachable

QUESTION NO: 12

While troubleshooting an EIGRP routing problem you notice that one of the company routers has generated a large number of SIA messages. What are two possible causes for EIGRP Stuck-In-Active routes? (Select two)

A. Some query or reply packets are lost between the routers.

B. The neighboring router starts receiving route updates from this router.

C. A failure causes traffic on a link between two neighboring routers to flow in only one direction

(unidirectional link).

D. The neighboring router stops receiving ACK packets from this router.

Answer: A,C

Explanation:

The acknowledgements do not reach the destination or they are too delayed. This is normally due to too many routing topology changes, or a router with insufficient memory.

Note: In some circumstances, it takes a very long time for a query to be answered. So long, in fact,

that the router that issued the query gives up and clears its connection to the router that isn't

answering, effectively restarting the neighbor session. This is known as a stuck in active (SIA)

route. The most basic SIA routes occur when it simply takes too long for a query to reach the other

end of the network and for a reply to travel back.

Incorrect Answers:

B: Does not apply to SIA. This is the normal operation of EIGRP.

D: Ack packets don't reply to Queries, only Replies do.

Reference: http://www.cisco.com/warp/public/103/eigrp3.html

QUESTION NO: 13

EIGRP uses five generic packet types (hello, updates, queries, replies, acknowledgements). If you

wished to view the statistics for these packets, which IOS command should you use?

A. debug eigrp packets

B. show ip eigrp traffic

C. show ip eigrp topology


D. show ip eigrp neighbors

Answer: B

Explanation:

The show ip eigrp traffic command displays the number of Enhanced IGRP (EIGRP) packets sent

and received.

Example:

The following is sample output from the show ip eigrp traffic command:

Router# show ip eigrp traffic

IP-EIGRP Traffic Statistics for process 77

Hellos sent/received: 218/205

Updates sent/received: 7/23

Queries sent/received: 2/0

Replies sent/received: 0/2

Acks sent/received: 21/14

Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5a9.html#wp1018815

QUESTION NO: 14

While troubleshooting a routing problem on the company EIGRP network you discover that one of

the routers is failing to establish adjacencies with its neighbor. What is a likely cause of this

problem between neighbors? (Select two)

A. The K-values do not match.

B. The hold times do not match.

C. The hello times do not match.

D. The AS numbers do not match.

Answer: A,D

Explanation:

Peer relationships and adjacencies between routers will not be formed between EIGRP routers if

the neighbor resides in a different autonomous system or if the metric-calculation mechanism (K

values) is misaligned for that link.

Incorrect Answers:

B: It is possible for two routers to become EIGRP neighbors even though the hello and hold timers do not match.

C: It is possible for two routers to become EIGRP neighbors even though the hello and hold timers do not match.

Section 2: Troubleshoot OSPF (9 Questions)

QUESTION NO: 15

QUESTION NO: 16

Refer to the exhibit. On the basis of the information presented, which statement is true?

A. OSPF router 5.0.0.2 is an ABR.

B. Network 6.0.0.0/8 was learned from an OSPF neighbor within the area.

C. The default route is learned from an OSPF neighbor.

D. A default route is configured on the local router.

Answer: B

Explanation:

In this example, the network 6.0.0.0/8 shows that it was learned via IA, or Inter-area. Since this came from a neighbor in a different area, then the neighbor router at 5.0.0.2 must be an ABR.

The various route types used by OSPF are:

QUESTION NO: 17

DR (Designated Router) is for environments where many routers are on the same network, such as Ethernet. In the following presented network, all routers are reloaded simultaneously, and DR is selected as expected. What is the CK-RTC status?


A. 2WAY/BDR

B. FULL/BDR

C. 2WAY/DROTHER

D. 2WAY/DR

E. FULL/DROTHER

F. FULL/DR

G. None of the other alternatives apply

Answer: E

Explanation:

How OSPF Forms Its Neighbors:

In this example topology, all routers are running Open Shortest Path First (OSPF) over the

Ethernet network:


This is sample output of the show ip ospf neighbor command on R7 and R8:

R7# show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

170.170.3.4 1 2WAY/DROTHER 00:00:34 170.170.3.4 Ethernet0

170.170.3.3 1 2WAY/DROTHER 00:00:34 170.170.3.3 Ethernet0

170.170.3.8 1 FULL/DR 00:00:32 170.170.3.8 Ethernet0

170.170.3.2 1 FULL/BDR 00:00:39 170.170.3.2 Ethernet0

Notice that R7 establishes full adjacency only with the Designated Router (DR) and the Backup

Designated Router (BDR). All other routers have a two-way adjacency established. This is normal

behavior for OSPF.

In this case, the "show ip ospf neighbor" is performed on R4. R4 is the DR (due to higher router ID) so it will have FULL adjacency with all routers including R2. If the "show ip ospf neighbor" had been performed on R1, then it would show 2way/drother with R2.

Router4# show ip ospf neighbor

Neighbor ID     Pri  State          Dead Time  Address      Interface
192.168.1.1     1    FULL/DROTHER   00:00:31   192.168.1.1  FastEthernet0/0
192.168.1.2     1    FULL/DROTHER   00:00:31   192.168.1.2  FastEthernet0/0
192.168.1.3     1    FULL/BDR       00:00:31   192.168.1.3  FastEthernet0/0

Router1# show ip ospf neighbor

Neighbor ID     Pri  State          Dead Time  Address      Interface
192.168.1.2     1    2WAY/DROTHER   00:00:35   192.168.1.2  FastEthernet0/0
192.168.1.3     1    FULL/BDR       00:00:35   192.168.1.3  FastEthernet0/0
192.168.1.4     1    FULL/DR        00:00:35   192.168.1.4  FastEthernet0/0

Reference:

www.cisco.com/en/US/customer/tech/tk365/technologies_tech_note09186a0080094059.shtml

QUESTION NO: 18

While troubleshooting some connectivity issues, you issue the "show ip ospf database" in order to

examine the link state database. Which three of the statements below are true regarding the

OSPF link state database? (Select three)

A. Each router has an identical link state database.

B. External routes are imported into a separate link state database.

C. Synchronization of link state databases is maintained via flooding of LSAs.

D. Information in the link state database is used to build a routing table by calculating a shortest-

path tree.

E. By default, link state databases are refreshed every 10 minutes in the absence of topology

changes.


Answer: A,C,D

Explanation:

The Link state database is a collection of link state advertisement for all routers and networks.

Each router in the OSPF network maintains an identical database. LSA flooding occurs whenever

there is a change in the OSPF topology, ensuring that the databases are synchronized. OSPF

also uses the SPF algorithm to build the database tables.

Incorrect Answers:

B: Only one link state database is maintained, and it is used for all OSPF routes.

E: The default refresh time is 30 minutes.

Reference: Building Scalable Cisco Networks (Cisco Press) page 178.

QUESTION NO: 19

Which command should you use to verify what networks are being routed by a given OSPF

process?

A. show ip ospf

B. show ip route

C. show ip protocol

D. show ip ospf database

E. None of the other alternatives apply

Answer: C

Explanation:

The information displayed by the show ip protocols command is useful in debugging routing

operations. Information in the Routing Information Sources field of the show ip protocols output

can help you identify a router suspected of delivering bad routing information. For OSPF routers,

this command will display the routed networks.

Incorrect Answers:

A: To display general information about Open Shortest Path First (OSPF) routing processes, use the show ip ospf command in EXEC mode. This command will display the areas assigned and other useful information, but not the networks being routed.

Example:

R1# show ip ospf
Routing Process "ospf 201" with ID 192.42.110.200
Supports only single TOS(TOS0) route
It is an area border and autonomous system boundary router
Redistributing External Routes from,
 igrp 200 with metric mapped to 2, includes subnets in redistribution
 rip with metric mapped to 2
 igrp 2 with metric mapped to 100
 igrp 32 with metric mapped to 1
Number of areas in this router is 3
Area 192.42.110.0
 Number of interfaces in this area is 1
 Area has simple password authentication
 SPF algorithm executed 6 times

B: This will display the active routing table, but not the networks that are being routed.

D: The OSPF database does not display the networks being routed.


QUESTION NO: 20

You have a multi-area OSPF network and you're concerned because one of the sites is having connectivity problems to resources in a different area. Which IOS privileged mode command would you enter to confirm that your network: A) has a path to its ABR, B) has a path to its ASBR, and C) the SPF calculation is functional?

A. show ip protocols

B. show running-config

C. show ip ospf neighbor

D. show ip ospf border-routers

Answer: D

Explanation:

The show ip ospf border-routers command displays the internal OSPF routing table entries to an

area border router (ABR) and autonomous system boundary router (ASBR). The SPF No in the

output is the internal number of SPF calculation that installs this route.

Example:

Router R# show ip ospf border-routers

OSPF Process 109 internal Routing Table

Destination     Next Hop       Cost  Type  Rte Type  Area     SPF No
160.89.97.53    144.144.1.53   10    ABR   INTRA     0.0.0.3  3
160.89.103.51   160.89.96.51   10    ABR   INTRA     0.0.0.3  3
160.89.103.52   160.89.96.51   20    ASBR  INTER     0.0.0.3  3
160.89.103.52   144.144.1.53   22    ASBR  INTER     0.0.0.3  3

Incorrect Answers:

A: The show ip protocols command only displays routing protocol parameters and current timer

values.

B: The show running-config command displays the currently used configuration mode. The

required information will not be displayed.

C: The show ip ospf neighbor command displays OSPF-neighbor information on a per-interface

basis. It does not include ABR, ASBR or SPF information.

QUESTION NO: 21

An OSPF link can be in multiple states at any given moment (i.e., exstart, exchange, full). Which two IOS commands let you view the state of the link? (Select two)


A. show ip ospf

B. show ip protocols

C. show ip ospf neighbor

D. show ip ospf interface

Answer: C,D

Explanation:

The link state exstart is an OSPF link state (see note below). We need to retrieve OSPF link state information.

C: The output of the show ip ospf neighbor command is used to display OSPF-neighbor information on a per-interface basis. It includes link state information.

D: The show ip ospf interface command is used to display OSPF-related interface information for

a particular interface. This includes the link state of the specified interface.

Note: exstart state: After two OSPF neighboring routers establish bi-directional communication

and complete DR/BDR election (on multi-access networks), the routers transition to the exstart

state.

Incorrect Answers:

A: The show ip ospf command is used to display general information about OSPF routing processes. However, it does not include any link state information.

B: The command "show ip protocols" displays the parameters and current state of the active routing protocol process. It does not show any link state information.

QUESTION NO: 22

Which command would display OSPF parameters such as filters, default metric, maximum paths,

and number of areas configured on a router?

A. show ip protocol

B. show ip route

C. show ip ospf interface

D. show ip ospf

E. show ip interface

F. None of the other alternatives apply

Answer: A

Explanation:

The "show ip protocol" command displays values about routing timers and network information associated with the entire router. This includes the AS number associated with the routing process, number of areas configured on the router, the metric, and the maximum paths.


QUESTION NO: 23

Exhibit:

You work as a network technician. Your trainee shows you the IOS command output displayed in the exhibit. What command did Tess use to produce this output?

A. show ip RIP

B. show ipv6 ospf

C. show ip ospf

D. show ip ospf interface

E. show ipv6 ospf interface

F. show ipv4 ospf

G. None of the other alternatives apply

Answer: B

Explanation:

In this case we can see that OSPFv3 is being used, and since OSPFv3 is used exclusively for

IPv6 networks we know that the correct answer must be "show ipv6 ospf." To display general

information about Open Shortest Path First (OSPF) routing processes, use the show ipv6 ospf

command in user EXEC or privileged EXEC mode.

Example:

The following is sample output from the show ipv6 ospf command:

Router# show ipv6 ospf

Routing Process "ospfv3 1" with ID 10.10.10.1

SPF schedule delay 5 secs, Hold time between two SPFs 10 secs


Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs

LSA group pacing timer 240 secs

Interface flood pacing timer 33 msecs

Retransmission pacing timer 66 msecs

Number of external LSA 0. Checksum Sum 0x000000

Number of areas in this router is 1. 1 normal 0 stub 0 nssa

Area BACKBONE(0)

Number of interfaces in this area is 1

MD5 Authentication, SPI 1000

SPF algorithm executed 2 times

Number of LSA 5. Checksum Sum 0x02A005

Number of DCbitless LSA 0

Number of indication LSA 0

Number of DoNotAge LSA 0

Flood list length 0

Reference: http://www.cisco.com/en/US/docs/ios/12_3t/ipv6/ipv6_15g.html#wp2139460

QUESTION NO: 24

Which IOS command would you use to find out which networks are routed by a particular OSPF

process?

A. show ospf

B. show ip route

C. show ip protocols

D. show ip ospf database

E. None of the other alternatives apply

Answer: C

Explanation:

The show ip protocols command displays the current routing protocols. It displays the parameters

and current state of the active routing protocol process. The output includes a list of the networks

being routed by individual OSPF processes.

Sample output:

Rt Router # show ip protocols

Routing Protocol is "ospf 200"

Sending updates every 0 seconds

Invalid after 0 seconds, hold down 0, flushed after 0

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Redistributing: ospf 200

Routing for Networks:

172.6.31.5/32

Routing Information Sources:

Gateway Distance Last Update

Distance: (default is 110)

Incorrect Answers:

A: The show ospf command displays summary information regarding the global OSPF

configuration.

B: The show ip route command displays the IP routing table.

D: The show ip ospf database command displays the contents of the topological database

maintained by the router. The command also shows the router ID and the OSPF process ID.

However, the output does not include the networks being routed by individual OSPF processes.

Section 3: Troubleshoot eBGP (21 Questions)

QUESTION NO: 25

A problem was reported that the 10.10.10.0/24 prefix was not injected into the local BGP table on

a Company router named R1. The following information is available from this router:

R1 Configuration:

router bgp 65001

network 10.0.0.0

neighbor 172.16.1.1 remote-as 65002

no auto-summary

Routing table information:

show ip route | include 10

O 10.10.10.0/24 [110/11] via 192.168.1.1, 2d00h, Ethernet0/0

Why is this prefix not in the local BGP table of the R1?

A. The 172.16.1.1 neighbor is down.

B. The prefix 10.10.10.0/24 is not a 'connected' route.

C. This route is not a BGP learned route.

D. The network command is wrong.

E. None of the other alternatives apply

Answer: D

Explanation:

The network command is used with IGPs, such as RIP, to determine the interfaces on which to

send and receive updates. The command also indicates which directly connected networks to

advertise. However, when configuring BGP, the network command does not affect what interfaces

BGP runs on. Therefore, configuring just a network statement will not establish a BGP neighbor

relationship. This is a major difference between BGP and IGPs. The network statement follows

this syntax:

Router(config-router)# network network-number [ mask network-mask ]

In BGP, the network command tells the BGP process what locally learned networks to advertise.

The networks can be connected routes, static routes, or routes learned by way of a dynamic

routing protocol, such as RIP. These networks must also exist in the routing table of the local

router or they will not be sent out in updates. The mask keyword can be used with the network

command to specify individual subnets. Routes learned by the BGP process are propagated by

default but are often filtered by a routing policy. In this example, the correct syntax should be

"network 10.10.10.0 mask 255.255.255.0" under the BGP routing process. Without the correct

subnet mask specified, the route will not get injected into the BGP routing table, even if it is

learned via an IGP. In this case, the route is known via OSPF.

QUESTION NO: 26

Which IOS command would you enter if you wanted to view a list of IBGP and EBGP neighbor

relationships that are configured?

A. show ip bgp

B. show ip bgp paths

C. show ip bgp peers

D. show ip bgp summary

E. show ip bgp protocols

Answer: D

Explanation:

The show ip bgp summary command displays the status of all BGP connections. Neighbors with

corresponding AS values will be listed; both interior and external.

Incorrect Answers:

A: The show ip bgp command displays routes in the BGP routing table, not the neighbors.

B: The show ip bgp paths command is used to display all the BGP paths in the database.

However, it does not list the neighbors.

C: There is no such command.

E: There is no such command.

Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt1/1rbgp.htm

QUESTION NO: 27

Which two of the following descriptions are correct according to the displayed output of the

command show ip bgp summary? (Choose two.)

A. The BGP session to the 10.1.1.1 neighbor is established.

B. The router is trying to create a BGP peering session with the 10.1.1.1 neighbor.

C. The BGP session to the 10.3.3.3 neighbor is created, but the router received no BGP routing

updates from the 10.3.3.3 neighbor.

D. The router is attempting to establish a BGP peering session with the 10.2.2.2 neighbor.

Answer: A,D

Explanation:

Show ip bgp summary command displays the summary of all BGP connections.

The six states of the BGP FSM are described as follows:

* Idle - Idle is the first state of a BGP connection. BGP is waiting for a start event. It is normally

initiated by an administrator or a network event. At the start event, BGP initializes its resources

and resets a connect retry timer. Then it starts listening for a TCP connection. Note that BGP can

transition back to Idle from any other state in case of errors.

* Connect - In the Connect state, BGP is waiting for the TCP connection to be completed. If the

TCP connection is successful, the state transitions to OpenSent. If the TCP connection fails, the

state transitions to the Active state, and the router tries to connect again. If the connect retry timer

expires, the state remains in the Connect state, the timer is reset, and a TCP connection is

initiated. In case of any other event, initiated by the system or the administrator, the state returns

to Idle.

* Active - In the Active state, BGP is trying to acquire a peer by initiating a TCP connection. If it

is successful, it transitions to OpenSent. If the connect retry timer expires, BGP restarts the

connect timer and returns to the Connect state. While active, BGP is still listening for a connection

that may be initiated from another peer. The state may go back to Idle in case of other events,

such as a stop event initiated by the system or the operator.

In general, a neighbor state that is switching between "Connect" and "Active" is an indication that

something is wrong and that there are problems with the TCP connection. It could be because of

many TCP retransmissions, or the incapability of a neighbor to reach the IP address of its peer.

* OpenSent - In the OpenSent state, BGP is waiting for an open message from its peer. The

open message is checked for correctness. In case of errors, such as an incompatible version

number or an unacceptable AS, the system sends an error notification message and goes back to

idle. If there are no errors, BGP starts sending keepalive messages and resets the keepalive

timer. At this stage, the hold time is negotiated and the smaller value is taken. If the negotiated

hold time is zero (0), the hold timer and the keepalive timer are not restarted.

At the OpenSent state, BGP recognizes whether the peer belongs to the same AS or to a different

AS. BGP does this by comparing its AS number to the AS number of its peer. A same AS is an

IBGP peer and a different AS is an EBGP peer.

When a TCP disconnect is detected, the state falls back to Active. For any other errors, such as

an expiration of the hold timer, BGP sends a notification message with the corresponding error

code. Then it returns to the Idle state.

* OpenConfirm - While in OpenConfirm state, BGP is waiting for a keepalive or notification

message. If a keepalive message is received, the state goes to the Established state, and the

neighbor negotiation is complete. If the system receives an update or keepalive message, it

restarts the hold time, assuming that the negotiated hold time is not zero. If a notification message

is received, the state falls back to Idle. The system sends periodic keepalive messages at the rate

set by the keepalive timer. In the case of any TCP disconnect or in response to any stop event,

initiated by the system or the administrator, the state returns to Idle. In response to any other

event, the system sends a notification message with an FSM error code and returns to the Idle

state.

* Established - Established is the final state in the neighbor negotiation. BGP starts exchanging

update packets with its peers. If it is non-zero, the hold timer is restarted at the receipt of an

update or keepalive message.

QUESTION NO: 28

The "show ip bgp" command was issued on a Router as shown below:

Based on the Router2 output, which statement is true?

A. The best path to reach the 192.168.11.0 prefix is via 10.200.200.11.

B. The 192.168.11.0 and 192.168.12.0 prefixes were learned via EBGP from the 10.200.200.11

and 10.200.200.12 EBGP neighbors.

C. The best path to reach the 192.168.11.0 prefix is via both 10.200.200.11 and 10.200.200.12;

BGP will automatically load balance between the two.

D. The best path to reach the 192.168.11.0 prefix is via 10.200.200.12.

E. None of the other alternatives apply.

Answer: D

Explanation:

The best path to any given destination is noted by the ">" in the IP BGP table. In this case, the

best path to 192.168.11.0 is via next hop 10.200.200.12 due to the fact that the weight is higher

(101) than the path via the alternative next hop. Weight is a Cisco proprietary method for path

determination and the weight value is used above all other values. Within a router, the path with

the highest weight will be preferred.

QUESTION NO: 29

While verifying BGP operation on the Company router, you issue the "show ip bgp" command as

shown below:

routerR>show ip bgp

BGP table version is 1046033, local router ID is 198.32.162.100

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e EGP, ? -incomplete

Network Next Hop Metric LocPrf Weight Path

* > 143.16.0.0 128.214.63.2 0 400 0 200 1

* 143.16.0.0 192.208.10.5 0 300 0 300 1

* 143.16.0.0 143.16.63.5 0 100 0 200 1

* 143.16.0.0 203.250.13.41 0 100 0 500 1

From the information above, which path will the network 143.16.0.0 prefer to take to exit the AS?

A. 128.214.63.2

B. 192.208.10.5

C. 128.213.63.5

D. 203.250.13.41

E. All of the above will be used in a round robin fashion.

Answer: A

Explanation:

Local preference (LocPref) is a well-known discretionary attribute that provides an indication to

routers in the AS about which path is preferred to exit the AS. A path with a higher local

preference is more preferred. In this scenario the following entry has the highest local preference

value of 400.

Network Next Hop Metric LocPrf Weight Path

* > 128.213.0.0 128.214.63.2 0 400 0 200 1

The preferred exit path of the AS is therefore 128.214.63.2, as noted by the ">" which refers to the

best path for this destination.

QUESTION NO: 30

Refer to the exhibit. Router RTR is attempting to establish BGP neighbor relationships with routers

RT1 and RT3. On the basis of the information that is presented in the exhibit, which two

statements are true? (Choose two.)

A. RTR has a BGP password set but neighbor 10.0.0.1 does not.

B. Neighbor 10.0.0.5 has a BGP password set but RTR does not.

C. RTR has a BGP password set but neighbor 10.0.0.5 does not.

D. RTR has a BGP password set but neighbor 10.0.0.1 has an incorrect password set.

E. Neighbor 10.0.0.1 has a BGP password set but RTR does not.

F. RTR has a BGP password set but neighbor 10.0.0.5 has an incorrect password set.

Answer: A,F

Explanation:

The above log message means that there is an invalid MD5 password on one neighbor, where one

neighbor is configured for authentication while the other is not. If both sides were configured

and there was a password mismatch, the error message would indicate "Bad MD5 digest" not

"No MD5 digest."

Only one configuration step is required to use BGP password authentication; that step is enabling

password authentication on a peer-by-peer basis using the neighbor ip-address password

password command.

neighbor {ip-address | peer-group} password [0-7] password-string
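
The distinction drawn in the explanation above, between a peer with no password and a peer with the wrong password, can be read straight from a router's syslog. The following Python sketch is an added example, not part of the original practice test: the log lines are constructed (the exhibit is not reproduced on this page), the local addresses 10.0.0.2 and 10.0.0.6 are assumed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Matches the IOS %TCP-6-BADAUTH message. The page words the mismatch case
# "Bad MD5 digest"; the wording "Invalid MD5 digest" is treated as the same case.
BADAUTH = re.compile(
    r"%TCP-6-BADAUTH:?\s+(?P<kind>No|Bad|Invalid) MD5 digest "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\)"
)
BGP_PORT = 179

# Constructed sample log (addresses of the local router are assumptions).
SAMPLE_LOG = [
    "*Mar  1 00:12:01.104: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.1(179) to 10.0.0.2(11003)",
    "*Mar  1 00:12:03.551: %TCP-6-BADAUTH: Bad MD5 digest from 10.0.0.5(11027) to 10.0.0.6(179)",
    "*Mar  1 00:12:05.120: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.1(179) to 10.0.0.2(11003)",
    "*Mar  1 00:12:09.001: %BGP-5-ADJCHANGE: neighbor 10.0.0.9 Up",
    "*Mar  1 00:12:11.400: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.7(23) to 10.0.0.2(40000)",
]


def parse_badauth(line):
    """Return the fields of one BADAUTH line, or None if the line is something else."""
    m = BADAUTH.search(line)
    if m is None:
        return None
    return {
        # "No" -> the segment carried no digest at all; otherwise the digest was wrong.
        "kind": "missing" if m["kind"] == "No" else "mismatch",
        "sender": m["src"],      # the neighbor whose segment was rejected
        "receiver": m["dst"],    # the router that logged the message
        "bgp": BGP_PORT in (int(m["sport"]), int(m["dport"])),
    }


def diagnose(lines):
    """Map each rejected BGP neighbor to (verdict, number of rejected segments)."""
    seen = defaultdict(Counter)
    for line in lines:
        event = parse_badauth(line)
        if event and event["bgp"]:          # ignore non-BGP TCP sessions
            seen[event["sender"]][event["kind"]] += 1
    report = {}
    for peer, kinds in seen.items():
        if kinds["missing"] and kinds["mismatch"]:
            verdict = "both-seen"
        elif kinds["missing"]:
            # The logging router expects a digest, so it has a password; the peer has none.
            verdict = "peer-has-no-password"
        else:
            # Both ends sign their segments, but with different passwords.
            verdict = "password-mismatch"
        report[peer] = (verdict, sum(kinds.values()))
    return report


if __name__ == "__main__":
    for peer, (verdict, count) in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"{peer}: {verdict} ({count} rejected segments)")
```

Run against the logging router's own buffer, the per-neighbor verdict tells you which side's neighbor ... password line to correct before touching anything else.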

QUESTION NO: 31

A company has a BGP network and a BGP route of 196.27.125.0/24 that should be propagated to

all of the devices. The route is not now in any of the routing tables. The administrator determines

that an access list is the cause of the problem. The administrator changes the access list to allow

this route, but the route still does not appear in any of the routing tables. What should be done to

propagate this route?

A. Clear the BGP session.

B. Change both the inbound and outbound policy related to this route.

C. Use the service-policy command to adjust the QOS policy to allow the route to propagate.

D. Use the release BGP routing command.

Answer: A

Explanation:

When configuring BGP, changes made to an existing configuration may not appear immediately.

In order to force BGP to clear its table and reset BGP sessions, use the clear ip bgp * command:

Router# clear ip bgp *

The asterisk (*) is a wildcard that matches all table entries. Therefore, all BGP routes are lost while

the neighbor relationships are reset. This is expedient and very useful in a lab situation, but

caution should be exercised when issuing this command on a production router. On an Internet

backbone router, it may be more appropriate to use this command with a specific IP address, as

shown in the following:

Router# clear ip bgp 192.168.0.0

QUESTION NO: 32

Refer to the exhibit. Routers RTA and RTB are running BGP but the session is active. What

command needs to be added to establish the BGP session?

A. ip route 10.10.10.1 255.255.255.255 s0/0

ip route 10.10.10.1 255.255.255.255 s0/1

B. network 10.10.10.0

C. no synchronization

D. neighbor 10.10.10.1 next-hop-self

Answer: A

Explanation:

When BGP is running between routers in different autonomous systems, it is called External BGP

(EBGP). When BGP is running between routers in the same AS, it is called Internal BGP (IBGP).

BGP allows the path that packets take to be manipulated by the AS, as described in this module. It

is important to understand how BGP works to avoid creating problems for your AS as a result of

running BGP. A static route can be used to form an adjacency between EBGP neighbors.

QUESTION NO: 33

Refer to the exhibit. Router RT3 discovers network 202.176.56.0 via BGP. Which one of these

statements is true?

A. RT1 advertised network 202.176.50.0/24 with a metric of 782.

B. RT3 is directly connected to RT1 using subnet 192.168.1.0.

C. RT3 has an IGP metric of 782 to reach 192.168.1.1.

D. RT3 has a BGP metric of 782 to reach 192.168.1.1.

E. RT1 advertised network 202.176.50.0/24 with a metric of 1000.

F. RT3 has an IGP metric of 1782 to reach 202.176.56.0/24.

Answer: C

Explanation:

QUESTION NO: 34

Refer to the exhibit. On the basis of the information in the exhibit, which two statements are true?

(Choose two.)

A. When traffic is sent from the ISP to autonomous system 64512, the traffic will be forwarded to

SanJose2 because of the higher MED value of SanJose2.

B. The serial 0/0/1 interface on the ISP router has been configured with the set metric 50

command.

C. The output was generated by entering the show ip bgp command on the SanJose1 router.

D. The output was generated by entering the show ip bgp command on the ISP router.

E. The serial 0/0/1 interface on the ISP router has been configured with the set metric 75

command.

F. When traffic is sent from the ISP to autonomous system 64512, the traffic will be forwarded to

SanJose1 because of the lower MED value of SanJose1.

Answer: D,F

Explanation:

The "show ip route bgp" command will display any BGP-learned routes that make it into the IP

routing table; the command "show ip bgp" is required to display the contents of the actual BGP

routing table. This output was seen on ISP because the local router ID is 192.168.100.1 (ISP).

Since we know that this output must have been seen by ISP, we know the serial 0/0/1 interface

has been configured with a metric of 75, as this is the metric to the peer with IP address

192.168.1.2 (the other side of the serial 0/0/1 interface).

QUESTION NO: 35

Refer to the exhibit. All routers are configured for BGP. EBGP routes received on router R2 show

up in the BGP table on routers R1 and R3 but not in their IP routing tables. What would cause

this?

A. EBGP multihop is not configured on routers R1 and R3.

B. Routers R1 and R3 do not receive the same routes via an IGP.

C. Synchronization in autonomous system 100 is turned on.

D. The BGP routers in autonomous system 100 are not logically fully-meshed.

E. Synchronization in autonomous system 100 is turned off.

Answer: B,C

Explanation:

If your AS passes traffic from another AS to a third AS, BGP should not advertise a route before all

routers in your AS learn about the route via IGP. BGP waits until IGP propagates the route within

the AS and then advertises it to external peers. A BGP router with synchronization enabled does

not install iBGP learned routes into its routing table if it is not able to validate those routes in its

IGP. Issue the no synchronization command under router bgp in order to disable synchronization.

This prevents BGP from validating iBGP routes in IGP. In this scenario, the routers must learn of

the same route via an IGP, or synchronization should be turned off. Since this AS does not

appear to be a transit AS, the best solution would be to disable synchronization.

Reference: BGP Case Studies,

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#synch

QUESTION NO: 36

The network consists of two separate autonomous systems as shown below:

You need to configure Router R2 as a BGP route reflector and Router R1 as the client. Assuming

that Router R3 isn't running BGP, which two of the commands below would you enter on R2 to

satisfy your goals? (Select two)

A. neighbor 165.50.12.1 remote-as 65100

B. neighbor 165.50.12.2 remote-as 64000

C. neighbor 165.50.12.1 route-reflector-client

D. neighbor 165.50.12.2 route reflector-client

Answer: B,D

Explanation:

B: RouterR2(config-router)# neighbor 165.50.12.2 remote-as 64000

We configure router R1 (165.50.12.2) as a neighbor in AS 64000.

D: RouterR2(config-router)# neighbor 165.50.12.2 route-reflector-client

Configures the router R2 as a BGP route reflector and configures the specified neighbor R1

(165.50.12.2) as its client.

Incorrect Answers:

A: We must specify router R1 as neighbor, not R2 itself (165.50.12.1). Furthermore, we should use

the local AS (64000), not the remote AS 65100.

C: We must specify router R1 as route reflector client, not R2 itself (165.50.12.1).

QUESTION NO: 37

The network consists of a series of routers that are all configured for IBGP. Which one of the

following IBGP characteristics is true?

A. The IBGP routers must always be fully meshed.

B. The IBGP routers can be in a different AS.

C. The IBGP routers must be directly connected.

D. The IBGP routers do not need to be directly connected.

E. None of the other alternatives are true.

Answer: D

Explanation:

The IBGP routers do not have to be directly connected. The remote IBGP peers need only be

reachable via a TCP connection. For example, if the network is also running an interior routing

protocol such as EIGRP or OSPF, the remote IBGP router could be many hops away, as long as it

is reachable via the IGP that is being used.

Incorrect Answers:

A: Using route reflectors or confederations a full mesh topology is not necessary.

B: The IBGP routers must be placed in the same AS. Peers that are in different autonomous

systems are using EBGP, not IBGP.

C: The IBGP routers do not have to be directly connected.

QUESTION NO: 38

A BGP router is configured as shown below:

interface ethernet 0

ip address 10.10.10.1 255.255.0.0

!

int serial 0

ip address 172.16.1.1 255.255.255.252

!

router bgp 65001

neighbor 192.168.1.1 remote-as 65002

Based on the above configuration, which of the following BGP statements would inject the

10.10.0.0/16 prefix into the BGP routing table?

A. network 10.0.0.0

B. network 10.10.0.0 mask 255.255.0.0

C. network 10.10.10.1 mask 255.255.255.255

D. network 10.10.10.0 mask 255.255.255.0

E. network 10.0.0.0 mask 255.255.0.0

Answer: B

Explanation:

The /16 mask is equal to 255.255.0.0, so answer choice B matches the address and the mask. To

specify the route as classless, the mask keyword should be included or the network will be

summarized at the network boundary.
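
The exact-match rule behind this question and Question 25 can be checked mechanically. The following Python sketch is an added example, not part of the original practice test; it assumes auto-summary is disabled (as in Question 25), so a network statement without the mask keyword names the classful network and needs that exact prefix in the routing table. The function names are hypothetical.

```python
import ipaddress


def classful_prefixlen(address):
    """Prefix length of the natural (classful) mask for an IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return 8     # class A
    if first_octet < 192:
        return 16    # class B
    if first_octet < 224:
        return 24    # class C
    raise ValueError(f"{address} is class D/E and has no natural mask")


def statement_prefix(statement):
    """Turn 'network A.B.C.D [mask M]' into the exact prefix it names."""
    words = statement.split()
    if len(words) == 4 and words[0] == "network" and words[2] == "mask":
        # strict=True rejects an address with bits set outside the mask
        return ipaddress.IPv4Network(f"{words[1]}/{words[3]}", strict=True)
    if len(words) == 2 and words[0] == "network":
        # No mask keyword: the classful mask of the address is assumed.
        length = classful_prefixlen(words[1])
        return ipaddress.IPv4Network(f"{words[1]}/{length}", strict=False)
    raise ValueError(f"not a network statement: {statement!r}")


def connected_routes(interfaces):
    """Routing-table entries created by configured (ip, mask) interface addresses."""
    return {
        ipaddress.IPv4Interface(f"{ip}/{mask}").network: "connected"
        for ip, mask in interfaces
    }


def injected(statement, routing_table):
    """Prefix the statement injects into BGP, or None when no exact match exists."""
    prefix = statement_prefix(statement)
    return prefix if prefix in routing_table else None


def matching_options(options, routing_table):
    """Letters of the answer options whose statement finds an exact match."""
    return [letter for letter, stmt in sorted(options.items())
            if injected(stmt, routing_table) is not None]


# Question 25: R1 knows 10.10.10.0/24 through OSPF.
Q25_TABLE = {ipaddress.IPv4Network("10.10.10.0/24"): "ospf"}

# Question 38: the two interface addresses from the configuration shown.
Q38_TABLE = connected_routes([
    ("10.10.10.1", "255.255.0.0"),
    ("172.16.1.1", "255.255.255.252"),
])
Q38_OPTIONS = {
    "A": "network 10.0.0.0",
    "B": "network 10.10.0.0 mask 255.255.0.0",
    "C": "network 10.10.10.1 mask 255.255.255.255",
    "D": "network 10.10.10.0 mask 255.255.255.0",
    "E": "network 10.0.0.0 mask 255.255.0.0",
}

if __name__ == "__main__":
    print("Q25 as configured:", injected("network 10.0.0.0", Q25_TABLE))
    print("Q25 corrected:    ",
          injected("network 10.10.10.0 mask 255.255.255.0", Q25_TABLE))
    print("Q38 matching options:", matching_options(Q38_OPTIONS, Q38_TABLE))
```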

QUESTION NO: 39

Router R-1 is configured for BGP routing as shown below:

router bgp 65300

network 27.0.0.0

neighbor 192.23.1.1 remote-as 65300

From the perspective of router R-1, what kind of router is the router with IP address 192.23.1.1?

A. A peer router running IBGP

B. A peer router running EBGP

C. A community member running IBGP

D. A peer group member running IBGP

E. A peer group member running EBGP

Answer: A

Explanation:

Both the local and remote routers are configured with the same autonomous system number, so they

are peer routers running IBGP.

QUESTION NO: 40

The BGP routing table consists of the following network routes:

What is the correct command to summarize these prefixes into a single summary prefix of

192.168.12.0/22 while also allowing for the advertisement of the more specific prefixes?

A. network 192.168.12.0 mask 255.255.252.0

B. network 192.168.12.0 mask 0.0.3.255

C. network 192.168.12.0

D. aggregate-address 192.168.12.0 255.255.252.0

E. aggregate-address 192.168.12.0 255.255.252.0 summary-only

F. aggregate-address 192.168.12.0 255.255.252.0 as-set

Answer: D

Explanation:

To summarize BGP prefixes into one aggregated route, use the "aggregate-address" command.

When used alone, this will advertise the aggregate route, along with the individual specific routing

entries. To advertise only the aggregated route, use the "summary-only" keyword, as specified in

choice E.

QUESTION NO: 41

Router R1 needs to be configured to advertise a specific network. Which of the following

commands would you use if you wanted to advertise the subnet 154.2.1.0 255.255.255.0 to the

EBGP neighbors on your subnet?

A. Router (config-router)#network 154.2.1.0

B. Router (config-router)#network 164.2.1.0

C. Router (config-router)#network-advertise 154.2.1.0

D. Router (config-router)#network 154.2.1.0 mask 255.255.255.0

E. None of the other alternatives apply

Answer: D

Explanation:

The network command is used to specify the networks to be advertised by the Border Gateway

Protocol (BGP) and multiprotocol BGP routing processes.

Syntax: network network-number [ mask network-mask ] [ route-map map-name ]

Mask and route-map are optional. If the mask keyword is configured, then an exact match must

exist in the routing table.

Incorrect Answers:

A: If we do not specify the subnet mask then additional networks are allowed to be advertised. The

classful subnet mask of 154.2.1.0 is 255.255.0.0 - a Class B network.

B: This is using the incorrect IP address, as well as a missing subnet mask.

C: The network-advertise is an invalid command.

QUESTION NO: 42

You are the administrator of a company with BGP connections to multiple ISPs. How could you

configure BGP to make it favor one particular ISP for outbound traffic?

A. Configure weight

B. Enable route reflector

C. Create a distribute list

D. Enable the Longer Autonomous System path option.

E. All of the above.

Answer: A

Explanation:

If the router learns about more than one route to the same destination, the route with the highest

weight will be preferred. Weight is a Cisco BGP parameter that is local to the router. When

terminating multiple ISP connections into the same router, weight can be used to affect which path

is chosen for outbound traffic.

Incorrect Answers:

B: A route reflector cannot be used to influence outbound traffic. A route reflector modifies the

BGP split horizon rule by allowing the router configured as the route reflector to propagate routes

learned by IBGP to other IBGP peers. This saves on the number of BGP TCP sessions that must

be maintained, and also reduces the BGP routing traffic.

C: Distribute lists restrict the routing information that the router learns or advertises. By itself a

distribute list cannot make routes from one ISP be preferred to routers from another ISP.

D: This choice describes AS path prepending, which would be used to influence the path that

incoming traffic takes, not outgoing.
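
The ordering used in Questions 28, 29 and 42 (highest weight first, then highest local preference) can be applied to "show ip bgp" rows directly. The following Python sketch is an added example, not part of the original practice test. It parses the table from Question 29 as printed on this page; the two rows for 192.168.11.0 are constructed, because the Question 28 exhibit is not reproduced here (only the weight of 101 and the next hops come from the page). It assumes every row has its Metric, LocPrf and Weight columns populated, and the function names are hypothetical.

```python
import ipaddress

STATUS_CHARS = set("sdh*>i")

# Rows exactly as printed in Question 29.
Q29_ROWS = [
    "* > 143.16.0.0 128.214.63.2 0 400 0 200 1",
    "* 143.16.0.0 192.208.10.5 0 300 0 300 1",
    "* 143.16.0.0 143.16.63.5 0 100 0 200 1",
    "* 143.16.0.0 203.250.13.41 0 100 0 500 1",
]

# Constructed rows for the Question 28 scenario: the path with the higher
# weight (101) wins although its local preference is lower.
Q28_ROWS_CONSTRUCTED = [
    "*  192.168.11.0 10.200.200.11 0 200 100 65100 i",
    "*> 192.168.11.0 10.200.200.12 0 100 101 65100 i",
]


def parse_row(line):
    """Split one table row into its status flags and attribute columns."""
    tokens = line.split()
    flags = ""
    while tokens and set(tokens[0]) <= STATUS_CHARS:
        flags += tokens.pop(0)          # "*", ">", "*>", "*>i", ...
    if len(tokens) < 5:
        raise ValueError(f"row has blank columns, cannot split safely: {line!r}")
    network, next_hop = tokens[0], tokens[1]
    ipaddress.IPv4Address(network)      # raises ValueError on a malformed address
    ipaddress.IPv4Address(next_hop)
    metric, locprf, weight = (int(t) for t in tokens[2:5])
    return {
        "network": network, "next_hop": next_hop, "metric": metric,
        "locprf": locprf, "weight": weight, "path": tokens[5:],
        "marked_best": ">" in flags,
    }


def preferred(lines):
    """Per network, the next hop(s) left after comparing weight, then local preference.

    More than one next hop in a list means these two attributes alone do not
    decide and later tie-breakers (not modelled here) would apply.
    """
    best = {}
    for row in map(parse_row, lines):
        key = (row["weight"], row["locprf"])       # higher is better for both
        current = best.get(row["network"])
        if current is None or key > current[0]:
            best[row["network"]] = (key, [row["next_hop"]])
        elif key == current[0]:
            current[1].append(row["next_hop"])
    return {network: hops for network, (_, hops) in best.items()}


def router_choice(lines):
    """Per network, the next hop the router itself marked with '>'."""
    return {r["network"]: r["next_hop"] for r in map(parse_row, lines) if r["marked_best"]}


if __name__ == "__main__":
    for rows in (Q29_ROWS, Q28_ROWS_CONSTRUCTED):
        print(preferred(rows), "router marked:", router_choice(rows))
```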

QUESTION NO: 43

An ISP is running a large IBGP network with 25 routers. The full mesh topology that is currently in

place is inefficiently using up bandwidth from all of the BGP traffic. What can the administrator

configure to reduce the number of BGP neighbor relationships within the AS?

A. Route reflectors

B. Route maps

C. Route redistribution

D. Peer groups

E. Aggregate addresses

Answer: A

Explanation:

In general, all IBGP peers must be configured to be fully meshed. If they are not, then all of the

IBGP routers will not have the updated information from the external BGP routers. There are two

ways to overcome the scalability issues of a full IBGP mesh: route reflectors and confederations.

With route reflectors, internal BGP routers peer only with the route reflector, and then the route

reflectors connect with each other. This can considerably reduce the number of IBGP sessions.

Another solution to the scalability problem of IBGP is the use of confederations. With

confederations, the AS is broken up into smaller, more manageable sub autonomous systems.

QUESTION NO: 44

What are the two reasons for the appearance of 0.0.0.0 as the next hop for a network when using

the "show ip bgp" command? (Choose two)

A. The network was originated via redistribution of an interior gateway protocol into BGP.

B. The network was defined by a static route.

C. The network was learned via IBGP.

D. The network was learned via EBGP.

E. The network was originated via a network or aggregate command.

Answer: A,E

Explanation:

From BGP FAQ on www.cisco.com :

Q. What does a next hop of 0.0.0.0 mean in the show ip bgp command output?

A. A network in the BGP table with a next hop address of 0.0.0.0 means that the network is locally

originated via redistribution of Interior Gateway Protocol (IGP) into BGP, or via a network or

aggregate command in the BGP configuration.

Reference:

http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#two

QUESTION NO: 45

Refer to the exhibit diagram and configuration. RTB is summarizing its networks from AS 64100

with the aggregate-address command. However, the show ip route command on RTA reveals the

RTB individual networks as well as its summary route. Which option would ensure that only the

summary route would appear in the routing table of RTA?

A. Add a static route with a prefix of 192.168.24.0 255.255.252.0 pointing to the null0 interface.

B. Create a route map permitting only the summary address.

C. Delete the four network statements and leave only the aggregate-address statement in the

BGP configuration.

D. Add the keyword summary-only to the aggregate-address command.

Answer: D

Explanation:

The aggregate-address <address> <netmask> command advertises the summary address as well

as the more specific routes.

The purpose of aggregate-address <network> <netmask> summary-only command is to suppress

the advertisement of more specific routes.

QUESTION NO: 46

Refer to the exhibit. BGP has been configured on the routers in the network. However, the IBGP

peers in autonomous system 65200 have not converged. In addition, this console message was

generated on router R2:

*Mar 1 03:09:07.729: %TCP-6-BADAUTH No MD5 digest from 10.10.23.2(179) to

10.10.23.3(11002)

On the basis of the information that is provided, what is the cause of the problem?

A. OSPF must be configured with the same MD5 authentication.

B. BGP authentication can be used on iBGP peers when the connection is configured between the

loopback interfaces.

C. BGP authentication can be used on eBGP peers only.

D. The password that is used for BGP authentication on both BGP peers in autonomous system

65200 must be the same.

Answer: D

Explanation:

The above log message relates to an invalid MD5 password on the neighbor. Both peers need to

use the same password for MD5 authentication.

QUESTION NO: 47

Refer to the exhibit. Which two statements are correct? (Choose two.)

A. All the routes were redistributed into BGP from an IGP.

B. All the routes were originated by BGP with the network command.

C. All six routes will be installed in the routing table.

D. Four routes will be installed in the routing table.

E. Two routes will be installed in the routing table.

Answer: A,D

Explanation:

Because the AS paths shown all end with a ?, we know that all of the routes had been redistributed

into BGP. The four best paths, as noted with the > sign, will all be inserted into the routing table.

Section 4: Troubleshoot routing redistribution solution (5 Questions)

QUESTION NO: 48

During a redistribution of routes from OSPF into EIGRP, the administrator notices that none of the

OSPF routes are showing up in EIGRP. What are two possible causes? (Choose two.)

A. Incorrect distribute lists have been configured

B. Missing ip classless command

C. CEF not enabled

D. No default metric configured for EIGRP

Answer: A,D

Explanation:

Possible reasons for OSPF routes not showing up include distribute lists that filter the

routes and a missing metric, which is configured either with the redistribute command or with default-metric.

Remember that when redistributing into RIP or EIGRP, you should provide the metric. Here are the

default seed metrics for various protocols:

RIP : Infinity

EIGRP : Infinity

OSPF : 20

IS-IS: 0

QUESTION NO: 49

Refer to the exhibit and the partial configuration on router R2. On router R4 all RIP routes are

redistributed into the OSPF domain. A second redistribution is configured on router R2 using a

route map. Based on the configuration on router R2, which EIGRP external routes will be present

in the routing table of R1? Select the best response.

A. There will be no EIGRP external routes in the routing table of R1.

B. The routes originating from the RIP routing domain.

C. Only routes originating in the OSPF routing domain.

D. All routes originating from RIP and OSPF routing domains.

E. None of the other alternatives apply.

Answer: C

Explanation:

The route-map command is used to configure policy routing, which is often a complicated task. A

route map is defined using the syntax shown in the figure.

Syntax:

RouterA(config)# route-map map-tag [permit | deny] [sequence-number]

RouterA(config-route-map)#

The map-tag is the name, or ID, of the route map. It can be set to an easily recognizable

name. The route-map command changes the mode on the router to route-map configuration

mode; from there, conditions can be configured for the route map.

Route maps operate similarly to access lists, examining one line at a time; when a match is

found, action is taken. Route maps are different from numbered access lists because they can be

modified without changing the entire list. Each route map statement is given a number. If a

sequence number is not specified, the first route map condition will automatically be numbered as

ten (10). The second condition will automatically be numbered as 20, and so on. The optional

sequence number can be used to indicate the position that a new route map is to have in the list of

route maps already configured with the same name.

In this exhibit, an access list is created to deny 100.10.0.0 and 200.10.10.0 (the RIP domain), and

it is called by route-map ABC. While redistributing OSPF routes into EIGRP, the RED route-map

is used, and it denies advertising the RIP domain networks into EIGRP.

QUESTION NO: 50

Refer to the exhibit. The routing protocols EIGRP and OSPF have been configured as indicated in

the exhibit. Given the partial configuration of router R2, which network will be present in the routing

table of R4?

A. Network B

B. Network A and Network B

C. Network A

D. neither Network A nor Network B

Answer: A

Explanation:

In this exhibit the OSPF domain is redistributed into the EIGRP 100 domain, so Network B will be

present on router R4. However, Network A will not be seen on router R4 (the

bottom router, which is improperly labeled Network B) because EIGRP 50 was not redistributed

into EIGRP 100.

QUESTION NO: 51

Refer to the network shown below:

R1 and R2 belong to the RIP routing domain that includes the networks 10.20.0.0/16 and

10.21.0.0/16. R3 and R4 are performing two-way route redistribution between OSPF and RIP. A

network administrator has discovered that R2 is receiving OSPF routes for the networks

10.20.0.0/16 and 10.21.0.0/16 and a routing loop has occurred. Which action will correct this

problem?

A. Set the OSPF default metric to 20.

B. Apply an inbound ACL to the R2 serial interface.

C. Configure distribute-lists on R3 and R4.

D. Change the RIP administrative distance on R3 to 110.

E. Change the OSPF administrative distance on R3 to 110.

F. None of the other alternatives apply

Answer: C

Explanation:

Use the distribute-list command to pick and choose which routing updates a router will send or

receive. By referencing an access list, the distribute-list creates a route filter. This is a set of rules

that precisely controls what routes a router will send or receive in a routing update. This command

is available for all IP routing protocols and can be applied to either inbound or outbound routing

updates. When applied to inbound updates, the syntax for configuring a route filter is as follows:

Router(config-router)# distribute-list access-list-number in [ interface-name ]

When applied to outbound updates, the syntax can be more complicated as shown in the

following:

Router(config-router)# distribute-list access-list-number out [ interface-name | routing-process | as-number ]

The routing-process and as-number options are invoked when exchanging routes between

different routing protocols.

QUESTION NO: 52

RIP and OSPF are configured on the routers as shown in the exhibit. R2 is configured with a two-

way redistribution between RIP and OSPF domains. All routers can ping each other, but R1

cannot see any of the OSPF routes in its routing table. What could the problem be?

A. OSPF and RIP use the same major network 172.16.0.0. Therefore, the keyword subnets is not

required to redistribute protocols into OSPF.

B. Because OSPF has a longer mask for the same major network than RIP and because RIP

version 1 is being used, none of the routes learned from OSPF will be advertised into RIP.

C. The metric for the OSPF routes that are redistributed into RIP is too low, a fact that prevents

OSPF routes from being advertised into RIP.

D. The process of redistribution of RIP into OSPF does not require any metric conversion, so there

is no need to define the metric using the default-metric command during the redistribution.

Answer: B

Explanation:

The subnets keyword tells OSPF to redistribute all subnet routes. Without the subnets keyword,

only networks that are not subnetted are redistributed by OSPF.

Example:

Router A(config)# router ospf 109

Router A(config-router)# redistribute rip subnets

Router A(config-router)# network 130.10.62.0 0.0.0.255 area 0

Router A(config-router)# network 130.10.63.0 0.0.0.255 area 0

Section 5: Troubleshoot a DHCP client and server solution (13 Questions)

QUESTION NO: 53

What is the purpose of configuring router R1 with the "IP Helper address" command?

A. IP Helper is used to direct BOOTP clients to a BOOTP server.

B. IP Helper is used to prevent the router from forwarding IP broadcasts.

C. IP Helper is used to allow IPX clients to communicate with IP-based servers.

D. IP Helper is used to accommodate compatibility routers using different IP routing protocols.

E. None of the other alternatives apply

Answer: A

Explanation:

The ip helper-address command is used to have the Cisco IOS software forward User Datagram

Protocol (UDP) broadcasts, including BOOTP, received on an interface. DHCP protocol

information is carried inside of BOOTP packets. To enable BOOTP broadcast forwarding for a set

of clients, configure a helper address on the router interface closest to the client. The helper

address should specify the address of the DHCP server.

Note: A DHCP server can be considered to be a BOOTP server, even though a DHCP server is

more advanced.

Incorrect Answers:

B: Combined with the ip forward-protocol global configuration command, the ip helper-address

command allows you to control which broadcast packets and which protocols are forwarded.

However, the main purpose of the IP helper feature is not to prevent the router from forwarding IP

broadcasts.

C: IP helper does not use IPX.

D: This is false.

QUESTION NO: 54

When you execute the "ip helper-address" command on a router, which three UDP ports get

enabled automatically by default? (Select three)

A. 53 (DNS)

B. 69 (TFTP)

C. 515 (LPR)

D. 161 (SNMP)

E. 49 (TACACS)

Answer: A,B,E

Explanation:

To forward the BootP/DHCP request from the client to the DHCP server, the ip helper-address

interface command is used. The IP helper-address can be configured to forward any UDP

broadcast based on UDP port number. By default, the IP helper-address will forward the following

UDP broadcasts:

DNS (port 53)

Time service (port 37)

Trivial File Transfer Protocol (TFTP) (port 69)

Terminal Access Controller Access Control System (TACACS) service (port 49)

NetBIOS name server (port 137)

NetBIOS datagram server (port 138)

Boot Protocol (DHCP/BootP) client and server datagrams (ports 67 and 68)

IEN-116 name service (port 42)

Reference: Understanding and Troubleshooting DHCP in Catalyst Switch or Enterprise Networks

http://www.cisco.com/warp/public/473/100.html

QUESTION NO: 55

Refer to the exhibit. Router RTA has been configured as a DHCP server. The two debug

commands will generate output on RTA when Host A requests an IP address. Which set of

DHCPD debug messages is in the correct sequence?

A. DHCPD: Sending DHCPOFFER to client

DHCPD: DHCPDISCOVER received from client

DHCPD: DHCPREQUEST received from client

DHCPD: Sending DHCPACK to client

B. DHCPD: DHCPDISCOVER received from client

DHCPD: DHCPREQUEST received from client

DHCPD: Sending DHCPOFFER to client

DHCPD: Sending DHCPACK to client

C. DHCPD: DHCPDISCOVER received from client

DHCPD: Sending DHCPOFFER to client

DHCPD: DHCPREQUEST received from client

DHCPD: Sending DHCPACK to client

D. DHCPD: DHCPREQUEST received from client

DHCPD: Sending DHCPOFFER to client

DHCPD: DHCPDISCOVER received from client

DHCPD: Sending DHCPACK to client

E. DHCPD: Sending DHCPACK to client

DHCPD: DHCPDISCOVER received from client

DHCPD: Sending DHCPOFFER to client

DHCPD: DHCPREQUEST received from client

F. DHCPD: DHCPDISCOVER received from client

DHCPD: Sending DHCPACK to client

DHCPD: Sending DHCPOFFER to client

DHCPD: DHCPREQUEST received from client

Answer: C

Explanation:

The following example shows a combination of DHCP server events and decoded receptions and

transmissions:

Router# debug ip dhcp server events

Router# debug ip dhcp server packets

DHCPD:DHCPDISCOVER received from client 0b07.1134.a029 through relay 10.1.0.253.

DHCPD:assigned IP address 10.1.0.3 to client 0b07.1134.a029.

DHCPD:Sending DHCPOFFER to client 0b07.1134.a029 (10.1.0.3).

DHCPD:unicasting BOOTREPLY for client 0b07.1134.a029 to relay 10.1.0.253.

DHCPD:DHCPREQUEST received from client 0b07.1134.a029.

DHCPD:Sending DHCPACK to client 0b07.1134.a029 (10.1.0.3).

DHCPD:unicasting BOOTREPLY for client 0b07.1134.a029 to relay 10.1.0.253.

DHCPD:checking for expired leases.

Note that for this question, the correct order of events is highlighted above.

Reference:

http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_h1.html#wp1020307
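The DISCOVER, OFFER, REQUEST, ACK order can be checked against captured debug output. This Python example is added here and is not part of the original material; it replays the debug lines quoted above, two of the answer options, and two constructed clients (the MAC addresses ending b111 and c222 and their log lines are made up), and classifies each exchange.

```python
import re

# Debug lines quoted from the explanation above.
PAGE_DEBUG = """\
DHCPD:DHCPDISCOVER received from client 0b07.1134.a029 through relay 10.1.0.253.
DHCPD:assigned IP address 10.1.0.3 to client 0b07.1134.a029.
DHCPD:Sending DHCPOFFER to client 0b07.1134.a029 (10.1.0.3).
DHCPD:unicasting BOOTREPLY for client 0b07.1134.a029 to relay 10.1.0.253.
DHCPD:DHCPREQUEST received from client 0b07.1134.a029.
DHCPD:Sending DHCPACK to client 0b07.1134.a029 (10.1.0.3).
DHCPD:unicasting BOOTREPLY for client 0b07.1134.a029 to relay 10.1.0.253.
DHCPD:checking for expired leases.
"""

# Constructed lines: one client never answers the offer, one renews an existing lease.
CONSTRUCTED_DEBUG = """\
DHCPD:DHCPDISCOVER received from client 0b07.1134.b111 on interface FastEthernet0/0.
DHCPD:Sending DHCPOFFER to client 0b07.1134.b111 (10.1.0.4).
DHCPD:DHCPREQUEST received from client 0b07.1134.c222.
DHCPD:Sending DHCPACK to client 0b07.1134.c222 (10.1.0.5).
"""

# Answer options B and C from the question, as written there.
OPTION_B = """\
DHCPD: DHCPDISCOVER received from client
DHCPD: DHCPREQUEST received from client
DHCPD: Sending DHCPOFFER to client
DHCPD: Sending DHCPACK to client
"""
OPTION_C = """\
DHCPD: DHCPDISCOVER received from client
DHCPD: Sending DHCPOFFER to client
DHCPD: DHCPREQUEST received from client
DHCPD: Sending DHCPACK to client
"""

FULL = ["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"]
TYPE = r"DHCPD:\s*(?:Sending )?(DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK))\b"
TYPE_RE = re.compile(TYPE)
MSG_RE = re.compile(TYPE + r".*?client ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def message_types(debug_text):
    """DHCP message types in log order, regardless of client."""
    return TYPE_RE.findall(debug_text)


def messages_by_client(debug_text):
    """Map each client MAC to the ordered list of DHCP message types logged for it."""
    seen = {}
    for line in debug_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            seen.setdefault(m.group(2), []).append(m.group(1))
    return seen


def classify(messages):
    """Classify one exchange (assumes a single exchange per client in the capture)."""
    if messages == FULL:
        return "complete"
    if messages == ["DHCPREQUEST", "DHCPACK"]:
        return "renewal"                      # a lease renewal skips DISCOVER/OFFER
    if "DHCPNAK" in messages:
        return "refused"
    if messages == FULL[:len(messages)]:
        return "stalled-after-" + messages[-1]
    return "out-of-order"


def check(debug_text):
    return {mac: classify(msgs) for mac, msgs in messages_by_client(debug_text).items()}


if __name__ == "__main__":
    print(check(PAGE_DEBUG + CONSTRUCTED_DEBUG))
    print("B:", classify(message_types(OPTION_B)), "C:", classify(message_types(OPTION_C)))
```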

QUESTION NO: 56

Refer to the exhibit. Router RTA has been configured as a DHCP server for router RTC. On the

basis of the information that is provided, which statement about DHCP is true?

A. The VLAN1-POOL argument must be issued for the Fa0/1 interface on router RTA.

B. Router RTA must be configured with the default-router 192.168.3.2 DHCP command.

C. The ip address dhcp interface configuration command must be issued for the Fa0/1 interface of

router RTA.

D. The ip helper-address 192.168.1.2 interface configuration command must be issued for the

Fa0/1 interface on router RTA.

E. Router RTC must be configured with the ip address dhcp global configuration command.

F. The lease 2 0 0 DHCP configuration command would change the default DHCP lease time to

48 hours on router RTA.

Answer: F

Explanation:

Configuring the Address Lease Time:

By default, each IP address assigned by a DHCP server comes with a one-day lease, which is the

amount of time that the address is valid. To change the lease value for an IP address, use the

following command in DHCP pool configuration mode:

Reference:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/easyip2.htm#22915

QUESTION NO: 57

Refer to the exhibit. Which statement is true about the information that is given?

A. Router R2 will distribute incorrect default router option information to DHCP clients because it is

importing this information from R1.

B. As configured, router R2 will retrieve domain name and other option information from R1.

C. For the import all command to work on router R2, its Fa0/1 interface must be configured as a

DHCP client.

D. The DHCP clients of router R2 will receive the same option information that the clients of R1

receive.

Answer: C

Explanation:

DHCP Server Options Import and Autoconfiguration Example:

The following example shows a remote and central server configured to support DHCP options

import and autoconfiguration. The central server is configured to automatically update DHCP

options, such as DNS and WINs addresses, within the DHCP pools. In response to a DHCP

request from a local client behind CPE equipment, the remote server can request or "import" these

option parameters from the centralized server. See below for a diagram of the network topology.

Central Router

! Do not assign this range to DHCP clients

ip dhcp excluded-address 10.0.0.1 10.0.0.5

!

ip dhcp pool central

! Specifies network number and mask for DHCP clients

network 10.0.0.0 255.255.255.0

! Specifies the domain name for the client

domain-name central

! Specifies DNS server that will respond to DHCP clients when they need to correlate host

! name to ip address

dns-server 10.0.0.2

!Specifies the NETBIOS WINS server

netbios-name-server 10.0.0.2

!

interface FastEthernet0/0

ip address 10.0.0.1 255.255.255.0

duplex auto

speed auto

Remote Router

!

ip dhcp pool client

! Imports DHCP options parameters into DHCP server database

import all

network 20.0.0.0 255.255.255.0

!

interface FastEthernet0/0

ip address dhcp

duplex auto

speed auto

In our example, router R1 is acting as the central router, and R2 is acting as the remote router.

As shown in the example, interface Fa0/1 needs to have the "ip address dhcp" command applied,

making it a DHCP client.

Reference:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75c.html#wp1009276

QUESTION NO: 58

Refer to the exhibit. A network administrator consoles into the ASw1 switch and attempts to save

the switch configuration to the TFTP server that is located at IP address 10.1.2.10/24. However,

whenever the copy running-config tftp command is issued with default options on switch ASw1, an

error is produced. Which configuration would correct this situation?

A. ASw1(config)# interface range fastethernet 0/1 - 24

ASw1(config-if-range)# ip forward-protocol udp 69

B. RTA(config)# interface fastethernet0/1

RTA(config-if)# ip forward-protocol udp 69

C. RTA(config)# interface fastethernet0/0

RTA(config-if)# ip helper-address 10.1.2.10

D. RTA(config)# interface fastethernet0/1

RTA(config-if)# ip helper-address 10.1.2.10

E. RTA(config)# interface fastethernet0/0

RTA(config-if)# ip forward-protocol udp 69

F. ASw1# copy tftp running-config

Answer: C

Explanation:

DHCP is not the only critical service that uses broadcasts. Cisco routers and other devices might

use broadcasts to locate TFTP servers. Some clients might need to broadcast to locate a

TACACS security server. In a complex hierarchical network, clients might not reside on the same

subnet as key servers. Such remote clients broadcast to locate these servers, but routers, by

default, do not forward client broadcasts beyond their subnet. Some clients are unable to make a

connection without services such as DHCP. For this reason, the administrator must provide DHCP

and DNS servers on all subnets or use the Cisco IOS software helper address feature. Running

services such as DHCP or DNS on several computers creates overhead and administrative

problems, so the first option is not very appealing. When possible, administrators use the ip

helper-address command to relay broadcast requests for these key User Datagram Protocol

(UDP) services.

By using the ip helper-address command, a router can be configured to accept a broadcast

request for a UDP service and then forward it as a unicast to a specific IP address.

By default, the ip helper-address command will forward these 8 UDP ports:

Reference: http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9

QUESTION NO: 59

Refer to the exhibit. Based upon the information in the exhibit, which statement is true?

A. DHCP requests from the host will be rebroadcasted to R2.

B. To complete this configuration, the R1 fa0/0 interface must be configured with the ip helper-

addresses command.

C. To complete this configuration, the R2 fa0/0 interface must be configured with the ip helper-

addresses command.

D. R1 will forward all DHCP requests to both 192.168.100.1 and 192.168.200.1 as unicast

messages.

E. R1 will forward DHCP requests to 192.168.100.1. If there is no response, R1 will then forward

the requests to 192.168.200.1.

Answer: D

Explanation:

A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay

agents receive DHCP messages and then generate a new DHCP message to send out on another

interface. The agents forward requests and replies between clients and servers when they are not

on the same physical subnet.

The Cisco IOS DHCP relay agent is enabled on an interface only when the ip helper-address is

configured.

If multiple helper addresses are configured, it tries to get a response from the first; if no response is

received from the first helper address, it then sends the request to the second one.

QUESTION NO: 60

Refer to the exhibit. Which two statements are true? (Choose two)

A. DHCPDISCOVER packets will reach the DHCP server.

B. The router will not forward DHCPDISCOVER packets because it has not been configured to do

so.

C. This configuration is applied to interface Fa0/1.

D. DHCPDISCOVER packets will not reach the DHCP server because DHCPDISCOVER packets

are broadcasts.

E. DHCPDISCOVER packets will not reach the DHCP server because ports 67 and 68 have not

been explicitly allowed by the ip forward-protocol command.

F. This configuration is applied to interface Fa0/0.

Answer: A,E

Explanation:

While routers accept and generate broadcasts, they do not forward them. This can be quite a

problem when a broadcast needs to get to a device such as a DHCP or TFTP server that's on one

side of a router with other subnets on the other side.

If this PC attempts to locate a DNS server with a broadcast, the broadcast will be stopped by the

router and will never get to the DNS server. By configuring the ip helper-address command on the

router, UDP broadcasts such as this will be translated into a unicast by the router, making the

communication possible. The command should be configured on the interface that will be

receiving the broadcasts.

R1(config)#int e0

R1(config-if)#ip helper-address ?

A.B.C.D IP destination address

R1(config-if)#ip helper-address 10.1.1.1

This command does forward eight common UDP service broadcasts by default:

TIME, port 37

TACACS, port 49

DNS, port 53

BOOTP/DHCP Server, port 67

BOOTP/DHCP Client, port 68

TFTP, port 69

NetBIOS name service, port 137

NetBIOS datagram service, port 138

That's going to cover most scenarios where the ip helper-address command will be useful, but

what about those situations where the broadcast you need forwarded is not on this list? You can

use the ip forward-protocol command to add any UDP port number to the list. In this particular

case, ports 67 and 68 were not included, so the BOOTP packets will not be sent to the DHCP

server.

QUESTION NO: 61

On router R1, which three of the following protocols will be forwarded to a host specified by the "ip

helper-address" interface configuration command if the configuration has not been modified by the

"ip forward-protocol udp" global configuration command? (Choose three)

A. BOOTP

B. TFTP

C. ARP

D. DNS

E. proxy-ARP

F. FTP

G. CDP

Answer: A,B,D

Explanation:

To forward the BootP/DHCP request from the client to the DHCP server, the ip helper-address

interface command is used. The IP helper-address can be configured to forward any UDP

broadcast based on UDP port number. By default, the IP helper-address will forward the following

UDP broadcasts:

DNS (port 53)

Time service (port 37)

Trivial File Transfer Protocol (TFTP) (port 69)

Terminal Access Controller Access Control System (TACACS) service (port 49)

NetBIOS name server (port 137)

NetBIOS datagram server (port 138)

Boot Protocol (DHCP/BootP) client and server datagrams (ports 67 and 68)

IEN-116 name service (port 42)

Reference: Understanding and Troubleshooting DHCP in Catalyst Switch or Enterprise Networks

http://www.cisco.com/warp/public/473/100.html
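The interaction between ip helper-address and ip forward-protocol described in questions 54, 60 and 61 can be audited from a configuration excerpt. This Python example is added here and is not from the practice test; the three configurations are constructed, the default port list is the eight-port list given in the explanation of question 60, and only the numeric form of ip forward-protocol udp is parsed.

```python
import re

# Default UDP ports relayed by ip helper-address, per the explanation of question 60.
DEFAULT_FORWARDED = {37, 49, 53, 67, 68, 69, 137, 138}
BOOTP_PORTS = {67, 68}

# Constructed configuration excerpts (interface name and addresses are made up).
DEFAULTS = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.2.10
!
"""
# Question 60 style: the BOOTP ports are removed, so DHCPDISCOVER is not relayed.
BOOTP_REMOVED = (
    "no ip forward-protocol udp 67\n"
    "no ip forward-protocol udp 68\n" + DEFAULTS
)
# Least privilege: relay DHCP only and drop the other default services.
DHCP_ONLY = "".join(
    f"no ip forward-protocol udp {port}\n" for port in (37, 49, 53, 69, 137, 138)
) + DEFAULTS

FORWARD_RE = re.compile(r"(no )?ip forward-protocol udp (\d+)\s*")
HELPER_RE = re.compile(r"\s+ip helper-address (\S+)\s*")


def forwarded_ports(config):
    """Effective set of UDP ports whose broadcasts a helper address will relay."""
    ports = set(DEFAULT_FORWARDED)
    for line in config.splitlines():
        m = FORWARD_RE.fullmatch(line)
        if not m:
            continue                      # keyword forms (e.g. "udp tftp") are not parsed
        port = int(m.group(2))
        if m.group(1):
            ports.discard(port)
        else:
            ports.add(port)
    return ports


def helper_interfaces(config):
    """Map each interface to the helper addresses configured under it."""
    helpers, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None                # "!" or a global command ends the stanza
        else:
            m = HELPER_RE.fullmatch(line)
            if m and current:
                helpers.setdefault(current, []).append(m.group(1))
    return helpers


def audit_helpers(config):
    """Per interface: helpers, whether client DHCP broadcasts (UDP 67) are relayed,
    and which non-BOOTP services are relayed alongside them."""
    ports = forwarded_ports(config)
    return {
        iface: {
            "helpers": servers,
            "dhcp_relayed": 67 in ports,
            "other_relayed": sorted(ports - BOOTP_PORTS),
        }
        for iface, servers in helper_interfaces(config).items()
    }


if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS), ("bootp removed", BOOTP_REMOVED),
                      ("dhcp only", DHCP_ONLY)):
        print(name, audit_helpers(cfg))
```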

QUESTION NO: 62

Refer to the exhibit. Which statement is true about the configuration?

A. Hosts belonging to DHCP pool 1 and pool 2 will retain their IP settings for 30 hours before they

must renew.

B. Hosts will receive IP settings from pool 1 until the addresses run out, and then hosts will receive

the settings from pool 2.

C. Hosts in the 10.10.20.0/24 subnet will use 10.10.20.50 as its DNS server.

D. DHCP pool 0 needs to have the ip dhcp excluded-address command to exclude the default

router and DNS servers.

Answer: C

Explanation:

When configuring the router as a DHCP server you should follow these steps:

Define the pool using: ip dhcp pool <poolname>

Define the network to assign to clients in the pool using: network network/mask

Define the lease time using: lease days

Define the DNS server to resolve name/IP using: dns-server <ip address>

Define the default gateway to assign to the client using: default-router <router ip add>

In the exhibit there is no dns-server in pool 1 and pool 2. If a DNS server is not defined in the pool, it

is taken from the previous pool; the same thing happens here: pool 1 and pool 2 use 10.10.20.50

as the DNS server from pool 0.

QUESTION NO: 63

Refer to the exhibit. The DHCP configuration that is shown is configured on a Cisco router. Which

statement is true?

A. The router will distribute IP addresses from pool 1 until its addresses are exhausted. Then the

router will begin distributing addresses from pool 2.

B. The configuration is invalid because the DHCP options are global configuration commands.

C. The configuration is incomplete until the DHCP pools are bound to the appropriate interface or

interfaces.

D. The router will choose which pool to use based upon the interface the DHCP request was

received on.

Answer: D

Explanation:

There are two pools with different networks. Pool 1 has 172.16.1.0/24 and pool 2 has

172.16.2.0/24. Suppose that the router has fa0/0 interface with IP address 172.16.1.1 and fa0/1

with IP address 172.16.2.1. When a client sends the DHCP request on fa0/0 the router will assign

the IP address from pool 1, and when a client sends the DHCP request on fa0/1 the router will assign

an IP address from pool 2, because the pool selection is based on the network address of the

associated interface IP address.

QUESTION NO: 64

Refer to the exhibit. A network administrator has configured DHCP services on the router as

shown. DHCP clients connected to the FastEthernet0/0 interface are working properly. DHCP

clients connected to the FastEthernet0/1 interface are not receiving addresses. Which two

statements contain recommendations that will solve the problem? (Choose two.)

A. The network shown in the output under the ip dhcp pool Central command should be changed

to network 10.10.0.0 with a mask of 255.255.255.0.

B. A second DHCP pool for network 10.10.0.0/24 should be configured.

C. An ip dhcp excluded-address global configuration command for network 10.10.0.0/24 should be

issued.

D. The ip helper-address 10.0.0.1 command should be issued so that the address can be added to

the FastEthernet0/0 configuration.

E. The ip helper-address 10.0.0.1 command should be issued so that the address can be added to

the FastEthernet0/1 configuration.

Answer: B,C

Explanation:

In the exhibit, the DHCP pool has been configured for the 10.0.0.0 255.255.255.0 network so

clients connected to fa0/0 are receiving an IP address but clients connected to fa0/1 are not

receiving an IP address because the DHCP pool for 10.10.0.0/24 network has not been

configured. So to assign an IP address to clients connected to fa0/1 interface you should configure

the DHCP pool for 10.10.0.0/24 network.

QUESTION NO: 65

Refer to the exhibit. Which two statements are true about the partial configuration that is shown?

(Choose two.)

A. Hosts connected to the FastEthernet0/1 interface will not receive DHCP replies from the router.

B. The first DHCP client to connect to the FastEthernet 0/1 interface will receive the IP address

10.10.0.1.

C. The first DHCP client to connect to the FastEthernet 0/0 interface will receive the IP address

10.0.0.1

D. DHCP requests received on the FastEthernet 0/1 interface will be forwarded to 10.0.0.2.

E. The first DHCP client to connect to the FastEthernet 0/0 interface will receive the IP address

10.0.0.6.

Answer: A,E

Explanation:

In the exhibit, the DHCP pool has been configured for the 10.0.0.0 255.255.255.0 network so

clients connected to fa0/0 are receiving an IP address but clients connected to fa0/1 are not

receiving IP address because the DHCP pool for the 10.10.0.0/24 network has not been

configured. So to assign IP addresses to clients connected to fa0/1 interface you should configure

the DHCP pool for 10.10.0.0/24 network.
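Pool selection by receiving interface (question 63) and the effect of a missing pool or of ip dhcp excluded-address (questions 64 and 65) can be modelled in a few lines. The Python below is an added example, not from the practice test; the exhibits are not reproduced on this page, so the interface addresses, the pool name Branch and the exclusion ranges are assumptions, and offering the lowest free address is a simplification of the router's behaviour.

```python
import ipaddress

# Constructed configuration modelled on the explanations of questions 63 to 65.
INTERFACES = {"FastEthernet0/0": "10.0.0.1/24", "FastEthernet0/1": "10.10.0.1/24"}
POOLS = {"Central": "10.0.0.0/24"}
EXCLUDED = [("10.0.0.1", "10.0.0.5")]          # ip dhcp excluded-address 10.0.0.1 10.0.0.5

# The fix recommended for question 64: a second pool plus an exclusion for it.
# "Branch" and the single excluded address are assumed names and values.
POOLS_FIXED = dict(POOLS, Branch="10.10.0.0/24")
EXCLUDED_FIXED = EXCLUDED + [("10.10.0.1", "10.10.0.1")]


def pool_for_interface(iface_cidr, pools):
    """Name of the pool whose network contains the interface address, or None."""
    addr = ipaddress.ip_interface(iface_cidr).ip
    matches = [
        (ipaddress.ip_network(net).prefixlen, name)
        for name, net in pools.items()
        if addr in ipaddress.ip_network(net)
    ]
    # Prefer the most specific pool when several networks contain the address.
    return max(matches)[1] if matches else None


def first_offer(pool_cidr, excluded, leased=()):
    """Lowest host address in the pool that is neither excluded nor already leased."""
    ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in excluded]
    taken = {ipaddress.ip_address(a) for a in leased}
    for host in ipaddress.ip_network(pool_cidr).hosts():
        if host in taken or any(lo <= host <= hi for lo, hi in ranges):
            continue
        return str(host)
    return None                                  # pool exhausted


def audit_pools(interfaces, pools, excluded):
    """For each interface: (pool that serves it, first address it would hand out)."""
    report = {}
    for name, cidr in interfaces.items():
        pool = pool_for_interface(cidr, pools)
        offer = first_offer(pools[pool], excluded) if pool else None
        report[name] = (pool, offer)
    return report


if __name__ == "__main__":
    print("as configured:", audit_pools(INTERFACES, POOLS, EXCLUDED))
    print("after the fix:", audit_pools(INTERFACES, POOLS_FIXED, EXCLUDED_FIXED))
```

An interface that maps to no pool, like FastEthernet0/1 in the first run, is the condition both explanations describe: its clients get no address until a pool for that subnet exists.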

Section 6: Troubleshoot NAT (0 Questions)

Section 7: Troubleshoot first hop redundancy protocols (18 Questions)

QUESTION NO: 66

Refer to the exhibit. Which two statements are true about the output from the show standby vlan

50 command? (Choose two.)

A. The command standby 1 preempt was added to Catalyst_A.

B. Catalyst_A is load sharing traffic in VLAN 50.

C. Hosts using the default gateway address of 192.168.1.1 will have their traffic sent to

192.168.1.11 even after Catalyst_A becomes available again.

D. Hosts using the default gateway address of 192.168.1.2 will have their traffic sent to

Catalyst_A.

Answer: A,B

Explanation:

HSRP uses a priority scheme to determine which HSRP-configured router is to be the default

active router. To configure a router as the active router, you assign it a priority that is higher than

the priority of all the other HSRP-configured routers. The default priority is 100, so if you configure

just one router to have a higher priority, that router will be the default active router.

HSRP works by the exchange of multicast messages that advertise priority among HSRP-

configured routers. When the active router fails to send a hello message within a configurable

period of time, the standby router with the highest priority becomes the active router. The transition

of packet-forwarding functions between routers is completely transparent to all hosts on the

network.

HSRP-configured routers exchange three types of multicast messages:

Hello - The hello message conveys to other HSRP routers the router's HSRP priority and state

information. By default, an HSRP router sends hello messages every three seconds.

Coup - When a standby router assumes the function of the active router, it sends a coup message.

Resign - A router that is the active router sends this message when it is about to shut down or

when a router that has a higher priority sends a hello message.

At any time, HSRP-configured routers are in one of the following states:

Active - The router is performing packet-transfer functions.

Standby - The router is prepared to assume packet-transfer functions if the active router fails.

Speaking and listening - The router is sending and receiving hello messages.

Listening - The router is receiving hello messages.

The standby preempt interface configuration command allows the router to become the active

router when its priority is higher than all other HSRP-configured routers in this Hot Standby group.

The configurations of both routers include this command so that each router can be the standby

router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If

you do not use the standby preempt command in the configuration for a router, that router cannot

become the active router.

QUESTION NO: 67

Refer to the exhibit. Based upon the debug output that is shown, which three statements about

HSRP are true? (Choose three.)

A. The router with IP address 172.16.11.112 is using default HSRP priority.

B. The IP address 172.16.11.115 is the virtual HSRP IP address.

C. The priority of the router with IP address 172.16.11.112 is preferred over the router with IP

address 172.16.11.111.

D. The router with IP address 172.16.11.111 has preempt configured.

E. The final active router is the router with IP address 172.16.11.111.

F. The router with IP address 172.16.11.112 has nonpreempt configured.

Answer: B,D,E

Explanation:

Each router in an HSRP group has its own unique IP address assigned to an interface. This

address is used for all routing protocol and management traffic initiated by or destined to the

router. In addition, each router has a common gateway IP address, the virtual router address, that

is kept alive by HSRP. This address is also referred to as the HSRP address or the standby

address. Clients can point to that virtual router address as their default gateway, knowing that a

router always keeps that address active. Keep in mind that the actual interface address and the

virtual (standby) address must be configured to be in the same IP subnet. You can assign the

HSRP address with the following interface command:

Switch(config-if)# standby group ip ip-address [secondary]

When HSRP is used on an interface that has secondary IP addresses, you can add the secondary

keyword so that HSRP can provide a redundant secondary gateway address.

You can configure a router to preempt or immediately take over the active role if its priority is the

highest at any time. Use the following interface configuration command to allow preemption:

Switch(config-if)# standby group preempt [delay seconds]

By default, the router can preempt another immediately, without delay. You can use the delay

keyword to force it to wait for seconds before becoming active. This is usually done if there are

routing protocols that need time to converge.

QUESTION NO: 68

What can be determined about the HSRP relationship from the displayed debug output?

A. Router 172.16.11.111 will be the active router because its HSRP priority is preferred over router

172.16.11.112.

B. The IP address 172.16.11.112 is the virtual HSRP router IP address.

C. The nonpreempt feature is enabled on the 172.16.11.112 router.

D. The IP address 172.16.11.111 is the virtual HSRP router IP address.

E. Router 172.16.11.112 will be the active router because its HSRP priority is preferred over router

172.16.11.111.

F. The preempt feature is not enabled on the 172.16.11.111 router.

Answer: F

Explanation:

The standby preempt interface configuration command allows the router to become the active

router when its priority is higher than all other HSRP-configured routers in this Hot Standby group.

The configurations of both routers include this command so that each router can be the standby

router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If

you do not use the standby preempt command in the configuration for a router, that router cannot

become the active router.

QUESTION NO: 69

Examine the router output above. Which two items are correct? (Choose two.)

A. If Ethernet 0/2 goes down, the standby router will take over.

B. The local IP address of Router A is 10.1.0.6.

C. When Ethernet 0/3 of RouterA comes back up, the priority will become 105.

D. Router A will assume the active state if its priority is the highest.

E. The local IP address of Router A is 10.1.0.20.

Answer: C,D

Explanation:

Since preemption has been configured, we know that when any router comes back up, it will

become the active router as long as it has a higher priority value.

In this example, the current priority shows it to be 95. If the interface were to come up, it would

now be 95 + 10 (which is the default value) so the total value would then become 105. If fast0/2

were to come up as well, it would then be 105 + 15 (special override as seen in the command) =

120.

Reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swhsrp.html

QUESTION NO: 70

Refer to the exhibit. Which two problems are the most likely cause of the exhibited output?

(Choose two.)

A. VRRP misconfiguration

B. spanning tree issues

C. transport layer issues

D. physical layer issues

E. HSRP misconfiguration

Answer: D,E

Explanation:

Each router in an HSRP group has its own unique IP address assigned to an interface. This

address is used for all routing protocol and management traffic initiated by or destined to the

router. In addition, each router has a common gateway IP address, the virtual router address that

is kept alive by HSRP. This address is also referred to as the HSRP address or the standby

address. Clients can point to that virtual router address as their default gateway, knowing that a

router always keeps that address active. Keep in mind that the actual interface address and the

virtual (standby) address must be configured to be in the same IP subnet. You can assign the

HSRP address with the following interface command:

Switch(config-if)# standby group ip ip-address [secondary]

When HSRP is used on an interface that has secondary IP addresses, you can add the secondary

keyword so that HSRP can provide a redundant secondary gateway address.

QUESTION NO: 71

Refer to the exhibit. Based upon the debug output that is shown, which three statements about

HSRP are true? (Choose three.)

A. The router with IP address 172.16.11.112 is using default HSRP priority.

B. The IP address 172.16.11.115 is the virtual HSRP IP address.

C. The priority of the router with IP address 172.16.11.112 is preferred over the router with IP

address 172.16.11.111.

D. The router with IP address 172.16.11.111 has preempt configured.

E. The final active router is the router with IP address 172.16.11.111.

F. The router with IP address 172.16.11.112 has nonpreempt configured.

Answer: B,D,E

Explanation:

Each router in an HSRP group has its own unique IP address assigned to an interface. This

address is used for all routing protocol and management traffic initiated by or destined to the

router. In addition, each router has a common gateway IP address, the virtual router address, that

is kept alive by HSRP. This address is also referred to as the HSRP address or the standby

address. Clients can point to that virtual router address as their default gateway, knowing that a

router always keeps that address active. Keep in mind that the actual interface address and the

virtual (standby) address must be configured to be in the same IP subnet. You can assign the

HSRP address with the following interface command:

Switch(config-if)# standby group ip ip-address [secondary]

When HSRP is used on an interface that has secondary IP addresses, you can add the secondary

keyword so that HSRP can provide a redundant secondary gateway address.

You can configure a router to preempt or immediately take over the active role if its priority is the

highest at any time. Use the following interface configuration command to allow preemption:

Switch(config-if)# standby group preempt [delay seconds]

By default, the router can preempt another immediately, without delay. You can use the delay

keyword to force it to wait for seconds before becoming active. This is usually done if there are

routing protocols that need time to converge.

QUESTION NO: 72

Examine the router output above. Which two items are correct? (Choose two.)

A. If Ethernet 0/2 goes down, the standby router will take over.

B. The local IP address of Router A is 10.1.0.6.

C. When Ethernet 0/3 of RouterA comes back up, the priority will become 105.

D. Router A will assume the active state if its priority is the highest.

E. The local IP address of Router A is 10.1.0.20.

Answer: C,D

Explanation:

Since preemption has been configured, we know that when any router comes back up, it will

become the active router as long as it has a higher priority value.

In this example, the current priority shows it to be 95. If the interface were to come up, it would

now be 95 + 10 (which is the default value) so the total value would then become 105. If fast0/2

were to come up as well, it would then be 105 + 15 (special override as seen in the command) =

120.

Reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swhsrp.html

HSRP election is based on a priority value (0 to 255) that is configured on each router in the

group. By default, the priority is 100. The router with the highest priority value (255 is highest)

becomes the active router for the group. If all router priorities are equal or set to the default value,

the router with the highest IP address on the HSRP interface becomes the active router. To set the

priority, use the following interface configuration command:

Switch(config-if)# standby group priority priority

When HSRP is configured on an interface, the router progresses through a series of states before

becoming active. This forces a router to listen for others in a group and see where it fits into the

pecking order. The HSRP state sequence is Disabled, Init, Listen, Speak, Standby, and, finally,

Active.

QUESTION NO: 73

What can be determined about the HSRP relationship from the displayed debug output?

A. Router 172.16.11.111 will be the active router because its HSRP priority is preferred over router

172.16.11.112.

B. The IP address 172.16.11.112 is the virtual HSRP router IP address.

C. The nonpreempt feature is enabled on the 172.16.11.112 router.

D. The IP address 172.16.11.111 is the virtual HSRP router IP address.

E. Router 172.16.11.112 will be the active router because its HSRP priority is preferred over router

172.16.11.111.

F. The preempt feature is not enabled on the 172.16.11.111 router.

Answer: F

Explanation:

The standby preempt interface configuration command allows the router to become the active

router when its priority is higher than all other HSRP-configured routers in this Hot Standby group.

The configurations of both routers include this command so that each router can be the standby

router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If

you do not use the standby preempt command in the configuration for a router, that router cannot

become the active router.

QUESTION NO: 74

Which three of the following network features are methods used to achieve high availability?

(Select all that apply.)

A. Spanning Tree Protocol (STP)

B. Delay reduction

C. Hot Standby Routing Protocol (HSRP)

D. Dynamic routing protocols

E. Quality of Service (QoS)

F. Jitter management

Answer: A,C,D

Explanation:

Because the importance of high availability networks is increasingly being recognized, many

organizations are beginning to make reliability/availability features a key selection criterion for

network infrastructure products. With this in mind, Cisco Systems engaged ZD Tag to observe and

confirm the results of a series of tests demonstrating the high availability features of Cisco Catalyst

Layer 2/Layer 3 switches. In order to maximize the relevance of the results, the demonstration was

based on a model of a "real world" campus (in one of Cisco's Enterprise Solution Center labs in

San Jose, California).

This switched internetwork consisted of wiring closet, wiring center, and backbone switches and

conformed to Cisco's modular three-tier (Access/Distribution/Core) design philosophy. The testing

demonstrated the following high availability and resilience features of Catalyst switches:

* per-VLAN Spanning Tree (PVST) using Cisco's InterSwitch Link (ISL) and 802.1Q VLAN Trunking

* Cisco Spanning Tree Enhancements, including UplinkFast and PortFast

* Cisco Hot Standby Router Protocol (HSRP) and HSRP Track

* Cisco IOS per-destination load balancing over equal cost OSPF paths

* Cisco IOS fast convergence for OSPF

Reference: http://www.cisco.com/warp/public/779/largeent/learn/technologies/campuslan.pdf

QUESTION NO: 75

Network topology exhibit:

R1 configuration exhibit:

R2 configuration exhibit:

You work as a network technician. Please study the exhibit carefully.

In this scenario the following are true:

* Host A can ping the headquarter office

* HSRP is configured on R1

* First R1 and then R2 are configured and reloaded

Based on this information, what can be said of this network?

A. R1 will be the standby router because it has the lower IP address.

B. R2 will be the standby router because it has the higher IP address.

C. R1 will be the active router because it booted first.

D. R2 will be the active router because it booted last.

E. R1 will be the active router because it has the lower priority that is configured.

F. R2 will be the active router because it has the higher priority that is configured.

Answer: C

Explanation:

Even though router R2 has a higher priority, it will not become the active router because the HSRP

preemption was not configured. Since the "standby 62 preempt" command was not configured,

the first HSRP router to boot up will become the active router and remain the active router even

when another device with a higher priority is added.

QUESTION NO: 76

Exhibit:

You are troubleshooting a redundancy issue with the network. Based on the R3 "debug standby"

output in the exhibit, which HSRP statement is true?

A. R3 is the active router because the standby timer has been incorrectly configured.

B. R3 is the active router because it has a lower priority on that VLAN.

C. R3 is the active router and is advertising the virtual IP address 10.110.10.111 on VLAN 11.

D. R3 is the active router because it has a lower IP address than the tying priority router on that

VLAN.

E. R3 is the active router because it is the only HSRP-enabled router on that segment

F. None of the other alternatives apply

Answer: E

Explanation:

In the output shown, it can be seen that the standby router is unknown, and the active timer is

expired meaning that this router was unable to locate any other HSRP enabled routers on the

LAN. It then became the active router, with no standby router.

QUESTION NO: 77

Refer to the exhibit. Host A has sent an ARP message to the default gateway IP address

10.10.10.1. Which statement is true?

A. DSw1 will reply with the MAC address of the next AVF.

B. DSw2 will reply with the MAC address of the next AVF.

C. Because of the invalid timers that are configured, DSw1 will not reply.

D. Because of the invalid timers that are configured, DSw2 will not reply.

E. DSw1 will reply with the IP address of the next AVF.

F. DSw2 will reply with the IP address of the next AVF.

Answer: B

Explanation:

The Gateway Load Balancing Protocol (GLBP) is a Cisco-proprietary protocol designed to

overcome the limitations of existing redundant router protocols. Some of the concepts are the

same as with HSRP/VRRP, but the terminology is different and the behavior is much more

dynamic and robust.

The trick behind this load balancing lies in the GLBP group. One router is elected the active virtual

gateway (AVG). This router has the highest priority value, or the highest IP address in the group, if

there is no highest priority. The AVG answers all ARP requests for the virtual router address.

Which MAC address it returns depends on which load-balancing algorithm it is configured to use.

In any event, the virtual MAC address supported by one of the routers in the group is returned.

According to the exhibit, router DSw2 is the Active Virtual Gateway (AVG) because it has the

highest IP address, the priorities being equal. When router DSw1 sends the ARP message to

10.10.10.1, router DSw2 will reply to DSw1 as the Active Virtual Router.

QUESTION NO: 78

Exhibit:

You have configured HSRP on router R5 as shown. Based on the "debug standby" output in the

exhibit, which HSRP statement is true?

A. R5 is the active router because it is the only HSRP-enabled router on that segment.

B. R5 is the active router because the standby timer has been incorrectly configured.

C. R5 is the active router because it has a lower priority on that VLAN.

D. R5 is the active router because it has a lower IP address than the tying priority router on that

VLAN.

E. R5 is the active router and is advertising the virtual IP address 10.10.10.111 on VLAN 11.

F. None of the other alternatives apply

Answer: A

Explanation:

Answer A is correct because there is no response from the HSRP neighbor. As we can see from

the exhibit, the neighbor discovery timer has expired and the standby router is unknown.

QUESTION NO: 79

Routers R1 and R2 are configured for HSRP as shown below:

Router R1:

interface ethernet 0

ip address 20.6.2.1 255.255.255.0

standby 35 ip 20.6.2.21

standby 35 priority 100

interface ethernet 1

ip address 20.6.1.1.2 255.255.255.0

standby 34 ip 20.6.1.21

Router R2:

interface ethernet 0

ip address 20.6.2.2 255.255.255.0

standby 35 ip 20.6.2.21

interface ethernet 1

ip address 20.6.1.1.1 255.255.255.0

standby 34 ip 20.6.1.21

standby 34 priority 100

You have configured the routers R1 & R2 with HSRP. While debugging router R2 you notice very

frequent HSRP group state transitions. What is the most likely cause of this?

A. physical layer issues

B. no spanning tree loops

C. use of non-default HSRP timers

D. failure to set the command standby 35 preempt

Answer: A

Explanation:

R2 is not able to move from the standby state to the active state. This could be caused by missing

HSRP hello messages. There are several possible causes for HSRP packets to get lost between

the peers. The most common problems are Physical Layer Problems or excessive network traffic

caused by Spanning-Tree Issues.

Note:

Hot Standby Routing Protocol (HSRP) is a Cisco proprietary protocol used for allowing redundant

connections. It can keep core connectivity if the primary routing process fails.

HSRP defines six states in which an HSRP router may run: initial, learn, listen, speak, standby,

and active.

Incorrect Answers:

B: Spanning tree loops do not affect this problem.

C: Not a likely cause. Besides, in the example here the default values were indeed used.

QUESTION NO: 80

Refer to the exhibit. Which three statements accurately describe this GLBP topology? (Choose

three.)

A. Router A is responsible for answering ARP requests sent to the virtual IP address.

B. If Router A becomes unavailable, Router B will forward packets sent to the virtual MAC address

of Router A.

C. If another router were added to this GLBP group, there would be two backup AVGs.

D. Router B is in GLBP listen state.

E. Router A alternately responds to ARP requests with different virtual MAC addresses.

F. Router B will transition from blocking state to forwarding state when it becomes the AVG.

Answer: A,B,E

Explanation:

With GLBP the following is true:

With GLBP, there is 1 AVG and 1 standby VG. In this case R1 is the AVG and R2 is the standby.

R2 would act as an AVF and would already be forwarding and routing packets. Any additional

routers would be in a listen state.

In its role as the Active VG performing load balancing, R1 responds to ARP requests with different

virtual MAC addresses.

In this scenario, R2 is the Standby VF for the VMAC 0008.b400.0101 and would become the Active

VF if R1 were down.

The primary responsibility of the Active VG is to answer ARP requests to the virtual IP

address.

As an AVF router, R2 is already forwarding/routing packets.

QUESTION NO: 81

Network topology exhibit:

In this network segment, the two routers on the network are configured for GLBP (Gateway Load

Balancing Protocol). What can be said about this?

A. The hosts will have different default gateway IP addresses and different MAC addresses for

each router.

B. The default gateway address of each host should be set to the virtual IP address.

C. The hosts will learn the proper default gateway IP address from Router R1.

D. The default gateway address of each host should be set to the real IP address of the router.

E. None of the other alternatives apply.

Answer: B

Explanation:

GLBP performs a similar, but not identical, function for the user as the HSRP and VRRP. Both

HSRP and VRRP protocols allow multiple routers to participate in a virtual router group configured

with a virtual IP address. One member is elected to be the active router to forward packets sent to

the virtual IP address for the group. The other routers in the group are redundant until the active

router fails. With standard HSRP and VRRP, these standby routers pass no traffic in normal

operation - which is wasteful. Therefore the concept came about for using multiple virtual router

groups, which are configured for the same set of routers. But to share the load, the hosts must be

configured for different default gateways, which results in an extra administrative burden of going

around and configuring every host and creating 2 or more groups of hosts that each use a different

default gateway.

GLBP is similar in that it provides load balancing over multiple routers (gateways) - but it can do

this using only ONE virtual IP address!!! Underneath that one virtual IP address are multiple virtual

MAC addresses, and this is how the load is balanced between the routers. Instead of the hassle of

configuring all the hosts with a static Default Gateway, you can let them use ARP to find their

own. Multiple gateways in a "GLBP redundancy group" respond to client Address Resolution

Protocol (ARP) requests in a shared and ordered fashion, each with their own unique virtual MAC

addresses. As such, workstation traffic is divided across all possible gateways. Each host is

configured with the same virtual IP address, and all routers in the virtual router group participate in

forwarding packets.

Reference: http://www.infocellar.com/networks/Routers/HSRP-GLBP-VRRP.htm

QUESTION NO: 82

Refer to the exhibit. Assume that Switch_A is active for the standby group and the standby device

has only the default HSRP configuration. What conclusion is valid?

A. If port Fa1/1 on Switch_A goes down, the standby device will take over as active.

B. If the current standby device were to have the higher priority value, it would take over the role of

active for the HSRP group.

C. If Switch_A had the highest priority number, it would not take over as active router.

D. If port Fa1/1 on Switch_A goes down, the new priority value for the switch would be 190.

Answer: D

Explanation:

HSRP has a mechanism for detecting link failures and swaying the election, giving another router

an opportunity to take over the active role. When a specific interface is tracked, HSRP reduces the

router's priority by a configurable amount as soon as the interface goes down.

Switch(config-if)# standby group track type mod/num [decrementvalue]

By default, the decrement value for an interface is 10. So, when fa1/1 on Switch_A goes down, the

priority will be decreased by 10 from 200 to 190.
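The priority, preemption and interface-tracking rules used in the HSRP explanations above can be checked with a small model. This is an added example, not Cisco code or part of the original exam material; it ignores hello timers, the router names and 192.0.2.x addresses are constructed, and the R1/R2 priorities are assumptions because the exhibits are not reproduced on the page.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_PRIORITY = 100   # HSRP default priority, as stated in the explanations
DEFAULT_DECREMENT = 10   # default tracking decrement, as stated in the explanations


@dataclass
class Router:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    tracked: dict = field(default_factory=dict)  # interface name -> decrement
    down: set = field(default_factory=set)       # tracked interfaces currently down

    def track(self, ifname, decrement=DEFAULT_DECREMENT):
        self.tracked[ifname] = decrement

    def effective_priority(self):
        # Each tracked interface that is down lowers the configured priority.
        lost = sum(dec for ifname, dec in self.tracked.items() if ifname in self.down)
        return max(self.priority - lost, 0)


class HsrpGroup:
    def __init__(self):
        self.members = []
        self.active = None

    def reelect(self):
        if not self.members:
            self.active = None
        elif self.active is None:
            # No active router yet: highest priority wins, highest IP breaks a tie.
            self.active = max(
                self.members,
                key=lambda r: (r.effective_priority(), int(IPv4Address(r.ip))),
            )
        else:
            # An existing active router is displaced only by a router that has
            # preempt configured and a strictly higher priority (tie-breaking
            # during preemption is not modelled here).
            best = self.active
            for r in self.members:
                if r.preempt and r.effective_priority() > best.effective_priority():
                    best = r
            self.active = best
        return self.active

    def join(self, router):
        self.members.append(router)
        return self.reelect()

    def set_interface(self, router, ifname, up):
        (router.down.discard if up else router.down.add)(ifname)
        return self.reelect()


def boot_order_scenario(preempt_on_r2):
    """R1 boots first, then R2 with a higher priority (constructed values)."""
    group = HsrpGroup()
    group.join(Router("R1", "192.0.2.1", priority=100))
    return group.join(Router("R2", "192.0.2.2", priority=150, preempt=preempt_on_r2)).name


def tracking_scenario():
    """Switch_A (priority 200) tracks Fa1/1; the standby has the default configuration."""
    group = HsrpGroup()
    switch_a = Router("Switch_A", "192.0.2.1", priority=200, preempt=True)
    switch_a.track("Fa1/1")
    group.join(switch_a)
    group.join(Router("Switch_B", "192.0.2.2"))
    active = group.set_interface(switch_a, "Fa1/1", up=False)
    return switch_a.effective_priority(), active.name


def router_a_priorities():
    """Base priority 120 (inferred from the page's arithmetic), two tracked interfaces down."""
    router_a = Router("RouterA", "192.0.2.1", priority=120)
    router_a.track("Ethernet0/3")            # default decrement of 10
    router_a.track("FastEthernet0/2", 15)    # explicit decrement of 15
    router_a.down = {"Ethernet0/3", "FastEthernet0/2"}
    seen = [router_a.effective_priority()]
    for ifname in ("Ethernet0/3", "FastEthernet0/2"):
        router_a.down.discard(ifname)
        seen.append(router_a.effective_priority())
    return seen


if __name__ == "__main__":
    print(boot_order_scenario(False), boot_order_scenario(True))
    print(tracking_scenario())
    print(router_a_priorities())
```

In the tracking scenario Switch_A stays active after dropping to 190 because the standby still has the lower default priority and no preempt configured.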

Section 8: Troubleshoot IPv6 routing (3 Questions)

QUESTION NO: 83

Refer to the output. What IOS command produces this output?

A. show ip ospf

B. show ip ospf interface

C. show ipv6 ospf interface

D. show ipv6 ospf

Answer: D

Explanation:

Sample Output for the show ipv6 ospf Command

The following is sample output from the show ipv6 ospf command:

Router# show ipv6 ospf

Routing Process "ospfv3 1" with ID 172.16.3.3

It is an autonomous system boundary router

Redistributing External Routes from,

static

SPF schedule delay 5 secs, Hold time between two SPFs 10 secs

Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs

LSA group pacing timer 240 secs

Interface flood pacing timer 33 msecs

Retransmission pacing timer 66 msecs

Number of external LSA 1. Checksum Sum 0x218D

Number of areas in this router is 1. 1 normal 0 stub 0 nssa

Area 1

Number of interfaces in this area is 2

SPF algorithm executed 9 times

Number of LSA 15. Checksum Sum 0x67581

Number of DCbitless LSA 0

Number of indication LSA 0

Number of DoNotAge LSA 0

Flood list length 0

Reference: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ospf.html#wp1071056

QUESTION NO: 84

Refer to the exhibit. What two statements are true? (Choose two.)

A. The IP address of the backup designated router (BDR) is FE80::205:5FFF:FED3:5808.

B. This is the designated router (DR) on the FastEthernet 0/0 link.

C. Interface FastEthernet 0/0 was configured with the ipv6 ospf 1 area 1 command.

D. OSPF version 2 has been enabled to support IPv6.

E. The output was generated by the show ip interface command.

F. The router was configured with the commands:

router ospf 1

network 172.16.6.0 0.0.0.255 area 1

Answer: A,C

Explanation:

OSPFv3 supports IPv6. The configuration of OSPFv3 is not a subcommand mode of the router

ospf command as it is in OSPFv2 configuration. For example, instead of using the network area

command to identify networks that are part of the OSPFv3 network, the interfaces are directly

configured to specify that IPv6 networks are part of the OSPFv3 network.

The following describes the steps to configure OSPF for IPv6:

There are several commonly used OSPFv3 show commands, including the show ipv6 ospf

[process-id] [area-id] interface [interface] command.

QUESTION NO: 85

The command "clear ipv6 ospf process" was issued on a router. What does this command

accomplish?

A. The route table is cleared. Then the OSPF neighbors are reformed.

B. The OSPF adjacencies are cleared and initiated again.

C. The OSPF database is repopulated and then the shortest path first (SPF) algorithm is

performed.

D. The shortest path first (SPF) algorithm is performed on the LSA database.

E. None of the other alternatives apply

Answer: C

Explanation:

When the process keyword is used with the clear ipv6 ospf command, the OSPF database is

cleared and repopulated, and then the SPF algorithm is performed. When the force-spf keyword is

used with the clear ipv6 ospf command, the OSPF database is not cleared before the SPF

algorithm is performed.

Reference: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ospf_support_TSD_Island_of_Content_Chapter.html

Section 9: Troubleshoot IPv6 and IPv4 interoperability (4 Questions)

QUESTION NO: 86

To enable BGP tunneling over the IPv4 backbone, the IPv4 address 192.168.30.1 is converted

into a valid IPv6 address. Which three IPv6 addresses are acceptable formats for the IPv4

address? (Choose three.)

A. 192.168.30.1:0:0:0:0:0:0

B. 0:0:0:0:0:0:192.168.30.1

C. ::192.168.30.1

D. C0A8:1E01::

E. 192.168.30.1::

F. ::C0A8:1E01

Answer: B,C,F

Explanation:

Many transition strategies have been developed for IPv4 networks to migrate to IPv6 service and

for IPv6 networks to intercommunicate over IPv4 networks. Most of these strategies involve

tunneling, dual stack, IPv4 Compatible IPv6 Address. A mechanism exists for creating IPv6

addresses that are compatible with IPv4. These addresses use 0s in the first 96 bits of the

address and one of the two formats for the remaining portion of the address.

Here is the example of IPv4 10.10.100.16 address acceptable for IPv6 format:

0:0:0:0:0:10:10:100:16

or

::10:10:100:16

or

::A:A:64:10

So Answer B, C, F are the correct answers.

QUESTION NO: 87

A company network is implementing IPv6 into their existing IPv4 network. Which statement is true

about incorporating IPv6 into an already existing IPv4 network?

A. Only OSPF version 3 can be utilized for routing IPv4 and IPv6.

B. IPv4 and IPv6 networks can be routed simultaneously.

C. IPv6 can be routed using the same routing protocol versions as IPv4

D. A router routing for IPv6 and IPv4 must convert IPv4 packets to IPv6 packets to route them.

E. None of the other alternatives apply

Answer: B

Explanation:

The transition from IPv4 to IPv6 does not require an upgrade on all nodes at the same time. Many

transition mechanisms, like dual stack, tunneling, etc., enable smooth integration of IPv4 to IPv6.

You can configure an IPv4 address as well as an IPv6 address on the same interface of the same router, so you can

route IPv4 and IPv6 simultaneously.

Here is the example to configure IPv4 and IPv6 address on the same interface:

Router(Config)#int s0/0

Router(Config-if)#ip address 1.1.1.1 255.255.255.0

Router(Config-if)#ipv6 address affe::1/64

QUESTION NO: 88

A company is using 6to4 tunneling within their IPv6 network. Which two statements about this kind

of tunneling are accurate? (Choose two)

A. 6to4 is a manual tunnel method.

B. Prepending a reserved IPv6 code to the hexadecimal representation of 192.168.0.1 facilitates

6to4 tunneling.

C. Each 6to4 site receives a /48 prefix in a 6to4 tunnel.

D. 2002::/48 is the address range specifically assigned to 6to4.

E. Prepending 0x2002 with the IPv4 address creates an IPv6 address that is used in 6to4

tunneling.

Answer: C,E

Explanation:

The 6to4 transition mechanism provides a solution to the complexity problem of building manually

configured tunnels to an ISP by advertising a site's IPv4 tunnel endpoint (to be used for a dynamic

tunnel) in a special external routing prefix for that site.

The specification of a 48-bit external routing prefix in the IPv6 Aggregatable Global Unicast

Address Format that provides just enough space to hold the 32 bits required for the 32-bit IPv4

tunnel endpoint address (called V4ADDR in Figure 3) makes this setup possible.

Sending and Receiving Rules for 6to4 Routers

When the requesting site's 6to4 router sees that it must send a packet to another site (that is,

there is a nonlocal destination), and that the next hop destination prefix contains the special 6to4

Top Level Aggregation (TLA) value of 2002::/16, the IPv6 packet is encapsulated in an IPv4

packet using an IPv4 protocol type of 41, as defined in the Transition Mechanisms RFC.

Reference: Routing IPv6 over IPv4

www.cisco.com/web/about/ac123/ac147/ac174/ac197/about_cisco_ipj_archive_article09186a00800c830a.html

QUESTION NO: 89

A Company is using 6to4 tunnels in their IPv6 network. Which two statements are true about these

tunnels? (Choose two)

A. In a 6to4 tunnel, the first two bytes of the IPv6 address will be 0x2002 and the next four bytes

will be the hexadecimal equivalent of the IPv4 address.

B. In a 6to4 tunnel, the IPv4 address 192.168.99.1 would be converted to the

2002:1315:4463:1::/64 IPv6 address.

C. In a 6to4 tunnel, the IPv4 address 192.168.99.1 would be converted to the 2002:c0a8:6301::/48

IPv6 address.

D. In a 6to4 tunnel, the first two bytes of the IPv6 address will be locally derived and the next two

bytes will be the hexadecimal equivalent of the IPv4 address.

E. In a 6to4 tunnel, the IPv4 address 192.168.99.1 would be converted to the 2002:c0a8:6301::/16

IPv6 address.

Answer: A,C

Explanation:

The 6to4 method uses the reserved prefix 2002::/16 concatenated with the hexadecimal equivalent of the IPv4 address to allow an IPv4 site to create and use a /48 IPv6 prefix based on a single globally routable IPv4 address. For example, in a 6to4 tunnel, the first two bytes of the IPv6 address will be locally derived and the next two bytes will be the hexadecimal equivalent of the IPv4 address.

Reference: BSCI study guide volume 2, Cisco Press, page 8-75.
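
The 6to4 rules from Questions 88 and 89 (the reserved prefix 2002::/16 followed by the hexadecimal IPv4 address gives the site's /48, and traffic to a 2002::/16 destination is wrapped in IPv4 protocol 41), worked through as an added Python example that is not part of the original practice test. The function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

SIXTOFOUR_PREFIX = ipaddress.ip_network("2002::/16")  # reserved 6to4 prefix
IPPROTO_IPV6 = 41                                     # IPv4 protocol number for IPv6-in-IPv4


def site_prefix(ipv4):
    """Return the /48 that a 6to4 site derives from its IPv4 tunnel endpoint."""
    v4 = ipaddress.IPv4Address(ipv4)
    # Bits 0-15 are 0x2002, bits 16-47 are the IPv4 address (V4ADDR), the rest is zero.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def tunnel_endpoint(ipv6):
    """Return the IPv4 endpoint embedded in a 6to4 address, or None if it is not 6to4."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR_PREFIX:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def ipv4_checksum(header):
    """Internet checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(ipv6_packet, local_ipv4):
    """Sending rule: wrap an IPv6 packet bound for 2002::/16 in IPv4 protocol 41."""
    remote = tunnel_endpoint(ipv6_packet[24:40])  # bytes 24-39 hold the IPv6 destination
    if remote is None:
        raise ValueError("destination is outside 2002::/16, so no 6to4 endpoint exists")
    src = ipaddress.IPv4Address(local_ipv4).packed
    fields = [0x45, 0, 20 + len(ipv6_packet), 0, 0, 64, IPPROTO_IPV6, 0,
              src, remote.packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + ipv6_packet


def sample_ipv6_packet(src, dst):
    """Constructed 40-byte IPv6 header with no payload (next header 59 = none)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


if __name__ == "__main__":
    # 192.168.99.1 and 192.168.0.1 are the addresses used in the questions; a real
    # 6to4 site needs a globally routable IPv4 address, as the explanation states.
    print(site_prefix("192.168.99.1"))
    inner = sample_ipv6_packet("2002:c0a8:0001:1::1", "2002:c0a8:6301:1::5")
    outer = encapsulate(inner, "192.168.0.1")
    print("outer protocol:", outer[9], "outer destination:",
          ipaddress.IPv4Address(outer[16:20]))
```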

Section 10: Troubleshoot switch-to-switch connectivity for the VLAN based solution (9 Questions)

QUESTION NO: 90

On the basis of the following exhibit, can you tell me why VLAN updates from switch CK-P2S1 are

not applied to switch CK-P1S1? (Choose three.)

A. The MD5 digests do not match.

B. Switch CK-P1S1 is in transparent mode.

C. The passwords do not match.

D. The VTP domains are different.

Answer: B,C,D

Explanation:

Determine the VTP mode of operation of the switch and include the mode when setting the VTP

domain name information on the switch. If you leave the switch in server mode, be sure to verify

that the configuration revision number is set to 0 before adding the switch to the VTP domain. It is

generally recommended that you have several servers in the domain, with all other switches set to

client mode for purposes of controlling VTP information.

It is also highly recommended that you use secure mode in your VTP domain. Assigning a

password to the domain will accomplish this. This will prevent unauthorized switches from

participating in the VTP domain. From the privileged mode or VLAN configuration mode, use the

vtp password password command.

QUESTION NO: 91

Two switches connect multiple VLANs as shown below:

SW1 configuration exhibit:

SW2 configuration exhibit:

Refer to the exhibits and the show interfaces fastethernet0/1 switchport outputs. Users in VLAN 5

on switch SW1 complain that they do not have connectivity to the users in VLAN 5 on switch SW2.

What should be done to fix the problem?

A. Define VLAN5 in the allowed list for the trunk port on SW2

B. Configure the same number of VLANs on both switches.

C. Disable pruning for all VLANs in both switches.

D. Define VLAN5 in the allowed list for the trunk port on SW1.

E. Create switch virtual interfaces (SVI) on both switches to route the traffic.

F. None of the other alternatives apply.

Answer: D

Explanation:

The switchport trunk allowed vlan command defines which VLANs can be trunked over the link. By default, a switch transports all active VLANs (1 to 4094) over a trunk link. There might be times when the trunk link should not carry all VLANs. For example, broadcasts are forwarded to every switch port on a VLAN, including the trunk link, because it, too, is a member of the VLAN.

If the VLAN does not extend past the far end of the trunk link, propagating broadcasts across the trunk makes no sense.

QUESTION NO: 92

In the network, VLAN Trunking Protocol (VTP) is running with a domain name of R1. VLANs 1, 2,

3, 4, 5, 10, 20 are active on the network. Suddenly the whole network goes down. No traffic is

being passed on VLANs 2, 3, 4, 5, 10, 20. However, traffic passes on VLAN 1 and indicates all

switches are operational. Right before the network problem occurred, a switch named SW13 was

taken out of the lab and added to the network. What three configuration issues on SW13 could be

causing the network outage? (Select three)

A. SW13 has a higher VTP configuration revision than the current VTP revision.

B. SW13 is configured as a VTP server with a different domain name.

C. SW13 is configured as a VTP server with the domain name R1.

D. SW13 has a lower VTP configuration revision than the current VTP revision.

E. SW13 is not configured to participate in VTP.

F. SW13 is configured with only VLAN1.

Answer: A,C,F

Explanation:

VTP Modes:

1. Server

By default, a Catalyst switch is in the VTP server mode and in the "no management domain" state

until the switch receives an advertisement for a domain over a trunk link or a VLAN management

domain is configured. A switch that has been put in VTP server mode and had a domain name

specified can create, modify, and delete VLANs. VTP servers can also specify other configuration

parameters such as VTP version and VTP pruning for the entire VTP domain. VTP information is

stored in NVRAM.

2. Client

The VTP client maintains a full list of all VLANs within the VTP domain, but it does not store the

information in NVRAM. VTP clients behave the same way as VTP servers, but it is not possible to

create, change, or delete VLANs on a VTP client. Any changes made must be received from a

VTP server advertisement. A client makes contact with the VTP server within 5 minutes and copies the advertisements from the VTP server that has the highest revision number. So, before connecting any switch to the LAN, verify which mode the new switch is in, what its revision number is, and whether that number is higher than that of the other switches operating in server mode.

3. Transparent

VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise

its VLAN configuration, and does not synchronize its VLAN configuration based on received

advertisements. However, in VTP Version 2, transparent switches do forward VTP advertisements

that the switches receive out their trunk ports. VLANs can be configured on a switch in the VTP

transparent mode, but the information is local to the switch (VLAN information is not propagated to

other switches) and is stored in NVRAM.

QUESTION NO: 93

You're a network administrator and you issue the command (show port 3/1) on an Ethernet port. To

your surprise you notice a non-zero entry in the 'Giants' column. What could be the cause of this?

A. IEEE 802.1Q

B. IEEE 802.10

C. Misconfigured NIC

D. User configuration

E. All of the above

Answer: A

Explanation:

The 802.1Q standard can create an interesting scenario on the network. Recalling that the

maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes, this means that if a

maximum-sized Ethernet frame gets tagged, the frame size will be 1522 bytes, a number that

violates the IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup

called 802.3ac to extend the maximum Ethernet size to 1522 bytes.

Note: The show port command is used to display port status and counters. Giants denote the

number of received giant frames (frames that exceed the maximum IEEE 802.3 frame size) on the

port.

Reference: Trunking between Catalyst 4000, 5000, and 6000 Family Switches Using 802.1q

Encapsulation

http://www.cisco.com/warp/public/473/27.html

QUESTION NO: 94

You have a trunk link operating between two switches and you're experiencing problems with

frames leaking between the two VLANs. Each switch has identical modules, software revisions

and VLAN configuration information. Spanning tree protocol is disabled on all VLANs. What is

probably causing this problem? (Select all that apply)

A. The link is using IEEE 802.1Q protocol

B. The link is using IEEE 802.1E protocol

C. Spanning tree is disabled

D. Not enough information to determine.

E. The native VLAN information is identical at each end of the link.

F. The native VLAN information is different at each end of the link.

Answer: A,F

Explanation:

While internal to a switch, VLAN numbers and identification are carried in a special extended

format that allows the forwarding path to maintain VLAN isolation from end to end without any loss

of information. Instead, outside of a switch, the tagging rules are dictated by standards such as

ISL or 802.1Q.

ISL is a Cisco proprietary technology and is in a sense a compact form of the extended packet

header used inside the device: since every packet always gets a tag, there is no risk of identity

loss and therefore of security weaknesses.

On the other hand, the IEEE committee that defined 802.1Q decided that because of backward

compatibility it was desirable to support the so-called native VLAN, that is to say, a VLAN that is

not associated explicitly to any tag on an 802.1Q link. This VLAN is implicitly used for all the

untagged traffic received on an 802.1Q capable port.

This capability is desirable because it allows 802.1Q capable ports to talk to old 802.3 ports

directly by sending and receiving untagged traffic. However, in all other cases, it may be very

detrimental because packets associated with the native VLAN lose their tags, for example, their

identity enforcement, as well as their Class of Service (802.1p bits) when transmitted over an

802.1Q link.

For these sole reasons (loss of means of identification and loss of classification), the use of the native VLAN should be avoided.

Reference:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

QUESTION NO: 95 CORRECT TEXT

What command could you enter to display the trunking status of a module/port in the switch?

(Type in the answer below):

Answer: show trunk

QUESTION NO: 96

You are troubleshooting a Catalyst 5000 trunk in the network. What should you do if there's a

disagreement about the VLANs configured to use the trunk?

A. Reload the active VLAN configuration

B. Clear the affected port and bring it up again.

C. Explicitly set the trunk for the VLAN to be on.

D. Remove all the VLANs set

Answer: B

Explanation:

In this situation you may want to set or clear the VLANs on both ends. A trunk is a point-to-point

link between one or more Ethernet switch interfaces and another networking device such as a

router or a switch. Trunks carry the traffic of multiple VLANs over a single link and allow you to

extend VLANs across an entire network. Two trunking encapsulations are available on all Ethernet

interfaces:

Inter-Switch Link (ISL): ISL is a Cisco-proprietary trunking encapsulation.

802.1Q: 802.1Q is an industry-standard trunking encapsulation.

When a trunk is first brought up using either of these methods, it may be beneficial to clear the

port immediately after.

QUESTION NO: 97

Which kind of management can be performed from the console port of a Cisco 6500 switch?

A. Physical management of the switch.

B. Logical management of the switch.

C. In-band management of the switch.

D. Out-of-band management of the switch.

Answer: D

Explanation:

When you configure a switch or a router from the console, it is considered 'out of band' because

you don't get in there from any of the paths that the network device is a part of. Modems are often

attached to the console port, providing for remote out of band management of the device.

QUESTION NO: 98

A VTP domain has six active VLANs. Without notice, all VLANs except VLAN1 fail. Just prior to

the failure, Switch2 was added to the network.

Which three issues on Switch2 could be the cause? Select three.

A. Switch2 is configured for only VLAN1.

B. Switch2 is a VTP server in a different domain.

C. Switch2 is a VTP server in the Company domain.

D. Switch2 is not a VTP domain.

E. Switch2 has a lower VTP configuration revision number than the current VTP revision.

F. Switch2 has a higher VTP configuration revision number than the current VTP revision.

Answer: A,C,F

Explanation:

A VTP server in a given domain with the highest revision number will overwrite the VTP configuration of all other switches in the same VTP domain. Cisco best practice advises configuring the correct VTP domain, VTP password, VTP mode (server, client, transparent), and VTP revision number before adding any new switch to a network. The default VTP mode is server. A network can have more than one VTP domain. Each VTP domain has its own server(s) that do not influence clients in other VTP domains.

Section 11: Troubleshoot loop prevention for the VLAN based solution (18 Questions)

QUESTION NO: 99

You need to troubleshoot an issue on the switched LAN. When you issue a command "show port

3/1" on a switch, you observe the Giants column has a non-zero entry. What could cause this?

A. IEEE 802.10

B. Misconfigured NIC

C. User configuration

D. IEEE 802.1Q

E. None of the other alternatives apply

Answer: D

Explanation:

802.1Q uses an internal tagging mechanism. Internal means that a tag is inserted within the

frame:

Note: With ISL, the frame is encapsulated instead.

The tagging mechanism implies a modification of the frame; the trunking device inserts a 4-byte

tag and recomputes the frame check sequence (FCS):

The EtherType field that identifies the 802.1Q frame is 0x8100. In addition to the 12-bit VLAN-ID, 3

bits are reserved for IEEE 802.1p priority tagging.

Note: Inserting a tag into a frame that already has the maximum Ethernet size creates a 1522-byte

frame that can be considered a "baby giant" by the receiving equipment. The IEEE 802.3

committee is extending the maximum standard frame size in order to address this issue.

Reference:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008012ecf3.shtml#basic_char
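
The 802.1Q behaviour behind Questions 93, 94 and 99 (a 4-byte tag with EtherType 0x8100, the FCS recomputed, a 1518-byte frame growing to 1522 bytes, and untagged native VLAN traffic being classified by whatever native VLAN the receiving end has configured), modelled as an added Python example that is not part of the original practice test. The function names, MAC addresses and frame contents are constructed for illustration.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # EtherType that identifies an 802.1Q tag
MAX_8023_FRAME = 1518    # maximum IEEE 802.3 frame size, FCS included


def with_fcs(frame_without_fcs):
    """Append the Ethernet frame check sequence (CRC-32, least significant byte first)."""
    return frame_without_fcs + struct.pack("<I", zlib.crc32(frame_without_fcs))


def trunk_egress(frame, vlan, native_vlan, priority=0):
    """Return the frame as the sending trunk port puts it on the wire."""
    if not 1 <= vlan <= 4094 or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must be 1-4094 and 802.1p priority 0-7")
    if vlan == native_vlan:
        return frame                      # native VLAN traffic is sent untagged
    tci = (priority << 13) | vlan         # 3 priority bits, 12-bit VLAN ID
    body = frame[:-4]                     # drop the old FCS
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return with_fcs(tagged)               # tag inserted after the MACs, FCS recomputed


def trunk_ingress(frame, native_vlan):
    """Return (vlan, priority, untagged_frame) as the receiving trunk port sees it."""
    ethertype, tci = struct.unpack("!HH", frame[12:16])
    if ethertype != TPID_8021Q:
        # No tag on the wire: the receiver assumes its OWN native VLAN,
        # and any 802.1p priority the frame had is gone.
        return native_vlan, 0, frame
    body = frame[:-4]
    return tci & 0x0FFF, tci >> 13, with_fcs(body[:12] + body[16:])


def is_giant(frame):
    """True when a port enforcing the plain 802.3 maximum would count a giant."""
    return len(frame) > MAX_8023_FRAME


def sample_frame(payload_len):
    """Constructed untagged Ethernet II frame; addresses and payload are made up."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    return with_fcs(dst + src + struct.pack("!H", 0x0800) + bytes(payload_len))


if __name__ == "__main__":
    full = sample_frame(1500)                       # 14 + 1500 + 4 = 1518 bytes
    tagged = trunk_egress(full, vlan=5, native_vlan=1, priority=3)
    print(len(full), len(tagged), is_giant(tagged))
    print(trunk_ingress(tagged, native_vlan=1)[:2])

    # Native VLAN mismatch: the sender treats VLAN 1 as native, the receiver VLAN 2.
    untagged = trunk_egress(full, vlan=1, native_vlan=1)
    print("sent in VLAN 1, received in VLAN", trunk_ingress(untagged, native_vlan=2)[0])
```

Running `show interfaces trunk` on both ends and comparing the native VLAN column is the corresponding check on real switches.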

QUESTION NO: 100

SW1 configuration exhibit:

SW2 configuration exhibit:

SW3 configuration exhibit:

Study the exhibits carefully. Based on the information shown above, which statement is true?

A. The port on switch SW3 is forwarding and receiving BPDUs correctly.

B. The port on switch SW1 is forwarding and sending BPDUs correctly.

C. The port on switch SW1 is blocking and sending BPDUs correctly.

D. The port on switch SW2 is blocking and sending BPDUs correctly.

E. The port on switch SW2 is forwarding and receiving BPDUs correctly.

F. The port on switch SW3 is forwarding, sending, and receiving BPDUs correctly.

G. None of the other alternatives apply.

Answer: B

Explanation:

STP States

To participate in STP, each port of a switch must progress through several states. A port begins its life in a Disabled state, moving through several passive states and, finally, into an active state if allowed to forward traffic. The STP port states are as follows:

* Disabled: Ports that are administratively shut down by the network administrator, or by the system due to a fault condition, are in the Disabled state. This state is special and is not part of the normal STP progression for a port.

* Blocking: After a port initializes, it begins in the Blocking state so that no bridging loops can form. In the Blocking state, a port cannot receive or transmit data and cannot add MAC addresses to its address table. Instead, a port is allowed to receive only BPDUs so that the switch can hear from other neighboring switches. In addition, ports that are put into standby mode to remove a bridging loop enter the Blocking state.

* Listening: The port will be moved from Blocking to Listening if the switch thinks that the port can be selected as a Root Port or Designated Port. In other words, the port is on its way to begin forwarding traffic. In the Listening state, the port still cannot send or receive data frames. However, the port is allowed to receive and send BPDUs so that it can actively participate in the Spanning Tree topology process. Here, the port is finally allowed to become a Root Port or Designated Port because the switch can advertise the port by sending BPDUs to other switches. Should the port lose its Root Port or Designated Port status, it returns to the Blocking state.

* Learning: After a period of time called the Forward Delay in the Listening state, the port is allowed to move into the Learning state. The port still sends and receives BPDUs as before. In addition, the switch can now learn new MAC addresses to add to its address table. This gives the port an extra period of silent participation and allows the switch to assemble at least some address table information.

* Forwarding: After another Forward Delay period of time in the Learning state, the port is allowed to move into the Forwarding state. The port can now send and receive data frames, collect MAC addresses in its address table, and send and receive BPDUs. The port is now a fully functioning switch port within the Spanning Tree topology.

QUESTION NO: 101

The switched LAN is shown below:

Study the exhibit above carefully. Switch SW5 is configured as the root switch for VLAN 10 but not

for VLAN 20. If the STP configuration is correct, what will be true about Switch SW5?

A. All ports in VLAN 10 will be in forwarding mode and all ports in VLAN 20 will be in standby

mode.

B. All ports will be in forwarding mode.

C. All ports in VLAN 10 will be in forwarding mode and all ports in VLAN 20 will be in blocking

mode.

D. All ports in VLAN 10 will be in forwarding mode.

E. None of the other alternatives apply.

Answer: D

Explanation:

STP States

To participate in STP, each port of a switch must progress through several states. A port begins its life in a Disabled state, moving through several passive states and, finally, into an active state if allowed to forward traffic. The STP port states are as follows:

* Disabled: Ports that are administratively shut down by the network administrator, or by the system due to a fault condition, are in the Disabled state. This state is special and is not part of the normal STP progression for a port.

* Blocking: After a port initializes, it begins in the Blocking state so that no bridging loops can form. In the Blocking state, a port cannot receive or transmit data and cannot add MAC addresses to its address table. Instead, a port is allowed to receive only BPDUs so that the switch can hear from other neighboring switches. In addition, ports that are put into standby mode to remove a bridging loop enter the Blocking state.

* Listening: The port will be moved from Blocking to Listening if the switch thinks that the port can be selected as a Root Port or Designated Port. In other words, the port is on its way to begin forwarding traffic. In the Listening state, the port still cannot send or receive data frames. However, the port is allowed to receive and send BPDUs so that it can actively participate in the Spanning Tree topology process. Here, the port is finally allowed to become a Root Port or Designated Port because the switch can advertise the port by sending BPDUs to other switches. Should the port lose its Root Port or Designated Port status, it returns to the Blocking state.

* Learning: After a period of time called the Forward Delay in the Listening state, the port is allowed to move into the Learning state. The port still sends and receives BPDUs as before. In addition, the switch can now learn new MAC addresses to add to its address table. This gives the port an extra period of silent participation and allows the switch to assemble at least some address table information.

* Forwarding: After another Forward Delay period of time in the Learning state, the port is allowed to move into the Forwarding state. The port can now send and receive data frames, collect MAC addresses in its address table, and send and receive BPDUs. The port is now a fully functioning switch port within the Spanning Tree topology.

QUESTION NO: 102

The following output was shown on switch SW1:

Based on the "show spanning-tree vlan 200" output shown in the exhibit, which two statements

about the STP process for VLAN 200 are true? (Select two)

A. This switch is the root bridge for VLAN 200.

B. The maximum length of time that the BPDU information will be saved is 30 seconds.

C. BPDUs will be sent out every 10 seconds.

D. The time spent in the listening state will be 30 seconds.

E. BPDUs will be sent out every two seconds.

F. The time spent in the learning state will be 15 seconds.

Answer: C,D

Explanation:

STP operation is controlled by three timers. The Hello Time is the amount of time between the

sending of Configuration BPDUs. The 802.1D standard specifies a default value of 2 seconds.

This value controls Configuration BPDUs as the Root Bridge generates them. Other bridges

propagate BPDUs from the Root Bridge as they are received.

If BPDUs stop arriving for the time interval ranging from 2 to 20 seconds because of a network

disturbance, or if the Root Bridges stop sending periodic BPDUs during this time, the timer will

expire. 2 to 20 seconds is the range between the expected receipt of a BPDU and the expiration of

the Max Age time. If the outage lasts for more than 20 seconds, the default Max Age time, the

bridge invalidates the saved BPDUs and begins looking for a new Root Port.

Forward Delay is the amount of time the bridge spends in the Listening and Learning states. This

is a single value that controls both states. The default value of 15 seconds was originally derived

assuming a maximum network size of seven bridge hops, a maximum of three lost BPDUs, and a

Hello Time of 2 seconds. The Forward Delay timer also controls the bridge table age-out period

after a change in the active topology.

Max Age is the STP timer that controls how long a bridge stores a BPDU before discarding it. Max

Age is only an issue when the link failure is not on a directly connected link. When a failure occurs

on a directly connected link, the switch knows there will not be any BPDUs coming in on that link,

so Max Age is not considered in transitioning the port to Forwarding mode. Recall that each port

saves a copy of the best BPDU it has seen. As long as the bridge receives a continuous stream of

BPDUs every 2 seconds, the receiving bridge maintains a continuous copy of the BPDU values.

However, if the device sending this best BPDU fails, a mechanism must exist to allow other

bridges to take over.

QUESTION NO: 103

Refer to the following network exhibits:

SW1 configuration exhibit:

SW2 configuration exhibit:

Refer to the network topology exhibit and the partial configuration exhibits of switch SW1 and

SW2. STP is configured on all switches in the network. SW2 receives this error message on the

console port:

00:06:34: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/5 (not half duplex), with SW1 FastEthernet0/4 (half duplex) ,with TBA05071417(Cat6K-B) 0/4 (half duplex).

What would be the possible outcome of the problem shown in this message?

A. The root port on switch SW2 will fallback to full-duplex mode.

B. Interface Fa 0/6 on switch SW2 will transition to a forwarding state and create a bridging loop.

C. The interfaces between switches SW1 and SW2 will transition to a blocking state.

D. The root port on switch SW1 will automatically transition to full-duplex mode.

E. None of the other alternatives apply.

Answer: B

Explanation:

STP States

To participate in STP, each port of a switch must progress through several states. A port begins its life in a Disabled state, moving through several passive states and, finally, into an active state if allowed to forward traffic. The STP port states are as follows:

* Disabled: Ports that are administratively shut down by the network administrator, or by the system due to a fault condition, are in the Disabled state. This state is special and is not part of the normal STP progression for a port.

* Blocking: After a port initializes, it begins in the Blocking state so that no bridging loops can form. In the Blocking state, a port cannot receive or transmit data and cannot add MAC addresses to its address table. Instead, a port is allowed to receive only BPDUs so that the switch can hear from other neighboring switches. In addition, ports that are put into standby mode to remove a bridging loop enter the Blocking state.

* Listening: The port will be moved from Blocking to Listening if the switch thinks that the port can be selected as a Root Port or Designated Port. In other words, the port is on its way to begin forwarding traffic. In the Listening state, the port still cannot send or receive data frames. However, the port is allowed to receive and send BPDUs so that it can actively participate in the Spanning Tree topology process. Here, the port is finally allowed to become a Root Port or Designated Port because the switch can advertise the port by sending BPDUs to other switches. Should the port lose its Root Port or Designated Port status, it returns to the Blocking state.

* Learning: After a period of time called the Forward Delay in the Listening state, the port is allowed to move into the Learning state. The port still sends and receives BPDUs as before. In addition, the switch can now learn new MAC addresses to add to its address table. This gives the port an extra period of silent participation and allows the switch to assemble at least some address table information.

* Forwarding: After another Forward Delay period of time in the Learning state, the port is allowed to move into the Forwarding state. The port can now send and receive data frames, collect MAC addresses in its address table, and send and receive BPDUs. The port is now a fully functioning switch port within the Spanning Tree topology.

QUESTION NO: 104

The following "show" command was issued on a switch:

Study the exhibit carefully. Based on the output shown above, which statement is true?

A. Switch 6 has been configured with the "spanning-tree vlan 1 hello-time 2" global configuration

command.

B. The root bridge has been configured with the "spanning-tree vlan 1 root secondary" global

configuration command.

C. Switch SW6 has been configured with the "spanning-tree vlan 1 priority 24577" global

configuration command.

D. Switch SW6 has been configured with the "spanning-tree vlan 1 root primary" global

configuration command.

E. Switch SW6 has been configured with the "spanning-tree vlan 1 root secondary" global

configuration command.

F. None of the other alternatives apply.

Answer: E

Explanation:

To configure a Catalyst switch to become the Root Bridge, use one of the following methods:

* Directly modify the Bridge Priority value so that a switch can be given a lower-than-default Bridge ID value to win a Root Bridge election:

Switch(config)# spanning-tree vlan vlan-id priority bridge-priority

The bridge-priority value defaults to 32,768, but you can also assign a value of 0 to 65,535. Remember that Catalyst switches run one instance of STP for each VLAN (PVST+), so the VLAN ID must always be given. You should designate an appropriate Root Bridge for each VLAN.

* Let the switch become the Root by automatically choosing a Bridge Priority value:

Switch(config)# spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]

This command is actually a macro on the Catalyst that executes several other commands. The result is a more direct and automatic way to force one switch to become the Root Bridge. Actual Bridge Priorities are not given in the command. Rather, the switch modifies STP values according to the current values in use within the active network. These values are modified only once, when the macro command is issued.

Use the primary keyword to make the switch attempt to become the primary Root Bridge. This command modifies the switch's Bridge Priority value to become less than the Bridge Priority of the current Root Bridge. If the current Root Priority is more than 24,576, the local switch sets its priority to 24,576. If the current Root Priority is less than that, the local switch sets its priority to 4096 less than the current Root. For the secondary Root Bridge, the Root Priority is set to 28,672. There is no way to query or listen to the network to find another potential secondary Root, so this priority is used under the assumption that it is less than the default priorities (32,768) that might be used elsewhere.

QUESTION NO: 105

The switched LAN is displayed below:

In this network, STP has been implemented. Switch SW1 is the root switch for the default VLAN.

To reduce the broadcast domain, the network administrator decides to split users on the network

into VLAN 2 and VLAN 10. The administrator issues the command spanning-tree vlan 2 root

primary on switch SW1. What will happen as a result of this change?

A. Switch SW1 will change its spanning tree priority to become root for VLAN 2 only.

B. All ports of the root switch SW1 will remain in forwarding mode throughout the reconvergence

of the spanning tree domain.

C. No other switch in the network will be able to become root as long as switch SW1 is up and

running.

D. Switch SW1 will remain root for the default VLAN and will become root for VLAN 2.

E. None of the other alternatives apply

Answer: D

Explanation:

By default, switches with Cisco PVST and PVST+ maintain a separate spanning-tree instance for each active VLAN configured on them. A bridge ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For each VLAN, the switch with the lowest bridge ID becomes the root switch for that VLAN.

To configure a switch to become the root for the specified VLAN, use the spanning-tree vlan vlan-id root primary global configuration command to modify the switch priority from the default value (32768) to a significantly lower value. When this command is entered, the switch checks the switch priority of the root switches for each VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN.

If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. 4096 is the value of the least-significant bit of a 4-bit switch priority value.
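The per-VLAN root election and the root primary / root secondary macro described in the explanations for Questions 104 and 105, as an added Python model that is not part of the original practice test. The Switch class, the function names and the three-switch lab with its MAC addresses are constructed for illustration, and the handling of an equal priority that loses on MAC address is an assumption.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768    # default bridge priority quoted in the explanations
PRIMARY_PRIORITY = 24576    # first value "root primary" tries
SECONDARY_PRIORITY = 28672  # fixed value set by "root secondary"
STEP = 4096                 # one priority step


@dataclass
class Switch:
    name: str
    mac: str                                      # constructed sample MAC, dotted hex
    priority: dict = field(default_factory=dict)  # VLAN id -> configured priority

    def prio(self, vlan):
        return self.priority.get(vlan, DEFAULT_PRIORITY)

    def bridge_id(self, vlan):
        """Bridge ID of one PVST+ instance as a sortable (priority, MAC) pair.

        With the extended system ID the VLAN number is added to the priority,
        as in a show line such as "32968 (priority 32768 sys-id-ext 200)".
        """
        return (self.prio(vlan) + vlan, int(self.mac.replace(".", ""), 16))


def elect_root(switches, vlan):
    """For each VLAN the switch with the lowest bridge ID becomes root."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def root_primary(local, switches, vlan):
    """Model of "spanning-tree vlan <vlan> root primary" issued on `local`.

    Runs once against the priorities in use at that moment and stores the
    result; nothing re-evaluates it later.
    """
    others = [s for s in switches if s is not local]
    chosen = PRIMARY_PRIORITY
    if others:
        root = elect_root(others, vlan)
        trial_id = (PRIMARY_PRIORITY + vlan, local.bridge_id(vlan)[1])
        if trial_id > root.bridge_id(vlan):
            # 24576 would not win, so go one step below the current root.
            # Assumption: an equal priority that loses on MAC is handled the
            # same way; the page only covers "lower than 24576".
            chosen = root.prio(vlan) - STEP
            if chosen < 0:
                raise ValueError(f"{root.name} already uses priority 0 for VLAN {vlan}")
    local.priority[vlan] = chosen
    return chosen


def root_secondary(local, vlan):
    """Model of "root secondary": always 28672, without looking at the network."""
    local.priority[vlan] = SECONDARY_PRIORITY
    return SECONDARY_PRIORITY


def build_lab():
    """Constructed three-switch lab; SW1 is already root for VLAN 1 only."""
    return [
        Switch("SW1", "0019.aa00.0300", {1: PRIMARY_PRIORITY}),
        Switch("SW2", "0019.aa00.0100"),
        Switch("SW3", "0019.aa00.0200"),
    ]


if __name__ == "__main__":
    lab = build_lab()
    for vlan in (1, 2, 10):
        print("before: VLAN", vlan, "root is", elect_root(lab, vlan).name)
    print("SW1 picks", root_primary(lab[0], lab, 2), "for VLAN 2")
    for vlan in (1, 2, 10):
        print("after:  VLAN", vlan, "root is", elect_root(lab, vlan).name)
```

Because the macro stores a plain priority once, a later manual priority below that value on another switch takes the root role back for that VLAN.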

QUESTION NO: 106

Refer to the exhibit. All network links are FastEthernet. Although there is complete connectivity

throughout the network, Front Line users have been complaining that they experience slower

network performance when accessing the server farm than the Reception office experiences.

Based on the exhibit, which two statements are true? (Choose two.)

A. Disabling the Spanning Tree Protocol would improve network performance.

B. Changing the bridge priority of S1 to 36864 would improve network performance.

C. Changing the bridge priority of S1 to 4096 would improve network performance.

D. Changing the bridge priority of S3 to 4096 would improve network performance.

E. Upgrading the link between S2 and S3 to Gigabit Ethernet would improve performance.

F. Changing the bridge priority of S2 to 36864 would improve network performance.

Answer: B,D

Explanation:

An algorithm is a formula or set of steps for solving a particular problem. Algorithms rely on a set of rules. They have a clear beginning and end. The spanning-tree algorithm is no exception.

The spanning-tree algorithm is defined in the IEEE 802.1D standard. The parameters used by the algorithm, including the Bridge ID, are explored here. The remaining parameters, Path Cost and Port ID, will be covered in the following two topics.

The spanning-tree algorithm characterizes STP. The spanning-tree algorithm relies on a set of parameters to make decisions. The Bridge ID (BID) is the first parameter used by the spanning-tree algorithm. The Bridge ID (BID) is used by STP to determine the center of the bridged network, known as the Root Bridge. The Bridge ID (BID) parameter is an 8-byte field consisting of an ordered pair of numbers. The first is a 2-byte decimal number called the Bridge Priority, and the second is a 6-byte (hexadecimal) MAC address. The Bridge Priority is a decimal number used to measure the preference of a bridge in the spanning-tree algorithm. The possible values range between 0 and 65,535. The default setting is 32,768.

The MAC address in the BID is one of the MAC addresses of the switch. Each switch has a pool of

MAC addresses, one for each instance of STP, used as BIDs for the VLAN spanning-tree

instances (one per VLAN). For example, Catalyst 6000 switches each have a pool of 1024 MAC

addresses assigned to the supervisor module or backplane for this purpose.

QUESTION NO: 107

Exhibit

Assuming that VLAN 1 and VLAN 2 traffic is enabled on the above network, what effect will the

following command have when entered on port 0/2 on switch SWA?

spanning-tree vlan 1 port-priority 16

A. VLAN 1 traffic will be blocked on Switch SWB port 1/1.

B. VLAN 2 traffic will be blocked on Switch SWB port 1/1.

C. VLAN 2 traffic will be blocked on Switch SWA port 0/2.

D. VLAN 1 and 2 traffic will be blocked on Switch SWA port 0/1.

E. VLAN 1 and 2 traffic will be blocked on Switch SWA port 0/2.

Answer: A

Explanation:

Load Sharing Using STP Port Priorities

When two ports on the same switch form a loop, the STP port priority setting determines which

port is enabled and which port is in a blocking state. The priorities on a parallel trunk port can be

set so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority

(lower values) for a VLAN is forwarding traffic for that VLAN. The trunk port with the lower priority

(higher values) for the same VLAN remains in a Blocking state for that VLAN. One trunk port

sends or receives all traffic for the VLAN.

QUESTION NO: 108 CORRECT TEXT

Refer to the output shown on switch SW1 below:

VLAN 1 bridge priority set to 8192.

VLAN 1 bridge max aging time set to 20.

VLAN 1 bridge hello time set to 2.

VLAN 1 bridge forward delay set to 15.

Switch is now the root switch for active VLAN 1.

What command would you enter to reproduce this output? (Type in answer below)

Answer: set spantree root 1

QUESTION NO: 109 CORRECT TEXT

Refer to the output shown on switch SW1 below:

Warning: Spantree port fast start should only be enabled on ports connected to a single host.

Connecting hubs, concentrators, switches, bridges, etc. to a fast start port can cause temporary

spanning tree loops. Use with caution.

Spantree ports 4/1-24 fast start enabled.

What command could you enter to reproduce this output? (Type in answer below)

Answer: set spantree portfast 4/1-24 enable

QUESTION NO: 110

Given the above diagram and assuming that STP is enabled on all switch devices, which two

statements are true? (Choose two.)

A. DSW11 will be elected the root bridge.

B. DSW12 will be elected the root bridge.

C. ASW13 will be elected the root bridge.

D. P3/1 will be elected the nondesignated port.

E. P2/2 will be elected the nondesignated port.

F. P3/2 will be elected the nondesignated port.

Answer: A,D

Explanation:

The root bridge should be placed as close to the core as possible and should be the most centrally

located. By default, the switch with the lowest bridge ID will become the root bridge, assuming all

other parameters are left as default. This makes DSW11 the root bridge. Also, all ports directly

connected to the root bridge will become designated ports, since they are closest to the root

bridge. In this case, port F3/2 will become the non-designated port.

QUESTION NO: 111

If the root bridge fails, configuration BPDUs will no longer be sent. Which STP timer will have to

expire before the other switches can actively restore connectivity with topology change procedure

of STP?

A. hello timer

B. BPDU timer

C. Forward_delay timer

D. Max_age timer

E. Dead timer

F. Wait timer

Answer: D

Explanation:

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge

Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a

predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This

bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a

valid network topology.

Max age takes into account that the switch at the periphery of the network should not time out the root information under stable conditions (that is, if the root is still alive). Max age therefore needs to take into account the total BPDU propagation delay and the message age overestimate. As such, the formula for max age is as follows:

Max_age = End-to-end_BPDU_propa_delay + Message_age_overestimate
= 14 + 6
= 20 sec

This explains how IEEE reaches the default recommended value for max age.

Reference: http://www.zyxel.com/support/supportnote/ves1012/app/stp.htm

QUESTION NO: 112

Exhibit

SW1#show spanning-tree vlan 200

VLAN200
  Spanning tree enabled protocol ieee
  Root ID    Priority 32968
             Address 000c.ce29.ef00
             Cost 19
             Port 2 (FastEthernet0/2)
             Hello time 10 Sec Max Age 20 sec Forward Delay 30 sec

  Bridge ID  Priority 32968 (priority 32768 sys-id-ext 200)
             Address 000c.ce2a.4180
             Hello Time 2 sec Max Age 20 Sec Forward Delay 15 sec

Interface  Role  Sts  Cost  PrioNbr  Type
---------------------------------------------------------------------------------------
Fa0/2      Root  FWD  19    128.2    P2p
Fa0/3      Altn  BLK  19    128.3    P2p

Based on the show spanning-tree vlan 200 output shown in the exhibit, which two statements

about the STP process for VLAN 200 are true? (Choose two)

A. BPDUs will be sent out every two seconds.

B. The time spent in the listening state will be 30 seconds

C. The time spent in the learning state will be 15 seconds

D. The maximum length of time that the BPDU information will be saved is 30 seconds.

E. This switch is the root bridge for VLAN 200.

F. BPDUs will be sent out every 10 seconds.

Answer: B,F

Explanation:

Changing the Spanning Tree Protocol Timers

The STP timers (hello, forward delay, and max age) are included in each BPDU. An IEEE bridge is not concerned about its local configuration of the timer values. It uses the timer values contained in the BPDUs that it receives. Effectively, that means only the timers configured on the root bridge of the STP are important. If the root is lost, the new root starts to impose its local timer values on the entire network. So, even if it is not required to configure the same timer values in the entire network, it is at least mandatory to configure any timer changes on the root bridge and on the backup root bridge.

QUESTION NO: 113

What should you do to reduce spanning-tree protocol BPDU traffic during extended periods of

instability in your VLANs?

A. Combine all the VLAN spanning trees into a single spanning tree.

B. Set forward delay and max-age timers to the maximum possible values.

C. None of the choices.

D. Change the router VTP server mode.

E. Disable the root bridge

Answer: B

Explanation:

There are several STP timers, as listed below:

* hello: the hello time is the time between each Bridge Protocol Data Unit (BPDU) that is sent on a port. This is equal to two seconds by default, but can be tuned to be between one and ten seconds.

* forward delay: the forward delay is the time spent in the listening and learning state. This is by default equal to 15 seconds, but can be tuned to be between four and 30 seconds.

* max age: the max age timer controls the maximum length of time a bridge port saves its configuration BPDU information. This is 20 seconds by default and can be tuned to be between six and 40 seconds.

The STP timers (hello, forward delay, and max age) are included in each BPDU. An IEEE bridge is not concerned about its local configuration of the timer values. It uses the timer values contained in the BPDUs that it receives. Effectively, that means only the timers configured on the root bridge of the STP are important. If the root is lost, the new root starts to impose its local timer values on the entire network. So, even if it is not required to configure the same timer values in the entire network, it is at least mandatory to configure any timer changes on the root bridge and on the backup root bridge.

In order to reduce the number of BPDUs in the spanning tree topology, the forward delay and max-age timers should be increased. This will reduce the BPDU traffic, but it will also increase the convergence time during a topology change.

QUESTION NO: 114

The network is displayed in the diagram below:

You use the following information for switch SWA:

Port   Mode       Encapsulation  Status    Native VLAN
fa0/1  desirable  n-802.1q       trunking  5

Port   VLANs is allowed on trunk
fa0/1  1-100, 102-1005

Port   VLANs is owned and active in management domain
fa0/1  1-6, 8-100, 102-115, 197-999, 1002-1005

Port   VLANs in spanning tree forwarding state and not pruned
fa0/1  1-6, 8-100, 102-105, 108-999, 1002-1005

SW users in VLAN 107 complain that they are unable to gain access to the resources through the

SW1 router.

What is the cause of this problem?

A. VLAN 107 is not configured on the trunk.

B. VLAN 107 does not exist on switch SWA.

C. VTP is pruning VLAN 107.

D. Spanning tree is not enabled on VLAN 107.

E. None of the other alternatives apply

Answer: C

Explanation:

In this example, VLAN 7, 101, 106, and 107 are being pruned. VLAN 107 is being pruned

incorrectly in this case. By disabling VTP pruning, VLAN 107 should be able to once again gain

access to the network resources.

Incorrect Answers:

A: Based on the output shown above, VLAN 107 is known and active within the management

domain. Therefore, it must have been configured and the VLAN is indeed allowed to traverse the

trunk. Only VLAN 101 has been configured to not pass along this trunk.

B: Based on the output shown above, VLAN 107 is known and active within the management

domain. Therefore, it must have been configured and the VLAN is indeed allowed to traverse the

trunk. Only VLAN 101 has been configured to not pass along this trunk.

D: By default, STP is enabled on all VLANs.

QUESTION NO: 115

Which of the following commands would you enter if you wanted to display spanning tree

statistical information?

A. show spantree backbonefast

B. show spantree statistics

C. show spantree uplinkfast

D. show spantree blockedports

E. show spantree portstate

F. show spantree portvlancost

Answer: B

Explanation:

The command 'show spantree statistics' is the correct IOS command to show spanning tree

statistical information and is obviously the correct answer choice.

The following list shows various commands to use for troubleshooting Catalyst switches:

show spantree vlan_id - Shows the current state of the spanning tree for the "vlan_id" entered

from the perspective of the switch on which it is entered.

show spantree summary - Provides a summary of connected spanning tree ports by VLAN.

show spantree statistics - Shows spanning tree statistical information.

show spantree backbonefast - Displays whether the spanning tree Backbone Fast Convergence

feature is enabled.

show spantree blockedports - Displays only the blocked ports.

show spantree portstate - Determines the current spanning tree state of a Token Ring port within a

spanning tree.

show spantree portvlancost - Shows the path cost for the VLANs on a port.

show spantree uplinkfast - Shows the uplinkfast settings.

Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/command/reference/sh_sp_te.html

QUESTION NO: 116

Is the following statement True or False?

The "show spanning-tree" command only shows information about ports with their red or amber

lights on.

A. True

B. There is not enough information to determine

C. False

Answer: C

Explanation:

The show spanning-tree command only displays information for ports with an active link (green

light is on). If these conditions are not met, you can issue a show running-configuration command

to confirm the configuration.

Section 12: Troubleshoot Access Ports for the VLAN based solution (6 Questions)

QUESTION NO: 117

Refer to the show interface Gi0/1 switchport command output shown in the exhibit. Which two

statements are true about this interface? (Choose two.)

A. This interface is a member of a voice VLAN.

B. This interface is a dot1q trunk passing all configured VLANs.

C. This interface is a member of VLAN7.

D. This interface is configured for access mode.

E. This interface is a member of VLAN1.

Answer: C,D

Explanation:

In the exhibit, the operational mode is static access and the access mode VLAN is 7, so this port is operating in access mode as a member of VLAN 7.

QUESTION NO: 118

Refer to the exhibit. Based upon the output of show vlan on switch CAT2, what can we conclude

about interfaces Fa0/13 and Fa0/14?

A. that interfaces Fa0/13 and Fa0/14 are in VLAN 1

B. that interfaces Fa0/13 and Fa0/14 are down

C. that interfaces Fa0/13 and Fa0/14 are trunk interfaces

D. that interfaces Fa0/13 and Fa0/14 have a domain mismatch with another switch

E. that interfaces Fa0/13 and Fa0/14 have a duplex mismatch with another switch

Answer: C

Explanation:

trunk - This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.

show vlan: This command shows each VLAN and the ports belonging to it, which means those ports are in access mode. It doesn't show ports in trunk mode.

QUESTION NO: 119

Refer to the exhibit. On the basis of the output generated by the show commands, which two

statements are true? (Choose two.)

A. All interfaces on the switch have been configured as access ports.

B. Because it has not been assigned to any VLAN, interface gigabitethernet 0/1 does not appear

in the show vlan output.

C. Because it is configured as a trunk interface, interface gigabitethernet 0/1 does not appear in

the show vlan output.

D. There are no native VLANs configured on the trunk.

E. VLAN 1 will not be encapsulated with an 802.1q header.

F. VLAN 2 will not be encapsulated with an 802.1q header.

Answer: C,E

Explanation:

The IEEE 802.1Q protocol can also carry VLAN associations over trunk links. However, this frame

identification method is standardized, allowing VLAN trunks to exist and operate between

equipment from multiple vendors.

In particular, the IEEE 802.1Q standard defines an architecture for VLAN use, services provided

with VLANs, and protocols and algorithms used to provide VLAN services.

Like Cisco ISL, IEEE 802.1Q can be used for VLAN identification with Ethernet trunks. Instead of encapsulating each frame with a VLAN ID header and trailer, 802.1Q embeds its tagging information within the Layer 2 frame. This method is referred to as single-tagging or internal tagging.

802.1Q also introduces the concept of a native VLAN on a trunk. Frames belonging to this VLAN

are not encapsulated with any tagging information. In the event that an end station is connected to

an 802.1Q trunk link, the end station can receive and understand only the native VLAN frames.

This provides a simple way to offer full trunk encapsulation to the devices that can understand it,

while giving normal access stations some inherent connectivity over the trunk.

show vlan: This command shows each VLAN and the ports belonging to it, which means those ports are in access mode. It doesn't show ports in trunk mode.

QUESTION NO: 120

The administrator has issued the "show vlan id 5" command. What will this command display?

(Select two)

A. Ports in VLAN 5

B. Utilization

C. VLAN information on port 0/5

D. Filters

E. MTU and type

Answer: A,E

Explanation:

#show vlan id 5 : Shows all ports belonging to VLAN 5 and MTU of ports and type.

QUESTION NO: 121

You work as a network Technician. A new workstation has consistently been unable to obtain an

IP address from the DHCP server when the workstation boots. Older workstations function

normally, and the new workstation obtains an address when manually forced to renew its address.

What should be configured on the switch to allow the workstation to obtain an IP address at boot?

A. UplinkFast on the switch port connected to the server

B. BackboneFast on the switch port connected to the server

C. PortFast on the switch port connected to the workstation

D. trunking on the switch

Answer: C

Explanation:

Spanning tree PortFast is a Catalyst feature that causes a switch or trunk port to enter the

spanning tree Forwarding state immediately, bypassing the Listening and Learning states. IOS-

based switches only use PortFast on access ports connected to end stations.

When a device is connected to a port, the port normally enters the spanning tree Listening state.

When the Forward Delay timer expires, the port enters the Learning state. When the Forward

Delay timer expires a second time, the port is transitioned to the Forwarding or Blocking state.

When PortFast is enabled on a switch or trunk port, the port is immediately transitioned to the

Forwarding state. As soon as the switch detects the link, the port is transitioned to the Forwarding

state (less than 2 seconds after the cable is plugged in).

QUESTION NO: 122

Refer to the exhibit. The user who is connected to interface FastEthernet 0/1 is on VLAN 10 and

cannot access network resources. On the basis of the information in the exhibit, which command

sequence would correct the problem?

A. SW1(config)# interface fastethernet 0/1

SW1(config-if)# no shut

B. SW1(config)# interface fastethernet 0/1

SW1(config-if)# switchport mode access

SW1(config-if)# switchport access vlan 10

C. SW1(config)# vlan 10

SW1(config-vlan)# state active

D. SW1(config)# interface fastethernet 0/1

SW1(config-if)# switchport mode access

E. SW1(config)# vlan 10

SW1(config-vlan)# no shut

Answer: A

Explanation:

In the exhibit, the operational mode is down, which means the interface is in the down state. Bring it up using the no shutdown command.

Section 13: Troubleshoot private VLANS (1 Question)

QUESTION NO: 123

Switch SW1 has been configured with Private VLANs. With what type of PVLAN port should the default gateway be configured?

A. Trunk

B. Isolated

C. Primary

D. Community

E. Promiscuous

F. None of the other alternatives apply

Answer: E

Explanation:

Promiscuous: The switch port connects to a router, firewall, or other common gateway device.

This port can communicate with anything else connected to the primary or any secondary VLAN.

In other words, the port is in promiscuous mode, in which the rules of private VLANs are ignored.

Section 14: Troubleshoot port security (4 Questions)

QUESTION NO: 124

A PC host is connected to a switch in the network shown below:

Configuration exhibit:

Study the exhibits carefully. The "show port-security interface fa0/1" command was issued on

switch SW1. Given the output that was generated, which security statement is true?

A. When the number of secure IP addresses reaches 10, the interface will immediately shut down.

B. Interface FastEthernet 0/1 was configured with the switchport port-security aging command.

C. Interface FastEthernet 0/1 was configured with the switchport port-security violation restrict

command.

D. When the number of secure MAC addresses reaches 10, the interface will immediately shut

down and an SNMP trap notification will be sent.

E. Interface FastEthernet 0/1 was configured with the switchport port-security protect command.

F. None of the other alternatives apply.

Answer: D,E

Explanation:

Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a

specific set or number of MAC addresses. Those addresses can be learned dynamically or

configured statically. The port will then provide access to frames from only those addresses. If,

however, the number of addresses is limited to four but no specific MAC addresses are

configured, the port will allow any four MAC addresses to be learned dynamically, and port access

will be limited to those four dynamically learned addresses.

Port Security Implementation:

When switch port security rules are violated, different actions can be applied:

1. Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.

2. Restrict: Frames from the nonallowed address are dropped, a log message is created, and a

Simple Network Management Protocol (SNMP) trap is sent.

3. Shutdown: If any frames are seen from a nonallowed address, the interface is errdisabled, a log

entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be used

to make the interface usable.

The port will not be shut down, because it is in protect mode, not shutdown.

QUESTION NO: 125

The following show command was issued on switch SW1:

Based on the output shown, what will happen when one additional user is connected to interface

FastEthernet 5/1?

A. The interface will be placed into the error-disabled state immediately, and an SNMP trap

notification will be sent.

B. The packets with the new source addresses will be dropped until a sufficient number of secure

MAC addresses are removed from the secure address list.

C. All secure addresses will age out and be removed from the secure address list. This will cause

the security violation counter to increment.

D. The first address learned on the port will be removed from the secure address list and be

replaced with the new address.

E. None of the other alternatives apply

Answer: A

Explanation:

Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a

specific set or number of MAC addresses. Those addresses can be learned dynamically or

configured statically. The port will then provide access to frames from only those addresses. If,

however, the number of addresses is limited to four but no specific MAC addresses are

configured, the port will allow any four MAC addresses to be learned dynamically, and port access

will be limited to those four dynamically learned addresses.

Port Security Implementation:

When switch port security rules are violated, different actions can be applied:

1. Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.

2. Restrict: Frames from the nonallowed address are dropped, a log message is created, and a

Simple Network Management Protocol (SNMP) trap is sent.

3. Shutdown: If any frames are seen from a nonallowed address, the interface is errdisabled, a

log entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be

used to make the interface usable.
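The three violation actions listed in the explanations for Questions 124 and 125, replayed over the same frame sequence so the difference in forwarding and in the evidence left behind can be compared. This is an added Python model, not part of the original practice test; SecurePort, replay and the sample MAC addresses are constructed for illustration, and clearing dynamically learned addresses on recovery is an assumption.

```python
from dataclasses import dataclass, field

MODES = ("protect", "restrict", "shutdown")

# Constructed sample source MACs; HOST_C is the one device too many.
HOST_A, HOST_B, HOST_C = "0000.5e00.5301", "0000.5e00.5302", "0000.5e00.5303"
FRAMES = [HOST_A, HOST_B, HOST_C, HOST_A, HOST_C]


@dataclass
class SecurePort:
    name: str
    maximum: int                                  # allowed number of secure MACs
    violation: str = "shutdown"
    static: set = field(default_factory=set)      # statically configured MACs
    learned: set = field(default_factory=set)     # dynamically learned MACs
    errdisabled: bool = False
    log: list = field(default_factory=list)       # stands in for the switch log
    traps: list = field(default_factory=list)     # stands in for SNMP traps

    def __post_init__(self):
        if self.violation not in MODES:
            raise ValueError(f"unknown violation mode: {self.violation}")

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded."""
        if self.errdisabled:
            return False                          # port is unusable for everyone
        if src_mac in self.static or src_mac in self.learned:
            return True
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.add(src_mac)             # room left: learn dynamically
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "protect":
            return False                          # dropped, no record of it
        event = f"{self.name}: security violation by {src_mac}"
        self.log.append(event)                    # restrict and shutdown both log
        self.traps.append(event)                  # and both send a trap
        if self.violation == "shutdown":
            self.errdisabled = True
        return False

    def recover(self):
        """Manual intervention or errdisable recovery makes the port usable."""
        self.errdisabled = False
        # Assumption: dynamic entries are lost while the port is down.
        self.learned.clear()


def replay(mode, frames=FRAMES, maximum=2):
    """Feed the same frames to a fresh port and summarise what happened."""
    port = SecurePort("Fa0/1", maximum, mode)
    forwarded = [mac for mac in frames if port.receive(mac)]
    return {
        "forwarded": forwarded,
        "log": len(port.log),
        "traps": len(port.traps),
        "errdisabled": port.errdisabled,
    }


if __name__ == "__main__":
    for mode in MODES:
        print(mode, replay(mode))
```

Protect and restrict forward exactly the same frames; only restrict and shutdown leave a log entry and a trap for the operations team to act on.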

Section 15: Troubleshoot general switch security (3 Questions)

QUESTION NO: 126

Exhibit:

You issue the "show ip dhcp snooping" command on SW3 as shown in the exhibit. What type of

attack is being defended against?

A. Snooping attack

B. Rogue device attack

C. STP attack

D. VLAN attack

E. Spoofing attack

F. MAC flooding attack

G. None of the other alternatives apply

Answer: E

Explanation:

When DHCP snooping is configured, you can display its status with the following command:

Switch#show ip dhcp snooping [binding]

You can use the binding keyword to display all the known DHCP bindings that have been

overheard. The switch maintains these in its own database.

A switch can use the DHCP snooping bindings to prevent IP and MAC address spoofing attacks.

MAC spoofing attacks consist of malicious clients generating traffic by using MAC addresses that

do not belong to them. IP spoofing attacks are exactly like MAC spoofing attacks, except that the

client uses an IP address that isn't his.

Reference: LAN Switch Security: What Hackers Know About Your Switches, by Eric Vyncke -

CCIE No. 2659; Christopher Paggen - CCIE No. 2659, Cisco Press, Chapter 5.

QUESTION NO: 127

The following "show" command was issued on SW1:

Study the exhibit carefully. What will happen to traffic within VLAN 14 with a source address of

172.16.10.5?

A. The traffic will be dropped.

B. The traffic will be forwarded to the router processor for further processing.

C. The traffic will be forwarded without further processing.

D. The traffic will be forwarded to the TCAM for further processing.

E. None of the other alternatives apply

Answer: A

Explanation:

VLAN maps, also known as VLAN ACLs or VACLs, can filter all traffic traversing a switch. VLAN

maps can be configured on the switch to filter all packets that are routed into or out of a VLAN, or

are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router

ACLs, VLAN maps are not defined by direction (input or output).

To create a VLAN map and apply it to one or more VLANs, perform these steps:

1. Create the standard or extended IP ACLs or named MAC extended ACLs to be applied to the VLAN. This access-list will select the traffic that will be either forwarded or dropped by the access-map. Only traffic matching the 'permit' condition in an access-list will be passed to the access-map for further processing.

2. Enter the vlan access-map access-map-name [sequence] global configuration command to create a VLAN ACL map entry. Each access-map can have multiple entries. The order of these entries is determined by the sequence. If no sequence number is entered, access-map entries are added with sequence numbers in increments of 10.

3. In access map configuration mode, optionally enter an action forward or action drop. The default is to forward traffic. Also enter the match command to specify an IP packet or a non-IP packet (with only a known MAC address), and to match the packet against one or more ACLs (standard or extended).

4. Use the vlan filter access-map-name vlan-list vlan-list global configuration command to apply a VLAN map to one or more VLANs. A single access-map can be used on multiple VLANs.
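How the ACL, the access-map entries and the VLAN filter combine at forwarding time, as an added example in Python (not from the practice test or from Cisco). The map, ACL names and addresses are constructed, and two behaviours the page does not state are assumed from Catalyst VLAN map behaviour: an entry with no match clause matches every packet, and an IP packet that matches no entry of a map containing IP match clauses is dropped.

```python
import ipaddress


def acl_permits(acl, src_ip):
    """Standard IP ACL: first matching line wins, implicit deny at the end.

    acl is a list of (action, address, wildcard) tuples, mirroring lines such
    as 'permit 172.16.10.0 0.0.0.255'.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for action, address, wildcard in acl:
        base = int(ipaddress.IPv4Address(address))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must match
        if (src ^ base) & care == 0:
            return action == "permit"
    return False


def vlan_map_verdict(vlan_maps, acls, vlan_filters, vlan, src_ip):
    """Return 'forward' or 'drop' for an IP packet bridged or routed in vlan."""
    map_name = vlan_filters.get(vlan)
    if map_name is None:
        return "forward"  # no VLAN map is applied to this VLAN
    entries = vlan_maps[map_name]
    for seq in sorted(entries):  # entries are evaluated in sequence order
        entry = entries[seq]
        names = entry.get("match", [])
        # Only an ACL 'permit' hands the packet to this entry. An entry with
        # no match clause is treated as matching everything (assumption).
        if not names or any(acl_permits(acls[n], src_ip) for n in names):
            return entry.get("action", "forward")  # default action is forward
    # Every entry had an IP match clause and none matched (assumption: drop).
    return "drop" if entries else "forward"


# Constructed configuration, equivalent in spirit to:
#   vlan access-map block_net_10 10 / match ip address net_10 / action drop
#   vlan access-map block_net_10 20 / match ip address net_99
#   vlan filter block_net_10 vlan-list 14
ACLS = {
    "net_10": [("permit", "172.16.10.0", "0.0.0.255")],
    "net_99": [
        ("deny", "172.16.99.7", "0.0.0.0"),
        ("permit", "172.16.99.0", "0.0.0.255"),
    ],
}
VLAN_MAPS = {
    "block_net_10": {
        10: {"match": ["net_10"], "action": "drop"},
        20: {"match": ["net_99"]},  # no action configured: forward
    }
}
VLAN_FILTERS = {14: "block_net_10"}


def verdict(vlan, src_ip):
    """Evaluate one packet against the constructed configuration above."""
    return vlan_map_verdict(VLAN_MAPS, ACLS, VLAN_FILTERS, vlan, src_ip)
```

With this constructed map, a host that an ACL line denies (172.16.99.7) is not forwarded by entry 20; it falls through every entry and is dropped, which is a common source of unexpected VACL drops.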

Section 16: Troubleshoot VACL and PACL (3 Questions)

QUESTION NO: 128

What is true about access control on bridged and routed VLAN traffic? (Select three)

A. Router ACLs can be applied to the input and output directions of a VLAN interface.

B. Bridged ACLs can be applied to the input and output directions of a VLAN interface.

C. Only router ACLs can be applied to a VLAN interface.

D. VLAN maps and router ACLs can be used in combination.

E. VLAN maps can be applied to a VLAN interface

Answer: A,B,D

Explanation:

Router ACLs are applied on interfaces as either inbound or outbound.

To filter both bridged and routed traffic, VLAN maps can be used by themselves or in conjunction

with router ACLs.

VLAN ACLs, also called VLAN maps, which filter both bridged and routed packets. VLAN maps

can be used to filter packets exchanged between devices in the same VLAN.

QUESTION NO: 129

Switch SW1 has been configured with Private VLANs. With what type of PVLAN port should the default gateway be configured?

A. Trunk

B. Isolated

C. Primary

D. Community

E. Promiscuous

F. None of the other alternatives apply

Answer: E

Explanation:

Promiscuous: The switch port connects to a router, firewall, or other common gateway device.

This port can communicate with anything else connected to the primary or any secondary VLAN.


In other words, the port is in promiscuous mode, in which the rules of private VLANs are ignored.

QUESTION NO: 130

In the event that two devices need access to a common server, but they cannot communicate with

each other, which security feature should be configured to mitigate attacks between these

devices?

A. private VLANs

B. port security

C. BPDU guard

D. dynamic ARP inspection

E. DHCP snooping

Answer: A

Explanation:

Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN pairs, one for each subdomain. A subdomain is represented by a primary VLAN and a secondary VLAN. All secondary VLANs (private VLANs) share the same primary VLAN.

There are two types of secondary VLANs:

* Isolated VLANs: Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

* Community VLANs: Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.

Section 17: Troubleshoot switch virtual interfaces (SVIs) (1 Question)

QUESTION NO: 131

An SVI has been configured on a device. Which two statements are true about a switched virtual

interface (SVI)? (Select two)

A. An SVI is normally created for the default VLAN (VLAN1) to permit remote switch

administration.

B. Multiple SVIs can be associated with a VLAN.

C. SVI is another name for a routed port.

D. An SVI is created by entering the no switchport command in interface configuration mode.


E. An SVI provides a default gateway for a VLAN.

Answer: A,E

Explanation:

On a multilayer switch, you can also enable Layer 3 functionality for an entire VLAN on the switch. This allows a network address to be assigned to a logical interface, that of the VLAN itself. This is useful when the switch has many ports assigned to a common VLAN, and routing is needed in and out of that VLAN.

The logical Layer 3 interface is known as an SVI. However, when it is configured, it uses the much more intuitive interface name vlan vlan-id, as if the VLAN itself is a physical interface. First, define or identify the VLAN interface, and then assign any Layer 3 functionality to it with the following configuration commands:

Switch(config)# interface vlan vlan-id

Switch(config-if)# ip address ip-address mask [secondary]

The VLAN must be defined and active on the switch before the SVI can be used. Make sure the new VLAN interface is also enabled with the no shutdown interface configuration command.

Section 18: Troubleshoot switch supervisor redundancy (3 Questions)

QUESTION NO: 132

Company has a Catalyst 6500 and you need to configure redundancy between the supervisor

modules. With route processor redundancy (RPR+), the redundant supervisor engine is fully

initialized and configured, which shortens the switchover time if the active supervisor engine fails.

Which three statements are true about RPR+ operations when the redundant supervisor engine takes over from the failed primary supervisor engine? (Choose three)

A. Static IP routes are maintained across a switchover because they are configured from entries in

the configuration file.

B. Information about dynamic routing states, maintained on the active supervisor engine, is

synchronized to the redundant supervisor engine and is transferred during the switchover.

C. Information about dynamic routing states, maintained on the active supervisor engine, is not

synchronized to the redundant supervisor engine and is lost on switchover.

D. The Forwarding Information Base (FIB) tables are cleared on a switchover. As a result, routed

traffic is interrupted until route tables reconverge.

E. Static IP routes are cleared across a switchover and recreated from entries in the configuration

file on the redundant supervisor engine.


F. The Forwarding Information Base (FIB) tables are maintained during the switchover. As a

result, routed traffic continues without any interruption when the failover occurs.

Answer: A,C,D

Explanation:

The following guidelines and restrictions apply to RPR+:

RPR+ redundancy does not support configuration entered in VLAN database mode. Use global

configuration mode with RPR+ redundancy.

Configuration changes made through SNMP are not synchronized to the redundant supervisor engine. Enter a "copy running-config startup-config" command to synchronize the configuration on the redundant supervisor engine.

Supervisor engine redundancy does not provide supervisor engine mirroring or supervisor engine

load balancing. Only one supervisor engine is active. Network services are disrupted until the

redundant supervisor engine takes over and the switch recovers.

With RPR+, both supervisor engines must run the same version of Cisco IOS software. If the

supervisor engines are not running the same version of Cisco IOS software, the redundant

supervisor engine comes online in RPR mode.

The Forwarding Information Base (FIB) tables are cleared on a switchover. As a result, routed

traffic is interrupted until route tables reconverge.

Static IP routes are maintained across a switchover because they are configured from entries in

the configuration file.

Information about dynamic states maintained on the active supervisor engine is not synchronized

to the redundant supervisor engine and is lost on switchover.

Reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/redund.html

QUESTION NO: 133


Which two characteristics apply to Cisco Catalyst 6500 Series Switch supervisor redundancy

using NSF? (Choose two.)

A. independent of SSO

B. NSF combined with SSO enables supervisor engine load balancing

C. supported by RIPv2, OSPF, IS-IS, and EIGRP

D. supports IPv4 and IPv6 multicast

E. prevents route flapping

F. dependent on FIB tables

Answer: E,F

Explanation:

The purpose of NSF is to enable the Layer 3 switch to continue forwarding packets from an NSF-

capable neighboring router when the primary route processor (RP) is failing and the backup RP is

taking over. So it prevents the route flapping and it depends on FIB (Forwarding Information Base)

table.

QUESTION NO: 134

Which statement best describes Cisco supervisor engine redundancy using Stateful Switchover?

A. Switchover ensures that Layer 2 through Layer 4 traffic is not interrupted.

B. Redundancy requires BGP, OSPF, EIGRP, or IS-IS.

C. Redundancy provides fast supervisor switchover for all Cisco Catalyst 6500 series switches.

D. Switchover can be caused by clock synchronization failure between supervisors.

Answer: D

Explanation:

Section 19: Troubleshoot switch support of advanced services (i.e., Wireless, VOIP and Video) (8

Questions)

QUESTION NO: 135

Exhibit:


You work as a network technician. Please study the exhibit carefully. In this wireless network, the

LAP (lightweight access point) attempts to register to a WLC (Wireless LAN Controller). What kind

of message is transmitted?

A. The lightweight access point will send Layer 2 and Layer 3 Lightweight Access Point (LWAPP)

mode discovery request messages at the same time.

B. The lightweight access point will send Layer 3 Lightweight Access Point (LWAPP) mode

discovery request messages only.

C. The lightweight access point will send Layer 2 Lightweight Access Point (LWAPP) mode

discovery request messages. If the attempt fails, the LAP will try Layer 3 LWAPP WLC discovery.

D. The lightweight access point will send Layer 2 Lightweight Access Point (LWAPP) mode

discovery request messages only.

Answer: C

Explanation:

The procedure for a LAP to register with a WLC is:

1. The LAP issues a DHCP request to a DHCP server in order to get an IP address, unless an assignment was made previously with a static IP address.

2. If Layer 2 LWAPP mode is supported on the LAP, the LAP broadcasts an LWAPP discovery message in a Layer 2 LWAPP frame. Any WLC that is connected to the network and that is configured for Layer 2 LWAPP mode responds with a Layer 2 discovery response. If the LAP does not support Layer 2 mode, or if the WLC or the LAP fails to receive an LWAPP discovery response to the Layer 2 LWAPP discovery message broadcast, the LAP proceeds to step 3.

3. If step 1 fails, or if the LAP or the WLC does not support Layer 2 LWAPP mode, the LAP attempts a Layer 3 LWAPP WLC discovery.

4. If step 3 fails, the LAP resets and returns to step 1.

Reference:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml

QUESTION NO: 136

Exhibit:


In this scenario the signal transmitted from the AP is reflected off a wall, resulting in multipath

interference at the client end (ClientA). Which of the following statements is true?

A. The transmitted signal from the AP arrives at the client at slightly different times resulting in

phase shifting.

B. Multipath interference can be solved by using dual antennas.

C. If signal 2 is close to 360 degrees out of phase with signal 1, the result is essentially zero signal

or a dead spot in the WLAN.

D. Multipath interference is less of an issue when using a DSSS technology because multipath is

frequency selective.

E. If signal 1 is in phase with signal 2, the result is essentially zero signal or a dead spot in the

WLAN.

F. None of the other alternatives apply.

Answer: B

Explanation:

In order to understand diversity using dual antennas, you must understand multipath distortion.

When a radio frequency (RF) signal is transmitted towards the receiver, the general behavior of

the RF signal is to grow wider as it is transmitted further. On its way, the RF signal encounters

objects that reflect, refract, diffract or interfere with the signal. When an RF signal is reflected off

an object, multiple wavefronts are created. As a result of these new duplicate wavefronts, there

are multiple wavefronts that reach the receiver.

Diversity is the use of two antennas for each radio, to increase the odds that you receive a better

signal on either of the antennas. The antennas used to provide a diversity solution can be in the

same physical housing or must be two separate but equal antennas in the same location. Diversity

provides relief to a wireless network in a multipath scenario. Diversity antennas are physically

separated from the radio and each other, to ensure that one encounters less multipath

propagation effects than the other. Dual antennas typically ensure that if one antenna is in an RF

null then the other is not, which provides better performance in multipath environments. You can

move the antenna to get it out of the null point and provide a way to receive the signal correctly.

Reference:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008019f646.shtml


QUESTION NO: 137

On the wireless LAN, a client is searching for an access point (AP). What is the correct process order that this client and access point go through in order to create a connection?

A. association request/response, probe request/response, authentication request/response

B. association request/response, authentication request/response, probe request/response

C. probe request/response, authentication request/response, association request/response

D. probe request/response, association request/response, authentication request/response

E. None of the other alternatives apply

Answer: C

Explanation:

From the Cisco FAQ on Cisco Aironet Wireless Security:

What steps does Open Authentication involve for a client to associate with the AP? The client

sends a probe request to the APs. The APs send back probe responses. The client evaluates the

AP responses and selects the best AP. The client sends an authentication request to the AP. The

AP confirms authentication and registers the client. The client then sends an association request

to the AP. The AP confirms the association and registers the client.

Reference:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

QUESTION NO: 138

Network topology exhibit:


In this WLAN segment, what are three requirements for configuring these Aironet access points

(APs) that will allow for all wireless clients to work without service interruption while roaming from

access point to access point? (Select three)

All access points should be configured....

A. ...with a unique IP subnet range.

B. ... with identical SSIDs.

C. ...within the same IP subnet.

D. ...with the same guest mode SSID.

E. ...only with the native VLAN.

F. ...with the native VLAN.

Answer: B,C,E

Explanation:

This question shows an example of layer 2 roaming. A L2 roam occurs when a WLAN client

moves from one access point to another within the same subnet. If the client moves to a new

access point on a different IP subnet, L3 roaming occurs after the L2 roam has completed.

Roaming is always a client station decision. The client station is responsible for detecting,

evaluating, and roaming to an alternative access point. Figure 3 Sequence of Events for L2 Roam

illustrates a L2 roam.

Figure: Sequence of Events for L2 Roam


The arrows in the figure indicate the following events:

1. A client moves from access point A coverage area into access point B coverage area (with both access points in the same subnet). As the client moves out of the range of access point A, a roaming event (for example, maximum retries) is triggered.

2. The client scans all IEEE 802.11 channels for alternative access points. In this case, the client discovers access point B and reauthenticates and reassociates to it. After associating to the new access point B, if it is configured for 802.1X, the client begins IEEE 802.1X authentication.

3. Access point B sends a null media access control (MAC) multicast, on the client's virtual local area network (VLAN), using the source address of the client. This updates the content addressable memory (CAM) tables of the upstream switch and directs further LAN traffic for the client to access point B and not access point A.

4. Using its own source address, access point B sends a MAC multicast, on the native VLAN, telling access point A that access point B now has the client associated to it. Access point A receives this multicast and removes the client MAC address from its association table.

When a roaming event occurs, the client station scans each 802.11 channel. On each channel the client station sends a probe and waits for probe responses or beacons from access points on that channel. The probe responses and beacons received from access points are discarded unless they have matching Service Set Identifier (SSID) and encryption settings.

Reference:

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801c5223.html

QUESTION NO: 139


Which three statements are true about implementing wireless LANs in the network using Cisco

devices? (Select three)

A. Antenna power is a relative value reference to dBi.

B. LWAPP allows encrypted communications between lightweight access points and WLAN

controllers.

C. Characteristics of antennas are directionality, gain, and polarization.

D. Power over Ethernet (PoE) is only available when a WLAN controller is integrated into the

network.

E. The WLAN solution Engine (WLSE) is used to control lightweight access points.

F. One of the advantages of the lightweight WLAN solution is that the devices act independently.

Answer: A,B,C

Explanation:

dBi is a unit measuring the gain of an antenna. The reference level for dBi is the strength of the signal that would be transmitted by a non-directional isotropic antenna, i.e. one that radiates equally in all directions. This antenna exists only as a mathematical concept, used as a known reference to measure antenna gain in dBi. In electronics, the term "gain" is often repeated but misunderstood. Gain implies an increase, e.g. 20 dBi, but without respect to where the increase originated.

LWAPP is a draft Internet Engineering Task Force (IETF) standard, authored by Cisco Systems,

that standardizes the communications protocol between lightweight access points and WLAN

systems such as controllers, switches, and routers. Its goals are to:

* Reduce the amount of processing within access points, freeing up their computing resources to focus exclusively on wireless access instead of filtering and policy enforcement

* Enable centralized traffic handling, authentication, encryption, and policy enforcement for an entire WLAN system

* Provide a generic encapsulation and transport mechanism for multivendor access point interoperability, using either a Layer 2 infrastructure or an IP-routed network

When a Cisco LWAPP-enabled access point boots up, it immediately looks for a wireless LAN

controller within the network. After it finds a wireless LAN controller, the LWAPP-enabled access

point sends out encrypted "neighbor" messages.

An antenna gives the wireless system three fundamental properties: gain, direction and

polarization. Gain is a measure of increase in power. Gain is the amount of increase in energy that

an antenna adds to a radio frequency (RF) signal. Direction is the shape of the transmission

pattern. Polarization is the physical orientation of the element on the antenna that actually emits

the RF energy. An omnidirectional antenna, for example, is usually a vertical polarized antenna.

References:

http://wireless-network.wireless-computer-networking.com/dBi.htm

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807f34d3.shtml


QUESTION NO: 140

An IP phone connects a user to a switch as shown below:

Based on the diagram shown above, which statement is true about the voice traffic coming to the

switch access port that is connected to the IP phone?

A. A PC connected to a switch port via an IP phone is unaware of the presence of the phone.

B. The traffic on the voice VLAN must be tagged with 802.1p encapsulation in order to coexist on

the same LAN segment with a PC.

C. To improve the quality of the voice traffic, no other devices should be attached to the IP phone.

D. The voice VLAN must be configured as a native VLAN on the switch.

E. A PC connected to a switch port via an IP phone must support a trunking encapsulation.

Answer: A

Explanation:

The new voice VLAN is called an auxiliary VLAN in the Catalyst software command-line interface

(CLI). In the traditional switched world, data devices reside in a data VLAN. The new auxiliary

VLAN is used to represent other types of devices collectively. Today those devices are IP phones

(hence the notion of a voice VLAN), but, in the future, other types of non-data devices will also be

part of the auxiliary VLAN. Just as data devices come up and reside in the native VLAN (default

VLAN), IP phones come up and reside in the auxiliary VLAN, if one has been configured on the

switch.

When the IP phone powers up, it communicates with the switch using CDP. The switch then

provides the phone with its configured VLAN ID (voice subnet), also known as the voice VLAN ID

or VVID. Meanwhile, data devices continue to reside in the native VLAN (or default VLAN) of the

switch. A data device VLAN (data subnet) is referred to as a port VLAN ID or PVID.

QUESTION NO: 141

Look at the graphic below. Connectivity between the Cisco IP phone access port and the workstation CK-PC has been established. How is the traffic managed?


A. The IP phone access port will override the priority of the frames received from the CK-PC.

B. The IP phone access port would trust the priority of the frames received from the CK-PC.

C. The switch port Fa0/4 would neglect the priority of the frames received from the CK-PC.

D. The switch port Fa0/4 would trust the priority for the frames received from the CK-PC.

Answer: A

Explanation:

The CK-PC connected to the phone, however, should normally be untrusted and have all inbound

CoS values set to 0. This is mentioned here to show how trust boundaries also exist at any

connected IP Phones.

Example:

interface fastethernet 0/1

switchport voice vlan 200

switchport priority extend cos 0

A switch instructs an attached IP Phone through CDP messages as to how it should extend QoS

trust to its own user data switch port. To configure the trust extension, use the following interface

configuration command:

Switch(config-if)# switchport priority extend {cos value | trust}

Normally, the QoS information from a PC connected to an IP Phone should not be trusted. This is because the PC's applications might try to spoof CoS or Differentiated Services Code Point (DSCP) settings to gain premium network service. In this case, use the cos keyword so that the CoS bits are overwritten to value by the IP Phone as packets are forwarded to the switch. If CoS values from the PC cannot be trusted, they should be overwritten to a value of 0.
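What the overwrite means at the frame level, as an added example in Python (not from the practice test or from Cisco): the CoS value is the 3-bit priority field at the top of the 802.1Q tag, and the model below rewrites only those bits, as the phone would for frames arriving from the PC. Function names and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def read_cos(frame):
    """Return (cos, vlan_id) for an 802.1Q-tagged Ethernet frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, tci & 0x0FFF  # top 3 bits are CoS, low 12 bits are the VLAN ID


def extend_priority(frame, mode, value=0):
    """Model the phone's PC port for 'switchport priority extend {cos value | trust}'.

    mode 'trust' passes the PC's marking through unchanged;
    mode 'cos' overwrites the CoS bits with value (0 to 7).
    """
    if mode == "trust":
        return frame
    if mode != "cos":
        raise ValueError("mode must be 'cos' or 'trust'")
    if not 0 <= value <= 7:
        raise ValueError("CoS value must be between 0 and 7")
    if read_cos(frame) is None:
        return frame  # untagged frame: there are no CoS bits to rewrite
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (value << 13) | (tci & 0x1FFF)  # keep the DEI/CFI bit and VLAN ID
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


# Constructed sample: a PC marks its own frame with CoS 5 in VLAN 10.
# Layout: destination MAC, source MAC, TPID 0x8100, TCI 0xa00a, EtherType, payload.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455" "00aabbccddee" "8100" "a00a" "0800")
    + b"constructed payload"
)


def demo():
    """Return the CoS seen by the switch under each trust-extension setting."""
    return {
        "as sent by PC": read_cos(SAMPLE_FRAME),
        "extend trust": read_cos(extend_priority(SAMPLE_FRAME, "trust")),
        "extend cos 0": read_cos(extend_priority(SAMPLE_FRAME, "cos", 0)),
        "extend cos 3": read_cos(extend_priority(SAMPLE_FRAME, "cos", 3)),
    }
```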


QUESTION NO: 142

You need to configure a new Cisco router to be installed in the VOIP network. Which three

interface commands will configure the switch port to support a connected Cisco phone and to trust

the CoS values received on the port if CDP discovers that a Cisco phone is attached? (Select

three)

A. switchport voice vlan vlan-id

B. mls qos trust device cisco-phone

C. switchport priority extend cos_value

D. mls qos trust cos

E. mls qos trust override cos

Answer: A,B,D

Explanation:

1. To configure the IP Phone uplink, just configure the switch port where it connects. The switch

instructs the phone to follow the mode that is selected. In addition, the switch port does not need

any special trunking configuration commands if a trunk is wanted. If an 802.1Q trunk is needed, a

special-case trunk is negotiated by Dynamic Trunking Protocol (DTP) and CDP. Use the following

interface configuration command to select the voice VLAN mode that will be used:

Switch(config-if)# switchport voice vlan { vlan-id | dot1p | untagged | none}

2. mls qos trust [ cos ] : Configure the port trust state.

By default, the port is not trusted. All traffic is sent through one egress queue. Use the cos

keyword to classify ingress packets with the packet CoS values. The egress queue assigned to

the packet is based on the packet CoS value

3. mls qos trust device cisco-phone : Configure the Cisco IP Phone as a trusted device on the

interface.

Section 20: Troubleshoot a VoIP support solution (7 Questions)

QUESTION NO: 143

Based on the graphic below, which Catalyst switch interface command should be issued in order

for the switch to instruct the phone to override the incoming CoS from the CK-PC before sending

the packet to the switch?


A. switchport priority extend cos 11

B. switchport priority extend cos 2

C. mls qos cos 2

D. mls qos cos 2 override

Answer: B

Explanation:

Overriding the CoS Priority of Incoming Data Frames

You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.

Beginning in privileged EXEC mode, follow these steps to override the CoS priority received from the nonvoice port on the Cisco 7960 IP Phone:

Reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_14_ea1/configuration/guide/swvoip.html

QUESTION NO: 144

Refer to the exhibit. What is the effect when the switchport priority extend cos 3 command is

configured on the switch port interface connected to the IP phone?

A. Effectively, the trust boundary has been moved to the PC attached to the IP phone.

B. The computer is now establishing the CoS value and has effectively become the trust boundary.

C. The IP phone is enabled to override with a CoS value of 3 the existing CoS marking of the PC attached to the IP phone.

D. The switch will no longer tag incoming voice packets and will extend the trust boundary to the distribution layer switch.

E. RTP will be used to negotiate a CoS value based upon bandwidth utilization on the link.


Answer: C

Explanation:

The "switchport priority extend cos <priority>" is used to set the IP phone access port to override

the priority received from the PC or the attached device. The CoS value is a number from 0 to 7.

Seven is the highest priority. The default is 0. In this case, it has been set to mark all traffic with a

class of service value of 3.

Reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_14_ea1/configuration/guide/swvoip.html

QUESTION NO: 145

VOIP is being implemented in the network and you need to assess the need for QoS. Which of the

following network problems would indicate a need to implement QoS features? (Select three)

A. Mis-routed packets

B. Excess jitter

C. Delay of critical traffic

D. Packet loss due to congestion

E. Data link layer broadcast storms

F. FTP connections unsuccessful

Answer: B,C,D

Explanation:

Loss, jitter, and delay are the three reasons for implementing QoS features on modern networks.

Loss is when a packet disappears on a network. Jitter is a timing mismatch between two way

traffic, and delay is when a packet takes too long to get somewhere.

Incorrect Answers:

A: This would indicate a routing problem, or packets being "black-holed." QoS would not help in

this situation.

E: Broadcast storms indicate a problem on a LAN segment, such as a babbling host, too many

hosts, a segment that is too large, a bad application, etc. QoS would not help in this situation.

F: If only FTP sessions were having issues, then the FTP application or FTP server should be

corrected. Normally, FTP sessions are not delay sensitive due to the re-transmission nature of

TCP and do not require QoS.

QUESTION NO: 146

Jitter is causing problems with the VOIP application in the network. What causes network jitter?


A. Variable queue delays

B. Packet drops

C. Transmitting too many small packets

D. Compression

Answer: A

Explanation:

Delay variation or jitter is the difference in the delay times of consecutive packets. A jitter buffer is

often used to smooth out arrival times, but there are instantaneous and total limits on buffering

ability. Any type of buffering used to reduce jitter directly increases total network delay. In general,

traffic requiring low latency also requires a minimum variation in latency.

Note: Jitter in Packet Voice Networks:

Jitter is defined as a variation in the delay of received packets. At the sending side, packets are

sent in a continuous stream with the packets being spaced evenly apart. Due to network

congestion, improper queuing, or configuration errors, this steady stream can become lumpy, or

the delay between each packet can vary instead of remaining constant.

QUESTION NO: 147

According to the information presented in the following exhibit, can you tell me the reason that the

trust state of interface FastEthernet 0/3 displays "not trusted"?


A. The command mls qos needs to be turned on in global configuration mode.

B. DSCP map needs to be configured for VOIP.

C. ToS has not been configured.

D. There is not a Cisco Phone attached to the interface.

Answer: D

Explanation:

CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-

manufactured devices (routers, bridges, access servers, and switches) and allows network

management applications to discover Cisco devices that are neighbors of already known devices.

With CDP, network management applications can learn the device type and the Simple Network

Management Protocol (SNMP) agent address of neighboring devices running lower-layer,

transparent protocols. This feature enables applications to send SNMP queries to neighboring

devices.

CDP runs on all media that support Subnetwork Access Protocol (SNAP). Because CDP runs

over the data-link layer only, two systems that support different network-layer protocols can learn

about each other.

The switch and the IP phone communicate through CDP. Because the interface has no CDP

neighbor, its trust state is also not trusted.

QUESTION NO: 148

You are a network administrator of a large investor relations company that uses a switched

network to carry both data and IP telephony services. Why should you carry voice traffic on a

separate VLAN?

A. IP phones require inline power and must be in separate VLAN to receive inline power.

B. IP telephony applications require prioritization over other traffic as they are more delay

sensitive.

C. IP phones can only receive IP addresses through DHCP if they are in separate VLAN.

D. The CDP frames from the IP phone can only be recognized by the switch if the phone is in an

auxiliary vlan.

Answer: B

Explanation:

Voice conversations don't take up a lot of bandwidth, but the bandwidth they do use is very delicate. If

anything happens with the connection or the integrity of the data transfer in either direction, the

conversation won't seem natural. To ensure the highest degree of integrity, you should put voice

traffic on its own separate VLAN and give that VLAN the highest priority.

QUESTION NO: 149

Which QoS mechanisms can you use on a converged network to improve VoIP quality? (Select

three)

A. The use of a queuing method that will give VoIP traffic strict priority over other traffic.

B. The use of RTP header compression for the VoIP traffic.

C. The proper classification and marking of the traffic as close to the source as possible.

D. The use of 802.1QinQ trunking for VoIP traffic.

E. The use of WRED.

Answer: A,C,E

Explanation:

In order to optimize the quality of VOIP calls, QoS should be implemented to ensure that VOIP

traffic is prioritized over other traffic types.

By providing a strict queue for VOIP traffic, you will ensure that voice calls take precedence over

the other traffic types.

In order to properly provide for QoS across the network, the voice traffic should be marked to give

priority as close to the source as possible. This will ensure that the traffic is prioritized end to end.

Finally, WRED (Weighted Random Early Detection) could be configured to prevent congestion.

WRED can be used to selectively drop less important traffic types, instead of dropping the voice

packets when links become busy.

Incorrect Answers:

B: Compression can be used to lower the bandwidth required to transmit VOIP calls, but it will not

help with improving the voice quality. In general, compression of any kind lowers the quality of

VOIP.

D: The trunking method used will have no bearing on the VOIP quality.

Section 21: Troubleshoot a video support solution (3 Questions)

QUESTION NO: 150

The Company is rolling out Cisco's Architecture for Voice, Video and Integrated Data (AVVID).

Which of the following choices represent the fundamental intelligent network services in Cisco's

AVVID? (Select all that apply.)

A. Quality of Service (QoS)

B. Intelligent platforms

C. Mobility and scalability

D. Security

E. High availability

Answer: A,C,D,E

Explanation:

By creating a robust foundation of basic connectivity and protocol implementation, Cisco AVVID

Network Infrastructure addresses five primary concerns of network deployment: high availability,

quality of service (QoS), security, mobility, and scalability.

Reference:

http://www.cisco.com/en/US/netsol/netwarch/ns19/ns24/networking_solutions_audience_business_benefit09186a008009d678.html

QUESTION NO: 151

Which of the characteristics below is associated with the (QoS) Integrated Services Model?

A. QoS classified at layer 3 using IP precedence or DSCP.

B. Guaranteed rate service.

C. Implemented using FIFO queues.

D. All traffic has an equal chance of being dropped.

Answer: B

Explanation:

Cisco IOS QoS includes the following features that provide controlled load service, which is a kind

of integrated service:

Resource Reservation Protocol (RSVP) can be used by applications to signal their QoS

requirements to the router.

Intelligent queuing mechanisms can be used with RSVP to provide the following kinds of services:

- Guaranteed Rate Service, which allows applications to reserve bandwidth to meet their requirements. For example, a Voice over IP (VoIP) application can reserve 32 Mbps end to end using this kind of service. Cisco IOS QoS uses weighted fair queuing (WFQ) with RSVP to provide this kind of service.

- Controlled Load Service, which allows applications to have low delay and high throughput even during times of congestion. For example, adaptive real-time applications such as playback of a recorded conference can use this kind of service. Cisco IOS QoS uses RSVP with Weighted Random Early Detection (WRED) to provide this kind of service.

Reference:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a008007ff07.html#1000946

QUESTION NO: 152

You work as a network technician. Your boss is interested in the QoS technology in the context of

video traffic. What can be said of application of this technology in this type of network? (Select

three)

A. The access layer is the initial point at which traffic enters the network. Traffic is marked (or

remarked) at Layers 2 and 3 by the access switch as it enters the network, or is "trusted" that it is

entering the network with the appropriate tag.

B. No traffic marking occurs at the core layer. Layer 2/3 QoS tags are trusted from distribution

layer switches and used to prioritize and queue the traffic as it traverses the core.

C. Traffic inbound from the access layer to the distribution layer can be trusted or reset depending

upon the ability of the access layer switches. Priority access into the core is provided based on

Layer 3 QoS tags.

D. IP precedence, DSCP, QoS group, IP address, and ingress interface are Layer 2

characteristics that are set by the access layer as it passes traffic to the distribution layer. The

distribution layer, once it has made a switching decision to the core layer, strips these off.

E. MAC address, Multiprotocol Label Switching (MPLS); the ATM cell loss priority (CLP) bit, the

Frame Relay discard eligible (DE) bit, and ingress interface are established by the voice

submodule (distribution layer) as traffic passes to the core layer.

F. The distribution layer inspects a frame to see if it has exceeded a predefined rate of traffic

within a certain time frame, which is typically a fixed number internal to the switch. If a frame is

determined to be in excess of the predefined rate limit, the CoS value can be marked up in a way

that results in the packet being dropped.

Answer: A,B,C

Explanation:

Three main types of QoS policies are required within the Campus:

1) Classification and Marking

2) Policing and Markdown

3) Queuing

Classification, marking, and policing should be performed as close to the traffic-sources as

possible, specifically at the Campus Access-Edge. Queuing, on the other hand, needs to be

provisioned at all Campus Layers (Access, Distribution, Core) due to oversubscription ratios.

Distribution and edge switches can be configured to trust the COS markings of incoming traffic,

reset the COS value to 0, or reset the COS value to a different value. These switches also perform

the necessary functions to map the layer 2 COS values to a layer 3 TOS or DSCP value when

sending traffic into the cloud.

Section 22: Troubleshoot Layer 3 Security (4 Questions)

QUESTION NO: 153

Refer to the exhibit. Host A and Host B are connected to the Catalyst 3550 switch and have been

assigned to their respective VLANs. The rest of the 3550 configuration is the default configuration.

Host A is able to ping its default gateway, 10.10.10.1, but is unable to ping Host B. Given the

output displayed in the exhibit, which statement is true?

A. HSRP must be configured on SW1.

B. A separate router is required to support interVLAN routing.

C. Interface VLAN 10 must be configured on the SW1 switch.

D. The global config command ip routing must be configured on the SW1 switch.

E. VLANs 10 and 15 must be created in the VLAN database mode.

F. VTP must be configured to support interVLAN routing.

Answer: D

Explanation:

To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been

a router's function. The router must have a physical or logical connection to each VLAN so that it

can forward packets between them. This is known as interVLAN routing.

Multilayer switches can perform both Layer 2 switching and interVLAN routing, as appropriate.

Layer 2 switching occurs between interfaces that are assigned to Layer 2 VLANs or Layer 2

trunks. Layer 3 switching can occur between any type of interface, as long as the interface can

have a Layer 3 address assigned to it.

The Switch(config)# ip routing command enables routing on a Layer 3 switch.

QUESTION NO: 154

Refer to the exhibit. VLAN2, VLAN3, and VLAN10 are configured on the switch D-SW1.

Host computers are on VLAN 2 (10.1.2.0), servers are on VLAN 3 (10.1.3.0), and the

management VLAN is on VLAN10 (10.1.10.0). Hosts are able to ping each other but are unable to

reach the servers. On the basis of the exhibited output, which configuration solution could rectify

the problem?

A. Enable IP routing on the switch D-SW1.

B. Configure a default route that points toward network 200.1.1.0/24.

C. Assign an IP address of 10.1.3.1/24 to VLAN3.

D. Configure default gateways to IP address 10.1.2.1 on each host.

E. Configure default gateways to IP address 10.1.10.1 on each host.

F. Configure default gateways to IP address 200.1.1.2 on each host.

Answer: C

Explanation:

Although a routed port is configured for connectivity with an external router, Inter-VLAN routing

would most likely be achieved through the use of a virtual interface.

Example:

To route between VLANs 10 and 20, which have been configured on the multilayer switch, use the

following configuration:

RouteSwitch(config)# interface vlan 10
RouteSwitch(config-if)# ip address 10.0.10.1 255.255.255.0
RouteSwitch(config)# interface vlan 20
RouteSwitch(config-if)# ip address 10.0.20.1 255.255.255.0

QUESTION NO: 155

The network is displayed in the following network topology exhibit:

Router configuration exhibit:

Based on the network diagram and routing table output in the exhibit, which of these statements is

true?

A. Although interVLAN routing is not enabled, both workstations will have connectivity to each

other.

B. Although interVLAN routing is enabled, the workstations will not have connectivity to each

other.

C. InterVLAN routing has been configured properly, and the workstations have connectivity to

each other.

D. InterVLAN routing will not occur since no routing protocol has been configured.

E. None of the other alternatives apply.

Answer: C

Explanation:

A Layer 2 network can also exist as a VLAN inside one or more switches. VLANs are essentially

isolated from each other so that packets in one VLAN cannot cross into another VLAN.

To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been

a router's function. The router must have a physical or logical connection to each VLAN so that it

can forward packets between them. This is known as interVLAN routing. InterVLAN routing can

be performed by an external router that connects to each of the VLANs on a switch. Separate

physical connections can be used, or the router can access each of the VLANs through a single

trunk link.

The switch port connected to the router should be a trunk link. Set the trunk encapsulation before the trunk mode: a switch that supports both ISL and 802.1Q rejects switchport mode trunk while the encapsulation is still set to negotiate. Configure the switch like this:

Switch(config)# interface fa 0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk

On the router, configure:

Router(config)# interface fa 0/0
Router(config-if)# description VLAN 1
Router(config-if)# ip address 192.168.10.1 255.255.255.0

Router(config)# interface fa 0/0.10
Router(config-subif)# description Management VLAN 10
Router(config-subif)# encapsulation dot1q 10
Router(config-subif)# ip address 192.168.91.1 255.255.255.0

Router(config)# interface fa 0/0.20
Router(config-subif)# description Engineering VLAN 20
Router(config-subif)# encapsulation dot1q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0

QUESTION NO: 156

Study the following graphic carefully. Host1 and Host2, which belong to different VLANs, are in the

same subnet. According to the information displayed, which description is correct when trying to

ping from host to host?

A. A trunk port should be configured on the link between CK-SW1 and CK-SW2 to ping

successfully.

B. The two hosts should be in the same VLAN in order to ping successfully.

C. A Layer 3 device is a must in order for the ping command to be successful.

D. The ping command will be successful without any further configuration changes.

Answer: D

Explanation:

Normally, to transport packets between VLANs, you must use a Layer 3 device. However, in this

case the "switchport mode access" command has been used for these ports so the VLAN

information will be sent along untagged. Devices that are in different VLANs can ping each other

as long as they are in the same subnet when the VLAN information is untagged.

Section 23: Troubleshoot issues related to ACLs used to secure access to Cisco routers (2

Questions)

QUESTION NO: 157

The following "show" command was issued on R1:

Study the exhibit carefully. What will happen to traffic within VLAN 14 with a source address of

172.16.10.5?

A. The traffic will be dropped.

B. The traffic will be forwarded to the router processor for further processing.

C. The traffic will be forwarded without further processing.

D. The traffic will be forwarded to the TCAM for further processing.

E. None of the other alternatives apply

Answer: A

Explanation:

VLAN maps, also known as VLAN ACLs or VACLs, can filter all traffic traversing a switch. VLAN

maps can be configured on the switch to filter all packets that are routed into or out of a VLAN, or

are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router

ACLs, VLAN maps are not defined by direction (input or output).

To create a VLAN map and apply it to one or more VLANs, perform these steps:

1) Create the standard or extended IP ACLs or named MAC extended ACLs to be applied to the VLAN. This access-list will select the traffic that will be either forwarded or dropped by the access-map. Only traffic matching the 'permit' condition in an access-list will be passed to the access-map for further processing.

2) Enter the vlan access-map access-map-name [sequence] global configuration command to create a VLAN ACL map entry. Each access-map can have multiple entries. The order of these entries is determined by the sequence. If no sequence number is entered, access-map entries are added with sequence numbers in increments of 10.

3) In access map configuration mode, optionally enter an action forward or action drop. The default is to forward traffic. Also enter the match command to specify an IP packet or a non-IP packet (with only a known MAC address), and to match the packet against one or more ACLs (standard or extended).

4) Use the vlan filter access-map-name vlan-list vlan-list global configuration command to apply a VLAN map to one or more VLANs. A single access-map can be used on multiple VLANs.
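
The evaluation order these steps set up can be checked against a configuration before it is applied. The following is an added example, not part of the original practice test and not the question's exhibit: it parses a constructed configuration and reports which access-map entry decides the fate of a source address. Two behaviours are assumptions of the model that the text above does not state: an entry with no match clause matches every packet, and a packet that matches no entry is dropped when the map contains at least one IP match clause.

```python
import ipaddress
import re

# Constructed sample configuration (not the exhibit from the question).
CONFIG = """\
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 20 deny 10.1.10.99
access-list 20 permit 10.1.10.0 0.0.0.255
vlan access-map SEGMENT 10
 match ip address 10
 action drop
vlan access-map SEGMENT 20
 match ip address 20
vlan filter SEGMENT vlan-list 14
"""


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse(config):
    """Return (acls, maps, filters) from standard ACLs and VLAN access-maps."""
    acls, maps, filters = {}, {}, {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line)
        if m:
            num, action, addr, wildcard = m.groups()
            if addr == "any":
                addr, wildcard = "0.0.0.0", "255.255.255.255"
            acls.setdefault(num, []).append(
                (action, _to_int(addr), _to_int(wildcard or "0.0.0.0")))
            continue
        m = re.match(r"vlan access-map (\S+)(?: (\d+))?$", line)
        if m:
            entries = maps.setdefault(m.group(1), [])
            # No sequence number entered: entries are added in steps of 10.
            seq = (int(m.group(2)) if m.group(2)
                   else max((e["seq"] for e in entries), default=0) + 10)
            current = {"seq": seq, "acls": [], "action": "forward"}
            entries.append(current)
            continue
        m = re.match(r"match ip address (.+)$", line)
        if m and current is not None:
            current["acls"].extend(m.group(1).split())
            continue
        m = re.match(r"action (forward|drop)$", line)
        if m and current is not None:
            current["action"] = m.group(1)
            continue
        m = re.match(r"vlan filter (\S+) vlan-list (\S+)$", line)
        if m:
            for part in m.group(2).split(","):
                low, _, high = part.partition("-")
                for vlan in range(int(low), int(high or low) + 1):
                    filters[vlan] = m.group(1)
    return acls, maps, filters


def acl_permits(acl, src):
    """Standard ACL: the first matching line decides; implicit deny at the end."""
    ip = _to_int(src)
    for action, addr, wildcard in acl:
        care = ~wildcard & 0xFFFFFFFF
        if (ip & care) == (addr & care):
            return action == "permit"
    return False


def verdict(config, vlan, src):
    """Return (action, deciding entry) for IP traffic from src inside vlan."""
    acls, maps, filters = parse(config)
    name = filters.get(vlan)
    if name is None:
        return ("forward", "no VLAN map on this VLAN")
    has_ip_match = False
    for entry in sorted(maps.get(name, []), key=lambda e: e["seq"]):
        if not entry["acls"]:
            # Assumption: an entry without a match clause matches everything.
            return (entry["action"], f"{name} {entry['seq']}")
        has_ip_match = True
        # Only a 'permit' hit in the ACL hands the packet to this entry.
        if any(acl_permits(acls.get(a, []), src) for a in entry["acls"]):
            return (entry["action"], f"{name} {entry['seq']}")
    # Assumption: unmatched IP traffic is dropped once the map matches on IP.
    return ("drop", "no entry matched") if has_ip_match else ("forward", "no IP match clause")


if __name__ == "__main__":
    for source in ("172.16.10.5", "10.1.10.7", "10.1.10.99"):
        print(source, verdict(CONFIG, 14, source))
```

Note the third address: a deny line in an ACL referenced by the map does not drop the packet by itself, it only stops that entry from matching, and the packet then falls through to the end of the map.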

QUESTION NO: 158

Refer to the exhibit. Based upon the configuration, you need to understand why the policy routing

match counts are not increasing. Which would be the first logical step to take? Select the best

response.

A. Confirm if there are other problematic route-map statements that precede divert.

B. Check the access list for log hits.

C. Check the routing table for 212.50.185.126.

D. Remove any two of the set clauses. (Multiple set clause entries will cause PBR to use the

routing table.)

Answer: B

Explanation:

Section 24: Troubleshoot configuration issues related to accessing the AAA server for

authentication purposes (1 Questions)

QUESTION NO: 159

Exhibit:

You work as a network administrator. You study the exhibit carefully. What is the function of this

configuration?

A. mitigates the risk of rogue devices gaining unauthorized access to the network

B. sets the port state to authorized

C. sets the maximum number of retries to supplicant for EAP-request frames of types other than

EAP-Request/Identity

D. sets the port state to unauthorized

E. configures a guest VLAN on this interface

Answer: A

Explanation:

Cisco switches support port-based authentication in combination with AAA, which is known as

dot1x authentication. When it is enabled, a switch port will not pass any traffic until a user has

authenticated with the switch. If the authentication is successful, the user can use the port

normally.

Section 25: Troubleshoot security issues related to IOS services (i.e., finger, NTP, HTTP, FTP,

RCP etc.) (4 Questions)

QUESTION NO: 160

You want to enhance the security within the LAN and prevent VLAN hopping. What two steps can

be taken to help prevent this? (Select two)

A. Enable BPDU guard

B. Disable CDP on ports where it is not necessary

C. Place unused ports in a common unrouted VLAN

D. Prevent automatic trunk configuration

E. Implement port security

Answer: C,D

Explanation:

To prevent VLAN hopping you should disable unused ports and put them in an unused VLAN, or a

separate unrouted VLAN. By not granting connectivity or by placing a device into a VLAN not in

use, unauthorized access can be thwarted through fundamental physical and logical barriers.

Another method used to prevent VLAN hopping is to prevent automatic trunk configuration.

Hackers use 802.1Q and ISL tagging attacks, which are malicious schemes that allow a user on

a VLAN to get unauthorized access to another VLAN. For example, if a switch port were

configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and

it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start

communicating with other VLANs through that compromised port.

Reference: VLAN Security White Paper, Cisco Systems

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
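
Both mitigations named in this explanation can be checked mechanically against a switch configuration. The following is an added example, not part of the original practice test: it audits a constructed running-config excerpt for ports that can still negotiate a trunk and for unused ports that are not shut down and parked. The parking VLAN 999 and the list of unused ports are hypothetical inputs, and a port with no switchport mode line is assumed to be in a DTP dynamic mode, the default on many Catalyst access switches.

```python
import re

PARKING_VLAN = 999  # hypothetical unused, unrouted VLAN chosen for this example

# Constructed running-config excerpt.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 description user port
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description user port, DTP left at default
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode dynamic auto
!
interface FastEthernet0/4
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface FastEthernet0/5
 description unused
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/1
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
"""

# Constructed inventory of ports with nothing attached.
UNUSED_PORTS = {"FastEthernet0/4", "FastEthernet0/5"}


def parse_interfaces(config):
    """Map each interface name to the list of its configuration lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return interfaces


def audit(config, unused_ports, parking_vlan=PARKING_VLAN):
    """Return (interface, finding) pairs for the two VLAN hopping mitigations."""
    prefix = "switchport mode "
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "no switchport" in lines:
            continue  # routed port: DTP does not apply
        mode = next((ln[len(prefix):] for ln in lines if ln.startswith(prefix)), None)
        if mode is None or mode.startswith("dynamic"):
            # Assumption: no explicit mode means the platform default, DTP dynamic.
            findings.append((name, "trunk can be negotiated: set 'switchport mode access'"))
        elif mode == "trunk" and "switchport nonegotiate" not in lines:
            findings.append((name, "trunk still sends DTP: add 'switchport nonegotiate'"))
        if name in unused_ports:
            if "shutdown" not in lines:
                findings.append((name, "unused port is not shut down"))
            if f"switchport access vlan {parking_vlan}" not in lines:
                findings.append((name, f"unused port is not in parking VLAN {parking_vlan}"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(RUNNING_CONFIG, UNUSED_PORTS):
        print(f"{interface}: {finding}")
```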

QUESTION NO: 161

The network is being flooded with invalid Layer 2 addresses, causing switch CAM tables to be

filled and forcing unicast traffic to be transmitted out all switch ports. Which type of Layer 2 attack

is being used here?

A. MAC spoofing

B. VLAN hopping

C. MAC address flooding

D. DHCP flooding

E. Session hijacking

Answer: C

Explanation:

Port security is especially useful in the face of MAC address flooding attacks. In these attacks, an

attacker tries to fill up a switch's CAM tables by sending a large number of frames to it with source

MAC addresses that the switch is unaware of at that time. The switch learns about these MAC

addresses and puts them in its CAM table, thinking that these MAC addresses actually exist on

the port on which it is receiving them. In reality, this port is under the attacker's control and a

machine connected to this port is being used to send frames with spoofed MAC addresses to the

switch. If the attacker keeps sending these frames in a large-enough quantity, and the switch

continues to learn of them, eventually the switch's CAM table becomes filled with entries for these

bogus MAC addresses mapped to the compromised port.

Under normal operations, when a machine receiving a frame responds to it, the switch learns that

the MAC address associated with that machine sits on the port on which it has received the

response frame. It puts this mapping in its CAM table, allowing it to send any future frames

destined for this MAC address directly to this port rather than flood all the ports on the VLAN.

However, in a situation where the CAM table is filled up, the switch is unable to create this CAM

entry. At this point, when the switch receives a legitimate frame for which it does not know which

port to forward the frame to, the switch floods all the connected ports belonging to the VLAN on

which it has received the frame. The switch continues to flood the frames with destination

addresses that do not have an entry in the CAM tables to all the ports on the VLAN associated

with the port it is receiving the frame on.

Reference: http://book.soundonair.ru/cisco/ch05lev1sec2.html

QUESTION NO: 162

A MAC address flood attack is occurring on the LAN. During this attack, numerous frames are

forwarded to a switch which causes the CAM table to fill to capacity. How does this action benefit

the attacker?

A. All traffic is tagged with a specific VLAN ID from the VLAN of the attacker and is now viewable.

B. Clients will forward packets to the attacking device, which will in turn send them to the desired

destination but not before recording the traffic patterns.

C. All traffic is redirected to the VLAN that the attacker used to flood the CAM table.

D. All traffic is flooded out all ports and an attacker is able to capture all data.

E. None of the other alternatives apply

Answer: D

Explanation:

MAC flooding basically involves bombarding the switch with spoofed ARP requests in the hope of

making the switch "fail open". This, in essence, makes the switch display the characteristics of a

hub, where it sends packets to all ports. A MAC flooding attack looks like traffic from thousands of

computers moving into one port, but it's actually the attacker spoofing the MAC address of

thousands of non-existent hosts. The goal is to flood the switch's CAM (content addressable

memory) table, or port/MAC table with these bogus requests, and once flooded, the switch will

broadcast openly onto a LAN, allowing the attacker to start sniffing. The success of this attack is

almost completely dependent on the model and manufacturer of the switch.

Reference: http://www.governmentsecurity.org/archive/t2605.html
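
The CAM behaviour described in the explanations to questions 161 and 162 can be reproduced with a small in-memory model, which also shows why a per-port MAC limit (port security) contains it. This is an added example, not part of the original practice test: the table size, port numbers and MAC addresses are constructed, entry aging is not modelled, and the limit is modelled on the restrict violation mode (drop and count) rather than the default shutdown mode, which would err-disable the port.

```python
class Switch:
    """Toy learning switch: finite CAM table, optional per-port MAC limit."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.cam = {}                                # source MAC -> port
        self.violations = 0

    def _learn(self, src, port):
        """Try to learn src on port. Returns False if the frame must be dropped."""
        if src in self.cam:
            self.cam[src] = port
            return True
        learned_here = sum(1 for p in self.cam.values() if p == port)
        if self.max_macs_per_port is not None and learned_here >= self.max_macs_per_port:
            self.violations += 1
            return False
        if len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # A full table does not stop forwarding; the source just stays unknown.
        return True

    def receive(self, port, src, dst):
        """Return the list of ports the frame is sent out of."""
        if not self._learn(src, port):
            return []
        if dst in self.cam:
            out = self.cam[dst]
            return [] if out == port else [out]
        # Unknown destination: flood to every other port in the VLAN.
        return [p for p in self.ports if p != port]


def scenario(max_macs_per_port):
    """Host A on port 1, host B on port 2, an untrusted device on port 3."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8,
                max_macs_per_port=max_macs_per_port)
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"  # constructed
    sw.receive(1, host_a, "ff:ff:ff:ff:ff:ff")      # A is learned on port 1
    for i in range(20):                              # port 3: 20 unseen sources
        sw.receive(3, f"02:00:00:00:00:{i:02x}", host_a)
    sw.receive(2, host_b, host_a)                    # B sends its first frame
    a_to_b = sw.receive(1, host_a, host_b)           # where does A's reply go?
    return {
        "cam_entries": len(sw.cam),
        "b_learned": host_b in sw.cam,
        "a_to_b_ports": a_to_b,
        "violations": sw.violations,
    }


if __name__ == "__main__":
    print("port security off:", scenario(None))
    print("limit of 2 MACs per port:", scenario(2))
```

With no limit, host B never gets a CAM entry and A's reply is flooded to port 3 as well. With the limit, B is learned and the reply leaves on port 2 only.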

QUESTION NO: 163

Which of the following characteristics describe the BPDU Guard feature? (Choose all that apply.)

A. A BPDU Guard port should only be configured on ports with PortFast enabled.

B. BPDU Guard and PortFast should not be enabled on the same port.

C. BPDU Guard is used to ensure that superior BPDUs are not received on a switch port.

D. A BPDU Guard port receiving a BPDU will go into err-disable state.

E. A BPDU Guard port receiving a BPDU will be disabled.

F. BPDU Guard can be enabled on any switch port.

Answer: A,E

QUESTION NO: 164

Which of the following are valid modes of accessing the data plane? (Choose all that apply.)

A. Serial connection

B. Secure Shell

C. RADIUS

D. Simple Network Management Protocol

E. HTTP

F. Telnet

Answer: A,B,D,E,F

QUESTION NO: 165

Which of the following is not an essential prerequisite for AutoQoS to be correctly applied to an

interface? (Choose all that apply.)

A. The interface must be configured as a Multilink PPP interface.

B. The correct bandwidth should be configured on the interface.

C. A QoS policy must not be currently attached to the interface.

D. CEF must be enabled.

E. AutoQoS must be enabled globally before it can be enabled on the interface.

F. An IP address must be configured on the interface if its speed is equal to or less than 768 kbps.

Answer: A,E

QUESTION NO: 166

Which of the following topology situations would be a good candidate for configuring DMVPN?

A. Extranet VPN

B. Managed overlay VPN topology

C. Hub-and-spoke VPN topology

D. Central-site VPN topology

E. Full mesh VPN topology

F. Remote-access VPN topology

Answer: E

QUESTION NO: 167

Which of the following is not considered a common approach to narrow the field of potential

problem causes? (Choose the best answer.)

A. Following the traffic path

B. Top-down

C. Comparing configurations

D. Bottom-up

E. Divide and conquer

F. Examine SLAs

Answer: F

QUESTION NO: 168

Which of the following best describes the following command: ip flow-export destination

192.168.1.50 1500?

A. It is not a valid NetFlow command.

B. It is an SNMP command that exports 1500-byte packets to IP address 192.168.1.50.

C. It is a NetFlow command that will export 1500-byte packets to IP address 192.168.1.50.

D. It is a NetFlow command that allows IP address 192.168.1.50 to send traffic to port 1500.

E. It is a NetFlow command that will specify that the NetFlow collector's IP address is

192.168.1.50 over UDP port 1500.

F. It is an SNMP command that exports flows to destination address 192.168.1.50 for packets up

to an MTU of 1500.

Answer: E

QUESTION NO: 169

Which of the following are valid methods of providing a router with information concerning the

location of the RP? (Choose all that apply.)

A. Statically defined RP

B. Bootstrap Router

C. Auto-RP

D. RP Discovery Protocol (RDP)

E. RP Helios

F. RPARP (RARP)

Answer: A,B,C

QUESTION NO: 170

Which of the following are shared distribution tree characteristics? (Choose all that apply.)

A. Memory requirements are higher for shared distribution tree than for source distribution tree.

B. Creates a tree from a central RP to all last-hop routers.

C. Uses a rendezvous point.

D. An optimal path is created between each source router and each last-hop router.

E. Place (S,G) entry in each router's multicast routing table.

F. Place (*,G) entry in a router's multicast routing table.

Answer: C,F

QUESTION NO: 171

Given the multicast IP address of 224.193.5.10, what would the corresponding multicast MAC

address be?

A. 00-00-0c-c0-05-0a

B. 00-00-0c-c1-05-0a

C. 01-00-5e-00-00-0c

D. 01-00-5e-41-05-0a

E. 00-00-0c-01-00-5e

F. 01-00-5e-c1-05-0a

Answer: D

QUESTION NO: 172

Which of the following is an accurate description of the command copy startup-config

ftp://kevin:[email protected]?

A. The configuration on the FTP server is copied to RAM.

B. The command is not valid on a Cisco router.

C. The configuration file in RAM is copied to an FTP server.

D. The configuration file in NVRAM is copied to an FTP server.

E. The configuration on the FTP server is copied to NVRAM.

F. The configuration will be copied from NVRAM to an FTP server with a filename of Kevin.

Answer: D

QUESTION NO: 173

Which of the following commands can be used to gather information about the AS-PATH of a BGP

route? (Choose all that apply.)

A. show ip bgp neighbors

B. debug ip bgp updates

C. show ip route bgp

D. show ip bgp

E. show ip bgp summary

F. sh ip bgp database

Answer: B,D,E

QUESTION NO: 174

How long will a port remain in the listening state by default?

A. Depends on the number of switches in the spanning tree domain

B. 50 seconds

C. 15 seconds

D. Until the root directs it to start forwarding

E. 20 seconds

F. Depends on the port speed

Answer: C

QUESTION NO: 175

A new router is added to an existing HSRP standby group. One of the existing routers is in an

active state, the other is in a standby state. Under what circumstance will the new router become

the active router?

A. The new router will become active immediately because it's the newest router introduced into

the group.

B. The new router can become active only when the existing active router and the existing standby

router become unavailable.

C. The new router has a lower priority value.

D. The new router will never become active unless the existing active router becomes unavailable.

E. The new router has preempt configured and a higher priority

F. The new router has a higher priority value.

Answer: E

QUESTION NO: 176

Which of the following is not a valid reason for a packet to be punted?

A. The TCAM has reached capacity

B. An unknown destination MAC address

C. A packet being discarded due to a security violation

D. A Telnet packet from a session being initiated with the switch

E. Routing protocols sending broadcast traffic

F. A packet belonging to a GRE tunnel

Answer: B,C

QUESTION NO: 177

Which of the following are not true OSPF LSA rules?

A. OSPF LSA type 5 triggers an LSA type 7 at an ABR between an NSSA and the backbone area.

B. OSPF LSA type 1 triggers an LSA type 3 at an ABR.

C. OSPF LSA type 7 triggers an LSA type 5 at an ABR between an NSSA and the backbone area.

D. OSPF LSA type 3 triggers an LSA type 4 at an ABR.

E. OSPF LSA type 5 triggers an LSA type 7 at an ASBR but only in NSSAs.

F. OSPF LSA type 2 triggers an LSA type 3 at an ABR.

Answer: A,D,E

QUESTION NO: 178

Several troubleshooters are about to work on the same problem. Which of the following

troubleshooting methods would be most appropriate to make the best use of the troubleshooters'

time?

A. Bottom up

B. Component swapping

C. Top down

D. Shoot from the hip

E. Divide and conquer

F. Follow the traffic path

Answer: E

QUESTION NO: 179

Which of the following are not EIGRP data structures? (Choose all that apply.)

A. EIGRP database table

B. EIGRP CEF table

C. EIGRP neighbor table

D. EIGRP adjacency table

E. EIGRP interface table

F. EIGRP topology table

Answer: A,B,D

QUESTION NO: 180

Which of the following is a valid host IPv6 address? (Choose all that apply.)

A. ff02:a:b:c::1/64

B. 2001:aaaa: 1234:456c: 1/64

C. 2001:000a:1b2c::/64

D. 2fff:f:f:f::f/64

E. ff02:33ab:1:32::2/128

F. 2001:bad:2345:a:b::cef/128

Answer: B,D,F

QUESTION NO: 181

You examine the port statistics on a Cisco Catalyst switch and notice an excessive number of

frames are being dropped. Which of the following are possible reasons for the drops?

A. Unknown destination MAC address

B. Bad cabling

C. MAC forwarding table is full

D. Port configured for half duplex

E. Port configured for full duplex

F. Network congestion

Answer: B,F

QUESTION NO: 182

Which of the following would be considered reasonable network maintenance tasks? (Choose all

that apply.)

A. Ensuring compliance with legal regulations and corporate policies

B. Troubleshooting problem reports

C. Planning for network expansion

D. Providing support to sales and marketing

E. Giving presentations to management

F. Monitoring and tuning network performance

Answer: A,B,C,F

QUESTION NO: 183

Which of the following options represents the correct sequence of DHCP messages after a client

initially boots?

A. DHCPREQUEST, DHCPOFFER, DHCPDISCOVER, DHCPACK

B. DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK

C. DHCPOFFER, DHCPACK, DHCPREQUEST, DHCPDISCOVER

D. DHCPDISCOVER, DHCPREQUEST, DHCPOFFER, DHCPACK

E. DHCPREQUEST, DHCPDISCOVER, DHCPOFFER, DHCPACK

F. DHCPDISCOVER, DHCPACK, DHCPREQUEST, DHCPOFFER

Answer: B

QUESTION NO: 184

Which of the following statements regarding documentation would not be considered a helpful step

in the troubleshooting process?

A. Use the Cisco Auto Configuration tool.

B. Use the Cisco Rollback feature.

C. Automate documentation.

D. Schedule documentation checks.

E. Use the Cisco Configuration Archive tool.

F. Require documentation prior to a ticket being closed out.

Answer: A

QUESTION NO: 185

Which of the following statements are true concerning the command ip sla monitor responder type

tcpconnect ipaddress 10.1.1.1 port 23? (Choose all that apply.)

A. The command will initiate a probe with a destination IP address of 10.1.1.1.

B. The command is used on the IP SLA responder and the IP SLA source.

C. The command will allow only source address 10.1.1.1 to source probes.

D. The command will initiate a probe with a destination Telnet port.

E. The command is used to make the router a responder.

F. The command will initiate a probe with a source port of 23.

Answer: A,D

QUESTION NO: 186

In what situation would the command ip helper-address be required? (Choose the best answer.)

A. Only when there is a duplicate IP address caused by a combination of static and dynamic IP

address allocations

B. On each router that exists between the client and the server

C. Only when a router separates the client from the server

D. Only if the DHCP server issues a DHCPNAK to the initial request

E. Only when the client is on the same subnet as the server

F. Only when the DHCP pool is out of IP addresses

Answer: C

QUESTION NO: 187

Which of the following commands will restore a previously archived configuration by replacing the

running configuration with the archived configuration?

A. configure archive running-config

B. configure replace

C. copy archive running config

D. copy startup-config running-config

E. copy tftp running-config

F. configure tftp running-config

Answer: B

QUESTION NO: 188

Which of the following is not a characteristic of fast switching?

A. Fast switching reduces a router's CPU utilization, compared to process switching.

B. All packets of a flow, except for the first packet, use the information in the fast cache.

C. It can be enabled with the interface command ip route-cache.

D. Fast switching uses a fast cache maintained in a router's control plane.

E. The fast cache contains information about how traffic from different data flows should be

forwarded.

F. Even though the fast switching is enabled, the first packet of a flow is still process switched.

Answer: D

QUESTION NO: 189

Which of the following commands will display a router's crypto map IPsec security association

settings?

A. show crypto map ipsec sa

B. show crypto map

C. show crypto engine connections active

D. show ipsec crypto map

E. show crypto map sa

F. show ipsec crypto map sa

Answer: A

QUESTION NO: 190

Which of the following pieces of information will the command show interface provide? (Choose all

that apply.)

A. Layer 1 status

B. Output queue drops

C. Interface CPU utilization

D. Cable type connected to interface

E. Layer 2 status

F. Input queue drops

Answer: A,B,E,F

QUESTION NO: 191

Which of the following statements concerning IGMP are correct? (Choose all that apply.)

A. With IGMPv1, queries are sent to a specific group.

B. Hosts issuing IGMPv1 requests will be correctly interpreted by IGMPv2 hosts due to backward

compatibility.

C. An IGMPv2 router will ignore IGMPv2 leave messages when IGMPv1 hosts are present.

D. With IGMPv2, a leave message is supported.

E. An IGMPv2 host will send an IGMPv1 report on an IGMPv1 router.

F. An IGMPv2 router can only allow IGMPv2 hosts to execute a join request.

Answer: C,D,E

QUESTION NO: 192

Which of the following are byproducts of a structured maintenance plan? (Choose all that apply.)

A. Predictable security vulnerabilities

B. Economies of scale

C. Improved expenditure forecasts

D. Increased downtime

E. Predictable equipment obsolescence

F. Consumption of fewer resources

Answer: A,B,C,E,F

QUESTION NO: 193

Which of the following are correct statements?

A. EIGRP advertises the best routes to its neighbor.

B. EIGRP uses "cost" to determine best path.

C. EIGRP allows unequal cost load balancing.

D. OSPF requires neighbor adjacencies before updates are sent.

E. EIGRP advertises all routes to its neighbor.

F. OSPF allows unequal cost load balancing.

Answer: A,C,D

QUESTION NO: 194

Which of the following commands will remove all dynamic entries for a router's NAT table?

A. clear nat translations

B. clear ip nat translations*

C. clear ip nat statistics

D. clear ip nat transactions *

E. clear ip nat translations

F. clear ip nat translations all

Answer: B

QUESTION NO: 195

Which of the following are TACACS+ characteristics? (Choose all that apply.)

A. Cisco proprietary

B. Standards-based protocol

C. Provides separate services for authentication, authorization, and accounting

D. Encrypts only the password

E. Uses UDP for a transport layer

F. Encrypts the entire packet

Answer: A,C,F

QUESTION NO: 196

Which of the following are common issues that should be considered when establishing or

troubleshooting site-to-site VPNs? (Choose all that apply.)

A. User authentication

B. Overlapping IP address space

C. GRE or IPsec configuration

D. MTU size

E. VPN client software

F. Authentication server configured ly

Answer: B,C,D

QUESTION NO: 197

Which of the following would provide good baseline documentation to have on hand when

analyzing potential problems? (Choose all that apply.)

A. User authentication ID and password

B. User profile

C. Output of debug

D. Output of show interface

E. Result of ping

F. Output of show process cpu

Answer: C,D,E,F

QUESTION NO: 198

Which of the following characteristics describe the Root Guard feature? (Choose all that apply.)

A. The port must be put into forwarding state manually after root-inconsistent state has been

corrected.

B. A Root Guard port receiving superior BPDU goes into a root-inconsistent state.

C. A Root Guard port receiving inferior BPDU goes into a root-inconsistent state.

D. While the port is in a root-inconsistent state no user data is sent across that port.

E. The port returns to a forwarding state if inferior BPDUs stop.

F. It should be applied to all switch ports.

Answer: B,D

QUESTION NO: 199

Which of the following commands provides data plane information required to forward a packet to

a specific ip address?

A. sh ip route

B. sh ip cef <ip_address>

C. sh adjacency <ip_address>

D. sh ip route <ip_address>

E. sh ip adjacency <ip_address>

F. sh ip cef <mac_address> <ip_address>

Answer: B

QUESTION NO: 200

Which of the following management types can be used to deploy appropriate quality-of-service

solutions to make the most efficient use of bandwidth?

A. Fault management

B. Accounting management

C. Operations management

D. Performance management

E. Security management

F. Configuration management

Answer: D

QUESTION NO: 201

Which of the following are valid modes of packet switching on most routers? (Choose all that

apply.)

A. Cisco Express Forwarding

B. FIB switching

C. Cache switching

D. Optimized switching

E. Process switching

F. Fast switching

Answer: A,E,F

QUESTION NO: 202

Which of the following is an unlikely reason for the ARP process to fail?

A. CEF switching is disabled on the switch

B. The source device and destination device are in different VLANs

C. The VLAN is excluded from the trunk

D. The host is connected to the switch through an IP phone

E. A faulty cable from host to switch or between switches

F. The trunking encapsulation type is inconsistent on the two ends of the link

Answer: A,D

QUESTION NO: 203

Which of the following is not a characteristic of Cisco Express Forwarding?

A. The adjacency table is populated from a router's ARP cache.

B. CEF does not require the first packet of a data flow to be process switched.

C. CEF maintains the Forward Information Base and the adjacency table.

D. CEF can be enabled with the interface command ip cef.

E. The FIB is populated from a router's IP routing table.

F. On most router platforms CEF is enabled by default.

Answer: D

QUESTION NO: 204

Which of the following are considered subcomponents of the problem diagnosis step of the

troubleshooting flow? (Choose all that apply.)

A. Eliminate potential causes

B. Collect information

C. Document causes

D. Hypothesize underlying causes

E. Verify hypothesis

F. Examine collected information

Answer: A,B,D,E,F

QUESTION NO: 205

Which of the following virtual MAC addresses is correct for the HSRP group 22?

A. 0000.0c70.ac22

B. 0000.0c07.22ac

C. 0000.0c07.ac16

D. 0000.0c07.ac22

E. 0000.0c70.cala

F. 0000.0d22.ac07

Answer: C

QUESTION NO: 206

Which of the following procedures are involved in the recommended three-step troubleshooting

flow? (Choose the best three answers.)

A. Problem report

B. Problem collaboration

C. Problem diagnosis

D. Problem resolution

E. Problem documentation

F. Problem authentication

Answer: A,C,D

QUESTION NO: 207

Which of the following data structures exist on a router for the OSPF routing protocol?

A. OSPF topology table

B. OSPF interface table

C. OSPF routing information base

D. OSPF link-state database

E. OSPF adjacency table

F. OSPF neighbor table

Answer: B,C,D,F

QUESTION NO: 208

A router simultaneously receives all the following routes in various routing updates. Which of the

following routes would end up in the routing table? (Choose all that apply.)

A. RIP route 10.1.2.0/24

B. EIGRP route 10.1.2.0/24

C. RIP route 10.1.0.0/16

D. OSPF route 10.1.0.0/16

E. RIP route 10.0.0.0/16

F. OSPF route 10.1.2.0/24

Answer: B,D,E

QUESTION NO: 209

Which of the following commands would result in the following output: M.M.M

A. Ping 10.1.1.1 Data Pattern M.

B. Ping 10.1.1.1 timeout 0

C. Ping 10.1.1.1 size 1500 df-bit

D. Ping 10.1.1.1 source loopback 0

E. Ping 10.1.1.1 size 1500

F. Ping 10.1.1.1 size 1500 Strict

Answer: C

QUESTION NO: 210

Which of the following commands will cause RIPng to originate a default route advertisement while

suppressing all other routes?

A. R1(config-if)#ipv6 default-information originate

B. R1(config-router)#ipv6 rip <process-name> default-information only

C. R1(config)#ipv6 route ::/0 null 0

D. R1(config-if)#ipv6 rip <process-name> default-information only

E. R1(config-router)#ipv6 rip route ::/0 originate

F. R1(config-router)#aggregate-address ::/0 summarize-routes

Answer: D

QUESTION NO: 211

The OSPFv3 process will send hello packets to which of the following well-known addresses?

A. 255.255.255.255

B. 224.0.0.6

C. FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFF:FFF

D. FF02::10

E. 224.0.0.10

F. FF02::5

Answer: F

QUESTION NO: 212

Which of the following commands shows all routes learned via EIGRP? (Choose all that apply.)

A. show ip eigrp topology

B. show ip eigrp adjacency

C. show ip eigrp routes

D. show ip eigrp database

E. show ip route eigrp

F. show ip eigrp forwarding

Answer: A

QUESTION NO: 213

Which of the following three port types are valid Spanning Tree port types? (Choose the best three

answers.)

A. Designated port

B. Nonswitch port

C. Switch port

D. Nonroot port

E. Nondesignated port

F. Root port

Answer: A,E,F

QUESTION NO: 214

Which of the following is a valid method for defining a seed metric? (Choose all that apply.)

A. The default-metric command configured under the appropriate interface

B. The metric parameter in the network command of a routing process

C. The metric parameter in the redistribute command

D. The default-metric command

E. A route-map containing a seed command

F. A route map containing a metric command

Answer: C,D,F

QUESTION NO: 215

Which of the following characteristics are common to both RIPv2 and RIPng? (Choose all that

apply.)

A. Link-local address used for next-hop addresses

B. Interface can be added to RIP routing process in either interface configuration mode or in router

configuration mode

C. Uses a multicast to send routing updates

D. Use hop count as a metric

E. Distance-vector routing protocol

F. Maximum hop count is 15 with 16 being "unreachable"

Answer: C,D,E,F

QUESTION NO: 216

Which of the following commands will enable you to see the contents of the IP routing table and

send the output to a TFTP server at the same time?

A. show ip route | to tftp://192.168.1.1/route.txt

B. show ip route | tee tftp://192.168.1.1/route.txt

C. show ip route | include tftp://192.168.1.1/route.txt

D. show ip route ft include tftp://192.168.1.1/route.txt

E. show ip route | redirect tftp://192.168.1.1/route.txt

Answer: B

QUESTION NO: 217

Which of the following solutions will encapsulate IPv6 packets with IPv4 headers?

A. Create an IPv4 tunnel and assign the tunnel IPv6 addresses.

B. Create IPv4 interfaces on both ends of the network, and use either static routes or a routing

process to direct IPv6 packets through those interfaces.

C. IPv6 packets cannot be encapsulated with IPv4 headers because the addresses are not

compatible.

D. Create IPv6 interfaces on both ends of the network, and use static routes to point the IPv4

address to those interfaces.

E. Use an IPv6 routing protocol like OSPFv3 and assign IPv4 packets to that process.

F. Create an IPv4 tunnel and use the tunnel mode ipv6ip command.

Answer: F

QUESTION NO: 218

Which of the following is not a typical wireless troubleshooting target?

A. Quality of Service

B. Trunk configuration

C. Access lists

D. Routing protocol configuration

E. Power over Ethernet

F. DHCP configuration

Answer: D

QUESTION NO: 219

Which of the following is a valid representation of the following IPv6 address:

2001:0000:0000:0abc:0000:0000:000a:000b? Choose the answer with the least number of digits.

A. 2001:0000:0:abc:0000:0000:a:b

B. 2001::abc::a:b

C. 2001::abc:0:0:000a:000b

D. 2001::0abc:0000:0000:a:b

E. 2001:0000:0000:abc::a:b

F. 2001::abc:0:0:a:b

Answer: F

QUESTION NO: 220

Which of the following are troubleshooting targets common to both site-to-site and remote-access

VPNs? (Choose all that apply.)

A. Routing loops

B. Misconfiguration of VPN end points

C. Overlapping IP address space

D. DMVPN

E. User profiles

F. MTU

Answer: A,B,F

QUESTION NO: 221

You are using NBAR to get a statistical baseline for the applications running on your network but

discover that some applications are not being recognized. Which of the following are possible

solutions? (Choose all that apply.)

A. Use the ip nbar pdlm command to allow NBAR to reference a new PDLM in flash memory.

B. If NBAR doesn't recognize certain applications you must contact Cisco and ask them to email

you a new PDLM for that application.

C. Use the ip nbar port-map command to allow NBAR to recognize certain applications with a new

port number.

D. The applications not being recognized can be rerouted to an NBAR collector, which has a more

complete list of applications.

E. Use the copy nbar flash: command to download a new PDLM file to flash.

F. Use the ip nbar pdlm command to download a new NBAR reference file from the Cisco website.

Answer: A,C

QUESTION NO: 222

Which of the following statements are true for routers but not true for Layer 3 Ethernet switches?

(Choose all that apply.)

A. May have Ethernet as well as non-Ethernet interfaces

B. Traditionally used as a standalone device for inter-VLAN communication

C. Makes use of TCAMs

D. Uses subinterfaces to define trunks

E. Can use both Layer 2 and Layer 3 to make forwarding decisions

F. Allows the definition of Switched Virtual Interfaces (SVI)

Answer: A,B,D

QUESTION NO: 223

Which of the following events would not explain excessive CPU utilization?

A. A large number of BGP sessions.

B. A large BGP table.

C. A router is configured with the following command: ip route 0.0.0.0 0.0.0.0 fa 0/1.

D. All interface buffers are continually in use.

E. A flapping interface.

F. The router sends a large number of ARP requests.

Answer: B

QUESTION NO: 224

Which of the following correctly fills in the missing words of this sentence: An ARP request uses a

____ address, whereas an ARP reply uses a ____ address.

A. broadcast, multicast

B. unicast, broadcast

C. broadcast, unicast

D. multicast, unicast

E. broadcast, broadcast

F. unicast, multicast

Answer: C

QUESTION NO: 225

Which of the following is not a typical maintenance task within a network maintenance model?

A. Providing technical customer support

B. Changing configurations

C. Updating software

D. Monitoring network performance

E. Replacing hardware

F. Scheduling backups

Answer: A

QUESTION NO: 226

Which of the following router models will support 1000 tunnels?

A. 2811

B. 2801

C. 2851

D. 2821

E. 1841

F. 3825

Answer: A,B,C,D,F

QUESTION NO: 227

A network administrator enters the command clear ip route * and as a result he sees the message,

"Please update the network documentation to record why the ip routing table was cleared." Which

router feature was used in this case?

A. NetFlow

B. SNMP

C. Debug

D. SysLog

E. EEM

F. CEF

Answer: E

QUESTION NO: 228

Which of the following types of attacks does DHCP snooping prevent? (Choose all that apply.)

A. Attacker sends multiple DHCP requests flooding DHCP server

B. Attacker connects rogue server initiating DHCP requests

C. Attacker connects rogue server replying to DHCP requests

D. Attacker sends DHCP jam signal causing DHCP server to crash

E. Attacker sends gratuitous ARP replies, thereby jamming the DHCP server

F. Attacker sends unsolicited DHCP replies, thereby jamming the DHCP server

Answer: A,C

QUESTION NO: 229

You issue the command show process memory | include BGP and notice that BGP is consuming a

large percentage of the router's memory. Which of the following steps would result in lowering the

amount of memory being consumed by BGP? (Choose all that apply.)

A. Filter unneeded BGP routes.

B. Run BGP on a different platform that already has more memory.

C. Upgrade the router memory.

D. Increase the BGP update timer.

E. Compress the BGP table.

F. Use a default route instead of maintaining a full BGP table.

Answer: A,C,F

QUESTION NO: 230

Which of the following characteristics applies only to OSPFv3 and not to OSPFv2?

A. Several processes can exist simultaneously

B. Requires direct connectivity from the backbone area to all other areas

C. Has the same packet types

D. Can support multiple subnets on a single link

E. Uses a hierarchical structure divided into areas

F. Adjacencies formed with neighbors

Answer: D

QUESTION NO: 231

A router has been configured with an EIGRP variance of 3. Which of the following statements is

true?

A. An error will result because a router cannot be configured with an EIGRP variance of 3 because

the maximum variance number is 2.

B. The successor route will end up in the routing table, and so will any route with a metric at most

three times greater than the value of the successor's metric.

C. EIGRP will only advertise routes that are within three hops of the current router.

D. The successor route will end up in the routing table, and so will any route with a metric at least

one third the value of the successor's metric.

E. The best three routes with equal cost paths will end up in the routing table.

F. The successor route will be any route with three times the value of the advertised distance.

Answer: B

QUESTION NO: 232

Which of the following statements is correct?

A. A route's feasible distance is the sum of the router's metric to reach the neighbor, plus the

advertised distance.

B. A route's feasible distance is calculated as the advertised distance plus the feasible successor's

distance.

C. A route's successor route is the feasible distance plus the advertised distance.

D. A route's feasible distance is the sum of the advertised distance and the successor distance.

E. A route's feasible successor is calculated as the successor plus the feasible distance.

F. A route's feasible successor is the sum of the router's metric to reach the neighbor, plus the

advertised distance.

Answer: A

QUESTION NO: 233

Which of the following are considered common elements found in a set of network documents?

(Choose all that apply.)

A. Building schematic

B. IGP community elements

C. Listing of interconnections

D. Physical topology diagram

E. Logical topology diagram

F. Inventory of network equipment

Answer: C,D,E,F

QUESTION NO: 234

Which of the following troubleshooting targets is considered to be a Layer 2 issue? (Choose all

that apply.)

A. Spanning Tree Protocol

B. Cabling

C. Frame forwarding

D. Packet forwarding

E. EtherChannel

F. Routing protocols

Answer: A,C,E

QUESTION NO: 235

You are using AutoQoS Enterprise and realize that the results are not what you expected. Which

of the following are possible reasons for AutoQoS not functioning correctly? (Choose all that

apply.)

A. The interface you configured for AutoQoS is set to half-duplex.

B. AutoQoS was configured on only one end of the link.

C. The interface you configured for AutoQoS has no IP address.

D. The interface's bandwidth is not correctly configured.

E. CEF is not enabled on the interface.

F. You enabled AutoQoS on the interface but forgot to enable globally first.

Answer: B,C,D,E

QUESTION NO: 236

Which of the following statements are true regarding Layer 3 switches? (Choose all that apply.)

A. A routed port does not run STP or DTP.

B. A routed port is considered to be in a down state if it is not operational at both Layer 1 and

Layer 2.

C. An SVI is considered to be in a down state if it is not operational at both Layer 1 and Layer 2.

D. An SVI is considered to be in a down state only when none of the ports in the corresponding

VLAN are active.

E. An SVI port does not run STP or DTP.

F. To create a trunk, an SVI can be logically divided into subinterfaces.

Answer: A,B,D

QUESTION NO: 237

Which of the following characteristics are true assuming you are troubleshooting a network

currently enabled for VRRP? (Choose all that apply.)

A. The network is load balancing among different members of the VRRP group.

B. The default hello timers are 1 second.

C. The interface IP address is being used as the virtual IP address.

D. There are several routers in the group simultaneously forwarding traffic for the group.

E. It is a Cisco Proprietary protocol.

F. The default hello timers are 3 seconds.

Answer: B,C

QUESTION NO: 238

Which of the following types of NAT allows multiple private internal IP addresses to use a single

public external IP address?

A. NAT mapping

B. NAT overloading

C. NAT caching

D. Static NAT

E. Dynamic NAT

F. Overlapping NAT

Answer: B

QUESTION NO: 239

Which of the following scenarios are likely reasons for an EtherChannel to fail?

A. Mismatched EtherChannel protocol

B. Mismatched EtherChannel port selection

C. Mismatched EtherChannel distribution algorithm

D. Mismatched trunk mode

E. Mismatched native VLAN

F. Mismatched link speed

Answer: A,D,E,F

QUESTION NO: 240

Which of the following NTP commands specifies that a router is in the Eastern time zone, which is

five hours behind GMT?

A. timezone EST -5

B. clock timezone GMT -5

C. clock GMT -5

D. clock EST-5

E. NTP timezone EST -5

F. clock timezone EST -5

Answer: F

Explanation:

Topic 4: More Questions (50 Questions)

QUESTION NO: 241

You are working as a network technician, study the exhibit carefully. Your boss has informed you

that there have been problems with the WAN that is using EIGRP routing protocol. You are

required to troubleshoot these problems.

Before going to the questions of this sim, we should have a quick review about GRE tunneling:

GRE Quick Summary

The picture below shows how to configure a GRE Tunnel between two

routers, notice that the "tunnel destination" must be the IP address of the interface, not of the

opposite tunnel.

Notice: The tunnel source on one router must be specified as the tunnel destination on the other

router.

Below are the questions of this lab-sim.

What is preventing the 192.168.1.150 network from appearing in the HQ router's routing table?

A. The default route is missing from the Branch4 router.

B. The IP address on the E0/0 interface for the Branch4 router has the wrong IP mask. It should

be 255.255.255.252.

C. The network statement under router EIGRP on the Branch4 router is incorrect. It should be

network 192.168.1.0 0.0.0.255.

D. When running EIGRP over GRE tunnels, you must manually configure the neighbor address

using the eigrp neighbor ipaddress command.

E. The IP address on the tunnel interface on P4S-Branch4 is incorrect. It should be 192.168.1.12

255.255.255.252.

Answer: C

Explanation:

As you can guess, you will need to use the show running-config command on Branch4 router

From the show running-config output of Branch4, we learn that the EIGRP network was wrongly

configured on this router. With "network 192.168.1.14 0.0.0.0" configured, Branch4 will only

advertise host 192.168.1.14 to HQ, so the HQ router will not know about the existence of the

192.168.1.150 network.

QUESTION NO: 242

You are working as a network technician, study the exhibit carefully. Your boss has informed you

that there have been problems with the WAN that is using EIGRP routing protocol. You are

required to troubleshoot these problems.

Before going to the questions of this sim, we should have a quick review about GRE tunneling:

GRE Quick Summary

The picture below shows how to configure a GRE Tunnel between two routers, notice that the

"tunnel destination" must be the IP address of the interface, not of the opposite tunnel.

Notice: The tunnel source on one router must be specified as the tunnel destination on the other

router.

Below are the questions of this lab-sim.

What is the reason that tunnel 5 on the HQ router is down when its companion tunnel on the

Branch5 router is up?

A. The IP address on the tunnel interface on Branch5 is incorrect. It should be 192.168.1.16

255.255.255.252.

B. The tunnel source for tunnel 5 is incorrect on the HQ router. It should be serial 2/0.

C. The tunnel numbers for tunnel between the HQ router and the Branch5 router do not match.

D. The tunnel destination address for tunnel 5 is incorrect on the HQ router. It should be 10.2.5.1

to match the interface address of the Branch5 router.

E. The tunnel interface for tunnel 5 on the HQ router is in the administrative down state.

Answer: B

Explanation:

Using the show running-config command on the HQ router, we learn that the tunnel source configured

on HQ is Serial1/0, but the HQ router connects to the Internet via the Serial2/0 interface, so the tunnel

source configured on the HQ router was incorrect.

QUESTION NO: 243

You are working as a network technician, study the exhibit carefully. Your boss has informed you

that there have been problems with the WAN that is using EIGRP routing protocol. You are

required to troubleshoot these problems.

Before going to the questions of this sim, we should have a quick review about GRE tunneling:

GRE Quick Summary

The picture below shows how to configure a GRE Tunnel between two routers. Notice that the

"tunnel destination" must be the IP address of the interface, not of the opposite tunnel.

Notice: The tunnel source on one router must be specified as the tunnel destination on the other

router.

Below are the questions of this lab-sim.

What is preventing the HQ router and the Branch1 router from building up an EIGRP neighbor

relationship?

A. When running EIGRP over GRE tunnels, you must manually configure the neighbor address

using the eigrp neighbor ipaddress command.

B. The tunnel destination address is incorrect on the HQ router. It should be 10.2.1.1 to match the

interface address of the Branch1 router.

C. The tunnel source is incorrect on the Branch1 router. It should be serial 2/0.

D. The default route is missing from the Branch1 router.

E. The tunnel interface numbers for the tunnel between the HQ router and Branch1 router do not

match.

Answer: B

Explanation:

Use the show running-config command on the HQ and Branch1 routers and we will see that the tunnel

destination address was wrongly configured on the HQ router.

QUESTION NO: 244

You are working as a network technician, study the exhibit carefully. Your boss has informed you

that there have been problems with the WAN that is using EIGRP routing protocol. You are

required to troubleshoot these problems.

Before going to the questions of this sim, we should have a quick review about GRE tunneling:

GRE Quick Summary

The picture below shows how to configure a GRE Tunnel between two routers. Notice that the

"tunnel destination" must be the IP address of the interface, not of the opposite tunnel.

Notice: The tunnel source on one router must be specified as the tunnel destination on the other

router.

Below are the questions of this lab-sim.

For the following statements, what is preventing a successful ping between the HQ router and the

192.168.1.10 interface on the Branch3 router?

A. The default route is missing from the Branch3 router.

B. The tunnel interface numbers for the tunnel between the HQ router and the Branch3 router do

not match

C. The tunnel source is incorrect on the Branch3 router. It should be serial 2/0.

D. The IP address on the tunnel interface for the Branch3 router has wrong IP mask. It should be

255.255.255.252

E. The network statement under router EIGRP on the Branch3 router is incorrect. It should be

network 192.168.2.0 0.0.0.255.

Answer: A

Explanation:

The Branch3 router is missing the default route to HQ router's interface (Serial2/0) so the ping

command will not work.

QUESTION NO: 245

You are working as a network technician, study the exhibit carefully. Your boss has informed you

that there have been problems with the WAN that is using EIGRP routing protocol. You are

required to troubleshoot these problems.

Before going to the questions of this sim, we should have a quick review about GRE tunneling:

GRE Quick Summary

The picture below shows how to configure a GRE Tunnel between two routers. Notice that the

"tunnel destination" must be the IP address of the interface, not of the opposite tunnel.

Notice: The tunnel source on one router must be specified as the tunnel destination on the other

router.

Below are the questions of this lab-sim.

What is the reason for the ping between the HQ router and the 192.168.1.193 interface on the

Branch2 router failing?

A. The default route is missing from the Branch2 router.

B. When running EIGRP over GRE tunnels, you must manually configure the neighbor address

using the eigrp neighbor ip address command.

C. The tunnel numbers for the tunnel between the HQ router and the Branch2 router do not match.

D. The tunnel source is incorrect on the Branch2 router. It should be serial 2/0.

E. The AS number for the EIGRP process on Branch2 should be 1 and not 11.

Answer: E

Explanation:

First we should check the configuration of both HQ and Branch 2 routers by using the show

running-config command

On HQ router:

On Branch2 router

From the outputs we learn that the AS numbers on the two routers are not the same. They therefore do

not become EIGRP neighbors and the ping between the two routers should fail.

QUESTION NO: 246

This item contains several questions that you must answer. You can view these questions by

clicking on the Questions button to the left. Changing questions can be accomplished by clicking

the numbers to the left of each question. In order to complete the questions, you will need to refer

to the SDM and the topology, neither of which is currently visible.

To gain access to either the topology or the SDM, click on the button on the left side of the screen that

corresponds to the section you wish to access. When you have finished viewing the topology or the

SDM, you can return to your questions by clicking on the Questions button to the left.

Which peer authentication method and which IPSEC mode is used to connect to the branch

locations? (Choose two)

A. Digital Certificate

B. Pre-Shared Key

C. Transport Mode

D. Tunnel Mode

E. GRE/IPSEC Transport Mode

F. GRE/IPSEC Tunnel Mode

Answer: B,D

Explanation:

QUESTION NO: 247

This item contains several questions that you must answer. You can view these questions by

clicking on the Questions button to the left. Changing questions can be accomplished by clicking

the numbers to the left of each question. In order to complete the questions, you will need to refer

to the SDM and the topology, neither of which is currently visible. To gain access to either the

topology or the SDM, click on the button on the left side of the screen that corresponds to the section

you wish to access. When you have finished viewing the topology or the SDM, you can return to your

questions by clicking on the Questions button to the left.

Which algorithm as defined by the transform set is used for providing data confidentiality when

connected to Tyre?

A. ESP-3DES-SHA

B. ESP-3DES-SHA1

C. ESP-3DES-SHA2

D. ESP-3DES

E. ESP-SHA-HMAC

Answer: D

Explanation:

In the site-to-site VPN branch we see something like this

so the answer should be ESP-3DES-SHA2 or ESP-3DES?

To answer this question, we should review the concept:

"Data confidentiality is the use of encryption to scramble data as it travels across an insecure

media". Data confidentiality therefore means encryption.

"The transform set is a group of attributes that are exchanged together, which eliminates the need

to coordinate and negotiate individual parameters". In the picture above, we can see 3 parts of the

transform-set ESP-3DES-SHA2:

IPsec protocol: ESP

IPsec encryption type: 3DES

IPsec authentication: SHA2

The question asks which algorithm is used for providing data confidentiality (encryption),

therefore the answer should be D - ESP-3DES.

QUESTION NO: 248

This item contains several questions that you must answer. You can view these questions by

clicking on the Questions button to the left. Changing questions can be accomplished by clicking

the numbers to the left of each question. In order to complete the questions, you will need to refer

to the SDM and the topology, neither of which is currently visible.

To gain access to either the topology or the SDM, click on the button on the left side of the screen that

corresponds to the section you wish to access. When you have finished viewing the topology or the

SDM, you can return to your questions by clicking on the Questions button to the left.

Which defined peer IP address and local subnet belong to Crete? (Choose two)

A. peer address 192.168.55.159

B. peer address 192.168.89.192

C. peer address 192.168.195.23

D. subnet 10.5.15.0/24

E. subnet 10.7.23.0/24

F. subnet 10.4.38.0/24

Answer: A,D

Explanation:

QUESTION NO: 249

This item contains several questions that you must answer. You can view these questions by

clicking on the Questions button to the left. Changing questions can be accomplished by clicking

the numbers to the left of each question. In order to complete the questions, you will need to refer

to the SDM and the topology, neither of which is currently visible. To gain access to either the

topology or the SDM, click on the button on the left side of the screen that corresponds to the section

you wish to access. When you have finished viewing the topology or the SDM, you can return to your

questions by clicking on the Questions button to the left.

Which IPSec rule is used for the Olympia branch and what does it define? (Choose two)

A. 102

B. 116

C. 127

D. IP traffic sourced from 10.10.10.0/24 destined to 10.5.15.0/24 will use the VPN

E. IP traffic sourced from 10.10.10.0/24 destined to 10.8.28.0/24 will use the VPN.

F. IP traffic sourced from 10.10.10.0/24 destined to 10.5.33.0/24 will use the VPN.

Answer: B,E

Explanation:

From the output above, we learn that the IPSec Rule is 116. Next click on "IPSec Rules" and

select the Name/Number of 116 to view the rule applied to it. You will see a "permit" rule for traffic

from 10.10.10.0/24 to 10.8.28.0/24 (notice that the picture shows wildcard masks, which are inverse

subnet masks).

QUESTION NO: 250

This item contains several questions that you must answer. You can view these questions by

clicking on the Questions button to the left. Changing questions can be accomplished by clicking

the numbers to the left of each question. In order to complete the questions, you will need to refer

to the SDM and the topology, neither of which is currently visible. To gain access to either the

topology or the SDM, click on the button on the left side of the screen that corresponds to the section

you wish to access. When you have finished viewing the topology or the SDM, you can return to your

questions by clicking on the Questions button to the left.

Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its

Internet connectivity. As a recent addition to the network engineering team, you have been tasked

with documenting the active Firewall configurations on the Annapolis router using the Cisco Router

and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks

under the Configure tab, answer the following questions:

Which two options would be correct for a permissible incoming TCP packet on an untrusted

interface in this configuration? (Choose two)

A. The packet has a source address of 172.16.29.12

B. The packet has a source address of 10.94.61.29

C. The session originated from a trusted interface

D. The application is not specified within the inspection rule SDM_LOW

E. The packet has a source address of 198.133.219.144

Answer: C,E

Explanation:

The "incoming TCP packet on an untrusted interface" refers to the traffic sent from the outside to

the outer interface of the router.

(Notice: In the real exam, there may be more filter rules than the ones shown above.) The access

list denies traffic from the 172.16.29.12/30 and 10.0.0.0/8 networks, so A and B are not correct. D is

obviously incorrect because SDM_LOW did specify the filter rule. Access list 101 only filters

"returning traffic" and does not process traffic originating from a trusted (inside)

interface, so C is correct. E is correct because the IP address 198.133.219.144 is not in the

"deny" lists, so it satisfies the "permit any" line.

QUESTION NO: 251

This item contains several questions that you must answer. You can view these questions by

clicking on the Questions button to the left. Changing questions can be accomplished by clicking

the numbers to the left of each question. In order to complete the questions, you will need to refer

to the SDM and the topology, neither of which is currently visible. To gain access to either the

topology or the SDM, click on the button on the left side of the screen that corresponds to the section

you wish to access. When you have finished viewing the topology or the SDM, you can return to your

questions by clicking on the Questions button to the left.

Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its

Internet connectivity. As a recent addition to the network engineering team, you have been tasked

with documenting the active Firewall configurations on the Annapolis router using the Cisco Router

and Security Device Manager (SDM) utility.

Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following

questions:

Which two statements would specify a permissible incoming TCP packet on a trusted interface in

this configuration? (Choose two)

A. The packet has a source address of 10.79.233.107

B. The packet has a source address of 172.16.81.108

C. The packet has a source address of 198.133.219.40

D. The destination address is not specified within the inspection rule SDM_LOW.

Answer: A,C

Explanation:

The "incoming TCP packet on a trusted interface" refers to a packet that originates from the inside

(trusted) interface.

The configured access list denies packets in the 172.16.81.108/30 subnetwork, so it will only drop

packets that have a source address of 172.16.81.108 while allowing other packets to go through

(except 255.255.255.255 and 127.0.0.0/8).

QUESTION NO: 252

This item contains several questions that you must answer. You can view these questions by

clicking on the Questions button to the left. Changing questions can be accomplished by clicking

the numbers to the left of each question. In order to complete the questions, you will need to refer

to the SDM and the topology, neither of which is currently visible. To gain access to either the

topology or the SDM, click on the button on the left side of the screen that corresponds to the section

you wish to access. When you have finished viewing the topology or the SDM, you can return to your

questions by clicking on the Questions button to the left.

Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its

Internet connectivity. As a recent addition to the network engineering team, you have been tasked

with documenting the active Firewall configurations on the Annapolis router using the Cisco Router

and Security Device Manager (SDM) utility. Using the SDM output from Firewall and ACL Tasks

under the Configure tab, answer the following questions:

Which statement is true?

A. Both FastEthernet 0/0 and Serial 0/0/0 are trusted interfaces.

B. Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interfaces.

C. FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface

D. FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface.

Answer: C

Explanation:

The trusted interface is the inside interface and the untrusted interface is the outside interface.

Moreover, from the above picture we see that the "Originating traffic" starts from FastEthernet0/0

to Serial0/0/0. So Fa0/0 is the inside interface and S0/0/0 is the outside interface.

QUESTION NO: 253

Which three statements accurately describe IOS Firewall configurations? (Choose three)

A. The IP inspection rule can be applied in the inbound direction on the secured interface.

B. The IP inspection rule can be applied in the outbound direction on the unsecured interface.

C. The ACL applied in the inbound direction on the unsecured interface should be an extended

ACL.

D. For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for the

returning traffic must be a standard ACL.

Answer: A,B,C

QUESTION NO: 254

Study this exhibit carefully. What information can be derived from the SDM firewall configuration

displayed?

A. Access-list 101 was configured for the trusted interface, and access-list 100 was configured for

the untrusted interface

B. Access-list 100 was configured for the trusted interface, and access-list 101 was configured for

the untrusted interface.

C. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for

the outbound direction on the trusted interface.

D. Access-list 100 was configured for the inbound direction, and access-list 101 was configured for

the outbound direction on the untrusted interface.

Answer: B

Explanation:

The last line of access-list 100 is used to "permit" all the traffic so it is the inside (trusted) interface.

The last line of access-list 101 is used to "deny" all traffic so it is the outside (untrusted) interface.

QUESTION NO: 255

Which two statements are true about the Cisco Classic (CBAC) IOS Firewall set? (Choose two)

A. It can be used to block bulk encryption attacks.

B. It can be used to protect against denial of service attacks

C. Traffic originating from the router is considered trusted, so it is not inspected.

D. Based upon the custom firewall rules, an ACL entry is statically created and added to the

existing ACL permanently.

E. Temporary ACL entries that allow selected traffic to pass are created and persist for the

duration of the communication session.

Answer: B,E

QUESTION NO: 256

Which two encapsulation methods require that an 827 ADSL router be configured with a PPP

username and CHAP password? (Choose two)

A. PPPoE with the 827 configured as a bridge

B. PPPoE with the 827 configured as the PPPoE client

C. PPPoA

D. RFC 1483 Bridged with the 827 configured as the PPPoE client

E. RFC 1482 Bridged with the 827 configured as a bridge

Answer: B,C

Explanation:

When configuring PPPoE (as the PPPoE client) and PPPoA, we need a username and password

to match with those configured at the Internet Service Provider (ISP).

QUESTION NO: 257

Router NetworkTut is configured as shown below:

Given the above configuration, which statement is true?

A. This device is configured as a PPPoE client

B. This device is configured as a PPPoA client

C. This device is configured as RFC 1483/2684 bridge

D. This device is configured as an aggregation router

Answer: B

Explanation:

Notice that the command "encapsulation aal5mux ppp dialer" is configured under interface

ATM0/0. This configuration is used for a PPPoA client.

QUESTION NO: 258

As a network engineer, study the exhibit carefully. Router Net is unable to establish an ADSL

connection with its provider. Which action would correct this problem?

A. On the Dialer0 interface, add the pppoe enable command

B. On the Dialer0 Interface, add the ip mtu 1496 command

C. On the ATM0/0 interface, add the dialer pool-member 1 command

D. On the ATM0/0 interface, add the dialer pool-member 0 command.

Answer: C

QUESTION NO: 259

Which statement about PPPoA configuration is correct?

A. The dsl operating-mode auto command is required if the default mode has been changed.

B. The ip mtu 1496 command must be applied on the dialer interface

C. The encapsulation ppp command is required

D. The ip mtu 1492 command must be applied on the dialer interface

Answer: A

QUESTION NO: 260

Network Topology Exhibit:

Configuration Exhibit:

NET(config)# access-list 112 deny icmp any any echo log

NET(config)# access-list 112 deny icmp any any redirect log

NET(config)# access-list 112 deny icmp any any mask-request log

NET(config)# access-list 112 permit icmp any 10.1.1.0 0.0.0.255

NET(config)# interface Fa0/1

NET(config-if)# ip access-group 112 in

You work as a network administrator at networkTut.com, study the exhibit carefully. The

configuration has been applied to router NET to mitigate the threat of certain types of ICMP-based

attacks while allowing some ICMP traffic to the corporate LAN to work. However, the configuration

is incorrect. On the basis of the information in the exhibit, which configuration option would

correctly configure router NET?

A. The first three statements of ACL 112 should have permitted the ICMP traffic and the last

statement should deny the identified traffic.

B. The last statement of ACL 112 should have been "access-list 112 deny icmp any 10.2.1.0

0.0.0.255".

C. The last statement of ACL 112 should have been "access-list 112 permit icmp any 10.2.1.0

0.0.0.255".

D. ACL 112 should have been applied to interface Fa0/0 in an inbound direction.

E. The last statement of ACL 112 should have been "access-list 112 deny icmp any 10.1.1.0

0.0.0.255".

F. ACL 112 should have been applied to interface Fa0/1 in an outbound direction

G. None of the above.

Answer: C

Explanation:

The network 10.2.1.0 is the internal LAN network. If the last statement is "access-list 112 permit

icmp any 10.1.1.0 0.0.0.255", it will allow ICMP traffic sent from the Internet to work and thus

makes the router vulnerable to ICMP-based attacks.

QUESTION NO: 261

As a network technician, do you know what is a recommended practice for secure configuration

management?

A. Disable post scan

B. Use SSH or SSL

C. Enable trust levels

D. Deny echo replies on all edge routers

Answer: B

QUESTION NO: 262

As a network engineer, do you know for what purpose SDM uses Security Device Event Exchange

(SDEE)?

A. to provide a keepalive mechanism

B. to pull event logs from the router

C. to extract relevant SNMP information

D. to perform application-level accounting

Answer: B

QUESTION NO: 263

Authentication is the process of determining if a user or identity is who they claim to be. Refer to

the exhibit. Which statement about the authentication process is correct?

A. The LIST1 list will disable authentication on the console port.

B. All login requests will be authenticated using the group tacacs+ method

C. The default login authentication will automatically be applied to all login connections

D. Because no method list is specified, the LIST1 list will not authenticate anyone on the console

port.

Answer: A

Explanation:

The command "aaa authentication login LIST1 none" tells the router not to use any authentication

method for LIST1. The command "login authentication LIST1" under console mode applies

LIST1 to logins through the console port.

QUESTION NO: 264

In computer security, AAA stands for authentication, authorization and accounting. Which option

about the AAA authentication enable default group radius enable command is correct?

A. If the radius server returns an error, the enable password will be used.

B. If the radius server returns a 'failed' message, the enable password will be used.

C. The command login authentication group will associate the AAA authentication to a specified

interface.

D. If the group database is unavailable, the radius server will be used.

Answer: A

QUESTION NO: 265

Refer to the exhibit. Which two statements about the AAA configuration are true? (Choose two)

A. A good security practice is to have the none parameter configured as the final method used to

ensure that no other authentication method will be used.

B. If a TACACS+ server is not available, then a user connecting via the console port would not be

able to gain access since no other authentication method has been defined.

C. If a TACACS+ server is not available, then the user Bob could be able to enter privileged mode

as long as the proper enable password is entered.

D. The aaa new-model command forces the router to override every other authentication method

previously configured for the router lines.

E. To increase security, group radius should be used instead of group tacacs+.

F. Two authentication options are prescribed by the displayed aaa authentication command

Answer: D,F

Explanation:

The aaa new-model command will override previously configured authentication methods -> D is

correct.

Two authentication options are prescribed by the above command. They are tacacs+ and none.

QUESTION NO: 266

You need to configure a GRE tunnel on an IPSec router. When you are using the SDM to configure

a GRE tunnel over IPsec, which two parameters are required when defining the tunnel interface

information? (Select two)

A. The crypto ACL number

B. The IPSEC mode (tunnel or transport)

C. The GRE tunnel interface IP address

D. The GRE tunnel source interface or IP address, and tunnel destination IP address

E. The MTU size of the GRE tunnel interface

Answer: C,D

QUESTION NO: 267

Which statement correctly describes IPsec VPN backup technology?

A. The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO)

protocol.

B. Reverse Route Injection (RRI) is configured at the remote site to inject the central site

networks

C. Each Hot Standby Routing Protocol (HSRP) standby group has two well-known MAC

addresses and a virtual IP address.

D. The crypto isakmp keepalive command is used to configure stateless failover

Answer: D

QUESTION NO: 268

IPSec VPN is a widely-acknowledged solution for enterprise networks. What are the four steps to

set up an IPsec VPN?

A. Step 1: Interesting traffic initiates the IPsec process.

Step 2: ESP authenticates IPsec peers and negotiates IKE SAs.

Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.

Step 4: Data is securely transferred between IPsec peers.

B. Step 1: Interesting traffic initiates the IPsec process.

Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.

Step 3: IKE authenticates IPsec peers and negotiates IKE SAs.

Step 4: Data is securely transferred between IPsec peers.

C. Step 1: Interesting traffic initiates the IPsec process.

Step 2: IKE authenticates IPsec peers and negotiates IKE SAs.

Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.

Step 4: Data is securely transferred between IPsec peers.

D. Step 1: Interesting traffic initiates the IPsec process.

Step 2: AH authenticates IPsec peers and negotiates IKE SAs.

Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers.

Step 4: Data is securely transferred between IPsec peers.

Answer: C

QUESTION NO: 269

Study the exhibit carefully. The Cisco IOS IPsec High Availability (IPsec HA) Enhancements

feature provides an infrastructure for reliable and secure networks to provide transparent

availability of the VPN gateways - that is, Cisco IOS Software-based routers. What are the two

options that are used to provide High Availability IPsec? (Choose two)

A. HSRP

B. Dual Router Mode (DRM) IPsec

C. IPsec Backup Peerings

D. RRI

Answer: A,D

Explanation:

The "standby ip" command specifies HSRP is being used (and it establishes 192.168.0.3 as the IP

of the virtual router).

The "crypto map" and "reverse-route" lines specify Reverse Route Injection (RRI) is being used.

Reverse Route Injection (RRI) is the process of injecting a static route into the Interior Gateway

Protocol (IGP) routing table.

To configure RRI under a static crypto map, we perform the following steps:

1. configure terminal

2. crypto map {map-name} {seq-name} ipsec-isakmp (creates or modifies a crypto map entry and

enters crypto map configuration mode)

3. reverse-route [static | tag tag-id [static] | remote-peer [static] | remote-peer ip-address [static]]

(creates source proxy information for a crypto map entry)

QUESTION NO: 270

IPSec VPN is a widely-acknowledged solution for enterprise network. Which three IPsec VPN

statements are true? (Choose three)

A. IKE keepalives are unidirectional and sent every ten seconds

B. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH)

protocol for exchanging keys.

C. To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three

packets.

D. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers.

Answer: A,C,D

QUESTION NO: 271

A new router was configured with the following commands:

The configuration above was found on an Internet Service Provider's (ISP) Multiprotocol Label

Switching (MPLS) network. What is its purpose?

A. To prevent customers from running TDP with the ISP routers

B. To prevent customers from running LDP with the ISP routers

C. To prevent other ISPs from running LDP with the ISP routers

D. To prevent man-in-the-middle attacks

E. To use CBAC to shut down Distributed Denial of Service attacks

F. To use IPS to protect against session-replay attacks

G. None of the above

Answer: A

Explanation:

Port 711 is used by the Tag Distribution Protocol (TDP), and the administrator usually wants to

block this type of traffic between the ISP and customer routers for security reasons. By doing

this, the TDP neighbor session between the customer and ISP routers will not be formed.

QUESTION NO: 272

Study the exhibit carefully.

Routers A and B are customer routers. Routers 1, 2, 3 and 4 are provider routers. The routers are

operating with various IOS versions. Which frame mode MPLS configuration statement is true?

A. Before MPLS is enabled, the ip cef command is only required on routers 1 and 4.

B. After MPLS is enabled, the ip cef command is only required on routers 1 and 4.

C. Before MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of

routers 1 and 4.

D. After MPLS is enabled, the ip cef command is only required on the Ethernet 0 interfaces of

routers 1 and 4.

E. Before MPLS is enabled, the ip cef command must be applied to all provider routers.

Answer: E

Explanation:

CEF is the fundamental requirement of the MPLS architecture and must be enabled globally on all

routers that want to use MPLS.

QUESTION NO: 273 DRAG DROP

Drag each type of attack on the left to the description on the right.

Answer:

Explanation:

1) Trojan horse: Programs that appear desirable but actually contain something harmful.

2) Virus: Malicious software that is attached to other programs and executes a particular unwanted

function on a user workstation.

3) Port redirection: Compromised system that is used as a jump-off point for attacks against other

targets.

4) Worm: Executes arbitrary code and installs copies of itself in the memory of the infected

computer.

QUESTION NO: 274 DRAG DROP

Drag and drop question. The top lists the MPLS functions; the bottom lists the planes.

Drag each item above to its proper location below.

Answer:

Explanation:

Control Plane:

Exchanges routing updates between neighboring devices

Exchanges labels between peer devices

Compiles a list of all labels advertised and received

Data Plane:

Performs label swapping

Performs packet forwarding

Builds a mapping of destination networks to active labels

QUESTION NO: 275 DRAG DROP

Drag the protocols that are used to distribute MPLS labels from above to the target area

below. (Not all options will be used)

Answer:

Explanation:

1) LDP

2) RSVP

3) BGPv4

QUESTION NO: 276 DRAG DROP

Drag each element of the Cisco IOS Firewall Feature Set from above and drop it onto its

description below.

Answer:

Explanation:

QUESTION NO: 277 DRAG DROP

Match each xDSL type above to the most appropriate implementation below.

Answer:

Explanation:

QUESTION NO: 278 DRAG DROP

Drag and drop each xDSL type above onto the appropriate xDSL description below.

Answer:

Explanation:

QUESTION NO: 279 DRAG DROP

Identify the recommended steps for worm attack mitigation by dragging and dropping them into the

target area in the correct order.

Answer:

Explanation:

1) Containment - stop the spread of the worm inside your network and within your network

2) Inoculation - upgrade all systems to the latest operating system code version

3) Quarantine - track down each infected machine inside your network

4) Treatment - clean and patch each infected system

QUESTION NO: 280 DRAG DROP

Drag the IOS commands from the left that would be used to implement a GRE tunnel using the

10.1.1.0/30 network on interface serial 0/0 to the correct target area on the right.

Answer:

Explanation:

Global-level commands:

1) interface tunnel 0

Interface-level commands:

1) ip address 10.1.1.1 255.255.255.252

2) tunnel source serial 0/0

3) tunnel destination 10.1.1.2

4) tunnel mode gre ip

QUESTION NO: 281 DRAG DROP

Drag the DSL local loop topic on the left to the correct descriptions on the right.

Answer:

QUESTION NO: 282 DRAG DROP

Drag the DSL technologies on the left to their maximum (down/up) data rate values below.

Answer:

Explanation:

QUESTION NO: 283 DRAG DROP

Drag and drop each function above onto the hybrid fiber-coaxial architecture component that it

describes below.

Answer:

Explanation:

QUESTION NO: 284 DRAG DROP

Drag and drop each management protocol above onto the correct category below.

Answer:

Explanation:

Secure:

1) SSH

2) SSL

3) IPSec

4) SNMPv3

Unsecure:

1) NTP

2) Telnet

3) Syslog

4) SNMPv2

QUESTION NO: 285 DRAG DROP

Drag each IPsec protocol description from above to the correct protocol type below. (Not

all descriptions will be used)

Drag and Drop question, drag each item to its proper location.

Answer:

Explanation:

1) AH: Provides a framework for authenticating and securing data.

2) ESP: Provides a framework for encrypting, authenticating and securing data.

3) IKE: Provides a framework for the negotiation on security parameters and establishes

authenticated keys.

QUESTION NO: 286 DRAG DROP

Drag and drop the steps in the process for provisioning a cable modem to connect to a headend

from above to below, in the order defined by the DOCSIS standard.

Answer:

Explanation:

1) Scan and lock the downstream frequency: At power-on, the cable modem scans and locks the

downstream path for the allocated RF data channel in order for physical and data link layers to be

established.

2) Obtain upstream parameters: The cable modem listens to the management messages arriving

via the downstream path. These include information regarding how and when to communicate in

the upstream path. These are used to establish the upstream physical and data link layers.

3) Establish Layer 1 and 2 communications: Connection established from Cable modem (CM) to

Cable modem termination system (CMTS) to build physical and data link layers.

4) Acquire IP configuration parameters via DHCP: After Layer 1 and 2 are established, Layer

3 can be allocated as well. This is done by the DHCP server.

5) Register and ensure QoS settings with the CMTS: The CM negotiates traffic types and QoS

settings with the CMTS.

6) IP network initialization: Once Layers 1, 2, and 3 are established and the configuration file is

pulled from the TFTP server, the CM provides routing services for hosts on the subscriber side of

the CM. It also performs some Network Address Translation (NAT) functions so that multiple hosts

might be represented by a single public IP address.

QUESTION NO: 287 DRAG DROP

Drag the correct statements about MPLS-based VPN on the left to the boxes on the right. (Not all

statements will be used)

Answer:

Explanation:

1) The VPN routers are contained in the IPv4 routing tables of the PE routers

2) RT are attributes attached to VPNv4 BGP routes to indicate their VPN memberships

3) RD are attributes attached to VPNv4 BGP routes to allow overlapping VPN address spaces

QUESTION NO: 288 DRAG DROP

cisco ios command to interface dialer 0

Answer:

Explanation:

The dialer interface indicates how to handle traffic from the clients, for example the default routing

information, the encapsulation protocol, and the dialer pool to use. Notice that we have to use "ip

nat outside", not "ip nat inside", because the dialer 0 interface is the logical interface connecting to

the Internet.

QUESTION NO: 289

NetworkTut is a small export company. This firm has an existing enterprise network that is made

up exclusively of routers that are using EIGRP as the IGP. Its network is up and operating

normally. As part of its network expansion, NetworkTut has decided to connect to the internet by a

broadband cable ISP. Your task is to enable this connection by use of the information below.

Connection Encapsulation: PPP

Connection Type: PPPoE client

Connection Authentication: None

Connection MTU: 1492 bytes

Address: Dynamically assigned by the ISP

Outbound Interface: E0/0

You will know that the connection has been successfully enabled when you can ping the simulated

Internet address of 172.16.1.1

Note: Routing to the ISP: Manually configured default route

Explanation:

Enter the outbound e0/0 interface to enable PPPoE and bind the dialer profile 1 to this interface:

R3(config)#interface e0/0

R3(config-if)#pppoe enable

R3(config-if)#pppoe-client dial-pool-number 1 (interface E0/0 is bound to the logical dialer 1

interface)

R3(config-if)#no shutdown

R3(config-if)#exit

Create and configure the dialer interface of the router R3 for PPPoE with a maximum transmission

unit (MTU) size of 1492 bytes and a negotiated IP address (dynamically assigned)

R3(config)#interface dialer 1 (define a dialer rotary group and enters interface configuration mode)

R3(config-if)#ip address negotiated

R3(config-if)#ip mtu 1492

R3(config-if)#encapsulation ppp

R3(config-if)#dialer pool 1

R3(config-if)#exit

The "ip address negotiated" command instructs the client to use an IP address provided by the

PPPoE server (using DHCP).

The "dialer pool 1" command associates the dialer back to the "pppoe-client dial-pool-number 1" on

the Ethernet interface. Notice that the pool numbers must match on the Ethernet interface and the

dialer interface for the configuration to operate.

Manually configure a default route on router R3

R3(config)#ip route 0.0.0.0 0.0.0.0 dialer 1

R3(config)#exit

Try pinging the simulated Internet address

R3#ping 172.16.1.1

The ping should work well and you will receive replies from the simulated Internet address.

Save the configuration

R3#copy running-config startup-config

QUESTION NO: 290

You are a network support specialist for NetworkTut, an IT training firm. They have just installed a

new router (R1) into their network. The router was successfully installed and is passing traffic.

However, your manager is concerned about security and has tasked you with implementing

access security for the new router R1.

The portion of NetworkTut's security policy related to router access states:

# The default user access authentication scheme requires that the user be authenticated using the

router's local database.

# User console access should be authenticated using the default authentication scheme.

# User aux port access should be authenticated using the default authentication scheme.

# User vty access should be protected via a password that is validated using only the corporate

Tacacs server.

For this router installation:

# The corporate Tacacs server has an IP address of 10.6.6.254 and uses a shared key of

Training.

# The enable password for R1 is New1

You have successfully completed your task when you have verified that you can log in to:

# R1's console using the local user's ID of Net1 with a password of Sel

# R2's console using the username of Net2 with a password of Loc and establish a SSH session

from R2 to R1 using the test Tacacs user's ID of cisco with a password of cisco123

Explanation:

R1>enable

password: New1

R1#configure terminal

R1(config)#aaa new-model (enable the AAA security services)

R1(config)#tacacs-server host 10.6.6.254 key Training (notice that the key is case sensitive)

The default user access authentication scheme requires that the user be authenticated using the

router's local database

R1(config)#aaa authentication login default local (verify login authentication using the local user

database. The "aaa authentication login" specifies the authentication will take place at login.

Because we used the list "default", login authentication is automatically applied for all login

connections, such as tty, vty, console and aux).

Define the MY_VTY_LIST (or another name) group to use the corporate Tacacs server for the

authentication

R1(config)#aaa authentication login MY_VTY_LIST group tacacs+

Configure user console access using the default authentication scheme

R1(config)#line console 0

R1(config-line)#login authentication default

R1(config-line)#exit

Configure user aux port access using the default authentication scheme

R1(config)#line aux 0

R1(config-line)#login authentication default

R1(config-line)#exit

Configure vty access using TACACS server by applying MY_VTY_LIST to the vty lines

R1(config)#line vty 0 15

R1(config-line)#login authentication MY_VTY_LIST

R1(config-line)#end

R1#copy running-config startup-config

Log out of R1 to test the console password of R1

R1#exit

Press RETURN to get started.

(Press Enter here)

Username: Net1

Password: Sel

R1> (Now you see you are in User Mode, that means you configured the console password

correctly! If you wish to continue entering privileged EXEC mode again, use the password New1).

Log in to R1 using SSH from R2

R2>enable

username: Net2

password: Loc

R2#ssh 10.2.1.1 (10.2.1.1 is the IP address of R1 shown in the picture)

You will be asked for the user ID (cisco) and password (cisco123).

QUESTION NO: 291

The following commands are issued on a Cisco Router:

Router(config)#access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1

Router(config)#access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1

Router(config)#exit

Router#debug ip packet 199

What will the debug output on the console show?

A. All IP packets passing through the router

B. Only IP packets with the source address of 10.1.1.1

C. All IP packets from 10.1.1.1 to 172.16.1.1

D. All IP Packets between 10.1.1.1 and 172.16.1.1

Answer: D

QUESTION NO: 292

What level of logging is enabled on a Router where the following logs are seen?

%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

A. alerts

B. critical

C. errors

D. notifications

Answer: D

QUESTION NO: 293

You have the following commands on your Cisco Router:

ip ftp username admin

ip ftp password backup

You have been asked to switch from FTP to HTTP. Which two commands will you use to replace

the existing commands?

A. ip http username admin

B. ip http client username admin

C. ip http password backup

D. ip http client password backup

E. ip http server username admin

F. ip http server password backup

Answer: B,D

QUESTION NO: 294

You have 2 NTP servers in your network - 10.1.1.1 and 10.1.1.2. You want to configure a

Cisco router to use 10.1.1.2 as its NTP server before falling back to 10.1.1.1. Which commands

will you use to configure the router?

A. ntp server 10.1.1.1

ntp server 10.1.1.2

B. ntp server 10.1.1.1

ntp server 10.1.1.2 primary

C. ntp server 10.1.1.1

ntp server 10.1.1.2 prefer

D. ntp server 10.1.1.1 fallback

ntp server 10.1.1.2

Answer: C

QUESTION NO: 295

The following command is issued on a Cisco Router:

Router(config)#logging console warnings

Which alerts will be seen on the console?

A. Warnings only

B. debugging, informational, notifications, warnings

C. warnings, errors, critical, alerts, emergencies

D. notifications, warnings, errors

E. warnings, errors, critical, alerts

Answers: C

QUESTION NO: 296

Which two of the following options are categories of Network Maintenance tasks?

A. warnings, errors, critical, alerts

B. Firefighting

C. Interrupt-driven

D. Policy-based

E. Structured

F. Foundational

Answers: B, D

QUESTION NO: 297

You enabled CDP on two Cisco Routers which are connected to each other. The Line and

Protocol status for the interfaces on both routers show as UP but the routers do not see each

other as CDP neighbors. At which layer of the OSI model does the problem most likely exist?

A. Foundational

B. Physical

C. Session

D. Application

E. Data-Link

F. Network

Answer: D

QUESTION NO: 298

FCAPS is a network maintenance model defined by ISO. It stands for which of the following?

A. Fault Management

B. Action Management

C. Configuration Management

D. Protocol Management

E. Security Management

Answer: A,C,E

QUESTION NO: 299 DRAG DROP

FCAPS is a network maintenance model defined by ISO. FCAPS stands for:

Answer:

Explanation:

F -> Fault Management

C -> Configuration Management

A -> Accounting Management

QUESTION NO: 300 DRAG DROP

There are many Network Maintenance models. Match the model names on the left to the options

on the right:

Answer:

Explanation:

FCAPS -> Fault, Configuration, Accounting, Performance and Security (ISO)

ITIL -> A collection of best practice recommendations

Cisco Lifecycle -> Often referred to as the PPDIOO model

TMN -> Telecommunications Management Network

QUESTION NO: 301 DRAG DROP

Match the items on the left to their purpose on the right

Answer:

Explanation:

EEM -> CLI based Management and Monitoring

SDM -> Provides a GUI for Administration

FTP -> Used for Backup and Restore

QUESTION NO: 302

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement:

Client 1 is able to ping 10.1.1.2 but not 10.1.1.1. Initial troubleshooting shows that R1 does not

have any OSPF neighbors or any OSPF routes

Configuration on R1:

router ospf 1

log-adjacency-changes

network 10.1.1.0 0.0.0.3 area 12

default-information originate always

!

interface Serial0/0/0/0.12 point-to-point

ip address 10.1.1.1 255.255.255.252

ip nat inside

ip ospf message-digest-key 1 md5 TSHOOT

Configuration on R2:

router ospf 1

log-adjacency-changes

network 10.1.1.0 0.0.0.3 area 12

!

interface Serial0/0/0/0.12 point-to-point

ip address 10.1.1.2 255.255.255.252

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 TSHOOT

On which device is the fault condition located?

A. R1

B. R2

C. DSW1

D. Client1

Answer: A

QUESTION NO: 303

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement:

Client 1 is able to ping 10.1.1.2 but not 10.1.1.1. Initial troubleshooting shows that R1 does not

have any OSPF neighbors or any OSPF routes

Configuration on R1:

router ospf 1

log-adjacency-changes

network 10.1.1.0 0.0.0.3 area 12

default-information originate always

!

interface Serial0/0/0/0.12 point-to-point

ip address 10.1.1.1 255.255.255.252

ip nat inside

ip ospf message-digest-key 1 md5 TSHOOT

Configuration on R2:

router ospf 1

log-adjacency-changes

network 10.1.1.0 0.0.0.3 area 12

!

interface Serial0/0/0/0.12 point-to-point

ip address 10.1.1.2 255.255.255.252

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 TSHOOT

Fault Condition is related to which technology?

A. NAT

B. OSPF

C. Static Routing

D. Switch to Switch Connectivity

Answer: B

QUESTION NO: 304

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement:

Client 1 is able to ping 10.1.1.2 but not 10.1.1.1. Initial troubleshooting shows that R1 does not

have any OSPF neighbors or any OSPF routes

Configuration on R1:

router ospf 1

log-adjacency-changes

network 10.1.1.0 0.0.0.3 area 12

default-information originate always

!

interface Serial0/0/0/0.12 point-to-point

ip address 10.1.1.1 255.255.255.252

ip nat inside

ip ospf message-digest-key 1 md5 TSHOOT

Configuration on R2:

router ospf 1

log-adjacency-changes

network 10.1.1.0 0.0.0.3 area 12

!

interface Serial0/0/0/0.12 point-to-point

ip address 10.1.1.2 255.255.255.252

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 TSHOOT

What is the solution of the fault condition?

A. ip ospf authentication message-digest command has to be added on S0/0/0/0.12

B. ip ospf authentication message-digest command has to be added under the OSPF routing

process

C. A static route to 10.1.1.4 must be added on R1

D. ip nat outside must be added on S0/0/0/0.12

Answer: A

QUESTION NO: 305

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

HSRP has been configured between DSW1 and DSW2. DSW1 is configured to be the

active router, but it never becomes active even though the HSRP communication between DSW1

and DSW2 is working.

Configuration on DSW1

track 1 ip route 10.1.21.128 255.255.0.0 metric threshold

threshold metric up 1 down 2

!

track 10 ip route 10.2.21.128 255.255.255.0 metric threshold

threshold metric up 63 down 64

!

interface Vlan10

ip address 10.2.1.1 255.255.255.0

standby 10 ip 10.2.1.254

standby 10 priority 200

standby 10 preempt

standby 10 track 1 decrement 60

Configuration on R4

interface loopback0

ip address 10.2.21.128 255.255.255.0

On which device is the fault condition located?

A. R4

B. DSW2

C. DSW1

D. R3

Answer: C

QUESTION NO: 306

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

HSRP has been configured between DSW1 and DSW2. DSW1 is configured to be the

active router, but it never becomes active even though the HSRP communication between DSW1

and DSW2 is working.

Configuration on DSW1

track 1 ip route 10.1.21.128 255.255.0.0 metric threshold

threshold metric up 1 down 2

!

track 10 ip route 10.2.21.128 255.255.255.0 metric threshold

threshold metric up 63 down 64

!

interface Vlan10

ip address 10.2.1.1 255.255.255.0

standby 10 ip 10.2.1.254

standby 10 priority 200

standby 10 preempt

standby 10 track 1 decrement 60

Configuration on R4

interface loopback0

ip address 10.2.21.128 255.255.255.0

Fault Condition is related to which technology?

A. GLBP

B. HSRP

C. OSPF

D. Switch to Switch Connectivity

Answer: B

QUESTION NO: 307

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

HSRP has been configured between DSW1 and DSW2. DSW1 is configured to be the

active router, but it never becomes active even though the HSRP communication between DSW1

and DSW2 is working.

Configuration on DSW1

track 1 ip route 10.1.21.128 255.255.0.0 metric threshold

threshold metric up 1 down 2

!

track 10 ip route 10.2.21.128 255.255.255.0 metric threshold

threshold metric up 63 down 64

!

interface Vlan10

ip address 10.2.1.1 255.255.255.0

standby 10 ip 10.2.1.254

standby 10 priority 200

standby 10 preempt

standby 10 track 1 decrement 60

Configuration on R4

interface loopback0

ip address 10.2.21.128 255.255.255.0

What is the solution of fault condition?

A. Change standby priority to 140

B. Change standby priority to 260

C. Change standby 10 track 1 decrement 60 to standby 10 track 10 decrement 60

D. Change standby 10 track 1 decrement 60 to standby 10 track 1 decrement 100

Answer: C

QUESTION NO: 308

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is able to ping 209.65.200.226 but not the Web Server at 209.65.200.241. Initial

troubleshooting shows that R1 does not have any BGP routes. R1 also does not show any active

BGP neighbor

Configuration on R1

router bgp 65001

no synchronization

bgp log-neighbor-changes

network 209.65.200.224 mask 255.255.255.252

neighbor 209.56.200.226 remote-as 65002

no auto-summary

On which device is the fault condition located?

A. R1

B. DSW1

C. R4

D. R2

Answer: A

QUESTION NO: 309

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is able to ping 209.65.200.226 but not the Web Server at 209.65.200.241. Initial

troubleshooting shows that R1 does not have any BGP routes. R1 also does not show any active

BGP neighbor

Configuration on R1

router bgp 65001

no synchronization

bgp log-neighbor-changes

network 209.65.200.224 mask 255.255.255.252

neighbor 209.56.200.226 remote-as 65002

no auto-summary

The Fault Condition is related to which technology?

A. EIGRP

B. HSRP

C. BGP

D. OSPF

Answer: C

QUESTION NO: 310

The following ticket consists of a problem description and the existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is able to ping 209.65.200.226 but not the Web Server at 209.65.200.241. Initial troubleshooting shows that R1 does not have any BGP routes. R1 also does not show any active BGP neighbor.

Configuration on R1

router bgp 65001

no synchronization

bgp log-neighbor-changes

network 209.65.200.224 mask 255.255.255.252

neighbor 209.56.200.226 remote-as 65002

no auto-summary

What is the solution of the fault condition?

A. Enable BGP synchronization

B. Change neighbor 209.56.200.226 remote-as 65002 statement to neighbor 209.56.200.226

remote-as 65001

C. Change neighbor 209.56.200.226 remote-as 65002 statement to neighbor 209.65.200.226

remote-as 65002

D. Change neighbor 209.56.200.226 remote-as 65002 statement to neighbor 209.65.200.226

remote-as 65001

Answer: C

QUESTION NO: 311

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are not able to reach the WebServer at 209.65.200.241. Initial troubleshooting shows that DSW1, DSW2 and all the routers are able to reach the WebServer.

Configuration on R1

ip nat inside source list nat_pool interface Serial0/0/0/1 overload

!

ip access-list standard nat_pool

permit 10.1.0.0

!

interface Serial0/0/0/1

ip address 209.65.200.224 255.255.255.252

ip nat outside

!

interface Serial0/0/0/0.12

ip address 10.1.1.1 255.255.255.252

ip nat inside

ip ospf message-digest-key 1 md5 TSHOOT

ip ospf authentication message-digest

On which device is the fault condition located?

A. R1

B. DSW1

C. R4

D. R2

Answer: A

QUESTION NO: 312

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are not able to reach the WebServer at 209.65.200.241. Initial troubleshooting shows that DSW1, DSW2 and all the routers are able to reach the WebServer.

Configuration on R1

ip nat inside source list nat_pool interface Serial0/0/0/1 overload

!

ip access-list standard nat_pool

permit 10.1.0.0

!

interface Serial0/0/0/1

ip address 209.65.200.224 255.255.255.252

ip nat outside

!

interface Serial0/0/0/0.12

ip address 10.1.1.1 255.255.255.252

ip nat inside

ip ospf message-digest-key 1 md5 TSHOOT

ip ospf authentication message-digest

The Fault Condition is related to which technology?

A. EIGRP

B. HSRP

C. BGP

D. NAT

Answer: D

QUESTION NO: 313

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are not able to reach the WebServer at 209.65.200.241. Initial troubleshooting shows that DSW1, DSW2 and all the routers are able to reach the WebServer.

Configuration on R1

ip nat inside source list nat_pool interface Serial0/0/0/1 overload

!

ip access-list standard nat_pool

permit 10.1.0.0

!

interface Serial0/0/0/1

ip address 209.65.200.224 255.255.255.252

ip nat outside

!

interface Serial0/0/0/0.12

ip address 10.1.1.1 255.255.255.252

ip nat inside

ip ospf message-digest-key 1 md5 TSHOOT

ip ospf authentication message-digest

What is the solution of the fault condition?

A. Add permit 10.2.0.0 statement in nat_pool access-list

B. Remove permit 10.1.0.0 statement from nat_pool access-list

C. Change ip nat inside source list nat_pool interface Serial0/0/0/1 overload to ip nat inside source

list nat_pool interface Serial0/0/0/0.12 overload

D. Change ip nat outside statement under Serial0/0/0/1 configuration to ip nat inside

Answer: A

QUESTION NO: 314

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer at 209.65.200.241. Initial troubleshooting shows that

R1 is also not able to reach the WebServer. R1 also does not have any active BGP neighbor.

Config on R1

router bgp 65001

no synchronization

bgp log-neighbor-changes

network 209.65.200.224 mask 255.255.255.252

neighbor 209.65.200.226 remote-as 65002

no auto-summary

!

access-list 30 permit host 209.65.200.241

access-list 30 deny 10.1.0.0 0.0.255.255

access-list 30 deny 10.2.0.0 0.0.255.255

!

interface Serial0/0/0/1

ip address 209.65.200.224 255.255.255.252

ip nat outside

ip access-group 30 in

On which device is the fault condition located?

A. R1

B. DSW1

C. R4

D. R2

Answer: A

QUESTION NO: 315

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer at 209.65.200.241. Initial troubleshooting shows that

R1 is also not able to reach the WebServer. R1 also does not have any active BGP neighbor.

Config on R1

router bgp 65001

no synchronization

bgp log-neighbor-changes

network 209.65.200.224 mask 255.255.255.252

neighbor 209.65.200.226 remote-as 65002

no auto-summary

!

access-list 30 permit host 209.65.200.241

access-list 30 deny 10.1.0.0 0.0.255.255

access-list 30 deny 10.2.0.0 0.0.255.255

!

interface Serial0/0/0/1

ip address 209.65.200.224 255.255.255.252

ip nat outside

ip access-group 30 in

The Fault Condition is related to which technology?

A. IP Access

B. IP NAT

C. BGP

D. IP Access List

Answer: D

QUESTION NO: 316

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer at 209.65.200.241. Initial troubleshooting shows that

R1 is also not able to reach the WebServer. R1 also does not have any active BGP neighbor.

Config on R1

router bgp 65001

no synchronization

bgp log-neighbor-changes

network 209.65.200.224 mask 255.255.255.252

neighbor 209.65.200.226 remote-as 65002

no auto-summary

!

access-list 30 permit host 209.65.200.241

access-list 30 deny 10.1.0.0 0.0.255.255

access-list 30 deny 10.2.0.0 0.0.255.255

!

interface Serial0/0/0/1

ip address 209.65.200.224 255.255.255.252

ip nat outside

ip access-group 30 in

What is the solution of the fault condition?

A. Add permit statement for 209.65.200.224/30 network in access list 30

B. Remove Deny Statements from access-list 30

C. Change neighbor 209.65.200.226 remote-as 65002 statement to neighbor 209.65.200.226

remote-as 65001

D. Use extended access-list instead of standard access-list

Answer: A

QUESTION NO: 317

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is getting an IP address from the DHCP server but is not able to ping DSW1 or the FTP Server.

Configuration on DSW1

vlan access-map test1 10

drop

match ip address 10

!

vlan filter test1 vlan-list 10

!

ip access-list standard 10

permit 10.2.0.0 0.0.255.255

!

Interface VLAN10

ip address 10.2.1.1 255.255.255.0

!

On which device is the fault condition located?

A. R4

B. DSW1

C. Client 1

D. FTP Server

Answer: B

QUESTION NO: 318

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is getting an IP address from the DHCP server but is not able to ping DSW1 or the FTP Server.

Configuration on DSW1

vlan access-map test1 10

drop

match ip address 10

!

vlan filter test1 vlan-list 10

!

ip access-list standard 10

permit 10.2.0.0 0.0.255.255

!

Interface VLAN10

ip address 10.2.1.1 255.255.255.0

!

The Fault Condition is related to which technology?

A. VLAN Access Map

B. InterVLAN communication

C. DHCP

D. IP Access List

Answer: A

QUESTION NO: 319

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is getting an IP address from the DHCP server but is not able to ping DSW1 or the FTP Server.

Configuration on DSW1

vlan access-map test1 10

drop

match ip address 10

!

vlan filter test1 vlan-list 10

!

ip access-list standard 10

permit 10.2.0.0 0.0.255.255

!

Interface VLAN10

ip address 10.2.1.1 255.255.255.0

!

What is the solution of the fault condition?

A. Configure Static IP Address on Client 1

B. Change the IP Address of VLAN 10 on DSW1

C. Add Permit any statement to access-list 10

D. Remove VLAN filter test1 from DSW1

Answer: D

QUESTION NO: 320

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client one is getting a 169.x.x.x IP address and is not able to ping Client 2 or DSW1. Initial troubleshooting shows that port Fa1/0/1 on ASW1 is in errdisable state.

Configuration on ASW1

Interface FastEthernet1/0/1

switchport mode access

switchport port-security

switchport port-security mac-address 0000.0000.0001

On which device is the fault condition located?

A. DSW1

B. ASW1

C. Client 1

D. FTP Server

Answer: B

QUESTION NO: 321

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client one is getting a 169.x.x.x IP address and is not able to ping Client 2 or DSW1. Initial troubleshooting shows that port Fa1/0/1 on ASW1 is in errdisable state.

Configuration on ASW1

Interface FastEthernet1/0/1

switchport mode access

switchport port-security

switchport port-security mac-address 0000.0000.0001

The Fault Condition is related to which technology?

A. VLAN Access Map

B. InterVLAN communication

C. DHCP

D. Port Security

Answer: D

QUESTION NO: 322

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client one is getting a 169.x.x.x IP address and is not able to ping Client 2 or DSW1. Initial troubleshooting shows that port Fa1/0/1 on ASW1 is in errdisable state.

Configuration on ASW1

Interface FastEthernet1/0/1

switchport mode access

switchport port-security

switchport port-security mac-address 0000.0000.0001

What is the solution of the fault condition?

A. Configure Static IP Address on Client 1

B. Change the IP Address of VLAN 10 on DSW1

C. Issue shutdown command followed by no shutdown command on port fa1/0/1 on ASW1

D. Issue no switchport port-security mac-address 0000.0000.0001 command followed by

shutdown and no shutdown command on port fa1/0/1 on ASW1

E. Issue no switchport port-security mac-address 0000.0000.0001 command on port fa1/0/1 on

ASW1

Answer: D

QUESTION NO: 323

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are getting a 169.x.x.x IP address and are not able to ping DSW1 or the FTP

Server. They are able to ping each other.

Configuration on ASW1

Interface FastEthernet1/0/1

switchport mode access

switchport access vlan 1

!

Interface FastEthernet1/0/2

switchport mode access

switchport access vlan 1

On which device is the fault condition located?

A. DSW1

B. ASW1

C. Client 1

D. FTP Server

Answer: B

QUESTION NO: 324

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are getting a 169.x.x.x IP address and are not able to ping DSW1 or the FTP

Server. They are able to ping each other.

Configuration on ASW1

Interface FastEthernet1/0/1

switchport mode access

switchport access vlan 1

!

Interface FastEthernet1/0/2

switchport mode access

switchport access vlan 1

The Fault Condition is related to which technology?

A. VLAN

B. InterVLAN communication

C. DHCP

D. Port Security

Answer: A

QUESTION NO: 325

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are getting a 169.x.x.x IP address and are not able to ping DSW1 or the FTP

Server. They are able to ping each other.

Configuration on ASW1

Interface FastEthernet1/0/1

switchport mode access

switchport access vlan 1

!

Interface FastEthernet1/0/2

switchport mode access

switchport access vlan 1

What is the solution of the fault condition?

A. Give an IP address to VLAN 1 on DSW1

B. Change the IP Address of VLAN 10 on DSW1

C. Issue switchport access vlan 10 command on interfaces fa1/0/1 and fa1/0/2 on ASW1

D. Give static IP addresses to Client 1 and Client 2

Answer: C

QUESTION NO: 326

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are getting a 169.x.x.x IP address and are not able to ping DSW1 or the FTP

Server. They are able to ping each other.

Configuration on ASW1

Interface PortChannel13

switchport mode trunk

switchport trunk allowed vlan 1-9

!

Interface PortChannel23

switchport mode trunk

switchport trunk allowed vlan 1-9

!

Interface FastEthernet1/0/1

switchport mode access

switchport access vlan 10

!

Interface FastEthernet1/0/2

switchport mode access

switchport access vlan 10

!

On which device is the fault condition located?

A. ASW1

B. DSW1

C. Client 1

D. FTP Server

Answer: A

QUESTION NO: 327

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are getting a 169.x.x.x IP address and are not able to ping DSW1 or the FTP

Server. They are able to ping each other.

Configuration on ASW1

Interface PortChannel13

switchport mode trunk

switchport trunk allowed vlan 1-9

!

Interface PortChannel23

switchport mode trunk

switchport trunk allowed vlan 1-9

!

Interface FastEthernet1/0/1

switchport mode access

switchport access vlan 10

!

Interface FastEthernet1/0/2

switchport mode access

switchport access vlan 10

!

The Fault Condition is related to which technology?

A. VLAN

B. InterVLAN communication

C. DHCP

D. Switch to Switch Connectivity

Answer: D

QUESTION NO: 328

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 and Client 2 are getting a 169.x.x.x IP address and are not able to ping DSW1 or the FTP

Server. They are able to ping each other.

Configuration on ASW1

Interface PortChannel13

switchport mode trunk

switchport trunk allowed vlan 1-9

!

Interface PortChannel23

switchport mode trunk

switchport trunk allowed vlan 1-9

!

Interface FastEthernet1/0/1

switchport mode access

switchport access vlan 10

!

Interface FastEthernet1/0/2

switchport mode access

switchport access vlan 10

!

What is the solution of the fault condition?

A. Change the VLAN assignment on fa1/0/1 and fa1/0/2 on ASW1 to VLAN 1

B. Change the IP Address of VLAN 10 on DSW1

C. Issue switchport trunk allowed vlan 10,200 on interface portchannel13 and portchannel23 on

ASW1

D. Issue switchport trunk allowed vlan none on interface portchannel13 and portchannel23 on ASW1

Answer: C

QUESTION NO: 329

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer. Initial troubleshooting shows that DSW1 can ping the

Fa0/1 interface of R4 but not the s0/0/0/0.34 interface.

Configuration on DSW1

router eigrp 10

network 10.1.4.4 0.0.0.0

network 10.2.1.1 0.0.0.0

network 10.2.4.13 0.0.0.0

no auto-summary

Configuration on DSW2

router eigrp 10

network 10.1.4.8 0.0.0.0

network 10.2.2.1 0.0.0.0

network 10.2.4.14 0.0.0.0

no auto-summary

Configuration on R4

router eigrp 1

network 10.1.4.5 0.0.0.0

no auto-summary

redistribute ospf 1

On which device is the fault condition located?

A. DSW1

B. DSW2

C. Client 1

D. R4

Answer: D

QUESTION NO: 330

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer. Initial troubleshooting shows that DSW1 can ping the

Fa0/1 interface of R4 but not the s0/0/0/0.34 interface.

Configuration on DSW1

router eigrp 10

network 10.1.4.4 0.0.0.0

network 10.2.1.1 0.0.0.0

network 10.2.4.13 0.0.0.0

no auto-summary

Configuration on DSW2

router eigrp 10

network 10.1.4.8 0.0.0.0

network 10.2.2.1 0.0.0.0

network 10.2.4.14 0.0.0.0

no auto-summary

Configuration on R4

router eigrp 1

network 10.1.4.5 0.0.0.0

no auto-summary

redistribute ospf 1

The Fault Condition is related to which technology?

A. EIGRP

B. InterVLAN communication

C. OSPF

D. Switch to Switch Connectivity

Answer: A

QUESTION NO: 331

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer. Initial troubleshooting shows that DSW1 can ping the

Fa0/1 interface of R4 but not the s0/0/0/0.34 interface.

Configuration on DSW1

router eigrp 10

network 10.1.4.4 0.0.0.0

network 10.2.1.1 0.0.0.0

network 10.2.4.13 0.0.0.0

no auto-summary

Configuration on DSW2

router eigrp 10

network 10.1.4.8 0.0.0.0

network 10.2.2.1 0.0.0.0

network 10.2.4.14 0.0.0.0

no auto-summary

Configuration on R4

router eigrp 1

network 10.1.4.5 0.0.0.0

no auto-summary

redistribute ospf 1

What is the solution of the fault condition?

A. Change the EIGRP AS to 1 on DSW1

B. Change the routing protocol on DSW1 and DSW2 to OSPF

C. Change the EIGRP AS to 10 on R4

D. Advertise 10.1.1.8/30 network in EIGRP on R4

Answer: C

QUESTION NO: 332

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer. Initial troubleshooting shows that DSW1 can ping the

Fa0/1 interface of R4 but not the s0/0/0/0.34 interface.

Configuration on DSW1

router eigrp 10

network 10.1.4.4 0.0.0.0

network 10.2.1.1 0.0.0.0

network 10.2.4.13 0.0.0.0

no auto-summary

Configuration on DSW2

router eigrp 10

network 10.1.4.8 0.0.0.0

network 10.2.2.1 0.0.0.0

network 10.2.4.14 0.0.0.0

no auto-summary

Configuration on R4

router eigrp 10

network 10.1.4.5 0.0.0.0

no auto-summary

redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF

!

router ospf 1

network 10.1.1.8 0.0.0.0 area 34

redistribute eigrp 10 subnets

!

route-map EIGRP->OSPF

match ip address 1

!

access-list 1 permit 10.0.0.0 0.255.255.255

access-list 1 permit 209.0.0.0 0.255.255.255

The Fault Condition is related to which technology?

A. EIGRP

B. Route Redistribution

C. OSPF

D. IP Addressing

Answer: B

QUESTION NO: 333

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer. Initial troubleshooting shows that DSW1 can ping the

Fa0/1 interface of R4 but not the s0/0/0/0.34 interface.

Configuration on DSW1

router eigrp 10

network 10.1.4.4 0.0.0.0

network 10.2.1.1 0.0.0.0

network 10.2.4.13 0.0.0.0

no auto-summary

Configuration on DSW2

router eigrp 10

network 10.1.4.8 0.0.0.0

network 10.2.2.1 0.0.0.0

network 10.2.4.14 0.0.0.0

no auto-summary

Configuration on R4

router eigrp 10

network 10.1.4.5 0.0.0.0

no auto-summary

redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF

!

router ospf 1

network 10.1.1.8 0.0.0.0 area 34

redistribute eigrp 10 subnets

!

route-map EIGRP->OSPF

match ip address 1

!

access-list 1 permit 10.0.0.0 0.255.255.255

access-list 1 permit 209.0.0.0 0.255.255.255

What is the solution of the fault condition?

A. Remove the redistribute command from OSPF process on R4

B. Change the route-map name in the redistribute command under OSPF process to EIGRP->OSPF on R4

C. Change EIGRP AS to 1 on R4

D. Advertise 10.1.1.8/30 network in EIGRP on R4

Answer: B

QUESTION NO: 334

Following ticket consists of a problem description and existing configuration on the device.

Figure 1

Figure 2

Trouble Ticket Statement

Client 1 is not able to reach the WebServer. Initial troubleshooting shows that DSW1 can ping the

Fa0/1 interface of R4 but not the s0/0/0/0.34 interface.

Configuration on DSW1

router eigrp 10

network 10.1.4.4 0.0.0.0

network 10.2.1.1 0.0.0.0

network 10.2.4.13 0.0.0.0

no auto-summary

Configuration on DSW2

router eigrp 10

network 10.1.4.8 0.0.0.0

network 10.2.2.1 0.0.0.0

network 10.2.4.14 0.0.0.0

no auto-summary

Configuration on R4

router eigrp 10

network 10.1.4.5 0.0.0.0

no auto-summary

redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF

!

router ospf 1

network 10.1.1.8 0.0.0.0 area 34

redistribute eigrp 10 subnets

!

route-map EIGRP->OSPF

match ip address 1

!

access-list 1 permit 10.0.0.0 0.255.255.255

access-list 1 permit 209.0.0.0 0.255.255.255

On which device is the fault condition located?

A. DSW1

B. DSW2

C. Client 1

D. R4

Answer: D

QUESTION NO: 335

The network setup for this trouble ticket is shown in Figure 3.

Trouble Ticket Statement

DSW1 and R4 cannot ping R2's loopback or R2's s0/0/0/0.12 IPv6 address. Initial troubleshooting shows that R2 is not an OSPFv3 neighbor on R3.

Configuration on R2

ipv6 unicast-routing

!

ipv6 router ospf 6

router-id 2.2.2.2

!

interface s0/0/0/0.23

ipv6 address 2026::1:1/122

Configuration on R3

ipv6 unicast-routing

!

ipv6 router ospf 6

router-id 3.3.3.3

!

interface s0/0/0/0.23

ipv6 address 2026::1:2/122

ipv6 ospf 6 area 0

Figure 3

On which device is the fault condition located?

A. DSW1

B. DSW2

C. R2

D. R3

Answer: C

QUESTION NO: 336

The network setup for this trouble ticket is shown in Figure 3.

Trouble Ticket Statement

DSW1 and R4 cannot ping R2's loopback or R2's s0/0/0/0.12 IPv6 address. Initial troubleshooting shows that R2 is not an OSPFv3 neighbor on R3.

Configuration on R2

ipv6 unicast-routing

!

ipv6 router ospf 6

router-id 2.2.2.2

!

interface s0/0/0/0.23

ipv6 address 2026::1:1/122

Configuration on R3

ipv6 unicast-routing

!

ipv6 router ospf 6

router-id 3.3.3.3

!

interface s0/0/0/0.23

ipv6 address 2026::1:2/122

ipv6 ospf 6 area 0

Figure 3

The Fault Condition is related to which technology?

A. IPv6 Addressing

B. Route Redistribution

C. OSPFv3

D. RIPng

Answer: C

QUESTION NO: 337

The network setup for this trouble ticket is shown in Figure 3.

Trouble Ticket Statement

DSW1 and R4 cannot ping R2's loopback or R2's s0/0/0/0.12 IPv6 address. Initial troubleshooting shows that R2 is not an OSPFv3 neighbor on R3.

Configuration on R2

ipv6 unicast-routing

!

ipv6 router ospf 6

router-id 2.2.2.2

!

interface s0/0/0/0.23

ipv6 address 2026::1:1/122

Configuration on R3

ipv6 unicast-routing

!

ipv6 router ospf 6

router-id 3.3.3.3

!

interface s0/0/0/0.23

ipv6 address 2026::1:2/122

ipv6 ospf 6 area 0

Figure 3

What is the solution of the fault condition?

A. Add ipv6 ospf 6 area 0 under S0/0/0/0.23 on R2

B. Add ipv6 ospf 6 area 6 under s0/0/0/0.23 on R2

C. Remove IPv6 address from s0/0/0/0.23 on R2

D. Enable IPv6 routing on s0/0/0/0.23 on R2

Answer: A
