Part 5+6 - Q

Question 1

What is the task you must perform when configuring SSH? (Choose two)

A. Configure TACACS+
B. Configure hostname
C. Generate RSA key
D. Disable telnet

Answer: B C

Explanation

The following are the prerequisites for configuring the switch for secure shell (SSH):
– For SSH to work, the switch needs a Rivest, Shamir, and Adleman (RSA) public/private key
pair. This is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure
transport.
– Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the
switch.
– Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and
Adleman (RSA) key pair.
– SCP relies on SSH for security.
– SCP requires that authentication, authorization, and accounting (AAA) authorization be
configured so the router can determine whether the user has the correct privilege level.
– A user must have appropriate authorization to use SCP.
– A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File
System (IFS) to and from a switch by using the copy command. An authorized administrator can
also do this from a workstation.
– The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES)
encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software
image.
– Configure a hostname and host domain for your device by using the hostname and “ip domain-name”
commands in global configuration mode.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01001.html

Question 2

Which two pieces of information can you determine from the output of the show ntp
status command? (Choose two)

A. The NTP version number of the peer
B. The configured NTP servers
C. The IP address of the peer to which the clock is synchronized
D. Where the clock is synchronized

Answer: C D

Explanation

Below is an example of the “show ntp status” command:

R1#show ntp status
Clock is synchronized, stratum 10, reference is 10.1.2.1
nominal freq is 250.0000 Hz, actual freq is 249.9987 Hz, precision is 2**18
reference time is D5E492E9.98ACB4CF (13:00:25.596 CST Wed Sep 18 2013)
clock offset is 15.4356 msec, root delay is 52.17 msec
root dispersion is 67.61 msec, peer dispersion is 28.12 msec

First we can see if the local device has been synchronized or not by the line “Clock is
synchronized” (or “Clock is unsynchronized”) -> Answer D is correct.

Also in the same line, we see the line “reference is 10.1.2.1” which is the IP address of the peer to
which the clock is synchronized. For example in this case R1 has been configured with the
command “R1(config)#ntp server 10.1.2.1” -> Answer C is correct.

Question 3

You are implementing WAN access for an enterprise network while running applications that
require a fully meshed network. Which two design standards are appropriate for such an
environment? (Choose two)

A. A centralized DMVPN solution to simplify connectivity for the enterprise
B. A dedicated WAN distribution layer to consolidate connectivity to remote sites
C. A collapsed core and distribution layer to minimize costs
D. Multiple MPLS VPN connections with static routing
E. Multiple MPLS VPN connections with dynamic routing

Answer: A B

Explanation

With DMVPN phase 2 and 3, spokes can speak with each other directly like they are directly
connected in a meshed network. This simplifies the connectivity for the enterprise -> Answer A is
correct.

Another way to run applications that require a fully meshed network is through a WAN distribution
layer that is connected to all remote sites. Therefore these sites can communicate with each other
via this WAN distribution layer.

Question 4

Which task do you need to perform first when you configure IP SLA to troubleshoot a network
connectivity issue?

A. Specify the test frequency
B. Enable the ICMP echo operation
C. Schedule the ICMP echo operation
D. Verify the ICMP echo operation

Answer: B

Explanation

This question is a bit unclear but answer B is still the best choice here. Maybe “Enable the ICMP
echo operation” here means “Configure the ICMP echo operation” which requires the following
commands:

configure terminal
ip sla operation-number
icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name]
frequency seconds

Note: The “frequency” is just an optional command.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_icmp_echo.html

For example:

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 172.20.20.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)#frequency 10

After that we can schedule the above ICMP echo operation with the command (for example):

R1(config)#ip sla schedule 1 life forever start-time now

Then we can verify the ICMP echo operation at the end with the command “show ip sla group
schedule” and “show ip sla configuration”.

Question 5

Which technology can combine multiple physical switches into one logical switch?

A. HSRP
B. VSS
C. VRRP
D. NHRP

Answer: B

Question 6

Which two features are compatible with port security? (Choose two)

A. Voice VLAN
B. SPAN source port
C. DTP

Answer: A B

Explanation

Table 3 of the following link lists which features are compatible with the port security
feature: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011111.html

Question 7

Which fallback method can you configure to allow all AAA authorization requests to be granted if
the other methods do not respond or return an error?

A. Radius
B. Enable
C. TACACS+
D. NONE

Answer: D

Explanation

The following examples show how to use a TACACS+ server to authorize the use of network
services. If the TACACS+ server is not available or an error occurs during the authorization
process, the fallback method (none) is to grant all authorization requests:

aaa authorization network default group tacacs+ none

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-cfg-authorizatn.html

Question 8

By default, what is the maximum number of equal-metric paths BGP uses for load balancing?

A. 1
B. 2
C. 4
D. 6

Answer: A

Explanation

By default, BGP chooses one best path among the possible equal-cost paths that are
learned from one AS. However, you can change the maximum number of parallel equal-cost
paths that are allowed. In order to make this change, include the maximum-paths paths command
under the BGP configuration. Use a number between 1 and 6 for the paths argument.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html

Question 9

The track objects in IP SLA and make sure that it is only up if all track objects are up, which
method achieves that goal?

A. AND
B. OR
C. XOR
D. NOT

Answer: A

Explanation

track track-number list boolean {and | or}

This command configures a tracked list object and enters tracking configuration mode. The
track-number can be from 1 to 500.

+ boolean – Specify the state of the tracked list based on a Boolean calculation.
+ and – Specify that the list is up if all objects are up or down if one or more objects are down.
+ or – Specify that the list is up if one object is up or down if all objects are down.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sweot.pdf

Question 10

With PCA and PCB and there are three routers between them and a different MTU value and they
want a PCA to run an application with PCB and DF is set so we have to choose?

A. MSS
B. PMTUD
C. GRE
D. ?

Answer: B

Explanation

It is important to note that the “don’t fragment” (DF) bit plays a central role in PMTUD because it
determines whether or not a packet is allowed to be fragmented.

Packets with this flag are never fragmented, but rather dropped when a router sees that the
packet does not fit the outgoing link’s MTU. When dropping the packet, the router should signal back
to the sending host with a special ICMP unreachable message, telling it that the packet has been
dropped due to its large size and suggesting the new MTU value.

Note: The TCP Maximum Segment Size (MSS) defines the maximum amount of data that a host is
willing to accept in a single TCP/IPv4 datagram. The MSS value is sent as a TCP header option only
in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side.
Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is
required to limit the size of data in a single TCP segment to a value less than or equal to the MSS
reported by the receiving host.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
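
The discovery loop described in this explanation, simulated for the question's scenario of three routers between PCA and PCB. This is an added example, not part of the original page: the link MTU values and function names are constructed, and the ICMP-filtered case goes beyond what the page describes.

```python
IPV4_HEADER = 20  # bytes, header without options
TCP_HEADER = 20   # bytes, header without options


def send_with_df(path_mtus, packet_size, icmp_filtered_hops=()):
    """Send one packet with DF set across the links in path_mtus.

    path_mtus[i] is the MTU of link i (link 0 is the sender's own link).
    Returns (status, link_index, reported_mtu).
    """
    for link, mtu in enumerate(path_mtus):
        if packet_size > mtu:
            if link in icmp_filtered_hops:
                # The packet is dropped but the ICMP message never reaches
                # the sender, so the sender learns nothing (PMTUD black hole).
                return ("black_hole", link, None)
            # DF is set: drop and report the MTU of the link that was too
            # small (ICMP unreachable, type 3 code 4, "fragmentation needed").
            return ("frag_needed", link, mtu)
    return ("delivered", None, None)


def discover_path_mtu(path_mtus, first_size, icmp_filtered_hops=()):
    """Repeat the send, shrinking to the reported MTU, until delivery.

    Returns (path_mtu or None, log of (size_sent, status, link_index)).
    """
    size = first_size
    log = []
    while True:
        status, link, reported = send_with_df(path_mtus, size, icmp_filtered_hops)
        log.append((size, status, link))
        if status == "delivered":
            return size, log
        if status == "black_hole":
            return None, log
        size = reported  # always smaller than the size just sent


def tcp_mss(path_mtu):
    """Largest TCP payload that fits one unfragmented IPv4 packet."""
    return path_mtu - IPV4_HEADER - TCP_HEADER


# Constructed path: PCA - R1 - R2 - R3 - PCB, one MTU per link.
PATH = [1500, 1400, 1476, 1300]

if __name__ == "__main__":
    pmtu, log = discover_path_mtu(PATH, 1500)
    for size, status, link in log:
        print(f"sent {size} bytes with DF: {status} (link {link})")
    print("path MTU:", pmtu, "-> TCP MSS:", tcp_mss(pmtu))
    print(discover_path_mtu(PATH, 1500, icmp_filtered_hops={3}))
```

The last call shows why filtering all ICMP unreachable messages on the path breaks applications that set DF: the sender keeps the 1400-byte size and never learns about the 1300-byte link.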

Question 11

Drag and Drop

Answer:

TTL – drops packets when it reaches ‘0’
ICMP Redirect – indicate to host that another route is available for a specific destination
ICMP unreachable – when destination is unreachable when IP is unable to give a packet to
destination host due to some problem or issue
Proxy ARP – now wants to send traffic to 10.0.1.10 which is in another subnet but the PC believes
they are connected to the same network
Fragmentation – … larger packet (maybe “breaks packets into smaller pieces when the packets are
larger than the MTU of the link”)

Question 12

How to implement local authentication using a list for case insensitive usernames?

A. aaa authentication login default local
B. aaa authentication login default local-case

Answer: A

Explanation

Use the aaa authentication login command with the local method keyword to specify that the Cisco
router or access server will use the local username database for authentication. For example, to
specify the local username database as the method of user authentication at login when no other
method list has been defined, enter the following command:

aaa authentication login default local

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html

Note: The difference between the last keywords “local” and “local-case” is that the first one uses the
case-insensitive local username database while the second keyword uses the case-sensitive local
username database for authentication.
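
A configuration check that ties together the “none” fallback from Question 7 and the “local” / “local-case” keywords explained here. This is an added example, not part of the original page: the sample configuration, the finding names and the function names are constructed, and the parser is simplified to the method-list forms the page shows.

```python
# Constructed sample configuration (not an exhibit from the page).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login VTY group tacacs+
aaa authentication login CONSOLE local-case
aaa authorization network default group tacacs+ none
aaa authorization exec default group tacacs+ local
username admin privilege 15 secret <constructed-placeholder>
"""

LOCAL_METHODS = {"local", "local-case"}


def parse_method_list(line):
    """Return (kind, service, list_name, methods) for an aaa method list, else None."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "aaa":
        return None
    if tokens[1] not in ("authentication", "authorization"):
        return None
    kind, service, idx = tokens[1], tokens[2], 3
    if service == "commands":  # 'commands <level> <list> ...' carries a level
        service = "commands " + tokens[3]
        idx = 4
    list_name, rest = tokens[idx], tokens[idx + 1:]
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group" and i + 1 < len(rest):  # 'group tacacs+' is one method
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return kind, service, list_name, methods


def audit_aaa(config_text):
    """Return a sorted list of (finding, method_list_label) pairs."""
    lines = [line.strip() for line in config_text.splitlines()]
    has_local_user = any(line.startswith("username ") for line in lines)
    findings = []
    for line in lines:
        parsed = parse_method_list(line)
        if parsed is None:
            continue
        kind, service, list_name, methods = parsed
        label = f"{kind} {service} {list_name}"
        uses_group = any(m.startswith("group ") for m in methods)
        uses_local = any(m in LOCAL_METHODS for m in methods)
        if "none" in methods:
            # Fail-open: if the earlier methods do not respond or return an
            # error, the request is granted.
            findings.append(("FAIL_OPEN_NONE", label))
        if uses_group and not uses_local and "none" not in methods:
            # Server unreachable means nobody gets in: no local fallback.
            findings.append(("NO_LOCAL_FALLBACK", label))
        if uses_local and not has_local_user:
            # 'local' is listed but no local username exists to match.
            findings.append(("LOCAL_WITHOUT_USERNAME", label))
        if kind == "authentication" and "local" in methods:
            # Informational: 'local' matches usernames case-insensitively,
            # 'local-case' does not.
            findings.append(("CASE_INSENSITIVE_USERNAMES", label))
    return sorted(findings)


if __name__ == "__main__":
    for finding, label in audit_aaa(SAMPLE_CONFIG):
        print(f"{finding:28} {label}")
```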

Question 13 (incomplete question)

Drag drop about NHRP.

Answer:

+ ip nhrp shortcut – configured on the spoke which is responsible to rewrite the CEF entry after
getting the redirect message from hub
+ ip nhrp network-id – (?)
+ ip nhrp map – (?)
+ ip redirects – are disabled by default on a tunnel interface
+ ip nhrp responder – Specifies which interface the Next Hop Server uses for the NHRP
responder IP address
+ ip nhrp nhs – Statically configures a Next Hop Server

Two left choices (at the right-side column) are:

+ Enables NHRP shortcut switching on the interface
+ designates router XXX as the Next-hop server

But they cannot be matched with two rest options on the left.

Explanation

In fact the “ip nhrp shortcut” should be both “configured on the spoke which is responsible to
rewrite the CEF entry after getting the redirect message from hub” and “Enables NHRP shortcut
switching on the interface” so maybe there is something missing in this question.

Note: “ip redirects” (not “ip nhrp redirects”) are disabled by default on a tunnel interface

Question 14

Question about IP SLA deployment cycle. Choose the best IP SLA deployment cycle that reduces
deployment (Choose four)

A. baseline (network performance)
B. understand (network performance baseline)
C. Understand Quality results
D. quantify (results)
E. fine tune and optimize
F. Update Understanding

Answer: A B D E

Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017f8c9.html

========================== New Updated Questions (added on 20th-May-2019) ==========================

Question 15

What are two differences between SNMP traps and SNMP informs? (Choose two)

A. Only informs provide a confirmation of receipt
B. Traps are more reliable than informs because they generate PDUs from the network manager
C. Only informs are discarded after delivery
D. Only traps are discarded after delivery
E. Informs are more reliable than traps because they require TCP three-way handshake.

Answer: A D

Explanation
Traps are messages alerting the SNMP manager to a condition on the network. Informs are traps
that include a request for confirmation of receipt from the SNMP manager -> Answer A is correct.

Traps are often preferred even though they are less reliable because informs consume more
resources in the router and the network. Unlike a trap, which is discarded as soon as it is
sent, an inform must be held in memory until a response is received or the request times out ->
Answer D is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/12-4t/snmp-12-4t-book/nm-snmp-cfg-snmp-support.html

Question 16

Which protocol sorts out-of-order packets at the receiving end?

A. UDP
B. TCP
C. IP

Answer: B

Question 17

A router in an EVN environment is choosing a route. Which value is given the highest selection
priority?

A. IGP administrative distance of the route.
B. Replication status of the route
C. Vnet tag of the route
D. Default administrative distance of a route
E. Lexical value of the source VRF name

Answer: A

Question 18

Which two effects of asymmetric routing are true? (Choose two)

A. unicast flooding
B. uRPF failure
C. errdisabling of ports
D. port security violations
E. excessive STP reconvergence

Answer: A B

Explanation

The very cause of unicast flooding is that the destination MAC address of the packet is not in the L2
forwarding table of the switch. In this case the packet will be flooded out of all forwarding ports in
its VLAN (except the port it was received on). The case studies below show the most common reasons
for the destination MAC address not being known to the switch.

Cause 1: Asymmetric Routing (-> Therefore answer “unicast flooding” is correct)

For more information about the three cases, please visit: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface
that was not the router’s choice for sending return traffic. Dropping this legitimate traffic could
occur when asymmetric routing paths are present in the network (-> Therefore answer “uRPF
failure” is correct)

Reference: https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
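
The strict-mode check described above, modelled as a longest-prefix lookup on the source address. This is an added example, not part of the original page: the FIB, interface names and packets are constructed, default-route handling is left out, and loose mode (a route to the source via any interface is enough) is included only for contrast and is not described on the page.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). No default route installed.
FIB = [
    ("10.1.0.0/16", "Gi0/0"),
    ("10.2.0.0/16", "Gi0/1"),
    ("10.2.8.0/24", "Gi0/0"),  # more specific prefix reached via the other side
]

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("10.1.4.7", "Gi0/0"),     # symmetric: return path uses the same interface
    ("10.2.5.9", "Gi0/0"),     # asymmetric: router would reply via Gi0/1
    ("10.2.8.20", "Gi0/0"),    # symmetric thanks to the more specific /24
    ("192.0.2.50", "Gi0/1"),   # no route back to the source at all
]


def best_route(fib, address):
    """Longest-prefix match; return (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    matches = []
    for prefix, interface in fib:
        network = ipaddress.ip_network(prefix)
        if addr in network:
            matches.append((network, interface))
    if not matches:
        return None
    return max(matches, key=lambda match: match[0].prefixlen)


def urpf_verdict(fib, src, in_if, mode="strict"):
    """Return 'forward' or 'drop' for one packet under the given uRPF mode."""
    route = best_route(fib, src)
    if route is None:
        return "drop"  # source is unreachable from this router
    if mode == "loose":
        return "forward"  # any route to the source is enough
    # Strict: the packet must arrive on the interface the router itself
    # would use to send traffic back to that source.
    return "forward" if route[1] == in_if else "drop"


def strict_only_drops(fib, packets):
    """Packets strict mode drops although a route to the source exists.

    These are the legitimate-traffic candidates on asymmetric paths.
    """
    return [
        (src, in_if)
        for src, in_if in packets
        if urpf_verdict(fib, src, in_if, "strict") == "drop"
        and urpf_verdict(fib, src, in_if, "loose") == "forward"
    ]


if __name__ == "__main__":
    for src, in_if in PACKETS:
        strict = urpf_verdict(FIB, src, in_if, "strict")
        loose = urpf_verdict(FIB, src, in_if, "loose")
        print(f"{src:12} in {in_if}: strict={strict:7} loose={loose}")
    print("dropped only by strict mode:", strict_only_drops(FIB, PACKETS))
```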

Question 19

Which difference in the packet fragmentation feature between IPv4 and IPv6 devices is true?

A. Unlike IPv4 routers, IPv6 routers cannot fragment packets by default.
B. Only IPv6 packets can be fragmented at the destination.
C. Only IPv4 headers support the more fragments bit.
D. Only IPv6 headers support the DF bit

Answer: A

Explanation

With IPv4, every router can fragment packets, if needed. If a router cannot forward a packet
because the MTU of the next link is smaller than the packet it has to send, the router fragments
the packet. It cuts it into slices that fit the smaller MTU and sends it out as a set of fragments. The
packet is then reassembled at the final destination. Depending on the network design, an IPv4
packet may be fragmented more than once during its travel through the network.

With IPv6, routers do not fragment packets anymore; the sender takes care of it. Path MTU
discovery tries to ensure that a packet is sent using the largest possible size that is supported on a
certain route. The Path MTU is the smallest link MTU of all links from a source to a destination.

Reference: https://www.oreilly.com/library/view/ipv6-essentials/0596001258/ch04s08.html

Question 20

What are limitations of Stateful NAT64? (Choose two)

A. No requirement on the nature of IPv6 address assignment
B. Lacks in end-to-end address transparency
C. Assures end-to-end address transparency and scalability
D. No state or bindings created on the translation

Answer: A B

Explanation

The two answers here are listed in the “differences between Stateless NAT64 and Stateful NAT64”
at (https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676277.html)

========================== New Updated Questions (added on 20th-May-2019) ==========================

Question 21

What happens when a router receives a packet with a TTL of 0?

A. The router attempts to forward the packet along an alternate path in the route table
B. The router sends an ICMP Time Exceeded Message to the host that sent the packet
C. The router sends an ICMP Destination Unreachable Message to the host that sent the packet
D. The router flags the packet and forwards it to the next hop

Answer: B

Explanation

RFC 791 requires that a router destroy any datagram with a TTL value of zero. Packets that have
been dropped due to the expiration of their TTL value are known as TTL expiry packets. When an
IP packet is received with a TTL less than or equal to one and is expected to be forwarded by the
router, the router is required to drop the packet and reply back to the source with an ICMPv4
Type 11, Code 0 Time Exceeded message. In theory, upon receipt of this message, the
originating device should detect an issue—such as a routing problem when sending to that
particular destination, or an initial TTL value that is too low—and react to overcome the problem.

Reference: https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html

Question 22

Which purpose of the AAA accounting feature is true when you use TACACS+ authentication?

A. It prompts users to change their passwords when they expire
B. It saves a timestamped record of user activity
C. It controls the activities that the user is permitted to perform
D. It verifies the user identity

Answer: B

========================== New Updated Questions (added on 11th-Jun-2019) ==========================

Question 23

Refer to the exhibit.

Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.1.1.1
It is an area border and autonomous system boundary router
Redistributing External Routes from,
bgp 800, includes subnets in redistribution
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.1.1.0 0.0.0.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)

Based on the output from the show ip protocols vrf RED command, what is happening with the
routing processes?

A. OSPF 1 is redistributing into BGP 800
B. Static routes are redistributed into OSPF 1
C. BGP 800 is redistributing into OSPF 1
D. Static routes are redistributed into BGP 800

Answer: C

Explanation
From the output we notice the line “Redistributing External Routes from bgp 800, includes subnets
in redistribution” so that means BGP 800 is redistributed into OSPF 1 (with the “redistribute bgp
800 subnets” under “router ospf 1”).

Question 24

Which limitation is introduced when you deploy RIPv2 on a network that uses supernet
advertisement?

A. RIPv2 supports only classful supernet networks
B. RIPv2 supports only supernet component networks that use VLSM
C. Supernets are not supported in a RIPv2 environment
D. RIPv2 supports only classless supernet networks

Answer: A

Explanation

Supernet advertisement (advertising any network prefix less than its classful major network) is not
allowed in RIP route summarization. For example, the following supernet summarization is invalid:

Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#ip summary-address rip 10.0.0.0 252.0.0.0

-> We can only summarize to the classful supernet networks.

Question 25

When configuring DHCP on a Cisco router what is the function of DHCP Option 82?

A. wireless access point registration to the DHCP server
B. to be an IP DHCP relay agent
C. dynamic DHCP ARP inspection
D. IP DHCP snooping
E. Cisco phone registration to the DHCP server

Answer: B

Explanation

DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It
enables the controller to act as a DHCP relay agent to prevent DHCP client requests from
untrusted sources.

Question 26

Which feature is not supported when fast-switched PBR is in use?

A. the set ip next-hop interface command
B. matching IP addresses to a named ACL
C. matching IP addresses to a prefix list
D. the set ip default next-hop command

Answer: D

Explanation

IP PBR can now be fast-switched. Prior to Cisco IOS Release 12.0, PBR could only be
process-switched, which meant that on most platforms the switching rate was approximately 1000 to
10,000 packets per second. This speed was not fast enough for many applications. Users that need
PBR to occur at faster speeds can now implement PBR without slowing down the router.
Fast-switched PBR supports all of the match commands and most of the set commands, with the
following restrictions:
+ The set ip default next-hop and set default interface commands are not supported.
+ The set interface command is supported only over point-to-point links, unless a route cache
entry exists using the same interface specified in the set interface command in the route map.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.pdf

Question 27

Which type of Cisco Express Forwarding adjacency is created when the next hop is directly
connected, but its MAC header rewrite information is missing?

A. punt
B. discard
C. null
D. glean

Answer: D

Explanation

Glean adjacency – in short when the router is directly connected to hosts the FIB table on the
router will maintain a prefix for the subnet rather than for the individual host prefix. This subnet
prefix points to a GLEAN adjacency. A glean adjacency entry indicates that a particular next hop
should be directly connected, but there is no MAC header rewrite information available. When the
device needs to forward packets to a specific host on a subnet, Cisco Express Forwarding requests
an ARP entry for the specific prefix, ARP sends the MAC address, and the adjacency entry for the
host is built. 
Punt adjacency – When packets to a destination prefix can’t be CEF Switched, or the feature is
not supported in the CEF Switching path, the router will then use the next slower switching
mechanism configured on the router.

========================== New Updated Questions (added on 14th-Jun-2019) ==========================

Question 28

Which protocol will stop listening and advertising updates, when using passive-interface
command? (Choose two)

A. OSPF
B. EIGRP
C. BGP
D. RIP
E. IS-IS

Answer: A B

Explanation

The “passive-interface…” command in EIGRP or OSPF will shut down the neighbor relationship of
these two routers (no hello packets are exchanged).

In RIP, this command will not allow sending multicast updates via a specific interface but will allow
listening to incoming updates from other RIP speaking neighbors. This means that the router will
still be able to receive updates on that passive interface and use them in its routing table.

There is no “passive-interface” command in BGP and IS-IS.

Question 29

Place the BGP commands to the proper locations

Answer:

+ show ip bgp: path selection values
+ show ip bgp summary: Memory usage
+ show ip route bgp: AD of BGP
+ show ip bgp neighbor: Notification, update…

Question 30

Which two statements about configuring OSPFv3 are true? (Choose two)

A. The OSPFv3 routing process must be explicitly configured and enabled
B. You can configure only one OSPFv3 instance per link
C. OSPFv3 requires network statements for IPv6 prefixes
D. OSPFv3 neighbors must be explicitly identified on NBMA interfaces
E. OSPFv3 interfaces must be explicitly configured and enabled

Answer: A D

Explanation

When using NBMA in OSPFv3, you cannot automatically detect neighbors. On an NBMA interface,
you must configure your neighbors manually using interface configuration mode.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-1sg/ip6-route-ospfv3.html

Cisco IOS routers offer two OSPF configuration methods for IPv6:

+ Using the traditional “ipv6 router ospf” global configuration command. For example:

R1(config)# ipv6 router ospf 1
R1(config-rtr)# router-id 1.1.1.1
R1(config)# interface Ethernet0/0
R1(config-if)# ipv6 ospf 1 area 0

+ Using the new-style “router ospfv3” global configuration command. For example:

R1(config)# router ospfv3 1
R1(config-router)# router-id 1.1.1.1
R1(config)# interface Ethernet0/0
R1(config-if)# ospfv3 1 ipv4 area 0

Answer C is not correct as OSPFv3 does not require “network” statement like OSPFv2.

Answer E seems to be correct too.

Question 31

Refer to the exhibit.

access-list 1 permit 1.0.0.0 0.255.255.255
router rip
 default-metric 1
 redistribute eigrp 20
 distribute-list 1 out eigrp 20

Which routes will be injected into the routing protocol?

A. the EIGRP 20 routes into RIP that match access-list 1
B. any routing update with a metric of 1
C. all RIP routes into EIGRP 20
D. the RIP routes into EIGRP 20 that match access-list 1

Answer: A

Explanation

The command “distribute-list 1 out eigrp 20” creates an outbound distribute-list to filter routes
being redistributed from EIGRP AS 20 into RIP according to ACL 1.

Question 32

What is the range for private AS numbers?

A. 64512 to 65535
B. 1 to 64511
C. 1024 to 65535
D. 1 to 1024

Answer: A

Explanation

BGP AS number range: Private AS range: 64512 – 65535, Globally (unique) AS: 1 – 64511

Question 33

Which routing protocol searches for a better route through other autonomous systems to achieve
convergence?

A. Link-state
B. Hybrid
C. Path vector
D. Distance vector

Answer: C

Explanation

Path vector routing protocol (like BGP) can get information from other BGP autonomous systems
to find the best route.

========================== New Questions (added on 28th-Nov-2019) ==========================

Question 34

What DHCP Option must be set to allow static routes assigned?

A. Option 13
B. Option 33
C. Option 66
D. Option 67

Answer: B

Explanation

DHCP Option 33 lists static routes that the client should install in its routing table.

Reference: https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/network_registrar/8-0/user/guide/User_Guide_for_CNR_8-0/UGB_Opts.pdf

Question 35

Which type of Netflow information is displayed when the show ip flow export command is
executed?

A. sent status and statistics
B. top talkers
C. export interface configurations
D. local status and statistics

Answer: D

Explanation

The “show ip flow export” command is used to display the status and the statistics for NetFlow
accounting data export, including the main cache and all other enabled caches. An example of the
output of this command is shown below:

Router# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
Exporting using source IP address 10.1.97.17
Version 5 flow records
11 flows exported in 8 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops

Question 36

What is the function of the snmp-server enable traps and snmp-server host 192.168.1.3
trap version 1c public commands?

A. to allow only 192.168.1.3 to access the system using the community-string public
B. to allow private communications between the router and the host.
C. to collect information about the system on a network management server
D. to disable all SNMP informs that are on the system
 

Answer: C

Explanation

The snmp-server host global configuration command is used to specify the recipient of an SNMP
notification operation, in this case 192.168.1.3. In other words, traps of the local router will be
sent to 192.168.1.3. Therefore this command is often used to manage the device.

Question 37

Features of Netflow version 9? (Choose two)

A. IEEE standard
B. IETF standard
C. ingress
D. egress
E. ingress/egress
F. Cisco proprietary

Answer: B E

========================== New Questions (added on 6th-Dec-2019) ==========================

Question 38

Drag each SNMP term on the left to the matching definition on the right.

Answer:

Get: An operation that retrieves object variables
Notification: An operation that retrieves unsolicited information from an agent
Manager: A system that monitors and controls the activities of network hosts
Set: An operation that modifies object variables
Agent: A software component that maintains and reports data
MIB: virtual storage area for managed objects

Explanation

SNMP consists of 3 items:

+ SNMP Manager (sometimes called Network Management System – NMS): software that runs on
the device of the network administrator (in most cases, a computer) to monitor the network.
+ SNMP Agent: software that runs on the network devices that we want to monitor (router, switch,
server…)
+ Management Information Base (MIB): the collection of managed objects. This component
makes sure that the data exchange between the manager and the agent remains structured. In
other words, MIB contains a set of questions that the SNMP Manager can ask the Agent (and the
Agent can understand them). MIB is commonly shared between the Agent and Manager.

In general, the GET messages are sent by the SNMP Manager to retrieve information from the
SNMP Agents while the SET messages are used by the SNMP Manager to modify or assign the
value to the SNMP Agents.

-PART. 5-
Question 1

Drag and drop the statements about NAT64 from the left onto the correct NAT64 types on the
right.

Answer:
Stateful:
+ It supports FTP64 for ALG
+ It supports PAT and overload
+ It allows IPv6 systems to use any type of IPv6 address

Stateless:
+ ALG is not supported
+ It supports one-to-one mapping only
+ It requires IPv6 systems to use RFC6052 IPv4-translatable addresses

Explanation

Differences Between Stateful NAT64 and Stateless NAT64 are shown below:

Supported Features | Stateful NAT64 | Stateless NAT64
Address savings | N:1 mapping for PAT or overload configuration that saves IPv4 addresses | One-to-one mapping — one IPv4 address is used for each IPv6 host
Address space | IPv6 systems may use any type of IPv6 addresses | IPv6 systems must have IPv4-translatable addresses (based on RFC 6052)
ALGs supported | FTP64 | None
Protocols supported | ICMP, TCP, UDP | All

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf

Question 2

Which statement about the metric calculation in EIGRP is true?

A. The maximum delay along the path is used
B. The mean value of bandwidth between the source and destination is used
C. The minimum bandwidth between the source and destination is used
D. The minimum delay along the path is used

Answer: C

Question 3

Which two steps must you perform to allow access to a device when the connection to a remote
TACACS+ authentication server fails? (Choose two)

A. Include the local keyword in the AAA configuration
B. Configure a local username and password on the device
C. Configure the device to accept Telnet and SSH connections
D. Configure accounting to reference the log of previously authenticated connections
E. Remove the aaa new-model command from the global configuration

Answer: A B

Question 4

Refer to the exhibit.


ip vrf BLUE
ip vrf RED
!
interface FastEthernet0/0
 ip vrf forwarding RED
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip vrf forwarding BLUE
 ip address 10.1.2.1 255.255.255.0

Network users on the 10.1.2.0/24 subnet have a default gateway of 10.1.2.254. Which command
will configure this gateway?

A. router(config)#ip route vrf RED 0.0.0.0 0.0.0.0 10.1.2.254
B. router(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.254
C. router(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0/1
D. router(config)#ip route vrf BLUE 0.0.0.0 0.0.0.0 10.1.2.254

Answer: D

Question 5

Refer to the exhibit.

Router# show processes cpu sorted


Router# show processes memory sorted

Based on Cisco best practice, which statement about the output is true?

A. The output should be analyzed by a network engineer before allocating additional memory and
CPU usage to processes on an IOS router in production
B. The output should be analyzed by a network engineer before executing any configuration
commands on an IOS router in production
C. The output should be analyzed by a network engineer before executing any debug commands
on an IOS router in production
D. The output should be analyzed by a network engineer before executing other show commands
on an IOS router in production

Answer: C

Question 6

Users were moved from the local DHCP server to the remote corporate DHCP server. After the
move, none of the users were able to use the network. Which two issues will prevent this setup
from working properly? (Choose two)

A. Auto-QoS is blocking DHCP traffic
B. The DHCP server IP address configuration is missing locally
C. 802.1X is blocking DHCP traffic
D. The broadcast domain is too large for proper DHCP propagation
E. The route to the new DHCP server is missing

Answer: B E

Question 7

Which two statements about the OSPF down bit are true? (Choose two)
A. It is set only when an OSPF virtual link is created
B. It is set only for LSA types 1,2, and 4
C. It is set when OSPF routes are redistributed into BGP
D. It is set only for LSA types 3,5, and 7
E. It is set when MP-BGP routes are redistributed into OSPF

Answer: D E

Explanation

To prevent the possibility of a loop, routes redistributed from MP-BGP into OSPF are marked
with the DN bit in LSA types 3, 5, or 7, and type 5 and 7 LSAs also carry the domain tag.

Good reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/118800-configure-ospf-00.html

Question 8

Which command can be entered on router R5 to configure 80 percent of the bandwidth of a link for
EIGRP Autonomous System 55?

A. R5(config-if)#ip bandwidth-percent eigrp 55 80
B. R5(config-pmap-c)#priority percent 80
C. R5(config-if)#ip bandwidth-percent eigrp 80 55
D. R5(config-if)#ipv6 bandwidth-percent eigrp 80 55
E. R5(config-if)#ipv6 bandwidth-percent eigrp 55 80

Answer: A

Question 9 (same as Q.12 at http://www.digitaltut.com/nat-questions)

Which two address types are included in NAT? (Choose two)

A. inside global
B. global outside
C. outside internet
D. inside internet
E. outside local

Answer: A E

Explanation

NAT uses four types of addresses:

* Inside local address – The IP address assigned to a host on the inside network. The address is
usually not an IP address assigned by the Internet Network Information Center (InterNIC) or
service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider
that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the
inside network.
* Outside global address – The IP address assigned to a host on the outside network. The
owner of the host assigns this address.

Question 10

Refer to the exhibit.

Hostname R1
!
ip vrf Yellow
rd 100:1
interface Serial0/0
ip vrf forwarding Yellow
ip address 192.168.1.1 255.255.255.0
!
router eigrp 100
network 192.168.1.1 0.0.0.0
no auto-summary
redistribute static
!
R1#ping vrf Yellow 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.1.2, timeout is 2 second:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1 is configured with VRF-Lite and can ping R2. R2 is fully configured, but it has no active EIGRP
neighbors in vrf Yellow. If the configuration of R2 is complete, then which issue prevents the EIGRP
100 neighbor relationship in vrf Yellow from forming?

A. The no auto-summary command is preventing the EIGRP neighbor relationship from forming
B. There is a Layer 1 issue that prevents the EIGRP neighbor relationship from forming
C. The interface IP addresses are not in the same subnet
D. EIGRP 100 network 192.168.1.0/24 is configured in the global routing table on R1

Answer: D

Explanation

The “network 192.168.1.1 0.0.0.0” should be configured under vrf Yellow as follows:

router eigrp 100
 address-family vrf Yellow
 network 192.168.1.1 0.0.0.0

Question 11 (same as Q.1 of http://www.digitaltut.com/ospf-questions-3-2)

Which two LSA types were introduced to support OSPF for IPv6? (Choose two)

A. type 9
B. type 10
C. type 5
D. type 7
E. type 8

Answer: A E

Explanation

LSAs Type 8 (Link LSA) have link-local flooding scope.  A router originates a separate link-LSA for
each attached link that supports two or more (including the originating router itself) routers.  Link-
LSAs should not be originated for virtual links.

Link-LSAs have three purposes:

1.  They provide the router’s link-local address to all other routers attached to the link.
2.  They inform other routers attached to the link of a list of IPv6 prefixes to associate with the
link.
3.  They allow the router to advertise a collection of Options bits in the network-LSA originated by
the Designated Router on a broadcast or NBMA link.

LSAs Type 9 (Intra-Area Prefix LSA) have area flooding scope. An intra-area-prefix-LSA has one
of two functions:
1.  It either associates a list of IPv6 address prefixes with a transit network link by referencing a
network-LSA…
2.  Or associates a list of IPv6 address prefixes with a router by referencing a router-LSA.  A stub
link’s prefixes are associated with its attached router.

LSA Type 9 is breaking free of LSA Type 1 and LSA Type 2 as they were used in IPv4 OSPF to
advertise the prefixes inside the areas, giving us a change in the way the OSPF SPF algorithm is
run.

Reference (and for more information): http://packetpushers.net/a-look-at-the-new-lsa-types-in-ospfv3-with-vyatta-and-cisco/

Question 12

Which two statements about DMVPN are true? (Choose two)

A. IPsec encryption is not supported with statically addressed spokes
B. It requires full-mesh connectivity on the network
C. It uses NHRP to create a mapping database of spoke addresses
D. Multicast traffic is not supported
E. It supports dynamic addresses for spokes in a hub-and-spoke VPN topology

Answer: C E

Question 13

A network engineer is configuring two dedicated Internet connections within the Internet module.
One connection is the primary connection to all wired business communications while the other is
the primary connection for all customer wireless traffic. If one of the links goes down, the affected
traffic needs to be redirected to the redundant link. Which current technology should be deployed
to monitor the scenario?

A. IP SLA
B. MMC
C. IP SAA
D. PBR
E. IP QoS

Answer: A

Question 14

Refer to the exhibit.

access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny any

Which command do we use to control the type of routes that are processed in incoming route
updates?

A. passive-interface
B. distribute-list 1 out
C. distribute-list 1 in
D. ip vrf forwarding

Answer: C

Question 15

Which two types of traffic can benefit from LLQ? (Choose two)

A. email
B. voice
C. telnet
D. video
E. file transfer

Answer: B D

Question 16

A network administrator is attempting to configure IP SLA to allow one time stamp to be logged
when a packet arrives on the interface and one time stamp to be logged when a packet leaves the
interface. Which IP SLA accuracy tool enables this functionality?

A. Trap
B. RTT
C. Responder
D. Trigger
E. Logging

Answer: C

Explanation

Cisco IOS IP SLA Responder is a Cisco IOS Software component whose functionality is to respond
to Cisco IOS IP SLA request packets. The IP SLA source sends control packets before the operation
starts to establish a connection to the responder. Once the control packet is acknowledged, test
packets are sent to the responder. The responder inserts a time-stamp when it receives a
packet and factors out the destination processing time and adds time-stamps to the sent
packets. This feature allows the calculation of unidirectional packet loss, latency, and jitter
measurements with the kind of accuracy that is not possible with ping or other dedicated probe
testing.

Reference: https://www.cisco.com/en/US/technologies/tk869/tk769/technologies_white_paper0900aecd806bfb52.html

Question 17
Which two actions are common methods for migrating a network from one protocol to another?
(Choose two)

A. redistributing routes from the current routing protocol to the new routing protocol
B. removing the current routing protocol and implementing the new routing protocol
C. changing the relative administrative distances of the two routing protocols
D. changing the network IP addresses and bringing up the new IP addresses using the new routing
protocol
E. disabling IP routing globally and implementing the new routing protocol

Answer: A C

Question 18

Which statement best describes the following two OSPF commands, which are used to summarize
routes?

area 0 range 192.168.110.0 255.255.0.0
summary-address 192.168.110.0 255.255.0.0

A. The area range command defines the area where the network resides. The summary-address
command enables autosummarization
B. The area range command defines the area where the network resides. The summary-address
command summarizes a subnet for an area
C. The area range command specifies the area where the subnet resides and summarizes it to
other areas. The summary-address command summarizes external routes
D. The area range command summarizes subnets for a specific area. The summary address
command summarizes a subnet for all areas

Answer: C

Explanation

An example of the use of the “area range” command is shown below:

For RTB to summarize routes for the 192.168.16.0/22 supernet before injecting them into
Area 0, we use the command:

Router(config-router)#area 10 range 192.168.16.0 255.255.252.0

An example of using the “summary-address” command is shown below:

Recently the RIPv2 domain has been redistributed into our OSPF domain but the administrator
wants to configure a summarized route instead of 32 external type-5 LSAs (for 172.16.32.0/24 to
172.16.63.0/24) flooding into the OSPF network. In this case the administrator has to use the
“summary-address” command as follows:

Router(config-router)#summary-address 172.16.32.0 255.255.224.0

Question 19

Which action is the most efficient way to handle route feedback when converting a RIPv2 network
to OSPF?

A. Implement route tags
B. Implement IP prefix lists
C. Implement route maps with access lists
D. Implement distribute lists

Answer: A

Explanation

We should use a route tag to tag any routes that are redistributed from RIPv2 to OSPF. Then, when
redistributing from OSPF to RIPv2, we prevent these routes from getting back into the RIPv2 domain
(route feedback) by matching the tags we set before.

Question 20

Which types of LSAs are present in the stub area?

A. LSA type 1, 2, 3, 4 and 5
B. LSA type 1, 2 and 3
C. LSA type 3 and 5
D. LSA type 1 and 2

Answer: B

Explanation

A stub area does not allow Type 5 AS-external LSAs. It only allows LSA types 1, 2 and 3.

Question 21

What hop count is advertised for an unreachable network by a RIP router that uses poison
reverse?

A. 16
B. 255
C. 0
D. 15

Answer: A

Question 22

Refer to the exhibit.


aaa new-model
aaa authentication login default local-case enable
aaa authentication login ADMIN local-case
username CCNP secret Str0ngP@ssw0rd!
line 0 4
login authentication ADMIN

How can you change this configuration so that when user CCNP logs in, the show run command is
executed and the session is terminated?

A. Add the autocommand keyword to the aaa authentication command
B. Assign privilege level 15 to the CCNP username
C. Add the access-class keyword to the aaa authentication command
D. Assign privilege level 14 to the CCNP username
E. Add the access-class keyword to the username command
F. Add the autocommand keyword to the username command

Answer: F

Explanation

The “autocommand” causes the specified command to be issued automatically after the user logs
in. When the command is complete, the session is terminated. Because the command can be any
length and can contain embedded spaces, commands using the autocommand keyword must be
the last option on the line. In this specific question, we have to enter this line “username CCNP
autocommand show running-config”.

Question 23

Refer to the exhibit.

router ospf 10
router-id 192.168.1.1
log-adjacency-changes
redistribute bgp 1 subnets route-map BGP-TO-OSPF
!
route-map BGP-TO-OSPF deny 10
match ip address 50
route-map BGP-TO-OSPF permit 20
!
access-list 50 permit 172.16.1.0 0.0.0.255

Which statement about redistribution from BGP into OSPF process 10 is true?

A. Network 172.16.1.0/24 is not redistributed into OSPF
B. Network 10.10.10.0/24 is not redistributed into OSPF
C. Network 172.16.1.0/24 is redistributed with administrative distance of 1
D. Network 10.10.10.0/24 is redistributed with administrative distance of 20

Answer: A

Explanation

The first statement of the above route-map will prevent network 172.16.1.0/24 from being
redistributed into OSPF.
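
The first-match logic of this exhibit, as an added example that is not part of the original question set: a Python model of how route-map BGP-TO-OSPF and standard ACL 50 decide which BGP routes are redistributed. The function names and the sample prefixes beyond the two in the question are assumptions; the model also shows that a standard ACL compares only the network address, so longer prefixes inside 172.16.1.0/24 are denied as well.

```python
import ipaddress

# Exhibit from Question 23, transcribed as data.
ACLS = {50: [("permit", "172.16.1.0", "0.0.0.255")]}
BGP_TO_OSPF = [(10, "deny", 50), (20, "permit", None)]  # None = clause has no match statement

# Constructed sample of BGP routes (only the first and third appear in the question).
SAMPLE_BGP_ROUTES = ["172.16.1.0/24", "172.16.1.128/25", "10.10.10.0/24", "172.16.2.0/24"]


def acl_permits(acl, prefix):
    """Standard ACL check: compares the route's network address only, first match wins."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        # Wildcard bits set to 1 are "don't care"; invert to get the bits that must match.
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False  # implicit "deny any" at the end of every ACL


def route_map_decision(route_map, acls, prefix):
    """Return (action, sequence) of the first clause whose match succeeds."""
    for seq, action, acl_id in sorted(route_map, key=lambda clause: clause[0]):
        # A clause without a match statement matches every route.
        if acl_id is None or acl_permits(acls[acl_id], prefix):
            return action, seq
    return "deny", None  # implicit deny when no clause matches


def redistributed(route_map, acls, prefixes):
    """Prefixes that the route-map lets through into OSPF."""
    return [p for p in prefixes if route_map_decision(route_map, acls, p)[0] == "permit"]


if __name__ == "__main__":
    for route in SAMPLE_BGP_ROUTES:
        print(route, route_map_decision(BGP_TO_OSPF, ACLS, route))
    # Dropping "permit 20" leaves only the implicit deny, so nothing is redistributed.
    print(redistributed([(10, "deny", 50)], ACLS, SAMPLE_BGP_ROUTES))
```

Without the empty permit 20 clause the route-map would block every route, which is why a filter of this shape always ends with a catch-all permit.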

Question 24

Which functions are included in the two-message rapid exchange that a DHCPv6 client can receive
from a server?
A. solicit and reply
B. advertise and request
C. solicit and request
D. advertise and reply

Answer: A

Explanation

DHCPv6 can be implemented in two ways: Rapid-Commit and Normal-Commit mode.

In Rapid-Commit mode, the DHCP client obtains configuration parameters from the server through
a rapid two-message exchange (solicit and reply).
In Normal-Commit mode, the DHCP client uses a four-message exchange (solicit, advertise, request
and reply). By default, Normal-Commit is used.

Reference: https://community.cisco.com/t5/networking-documents/part-1-implementing-dhcpv6-stateful-dhcpv6/ta-p/3145631

Question 25

Refer to the exhibit.

(exhibit missing)

Which key chain is being used for authentication of EIGRP adjacency between R4 and R2?

A. KEY
B. MD5
C. EIGRP
D. CISCO

Answer: D

Question 26

Which two statements about redistributing EIGRP into OSPF are true? (Choose two)

A. The redistributed EIGRP routes appear as type 3 LSAs in the OSPF database
B. The redistributed EIGRP routes appear as type 5 LSAs in the OSPF database
C. The administrative distance of the redistributed routes is 170
D. The redistributed EIGRP routes appear as OSPF external type 1
E. The redistributed EIGRP routes are placed into an OSPF area whose area ID matches the EIGRP
autonomous system number
F. The redistributed EIGRP routes appear as OSPF external type 2 routes in the routing table

Answer: B F

Question 27

A network engineer executes the show ip flow interface command. Which type of information is
displayed on the interface?

A. route cache information
B. IP Cisco Express Forwarding statistics
C. error statistics
D. NetFlow configuration

Answer: D

Explanation
The command “show ip flow interface” displays NetFlow accounting configuration for interfaces.
Below is an example of the output of this command:

R1# show ip flow interface
 GigabitEthernet0/0
 ip flow ingress
 ip flow egress

Question 28

Which two statements are differences between AAA with TACACS+ and AAA with RADIUS?
(Choose two)

A. Only RADIUS uses TCP
B. Unlike TACACS+, RADIUS sends packets with only the password encrypted.
C. Unlike TACACS+, RADIUS supports accounting and authorization only
D. Only TACACS+ uses TCP
E. Only TACACS+ combines authentication and authorization

Answer: B D

Question 29

Which IOS commands can you use to limit the CPU impact of log generation and transmission on
an IOS router?

A. You can use the ip access-list logging interval command in conjunction with the logging rate-
limit command.
B. You can use the ip access-list logging limit command in conjunction with the logging rate-
interval command.
C. You can use the ip access-list syslog-logging interval command in conjunction with the logging
rate-limit command
D. You can use the ip access-list logged interval command in conjunction with the logged rate-limit
command.

Answer: A

Question 30

You are configuring a Microsoft client to call a PPP server using CHAP. Only the client will be
authenticated but the client’s password has expired and must be changed. Which PPP server
configuration allows the call to be completed?

A. ppp authentication ms-chap callin
B. ppp authentication chap
C. ppp authentication ms-chap-v2 callin
D. ppp authentication chap callin
E. ppp authentication ms-chap-v2

Answer: C

Explanation

The MSCHAP Version 2 supports the Password Aging feature, which notifies clients that the
password has expired and provides a generic way for the user to change the password.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-mt/sec-usr-aaa-15-mt-book/mschap_version_2.pdf

Note: The “callin” keyword specifies that the router will refuse to answer CHAP authentication
challenges received from the peer, but will still require the peer to answer any CHAP challenges
the router sends -> Only the client will be authenticated.

Question 31

Which command creates a manual summary on an interface when using EIGRP?

A. area 100 range 172.32.0.0 255.255.254.0
B. summary-address eigrp 100 172.32.0.0 255.255.254.0
C. ip summary-address eigrp 100 172.32.0.0 255.255.254.0
D. ip summary-address 100 172.32.0.0 255.255.254.0

Answer: C

Question 32

A network engineer wants to implement an SNMP notification process for host machines using the
strongest security available. Which command accomplishes this task?

A. router(config)#snmp-server host 172.16.200.225 traps v2c auth
B. router(config)#snmp-server host 172.16.200.225 traps v1
C. router(config)#snmp-server host 172.16.200.225 traps v3
D. router(config)#snmp-server host 172.16.200.225 traps v2c

Answer: C

Explanation

Both SNMPv1 and v2 did not focus much on security and they provide security based
on community string only. Community string is really just a clear text password (without
encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and
interception.

SNMPv3 provides significant enhancements to address the security weaknesses existing in the
earlier versions. The concept of community string does not exist in this version. SNMPv3 provides
a far more secure communication using entities, users and groups. This is achieved by
implementing three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: by using password hashing (based on the HMAC-MD5 or HMAC-SHA
algorithms) to ensure the message is from a valid source on the network.
+ Privacy (Encryption): by using encryption (56-bit DES encryption, for example) to encrypt the
contents of a packet.

Note: Although SNMPv3 offers better security, SNMPv2c is still more common.
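
The point above about community strings travelling in clear text, as an added example that is not part of the original question set: a small Python BER reader that classifies an SNMP message by version and reports either the readable community string (v1/v2c) or the SNMPv3 security level taken from msgFlags. Both packets are constructed inline rather than captured, and all function names are hypothetical.

```python
"""Classify SNMP messages by version and exposed credentials (constructed samples)."""

VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
# msgFlags bit 0 = authentication, bit 1 = privacy; privacy without authentication is invalid.
V3_LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}
V3_FINDINGS = {
    "noAuthNoPriv": "no authentication, payload not encrypted",
    "authNoPriv": "authenticated, payload not encrypted",
    "authPriv": "authenticated and encrypted",
    "invalid": "invalid msgFlags combination",
}


def tlv(tag, content):
    """BER-encode one element; the samples stay below 128 bytes, so short form suffices."""
    if len(content) >= 0x80:
        raise ValueError("sample builder only supports short-form lengths")
    return bytes([tag, len(content)]) + content


def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: low 7 bits = number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("BER length runs past end of packet")
    return tag, buf[pos:pos + length], pos + length


def classify_snmp(packet):
    """Return version plus community (v1/v2c) or security level (v3) of one message."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, raw_version, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    result = {"version": VERSIONS.get(int.from_bytes(raw_version, "big"), "unknown")}
    if result["version"] in ("v1", "v2c"):
        tag, community, _ = read_tlv(msg, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community")
        result["community"] = community.decode("ascii", "replace")
        result["finding"] = "community string readable in the packet"
    elif result["version"] == "v3":
        tag, header, _ = read_tlv(msg, pos)          # msgGlobalData
        if tag != 0x30:
            raise ValueError("expected SEQUENCE msgGlobalData")
        hpos = 0
        for _field in ("msgID", "msgMaxSize"):       # skip the two leading integers
            _tag, _value, hpos = read_tlv(header, hpos)
        tag, flags, _ = read_tlv(header, hpos)       # msgFlags, one octet
        if tag != 0x04 or len(flags) != 1:
            raise ValueError("expected one-octet msgFlags")
        level = V3_LEVELS.get(flags[0] & 0x03, "invalid")
        result["security_level"] = level
        result["finding"] = V3_FINDINGS[level]
    return result


def build_v2c_get(community):
    """Constructed SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = bytes.fromhex("2b06010201010100")
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, b"\x2a") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
              + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community) + pdu)


def build_v3_message(flags):
    """Constructed SNMPv3 message; security parameters and payload are opaque placeholders."""
    header = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x05\xdc")
                 + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + header + tlv(0x04, b"") + tlv(0x04, b"\x00" * 16))


if __name__ == "__main__":
    for sample in (build_v2c_get(b"public"), build_v3_message(0x03), build_v3_message(0x00)):
        print(classify_snmp(sample))
```

Run over traffic exported from a capture, the same classification gives an inventory of devices still answering v1/v2c or using SNMPv3 without privacy.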

Question 33

Which issue is important to address when integrating two networks with different routing protocols?

A. preventing UDP starvation
B. handling IPv4 fragmentation
C. controlling unicast flooding
D. mitigating UDP latency
E. preventing asymmetric routing

Answer: E

Question 34

Drag and drop the DMVPN components from the left onto the correct descriptions on the right.

Answer:

hub – device that acts as the next-hop server
spoke – device that is usually identified with a dynamic address
mGRE – technology that allows one interface to support multiple tunnels
NHRP – protocol that allows spokes to communicate directly with one another

Question 35

Refer to the exhibit.

%Interfact GigabitEthernet1: IPv4 disabled and address(es) removed due to enabling VRF
CUST_A

An engineer is enabling VPN service for a customer and notices this output when placing the
customer-facing interface into a VRF. Which action corrects the issue?

A. Reconfigure the IP address on Gigabit Ethernet 1
B. Disabling the VRF CUST_A
C. Reset interface Gigabit Ethernet 1
D. Enabling IPv6 on the interface

Answer: A

Explanation

If the interface was assigned an IP address before joining a VRF, that IP address is
removed, so we have to reconfigure it.

Question 36

Which two statements about VRF-Lite configurations are true? (Choose two)

A. They support the exchange of MPLS labels
B. Different customers can have overlapping IP addresses on different VPNs
C. They support a maximum of 512,000 routes
D. Each customer has its own dedicated TCAM resources
E. Each customer has its own private routing table.
F. They support IS-IS

Answer: B E

Explanation

In VRF-Lite, Route distinguisher (RD) identifies the customer routing table and “allows customers
to be assigned overlapping addresses”. The below example shows overlapping IP addresses
configured on two interfaces which belong to two different VPNs:

Router(config)#ip vrf VRF_BLUE
Router(config-vrf)# rd 100:1
Router(config-vrf)# exit
Router(config)#ip vrf VRF_GREEN
Router(config-vrf)# rd 100:2
Router(config-vrf)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip vrf forwarding VRF_BLUE
Router(config-if)# ip address 10.0.0.1 255.0.0.0
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/2
Router(config-if)# ip vrf forwarding VRF_GREEN
Router(config-if)# ip address 10.0.0.1 255.0.0.0

Question 37

Which two statements about PPPoE packet types are true? (Choose two)

A. PADR is a broadcast packet sent from the client to request a new server
B. PADI is an initialization packet sent as a broadcast message
C. PADO is a unicast reply packet sent to the client
D. PADO is a broadcast reply packet sent to the client
E. PADR is a unicast confirmation packet sent to the client

Answer: B C

Explanation

+ PPPoE Active Discovery Initiation (PADI): The client initiates a session by broadcasting a
PADI packet to the LAN to request a service. 
+ PPPoE Active Discovery Offer (PADO): Any access concentrator that can provide the service
requested by the client in the PADI packet replies with a PADO packet that contains its own name,
the unicast address of the client, and the service requested. An access concentrator can also use
the PADO packet to offer other services to the client. 
+ PPPoE Active Discovery Request (PADR): From the PADOs it receives, the client selects one
access concentrator based on its name or the services offered and sends it a PADR packet to
indicate the service or services needed.
+ PPPoE Active Discovery Session-Confirmation (PADS): When the selected access concentrator
receives the PADR packet, it accepts or rejects the PPPoE session:
– To accept the session, the access concentrator sends the client a PADS packet with a unique
session ID for a PPPoE session and a service name that identifies the service under which it
accepts the session.
– To reject the session, the access concentrator sends the client a PADS packet with a service
name error and resets the session ID to zero.
+ After a session is established, the client or the access concentrator can send a PPPoE Active
Discovery Termination (PADT) packet anytime to terminate the session. The PADT packet contains
the destination address of the peer and the session ID of the session to be terminated. After this
packet is sent, the session is closed to PPPoE traffic. 

Question 38

Which two statements are examples of the differences between IPv4 and IPv6 EIGRP? (Choose
two)

A. Network command is used in IPv6
B. DUAL is not used for route calculations
C. DUAL is used for route calculations
D. IPv6 keyword is used in many EIGRP commands
E. Network command is not used in IPv6

Answer: D E

Explanation
Although the configuration and management of EIGRP for IPv4 and EIGRP for IPv6 are similar,
they are configured and managed separately. A few (not all) examples of differences include
these:
+ The network command is not used in IPv6; EIGRP is configured via links.
+ The ipv6 keyword is used in many of the EIGRP commands.
+ Needs to be explicitly enabled on each interface when configuring EIGRP.

Note:

The following are a few (not all) examples of similarities shared by IPv4 EIGRP and IPv6 EIGRP:
+ DUAL is used for route calculation and selection with the same metrics.
+ It is scalable to large network implementations.
+ Neighbor, routing, and topology tables are maintained.
+ Both equal-cost load balancing and unequal-cost load balancing are offered.

Reference: http://www.ciscopress.com/articles/article.asp?p=2137516&seqNum=4

Question 39

Refer to the exhibit.

VRF HUB (VRF Id = 3): default RD 100:10; default VPNID <not set>
New CLI format, supports multiple address-families
  Flags: 0x180C
  Interfaces:
    G1/1
Address family ipv4 unicast (Table ID = 0x3)
  Flags: 0x0
  Export VPN route-target communities
    RT 100:10
  Import VPN route-target communities
    RT 100:10 RT 200:20
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001)
[Output omitted]

VRF SPOKE (VRF Id = 4): default RD 200:20; default VPNID <not set>
New CLI format, supports multiple address-families
  Flags: 0x180C
  Interfaces:
    G1/2
Address family ipv4 unicast (Table ID = 0x4)
  Flags: 0x0
  Export VPN route-target communities
    RT 200:20
  Import VPN route-target communities
    RT 200:20
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
Address family ipv6 unicast (Table ID = 0x1E000001)
[Output omitted]

A network engineer is modifying configurations for a customer that currently uses VPN connectivity
between their sites. The customer has added a new spoke site, but it does not have reachability to
servers located at the hub. Based on the output, which statement describes the cause?

A. The interface of VRF HUB and VRF SPOKE do not match
B. The HUB VRF is not exporting Route-Target 200:20
C. The default VPNID is not set on VRF HUB or VRF SPOKE
D. The SPOKE VRF is not importing Route-Target 100:10

Answer: D

Question 40

Which statement about dynamic NAT is true?

A. It creates a one-to-one mapping of inside addresses to a global address
B. It uses the overload command to map addresses
C. It maps inside addresses to different port numbers
D. It maps inside addresses to a pool of global addresses

Answer: D

Question 41

Which statement about the IP SLA feature is true?

A. It ensures that there are appropriate levels of service for network applications
B. It classifies various traffic types by examining information within Layers 3 through 7.
C. It measures how the network treats traffic for specific applications by generating traffic that
bears similar characteristics to application traffic
D. It keeps track of the number of packets and bytes that are observed in each flow by storing
information in a cache flow

Answer: C

Question 42

A network engineer is enabling conditional debugging and executes two commands: debug
condition interfaces serial0/0 and debug condition interfaces serial 0/1. Which debugging
output is displayed as a result?

A. Interface cannot be used as a debug condition.
B. Output is displayed for both specified interfaces.
C. Output is displayed for interface serial 0/1 only.
D. Output is displayed for interface 0/0 only.

Answer: B

============================= New Updated Questions (added on 12th-Jan-2019) =============================

Question 43

What is the DHCP option to download TFTP info to a Cisco phone?

A. option 57
B. option 82
C. option 66
D. option 68

Answer: C

Explanation

For Cisco phones IP addresses can be assigned manually or by using DHCP. Devices also require
access to a TFTP server that contains device configuration name files (.cnf file format), which
enables the device to communicate with Cisco Call Manager.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if
it does not have both the IP address and TFTP server IP address pre-configured, it sends a request
with option 150 to the DHCP server to obtain this information.
DHCP Option 150 is Cisco proprietary. The IEEE standard that matches with this requirement is
Option 66. Like option 150, option 66 is used to specify the Name of the TFTP server.

Question 44

What type of address does OSPFv3 use to form adjacency and send updates?

A. FF02::5
B. link-local
C. IPv4 address
D. IPv6 address multicast

Answer: A

Question 45 (same as Question 7 of http://www.digitaltut.com/new-route-questions-part-2)

What security feature is supported across all SNMP versions?

A. authpriv
B. noauthnopriv
C. authnopriv
D. noauthpriv

Answer: B

Question 46 (posted at Question 4 of http://www.digitaltut.com/ip-services-questions)

A network engineer executes the show crypto ipsec sa command. Which three pieces of
information are displayed in the output? (Choose three)

A. inbound crypto map
B. remaining key lifetime
C. path MTU
D. tagged packets
E. untagged packets
F. invalid identity packets

Answer: A B C

Explanation

This command shows IPsec Security Associations (SAs) built between peers. An example of the
output of the above command is shown below:

Router#show crypto ipsec sa
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

The first part shows the interface and crypto map name that are associated with the interface. Then
the inbound and outbound SAs are shown. These are either AH or ESP SAs. In this case, because
you used only ESP, there are no AH inbound or outbound SAs.

Note: Maybe “inbound crypto map” here refers to the crypto map name.

Question 47

Drag and drop about AAA.

Answer:

+ Auth-proxy: It returns information about hosts using proxy service
+ Commands: It returns information about individual EXEC commands and permissions associated
with a privilege level
+ Connection: It returns information about outbound communications from the network access
server
+ Exec: It returns information about user EXEC terminal sessions with the network access server
+ Network: It returns information about SLIP, PPP and ARA sessions
+ Resources: It returns information about calls that have passed and failed user authentication

============================= New Updated Questions (added on 21st-Feb-2019) =============================

Question 48

What are two reasons to use multicast to deliver video traffic, instead of unicast or broadcast?

A. It provides reliable TCP transport
B. It enables multiple servers to send video streams simultaneously
C. It enables multiple clients to send video stream simultaneously
D. It supports distributed applications
E. It enables multiple clients to receive the video stream simultaneously

Answer: D E

Question 48

Which two statements about PAP authentication in a PPP environment are true? (Choose two)

A. It is performed at the beginning of the session only
B. It sends the password in clear text
C. It uses a username with an MD5 password to authenticate
D. It hashes the password before sending it
E. It is performed at the beginning of the session and is repeated periodically for as long as the
session is maintained

Answer: A B

Explanation

PPP has two built-in security mechanisms which are Password Authentication Protocol (PAP)
and Challenge Handshake Authentication Protocol (CHAP).

Password Authentication Protocol (PAP) is a very simple authentication protocol. The client
who wants to access a server sends its username and password in clear text. The server checks
the validity of the username and password and either accepts or denies the connection. This is
called a two-way handshake. In the PAP two-way handshake process, the username and password are
sent in the first message.

Another difference between PAP and CHAP is that PAP performs authentication at the initial link
establishment only, while CHAP performs authentication at the initial link establishment and
periodically after that. In CHAP, the challenge text is random and unique, so the “result” is
also different each time. This prevents a playback attack (in which a hacker tries to copy the
“result” text sent from the client and reuse it).
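The contrast described above can be shown with the two packet formats side by side. This is an added example, not part of the original page: it builds a PAP Authenticate-Request as laid out in RFC 1334 and a CHAP response as defined in RFC 1994 (MD5 over identifier, secret and challenge). The function and class names and the secret are constructed for illustration.

```python
import hashlib, hmac, os, struct

def pap_authenticate_request(ident, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): code 1, id, length, then
    length-prefixed Peer-ID and Password, both carried unencrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def parse_pap_password(packet):
    """Password field as it appears on the link in that single packet."""
    pw_off = 5 + packet[4]                 # skip header and Peer-ID
    return packet[pw_off + 1 : pw_off + 1 + packet[pw_off]]

def chap_response(ident, secret, challenge):
    """CHAP response value (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: issues a fresh random challenge for every round."""
    def __init__(self, secret):
        self.secret, self.ident, self.challenge = secret, 0, b""

    def new_challenge(self):
        self.ident = (self.ident + 1) % 256
        self.challenge = os.urandom(16)
        return self.ident, self.challenge

    def verify(self, response):
        expected = chap_response(self.ident, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"example-secret"             # constructed value
    pkt = pap_authenticate_request(1, b"r1", secret)
    on_wire = parse_pap_password(pkt)      # PAP: the password itself is sent

    server = ChapAuthenticator(secret)
    ident, challenge = server.new_challenge()
    resp = chap_response(ident, secret, challenge)
    first_ok = server.verify(resp)         # response to the current challenge
    server.new_challenge()                 # periodic re-authentication
    replay_ok = server.verify(resp)        # old response against new challenge
    return on_wire, first_ok, replay_ok
```

demo() returns the PAP password unchanged, True for the fresh CHAP response, and False when the same response is presented after the next challenge.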

Question 49

Which two tasks should you perform to begin troubleshooting a network problem? (Choose two)

A. Gather all the facts
B. Define the problem as a set of symptoms and causes
C. Implement an action plan
D. Monitor and verify the resolution
E. Analyse the results

Answer: A B

Explanation

The main elements of diagnosis are as follows:

Gathering information: Gathering information happens after the problem has been reported by
the user (or anyone). This might include interviewing all parties (user) involved, plus any other
means to gather relevant information. Usually, the problem report does not contain enough
information to formulate a good hypothesis without first gathering more information. Information
and symptoms can be gathered directly, by observing processes, or indirectly, by executing tests.

Analyzing information: After the gathered information has been analyzed, the troubleshooter
compares the symptoms against his knowledge of the system, processes, and baselines to
separate normal behavior from abnormal behavior.

Reference: http://www.ciscopress.com/articles/article.asp?p=2273070

Question 50

Which two pieces of information can you learn by viewing the routing table? (Choose two)

A. Whether an ACL was applied inbound or outbound to an interface
B. Whether the administrative distance was manually or dynamically configured
C. Which neighbor adjacencies are established
D. The EIGRP or BGP autonomous system
E. The length of time that a route has been known
 

Answer: B E

Question 51

Which two facts must you take into account when you deploy PPPoE? (Choose two)

A. DDR idle timers must be configured to support VPDN login.
B. PPPoE supports a maximum of 10 clients per customer premises equipment
C. DDR is not supported
D. You must manually configure IP addresses on the PPPoE interface
E. An individual PVC can support one PPPoE client

Answer: B E

Explanation

The PPPoE Client DDR Idle Timer feature supports the dial-on-demand routing (DDR) interesting
traffic control list functionality of the dialer interface with a PPP over Ethernet (PPPoE) client, but
also keeps original functionality (PPPoE connection up and always on after configuration) for those
PPPoE clients that require it.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbpecls.html

But it is just an optional feature and we don’t need DDR idle timers to be configured to support
VPDN login -> Answer A is not correct.

According to this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-pppoe-client.html

The PPPoE client does not support the following:

+ More than ten clients per customer premises equipment (CPE) -> This means a CPE can support
up to 10 clients so answer B is correct.

DDR is supported in PPPoE since IOS v12.2 -> Answer C is not correct.

We can assign IP addresses via DHCP on the PPPoE interface -> Answer D is not correct.

Prior to Cisco IOS Release 12.4(15)T, one ATM PVC supported one PPPoE client. With the
introduction of the Multiple PPPoE Client feature in Cisco IOS Release 12.4(15)T, one ATM PVC
supports multiple PPPoE clients, allowing second line connection and redundancy. Multiple PPPoE
clients can run concurrently on different PVCs, but each PPPoE client must use a separate dialer
interface and a separate dialer pool. Therefore answer E is still correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/15-mt/bba-15-mt-book/bba-ppoe-client.pdf
