Cisco Real-Exams 300-101 v2019-03-23 by Barbra 469q


300-101

Number: 300-101
Passing Score: 800
Time Limit: 120 min
File Version: 1


Sections
1. Network Principles
2. Layer 2 Technologies
3. Layer 3 Technologies
4. VPN Technologies
5. Infrastructure Security
6. Infrastructure Services
7. Mix Questions
Exam A

QUESTION 1
Which three problems result from application mixing of UDP and TCP streams within a network with no
QoS? (Choose three.)

A. starvation
B. jitter
C. latency
D. windowing
E. lower throughput

Correct Answer: ACE


Section: Network Principles
Explanation

Explanation/Reference:
Explanation:
It is a general best practice not to mix TCP-based traffic with UDP-based traffic (especially streaming video)
within a single service provider class due to the behaviors of these protocols during periods of congestion.
Specifically, TCP transmitters will throttle-back flows when drops have been detected. Although some UDP
applications have application-level windowing, flow control, and retransmission capabilities, most UDP
transmitters are completely oblivious to drops and thus never lower transmission rates due to dropping.
When TCP flows are combined with UDP flows in a single service provider class and the class experiences
congestion, then TCP flows will continually lower their rates, potentially giving up their bandwidth to drop-
oblivious UDP flows. This effect is called TCP-starvation/UDP-dominance. This can increase latency and
lower the overall throughput.
TCP-starvation/UDP-dominance likely occurs if (TCP-based) mission-critical data is assigned to the same
service provider class as (UDP-based) streaming video and the class experiences sustained congestion.
Even if WRED is enabled on the service provider class, the same behavior would be observed, as WRED
(for the most part) only affects TCP-based flows.
Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it is beneficial to
be aware of this behavior when making such application-mixing decisions.

Reference: http://www.cisco.com/warp/public/cc/so/neso/vpn/vpnsp/spqsd_wp.htm

QUESTION 2
Which method allows IPv4 and IPv6 to work together without requiring both to be used for a single
connection during the migration process?

A. dual-stack method
B. 6to4 tunneling
C. GRE tunneling
D. NAT-PT

Correct Answer: A
Section: Network Principles
Explanation

Explanation/Reference:
Explanation:
Dual stack means that devices are able to run IPv4 and IPv6 in parallel. It allows hosts to simultaneously
reach IPv4 and IPv6 content, so it offers a very flexible coexistence strategy. For sessions that support
IPv6, IPv6 is used on a dual stack endpoint. If both endpoints support IPv4 only, then IPv4 is used.
Benefits:
• Native dual stack does not require any tunneling mechanisms on internal networks
• Both IPv4 and IPv6 run independent of each other
• Dual stack supports gradual migration of endpoints, networks, and applications.

Reference: http://www.cisco.com/web/strategy/docs/gov/IPV6at_a_glance_c45-625859.pdf

QUESTION 3
Which two actions must you perform to enable and use window scaling on a router? (Choose two.)

A. Execute the command ip tcp window-size 65536.
B. Set window scaling to be used on the remote host.
C. Execute the command ip tcp queuemax.
D. Set TCP options to "enabled" on the remote host.
E. Execute the command ip tcp adjust-mss.

Correct Answer: AB
Section: Network Principles
Explanation

Explanation/Reference:
Explanation:
The TCP Window Scaling feature adds support for the Window Scaling option in RFC 1323, TCP
Extensions for High Performance. A larger window size is recommended to improve TCP performance in
network paths with large bandwidth-delay product characteristics that are called Long Fat Networks (LFNs).
The TCP Window Scaling enhancement provides that support.
The window scaling extension in Cisco IOS software expands the definition of the TCP window to 32 bits
and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. The
window size can increase to a scale factor of 14. Typical applications use a scale factor of 3 when deployed
in LFNs.
The TCP Window Scaling feature complies with RFC 1323. The larger scalable window size will allow TCP
to perform better over LFNs. Use the ip tcp window-size command in global configuration mode to
configure the TCP window size. In order for this to work, the remote host must also support this feature and
its window size must be increased.

QUESTION 4
A network administrator uses IP SLA to measure UDP performance and notices that packets on one router
have a higher one-way delay compared to the opposite direction. Which UDP characteristic does this
scenario describe?

A. latency
B. starvation
C. connectionless communication
D. nonsequencing unordered packets
E. jitter

Correct Answer: A
Section: Network Principles
Explanation

Explanation/Reference:
Explanation:
Cisco IOS IP SLAs provides a proactive notification feature with an SNMP trap. Each measurement
operation can monitor against a pre-set performance threshold. Cisco IOS IP SLAs generates an SNMP
trap to alert management applications if this threshold is crossed. Several SNMP traps are available: round
trip time, average jitter, one-way latency, jitter, packet loss, MOS, and connectivity tests.
Here is a partial sample output from the IP SLA statistics that can be seen:
router#show ip sla statistics 1
Round Trip Time (RTT) for Index 55
Latest RTT: 1 ms
Latest operation start time: *23:43:31.845 UTC Thu Feb 3 2005
Latest operation return code: OK
RTT Values:
Number Of RTT: 10 RTT Min/Avg/Max: 1/1/1 milliseconds
Latency one-way time:
Number of Latency one-way Samples: 0
Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
Reference: http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper09186a00802d5efe.html

QUESTION 5
Prior to enabling PPPoE in a virtual private dialup network group, which task must be completed?

A. Disable CDP on the interface.
B. Execute the vpdn enable command.
C. Execute the no switchport command.
D. Enable QoS FIFO for PPPoE support.

Correct Answer: B
Section: Layer 2 Technologies
Explanation

Explanation/Reference:
Explanation:
Enabling PPPoE in a VPDN Group
Perform this task to enable PPPoE in a virtual private dial-up network (VPDN) group.
Restrictions
This task applies only to releases prior to Cisco IOS Release 12.2(13)T.
SUMMARY STEPS
1. enable
2. configure terminal
3. vpdn enable
4. vpdn-group name
5. request-dialin
6. protocol pppoe
DETAILED STEPS

Reference: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftpppoec_support_TSD_Island_of_Content_Chapter.html

QUESTION 6
A network engineer has been asked to ensure that the PPPoE connection is established and authenticated
using an encrypted password. Which technology, in combination with PPPoE, can be used for
authentication in this manner?

A. PAP
B. dot1x
C. IPsec
D. CHAP
E. ESP

Correct Answer: D
Section: Layer 2 Technologies
Explanation

Explanation/Reference:
Explanation:
With PPPoE, the two authentication options are PAP and CHAP. When CHAP is enabled on an interface
and a remote device attempts to connect to it, the access server sends a CHAP packet to the remote
device. The CHAP packet requests or “challenges” the remote device to respond. The challenge packet
consists of an ID, a random number, and the host name of the local router.
When the remote device receives the challenge packet, it concatenates the ID, the remote device’s
password, and the random number, and then encrypts all of it using the remote device’s password. The
remote device sends the results back to the access server, along with the name associated with the
password used in the encryption process.
When the access server receives the response, it uses the name it received to retrieve a password stored
in its user database. The retrieved password should be the same password the remote device used in its
encryption process. The access server then encrypts the concatenated information with the newly retrieved
password — if the result matches the result sent in the response packet, authentication succeeds.
The benefit of using CHAP authentication is that the remote device’s password is never transmitted
in clear text (encrypted). This prevents other devices from stealing it and gaining illegal access to the
ISP’s network.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html

QUESTION 7
A corporate policy requires PPPoE to be enabled and to maintain a connection with the ISP, even if no
interesting traffic exists. Which feature can be used to accomplish this task?

A. TCP Adjust
B. Dialer Persistent
C. PPPoE Groups
D. half-bridging
E. Peer Neighbor Route

Correct Answer: B
Section: Layer 2 Technologies
Explanation

Explanation/Reference:
Explanation:
A new interface configuration command, dialer persistent, allows a dial-on-demand routing (DDR) dialer
profile connection to be brought up without being triggered by interesting traffic. When configured, the
dialer persistent command starts a timer when the dialer interface starts up and starts the connection
when the timer expires. If interesting traffic arrives before the timer expires, the connection is still brought
up and set as persistent. The command provides a default timer interval, or you can set a custom timer
interval.

To configure a dialer interface as persistent, use the following commands beginning in global configuration
mode:

QUESTION 8
Which PPP authentication method sends authentication information in clear text?

A. MS CHAP
B. CDPCP
C. CHAP
D. PAP

Correct Answer: D
Section: Layer 2 Technologies
Explanation

Explanation/Reference:
Explanation:
PAP authentication involves a two-way handshake where the username and password are sent across the
link in clear text; hence, PAP authentication does not provide any protection against playback and line
sniffing.
CHAP authentication, on the other hand, periodically verifies the identity of the remote node using a three-
way handshake. After the PPP link is established, the host sends a "challenge" message to the remote
node. The remote node responds with a value calculated using a one-way hash function. The host checks
the response against its own calculation of the expected hash value. If the values match, the authentication
is acknowledged; otherwise, the connection is terminated.

Reference: http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/10241-ppp-callin-hostname.html
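
The PAP and CHAP exchanges described in Questions 6 and 8, as an added example that is not part of the original material. It uses the MD5 form of CHAP from RFC 1994 (a one-way hash over the ID, the secret and the challenge); the user name, password and challenge values are constructed.

```python
import hashlib
import hmac

# Constructed sample credentials (not from the original page).
USER_DB = {b"branch-rtr": b"s3cret-pass"}


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """Data field of a PAP Authenticate-Request: both values travel as-is."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): hash over ID, then secret, then challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user_db, name, identifier, challenge, response) -> bool:
    """Access-server side: look up the secret by name and recompute the hash."""
    secret = user_db.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    name, password = b"branch-rtr", USER_DB[b"branch-rtr"]
    pap_wire = pap_authenticate_request(name, password)
    # Constructed challenges; a real access server draws a fresh random one each time.
    challenge_1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    challenge_2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    response_1 = chap_response(1, password, challenge_1)
    return {
        # PAP: the password is visible to anyone capturing the link.
        "pap_exposes_password": password in pap_wire,
        # CHAP: only the 16-byte digest crosses the link.
        "chap_exposes_password": password in response_1,
        "chap_accepts_valid": chap_verify(USER_DB, name, 1, challenge_1, response_1),
        # A captured response is useless against the next challenge.
        "chap_rejects_replay": not chap_verify(USER_DB, name, 2, challenge_2, response_1),
        "chap_rejects_unknown_user": not chap_verify(
            USER_DB, b"nobody", 1, challenge_1, response_1
        ),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```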

QUESTION 9
Which protocol uses dynamic address mapping to request the next-hop protocol address for a specific
connection?

A. Frame Relay inverse ARP
B. static DLCI mapping
C. Frame Relay broadcast queue
D. dynamic DLCI mapping

Correct Answer: A
Section: Layer 2 Technologies
Explanation

Explanation/Reference:
Explanation:
Dynamic address mapping uses Frame Relay Inverse ARP to request the next-hop protocol address for a
specific connection, given its known DLCI. Responses to Inverse ARP requests are entered in an address-
to-DLCI mapping table on the router or access server; the table is then used to supply the next-hop protocol
address or the DLCI for outgoing traffic.

QUESTION 10
Which statement is true about the PPP Session Phase of PPPoE?

A. PPP options are negotiated and authentication is not performed. Once the link setup is completed,
PPPoE functions as a Layer 3 encapsulation method that allows data to be transferred over the PPP
link within PPPoE headers.
B. PPP options are not negotiated and authentication is performed. Once the link setup is completed,
PPPoE functions as a Layer 4 encapsulation method that allows data to be transferred over the PPP
link within PPPoE headers.
C. PPP options are automatically enabled and authorization is performed. Once the link setup is
completed, PPPoE functions as a Layer 2 encapsulation method that allows data to be encrypted over
the PPP link within PPPoE headers.
D. PPP options are negotiated and authentication is performed. Once the link setup is completed, PPPoE
functions as a Layer 2 encapsulation method that allows data to be transferred over the PPP link within
PPPoE headers.

Correct Answer: D
Section: Layer 2 Technologies
Explanation

Explanation/Reference:
Explanation:
PPPoE is composed of two main phases:
Active Discovery Phase — In this phase, the PPPoE client locates a PPPoE server, called an access
concentrator. During this phase, a Session ID is assigned and the PPPoE layer is established.
PPP Session Phase — In this phase, PPP options are negotiated and authentication is
performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation
method, allowing data to be transferred over the PPP link within PPPoE headers.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-pppoe.html

QUESTION 11
PPPoE is composed of which two phases?

A. Active Authentication Phase and PPP Session Phase
B. Passive Discovery Phase and PPP Session Phase
C. Active Authorization Phase and PPP Session Phase
D. Active Discovery Phase and PPP Session Phase

Correct Answer: D
Section: Layer 2 Technologies
Explanation

Explanation/Reference:
Explanation:
PPPoE is composed of two main phases:
Active Discovery Phase — In this phase, the PPPoE client locates a PPPoE server, called an access
concentrator. During this phase, a Session ID is assigned and the PPPoE layer is established.
PPP Session Phase — In this phase, PPP options are negotiated and authentication is performed. Once
the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be
transferred over the PPP link within PPPoE headers.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-pppoe.html

QUESTION 12
Refer to the exhibit.


Which one statement is true?

A. Traffic from the 172.16.0.0/16 network will be blocked by the ACL.
B. The 10.0.0.0/8 network will not be advertised by Router B because the network statement for the
10.0.0.0/8 network is missing from Router B.
C. The 10.0.0.0/8 network will not be in the routing table on Router B.
D. Users on the 10.0.0.0/8 network can successfully ping users on the 192.168.5.0/24 network, but users
on the 192.168.5.0/24 cannot successfully ping users on the 10.0.0.0/8 network.
E. Router B will not advertise the 10.0.0.0/8 network because it is blocked by the ACL.

Correct Answer: E
Section: Layer 3 Technologies
Explanation

Explanation/Reference:
Explanation:
You can filter what individual routes are sent (out) or received (in) to any interface within your EIGRP
configuration.
One example is noted above. If you filter outbound, the next neighbor(s) will not know about anything
except the 172.16.0.0/16 route and therefore won’t send it to anyone else downstream. If you filter inbound,
YOU won’t know about the route and therefore won’t send it to anyone else downstream.

QUESTION 13
A router with an interface that is configured with ipv6 address autoconfig also has a link-local address
assigned. Which message is required to obtain a global unicast address when a router is present?

A. DHCPv6 request
B. router-advertisement
C. neighbor-solicitation
D. redirect

Correct Answer: B
Section: Layer 3 Technologies
Explanation

Explanation/Reference:
Explanation:
Autoconfiguration is performed on multicast-enabled links only and begins when a multicast-enabled
interface is enabled (during system startup or manually). Nodes (both hosts and routers) begin the process
by generating a link-local address for the interface. It is formed by appending the interface identifier to the
well-known link-local prefix FE80::0. The interface identifier replaces the right-most zeroes of the link-local
prefix.
Before the link-local address can be assigned to the interface, the node performs the Duplicate Address
Detection mechanism to see if any other node is using the same link-local address on the link. It does this
by sending a Neighbor Solicitation message with target address as the "tentative" address and destination
address as the solicited-node multicast address corresponding to this tentative address. If a node responds
with a Neighbor Advertisement message with tentative address as the target address, the address is a
duplicate address and must not be used. Hence, manual configuration is required.
Once the node verifies that its tentative address is unique on the link, it assigns that link-local address to
the interface. At this stage, it has IP-connectivity to other neighbors on this link.
Autoconfiguration on routers stops at this stage; further tasks are performed only by the hosts. The
routers will need manual configuration (or stateful configuration) to receive site-local or global addresses.
The next phase involves obtaining Router Advertisements from routers if any routers are present on the
link. If no routers are present, a stateful configuration is required. If routers are present, the Router
Advertisements notify what sort of configurations the hosts need to do and the hosts receive a global
unicast IPv6 address.

Reference: https://sites.google.com/site/amitsciscozone/home/important-tips/ipv6/ipv6-stateless-autoconfiguration

QUESTION 14
An engineer has configured a router to use EUI-64, and was asked to document the IPv6 address of the
router. The router has the following interface parameters:

mac address 2201.420A.0004
subnet 2001:DB8:0:1::/64

Which IPv6 addresses should the engineer add to the documentation?

A. 2001:DB8:0:1:01:42AF:FE0F:4
B. 2001:DB8:0:1:FFFF:2201:420F:4
C. 2001:DB8:0:1:FE80:2201:420F:4
D. 2001:DB8:0:1:C601:42AE:800F:4

Correct Answer: A
Section: Layer 3 Technologies
Explanation
Explanation/Reference:
Explanation:
Extended Unique Identifier (EUI), as per RFC2373, allows a host to assign itself a unique 64-bit IP Version
6 interface identifier (EUI-64). This feature is a key benefit over IPv4 as it eliminates the need for manual
configuration or DHCP as in the world of IPv4. The IPv6 EUI-64 format address is obtained through the
48-bit MAC address. The MAC address is first separated into two 24-bit halves, with one being the OUI
(Organizationally Unique Identifier) and the other being NIC specific. The 16-bit 0xFFFE is then inserted
between these two 24-bit halves to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value
which can only appear in EUI-64 generated from the EUI-48 MAC address.

Here is an example showing how the MAC address is used to generate EUI.

Next, the seventh bit from the left, or the universal/local (U/L) bit, needs to be inverted. This bit identifies
whether this interface identifier is universally or locally administered. If 0, the address is locally administered
and if 1, the address is globally unique. It is worth noticing that in the OUI portion, the globally unique
addresses assigned by the IEEE have always been set to 0 whereas the locally created addresses have 1
configured. Therefore, when the bit is inverted, it maintains its original scope (global unique address is still
global unique and vice versa). The reason for inverting can be found in RFC4291 section 2.5.1.

Reference: https://supportforums.cisco.com/document/100566/understanding-ipv6-eui-64-bit-address

QUESTION 15
What is the purpose of the autonomous-system {autonomous-system-number} command?

A. It sets the EIGRP autonomous system number in a VRF.
B. It sets the BGP autonomous system number in a VRF.
C. It sets the global EIGRP autonomous system number.
D. It sets the global BGP autonomous system number.

Correct Answer: A
Section: Layer 3 Technologies
Explanation

Explanation/Reference:
Explanation:
To configure the autonomous-system number for an Enhanced Interior Gateway Routing Protocol (EIGRP)
routing process to run within a VPN routing and forwarding (VRF) instance, use the autonomous-system
command in address-family configuration mode. To remove the autonomous-system for an EIGRP routing
process from within a VPN VRF instance, use the no form of this command.
Autonomous-system autonomous-system-number
no autonomous-system autonomous-system-number

Reference: http://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/command/reference/ire_book/ire_a1.html#wp1062796

QUESTION 16
Router A and Router B are configured with IPv6 addressing and basic routing capabilities using OSPFv3.
The networks that are advertised from Router A do not show up in Router B's routing table. After debugging
IPv6 packets, the message "not a router" is found in the output. Why is the routing information not being
learned by Router B?

A. OSPFv3 timers were adjusted for fast convergence.
B. The networks were not advertised properly under the OSPFv3 process.
C. An IPv6 traffic filter is blocking the networks from being learned via the Router B interface that is
connected to Router A.
D. IPv6 unicast routing is not enabled on Router A or Router B.

Correct Answer: D
Section: Layer 3 Technologies
Explanation

Explanation/Reference:
Explanation:


Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/command/reference/ipv6_book/ipv6_16.html

QUESTION 17
After you review the output of the command show ipv6 interface brief, you see that several IPv6 addresses
have the 16-bit hexadecimal value of "FFFE" inserted into the address. Based on this information, what do
you conclude about these IPv6 addresses?

A. IEEE EUI-64 was implemented when assigning IPv6 addresses on the device.
B. The addresses were misconfigured and will not function as intended.
C. IPv6 addresses containing "FFFE" indicate that the address is reserved for multicast.
D. The IPv6 universal/local flag (bit 7) was flipped.
E. IPv6 unicast forwarding was enabled, but IPv6 Cisco Express Forwarding was disabled.

Correct Answer: A
Section: Layer 3 Technologies
Explanation

Explanation/Reference:
Explanation:
Extended Unique Identifier (EUI), as per RFC2373, allows a host to assign itself a unique 64-bit IP Version
6 interface identifier (EUI-64). This feature is a key benefit over IPv4 as it eliminates the need for manual
configuration or DHCP as in the world of IPv4. The IPv6 EUI-64 format address is obtained through the
48-bit MAC address. The MAC address is first separated into two 24-bit halves, with one being the OUI
(Organizationally Unique Identifier) and the other being NIC specific. The 16-bit 0xFFFE is then inserted
between these two 24-bit halves to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value
which can only appear in EUI-64 generated from the EUI-48 MAC address.

Here is an example showing how the MAC address is used to generate EUI.

Next, the seventh bit from the left, or the universal/local (U/L) bit, needs to be inverted. This bit identifies
whether this interface identifier is universally or locally administered. If 0, the address is locally administered
and if 1, the address is globally unique. It is worth noticing that in the OUI portion, the globally unique
addresses assigned by the IEEE have always been set to 0 whereas the locally created addresses have 1
configured. Therefore, when the bit is inverted, it maintains its original scope (global unique address is still
global unique and vice versa). The reason for inverting can be found in RFC4291 section 2.5.1.


Once the above is done, we have a fully functional EUI-64 format address.

Reference: https://supportforums.cisco.com/document/100566/understanding-ipv6-eui-64-bit-address
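
The EUI-64 steps above, as an added example that is not part of the original material. It builds the address from a MAC address and a /64 prefix, and also reverses the process, which shows that an EUI-64 address discloses the interface's MAC address. The MAC values are constructed; the prefix is the one given in Question 14.

```python
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept 001a.2b3c.4d5e, 00:1A:2B:3C:4D:5E or 00-1a-2b-3c-4d-5e."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Split the MAC into two 24-bit halves, insert FFFE, invert the U/L bit."""
    raw = mac_to_bytes(mac)
    first = raw[0] ^ 0x02  # U/L bit: seventh bit from the left of the first byte
    return bytes([first]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(address: str):
    """Recover the MAC from an EUI-64 address, or None if FFFE is not present.

    Useful when reviewing address plans or captures: any address that
    passes this check exposes the hardware address of the interface.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    sample_mac = "001a.2b3c.4d5e"  # constructed sample value
    addr = eui64_address("2001:DB8:0:1::/64", sample_mac)
    print(addr)
    print(mac_from_eui64(str(addr)))
    print(mac_from_eui64("2001:db8:0:1::1"))
```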

QUESTION 18
A packet capture log indicates that several router solicitation messages were sent from a local host on the
IPv6 segment. What is the expected acknowledgment and its usage?

A. Router acknowledgment messages will be forwarded upstream, where the DHCP server will allocate
addresses to the local host.
B. Routers on the IPv6 segment will respond with an advertisement that provides an external path from the
local subnet, as well as certain data, such as prefix discovery.
C. Duplicate Address Detection will determine if any other local host is using the same IPv6 address for
communication with the IPv6 routers on the segment.
D. All local host traffic will be redirected to the router with the lowest ICMPv6 signature, which is statically
defined by the network administrator.

Correct Answer: B
Section: Layer 3 Technologies
Explanation

Explanation/Reference:
Explanation:
Router Advertisements (RA) are sent in response to router solicitation messages. Router solicitation
messages, which have a value of 133 in the Type field of the ICMP packet header, are sent by hosts at
system startup so that the host can immediately autoconfigure without needing to wait for the next
scheduled RA message. Given that router solicitation messages are usually sent by hosts at system startup
(the host does not have a configured unicast address), the source address in router solicitation messages
is usually the unspecified IPv6 address (0:0:0:0:0:0:0:0). If the host has a configured unicast address, the
unicast address of the interface sending the router solicitation message is used as the source address in
the message. The destination address in router solicitation messages is the all-routers multicast address
with a scope of the link. When an RA is sent in response to a router solicitation, the destination address in
the RA message is the unicast address of the source of the router solicitation message.
RA messages typically include the following information:
• One or more on-link IPv6 prefixes that nodes on the local link can use to automatically configure their IPv6
addresses
• Lifetime information for each prefix included in the advertisement
• Sets of flags that indicate the type of autoconfiguration (stateless or stateful) that can be completed
• Default router information (whether the router sending the advertisement should be used as a default
router and, if so, the amount of time (in seconds) the router should be used as a default router)
• Additional information for hosts, such as the hop limit and MTU a host should use in packets that it
originates

QUESTION 19
Scenario
You have been asked to evaluate an OSPF network setup in a test lab and to answer questions a customer
has about its operation. The customer has disabled your access to the show running-config command.

Instructions
- Enter IOS commands on the device to verify network operation and answer four multiple-choice questions.
- THIS TASK DOES NOT REQUIRE DEVICE CONFIGURATION.
- Click on the icon or the lab at the bottom of the screen to gain access to the console for each device.
- No console or enable passwords are required.
- To access the multiple-choice questions, click on the numbered boxes on the left of the top panel.
- There are four multiple-choice questions with this task. Be sure to answer all four questions before
selecting the Next button.

How old is the Type 4 LSA from Router 3 for area 1 on the router R5, based on the output you have
examined?

A. 1858
B. 1601
C. 600
D. 1569

Correct Answer: A
Section: Layer 3 Technologies
Explanation

Explanation/Reference:
Explanation:
Part of the “show ip ospf topology” command on R5 shows this:
The Link ID of R3 (3.3.3.3) shows the age is 1858.

QUESTION 20
Scenario
You have been asked to evaluate an OSPF network setup in a test lab and to answer questions a customer
has about its operation. The customer has disabled your access to the show running-config command.

Instructions
- Enter IOS commands on the device to verify network operation and answer four multiple-choice questions.
- THIS TASK DOES NOT REQUIRE DEVICE CONFIGURATION.
- Click on the icon or the lab at the bottom of the screen to gain access to the console for each device.
- No console or enable passwords are required.
- To access the multiple-choice questions, click on the numbered boxes on the left of the top panel.
- There are four multiple-choice questions with this task. Be sure to answer all four questions before
selecting the Next button.
Areas of Router 5 and 6 are not normal areas. Inspect their routing tables and determine which statement is
true.

A. R5’s Loopback and R6’s Loopback are both present in R5’s Routing table
B. R5’s Loopback and R6’s Loopback are both present in R6’s Routing table
C. Only R5’s loopback is present in R5’s Routing table
D. Only R6’s loopback is present in R5’s Routing table
E. Only R5’s loopback is present in R6’s Routing table

Correct Answer: A
Section: Layer 3 Technologies
Explanation

Explanation/Reference:
Explanation:
Here are the routing tables of R5 and R6:

Here we see R5’s loopbacks in the routing table shown as connected, and the 6.6.6.6 loopback IP address
of R6 is also seen as an OSPF route in R5’s routing table.

QUESTION 21
A company has just opened two remote branch offices that need to be connected to the corporate network.
Which interface configuration output can be applied to the corporate router to allow communication to the
remote sites?

A.

B.
C.

D.

Correct Answer: A
Section: VPN Technologies
Explanation

Explanation/Reference:
Explanation:
The configuration of mGRE allows a tunnel to have multiple destinations. The configuration of mGRE on
one side of a tunnel does not have any relation to the tunnel properties that might exist at the exit points.
This means that an mGRE tunnel on the hub may connect to a p2p tunnel on the branch. Conversely, a p2p
GRE tunnel may connect to an mGRE tunnel. The distinguishing feature between an mGRE interface and a
p2p GRE interface is the tunnel destination. An mGRE interface does not have a configured destination.
Instead the GRE tunnel is configured with the command tunnel mode gre multipoint. This command is
used instead of the tunnel destination x.x.x.x found with p2p GRE tunnels. Besides allowing for multiple
destinations, an mGRE tunnel requires NHRP to resolve the tunnel endpoints. Note, tunnel interfaces by
default are point-to-point (p-p) using GRE encapsulation, effectively they have the tunnel mode gre
command, which is not seen in the configuration because it is the default.
The mGRE configuration is as follows:
!
interface Tunnel0
bandwidth 1536
ip address 10.62.1.10 255.255.255.0
tunnel source Serial0/0
tunnel mode gre multipoint

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMVPN_2_Phase2.html

QUESTION 22
A network engineer executes the show crypto ipsec sa command. Which three pieces of information are
displayed in the output? (Choose three.)

A. inbound crypto map
B. remaining key lifetime
C. path MTU
D. tagged packets
E. untagged packets
F. invalid identity packets

Correct Answer: ABC


Section: VPN Technologies
Explanation

Explanation/Reference:
Explanation:
show crypto ipsec sa
This command shows IPsec SAs built between peers. The encrypted tunnel is built between 12.1.1.1 and
12.1.1.2 for traffic that goes between networks 20.1.1.0 and 10.1.1.0. You can see the two Encapsulating
Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since
there are no AH SAs.
This output shows an example of the show crypto ipsec sa command (bolded ones found in answers for
this question).
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #Recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

QUESTION 23
Refer to the following output:

Router#show ip nhrp detail
10.1.1.2/8 via 10.2.1.2, Tunnel1 created 00:00:12, expire 01:59:47
Type: Dynamic, Flags: authoritative unique nat registered used
NBMA address: 10.12.1.2

What does the authoritative flag mean in regards to the NHRP information?

A. It was obtained directly from the next-hop server.
B. Data packets are process switched for this mapping entry.
C. NHRP mapping is for networks that are local to this router.
D. The mapping entry was created in response to an NHRP registration request.
E. The NHRP mapping entry cannot be overwritten.

Correct Answer: A
Section: VPN Technologies
Explanation

Explanation/Reference:
Explanation:
Show NHRP: Examples
The following is sample output from the show ip nhrp command:
Router# show ip nhrp
10.0.0.2 255.255.255.255, tunnel 100 created 0:00:43 expire 1:59:16
Type: dynamic Flags: authoritative
NBMA address: 10.1111.1111.1111.1111.1111.1111.1111.1111.1111.11
10.0.0.1 255.255.255.255, Tunnel0 created 0:10:03 expire 1:49:56
Type: static Flags: authoritative
NBMA address: 10.1.1.2
The fields in the sample display are as follows:
The IP address and its network mask in the IP-to-NBMA address cache. The mask is always
255.255.255.255 because Cisco does not support aggregation of NBMA information through NHRP.
The interface type and number and how long ago it was created (hours:minutes:seconds).
The time in which the positive and negative authoritative NBMA address will expire
(hours:minutes:seconds). This value is based on the ip nhrp holdtime command.
Type of interface:
– dynamic — NBMA address was obtained from the NHRP Request packet.
– static — NBMA address was statically configured.
Flags:
– authoritative — Indicates that the NHRP information was obtained from the Next Hop Server or router
that maintains the NBMA-to-IP address mapping for a particular destination.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/xe-16/nhrp-xe-16-book/config-nhrp.html

QUESTION 24
Which common issue causes intermittent DMVPN tunnel flaps?

A. a routing neighbor reachability issue
B. a suboptimal routing table
C. interface bandwidth congestion
D. that the GRE tunnel to hub router is not encrypted

Correct Answer: A
Section: VPN Technologies
Explanation

Explanation/Reference:
Explanation:
DMVPN Tunnel Flaps Intermittently
Problem
DMVPN tunnel flaps intermittently.
Solution
When DMVPN tunnels flap, check the neighborship between the routers as issues with neighborship
formation between routers may cause the DMVPN tunnel to flap. In order to resolve this problem, make
sure the neighborship between the routers is always up.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html#Prblm1

QUESTION 25
A user is having issues accessing file shares on a network. The network engineer advises the user to open
a web browser, input a prescribed IP address, and follow the instructions. After doing this, the user is able
to access company shares. Which type of remote access did the engineer enable?

A. EZVPN
B. IPsec VPN client access
C. VPDN client access
D. SSL VPN client access

Correct Answer: D
Section: VPN Technologies
Explanation

Explanation/Reference:
Explanation:
The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote
users. Without a previously installed client, remote users enter the IP address in their browser of an
interface configured to accept SSL VPN connections. Unless the security appliance is configured to redirect
http:// requests to https://, users must enter the URL in the form https://<address>.
After entering the URL, the browser connects to that interface and displays the login screen. If the user
satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it
downloads the client that matches the operating system of the remote computer. After downloading, the
client installs and configures itself, establishes a secure SSL connection and either remains or uninstalls
itself (depending on the security appliance configuration) when the connection terminates.

Reference: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html

QUESTION 26
Which Cisco IOS VPN technology leverages IPsec, mGRE, dynamic routing protocol, NHRP, and Cisco
Express Forwarding?

A. FlexVPN
B. DMVPN
C. GETVPN
D. Cisco Easy VPN

Correct Answer: B
Section: VPN Technologies
Explanation

Explanation/Reference:
Explanation:
Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a virtual private
network (VPN) supported on Cisco IOS-based routers and Unix-like operating systems, based on the
standard protocols GRE, NHRP and IPsec. DMVPN provides the capability for creating a dynamic-mesh
VPN network without having to pre-configure (static) all possible tunnel end-point peers, including
IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management
Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring
the hubs (VPN headends) on the spokes; no change in the configuration on the hub is required to accept
new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on
demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh
capability alleviates the need for any load on the hub to route data between the spoke networks.
DMVPN is a combination of the following technologies:
Multipoint GRE (mGRE)
Next-Hop Resolution Protocol (NHRP)
Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
Dynamic IPsec encryption
Cisco Express Forwarding (CEF)

Reference: http://en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network

QUESTION 27
For troubleshooting purposes, which method can you use in combination with the “debug ip packet”
command to limit the amount of output data?

A. You can disable the IP route cache globally.
B. You can use the KRON scheduler.
C. You can use an extended access list.
D. You can use an IOS parser.
E. You can use the RITE traffic exporter.

Correct Answer: C
Section: Infrastructure Security
Explanation

Explanation/Reference:
Explanation:
The “debug ip packet” command generates a substantial amount of output and uses a substantial amount
of system resources. This command should be used with caution in production networks. Always use with
the access-list command to apply an extended ACL to the debug output.

Reference: http://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html

QUESTION 28
Which address is used by the Unicast Reverse Path Forwarding protocol to validate a packet against the
routing table?

A. source address
B. destination address
C. router interface
D. default gateway

Correct Answer: A
Section: Infrastructure Security
Explanation

Explanation/Reference:
Explanation:
The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or
forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP
source address. For example, a number of common types of denial-of-service (DoS) attacks, including
Smurf and Tribal Flood Network (TFN), can take advantage of forged or rapidly changing source IP
addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet service providers
(ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets that have
source addresses that are valid and consistent with the IP routing table. This action protects the network of
the ISP, its customer, and the rest of the Internet.

Reference: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrpf.html

QUESTION 29
What are the three modes of Unicast Reverse Path Forwarding?

A. strict mode, loose mode, and VRF mode
B. strict mode, loose mode, and broadcast mode
C. strict mode, broadcast mode, and VRF mode
D. broadcast mode, loose mode, and VRF mode

Correct Answer: A
Section: Infrastructure Security
Explanation

Explanation/Reference:
Explanation:
Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious
traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of
the source address in packets being forwarded. This capability can limit the appearance of spoofed
addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works
in one of three different modes: strict mode, loose mode, or VRF mode. Note that not all network
devices support all three modes of operation. Unicast RPF in VRF mode will not be covered in this
document.
When administrators use Unicast RPF in strict mode, the packet must be received on the interface that the
router would use to forward the return packet. Unicast RPF configured in strict mode may drop legitimate
traffic that is received on an interface that was not the router's choice for sending return traffic. Dropping
this legitimate traffic could occur when asymmetric routing paths are present in the network.
When administrators use Unicast RPF in loose mode, the source address must appear in the routing table.
Administrators can change this behavior using the allow-default option, which allows the use of the default
route in the source verification process. Additionally, a packet that contains a source address for which the
return route points to the Null 0 interface will be dropped. An access list may also be specified that permits
or denies certain source addresses in Unicast RPF loose mode.
Care must be taken to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during
the deployment of this feature because it can drop legitimate traffic. Although asymmetric traffic flows may
be of concern when deploying this feature, Unicast RPF loose mode is a scalable option for networks that
contain asymmetric routing paths.

Reference: http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
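
The strict and loose checks described above can be modelled as a source-address lookup against the routing table. The following Python sketch is an added illustration, not Cisco code: the routing table, interface names and function names are constructed for the example, the ACL option is left out, and the allow-default rule is applied to both modes as a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface; "Null0" marks a discard route


def build_rib(entries):
    """Turn (prefix, interface) pairs into Route objects."""
    return [Route(ipaddress.ip_network(p), i) for p, i in entries]


def best_route(rib, address):
    """Longest-prefix match of an address against the RIB, or None."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in rib if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(rib, src, in_interface, mode="strict", allow_default=False):
    """Return (permit, reason) for a packet from `src` received on `in_interface`."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = best_route(rib, src)
    if route is None:
        return False, "source address is not in the routing table"
    if route.interface == "Null0":
        return False, "return route points to Null0"
    # Assumption of this sketch: the default route only counts when
    # allow_default is set, in both modes.
    if route.prefix.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    if mode == "loose":
        return True, "source address is in the routing table"
    # Strict mode: the receiving interface must be the one the router
    # would use to send the return packet.
    if route.interface != in_interface:
        return False, (f"return path is {route.interface}, "
                       f"packet arrived on {in_interface}")
    return True, "packet arrived on the return-path interface"


# Constructed routing table (documentation and private prefixes).
SAMPLE_RIB = build_rib([
    ("10.1.0.0/16", "Gi0/1"),       # internal network
    ("198.51.100.0/24", "Gi0/2"),   # second path
    ("203.0.113.0/24", "Null0"),    # discard route
    ("0.0.0.0/0", "Gi0/0"),         # default route
])

if __name__ == "__main__":
    cases = [
        ("10.1.5.5", "Gi0/1", "strict", False),   # symmetric path
        ("10.1.5.5", "Gi0/2", "strict", False),   # asymmetric path
        ("10.1.5.5", "Gi0/2", "loose", False),
        ("203.0.113.9", "Gi0/0", "loose", False),
        ("192.0.2.1", "Gi0/0", "loose", False),
        ("192.0.2.1", "Gi0/0", "loose", True),
    ]
    for src, ifc, mode, allow in cases:
        permit, reason = urpf_check(SAMPLE_RIB, src, ifc, mode, allow)
        verdict = "permit" if permit else "drop"
        print(f"{mode:6} src={src:12} in={ifc} allow_default={allow}: "
              f"{verdict} ({reason})")
```

The second case is the asymmetric-routing drop the explanation warns about: the source is legitimate, but strict mode discards it because the return path uses a different interface.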

QUESTION 30
What does the following access list, which is applied on the external interface FastEthernet 1/0 of the
perimeter router, accomplish?

A. It prevents incoming traffic from IP address ranges 10.0.0.0-10.0.0.255, 172.16.0.0-172.31.255.255,
192.168.0.0-192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and logs any exit to
the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any intrusion
attempts.
D. It prevents private internal addresses to be accessed directly from outside.

Correct Answer: C
Section: Infrastructure Security
Explanation

Explanation/Reference:
Explanation:
The private IP address ranges defined in RFC 1918 are as follows:
10.0.0.0 — 10.255.255.255
172.16.0.0 — 172.31.255.255
192.168.0.0 — 192.168.255.255
These IP addresses should never be allowed from external networks into a corporate network as they
would only be able to reach the network from the outside via routing problems or if the IP addresses were
spoofed. This ACL is used to prevent all packets with a spoofed reserved private source IP address to enter
the network. The log keyword also enables logging of this intrusion attempt.

QUESTION 31
A network engineer is configuring a routed interface to forward broadcasts of UDP 69, 53, and 49 to
172.20.14.225. Which command should be applied to the configuration to allow this?

A. router(config-if)#ip helper-address 172.20.14.225
B. router(config-if)#udp helper-address 172.20.14.225
C. router(config-if)#ip udp helper-address 172.20.14.225
D. router(config-if)#ip helper-address 172.20.14.225 69 53 49

Correct Answer: A
Section: Infrastructure Security
Explanation

Explanation/Reference:
Explanation:
To let a router forward broadcast packets, the ip helper-address command can be used. The broadcasts will
be forwarded to the unicast address that is specified with the ip helper-address command.

ip helper-address {ip address}

When configuring the ip helper-address command, the following broadcast packets will be forwarded by the
router by default:
TFTP — UDP port 69
Domain Name System (DNS) – UDP port 53
Time service — port 37
NetBIOS Name Server — port 137
NetBIOS Datagram Server — port 138
Bootstrap Protocol (BOOTP) — port 67
TACACS – UDP port 49

QUESTION 32
A network engineer is configuring SNMP on network devices to utilize one-way SNMP notifications.
However, the engineer is not concerned with authentication or encryption. Which command satisfies the
requirements of this scenario?

A. router(config)#snmp-server host 172.16.201.28 traps version 2c CISCORO
B. router(config)#snmp-server host 172.16.201.28 informs version 2c CISCORO
C. router(config)#snmp-server host 172.16.201.28 traps version 3 auth CISCORO
D. router(config)#snmp-server host 172.16.201.28 informs version 3 auth CISCORO

Correct Answer: A
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
Most network admins and engineers are familiar with SNMPv2c which has become the dominant SNMP
version of the past decade. It’s simple to configure on both the router/switch-side and just as easy on the
network monitoring server. The problem of course is that the SNMP statistical payload is not encrypted and
authentication is passed in cleartext. Most companies have decided that the information being transmitted
isn’t valuable enough to be worth the extra effort in upgrading to SNMPv3, but I would suggest otherwise.
Like IPv4 to IPv6, there are some major changes under the hood. SNMP version 2 uses community strings
(think clear text passwords, no encryption) to authenticate polling and trap delivery. SNMP version 3 moves
away from the community string approach in favor of user-based authentication and view-based access
control. The users are not actual local user accounts, rather they are simply a means to determine who can
authenticate to the device. The view is used to define what the user account may access on the IOS device.
Finally, each user is added to a group, which determines the access policy for its users. Users, groups,
views.

QUESTION 33
When using SNMPv3 with NoAuthNoPriv, which string is matched for authentication?

A. username
B. password
C. community-string
D. encryption-key

Correct Answer: A
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
The following security models exist: SNMPv1, SNMPv2, SNMPv3. The following security levels exist:
“noAuthNoPriv” (no authentication and no encryption – noauth keyword in CLI),
“AuthNoPriv” (messages are authenticated but not encrypted – auth keyword in CLI),
“AuthPriv” (messages are authenticated and encrypted – priv keyword in CLI). SNMPv1 and SNMPv2
models only support the “noAuthNoPriv” model since they use a plain community string to match the
incoming packets. The SNMPv3 implementations could be configured to use either of the models on a
per-group basis (if “noAuthNoPriv” is configured, the username serves as a replacement for the
community string).

Reference: http://blog.ine.com/2008/07/19/snmpv3-tutorial/

QUESTION 34
After a recent DoS attack on a network, senior management asks you to implement better logging
functionality on all IOS-based devices. Which two actions can you take to provide enhanced logging
results? (Choose two.)

A. Use the msec option to enable service time stamps.
B. Increase the logging history
C. Set the logging severity level to 1.
D. Specify a logging rate limit.
E. Disable event logging on all noncritical items.

Correct Answer: AB
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
The optional msec keyword specifies the date/time format should include milliseconds. This can aid in
pinpointing the exact time of events, or to correlate the order that the events happened. To limit syslog
messages sent to the router’s history table and to an SNMP network management station based on
severity, use the logging history command in global configuration mode. By default, Cisco devices log error
messages of severity levels 0 through 4 (emergency, alert, critical, error, and warning levels); in other
words, “saving level warnings or higher.” By increasing the severity level, more granular monitoring can
occur, and SNMP messages will also be sent for the less severe (5-7) messages.

QUESTION 35
A network engineer finds that a core router has crashed without warning. In this situation, which feature can
the engineer use to create a crash collection?

A. secure copy protocol
B. core dumps
C. warm reloads
D. SNMP
E. NetFlow

Correct Answer: B
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
When a router crashes, it is sometimes useful to obtain a full copy of the memory image (called a core
dump) to identify the cause of the crash. Core dumps are generally very useful to your technical support
representative.
Four basic ways exist for setting up the router to generate a core dump:
Using Trivial File Transfer Protocol (TFTP)
Using File Transfer Protocol (FTP)
Using remote copy protocol (rcp)
Using a Flash disk

Reference: http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr19aa.html

QUESTION 36
A network engineer is trying to implement broadcast-based NTP in a network and executes the ntp
broadcast client command. Assuming that an NTP server is already set up, what is the result of the
command?

A. It enables receiving NTP broadcasts on the interface where the command was executed.
B. It enables receiving NTP broadcasts on all interfaces globally.
C. It enables a device to be an NTP peer to another device.
D. It enables a device to receive NTP broadcast and unicast packets.

Correct Answer: A
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
The NTP service can be activated by entering any ntp command. When you use the ntp broadcast client
command, the NTP service is activated (if it has not already been activated) and the device is configured to
receive NTP broadcast packets on a specified interface simultaneously.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-xe-3se-3850-cr-book/bsm-xe-3se-3850-cr-book_chapter_00.html

QUESTION 37
What is a function of NPTv6?

A. It interferes with encryption of the full IP payload.
B. It maintains a per-node state.
C. It is checksum-neutral.
D. It rewrites transport layer headers.

Correct Answer: C
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
RFC 6296 describes a stateless IPv6-to-IPv6 Network Prefix Translation (NPTv6) function, designed to
provide address independence to the edge network. It is transport-agnostic with respect to transports that
do not checksum the IP header, such as SCTP, and to transports that use the TCP/UDP/DCCP (Datagram
Congestion Control Protocol) pseudo-header and checksum.
NPTv6 provides a simple and compelling solution to meet the address-independence requirement in IPv6.
The address-independence benefit stems directly from the translation function of the network prefix
translator. To avoid as many of the issues associated with NAPT44 as possible, NPTv6 is defined to
include a two-way, checksum-neutral, algorithmic translation function, and nothing else.

Reference: http://tools.ietf.org/html/rfc6296

QUESTION 38
IPv6 has just been deployed to all of the hosts within a network, but not to the servers. Which feature allows
IPv6 devices to communicate with IPv4 servers?

A. NAT
B. NATng
C. NAT64
D. dual-stack NAT
E. DNS64

Correct Answer: C
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
NAT64 is a mechanism to allow IPv6 hosts to communicate with IPv4 servers. The NAT64 server is the
endpoint for at least one IPv4 address and an IPv6 network segment of 32-bits (for instance 64:ff9b::/96,
see RFC 6052, RFC 6146). The IPv6 client embeds the IPv4 address it wishes to communicate with using
these bits, and sends its packets to the resulting address. The NAT64 server then creates a NAT-mapping
between the IPv6 and the IPv4 address, allowing them to communicate.

Reference: http://en.wikipedia.org/wiki/NAT64

QUESTION 39
A network engineer executes the “ipv6 flowset” command. What is the result?

A. Flow-label marking in 1280-byte or larger packets is enabled.
B. Flow-set marking in 1280-byte or larger packets is enabled.
C. IPv6 PMTU is enabled on the router.
D. IPv6 flow control is enabled on the router.

Correct Answer: A
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
Enabling Flow-Label Marking in Packets that Originate from the Device
This feature allows the device to track destinations to which the device has sent packets that are 1280
bytes or larger.
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 flowset
4. exit
5. clear ipv6 mtu

DETAILED STEPS

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/15-mt/ip6b-15-mt-book/ip6-mtu-path-disc.html

QUESTION 40
A network engineer is configuring a solution to allow failover of HSRP nodes during maintenance windows,
as an alternative to powering down the active router and letting the network respond accordingly. Which
action will allow for manual switching of HSRP nodes?

A. Track the up/down state of a loopback interface and shut down this interface during maintenance.
B. Adjust the HSRP priority without the use of preemption.
C. Disable and enable all active interfaces on the active HSRP node.
D. Enable HSRPv2 under global configuration, which allows for maintenance mode.

Correct Answer: A
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
The standby track command allows you to specify another interface on the router for the HSRP process to
monitor in order to alter the HSRP priority for a given group. If the line protocol of the specified interface
goes down, the HSRP priority is reduced. This means that another HSRP router with higher priority can
become the active router if that router has standby preempt enabled. Loopback interfaces can be tracked,
so when this interface is shut down the HSRP priority for that router will be lowered and the other HSRP
router will then become the active one.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/13780-6.html

QUESTION 41
A network engineer is notified that several employees are experiencing network performance related
issues, and bandwidth-intensive applications are identified as the root cause. In order to identify which
specific type of traffic is causing this slowness, information such as the source/destination IP and Layer 4
port numbers is required. Which feature should the engineer use to gather the required information?

A. SNMP
B. Cisco IOS EEM
C. NetFlow
D. Syslog
E. WCCP

Correct Answer: C
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
NetFlow Flows Key Fields
A network flow is identified as a unidirectional stream of packets between a given source and destination--
both are defined by a network-layer IP address and transport-layer source and destination port numbers.
Specifically, a flow is identified as the combination of the following key fields:
Source IP address
Destination IP address
Source Layer 4 port number
Destination Layer 4 port number
Layer 3 protocol type
Type of service (ToS)
Input logical interface

QUESTION 42
A network engineer has left a NetFlow capture enabled over the weekend to gather information regarding
excessive bandwidth utilization. The following command is entered:

switch#show flow exporter Flow_Exporter-1

What is the expected output?

A. configuration of the specified flow exporter
B. current status of the specified flow exporter
C. status and statistics of the specified flow monitor
D. configuration of the specified flow monitor

Correct Answer: B
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:

Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-mt/cfg-de-fnflow-exprts.html

QUESTION 43
A company’s corporate policy has been updated to require that stateless, 1-to-1, and IPv6 to IPv6
translations at the Internet edge are performed. What is the best solution to ensure compliance with this
new policy?

A. NAT64
B. NAT44
C. NATv6
D. NPTv4
E. NPTv6

Correct Answer: E
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
NPTv6 provides a mechanism to translate the private internal organization prefixes to public globally
reachable addresses. The translation mechanism is stateless and provides a 1:1 relationship between the
internal addresses and external addresses. The use cases for NPTv6 outlined in the RFC include peering
with partner networks, multi homing, and redundancy and load sharing.

Reference: http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/August2012/Cisco_SBA_BN_IPv6AddressingGuide-Aug2012.pdf

QUESTION 44
Which two functions are completely independent when implementing NAT64 over NAT-PT? (Choose two.)

A. DNS
B. NAT
C. port redirection
D. stateless translation
E. session handling

Correct Answer: AB
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
Network Address Translation IPv6 to IPv4, or NAT64, technology facilitates communication between IPv6-only
and IPv4-only hosts and networks (whether in a transit, an access, or an edge network). This solution
allows both enterprises and ISPs to accelerate IPv6 adoption while simultaneously handling IPv4 address
depletion. The DNS64 and NAT64 functions are completely separated, which is essential to the superiority
of NAT64 over NAT-PT.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html

QUESTION 45
Which two methods of deployment can you use when implementing NAT64? (Choose two.)

A. stateless
B. stateful
C. manual
D. automatic
E. static
F. functional
G. dynamic

Correct Answer: AB
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
While stateful and stateless NAT64 perform the task of translating IPv4 packets into IPv6 packets and vice
versa, there are important differences. The following table provides a high-level overview of the most
relevant differences.

Table 2. Differences Between Stateless NAT64 and Stateful NAT64

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676277.html

QUESTION 46
Which NetFlow component is applied to an interface and collects information about flows?

A. flow monitor
B. flow exporter
C. flow sampler
D. flow collector

Correct Answer: A
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
Flow monitors are the NetFlow component that is applied to interfaces to perform network traffic monitoring.
Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the
flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the
first interface. Flow data is collected from the network traffic during the monitoring process based on the
key and nonkey fields in the record, which is configured for the flow monitor and stored in the flow monitor
cache.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html#wp1314030

QUESTION 47
Which type of traffic does DHCP snooping drop?

A. discover messages
B. DHCP messages where the source MAC and client MAC do not match
C. traffic from a trusted DHCP server to client
D. DHCP messages where the destination MAC and client MAC do not match

Correct Answer: B
Section: Infrastructure Services
Explanation

Explanation/Reference:
Explanation:
The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping
enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case
the packet is dropped):

1. The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY
packet) from a DHCP server outside the network or firewall.
2. The switch receives a packet on an untrusted interface, and the source MAC address and the
DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC
address verification option is turned on.
3. The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry
in the DHCP snooping binding table, and the interface information in the binding table does not match the
interface on which the message was received.
4. The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
To support trusted edge switches that are connected to untrusted aggregation-switch ports, you can enable
the DHCP option-82 on untrusted port feature, which enables untrusted aggregation-switch ports to accept
DHCP packets that include option-82 information. Configure the port on the edge switch that connects to
the aggregation switch as a trusted port.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
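
The drop conditions listed above can be written as a single decision function. The following Python sketch is an added illustration, not switch code: the class, field and port names are constructed for the example, condition 1 is modelled as a server-type message arriving on an untrusted port, and the option-82 rule is inferred from the paragraph on the option-82 on untrusted port feature.

```python
from dataclasses import dataclass

# Message types the text lists as coming from a DHCP server.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpPacket:
    msg_type: str
    src_mac: str               # Ethernet source MAC of the frame
    chaddr: str                # client hardware address in the DHCP payload
    giaddr: str = "0.0.0.0"    # relay agent IP address
    has_option82: bool = False


@dataclass
class Port:
    name: str
    trusted: bool = False
    # Hypothetical field standing in for "DHCP option-82 on untrusted port".
    allow_option82: bool = False


def snooping_verdict(pkt, port, bindings, verify_mac=True):
    """Return (action, reason); `bindings` maps client MAC -> interface name."""
    if port.trusted:
        return "forward", "trusted port, no validation"

    # 1. Server messages must not arrive on an untrusted port.
    if pkt.msg_type in SERVER_MESSAGES:
        return "drop", "server message on untrusted port"

    # 2. Source MAC must equal the client hardware address
    #    (only when MAC address verification is turned on).
    if verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "drop", "source MAC and client hardware address differ"

    # 3. RELEASE/DECLINE must come from the interface in the binding table.
    if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
        bound = bindings.get(pkt.chaddr.lower())
        if bound is not None and bound != port.name:
            return "drop", f"binding is on {bound}, message came from {port.name}"

    # 4. A relay agent address other than 0.0.0.0 is not accepted.
    if pkt.giaddr != "0.0.0.0":
        return "drop", "relay agent IP address is not 0.0.0.0"

    # Option-82 is only accepted on an untrusted port when explicitly enabled.
    if pkt.has_option82 and not port.allow_option82:
        return "drop", "option-82 on untrusted port"

    return "forward", "passed validation"


if __name__ == "__main__":
    # Constructed sample data.
    client = "aa:aa:aa:aa:aa:01"
    bindings = {client: "Gi1/0/5"}
    access = Port("Gi1/0/5")
    other = Port("Gi1/0/6")
    uplink = Port("Gi1/0/48", trusted=True)
    samples = [
        (DhcpPacket("DHCPDISCOVER", client, client), access),
        (DhcpPacket("DHCPDISCOVER", "bb:bb:bb:bb:bb:02", client), access),
        (DhcpPacket("DHCPOFFER", "cc:cc:cc:cc:cc:03", client), access),
        (DhcpPacket("DHCPOFFER", "cc:cc:cc:cc:cc:03", client), uplink),
        (DhcpPacket("DHCPRELEASE", client, client), other),
    ]
    for pkt, port in samples:
        print(pkt.msg_type, port.name, snooping_verdict(pkt, port, bindings))
```

The second sample is the case from the question: a DHCP message whose source MAC and client MAC do not match is dropped on an untrusted port.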

QUESTION 48
A network engineer has set up VRF-Lite on two routers where all the interfaces are in the same VRF. At a
later time, a new loopback is added to Router 1, but it cannot ping any of the existing interfaces. Which two
configurations enable the local or remote router to ping the loopback from any existing interface? (Choose
two.)

A. adding a static route for the VRF that points to the global route table
B. adding the loopback to the VRF
C. adding dynamic routing between the two routers and advertising the loopback
D. adding the IP address of the loopback to the export route targets for the VRF
E. adding a static route for the VRF that points to the loopback interface
F. adding all interfaces to the global and VRF routing tables

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 49
Refer to the exhibit. The network setup is running the RIP routing protocol. Which two events will occur
following link failure between R2 and R3? (Choose two.)

A. R2 will advertise network 192.168.2.0/27 with a hop count of 16 to R1.
B. R2 will not send any advertisements and will remove route 192.168.2.0/27 from its routing table.
C. R1 will reply to R2 with the advertisement for network 192.168.2.0/27 with a hop count of 16.
D. After communication fails and after the hold-down timer expires, R1 will remove the 192.168.2.0/27
route from its routing table.
E. R3 will not accept any further updates from R2, due to the split-horizon loop prevention mechanism.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 50
Which three benefits does the Cisco Easy Virtual Network provide to an enterprise network? (Choose
three.)

A. simplified Layer 3 network virtualization
B. improved shared services support
C. enhanced management, troubleshooting, and usability
D. reduced configuration and deployment time for dot1q trunking
E. increased network performance and throughput
F. decreased BGP neighbor configurations

Correct Answer: ABC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 51
Which technology was originally developed for routers to handle fragmentation in the path between end
points?

A. PMTUD
B. MSS
C. windowing
D. TCP
E. global synchronization

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the
maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts,
usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in Internet
Protocol Version 4 (IPv4).[1] However, all modern operating systems use it on endpoints. In IPv6, this
function has been explicitly delegated to the end points of a communications session.[2]

PMTUD is standardized for IPv4 in RFC 1191 and for IPv6 in RFC 1981. RFC 4821 describes an extension
to the techniques that works without support from Internet Control Message Protocol.

QUESTION 52
Which traffic characteristic is the reason that UDP traffic that carries voice and video is assigned to the
queue only on a link that is at least 768 kbps?

A. typically is not fragmented
B. typically is fragmented
C. causes windowing
D. causes excessive delays for video traffic

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 53
What is the primary service that is provided when you implement Cisco Easy Virtual Network?

A. It requires and enhances the use of VRF-Lite.
B. It reduces the need for common services separation.
C. It allows for traffic separation and improved network efficiency.
D. It introduces multi-VRF and label-prone network segmentation.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 54
How does an IOS router process a packet that should be switched by Cisco Express Forwarding without an
FIB entry?

A. by forwarding the packet
B. by dropping the packet
C. by creating a new FIB entry for the packet
D. by looking in the routing table for an alternate FIB entry

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 55
Which PPP authentication method sends authentication information in cleartext?

A. MS CHAP
B. CDPCP
C. CHAP
D. PAP

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
PAP authentication involves a two-way handshake where the username and password are sent across the
link in clear text; hence, PAP authentication does not provide any protection against playback and line
sniffing.
CHAP authentication, on the other hand, periodically verifies the identity of the remote node using a
three-way handshake. After the PPP link is established, the host sends a "challenge" message to the remote
node. The remote node responds with a value calculated using a one-way hash function. The host checks
the response against its own calculation of the expected hash value. If the values match, the authentication
is acknowledged; otherwise, the connection is terminated.

Reference:
http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/10241-ppp-callin-hostname.html

QUESTION 56
Refer to the exhibit. When summarizing these routes, which route is the summarized route?

A. OI 2001:DB8::/48 [110/100] via FE80::DDBB:CCFF:FE00:6F00, Ethernet0/0
B. OI 2001:DB8::/24 [110/100] via FE80::DDBB:CCFF:FE00:6F00, Ethernet0/0
C. OI 2001:DB8::/32 [110/100] via FE80::DDBB:CCFF:FE00:6F00, Ethernet0/0
D. OI 2001:DB8::/64 [110/100] via FE80::DDBB:CCFF:FE00:6F00, Ethernet0/0

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 57
Refer to the exhibit. After configuring GRE between two routers running EIGRP that are connected to each
other via a WAN link, a network engineer notices that the two routers cannot establish the GRE tunnel to
begin the exchange of routing updates. What is the reason for this?

A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 57.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 58
Which Cisco VPN technology uses AAA to implement group policies and authorization and is also used for
the XAUTH authentication method?

A. DMVPN
B. Cisco Easy VPN
C. GETVPN
D. GREVPN

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 59
Which parameter in an SNMPv3 configuration offers authentication and encryption?

A. auth
B. noauth
C. priv
D. secret

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 60
Refer to the exhibit. The DHCP client is unable to receive a DHCP address from the DHCP server.
Consider the following output:

hostname RouterB
!
interface fastethernet 0/0
ip address 172.31.1.1 255.255.255.0
interface serial 0/0
ip address 10.1.1.1 255.255.255.252
!
ip route 172.16.1.0 255.255.255.0 10.1.1.2

Which configuration is required on the Router B fastEthernet 0/0 port in order to allow the DHCP client to
successfully receive an IP address from the DHCP server?

A. RouterB(config-if)# ip helper-address 172.16.1.2
B. RouterB(config-if)# ip helper-address 172.16.1.1
C. RouterB(config-if)# ip helper-address 172.31.1.1
D. RouterB(config-if)# ip helper-address 255.255.255.255

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 61
Which statement about the NPTv6 protocol is true?

A. It is used to translate IPv4 prefixes to IPv6 prefixes.
B. It is used to translate an IPv6 address prefix to another IPv6 prefix.
C. It is used to translate IPv6 prefixes to IPv4 subnets with appropriate masks.
D. It is used to translate IPv4 addresses to IPv6 link-local addresses.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
NPT stands for Network Prefix Translation.

IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix
to another IPv6 prefix, thereby allowing private Unique Local Addresses (ULA) to access the
Internet by translating them to globally routable addresses.

NPTv6 does not do a port translation, hence, the ports remain the same for incoming and outgoing packets.

QUESTION 62
Refer to the exhibit. Which statement about the configuration is true?

A. 20 packets are being sent every 30 seconds.
B. The monitor starts at 12:05:00 a.m.
C. Jitter is being tested with TCP packets to port 65051.
D. The packets that are being sent use DSCP EF.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 63
Refer to the exhibit. Which statement about the command output is true?

A. The router exports flow information to 10.10.10.1 on UDP port 5127.
B. The router receives flow information from 10.10.10.2 on UDP port 5127.
C. The router exports flow information to 10.10.10.1 on TCP port 5127.
D. The router receives flow information from 10.10.10.2 on TCP port 5127.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 64
A network engineer is trying to modify an existing active NAT configuration on an IOS router by using the
following command:

(config)# no ip nat pool dynamic-nat-pool 192.1.1.20 192.1.1.254 netmask 255.255.255.0

Upon entering the command on the IOS router, the following message is seen on the console:

%Dynamic Mapping in Use, Cannot remove message or the %Pool outpool in use, cannot destroy

What is the least impactful method that the engineer can use to modify the existing IP NAT configuration?

A. Clear the IP NAT translations using the "clear ip nat traffic *" command, then replace the NAT
configuration quickly, before any new NAT entries are populated into the translation table due to active
NAT traffic.
B. Clear the IP NAT translations using the "clear ip nat translation *" command, then replace the NAT
configuration quickly, before any new NAT entries are populated into the translation table due to active
NAT traffic.
C. Clear the IP NAT translations using the reload command on the router, then replace the NAT
configuration quickly, before any new NAT entries are populated into the translation table due to active
NAT traffic.
D. Clear the IP NAT translations using the "clear ip nat table *" command, then replace the NAT
configuration quickly, before any new NAT entries are populated into the translation table due to active
NAT traffic.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 65
Which IPv6 address type is seen as the next-hop address in the output of the show ipv6 rip RIPng database
command?

A. link-local
B. global
C. site-local
D. anycast
E. multicast

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 66
What are the default timers for RIPng?

A. Update: 30 seconds Expire: 180 seconds Flush: 240 seconds
B. Update: 20 seconds Expire: 120 seconds Flush: 160 seconds
C. Update: 10 seconds Expire: 60 seconds Flush: 80 seconds
D. Update: 5 seconds Expire: 30 seconds Flush: 40 seconds

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Update Timer
The update timer controls the interval between two gratuitous Response Messages. By default, the value is
30 seconds. The response message is broadcast to all of its RIP-enabled interfaces.[8]

Invalid Timer
The invalid timer specifies how long a routing entry can be in the routing table without being updated. This
is also called the expiration timer. By default, the value is 180 seconds. After the timer expires, the hop
count of the routing entry is set to 16, marking the destination as unreachable.

Flush Timer
The flush timer controls the time between a route being invalidated or marked as unreachable and the
removal of the entry from the routing table. By default, the value is 240 seconds. This is 60 seconds longer
than the invalid timer, so for 60 seconds the router advertises this unreachable route to all its neighbours.
This timer must be set to a higher value than the invalid timer.[8]

Hold-down Timer
The hold-down timer is started per route entry when the hop count changes from a lower value to a higher
value. This allows the route to stabilize. During this time, no update can be made to that routing entry.
This is not part of RFC 1058; it is Cisco's implementation. The default value of this timer is 180
seconds.

Reference:
http://www.brocade.com/content/html/en/configuration-guide/fastiron-08030b-l3guide/GUID-97023AC1-C034-40EA-B02D-1E3E9DACCAC7.html

QUESTION 67
A network engineer has configured a tracking object to monitor the reachability of IP SLA 1. In order to
update the next hop for the interesting traffic, which feature must be used in conjunction with the newly
created tracking object to manipulate the traffic flow as required?

A. SNMP
B. PBR
C. IP SLA
D. SAA
E. ACLs
F. IGP

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 68
Various employees in the same department report to the network engineer about slowness in the network
connectivity to the Internet. They are also having latency issues communicating to the network drives of
various departments. Upon monitoring, the engineer finds traffic flood in the network. Which option is the
problem?

A. network outage
B. network switching loop
C. router configuration issue
D. wrong proxy configured

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 69
Which two authentication protocols does PPP support? (Choose two.)

A. WAP
B. PAP
C. CHAP
D. EAP
E. RADIUS

Correct Answer: BC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 70
Which statement is a restriction for PPPoE configuration?

A. Multiple PPPoE clients can use the same dialer interface.
B. Multiple PPPoE clients can use the same dialer pool.
C. A PPPoE session can be initiated only by the client.
D. A PPPoE session can be initiated only by the access concentrator.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Restrictions for PPPoE on Ethernet

The following restrictions apply when the PPPoE on Ethernet feature is used:
• PPPoE is not supported on Frame Relay.
• PPPoE is not supported on any other LAN interfaces such as FDDI and Token Ring.
• Fast switching is supported. PPP over Ethernet over RFC 1483 FIB switching is supported for IP. All other
protocols are switched over process switching.

QUESTION 71
Refer to the exhibit.

Which statement about the configuration is true?

A. This configuration is incorrect because the MTU must match the ppp-max-payload that is defined.
B. This configuration is incorrect because the dialer interface number must be the same as the dialer pool
number.
C. This configuration is missing an IP address on the dialer interface.
D. This configuration represents a complete PPPoE client configuration on an Ethernet connection.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 72
A company has their headquarters located in a large city with a T3 frame relay link that connects 30 remote
locations that each have T1 frame relay connections. Which technology must be configured to prevent
remote sites from getting overwhelmed with traffic and prevent packet drops from the headquarters?

A. traffic shaping
B. IPsec VPN
C. GRE VPN
D. MPLS

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 73
In IPv6, SLAAC provides the ability to address a host based on a network prefix that is advertised from a
local network router. How is the prefix advertised?

A. routing table
B. router advertisements
C. routing protocol
D. routing type

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 74
Refer to the exhibit.

Which option prevents routing updates from being sent to the DHCP router, while still allowing routing
update messages to flow to the Internet router and the distribution switches?

A. DHCP(config-router)# passive-interface default
DHCP(config-router)# no passive-interface Gi1/0
Internet(config-router)# passive-interface Gi0/1
Internet(config-router)# passive-interface Gi0/2
B. Core(config-router)# passive-interface Gi0/0
Core(config-router)# passive-interface Gi3/1
Core(config-router)# passive-interface Gi3/2
DHCP(config-router)# no passive-interface Gi1/0
C. Core(config-router)# passive-interface default
Core(config-router)# no passive-interface Gi0/0
Core(config-router)# no passive-interface Gi3/1
Core(config-router)# no passive-interface Gi3/2
D. Internet(config-router)# passive-interface default
Core(config-router)# passive-interface default
DSW1(config-router)# passive-interface default
DSW2(config-router)# passive-interface default

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 75
A network engineer is considering enabling load balancing with EIGRP. Which consideration should be
analyzed?

A. EIGRP allows a maximum of four paths across for load balancing traffic.
B. By default, EIGRP uses a default variance of 2 for load balancing.
C. EIGRP unequal path load balancing can result in routing loops.
D. By default, EIGRP performs equal cost load balancing at least across four equal cost paths.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 76
The OSPF database of a router shows LSA types 1, 2, 3, and 7 only. Which type of area is this router
connected to?

A. stub area
B. totally stubby area
C. backbone area
D. not-so-stubby area

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 77
An engineer is configuring a GRE tunnel interface in the default mode. The engineer has assigned an IPv4
address on the tunnel and sourced the tunnel from an Ethernet interface. Which option also is required on
the tunnel interface before it is operational?

A. tunnel destination address
B. keepalives
C. IPv6 address
D. tunnel protection

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 78
Which statement is true?

A. RADIUS uses TCP, and TACACS+ uses UDP.
B. RADIUS encrypts the entire body of the packet.
C. TACACS+ encrypts only the password portion of a packet.
D. TACACS+ separates authentication and authorization.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 79
Which option is invalid when configuring Unicast Reverse Path Forwarding?

A. allow self ping to router
B. allow default route
C. allow based on ACL match
D. source reachable via both

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

QUESTION 80
Refer to the exhibit.

Which option represents the minimal configuration that allows inbound traffic from the 172.16.1.0/24
network to successfully enter router R, while also limiting spoofed 10.0.0.0/8 hosts that could enter router
R?

A.

B.

C.

D.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 81
Which outbound access list, applied to the WAN interface of a router, permits all traffic except for http traffic
sourced from the workstation with IP address 10.10.10.1?

A. ip access-list extended 200
deny tcp host 10.10.10.1 eq 80 any
permit ip any any
B. ip access-list extended 10
deny tcp host 10.10.10.1 any eq 80
permit ip any any
C. ip access-list extended NO_HTTP
deny tcp host 10.10.10.1 any eq 80
D. ip access-list extended 100
deny tcp host 10.10.10.1 any eq 80
permit ip any any

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 82
Which two statements indicate a valid association mode for NTP synchronization? (Choose two.)

A. The client polls NTP servers for time.
B. The client broadcasts NTP requests.
C. The client listens to NTP broadcasts.
D. The client creates a VPN tunnel to an NTP server.
E. The client multicasts NTP requests.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 83
An engineer is asked to monitor the availability of the next-hop IP address of 172.16.201.25 every 3
seconds using an ICMP echo packet via an ICMP echo probe. Which two commands accomplish this task?
(Choose two.)

A. router(config-ip-sla)#icmp-echo 172.16.201.25 source-interface FastEthernet 0/0
B. router(config-ip-sla-echo)#timeout 3
C. router(config-ip-sla)#icmp-jitter 172.16.201.25 interval 100
D. router(config-ip-sla-echo)#frequency 3
E. router(config-ip-sla)#udp-echo 172.16.201.25 source-port 23
F. router(config-ip-sla-echo)#threshold 3

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 84
What is the function of the snmp-server manager command?

A. to enable the device to send and receive SNMP requests and responses
B. to disable SNMP messages from getting to the SNMP engine
C. to enable the device to send SNMP traps to the SNMP server
D. to configure the SNMP server to store log data

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The SNMP manager process sends SNMP requests to agents and receives SNMP responses and
notifications from agents. When the SNMP manager process is enabled, the router can query other SNMP
agents and process incoming SNMP traps.
Most network security policies assume that routers will be accepting SNMP requests, sending SNMP
responses, and sending SNMP notifications. With the SNMP manager functionality enabled, the router may
also be sending SNMP requests, receiving SNMP responses, and receiving SNMP notifications. The
security policy implementation may need to be updated prior to enabling this functionality.
SNMP requests are typically sent to UDP port 161. SNMP responses are typically sent from UDP port 161.
SNMP notifications are typically sent to UDP port 162.

QUESTION 85
Refer to the following configuration command:

router(config)# ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80

Which statement about the command is true?

A. Any packet that is received in the inside interface with a source IP port address of 172.16.10.8:80 is
translated to 172.16.10.8:8080.
B. Any packet that is received in the inside interface with a source IP address of 172.16.10.8 is redirected
to port 8080 or port 80.
C. The router accepts only a TCP connection from port 8080 and port 80 on IP address 172.16.10.8.
D. Any packet that is received in the inside interface with a source IP port address of 172.16.10.8:8080 is
translated to 172.16.10.8:80.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html#topic9

QUESTION 86
When a tunnel interface is configured in the default mode, which statement about routers and the tunnel
destination address is true?

A. The router must have WCCP redirects enabled inbound from the tunnel destination.
B. The router must have redirects enabled outbound toward the tunnel destination.
C. The router must have a route installed toward the tunnel destination.
D. The router must have Cisco Discovery Protocol enabled on the tunnel to form a CDP neighborship with
the tunnel destination.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 87
Other than a working EIGRP configuration, which option must be the same on all routers for EIGRP
authentication key rollover to work correctly?

A. SMTP
B. SNMP
C. passwords
D. time

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Requirements for EIGRP authentication

The time must be properly configured on all routers. Refer to Configuring NTP for more information.
A working EIGRP configuration is recommended.

If we have option "Key-Chain", instead of "Passwords" then option C would also be correct.

References: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html

QUESTION 88
Which two statements about NTP operation are true? (Choose two.)

A. Locally configured time overrides time received from an NTP server.
B. If multiple NTP servers are configured, the one with the lowest stratum is preferred.
C. If multiple NTP servers are configured, the one with the highest stratum is preferred.
D. “Stratum” refers to the number of hops between the NTP client and the NTP server.
E. By default, NTP communications use UDP port 123.

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
NTP is designed to synchronize the time on a network of machines. NTP runs over the User Datagram
Protocol (UDP), using port 123 as both the source and destination, which in turn runs over IP. NTP Version
3 RFC 1305 is used to synchronize timekeeping among a set of distributed time servers
and clients. A set of nodes on a network are identified and configured with NTP and the nodes form a
synchronization subnet, sometimes referred to as an overlay network. While multiple masters (primary
servers) may exist, there is no requirement for an election protocol.
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic
clock attached to a time server. NTP then distributes this time across the network. An NTP client makes a
transaction with its server over its polling interval (from 64 to 1024 seconds) which dynamically changes
over time depending on the network conditions between the NTP server and the client. The other situation
occurs when the router communicates to a bad NTP server (for example, NTP server with large
dispersion); the router also increases the poll interval. No more than one NTP transaction per minute is
needed to synchronize two machines. It is not possible to adjust the NTP poll interval on a router.
NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an
authoritative time source. For example, a stratum 1 time server has a radio or atomic clock directly attached
to it. It then sends its time to a stratum 2 time server through NTP, and so on. A machine running NTP
automatically chooses the machine with the lowest stratum number that it is configured to communicate
with using NTP as its time source. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP performs well over the non-deterministic path lengths of packet-switched networks, because it makes
robust estimates of the following three key variables in the relationship between a client and a time server

Reference:
http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html

QUESTION 89
Which type of IPv6 address is an identifier for a single interface on a single node?

A. broadcast
B. multicast
C. anycast
D. unicast

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

An IPv6 unicast address is an identifier for a single interface, on a single node. A packet that is sent to a
unicast address is delivered to the interface identified by that address.
References:

QUESTION 90
Refer to the exhibit. Which three NTP features can be deduced on the router? (Choose three.)

A. only updates its time from 192.168.1.4
B. only accepts time requests from 192.168.1.1
C. only updates its time from 192.168.1.1
D. only accepts time requests from 192.168.1.4
E. only handles four requests at a time
F. only is in stratum 4

Correct Answer: ABF
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The access group options are scanned in the following order, from least restrictive to most restrictive.
However, if NTP matches a deny ACL rule in a configured peer, ACL processing stops and does not
continue to the next access group option.
• The peer keyword enables the device to receive time requests and NTP control queries and to
synchronize itself to the servers specified in the access list.
• The serve keyword enables the device to receive time requests and NTP control queries from the servers
specified in the access list but not to synchronize itself to the specified servers.
• The serve-only keyword enables the device to receive only time requests from servers specified in the
access list.
• The query-only keyword enables the device to receive only NTP control queries from the servers specified
in the access list.

QUESTION 91
A network engineer receives reports about poor voice quality issues at a remote site. The network engineer
does a packet capture and sees out-of-order packets being delivered. Which option can cause the VoIP
quality to suffer?

A. speed duplex link issues
B. misconfigured voice VLAN
C. load balancing over redundant links
D. traffic over backup redundant links

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
In traditional packet forwarding systems, different paths have varying latencies that cause out-of-order
packets, eventually resulting in far lower performance for the network application. Also, if some packets are
process switched quickly by the routing engine of the router while others are interrupt switched (which takes
more time), then it could result in out-of-order packets. The other options would cause packet drops or
latency, but not out-of-order packets.

QUESTION 92

Refer to the exhibit. A network engineer is troubleshooting a DMVPN setup between the hub and the spoke.
The engineer executes the command show crypto isakmp sa and observes the output that is displayed.
What is the problem?

A. that ISAKMP is using default settings
B. an incompatible ISAKMP policy
C. an incompatible IPsec transform set
D. that ISAKMP is not enabled

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Reference:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

QUESTION 93
Which two attributes describe UDP within a TCP/IP network? (Choose two.)

A. acknowledgments
B. unreliable delivery
C. connection-oriented communication
D. increased headers
E. connectionless communication

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
UDP Characteristics
presents the structure of a UDP segment header. Because UDP is considered to be an unreliable protocol,
it lacks the sequence numbering, window size, and connectionless acknowledgment numbering present in
the header of a TCP segment.
Rather the UDP segment's
Because a UDP segment header is so much smaller than a TCP segment header, UDP becomes a good
candidate for the transport layer protocol serving applications that need to maximize bandwidth and do not
require acknowledgments.

QUESTION 94
A network administrator notices that the BGP state and logs are generated for missing BGP hello
keepalives. What is the potential problem?

A. hello timer mismatch
B. MTU mismatch
C. incorrect neighbor options
D. BGP path MTU enabled

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Introduction
This document describes how to determine if internal or external Border Gateway Protocol (BGP) neighbor
flaps are caused by maximum transmission unit (MTU) issues.
Problem
BGP neighbors form; however, at the time of prefix exchange, the BGP state drops and the logs generate
missing BGP hello keepalives or the other peer terminates the session.
References:

QUESTION 95
Which IP SLA operation can be used to measure round-trip delay for the full path and hop-by-hop round-trip
delay on the network?

A. HTTP
B. ICMP echo
C. TCP connect
D. ICMP path echo

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The ICMP Path Echo operation computes hop-by-hop response time between a Cisco router and any IP
device on the network.

References:
http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper09186a00802d5efe.html

QUESTION 96
In which form does PAP Authentication send the user name and password across the link?

A. clear text
B. hashed
C. encrypted
D. password protected

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

QUESTION 97
What is the administrative distance for EBGP?

A. 200
B. 20
C. 30
D. 70

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

QUESTION 98
What is the optimal location from which to execute a debug command that produces an excessive amount
of information?

A. vty lines
B. a console port
C. SNMP commands
D. an AUX port

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Excessive debugs to the console port of a router can cause it to hang. This is because the router
automatically prioritizes console output ahead of other router functions. Hence, if the router is processing a
large debug output to the console port, it may hang. If the debug output is excessive, use the vty
(telnet) ports or the log buffers to obtain your debugs. More information is provided below.
References:
http://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html

QUESTION 99


How many times was the SPF algorithm executed on R4 for Area 1?

A. 1
B. 5
C. 9
D. 20
E. 54
F. 224

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Answers vary; some answers will be 3. To find the answer, you can check the number of times the
SPF algorithm was executed via the “show ip ospf” command on R4:

In this case it was 3. Again, answers will vary.

QUESTION 100
An engineer is using a network sniffer to troubleshoot DHCPv6 between a router and hosts on the LAN with
the following configuration:

interface Ethernet0
ipv6 dhcp server DHCPSERVERPOOL rapid-commit
!

Which two DHCP messages will appear in the sniffer logs? (Choose two.)

A. reply
B. request
C. advertise
D. Acknowledge
E. solicit
F. accept

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The DHCPv6 client can obtain configuration parameters from a server either through a rapid two-message
exchange (solicit, reply) or through a four-message exchange (solicit, advertise, request, and reply). By
default, the four-message exchange is used. When the rapid-commit option is enabled by both the client
and the server, the two-message exchange is used.
References:

QUESTION 101
At which layer does Cisco Express Forwarding use adjacency tables to populate addressing information?

A. Layer 4
B. Layer 3
C. Layer 2
D. Layer 1

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation: Adjacency table - Nodes in the network are said to be adjacent if they can reach each other
with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2
addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.
References:
http://www.cisco.com/c/en/us/support/docs/routers/12000-series-routers/47321-ciscoef.html

QUESTION 102
A network engineer wants to ensure an optimal end-to-end delay bandwidth product. The delay is less than
64 ms. Which TCP feature ensures steady state throughput?

A. network buffers
B. TCP acknowledgments
C. window scaling
D. round-trip timers

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Options can be carried in a TCP header. Those relevant to TCP performance include:
Window-scale option: This option is intended to address the issue of the maximum window size in the face of
paths that exhibit a high-delay bandwidth product. This option allows the window size advertisement to be
right-shifted by the amount specified (in binary arithmetic, a right-shift corresponds to a multiplication by 2).
Without this option, the maximum window size that can be advertised is 65,535 bytes (the maximum value
obtainable in a 16-bit field). The limit of TCP transfer speed is effectively one window size in transit between
the sender and the receiver. For high-speed, long-delay networks, this performance limitation is a significant
factor, because it limits the transfer rate to at most 65,535 bytes per round-trip interval, regardless of available
network capacity. Use of the window-scale option allows the TCP sender to effectively adapt to high-bandwidth,
high-delay network paths, by allowing more data to be held in flight.
The maximum window size with this option.
Reference:
http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-5/ipj-archive/article09186a00800c8417.html

QUESTION 103
Which two functionalities are specific to stateless NAT64? (Choose two.)

A. It does not conserve IPv4 addresses.
B. No requirement exists for the characteristics of IPv6 address assignment.
C. It uses address overloading.
D. State or bindings are created on the translation.
E. It provides 1-to-1 translation.

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Comparison Between Stateless and Stateful NAT64

| Stateless NAT64 | Stateful NAT64 |
|---|---|
| 1:1 translation, hence applicable for limited number of endpoints | 1:N translation, hence no constraint on the number of endpoints; therefore, also applicable for carrier-grade NAT (CGN) |
| No conservation of IPv4 address | Conserves IPv4 address |
| Helps ensure end-to-end address transparency and scalability | Uses address overloading; hence lacks end-to-end address transparency |
| No state or bindings created on the translation | State or bindings created on every unique translation |
| Requires IPv4-translatable IPv6 address assignment (mandatory requirement) | No requirement for the characteristics of IPv6 address assignment |
| Requires either manual or Dynamic Host Configuration Protocol Version 6 (DHCPv6)-based address assignment for IPv6 hosts | Capability to choose any mode of IPv6 address assignment: manual, DHCPv6, or stateless address autoconfiguration (SLAAC) |

QUESTION 104
A network administrator creates a static route that points directly to a multi-access interface, instead of the
next-hop IP address. The administrator notices that Cisco Express Forwarding ARP requests are being
sent to all destinations. Which issue might this configuration create?

A. Cisco Express Forwarding routing loop
B. IP route interference
C. high memory usage
D. high bandwidth usage
E. low bandwidth usage

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Reference:
http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/26083-trouble-cef.html

QUESTION 105
During which DMVPN phase is spoke-to-spoke communication enabled?

A. Phase 1
B. Phase 6
C. Phase 2
D. Phase 5
E. Phase 4

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 106
Which two tasks does a DHCP relay agent perform? (Choose two.)

A. It forwards DHCPHELLO and DHCPREQUEST messages to the DHCP server.
B. It forwards DHCPREQUEST and DHCPACK messages to the DHCP server.
C. It forwards DHCPOFFER and DHCPCOMPLETE messages to the DHCP client.
D. It forwards DHCPDISCOVER and DHCPREQUEST messages to the DHCP server.
E. It forwards DHCPOFFER and DHCPACK messages to the DHCP client.

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/rtg_brdg/guide/rtbrgdgd/dhcp.pdf, page 3

QUESTION 107
Which two address types are included in NAT? (Choose two.)

A. outside Internet
B. outside local
C. inside global
D. global outside
E. inside Internet

Correct Answer: BC
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/4606-8.html

QUESTION 108
A network engineer is modifying RIPng timer configuration. Which configuration mode should the engineer
use?

A. router(config-if)#
B. router(config-rtr)#
C. router(config)#
D. router(config-ripng)#

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
This is how to change the timers for RIPng:
R1(config)#ipv6 router rip test
R1(config-rtr)#timers 5 15 10 30 (5: Update period; 15: Route timeout period; 10: Route holddown period;
30: Route garbage collection period)

QUESTION 109
Which two statements about IP access lists are true? (Choose two.)

A. IP access lists without at least one deny statement permit all traffic by default.
B. They support wildcard masks to limit the address bits to which entries are applied.
C. Extended access lists must include port numbers.
D. They end with an implicit permit.
E. Entries are applied to traffic in the order in which they appear.

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 110
Which option is one way to mitigate asymmetric routing on an active/active firewall setup for TCP-based
connections?

A. disabling asr-group commands on interfaces that are likely to receive asymmetric traffic
B. disabling stateful TCP checks
C. performing packet captures
D. replacing them with redundant routers and allowing load balancing

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
QUESTION 111
A network engineer executes the show ip cache flow command. Which two types of information are
displayed in the report that is generated? (Choose two.)

A. flow samples for specific protocols
B. IP packet distribution
C. top talkers
D. flow export statistics
E. MLS flow traffic

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 112
Which two statements about NetFlow version 9 are true? (Choose two.)

A. It is IEEE standards based.
B. It is a Cisco proprietary technology.
C. It is IETF standards based.
D. It supports egress flows only.
E. It supports ingress flows only.
F. It supports ingress and egress flows.

Correct Answer: CF
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 113
Which three statements about SNMP are true? (Choose three.)

A. The manager polls the agent using UDP port 161.
B. SNMPv3 supports authentication and encryption.
C. The manager configures and sends traps to the agent.
D. The manager sends GET and SET messages.
E. The MIB database can be altered only by the SNMP agent.
F. The agent is the monitoring device.

Correct Answer: ABD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
"A manager can send the agent requests to get and set MIB values."
"The security features provided in SNMPv3 are as follows: Message integrity, Authentication, Encryption."
"SNMP requests typically are sent to User Datagram Protocol (UDP) port 161."

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf014.html
QUESTION 114
In which two areas does OSPF send a summary route by default? (Choose two.)

A. NSSA
B. totally stubby
C. normal
D. backbone
E. stub

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 115
Which DHCP option provides a TFTP server that Cisco phones can use to download a configuration?

A. DHCP Option 57
B. DHCP Option 66
C. DHCP Option 82
D. DHCP Option 68

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

QUESTION 116
Which two commands must you configure on a DMVPN hub to enable phase 3? (Choose two.)

A. ip nhrp map
B. ip redirects
C. ip nhrp shortcut
D. ip nhrp interest
E. ip nhrp redirect
F. ip network-id

Correct Answer: CE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
DMVPN in Phase 3
-- ip nhrp shortcut is required only on the spoke
-- ip nhrp shortcut and ip nhrp redirect are both required on the hub

Reference: http://blog.ine.com/2008/12/23/dmvpn-phase-3/

QUESTION 117
By default, which type of IPv6 address is used to build the EUI-64 bit format?

A. IPv4-compatible IPv6 address
B. aggregatable-local address
C. unique-local address
D. link-local address

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
https://howdoesinternetwork.com/2013/slaac-ipv6-stateless-address-autoconfiguration

QUESTION 118
Which two statements about GRE tunnel interfaces are true? (Choose two.)

A. To establish a tunnel, the source interface must be a loopback.
B. To establish a tunnel, the source interface must be in the up/up state.
C. A tunnel destination must be a physical interface that is in the up/up state.
D. A tunnel can be established when the source interface is in the up/down state.
E. A tunnel destination must be routable, but it can be unreachable.

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

QUESTION 119
A network engineer executes the commands logging host 172.16.200.225 and logging trap 5. Which action
results when these two commands are executed together?

A. Logging messages that have a debugging severity level are sent to the remote server 172.16.200.225.
B. Logged information is stored locally, showing the source as 172.16.200.225.
C. Logging messages that have any severity level are sent to the remote server 172.16.200.225.
D. Logging messages that have a severity level of “notifications” and above (numerically lower) are sent to
the remote server 172.16.200.225.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 120
Which problem can be caused by latency on a UDP stream?

A. The device that sends the stream is forced to hold data in the buffer for a longer period of time.
B. The device that receives the stream is forced to hold data in the buffer for a longer period of time.
C. The devices at each end of the stream are forced to negotiate a smaller window size.
D. The overall throughput of the stream is decreased.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 121
Which Cisco Express Forwarding component maintains Layer 2 addressing information?

A. adjacency table
B. RIB
C. FIB
D. fast switching

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 122
Refer to the exhibit.
Why is the default route not removed when 172.20.20.2 stops replying to ICMP echos?

A. The source-interface is configured incorrectly.
B. The default route is missing the track feature.
C. The destination must be 172.30.30.2 for icmp-echo.
D. The threshold value is wrong.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 123
In which scenario can asymmetric routing occur?

A. active/active firewall setup
B. redundant routers running VRRP
C. active/standby firewall setup
D. single path in and out of the network

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
What is Asymmetric Routing?
In Asymmetric routing, a packet traverses from a source to a destination in one path and takes a different
path when it returns to the source. This is commonly seen in Layer-3 routed networks.

Asymmetric routing is when a packet returns on a path that is different from the path on which the traffic was
sent. This can be seen in normal situations when there are multiple paths to/from a destination. It can also
be seen in misconfiguration situations, such as a server that has two NICs for load balancing and is instead
routing between them.

QUESTION 124
Which feature can mitigate fragmentation issues within network segments that are between GRE
endpoints?

A. TCP Flow Control
B. TCP MSS
C. PMTU
D. ICMP DF bit

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 125
After reviewing the EVN configuration, a network administrator notices that a predefined EVN, which is
known as “vnet global”, was configured. What is the purpose of this EVN?

A. It aggregates and carries all dot1q-tagged traffic.
B. It refers to the global routing context and corresponds to the default RIB.
C. It safeguards the virtual network that is preconfigured to avoid mismatched routing instances.
D. It defines the routing scope for each particular EVN edge interface.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

QUESTION 126
Which two debug commands can you use to view issues with CHAP and PAP authentication? (Choose
two.)

A. debug radius
B. debug tacacs
C. debug aaa authentication
D. debug ppp negotiation
E. debug ppp authentication

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Reference:
http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html

QUESTION 127
Which option is the minimum privilege level that allows the user to execute all user-level commands but
prohibits enable-level commands by default?
A. level 0
B. level 1
C. level 14
D. level 15
E. level 16

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html#priv

QUESTION 128

Refer to the exhibit. Which effect of this configuration is true?

A. R1 acts as an authoritative clock at stratum 5.
B. R1 acts as an authoritative clock with a priority ID of 1.
C. R1 synchronizes with systems that include authentication key 5 in their packets.
D. R1 is the NTP client for a stratum 1 server.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 129
Which next hop is going to be used for 172.17.1.0/24 ?
A. 10.0.0.1
B. 192.168.1.2
C. 10.0.0.2
D. 192.168.3.2

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The > indicates the best route to the destination 172.17.1.0/24


Reference: https://www.cisco.com/c/en/us/td/docs/ios/iproute_bgp/command/reference/irg_book/irg_bgp5.html#wp1156281

QUESTION 130
Which two OSPF router types can perform summarization in an OSPF network? (Choose two.)

A. autonomous system boundary router
B. backbone router
C. internal router
D. summary router
E. area border router

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 131
Which option is the minimum logging level that displays a log message when an ACL drops an incoming
packet?

A. Level 5
B. Level 7
C. Level 3
D. Level 6

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

When the ACL logging feature is configured, the system monitors ACL flows and logs dropped packets and
statistics for each flow that matches the deny conditions of the ACL entry.

The log and log-input options apply to an individual ACE and cause packets that match the ACE to be
logged.
The sample below illustrates the initial message and periodic updates sent by an IOS device with a default
configuration using the log ACE option.

*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet

From the example above we can see when an ACL drops a packet, it generates a level 6 Syslog (%SEC-6-)

Reference: https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html

QUESTION 132
Which two features does RADIUS combine? (Choose two.)

A. SSH
B. authorization
C. Telnet
D. authentication
E. accounting

Correct Answer: BD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 133
After testing various dynamic IPv6 address assignment methods, an engineer decides that more control is
needed when distributing addresses to clients. Which two advantages does DHCPv6 have over EUI-64?
(Choose two.)

A. DHCPv6 requires less planning and configuration than EUI-64 requires.


B. DHCPv6 does not require the configuration of prefix pools.
C. DHCPv6 provides tighter control over the IPv6 addresses that are distributed to clients.
D. DHCPv6 does not require neighbor and router discovery on the network segment.
䐀)
E. DHCPv6 allows for additional parameters to be sent to the client, such as the domain name and DNS
server.

Correct Answer: CE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 134
What does stateful NAT64 do that stateless NAT64 does not do?

A. Stateful NAT64 maintains bindings or session state while performing translation
B. Stateful NAT64 maintains bindings of IPv4 to IPv6 link-local addresses
C. Stateful NAT64 translates IPv4 to IPv6
D. Stateful NAT64 translates IPv6 to IPv4

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html

QUESTION 135
Which version or versions of NetFlow support MPLS?

A. NetFlow version 9
B. NetFlow version 8
C. all versions of NetFlow
D. NetFlow versions 8 and 9
E. NetFlow version 5

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow exports up to three
labels of interest from the incoming label stack, the IP address associated with the top label, as well as
traditional NetFlow data.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf24.html

QUESTION 136
Which value does a Cisco router use as its default username for CHAP authentication?

A. ppp
B. its own hostname
C. cisco
D. chap

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Reference:
https://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html

QUESTION 137
A network engineer wants an NTP client to be able to update the local system without updating or
synchronizing with the remote system. Which option for the ntp access-group command is needed to
accomplish this?

A. peer
B. query-only
C. serve-only
D. serve

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 138
Refer to the exhibit. You have correctly identified the inside and outside interfaces in the NAT configuration
of this device. Which effect of this configuration is true?
A. NAT64
B. dynamic NAT
C. PAT
D. static NAT

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 139
The Neighbor Discovery Protocol in IPv6 is replaced with which discovery protocol in IPv4?

A. ARP
B. ICMP
C. UDP
D. TCP
E. RFC

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Neighbor Discovery -- or ND -- is the protocol used by IPv6 to determine neighboring hosts, and will replace
ARP which was used in IPv4. It will perform tasks similar to those of the Address Resolution Protocol (ARP) and
ICMP Router Discovery Protocol. Its purpose remains to get the MAC/Link Layer addresses of available
hosts, and the connection information of available routers in the network.

QUESTION 140
Which two protocols can cause TCP starvation? (Choose two)

A. TFTP
B. SNMP
C. SMTP
D. HTTPS
E. FTP

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation: TFTP (69) and SNMP (161) are UDP protocols

QUESTION 141
What is the international standard for transmitting data over a cable system?

A. PPPoE
B. DOCSIS
C. CMTS
D. AAL5

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 142
ALWAYS block the outbound web traffic on Saturdays and Sunday between 1:00 to 23:59

A. periodic Saturday Sunday 01:00 to 23:59 and IN
B. periodic Saturday Sunday 01:00 to 23:59 and OUT
C. periodic Saturday Sunday 01:00 to 11:59 and IN
D. Absolute Saturday Sunday 01:00 to 11:59 and IN

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 143
What is IPv6 router solicitation?

A. A request made by a node to join a specified multicast group
B. A request made by a node for its IP address
C. A request made by a node for the IP address of the DHCP server
D. A request made by a node for the IP address of the local router

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 144
What is the default value of TCP maximum segment size?

A. 536
B. 1492
C. 1500
D. 1508
E. 3340
F. 4096

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
THE TCP MAXIMUM SEGMENT SIZE IS THE IP MAXIMUM DATAGRAM SIZE MINUS FORTY.
The default IP Maximum Datagram Size is 576.
The default TCP Maximum Segment Size is 536.
http://www.ietf.org/rfc/rfc879.txt?referring_site=bodynav

QUESTION 145
If routers in a single area are configured with the same priority value, what value does a router use for the
OSPF Router ID in the absence of a loopback interface?
A. The lowest IP address of any physical interface
B. The highest IP address of any physical interface
C. The lowest IP address of any logical interface
D. The highest IP address of any logical interface

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 146
A network engineer applies the command ip tcp adjust-mss <bytes> under interface configuration mode.
What is the result?

A. The probability of SYN packet truncation is increased.
B. The UDP session is inversely affected.
C. The probability of dropped or segmented TCP packets is decreased.
D. The optimum MTU value for the interface is set.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 147
Which two commands do you need to implement on the CALLING router to support the PPPoE client?
(Choose two.)

A. peer default ip address pool
B. mtu
C. bba-group pppoe
D. pppoe enable group
E. pppoe-client dialer-pool-number

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Configuration at Client side (PPPoE Client):

interface Dialer 2
encapsulation ppp
ip address negotiated
ppp chap hostname TUT
ppp chap password MyPPPoE
ip mtu 1492
dialer pool 1

Then the next page: http://www.digitaltut.com/ppp-over-ethernet-pppoe-tutorial/2

Configuration at Server side (PPPoE Server)


1. First we configure a broadband aggregation (BBA) group
bba-group pppoe MyPPPoEProfile
virtual-template 1
2. Now we will create the virtual template 1 interface
interface Virtual-Template 1
ip address 10.0.0.1 255.255.255.0
peer default ip address pool PPPoE_Pool
ppp authentication chap
3. Finally link the PPPoE profile to the physical E0/0 interface, which is connected to the PPPoE client.
interface Ethernet0/0
pppoe enable group MyPPPoEProfile

From the above we can see that mtu and pppoe-client dialer-pool-number are PPPoE client commands,
and peer default ip address pool, bba-group pppoe, and pppoe enable group are PPPoE server commands.

QUESTION 148
Which two commands must you configure in the calling router to support the PPPoE client? (Choose two.)

A. pppoe enable group
B. peer default ip address pool
C. pppoe-client-dial-pool-number
D. bba-group pppoe
E. mtu

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 149
Frame Relay LMI autosense. Which statements are true? (Choose two.)

A. Line should be up and protocol should be down
B. Protocol must be up
C. It only works on DTEs
D. It only works on DCEs

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
LMI autosense is active in the following situations:
-The router is powered up or the interface changes state to up.
-The line protocol is down but the line is up.
-The interface is a Frame Relay DTE.
-The LMI type is not explicitly configured.

QUESTION 150
Which value does Frame Relay use to identify a connection between a DTE and DCE?

A. DLCI
B. IP address
C. MAC address
D. VLAN ID

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 151
Which two statements about configuring Frame Relay point-to-multipoint connections are true? (Choose
two)

A. They ignore the broadcast keyword in the frame-relay DLCI mapping
B. They require the same DLCI on each side of the link.
C. Changing a point-to-multipoint subinterface to a different type requires the interface to be deleted and
recreated.
D. They require the frame-relay mapping command to be configured.
E. They require inverse ARP.

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 152
Which Cisco Express Forwarding component maintains Layer 2 addressing information?

A. dCEF
B. Adjacency table
C. FIB
D. Fast switching
E. RIB

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Adjacency Tables: Nodes in the network are said to be adjacent if they can reach each other with a single
hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing
information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html

QUESTION 153
What configurations does PPPoE allow? (Choose two.)

A. Client can be installed on the same network devices as server
B. 8 clients can be configured on 1 CPE
C. Clients can connect to multiple hosts over DMVPN
D. Client connecting over ATM PVC
E. Client installed on native IPv6 network

Correct Answer: BC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 154
Which command instructs a PPPoE client to obtain its IP address from the PPPoE server?

A. Interface dialer
B. IP address negotiated
C. PPPoE enable
D. IP address DHCP
E. IP address dynamic

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 155
Refer to the exhibit. Router 1 cannot ping router 2 via the Frame Relay between them.
Which two statements describe the problems? (Choose two.)

A. Encapsulation is mismatched.
B. Frame Relay map is configured.
C. DLCI is active.
D. DLCI is inactive or deleted.
E. An access list is needed to allow ping

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Frame Relay: Cannot ping Remote Router:
1-Encapsulation mismatch has occurred.
2-DLCI is inactive or has been deleted.
3-DLCI is assigned to the wrong subinterface.
4-An access list was misconfigured.
5-The frame-relay map command is missing.
6-No broadcast keyword is found in frame-relay map statements.
QUESTION 156
How should a router that is being used in a Frame Relay network be configured to keep split horizon issues
from preventing routing updates?

A. Configure a separate subinterface for each PVC with a unique DLCI and subnet assigned to the
subinterface
B. Configure each Frame Relay circuit as a point-to-point line to support multicast and broadcast traffic
C. Configure many subinterfaces in the same subnet.
D. Configure a single subinterface to establish multiple PVC connections to multiple remote router
interfaces

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
If you have a serial port configured with multiple DLCIs connected to multiple remote sites, split horizon
rules stop route updates received on an interface from being sent out the same interface. By creating
subinterfaces for each PVC, you can avoid the split horizon issues when using Frame Relay.
http://www.indiabix.com/networking/wide-area-networks/015004

QUESTION 157
In which two ways can split horizon issues be overcome in a Frame Relay network environment? (Choose
two.)

A. Configuring one physical serial interface with Frame Relay to various remote sites.
B. Configure a loopback interface with Frame Relay to various remote sites
C. Configuring multiple subinterfaces on a single physical interface to various remote sites.
D. Enabling split horizon.
E. Disabling split horizon.

Correct Answer: CE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
1/ IP split horizon checking is disabled by default for Frame Relay encapsulation to allow routing updates to
go in and out of the same interface. An exception is the Enhanced Interior Gateway Routing Protocol
(EIGRP) for which split horizon must be explicitly disabled.
2/ Configuring Frame Relay subinterfaces ensures that a single physical interface is treated as multiple
virtual interfaces. This capability allows you to overcome split horizon rules so packets received on one
virtual interface can be forwarded to another virtual interface, even if they are configured on the same
physical interface.

Reference:
http://www.cisco.com/c/en/us/support/docs/wan/frame-relay/14168-fr-faq.html

QUESTION 158
Your network consists of a large hub-and-spoke Frame Relay network with a CIR of 56 kb/s for each
spoke.

Which statement about the selection of a dynamic protocol is true? Choose the best response.

A. EIGRP would be appropriate if LMI type ANSI is NOT used.
B. EIGRP would be appropriate, because the Frame Relay spokes could be segmented into their own
areas.
C. EIGRP would be appropriate, because by default, queries are not propagated across the slow speed
Frame Relay links.
D. EIGRP would be appropriate, because you can manage how much bandwidth is consumed over the
Frame Relay interface.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
By default, EIGRP will limit itself to using no more than 50% of the interface bandwidth. The primary benefit
of controlling EIGRP's bandwidth usage is to avoid losing EIGRP packets, which could occur when EIGRP
generates data faster than the interface line can absorb it. This is of particular benefit on Frame Relay
networks, where the access interface bandwidth and the PVC capacity may be very different.

QUESTION 159
A network engineer enables OSPF on a Frame Relay WAN connection to various remote sites, but no
OSPF adjacencies come up.

Which two actions are possible solutions for this issue? (Choose two)

A. Change the network type to point-to-multipoint under WAN interface.


B. Enable virtual links.
C. Change the network type to nonbroadcast multipoint access.
D. Configure the neighbor command under OSPF process for each remote site.
E. Ensure that the OSPF process number matches among all remote sites.

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 160
Which of the following does SNMPv2 use for authentication?

A. HMAC-MD5
B. HMAC-SHA
C. CBC-DES
D. Community strings

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 161
Which statement about stateless and stateful IPv6 autoconfiguration is true?

A. Both stateless and stateful autoconfiguration require additional setup


B. Stateless autoconfiguration requires no additional setup, whereas stateful autoconfiguration requires
additional setup
C. Stateless autoconfiguration requires additional setup, whereas stateful autoconfiguration requires no
additional setup
D. Both stateless and stateful autoconfiguration require no additional setup

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Stateful autoconfiguration is the IPv6 equivalent of DHCP. A new protocol, called DHCPv6 (and based
closely on DHCP), is used to pass out addressing and service information in the same way that DHCP is
used in IPv4. This is called “stateful” because the DHCP server and the client must both maintain state
information to keep addresses from conflicting, to handle leases, and to renew addresses over time.

Stateless autoconfiguration allows an interface to automatically “lease” an IPv6 address and does not
require the establishment of a server to dole out address space. Stateless autoconfiguration allows a
host to propose an address which will probably be unique (based on the network prefix and its Ethernet
MAC address) and propose its use on the network. Because no server has to approve the use of the
address, or pass it out, stateless autoconfiguration is simpler. This is the default mode of operation for most
IPv6 systems, including servers.

QUESTION 162
What is true about peer groups? (Choose two.)

A. Optimize backdoor routes.


B. If you change configuration then it affects all peers in the group.
C. Peer groups can send soft updates to all.
D. Updates can be sent with multicast.

Correct Answer: BC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 163
If you want to migrate an IS-IS network to another routing protocol with _____. (Choose two)

A. UDP
B. Internal BGP
C. TCP/IP
D. EIGRP
E. OSPF
F. RIP

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 164
Refer to the exhibit. In the network diagram, Area 1 is defined as a stub area. Because redistribution is not
allowed in the stub area, EIGRP routes cannot be propagated into the OSPF domain. How does defining
area 1 as a not-so-stubby area (NSSA) make it possible to inject EIGRP routes into the OSPF NSSA
domain?
A. By creating type 5 LSAs
B. By creating type 7 LSAs
C. By creating a link between the EIGRP domain and the RIP domain, and redistributing EIGRP into RIP
D. By manually changing the routing metric of EIGRP so that it matches the routing metric of OSPF

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 165
What attribute is used to influence traffic from AS200 and AS300 so that it uses link1 to reach AS100?

A. MED
B. AS_path
C. Weight
D. Local preference

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 166
What is true about EIGRP's redistributed static routes and summarized routes? (Choose two.)

A. Summary routes have AD of 5


B. Static redistributed routes have AD of 190
C. Summary routes have AD of 20
D. Static redistributed routes have AD of 200

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 167
You have a router with some interfaces configured as 10 Gb interfaces and some as gigabit interfaces.
Which command do you use to optimize for the higher bandwidth?

A.

B.

C.

D.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 168
RIPng ____________.

A. Firewall Port block UDP 520


B. Firewall Port block TCP 520
C. Firewall Port block UDP 521
D. Firewall Port block TCP 521

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 169
Which are new LSA types in OSPF for IPv6 (OSPFv3)? (Choose two.)

A. LSA Type 8
B. LSA Type 9
C. LSA Type 10
D. LSA Type 12

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 170
Which of the below mentioned conditions form a neighbor relationship in EIGRP? (Choose three.)

A. Hello or ACK received


B. AS number match
C. Hello timer match
D. Identical metric (k values)
E. Dead Timer Match

Correct Answer: ABD


Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 171
A network engineer is disabling split horizon on a point-to-multipoint interface that is running RIPng. Under
which configuration mode can split horizon be disabled?

A. router(config-riping)#
B. router(config-rtr)#
C. router(config-if)#
D. router(config)#

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 172
An EUI-64-bit address is formed by adding a reserved 16-bit value in which position of the Mac address?

A. Between the vendor OID and the NIC-specific part of the MAC address.
B. After the NIC-specific part of the MAC address.
C. Before the vendor OID part of the MAC address.
D. Anywhere in the Mac address, because the value that is added is reserved.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 173
An EUI-64 bit address is formed by inserting which 16-bit value into the MAC address of a device?

A. 3FFE
B. FFFE
C. FF02
D. 2001

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 174
Which IPV6 address type does RIPng use for next-hop addresses?

A. Anycast
B. Global
C. Multicast
D. Site-local
E. Link-local

Correct Answer: E
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 175
Which type of message does a device configured with the eigrp stub command send in response to EIGRP
queries?

A. Invalid request
B. Unavailable
C. Stuck in active
D. Stub-only
E. Reject
F. Inaccessible

Correct Answer: F
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
When using the EIGRP Stub Routing feature, you need to configure the distribution and remote routers to
use EIGRP, and to configure only the remote router as a stub. Only specified routes are propagated from
the remote (stub) router. The router responds to queries for summaries, connected routes, redistributed
static routes, external routes, and internal routes with the message "inaccessible." A router that is
configured as a stub will send a special peer information packet to all neighboring routers to report its status
as a stub router.

QUESTION 176
Which two statements about route targets that are configured with VRF-Lite are true? (Choose two.)

A. Route targets uniquely identify the customer routing table


B. Route targets control the import and export of routes into a customer routing table
C. Route targets are supported only when BGP is configured
D. When IS-IS is configured, route targets identify the circuit level in which the customer resides
E. When BGP is configured, route targets are transmitted as BGP standard communities
F. Route targets allow customers to be assigned overlapping addresses

Correct Answer: BC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 177
What is the output of the following command:

show ip vrf

A. Shows default RD values.
B. Displays IP routing table information associated with a VRF.
C. Shows routing protocol information associated with a VRF.
D. Displays the ARP table (static and dynamic entries) in the specified VRF.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 178
What command would you use to set EIGRP routes to be prioritized?

A. Distance 100
B. Distance 89
C. Distance eigrp 100
D. Distance eigrp 89

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 179
Which routing protocol does DMVPN support? (Choose three.)

A. ISIS
B. RIP
C. EIGRP
D. OSPF
E. BGP

Correct Answer: CDE


Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 180
Refer to the exhibit.
Routers R1 and R2 are IPv6 BGP peers that have been configured to support a neighbor relationship over
an IPv4 internet work. Which three neighbor IP addresses are valid choices to use in the highlighted section
of the exhibit? (Choose three.)

A. ::0A43:0002
B. 0A43:0002::
C. ::10.67.0.2
D. 10.67.0.2::
E. 0:0:0:0:0:0:10.67.0.2
F. 10.67.0.2:0:0:0:0:0:0

Correct Answer: ACE


Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The automatic tunneling mechanism uses a special type of IPv6 address, termed an "IPv4-compatible"
address. An IPv4-compatible address is identified by an all-zeros 96-bit prefix, and holds an IPv4 address in
the low-order 32-bits. IPv4-compatible addresses are structured as follows:

Therefore, an IPv4 address of 10.67.0.2 will be written as ::10.67.0.2 or 0:0:0:0:0:0:10.67.0.2 or
::0A43:0002 (with 10[decimal] = 0A[hexa] ; 67[decimal] = 43[hexa] ; 0[hexa] = 0[decimal] ;
2[hexa] = 2[decimal])

QUESTION 181
Refer to the exhibit. Based upon the configuration, you need to understand why the policy routing match
counts are not increasing. Which would be the first logical step to take?
A. Confirm if there are other problematic route-map statements that precede divert.
B. Check the access list for log hits.
C. Check the routing table for 212.50.185.126.
D. Remove any two of the set clauses. (Multiple set clause entries will cause PBR to use the routing table.)

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
First we should check the access-list log. If the hit count does not increase, then no packets are matching
the access-list -> the policy based routing match counts will not increase.

QUESTION 182
In OSPF, which types of router can perform route aggregation? (Choose two.)

A. the ABR
B. the ASBR
C. Backbone Router
D. Intra Router

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 183
You need the IP address of the devices with which the router has established an adjacency. Also, the
retransmit interval and the queue counts for the adjacent routers need to be checked. What command will
display the required information?

A. show ip eigrp adjacency


B. show ip eigrp topology
C. show ip eigrp interfaces
D. show ip eigrp neighbor

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 184
Which is an “invalid” option when redistributing from EIGRP into OSPF?

A. ACL
B. Tag
C. Metric
D. Route map

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 185
What does the show ip route vrf CISCO command display?

A. Directly connected routes for VRF CISCO


B. The routing table for VRF CISCO
C. The global routing table.
D. All routing tables that start with VRF CISCO.
E. The route distinguisher for VRF CISCO

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 186
Refer to Exhibit.
R1 is unable to ping interface S0/0 of R2.
What is the issue with the configuration that is shown here?
A. The route-target configuration command is missing.
B. The interface IP addresses are not in the same subnet.
C. The syntax of the ping command is wrong.
D. The default route configuration is missing.
E. The serial interfaces belong to the global table instead of vrf Yellow.

Correct Answer: E
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 187
Which option describes why the EIGRP neighbors of this router are not learning routes that are received
from OSPF?

A. The subnet defined in OSPF is not part of area 0.


B. Default metrics are not configured under EIGRP.
C. There is no overlap in the subnets advertised.
D. The routing protocols do not have the same AS number.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 188
By default, which statement is correct regarding the redistribution of routes from other routing protocols into
OSPF? Select the best response.

A. They will appear in the OSPF routing table as type E1 routes.


B. They will appear in the OSPF routing table as type E2 routes
C. Summarized routes are not accepted.
D. All imported routes will be automatically summarized when possible.
E. Only routes with lower administrative distances will be imported.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Type E1 external routes calculate the cost by adding the external cost to the internal cost of each link that
the packet crosses while the external cost of E2 packet routes is always the external cost only. E2 is useful
if you do not want internal routing to determine the path. E1 is useful when internal routing should be
included in path selection. E2 is the default external metric when redistributing routes from other routing
protocols into OSPF.

QUESTION 189
Which statement about local policy routing is true?

A. It is used to policy route packets that are generated by the device.


B. It requires all packets to be packet switched.
C. It is used to policy route packets that pass through the device.
D. It requires all packets to be CEF switched.
E. It supports IPv4 packets only.
F. It requires an ip address or access list as the matching criteria.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 190
What appears in the other router routing table?

#loopback EIGRP STUB

A. loopback of the stub router advertised


B. loopback of the stub router was not advertised

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 191
Which three configuration parameters can a DHCPV6 pool contain? (Choose three.)

A. Domain search list


B. Router IP
C. Default gateway
D. Prefix delegation
E. DNS servers
F. Subnet mask

Correct Answer: ADE


Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Each configuration pool can contain the following configuration parameters and operational information:
-Prefix delegation information, which includes:
-A prefix pool name and associated preferred and valid lifetimes
-A list of available prefixes for a particular client and associated preferred and valid lifetimes
-A list of IPv6 addresses of DNS servers
-A domain search list, which is a string containing domain names for the DNS resolution

Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3s/dhcp-xe-3s-book/ip6-dhcp-prefix-xe.pdf

QUESTION 192
What are two BGP neighborship states? (Choose two.)

A. Full
B. Open Sent
C. 2WAY
D. Connect
E. DROTHER
F. Stuck in active

Correct Answer: BD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 193
What is the effect of the following two commands? (Choose two.)

area 1 range 10.1.0.0 255.255.0.0


summary address 10.1.0.0 255.255.0.0

A. area 1 range: command applied to summarize internal OSPF routes (ABR)


B. area 1 range: command applied to summarize external OSPF routes (ASBR)
C. Summary address: command applied to summarize external OSPF routes (ASBR)
D. Summary address: command applied to summarize internal OSPF routes (ABR)

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 194
Which access list entry checks for an ACK within a packet TCP header?

A. access-list 49 permit ip any any eq 21 tcp-ack


B. access-list 49 permit tcp any any eq 21 tcp-ack
C. access-list 149 permit tcp any any eq 21 established
D. access-list 49 permit tcp any any eq 21 established

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 195
Which type of access list allows granular session filtering for upper-level protocols?

A. Content-based access lists


B. Context-based access lists
C. Reflexive access lists
D. Extended access lists

Correct Answer: C
Section: Mix Questions
Explanation ԇ

Explanation/Reference:

QUESTION 196
Which two options are requirements for EIGRP authentication? (Choose two.)

A. A crypto map must be configured.


B. The Authentication key must be configured under the interface running EIGRP.
C. The authentication key must be configured within the EIGRP routing configuration.
D. The authentication key IDs must match between two neighbors.
E. A separate key chain must be configured.
F. An IPsec profile must be configured.

Correct Answer: BD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 197
Which command prevents routers from sending routing updates through a router interface?

A. default-metric 0
B. distribute-list in
C. passive-interface
D. distribute-list out

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
To prevent routing updates through a specified interface, use the passive-interface type number command
in router configuration mode.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3s/iri-xe-3s-book/iri-default-passive-interface.html

QUESTION 198
Which three options are valid DHCPv6 functions? (Choose three.)

A. Server
B. Client
C. Approver
D. Requester
E. Repeater
F. ACK
G. Relay

Correct Answer: ABG


Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 199
Refer to the exhibit. A network engineer executes the show ipv6 ospf database command and is presented
with the output that is shown.

Which flooding scope is referenced in the link-state type?


A. Link-local
B. Area
C. As (OSPF domain)
D. Reserved

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 200
Which type of address does OSPFv3 use to form neighbor adjacencies and to send LSAs?

A. Unicast IPv6 addresses


B. Link-local addresses
C. Multicast address FF02::5
D. Unicast IPv4 addresses

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 201
Which is the valid range for BGP private ASNs?

A. 64512-65535
B. 62464-65024
C. 64512-65024
D. 62464-64511

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 202
OSPF chooses routes in which order, regardless of route's administrative distance and metric? (Choose all
that apply.)

A. Intra-Area (O)
B. Inter-Area (O IA)
C. External Type 1 (E1)
D. External Type 2 (E2)
E. NSSA Type 1 (N1)
F. NSSA Type 2 (N2)

Correct Answer: ABCDEF


Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Regardless of a route’s metric or administrative distance, OSPF will choose routes in the following order:

Intra-Area (O)
Inter-Area (O IA)
External Type 1 (E1)
External Type 2 (E2)
NSSA Type 1 (N1)
NSSA Type 2 (N2)

To demonstrate this, take the following topology:


QUESTION 203
When OSPF is forming an adjacency, in which state does the actual exchange of information in the link-state
database occur?

A. INIT
B. Loading
C. Exstart
D. Exchange

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Down
This is the first OSPF neighbor state. It means that no information (hellos) has been received from this
neighbor, but hello packets can still be sent to the neighbor in this state.

During the fully adjacent neighbor state, if a router doesn't receive hello packet from a neighbor within the
RouterDeadInterval time (RouterDeadInterval = 4*HelloInterval by default) or if the manually configured
neighbor is being removed from the configuration, then the neighbor state changes from Full to Down.

Attempt
This state is only valid for manually configured neighbors in an NBMA environment. In Attempt state, the
router sends unicast hello packets every poll interval to the neighbor, from which hellos have not been
received within the dead interval.

Init
This state specifies that the router has received a hello packet from its neighbor, but the receiving router's
ID was not included in the hello packet. When a router receives a hello packet from a neighbor, it should list
the sender's router ID in its hello packet as an acknowledgment that it received a valid hello packet.

2-Way
This state designates that bi-directional communication has been established between two routers. Bi-
directional means that each router has seen the other's hello packet. This state is attained when the router
receiving the hello packet sees its own Router ID within the received hello packet's neighbor field. At this
state, a router decides whether to become adjacent with this neighbor. On broadcast media and non-
broadcast multiaccess networks, a router becomes full only with the designated router (DR) and the backup
designated router (BDR); it stays in the 2-way state with all other neighbors. On Point-to-point and Point-to-
multipoint networks, a router becomes full with all connected routers.

At the end of this stage, the DR and BDR for broadcast and non-broadcast multi-access networks are
elected. For more information on the DR election process, refer to DR Election.

Note: Receiving a Database Descriptor (DBD) packet from a neighbor in the init state will also cause a
transition to 2-way state.

Exstart
Once the DR and BDR are elected, the actual process of exchanging link state information can start
between the routers and their DR and BDR.

In this state, the routers and their DR and BDR establish a master-slave relationship and choose the initial
sequence number for adjacency formation. The router with the higher router ID becomes the master and
starts the exchange, and as such, is the only router that can increment the sequence number. Note that
one would logically conclude that the DR/BDR with the highest router ID will become the master during this
process of master-slave relation. Remember that the DR/BDR election might be purely by virtue of a higher
priority configured on the router instead of highest router ID. Thus, it is possible that a DR plays the role of
slave. And also note that master/slave election is on a per-neighbor basis.

Exchange
In the exchange state, OSPF routers exchange database descriptor (DBD) packets. Database descriptors
contain link-state advertisement (LSA) headers only and describe the contents of the entire link-state
database. Each DBD packet has a sequence number which can be incremented only by master which is
explicitly acknowledged by slave. Routers also send link-state request packets and link-state update
packets (which contain the entire LSA) in this state. The contents of the DBD received are compared to the
information contained in the routers link-state database to check if new or more current link-state
information is available with the neighbor.

Loading
In this state, the actual exchange of link state information occurs. Based on the information provided by the
DBDs, routers send link-state request packets. The neighbor then provides the requested link-state
information in link-state update packets. During the adjacency, if a router receives an outdated or missing
LSA, it requests that LSA by sending a link-state request packet. All link-state update packets are
acknowledged.

Full
In this state, routers are fully adjacent with each other. All the router and network LSAs are exchanged and
the routers' databases are fully synchronized.

Full is the normal state for an OSPF router. If a router is stuck in another state, it is an indication that there
are problems in forming adjacencies. The only exception to this is the 2-way state, which is normal in a
broadcast network. Routers achieve the FULL state with their DR and BDR in NBMA/broadcast media and
FULL state with every neighbor in the remaining media such as point-to-point and point-to-multipoint.
Note: The DR and BDR that achieve FULL state with every router on the segment will display FULL/
DROTHER when you enter the show ip ospf neighbor command on either a DR or BDR. This simply means
that the neighbor is not a DR or BDR, but since the router on which the command was entered is either a
DR or BDR, this shows the neighbor as FULL/DROTHER.


QUESTION 204
During a recent OSPF election among three routers, RTA was elected the DR and RTB was elected the
BDR, as seen in the graphic. Assume that RTA fails, and that RTB takes the place of the DR while RTC
becomes the new BDR. What will happen when RTA comes back online?
A. RTA will take the place of DR immediately upon establishing its adjacencies
B. RTA will take the place of DR only if RTB fails.
C. RTA will take the place of DR only if both RTB and RTC fail.
D. A new election will take place establishing an all new DR and BDR based on configured priority levels
and MAC addresses.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
If a router with a higher priority value gets added to the network, it does not preempt the DR
and BDR. The only time a DR and BDR changes is if one of them is out of service. If the DR
is out of service, the BDR becomes the DR, and a new BDR is selected. If the BDR is out of
service, a new BDR is elected. In a multi-access network, the router that is powered on first
will generally become the DR, since the DR/BDR process is not pre-emptive.

CCNP Self-Study Second Edition P.243

QUESTION 205
Refer to the exhibit. EIGRP is configured on all routers in the network. On a basis of the show ip eigrp
topology output provided, what conclusion can be derived? Select the best response.
A. Router R1 can send traffic destined for network 10.6.1.0/24 out of interface FastEthernet0/0.
B. Router R1 is waiting for a reply from the neighbor 10.1.2.1 to the hello message sent out before it
declares the neighbor unreachable.
C. Router R1 is waiting for a reply from the neighbor 10.1.2.1 to the hello message sent out inquiring for a
second successor to network 10.6.1.0/24.
D. Router R1 is waiting for a reply from the neighbor 10.1.2.1 in response to the query sent out about
network 10.6.1.0/24.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 206
An administrator types in the command router ospf 1 and receives the error message:

"OSPF process 1 cannot start." (Output is omitted.)

What should be done to correctly set up OSPF? Select the best response.

A. Ensure that an interface has been configured with an IP address.


B. Ensure that an interface has been configured with an IP address and is up.
C. Ensure that IP classless is enabled.
D. Ensure that the interfaces can ping their directly connected neighbors.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 207
The following exhibit shows ipv6 route output. What would the metric be for a summary route that
summarizes all three OSPFv3 routes displayed?
A. 160
B. 140
C. 120
D. 100

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 208
The Dev-1 and Dev-3 routers are OSPF neighbors over the Ethernet 0/0 connection. Based on the show ip
ospf neighbor output from the Dev-1 and Dev-3 routers, which statement is true? Select the best response.


A. Dev-1 is the DR because it has a higher OSPF router priority.


B. Dev-1 is the DR because it has a lower OSPF router ID.
C. Dev-3 is the DR because it has a higher OSPF router priority.
D. Dev-3 is the DR because it has a lower OSPF router ID.
E. Both Dev-1 and Dev-3 are using the default OSPF router priority.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 209
Refer to the exhibit. Which three statements accurately describe the result of applying the exhibited route
map? (Choose three.)
A. The map prohibits the redistribution of all type 2 external OSPF routes with tag 6 set.
B. The map prohibits the redistribution of all type 2 external OSPF routes.
C. The map redistributes into EIGRP all routes that match the pfx prefix list and the five metric values
40000, 1000, 255, 1, and 1500.
D. The map prohibits the redistribution of all external OSPF routes with tag 6 set.
E. All routes that do not match clauses 10 and 20 of the route map are redistributed with their tags set to 8.
F. The map permits the redistribution of all type 1 external OSPF routes.

Correct Answer: AEF
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
In the route-map:

route-map ospf-to-eigrp deny 10


match tag 6
match route-type external type-2

The deny clause rejects route matches from redistribution. If several match commands are present in a
clause, all must succeed for a given route in order for that route to match the clause (in other words, the
logical AND algorithm is applied for multiple match commands). In this question, both the “match tag 6” and
“match route-type external type-2” must be matched for this route to be denied -> A is correct.

If a match command is not present, all routes match the clause. In this question, all routes that reach
clause 30 match and their tags are set to 8 -> E is correct.

If a route is not matched with clause 10 or 20 then it will be matched with clause 30 for sure -> F is correct.

Option C is incorrect because it says the route will be redistributed if it matches the prefix-list pfx AND the
metric values. This is not true.

The route-map statement 20 SETS the seed metric for the prefixes identified by the prefix-list pfx. So the
statement in option C is missing the "SET" keyword.

Option F is correct because the only deny statement in route-map is statement 10 which only denies Type-2
External routes that have a tag value of 6. This means all Type-1 External routes will be redistributed
because they will match either permit statement 20 or 30.
Note: Route-maps that are applied to redistribution behave the same way as ACLs: if the route does not
match any clause in a route-map then the route redistribution is denied, as if the route-map contained deny
statement at the end.

Reference:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml
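
The evaluation rules in the explanation above (match commands within a clause are ANDed, a clause with no match command matches everything, the first matching clause decides, and an unmatched route is denied) can be modelled directly. This is an added example, not taken from the exam or from Cisco: clause 10 is copied from the explanation, clauses 20 and 30 are reconstructed from its wording, and the contents of prefix list pfx and the sample routes are constructed, because the exhibit is not reproduced on this page.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    route_type: str                  # "internal", "external type-1" or "external type-2"
    tag: int = 0
    metric: Optional[tuple] = None   # EIGRP seed metric once a set clause assigns it

@dataclass
class Clause:
    seq: int
    action: str                                  # "permit" or "deny"
    matches: list = field(default_factory=list)  # predicates, all must succeed (AND)
    sets: dict = field(default_factory=dict)     # attributes rewritten on permit

def apply_route_map(clauses, route):
    """Return (redistributed route or None, sequence number of the deciding clause).

    A sequence number of None means no clause matched: the implicit deny."""
    for clause in sorted(clauses, key=lambda c: c.seq):
        # all() over an empty list is True: a clause with no match command matches every route.
        if all(match(route) for match in clause.matches):
            if clause.action == "deny":
                return None, clause.seq
            return replace(route, **clause.sets), clause.seq
    return None, None

# Constructed contents for prefix list "pfx"; the exhibit does not survive on this page.
PFX = {"10.10.0.0/16"}

OSPF_TO_EIGRP = [
    # Clause 10 as quoted in the explanation: both matches must succeed.
    Clause(10, "deny", [lambda r: r.tag == 6,
                        lambda r: r.route_type == "external type-2"]),
    # Clause 20 as described: match prefix list pfx, SET the five metric values.
    Clause(20, "permit", [lambda r: r.prefix in PFX],
           {"metric": (40000, 1000, 255, 1, 1500)}),
    # Clause 30 as described: no match command, set tag 8.
    Clause(30, "permit", [], {"tag": 8}),
]

# Constructed sample routes.
E2_TAG6 = Route("192.168.1.0/24", "external type-2", tag=6)
E2_TAG5 = Route("192.168.2.0/24", "external type-2", tag=5)
E1_TAG6_IN_PFX = Route("10.10.0.0/16", "external type-1", tag=6)
E1_TAG6 = Route("192.168.3.0/24", "external type-1", tag=6)

if __name__ == "__main__":
    for r in (E2_TAG6, E2_TAG5, E1_TAG6_IN_PFX, E1_TAG6):
        print(r.prefix, r.route_type, "tag", r.tag, "->", apply_route_map(OSPF_TO_EIGRP, r))
    # Dropping clause 30 exposes the implicit deny for routes that match nothing.
    print(apply_route_map(OSPF_TO_EIGRP[:2], E1_TAG6))
```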

QUESTION 210
Which IPv4-mapped IPv6 address is equivalent to IPv6 address ::ffff:AC11:AC11? Choose the best
response.

A. ::ffff:10.12.10.12
B. ::ffff:10.14.10.14
C. ::ffff:44.49.44.49
D. ::ffff:161.193.161.193
E. ::ffff:172.17.172.17
F. ::ffff:193.11.193.11

Correct Answer: E
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 211
Which statement is true about IPv6? Choose the best response.

A. Only one IPv6 address is assigned per node.
B. Only one IPv6 address can be assigned to each interface.
C. Each host can autoconfigure its address without the aid of a DHCP server.
D. IPv6 hosts use anycast addresses to assign IP addresses to interfaces.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 212
Which statement is true about EBGP? Select the best response.

A. An internal routing protocol can be used to reach an EBGP neighbor.
B. The next hop does not change when BGP updates are exchanged between EBGP neighbors.
C. A static route can be used to form an adjacency between neighbors.
D. EBGP requires a full mesh.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 213
Refer to the exhibit.
EIGRP has been configured on all routers in the network. What additional configuration statement should
be included on router R4 to advertise a default route to its neighbors?

A. R4(config)# ip default-network 10.0.0.0
B. R4(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1
C. R4(config)# ip route 10.0.0.0 255.0.0.0 10.1.1.1
D. R4(config-router)# default-information originate

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The “ip default-network” command directs other routers to send their unknown traffic to this network. The other
routers (R1, R2, R3) will show this network as the “Gateway of last resort”.

There is another way to route unknown traffic to 10.1.1.0/24 network: create a static route using “ip route
0.0.0.0 0.0.0.0 10.1.1.2” command then inject this route using the “network 0.0.0.0” command, or using
“redistribute static” command.

Note: In EIGRP, default routes cannot be directly injected (as they can in OSPF with the default-information
originate command). Also, EIGRP does not have the “default-information originate” command.

QUESTION 214
Which two statements are true about 6to4 tunnels? (Choose two.)

A. In a 6to4 tunnel, the first two bytes of the IPv6 address will be 2002 and the next four bytes will be the
hexadecimal equivalent of the IPv4 address.
B. In a 6to4 tunnel, the first two bytes of the IPv6 address will be locally derived and the next two bytes will
be the hexadecimal equivalent of the IPv4 address.
C. In a 6to4 tunnel, the IPv4 address 192.168.99.1 would be converted to the 2002:c0a8:6301::/48 IPv6
address.
D. In a 6to4 tunnel, the IPv4 address 192.168.99.1 would be converted to the 2002:c0a8:6301::/16 IPv6
address.
E. In a 6to4 tunnel, the IPv4 address 192.168.99.1 would be converted to the 2002:1315:4463:1::/64 IPv6
address.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
In a 6to4 tunnel, the first two bytes of the IPv6 address will be 0x2002 and the next four bytes will be the
hexadecimal equivalent of the IPv4 address. The IPv4 address 192.168.99.1 would be converted to the
2002:c0a8:6301::/48 IPv6 address.
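
The 6to4 derivation above and the IPv4-mapped decoding asked for in Question 210, as an added Python example that is not part of the original page. It uses only the standard ipaddress module; the function names are this example's own, and 2001:db8::1 is a constructed control value.

```python
"""Added illustration: IPv4 addresses embedded in 6to4 and IPv4-mapped IPv6 addresses."""
import ipaddress


def sixtofour_prefix(ipv4):
    """Build the 6to4 site prefix: 16 bits of 0x2002, then the 32-bit IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    value = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((value, 48))


def embedded_ipv4(ipv6):
    """Return (kind, dotted IPv4) for an IPv4-mapped or 6to4 address, else (None, None)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr.ipv4_mapped is not None:          # ::ffff:0:0/96
        return "ipv4-mapped", str(addr.ipv4_mapped)
    if addr.sixtofour is not None:            # 2002::/16
        return "6to4", str(addr.sixtofour)
    return None, None


def mapped_notation(ipv6):
    """Render an IPv4-mapped address in the mixed ::ffff:a.b.c.d form."""
    kind, v4 = embedded_ipv4(ipv6)
    if kind != "ipv4-mapped":
        raise ValueError(f"{ipv6} is not an IPv4-mapped address")
    return f"::ffff:{v4}"


def is_6to4_prefix_for(ipv4, claimed):
    """True only if 'claimed' is exactly the /48 6to4 prefix of 'ipv4'."""
    # strict=False so that a prefix with host bits set (option D's /16) parses
    # and then simply fails the comparison instead of raising.
    return ipaddress.IPv6Network(claimed, strict=False) == sixtofour_prefix(ipv4)


if __name__ == "__main__":
    print(sixtofour_prefix("192.168.99.1"))
    print(mapped_notation("::ffff:AC11:AC11"))
    for option in ("2002:c0a8:6301::/48", "2002:c0a8:6301::/16", "2002:1315:4463:1::/64"):
        print(option, is_6to4_prefix_for("192.168.99.1", option))
    # The last option does embed an IPv4 address, just not 192.168.99.1.
    print(embedded_ipv4("2002:1315:4463:1::1"))
    print(embedded_ipv4("2001:db8::1"))       # constructed control: nothing embedded
```
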

QUESTION 215
What does the command clear ipv6 ospf process accomplish? Select the best response.

A. The OSPF adjacencies are cleared and initiated again.
B. The route table is cleared. Then the OSPF neighbors are reformed.
C. The shortest path first (SPF) algorithm is performed on the LSA database.
D. The OSPF database is repopulated. Then the shortest path first (SPF) algorithm is performed.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The command "clear ipv6 ospf" will clear the present routing table and force the OSPFv3 process to build a
new one. This command is often used when something in the network was changed or for debugging
purposes.

When the "process" keyword is added, which means "clear ipv6 ospf process", the OSPF database is
cleared and repopulated then the SPF algorithm is performed.

QUESTION 216
When implementing OSPFv3, which statement describes the configuration of OSPF areas? Select the best
response.

A. In interface configuration mode, the OSPFv3 area ID combination assigns interfaces to OSPFv3 areas.
B. In router configuration mode, the network wildcard area ID combination assigns networks to OSPFv3
areas.
C. In interface configuration mode, the IPv6 OSPF process area ID combination assigns interfaces to
OSPFv3 areas.
D. In router configuration mode, the IPv6 OSPF interface area ID combination assigns interfaces to
OSPFv3 areas.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 217
You have implemented mutual route redistribution between OSPF and EIGRP on a border router. When
checking the routing table on one of the OSPF routers within the OSPF routing domain, you are seeing
some, but not all of the expected routes. Which two things should you verify to troubleshoot this problem?
(Choose two.)

A. The border router is using a proper seed metric for OSPF.
B. The border router is using a proper seed metric for EIGRP.
C. The administrative distance is set for OSPF and EIGRP.
D. The missing EIGRP routes are present in the routing table of the border router.
E. The subnet keyword on the border router in the redistribute EIGRP command.

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
We are checking the routing table on EIGRP routers not OSPF so we don’t need to check the seed metric
for OSPF. Besides OSPF doesn’t need to specify seed metric as all external routes get a default metric of
20 (except for BGP, which is 1) -> A is not correct.

We must specify seed metrics when redistributing into EIGRP (and RIP). If we do not, none of the redistributed
routes will be seen, but the question says only some routes are missing -> B is not correct.

The default administrative distance for external routes redistributed into EIGRP is 170 so we don’t need to
set it -> C is not correct.

We should check the routing table of the border router to see whether the missing OSPF routes are there. An
incorrect distribute-list can block some routes, and then we can’t see them on the other EIGRP routers -> D is correct.

--------------------------------------------------------

Answer D is obvious: we should check that all the routes we want to redistribute are present in the routing
table of the border router. Let’s discuss answer E.

A rule of thumb when redistributing into OSPF is we should always include the “subnets” keyword after the
redistributed route. For example:

router ospf 1
 redistribute eigrp 100 subnets

This keyword makes sure all of the routes, including subnets, are redistributed correctly into OSPF. For
example these routes are learned via EIGRP:

+ 192.168.1.0/24
+ 192.168.2.0/25
+ 192.168.3.0/26

Then without the keyword “subnets”, only 192.168.1.0/24 network is redistributed into OSPF.

QUESTION 218
What is the NHRP role in DMVPN? (Choose two.)

A. Obtains the next-hop to be used for routing
B. Routes the packet through the tunnel
C. Identifies the PIM-SM RP used to route the packet
D. Can authenticate VPN endpoints
E. It requires each tunnel endpoint to have a unique network ID

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 219
Which two statements about EVNs are true? (Choose two.)

A. VRFs using MPLS require a trunk interface that uses EVN
B. VRF-Lite requires a trunk interface that uses EVN
C. All EVNs within a trunk interface can share the same IP infrastructure
D. Each EVN within a trunk interface must be configured separately
E. Commands that are specified once under a trunk interface can be inherited by all EVNs

Correct Answer: CE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 220
A network administrator uses GRE over IPSec to connect two branches together via VPN tunnel. Which
one of the following is the reason for using GRE over IPSec?

A. GRE over IPSec provides better QoS mechanism and is faster than other WAN technologies
B. GRE over IPSec decreases the overhead of the header.
C. GRE supports use of routing protocol, while IPSec supports encryption.
D. GRE supports encryption, while IPSec supports use of routing protocol.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Following are the management protocols that the MPP feature supports.
These management protocols are also the only protocols affected when MPP is enabled.

QUESTION 221
Which statement is true about an IPsec/GRE tunnel?

A. The GRE tunnel source and destination addresses are specified within the IPsec transform set.
B. An IPsec/GRE tunnel must use IPsec tunnel mode.
C. GRE encapsulation occurs before the IPsec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 222
For a GRE tunnel to be up between two routers, which of the following must be configured?

A. Loopback Interface
B. IP reachability between the loopback interfaces
C. Dynamic Routing between routers.
D. Tunnel interfaces must be in the same subnet.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 223
Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel was configured,
but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?


A. The crypto isakmp configuration is not correct.
B. The crypto map configuration is not correct.
C. The interface tunnel configuration is not correct.
D. The network 172.16.1.0 is not included in the OSPF process

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The address of the crypto isakmp key should be 192.168.1.2, not 172.16.1.2 -> A is correct.

QUESTION 224
Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel was configured,
but the tunnel is not coming up.

What did the TAC engineer configure incorrectly?


A. The crypto map is not configured correctly
B. The crypto ACL is not configured correctly.
C. The crypto map is not applied to the correct interface.
D. The OSPF network is not configured correctly.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The access-list must also support GRE traffic with the “access-list 102 permit gre host 192.168.1.1 host
192.168.2.1” command -> B is correct.

Below is the correct configuration for GRE over IPsec on router B1 along with descriptions.

QUESTION 225
Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel was configured,
but the tunnel is not coming up.

What did the TAC engineer configure incorrectly?


A. The crypto isakmp configuration is not correct.
B. The crypto map configuration is not correct.
C. The network 172.16.1.0 is not included in the OSPF process.
D. The interface tunnel configuration is not correct.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The “tunnel destination” in interface tunnel should be 192.168.1.2, not 172.16.1.2 -> D is correct.

QUESTION 226
Refer to the exhibit. A user calls from another branch office with a request to establish a simple VPN tunnel to
test a new router's tunneling capability. Based on the configuration in the exhibit, which type of tunnel was
configured?

A. PPTP
B. IPsec site-to-site
C. 6to4
D. EZVPN

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 227
Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a GRE and
IPsec tunnel, over the DSL connection, destined for an Enterprise network. Which of the following answers
best describes the router's logic that tells the router, for a given packet, to apply GRE encapsulation to the
packet?

A. When the packet received on the LAN interface is permitted by the ACL listed on the tunnel gre acl
command under the incoming interface
B. When routing the packet, matching a route whose outgoing interface is the GRE tunnel interface
C. When routing the packet, matching a route whose outgoing interface is the IPsec tunnel interface
D. When permitted by an ACL that was referenced in the associated crypto map

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
As for the correct answer: the process of routing a packet out a GRE tunnel interface triggers the GRE
encapsulation action.

As for the incorrect answers: There is no tunnel gre acl command. There is no IPsec tunnel interface.
Finally, one answer refers to logic that would describe a router's logic when determining whether to
encapsulate a packet into an IPsec tunnel.

QUESTION 228
What is a key benefit of using a GRE tunnel to provide connectivity between branch offices and
headquarters?

A. Authentication, integrity checking, and confidentiality


B. Less overhead
C. Dynamic routing over the tunnel
D. Granular QoS support
E. Open standard
F. Scalability

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Generic routing encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide variety
of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote
points over an IP internetwork.

QUESTION 229
Which two statements about GRE tunnel interfaces are true? (Choose two.)

A. A tunnel can be established when the source interface is in the up/down state
B. A tunnel destination must be routable, but it can be unreachable
C. To establish a tunnel, the source interface must be a loopback
D. To establish a tunnel, the source interface must be in the up/up state
E. A tunnel destination must be a physical interface that is in the up/up state

Correct Answer: BD
Section: Mix Questions
Explanation

Explanation/Reference:
Reference:
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

QUESTION 230
Which two statements about EVN are true? (Choose two.)

A. Virtual network tags are assigned per-VRF.
B. It is supported only on access ports.
C. Virtual network tags are assigned globally.
D. Routing metrics can be manipulated only from directly within the routing-context configuration.
E. The VLAN ID in the 802.1q frame carries the virtual network tag.
F. The VLAN ID in the ISL frame carries the virtual network tag.

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 231
Which two GRE features can you configure to prevent fragmentation? (Choose two.)

A. TCP MSS
B. DF Bit Clear
C. IP MTU
D. PMTUD
E. MTU ignore
F. UDP windows sizes

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:
Reference:
https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

QUESTION 232
When the tunnel interface is configured in default mode, which statement about routers and the tunnel
destination address is true?

A. The router must have a route installed towards the tunnel destination
B. The router must have WCCP redirects enabled inbound from the tunnel destination
C. The router must have Cisco Discovery Protocol enabled on the tunnel to form a CDP neighborship with
the tunnel destination
D. The router must have redirects enabled outbound towards the tunnel destination

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 233
One of the AAA authentication PPP methods, if PAP is used, is ____.

A. krb5
B. ssl
C. transliteration methods
D. UPN

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Uses Kerberos 5 for authentication (can only be used for PAP authentication)

QUESTION 234
What should be configured on routers in case TACACS+ authentication fails? (Choose two.)

A. Configure local username and password
B. Include ‘local’ keyword in AAA config
C. aaa accounting exec default start-stop tacacs+
D. ip ssl certificate-data-file tftp 192.168.9.210 certfile

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
device(config)#enable telnet authentication
device(config)#aaa authentication login default tacacs local

The commands above cause TACACS/TACACS+ to be the primary authentication method for securing
Telnet/SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server,
authentication is performed using local user accounts instead.

Reference:
http://www.brocade.com/content/html/en/configuration-guide/FI_08030_SECURITY/GUID-162894DA-A189-4A10-AE28-BD31214D62BA.html

QUESTION 235
Which two statements about password-protecting device access are true? (Choose two.)

A. The more system: running-config command displays encrypted passwords in clear text
B. The service password-encryption command forces a remote device to encrypt the password before
transmitting it
C. A network administrator can recover an encrypted password
D. The privilege level command controls the commands a specific user can execute
E. The password can be encrypted in the running configuration

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 236
The Cisco SA 500 Series Security Appliances are built specifically for businesses with less than 100
employees. What are three important benefits of this device? (Choose three.)

A. Business-grade firewall
B. Premium support via SMART net
C. Site-to-site VPN for remote offices
D. Cisco IOS software-based
E. Email security
F. XML support

Correct Answer: ACE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 237
Which two methods use IPsec to provide secure connectivity from the branch office to the headquarters
office? (Choose two.)

A. DMVPN
B. MPLS VPN
C. Virtual Tunnel Interface (VTI)
D. SSL VPN
E. PPPoE

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPSec VPNs by
combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution
Protocol (NHRP) to provide users with easy configuration through crypto profiles, which override the
requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints.

The use of VTI greatly simplifies the configuration process when you need to configure IPsec. A major
benefit associated with IPsec VTIs is that the configuration does not require a static mapping of IPsec
sessions to a physical interface.

Reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml

QUESTION 238
What are two protocols used for user authentication on a network device?

A. CHAP
B. Radius
C. 802.1x
D. PAP
E. TACACS+

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 239
Other than a working EIGRP configuration, which components must be the same on all routers for EIGRP
authentication key rollover to work correctly?

A. SMTP
B. time
C. SNMP
D. passwords

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 240
Which of the following are characteristics of TACACS+? (Choose two.)

A. Uses UDP
B. Encrypts an entire packet
C. Offers robust accounting
D. Cisco-proprietary

Correct Answer: BD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
CHARACTERISTICS OF TACACS+
1-TACACS+ encrypts the entire body of the packet
2-TACACS+ uses TCP
3-TACACS+ uses the AAA architecture, which separates AAA
4-TACACS+ offers multiprotocol support.
5-TACACS+ is Cisco proprietary protocol
6-TACACS+ is a heavy-weight protocol consuming more resources
7-TACACS+ uses TCP port
8-Mainly used for Device Administration
9-TACACS+ supports 15 privilege levels

Reference:
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

QUESTION 241
Which access list is used to filter upper-layer protocols?

A. Extended ACL
B. Standard ACL
C. Reflexive acl
D. Time based acl
E. Dynamic acl

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Remember the three Ps: per protocol, per direction, and per interface.

One ACL per protocol- To control traffic flow on an interface an ACL must be defined for each protocol
enabled on the interface (example IP, IPX, AppleTalk)
One ACL per direction- ACLs control traffic in one direction at one time on an interface. You must create
two separate ACLs to control traffic in both inbound and outbound connections.
One ACL per interface- ACLs control traffic for an interface such as Fast Ethernet.

Dynamic ACLs

Dynamic or lock-and-key ACLs are available for Internet Protocol traffic only. Dynamic ACLs start with the
application of an extended ACL to block traffic through the router.

Common reasons to use Dynamic ACLs are:

When you want a specific remote user or group of remote users to access a host within your network.
Connecting to the outside of your network (Internet) Lock-and-key authenticates the user and then permits
limited access through your firewall router.
You want a subset of hosts on a local network to access a host from a remote network that is protected by
a firewall.
Lock-and-key requires users to authenticate through an AAA, TACACS server or other security server
before it allows access.

Reflexive ACLs

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are generally
used to allow outbound traffic and to limit inbound traffic by using sessions that originate inside the router.
When a router sees a new outbound connection it adds an entry to a temporary ACL to allow replies back
into the network. Reflexive ACLs can be defined only with an extended named IP ACL. They cannot be
defined with numbered or standard named ACLs or with other protocols.

Time-Based ACLs

Time-Based ACLs are like extended ACLs in function, but they allow access control based on time. To use
time-based ACLs you create a time range that defines specific times of the day and days of the week. You
use the time range with a name and then refer to it by a function. The time range relies on the router
system clock. This feature works with NTP (Network Time Protocol) synchronization, but the router clock
can also be used.

Numbered ACL

You can assign a number based on whether your ACL is standard or extended

1 to 99 and 1300 to 1999 are Standard IP ACL
100 to 199 and 2000 to 2699 are Extended IP ACL
You cannot add or delete entries within the ACL (You have to totally delete the ACL in order to edit it)

Named ACL

You can assign names to the ACL instead of numbers.

Names can contain alphanumeric characters
Recommended to type the name in all CAPITAL LETTERS
Names cannot contain spaces or punctuation and must begin with an alphabetic character
You can add or delete entries within the ACL
You can specify whether the ACL is standard or extended

QUESTION 242
Which allows website access between certain times?

A. Filters using Time-Based ACLs
B. Standard ACL
C. Extended ACL
D. Reflexive ACL

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 243
Which configuration is applied to a device so that it blocks outbound web traffic on Saturdays and Sundays
between the hours of 1:00 AM and 11:59 PM?

A. time-range SATSUN absolute Saturday Sunday 1:00 to 23:59
access-list 102 deny tcp any any eq 80 time-range SATSUN
access-list 102 deny tcp any any eq 443 time-range SATSUN
interface Vlan303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in
B. time-range SATSUN periodic Saturday Sunday 1:00 to 23:59
access-list 102 deny tcp any any eq 80 time-range SATSUN
access-list 102 deny tcp any any eq 443 time-range SATSUN
interface VLAN303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in
C. time-range SATSUN periodic Saturday Sunday 1:00 to 11:59
access-list 102 deny tcp any any eq 80 time-range SATSUN
access-list 102 deny tcp any any eq 443 time-range SATSUN
interface Vlan303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 in
D. time-range SATSUN periodic Saturday Sunday 1:00 to 23:59
access-list 102 deny udp any any eq 80 time-range SATSUN
access-list 102 deny tcp any any eq 443 time-range SATSUN
interface Vlan303
ip address 10.9.5.3 255.255.255.0
ip access-group 102 out

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 244
Refer to Exhibit.


Which two reasons for IP SLA tracking failure are likely true? (Choose two.)

A. The source-interface is configured incorrectly.
B. The destination must be 172.30.30.2 for icmp-echo.
C. A route back to the R1 LAN network is missing in R2.
D. The default route has wrong next hop IP address.
E. The threshold value is wrong.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 245
What is the minimum level that displays a log message when an ACL drops an incoming packet?

A. 4
B. 5
C. 3
D. 7
E. 6

Correct Answer: E
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 246
Which Netflow version supports MPLS?

A. None
B. All of them
C. Version 8 and 9
D. Version 9

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
MPLS-aware NetFlow uses the NetFlow Version 9 export format. If you are exporting MPLS data to a
NetFlow collector or a data analyzer, the collector must support NetFlow Version 9 flow export format, and
you must configure NetFlow export in Version 9 format on the router.
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf25.html

QUESTION 247
Which option is a prerequisite for stateful NAT64?

A. IPsec for IPv6
B. DNS64
C. Application Layer Gateway
D. ICMP64

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 248
Which of the following are features of Netflow version 9?

A. Cisco proprietary
B. IEEE standard
C. IETF standard
D. ingress
E. egress
F. ingress/egress

Correct Answer: CF
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 249
What do we prioritize with LLQ?

A. Voice
B. Data
C. Video
D. Queues

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Low Latency Queueing with Priority Percentage Support

Specifying the Bandwidth Percentage: Example


The following example uses the priority percent command to specify a bandwidth percentage of 10 percent
for the class called voice-percent. Then the bandwidth remaining percent command is used to specify a
bandwidth percentage of 30 percent for the class called data1, and a bandwidth percentage of 20 percent
for the class called data2.

Router> enable
Router# configure terminal
Router(config)# policy-map policy1
Router(config-pmap)# class voice-percent
Router(config-pmap-c)# priority percent 10
Router(config-pmap-c)# class data1
Router(config-pmap-c)# bandwidth remaining percent 30
Router(config-pmap-c)# class data2
Router(config-pmap-c)# bandwidth remaining percent 20
Router(config-pmap-c)# end

As a result of this configuration, 10 percent of the interface bandwidth is guaranteed for the class called
voice-percent. The classes called data1 and data2 get 30 percent and 20 percent of the remaining
bandwidth, respectively.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12sllqpc.html

QUESTION 250
Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a GRE and
IPsec tunnel, over the DSL connection, and into the core of an Enterprise network. The branch also allows
local hosts to communicate directly with public sites in the Internet over this same DSL connection. Which
of the following answers defines how the branch NAT config avoids performing NAT for the Enterprise
directed traffic but does perform NAT for the Internet-directed traffic?

A. By not enabling NAT on the IPsec tunnel interface
B. By not enabling NAT on the GRE tunnel interface
C. By configuring the NAT-referenced ACL to not permit the Enterprise traffic
D. By asking the ISP to perform NAT in the cloud

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The NAT configuration acts only on packets permitted by a referenced ACL. As a result, the ACL can
permit packets destined for the Internet, performing NAT on those packets. The ACL also denies packets
going to the Enterprise, meaning that the router does not apply NAT to those packets.

QUESTION 251
Which two address types are included in NAT?

A. Inside global
B. Global outside
C. Outside internet
D. Inside internet
E. Outside local

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 252
Refer to the exhibit. Given the partial configuration in the exhibit, which IPv6 statement is true?

A. The configuration is an example of an encrypted IPv6 VPN tunnel.
B. The configuration is an example of a one to one IPv6 tunnel.
C. The configuration is an example of a 6to4 tunnel.
D. The configuration is an example of a 4to6 tunnel.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 253
The network engineer types the following commands in a router:

logging host 172.16.10.12
logging trap 5

What do these commands do?

A. Export messages of notifications for an external server
B. Show notifications in cli
C. Sends info to host 172.16.10.12 with notifications less than or equal to 5
D. Sends info to host 172.16.10.12 with notifications greater than or equal to 5

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 254
Which SNMP version provides both encryption and authentication?

A. SNMPv4
B. SNMPv2c
C. SNMPv3
D. SNMPv1

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 255
Refer to the Exhibit.

Which statement about the configuration on the Cisco router is true?

A. The router sends only NTP traffic using the loopback interface, and it disables eth0/0 from sending NTP
traffic.
B. Eth0/0 sends NTP traffic on behalf of the loopback interface
C. The router sends only NTP traffic, using the eth0/0 interface, and it disables loopback0 from sending
NTP traffic.
D. The router never sends NTP traffic, as using the loopback interface for NTP traffic is not supported on
IOS routers.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 256
Which option to the command service timestamps debug enables the logging server to capture the greatest
amount of information from the router?

A. Uptime
B. Show-timezone
C. Year
D. msec

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The “msec” keyword enables millisecond (msec) timestamps for the debug, which indicates the date and
time according to the system clock in the format MMM DD HH:MM:SS.

Reference:
https://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html

QUESTION 257
Which option can you use to monitor voice traffic when configuring an IP SLA?

A. udp-jitter
B. tcp-jitter
C. ip sla logging traps
D. ip sla reaction-configuration

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 258
Technologies used in preparing Service Provider IPv6? (Choose two.)

A. 6ND
B. 6RD
C. 6VPE
D. VRF-Lite
E. DS-Lite
F. Dual-stack

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 259
What show command is used here?

TCB       Local Address     Foreign Address   (state)
6523A4FC  10.1.25.3.11000   10.1.25.3.23      ESTAB
65239A84  10.1.25.3.23      10.1.25.3.11000   ESTAB
653FCBBC  *.1723            *.*               LISTEN

A. show tcp brief


B. show tcp brief all
C. show tcp brief numeric
D. show tcp brief ip

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The following example shows the IP activity and the addresses in DNS hostname format.

Router# show tcp brief all

TCB       Local Address            Foreign Address          (state)
36AE9520  a00.lsanca04.us..37888   a02.lsanca04.us..179     ESTAB
36B861F8  a00.lsanca04.us..23      gnat.cisco.com.33908     ESTAB
32F0A0A4  a00.lsanca04.us..179     a01.lsanca04.us..11002   ESTAB
369CEAD4  a00.lsanca04.us..23      gnat.cisco.com.33948     ESTAB
36B873A8  ge-1-2.a00.lsanc.11266   d3-0-1-0.r01.roc.23      ESTAB
35C918A4  a00.lsanca04.us..179     a03.lsanca04.us..1035    ESTAB

The following example shows the IP activity by using the numeric keyword to display the addresses in IP
format.

Router# show tcp brief numeric

TCB       Local Address      Foreign Address    (state)
6523A4FC  10.1.25.3.11000    10.1.25.3.23       ESTAB
65239A84  10.1.25.3.23       10.1.25.3.11000    ESTAB
653FCBBC  *.1723             *.*                LISTEN

QUESTION 260
Under which circumstance will a branch ISR router contain interface vlan configurations?

A. Performing inter-VLAN routing
B. Performing 802.1Q trunking
C. Performing ISL trunking
D. Ethernet Switch Module installed
E. ADSL WIC installed
F. Running Call Manager Express

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
In smaller offices, a single ISR may be used for both remote connectivity and inter-VLAN routing. In that
case, know that an Ethernet Switch Module would be required for the ISR router.

QUESTION 261
How do you set up IP SLA to monitor bandwidth between certain limits?

A. Timer
B. Frequency
C. Threshold
D. Queue-limit

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 262
Which command is used to check IP SLA when an interface is suspected to receive lots of traffic with
options?

A. Show track
B. Show threshold
C. Show timer
D. Show delay

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 263
Where will the output of the command debug condition interface fa0/1 be shown?

A. It will show on interface f0/1
B. It will show on interface f0/0
C. Both interfaces will show debugging output
D. An interface cannot be used as condition

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The “debug condition interface <interface>” command is used to disable debugging messages
for all interfaces except the specified interface, so in this case the debug output will be shown on the Fa0/1
interface only.

Note: If in this question there was another “debug condition interface fa0/0” command configured then the
answer should be C (both interfaces will show debugging output).

QUESTION 264
A network engineer executes the show ip sla statistics command.
What does the output of this command show?

A. Operation availability
B. Device CPU utilization
C. Interface packet statistics
D. Packet sequencing

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 265
Which alerts will be seen on the console when running the command: logging console warnings?

A. Warnings only
B. Warnings, notifications, error, debugging, informational
C. Warnings, errors, critical, alerts, emergencies
D. Notifications, warnings, errors
E. Warnings, errors, critical, alerts

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 266
A network engineer is asked to create an SNMP-enabled proactive monitoring solution to ensure that jitter
levels remain between particular boundaries.
Which IP SLA option should the engineer use?

A. Threshold
B. Frequency
C. Verify-data
D. Timeout

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 267
IP SLA network with a configuration snippet

A. Apply the ipv6 acl under a vty
B. Ip access-class
C. Ipv6 access class
D. Access-list IN
E. Access-list OUT

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html

QUESTION 268
Given ((diagram with R1 SLA config)) with the configuration written on the picture as:

R1(Config)#ip sla 1
R1(Config-ip-sla)#icmp-echo 172.20.20.2 source-interface f1/0
R1(Config-ip-sla)#frequency 10
R1(Config-ip-sla)#threshold 100
R1(Config)#ip sla schedule 1 start-time now life forever
R1(Config)#track 10 ip sla ???-
R1(Config)#ip route 0.0.0.0 0.0.0.0 172.20.20.2

What causes the default route not to be removed when the SLA state is down or failed?

A. The destination must be 172.30.30.2 for icmp-echo
B. The threshold value is wrong
C. Missing of track feature on default static route command

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Remember: If you want to use the “state”, remember that the “track state” will also be down if the
threshold is reached.

Note: with Cisco IOS Release 12.4(20)T, 12.2(33)SXI1, 12.2(33)SRE and Cisco IOS XE Release 2.4, the
track rtr command is replaced by the track ip sla command. See the track ip sla command for more
information.

Reference:
http://www.ciscozine.com/using-ip-sla-to-change-routing/

QUESTION 269
Which option must be configured on a target device to use time stamping to accurately represent response
times using IP SLA?

A. Responder
B. Jitter value
C. TCP Connect
D. ICMP Echo

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 270
Refer to the exhibit.
A network engineer receives a command output from a customer that indicates an issue with. What are two
reasons for the output? (Choose two.)

A. NTP traffic is blocked.
B. NTP is not configured.
C. The router is the NTP master.
D. NTP update-calendar is missing.
E. There is an NTP authentication failure.

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
NTP uses a value, called a stratum value, to indicate the believability of a time source.
Valid stratum values are in the range 0-15, with a value of 16 being used to indicate that a device does not
have its time synchronized. However, Cisco IOS only permits you to set stratum values in the range 1-15.

QUESTION 271
Where can NetFlow export data for long term storage and analysis?

A. Syslog
B. Collector
C. Another network device
D. Flat file

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 272
Which option is the first task that a device that is configured with NAT64 performs when it receives an
incoming IPv6 packet that matches the stateful NAT64 prefix?

A. It translates the IPv6 header into an IPv4 header.
B. It checks the IPv6 packet against the NAT64 stateful prefix.
C. It translates the IPv6 source address to an IPv4 header.
D. It translates the IPv4 destination address into a new NAT64 state.
E. It performs an IPv6 route lookup.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 273
When do you use NPTv6 for IPv6-to-IPv6 address translation? (Choose two.)

A. Stateful address translation
B. A limit of 32 1-to-1 translations
C. Lack of overloading functionality
D. Identify all interface NAT inside or outside
E. One-to-one prefix rewrite
F. Mismatched prefix allocations

Correct Answer: CE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 274
Which command do you enter to display log messages with a timestamp that includes the length of time
since the device was last rebooted?

A. Service timestamps log uptime
B. Logging facility 20
C. Service timestamps debugging localtime msec
D. Logging console errors
E. Logging monitor 7
F. Service timestamps log datetime msec

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 275
Which SNMP verification command shows the encryption and authentication protocols that are used in
SNMPv3?

A. Show snmp group
B. Show snmp user
C. Show snmp
D. Show snmp view

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 276
Up/down interface... what is the log severity level?

A. Level 3
B. Level 4
C. Level 5
D. Level 0

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

QUESTION 277
Which NAT command do you enter to disable dynamic ARP learning on an interface?

A. R(config-if)# ip nat enable
B. R(config-if)# ip nat inside
C. R(config-if)# ip nat outside
D. R(config)# ip nat allow-static-host
E. R(config)# ip nat service

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 278
Your company uses Voice over IP (VoIP). The system sends UDP datagrams containing the voice data
between communicating hosts. When areas of the network become busy, some of the datagrams arrive at
their destination out of order. What happens when this occurs?

A. UDP will send an ICMP Information request message to the source host.
B. UDP will pass the information in the datagrams up to the next OSI layer in the order in which they arrive.
C. UDP will drop the datagrams that arrive out of order.
D. UDP will use the sequence numbers in the datagram headers to reassemble the data into the correct
order.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

QUESTION 279
A network engineer is troubleshooting connectivity issues with a directly connected RIPng neighbor. Which
command displays directly connected RIPng neighbor adjacencies only?

A. Router#show ipv6 rip next-hops
B. Router#show ip rip neighbors
C. Router#show ipv6 routers
D. Router#show ipv6 rip database

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 280
Which three NTP operating modes must the trusted-key command be configured on for authentication to
operate properly? (Choose three.)

A. Interface
B. Client
C. Peer
D. Server
E. Broadcast
F. Stratum

Correct Answer: BCE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Client/Server Mode
Configuring an association in client mode, usually indicated by a server declaration in the configuration file,
indicates that one wishes to obtain time from the remote server, but that one is not willing to provide time to
the remote server.

Symmetric Active/Passive Mode (Peer)
A peer is configured in symmetric active mode by using the peer command and specifying the DNS name
or address of the other peer. The other peer is also configured in symmetric active mode in this way.
Note: If the other peer is not specifically configured in this way, a symmetric passive association is activated
upon arrival of a symmetric active message. Since an intruder can impersonate a symmetric active peer
and inject false time values, symmetric mode should always be authenticated.

Broadcast and/or Multicast Mode
Broadcast mode is intended for configurations involving one or a few servers and a potentially large client
population. A broadcast server is configured using the broadcast command and a local subnet address. A
broadcast client is configured using the broadcastclient command, allowing the broadcast client to respond
to broadcast messages received on any interface. Since an intruder can impersonate a broadcast server
and inject false time values, this mode should always be authenticated.

QUESTION 281
Which two types of threshold can you configure for tracking objects? (Choose two.)

A. Percentage
B. MTU
C. Bandwidth
D. Weight
E. Delay
F. Administrative distance

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Object Track List

An object track list allows you to track the combined states of multiple objects. Object track lists support the
following capabilities:

- Boolean "and" function: Each object defined within the track list must be in an up state so that the track
list object can become up.

- Boolean "or" function: At least one object defined within the track list must be in an up state so that the
tracked object can become up.

- Threshold percentage: The percentage of up objects in the tracked list must be greater than the
configured up threshold for the tracked list to be in the up state. If the percentage of down objects in the
tracked list is above the configured track list down threshold, the tracked list is marked as down.

- Threshold weight: Assign a weight value to each object in the tracked list, and a weight threshold for
the track list. If the combined weights of all up objects exceed the track list weight up threshold, the track
list is in an up state. If the combined weights of all the down objects exceed the track list weight down
threshold, the track list is in the down state.

QUESTION 282
A router was configured with the eigrp stub command.
The router advertises which types of routes?

A. Connected, static, and summary
B. Static and summary
C. Connected and static
D. Connected and summary

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 283
Consider this scenario. TCP traffic is blocked on port 547 between a DHCPv6 relay agent and a DHCPv6
server that is configured for prefix delegation.
Which two outcomes will result when the relay agent is rebooted? (Choose two.)

A. Routers will not obtain DHCPv6 prefixes.
B. DHCPv6 clients will be unreachable.
C. Hosts will not obtain DHCPv6 addresses.
D. The DHCPv6 relay agent will resume distributing addresses.
E. DHCPv6 address conflicts will occur on downstream clients.

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
DHCPv6 uses the UDP protocol to distribute IPv6 addresses and prefixes. The routers do not need the
DHCPv6 prefixes from the DHCPv6 server; that is work for the network administrator. DHCPv6 messages are
exchanged over UDP ports 546 and 547. Clients listen for DHCP messages on UDP port 546 while servers
and relay agents listen for DHCP messages on UDP port 547. The basic message format is as follows:

dhcpv6-client 546/tcp DHCPv6 Client
dhcpv6-client 546/udp DHCPv6 Client
dhcpv6-server 547/tcp DHCPv6 Server
dhcpv6-server 547/udp DHCPv6 Server

Client -> Server messages (msg-type):
Solicit, Request, Confirm, Renew, Rebind, Release, Decline, Information-Request
Server -> Client messages (msg-type):
Advertise, Reply, Reconfigure
Relay -> Relay/Server messages (msg-type):
Relay-Forw
Server/Relay -> Relay (msg-type):
Relay-Reply

SOLICIT (1)
A DHCPv6 client sends a Solicit message to locate DHCPv6 servers.

ADVERTISE (2)
A server sends an Advertise message to indicate that it is available for DHCP service, in response to a
Solicit message received from a client.

REQUEST (3)
A client sends a Request message to request configuration parameters, including IP addresses or
delegated prefixes, from a specific server.

CONFIRM (4)
A client sends a Confirm message to any available server to determine whether the addresses it was
assigned are still appropriate to the link to which the client is connected. This could happen when the client
detects either a link-layer connectivity change or if it is powered on and one or more leases are still valid.
The confirm message is used to confirm whether the client is still on the same link or whether it has been
moved. The actual lease(s) are not validated; just the prefix portion of the addresses or delegated prefixes.

RENEW (5)
A client sends a Renew message to the server that originally provided the client's addresses and
configuration parameters to extend the lifetimes on the addresses assigned to the client and to update
other configuration parameters.

REBIND (6)
A client sends a Rebind message to any available server to extend the lifetimes on the addresses assigned
to the client and to update other configuration parameters; this message is sent after a client receives no
response to a Renew message.

REPLY (7)
A server sends a Reply message containing assigned addresses and configuration parameters in response
to a Solicit, Request, Renew, Rebind message received from a client. A server sends a Reply message
containing configuration parameters in response to an Information-request message. A server sends a
Reply message in response to a Confirm message confirming or denying that the addresses assigned to
the client are appropriate to the link to which the client is connected. A server sends a Reply message to
acknowledge receipt of a Release or Decline message.

RELEASE (8)
A client sends a Release message to the server that assigned addresses to the client to indicate that the
client will no longer use one or more of the assigned addresses.

DECLINE (9)
A client sends a Decline message to a server to indicate that the client has determined that one or more
addresses assigned by the server are already in use on the link to which the client is connected.

RECONFIGURE (10)
A server sends a Reconfigure message to a client to inform the client that the server has new or updated
configuration parameters, and that the client is to initiate a Renew/Reply or Information-request/Reply
transaction with the server in order to receive the updated information.

INFORMATION-REQUEST (11)
A client sends an Information-request message to a server to request configuration parameters without the
assignment of any IP addresses to the client.

RELAY-FORW (12)
A relay agent sends a Relay-forward message to relay messages to servers, either directly or through
another relay agent. The received message, either a client message or a Relay-forward message from
another relay agent, is encapsulated in an option in the Relay-forward message.

RELAY-REPL (13)
A server sends a Relay-reply message to a relay agent containing a message that the relay agent delivers
to a client. The Relay-reply message may be relayed by other relay agents for delivery to the destination
relay agent. The server encapsulates the client message as an option in the Relay-reply message, which
the relay agent extracts and relays to the client.
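
The message types and relay encapsulation described above, as an added Python example that is not part of the original exam material: it decodes the msg-type, unwraps nested Relay-forward/Relay-reply messages, and reports which UDP port (546 or 547) the receiver listens on, which helps when checking a capture against a port filter. The header layouts and the Relay Message option code 9 are taken from RFC 8415, not from this page; the nesting limit and the sample packets are constructed for the example.

```python
import ipaddress
import struct

# msg-type values exactly as listed in the explanation above.
MSG_TYPES = {
    1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
    6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
    11: "INFORMATION-REQUEST", 12: "RELAY-FORW", 13: "RELAY-REPL",
}
TO_CLIENT = {"ADVERTISE", "REPLY", "RECONFIGURE"}  # server -> client messages
RELAY_TYPES = {12, 13}
OPTION_RELAY_MSG = 9   # RFC 8415 option that carries the encapsulated message
MAX_NESTING = 8        # this example's own bound on relay nesting (assumption)


class DHCPv6ParseError(ValueError):
    """Raised for truncated or over-nested DHCPv6 payloads."""


def parse_options(data):
    """Return [(code, value)] for the TLV options; reject truncated ones."""
    opts, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise DHCPv6ParseError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise DHCPv6ParseError("option %d overruns the packet" % code)
        opts.append((code, data[off:off + length]))
        off += length
    return opts


def parse_dhcpv6(data, depth=0):
    """Parse a DHCPv6 UDP payload, following relay encapsulation."""
    if depth > MAX_NESTING:
        raise DHCPv6ParseError("relay nesting too deep")
    if not data:
        raise DHCPv6ParseError("empty message")
    msg_type = data[0]
    name = MSG_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type)
    if msg_type in RELAY_TYPES:
        # msg-type(1) hop-count(1) link-address(16) peer-address(16) options
        if len(data) < 34:
            raise DHCPv6ParseError("truncated relay header")
        inner = None
        for code, value in parse_options(data[34:]):
            if code == OPTION_RELAY_MSG:
                inner = parse_dhcpv6(value, depth + 1)
        return {
            "type": name,
            "hop_count": data[1],
            "link_address": str(ipaddress.IPv6Address(data[2:18])),
            "peer_address": str(ipaddress.IPv6Address(data[18:34])),
            "inner": inner,
        }
    # Client/server messages: msg-type(1) transaction-id(3) options
    if len(data) < 4:
        raise DHCPv6ParseError("truncated client/server header")
    return {
        "type": name,
        "transaction_id": int.from_bytes(data[1:4], "big"),
        "options": [code for code, _ in parse_options(data[4:])],
    }


def message_chain(data):
    """Msg-type names from the outermost relay down to the client message."""
    chain, msg = [], parse_dhcpv6(data)
    while msg is not None:
        chain.append(msg["type"])
        msg = msg.get("inner")
    return chain


def dst_port(msg_name):
    """UDP port the receiver listens on: clients 546, servers and relays 547."""
    return 546 if msg_name in TO_CLIENT else 547


def build_relay(msg_type, hop, link, peer, inner):
    """Helper that builds a relay message around an inner message (test data)."""
    header = bytes([msg_type, hop])
    header += ipaddress.IPv6Address(link).packed
    header += ipaddress.IPv6Address(peer).packed
    return header + struct.pack("!HH", OPTION_RELAY_MSG, len(inner)) + inner


# Constructed samples: a Solicit with one (shortened) Client Identifier option,
# then the same Solicit relayed through two relay agents.
SAMPLE_SOLICIT = bytes([1]) + bytes.fromhex("123456") \
    + struct.pack("!HH", 1, 4) + b"\x00\x03\x00\x01"
SAMPLE_RELAYED = build_relay(
    12, 1, "2001:db8:2::1", "fe80::2",
    build_relay(12, 0, "2001:db8::1", "fe80::1", SAMPLE_SOLICIT))

if __name__ == "__main__":
    for name in message_chain(SAMPLE_RELAYED):
        print(name, "-> UDP", dst_port(name))
```
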

QUESTION 284
When policy-based routing (PBR) is being configured, which three criteria can the set command specify?
(Choose three.)

A. All interfaces through which the packets can be routed
B. All interfaces in the path toward the destination
C. Adjacent next hop router in the path toward the destination
D. All routers in the path toward the destination
E. All networks in the path toward the destination
F. Type of service and precedence in the IP packets

Correct Answer: ACF
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The set command specifies the action(s) to take on the packets that match the criteria. You can specify any
or all of the following:

* precedence: Sets precedence value in the IP header. You can specify either the precedence number or
name.
* df: Sets the “Don’t Fragment” (DF) bit in the IP header.
* vrf: Sets the VPN Routing and Forwarding (VRF) instance.
* next-hop: Sets next hop to which to route the packet.
* next-hop recursive: Sets next hop to which to route the packet if the hop is to a router which is not
adjacent.
* interface: Sets output interface for the packet.
* default next-hop: Sets next hop to which to route the packet if there is no explicit route for this destination.
* default interface: Sets output interface for the packet if there is no explicit route for this destination.

Reference:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

QUESTION 285
Case study.

Some notes on the configuration:

+ The OSPF network type between R2&R3 is non broadcast.

Q1: Show ip ospf database
Q2: Show ip ospf interface serial 1/0
Q3: Show ip ospf
Q4: Show ip route

You have been asked to evaluate an OSPF network and to answer questions a customer has about its
operation. Note: You are not allowed to use the show running-config command.
Although in this sim we are not allowed to use the “show running-config” command, we post the
configuration here so that you can understand more about the topology.
R1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no shut
interface Serial0/0
ip address 192.168.13.1 255.255.255.0
ip ospf network non-broadcast
no shut
router ospf 1
network 192.168.13.0 0.0.0.255 area 0
network 1.1.1.1 0.0.0.0 area 0
_______________________________________
R2
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
no shut
interface S0/0
ip address 192.168.23.2 255.255.255.0
ip ospf network non-broadcast
no shut
router ospf 1
network 192.168.23.0 0.0.0.255 area 0
network 2.2.2.2 0.0.0.0 area 0
neighbor 192.168.23.3
_________________________________________________

R3
interface Loopback 0
ip address 3.3.3.3 255.255.255.255
no shut
interface fa0/0
ip address 192.168.34.3 255.255.255.0
no shut
interface S0/1
ip address 192.168.23.3 255.255.255.0
ip ospf network non-broadcast
no shut
interface S0/0
ip address 192.168.13.3 255.255.255.0
ip ospf network non-broadcast
no shut
router ospf 1
network 192.168.13.0 0.0.0.255 area 0
network 192.168.23.0 0.0.0.255 area 0
network 192.168.34.0 0.0.0.255 area 1
network 3.3.3.3 0.0.0.0 area 0
area 1 virtual-link 4.4.4.4
neighbor 192.168.23.2
_______________________________________________________________
R4
interface Loopback 0
ip address 4.4.4.4 255.255.255.255
interface FastEthernet0/0
ip address 192.168.34.4 255.255.255.0
interface Fa0/1
ip address 192.168.45.4 255.255.255.0
no shut
interface Fa1/0
ip address 192.168.46.4 255.255.255.0
no shut
router ospf 1
network 192.168.34.0 0.0.0.255 area 1
network 192.168.45.0 0.0.0.255 area 2
network 192.168.46.0 0.0.0.255 area 3
network 4.4.4.4 0.0.0.0 area 1
area 1 virtual-link 3.3.3.3
area 2 nssa
area 3 stub no-summary
_________________________________________________________________
R5
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Loopback1
ip address 5.5.1.1 255.255.255.255
interface Loopback2
ip address 5.5.2.1 255.255.255.255
interface Loopback3
ip address 5.5.3.1 255.255.255.255
interface Loopback4
ip address 5.5.4.1 255.255.255.255
no shut
interface Fa0/0
ip address 192.168.45.5 255.255.255.0
no shut
router ospf 1
network 192.168.45.0 0.0.0.255 area 2
network 5.5.0.0 0.0.255.255 area 2
area 2 nssa
_______________________________________________
R6
interface Fa0/0
ip address 192.168.46.6 255.255.255.0
no shut
interface Loopback 0
ip address 6.6.6.6 255.255.255.255
no shut
router ospf 1
network 192.168.46.0 0.0.0.255 area 3
network 6.6.6.6 0.0.0.0 area 3
area 3 stub

Which of the following statements is true about the serial links that terminate in R3?

A. The R1-R3 link needs the neighbor command for the adjacency to stay up
B. The R2-R3 link OSPF timer values are 30, 120, 120
C. The R1-R3 link OSPF timer values should be 10,40,40
D. R3 is responsible for flooding LSUs to all the routers on the network.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Check the Serial1/0 interface of R3 which is connected to R2 with the “show ip ospf interface serial 1/0”
command:

There are two things we should notice from the output above:
+ The “network type” connection between R2-R3 is “NON_BROADCAST” (usually we have
“BROADCAST”). OSPF neighbors are discovered using multicast Hello packets. In non broadcast
environment, multicast (and broadcast) messages are not allowed so OSPF neighborship cannot be
formed automatically. Therefore we have to establish OSPF neighborship manually by using “neighbor ”
command under OSPF process (OSPF will send unicast Hello message to this address). For example on
R2 we have to use these commands:

router ospf 1
neighbor 192.168.23.3

And on R3:

router ospf 1
neighbor 192.168.23.2

+ For non broadcast environment the default Hello timer is 30 seconds; Dead timer (time to wait before
declaring a neighbor dead) is 120 seconds and Wait timer (causes the interface to exit out of the wait
period and select a DR on a broadcast network. This timer is always equal to the dead timer interval) is 120
seconds. In the output we also see the default timers for non broadcast network.

QUESTION 286
Case study.

Some notes on the configuration:

+ The OSPF network type between R2&R3 is non broadcast.

Q1: Show ip ospf database
Q2: Show ip ospf interface serial 1/0
Q3: Show ip ospf
Q4: Show ip route

You have been asked to evaluate an OSPF network and to answer questions a customer has about its
operation. Note: You are not allowed to use the show running-config command.
Although in this sim we are not allowed to use the “show running-config” command, we post the
configuration here so that you can understand more about the topology.
R1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no shut
interface Serial0/0
ip address 192.168.13.1 255.255.255.0
ip ospf network non-broadcast
no shut
router ospf 1
network 192.168.13.0 0.0.0.255 area 0
network 1.1.1.1 0.0.0.0 area 0
_______________________________________
R2
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
no shut
interface S0/0
ip address 192.168.23.2 255.255.255.0
ip ospf network non-broadcast
no shut
router ospf 1
network 192.168.23.0 0.0.0.255 area 0
network 2.2.2.2 0.0.0.0 area 0
neighbor 192.168.23.3
_________________________________________________

R3
interface Loopback 0
ip address 3.3.3.3 255.255.255.255
no shut
interface fa0/0
ip address 192.168.34.3 255.255.255.0
no shut
interface S0/1
ip address 192.168.23.3 255.255.255.0
ip ospf network non-broadcast
no shut
interface S0/0
ip address 192.168.13.3 255.255.255.0
ip ospf network non-broadcast
no shut
router ospf 1
network 192.168.13.0 0.0.0.255 area 0
network 192.168.23.0 0.0.0.255 area 0
network 192.168.34.0 0.0.0.255 area 1
network 3.3.3.3 0.0.0.0 area 0
area 1 virtual-link 4.4.4.4
neighbor 192.168.23.2
_______________________________________________________________
R4
interface Loopback 0
ip address 4.4.4.4 255.255.255.255
interface FastEthernet0/0
ip address 192.168.34.4 255.255.255.0
interface Fa0/1
ip address 192.168.45.4 255.255.255.0
no shut
interface Fa1/0
ip address 192.168.46.4 255.255.255.0
no shut
router ospf 1
network 192.168.34.0 0.0.0.255 area 1
network 192.168.45.0 0.0.0.255 area 2
network 192.168.46.0 0.0.0.255 area 3
network 4.4.4.4 0.0.0.0 area 1
area 1 virtual-link 3.3.3.3
area 2 nssa
area 3 stub no-summary
_________________________________________________________________
R5
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Loopback1
ip address 5.5.1.1 255.255.255.255
interface Loopback2
ip address 5.5.2.1 255.255.255.255
interface Loopback3
ip address 5.5.3.1 255.255.255.255
interface Loopback4
ip address 5.5.4.1 255.255.255.255
no shut
interface Fa0/0
ip address 192.168.45.5 255.255.255.0
no shut
router ospf 1
network 192.168.45.0 0.0.0.255 area 2
network 5.5.0.0 0.0.255.255 area 2
area 2 nssa
_______________________________________________
R6
interface Fa0/0
ip address 192.168.46.6 255.255.255.0
no shut
interface Loopback 0
ip address 6.6.6.6 255.255.255.255
no shut
router ospf 1
network 192.168.46.0 0.0.0.255 area 3
network 6.6.6.6 0.0.0.0 area 3
area 3 stub

Areas of Router 5 and 6 are not normal areas, inspect their routing tables and determine which statement is
true?

A. R5's Loopback and R6's Loopback are both present in R5's Routing table
B. R5's Loopback and R6's Loopback are both present in R6's Routing table
C. Only R5's loopback is present in R5's Routing table
D. Only R6's loopback is present in R5's Routing table
E. Only R5's loopback is present in R6's Routing table

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Area 2 (of R5) is a Not-so-Stubby area (NSSA). You can check it by the “show ip ospf” command on R4 or
R5 (in Area 2 section). For example, below is the output of “show ip ospf” command on R5:

In general, an NSSA is the same as a normal area except that it can generate LSA Type 7 (redistribute from
another domain) so we can see both Loopback interfaces of R5 & R6 in the routing table of R5.

Note: NSSA does not receive a default route by default so you will not see a default route on R5.

Area 3 (of R6) is a Totally-Stubby area so R6 only has one default route to the outside world. You can check
with the “show ip ospf” command on R4 and R6 (area 3 section):

Notice that on R4 you will get more detail (shows “stub area, no summary LSA”) than on R6 (only shows
“stub area”).

R6 is in a totally-stubby area so we will not see any of R5’s Loopback interfaces in R6's routing table:
Note: You can see a default (summary) route to the outside (O*IA 0.0.0.0/0 o)

Even though this exercise looks complicated, it can be solved with simple commands:
Q1: show ip ospf database
Q2: show ip ospf database int s0/1
Q3: Show ip ospf
Q4: show ip ospf and show ip route

QUESTION 287

The configurations of R1 to R6 are posted below for your reference; useless lines are omitted:

Traffic from R1 to R6's Loopback address is load shared between the R1-R2-R4-R6 and R1-R3-R5-R6
paths. What is the ratio of traffic over each path?

A. 1:1
B. 1:5
C. 6:8
D. 19:80

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

First we need to get the IP address of R6’s loopback address by “show ip interface brief” command on R6:

Now we learned the R6’s loopback address is 150.1.6.6. To see the ratio of traffic that is load shared
between paths, use the “show ip route 150.1.6.6” command on R1:

This means that after 19 packets are sent to 192.168.13.3, R1 will send 80 packets to 192.168.12.2 (ratio
19:80). This is unequal cost path Load balancing (configured with “variance” command).

QUESTION 288
The configurations of R1 to R6 are posted below for your reference; useless lines are omitted:

What type of route filtering is occurring on R6?

A. Distribute-list using an ACL
B. Distribute-list using a prefix-list
C. Distribute-list using a route-map
D. An ACL using a distance of 255

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

Using the “show running-config” command on R6, we will see a distribute-list applied under EIGRP:

With this distribute-list, only networks 192.168.46.0; 192.168.56.0 and 150.1.6.6 are advertised out by R6.

QUESTION 289

The configurations of R1 to R6 are posted below for your reference; useless lines are omitted:

Which key chain is being used for authentication of EIGRP adjacency between R4 and R2?

A. CISCO
B. EIGRP
C. key
D. MD5

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Check on both R2 and R4:

To successfully authenticate between two EIGRP neighbors, the key number and key-string must match.
The key chain name is only for local use. In this case we have key number “1” and key-string “CISCO” and
they match so EIGRP neighbor relationship is formed.

QUESTION 290

The configurations of R1 to R6 are posted below for your reference; useless lines are omitted:

What is the advertised distance for the 192.168.46.0 network on R1?

A. 333056
B. 1938688
C. 1810944
D. 307456

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

To check the advertised distance for a prefix we cannot use the “show ip route” command because it only
shows the metric (also known as Feasible Distance). Therefore we have to use the “show ip eigrp topology”
command:

Update: Although the “show ip eigrp topology” command does not work in the exam, the “show ip eigrp 1 topology”
command does work, so please use this command instead and we will find out the advertised distance on R1.

There are two parameters in the brackets of 192.168.46.0/24 prefix: (1810944/333056). The first one
“1810944” is the Feasible Distance (FD) and the second “333056” is the Advertised Distance (AD) of that
route -> A is correct.

Just for your reference, this is the output of the “show ip route” command on R1:
In the first line:

D 192.168.46.0/24 [90/ 1810944] via 192.168.12.2, 00:10:01, Ethernet0/0


The first parameter “90” is the EIGRP Administrative Distance. The second parameter “1810944” is the
metric of the route 192.168.46.0/24. R1 will use this metric to advertise this route to other routers but the
question asks about “the advertised distance for the 192.168.46.0 network on R1” so we cannot use this
command to find out the answer.

QUESTION 291

Refer to the exhibit. A network engineer is working on the network topology and executes the command no
ip split-horizon on interface SO/0 of the hub router. What is the result of this command?

A. The spoke routers can see the routers are advertised by the hub router.
B. Each of the spoke routers can see the routers that are advertised from the other spoke routers.
C. A routing loop is created.
D. The hub router can see the routes that are advertised by the spoke routers.
Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 292


Refer to the exhibit. All interfaces on each router are participating in the EIGRP 100 process. Interface
Loopback 2 on NQ-R2 is currently in shutdown mode. An engineer issues the eigrp stub command on
router BR1. Which statement about the query messages sent from router HQ-R2 for a route to reach the
12.12.12.12/32 network is true?

A. Router HQ-R1 receives query messages from HQ-R2 for a route to 12.12.12.12/32 network.
B. Router HQ-R1 and BR1 receive query messages from HQ-R2 for a route to 12.12.12.12/32 network.
C. Router HQ-R2 sends a query message to the feasible successor for a route to 12.12.12.12/32 network
D. BR1 receives query messages from HQ-R2 for route to 12.12.12.12/32 network

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 293
Refer to the exhibit. Which option prevents routing updates for 10.255.255.0/30 from being sent to the
DHCP router, while still allowing all other routing update messages?

A.

B.

C.

D.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 294
A network engineer configured an IOS router to send syslog messages to a Windows syslog server. Several
events occurred on the IOS router, and the network engineer noticed that Windows syslog server had not
received any messages from the IOS router. What is the reason for this?
A. Either a firewall between the two devices or an ACL on the router is blocking TCP port 514.
B. Either a firewall between the two devices or an ACL on the router is blocking UDP port 514.
C. Either a firewall between the two devices or an ACL on the router is blocking IP protocol number 514.
D. Either a firewall between the two devices or an ACL on the router is blocking UDP port 512.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 295
Which Cisco Express Forwarding table or tables hold forwarding information?

A. FIB and adjacency tables only


B. adjacency tables only
C. FIB, RIB, and adjacency tables
D. FIB table only

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Information conventionally stored in a route cache is stored in several data structures for Cisco Express
Forwarding switching. The data structures provide optimized lookup for efficient packet forwarding. The two
main components of Cisco Express Forwarding operation are the forwarding information base (FIB) and the
adjacency tables.

The FIB is conceptually similar to a routing table or information base. A router uses this lookup table to
make destination-based switching decisions during Cisco Express Forwarding operation. The FIB is
updated when changes occur in the network and contains all routes known at the time. For more
information, see the FIB Overview section.

Adjacency tables maintain Layer 2 next-hop addresses for all FIB entries. For more information, see the
CEF Adjacency Tables Overview section.

This separation of the reachability information (in the Cisco Express Forwarding table) and the forwarding
information (in the adjacency table) provides a number of benefits:
- The adjacency table can be built separately from the Cisco Express Forwarding table, allowing both to be
built without any packets being process-switched.
- The MAC header rewrite used to forward a packet is not stored in cache entries, so changes in a MAC
header rewrite string do not require validation of cache entries.

Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-mt/isw-cef-15-mt-book/isw-cef-overview.html

QUESTION 296
A network engineer is configuring a DHCP server to support a specialized application. Which additional
DHCP feature must be enabled to support the delivery of various additional parameters to DHCP clients?

A. vendor extensions
B. modules
C. options
D. scopes

Correct Answer: C
Section: Mix Questions
Explanation
Explanation/Reference:

QUESTION 297
Which two statements about Frame Relay LMI autosense are true on a Router? (Choose two.)

A. It operates when the line is up but the line protocol is down.


B. It requires the line protocol to be up.
C. It operates on Frame relay DTE interfaces.
D. It requires the LMI type to be explicitly configured.
E. It operates on frame Relay DCE interfaces.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

LMI autosense is automatically enabled in the following situations:

+ The router is powered up or the interface changes state to up


+ The line protocol is down but the line is up
+ The interface is a Frame Relay DTE
+ The LMI type is not explicitly configured on the interface

https://www.cisco.com/c/en/us/td/docs/ios/12_2/wan/configuration/guide/fwan_c/wcffrely.html

QUESTION 298
What does the number 16 in the following command represent?

router (config)#snmp-server user abcd public v2c access 16

A. the user ID that is allowed to use the community string public


B. the number of concurrent users who are allowed to query the SNMP community
C. the mask of the files that are allowed to use community string public.
D. the standard named access list 16, which contains the access rules that apply to user abcd

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 299
What is the function of the snmp-server enable traps and snmp-server host 192.168.1.3 traps version
2c public commands?

A. to allow private communications between the router and the host


B. to disable all SNMP informs that are on the system
C. to collect information about the system on a network management server
D. to allow only 192.168.1.3 to access the system using the community string public.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
QUESTION 300
Which two options for authenticating a user who is attempting to access a network device are true?
(Choose two.)

A. PAP
B. 802.1x
C. CHAP
D. TACACS+
E. RADIUS

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 301
Which three statements about IPv6 EIGRP are true? (Choose three.)

A. EIGRP neighbor relationships can be formed only on the configured IPv6 address.
B. It supports EUI-64 addresses only.
C. EIGRP route advertisement is configured under the interface configuration.
D. EIGRP neighbor relationships are formed using the link-local address.
E. EIGRP route advertisement is configured under the ipv6 router eigrp configuration.
F. An IPv6 EIGRP router ID is required.

Correct Answer: CDF


Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 302
The Neighbor Discovery Protocol in IPv6 replaces which protocol in IPv4?

A. ICMP
B. CDP
C. ARP
D. IGMP

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 303
Which keyword of the aaa authentication ppp command applies to PAP only?

A. local
B. local-case
C. krb5
D. enable
E. Line

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 304
Which three functionalities are specific to stateful NAT64? (Choose three.)

A. It requires IPv4-translatable IPv6 addresses.


B. It requires either manual or DHCPv6-based address assignment for IPv6 hosts.
C. It conserves IPv4 addresses.
D. It helps ensure end-to-end address transparency and scalability.
E. No constraint is put on the number of endpoints due to 1:N translation.
F. A state or bindings are created on every unique translation.

Correct Answer: CEF


Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Differences Between Stateless NAT64 and Stateful NAT64


Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676277.html

QUESTION 305
Which technology does Easy Virtual Network use?

A. MP-BGP
B. MPLS
C. DMVPN
D. VRF-Lite

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 306


Refer to exhibit. A network engineer is unable to make VRF lite EIGRP adjacency work. There is nothing
wrong with communication between R1 and R2. What command will eliminate the issue when executed on
both routers?

A. (config-router-af)#network 209.165.202.128.0.0.0.31
B. (config)#ip multicast-routing
C. (config-router-af)#autonomous-system 100
D. (config-vrf)#route target both 100:1
Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

To configure the autonomous-system number for EIGRP to run within a VPN routing and forwarding (VRF)
instance, use the “autonomous-system” command in address-family configuration mode. In particular:

Router(config)# router eigrp 100
Router(config-router)# address-family ipv4 vrf Yellow
Router(config-router-af)# autonomous-system 100

QUESTION 307
Which type of NetFlow information is displayed when the show ip flow export command is executed?

A. export interface configurations


B. top talkers
C. sent status and statistics
D. local status and statistics

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 308


Which statement describes what this command accomplishes when inside and outside interfaces are
correctly identified for NAT?

ip nat inside static tcp 192.168.1.50 80 209.165.201.1 8080 extendable

A. It allows host 192.168.1.50 to access external websites using TCP port 8080.
B. It represents an incorrect NAT configuration because it uses standard TCP ports.
C. It allows external clients to connect to a web server hosted on 192.168.1.50.
D. It allows external clients coming from public IP 209.165.201.1 to connect to a web server at
192.168.1.50.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 309
Which command denies the default route?

A. ip prefix-list deny-route seq 5 deny 0.0.0.0/0


B. ip prefix-list deny-route seq 5 deny 0.0.0.0/16
C. ip prefix-list deny-route seq 5 deny 0.0.0.0/32
D. ip prefix-list deny-route seq 5 deny 0.0.0.0/8

Correct Answer: A
Section: Mix Questions
Explanation
Explanation/Reference:

QUESTION 310
Refer to the exhibit. A network engineer has configured NTP on a Cisco router, but the time on the router
is still incorrect. What is the reason for this problem?

A. The router is not syncing with the peer, and the NTP request and response packets are not being
exchanged.
B. The router is not syncing with the peer, even though the NTP request and response packets are being
exchanged.

C. The router is syncing with the peer, and the NTP request and response packets are being exchanged.
D. The router is dropping all NTP packets.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
A pound sign (#) displayed next to a configured peer in the show ntp associations command output
indicates that the router isn't syncing with the peer even though NTP request and response packets are
being exchanged.
Reference: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc.html

QUESTION 311
Based on the configuration command below, which statement is true?

router(config)#service timestamps log datetime msec

A. All syslog messages that are generated will indicate the date and time when the event occurred.
B. All high-priority syslog messages that are generated will indicate the date and time when the event
occurred.
C. All IOS services will indicate the date and time when the service was last used.
D. All IOS services will indicate the date and time when the service was started.

Correct Answer: A
Section: Mix Questions
Explanation
Explanation/Reference:
Reference:

https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html#wp1055126

QUESTION 312
Which two options can you use to configure an EIGRP stub router? (Choose two.)

A. not-so-stubby
B. receive-only
C. totally-stubby
D. external
E. summary-only
F. summary

Correct Answer: BF
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
eigrp stub [ [receive-only] || [connected] [static] [summary] [redistributed] ]

The following options are available:
- Receive-only: router only accepts, but does not explicitly advertise, any routes. This option may not be
used in combination with any other options.
- Connected: router advertises directly-connected networks
- Static: router advertises any configured static routes
- Summary: router advertises any configured summarized routes
- Redistributed: router advertises any routes learned from another protocol, such as OSPF

The eigrp stub configuration need only be entered on the spoke routers. The hub routers determine that they
are talking to a stub router by examining the TLV in the HELLO packet.

Reference: https://www.cisco.com/en/US/technologies/tk648/tk365/technologies_white_paper0900aecd8023df6f.html

QUESTION 313
Which security level is supported throughout all SNMP versions?

A. authPriv
B. authNoPriv
C. noAuthNoPriv
D. noAuthoPriv

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 314
An administrator needs to setup an NTP client to provide updates to local without synchronizing to server.
What is the command?

A. Serve
B. Serve-only
C. peer
D. query
Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Serve:
--Permits router to reply NTP request;
--Reject NTP updates;
--NTP queries are Accepted.

Serve-Only:
--Permits router to respond to NTP request ONLY;
--Reject to synchronize local time;
--Not access control queries

QUESTION 315
Refer to the exhibit.

An engineer is enabling VPN service for a customer and notices this output when placing the customer-
facing interface into a VRF. Which action corrects the issue?

A. Reset interface Gigabit Ethernet 1.


B. Disabling the VRF CUST_A
C. Reconfigure the IP address on Gigabit Ethernet 1.
D. Enabling IPv6 on the interface.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 316
Which two reductions are correct reductions of the IPv6 address
2001:0d02:0000:0000:0014:0000:0000:0095? (Choose two)

A. 2001:0d02:::0014:::0095
B. 2001:d02::14::95
C. 2001:d02:0:0:14::95
D. 2001:d02::14:0:0:95

Correct Answer: CD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

We can't use triple colons (:::) in IPv6 presentation. Also we can't use double colons (::) twice. You can use
it only once in any address because if two double colons are placed in the same address, there will be no
way to identify the size of each block of 0s.
Remember the following techniques to shorten an IPv6 address:
- Omit leading 0s in the address field, so :0000 can be compressed to just :0 and :0d02 can be compressed to
:d02 (but :1d00 can not be compressed to :1d)
- Use double colons (::), but just once, to represent a contiguous block of 0s.

So
2001:0d02:0000:0000:0014:0000:0000:0095 can be compressed to

2001:d02:0:0:14::95
OR
2001:d02::14:0:0:95

QUESTION 317
What happens when an IPv6 enabled router running 6to4 must send a packet to a remote destination and
the next hop is the address of 2002::/16?

A. The IPv6 packet has its header removed and replaced with an IPv4 header
B. The IPv6 packet is encapsulated in an IPv4 packet using an IPv4 protocol type of 41
C. The IPv6 packet is dropped because that destination is unable to route IPv6 packets
D. The packet is tagged with an IPv6 header and the IPv6 prefix is included

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

6to4 and Teredo are dynamic tunneling techniques used by desktop operating systems to help their users
gain access to the IPv6 Internet. These techniques tunnel the IPv6 packets within IPv4 packets.
The 6to4 method places the IPv6 packets within IPv4 protocol 41 packets.
The Teredo method places the IPv6 packets within IPv4 packets with a UDP 3544 header.

QUESTION 318
Which functionality is required within an IP router that is situated at the boundary of an IPv4 network and an
IPv6 network to allow communication between IPv6-only and IPv4-only nodes?

A. Autoconfiguration
B. Automatic 6to4 Tunnel
C. Automatic 6to4 Relay
D. Network Address Translator-Protocol Translator (NAT-PT)
E. Intrasite Automatic Tunnel Address Protocol (ISATAP)

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router, situated at the boundary of an
IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4 and IPv6 network, all IPv4 users
are given access to the IPv6 network without modification in the local IPv4-hosts (and vice versa). Equally,
all hosts on the IPv6 network are given access to the IPv4 hosts without modification to the local IPv6-
hosts. This is accomplished with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic
basis as sessions are initiated across IPv4-IPv6 boundaries.

QUESTION 319
Which IPv6 address correctly compresses the IPv6 unicast address 2001:0:0:0:0DB8:0:0:417A?
A. 2001:0DB8:417A
B. 2001::0DB8::417A
C. 2001:::0DB8::417A
D. 2001:0DB8:0:0:417A
E. 2001::DB8:0:0:417A
F. 2001:::0DB8:0:0:417A

Correct Answer: E
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The point of this question is the different forms of an IPv6 address.
The IPv6 address is 128 bits long, written as eight 16-bit pieces, separated by colons.
Each piece is represented by four hexadecimal digits. You can compact multiple contiguous fields of zero
even further. This is the exception to the rule that at least one digit must be present in every field. You can
replace multiple fields of zeros with double colons (::).
Note that :: can replace only one set of contiguous zero fields.
Multiple ::s would make the address ambiguous.

QUESTION 320
Refer to the exhibit. What two statements are true? (Choose two)


A. Interface FastEthernet 0/0 was configured with the ipv6 ospf 1 area 1 command.
B. OSPF version 2 has been enabled to support IPv6.
C. The IP address of the backup designated router (BDR) is FE80::100:AABB:1731:5808.
D. The output was generated by the show ip interface command.
E. The router was configured with the commands: router ospf 1 network 172.16.6.0 0.0.0.255 area 1
F. This is the designated router (DR) on the FastEthernet 0/0 link.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
OSPFv3 supports IPv6.
The configuration of OSPFv3 is not a subcommand mode of the router ospf command as it is in OSPFv2
configuration.

For example, instead of using the network area command to identify networks that are part of the OSPFv3
network, the interfaces are directly configured to specify that IPv6 networks are part of the OSPFv3 network.

The following describes the steps to configure OSPF for IPv6:

There are several commonly used OSPFv3 show commands, including the show ipv6 ospf [process-id]
[area-id] interface [interface] command.

QUESTION 321
Refer to the exhibit. Which interoperability technique implemented on the dual-stack routers would allow
connectivity between IPv6 sites across automatic created tunnels using the 2002::/16 prefix?

A. Dual Stack
B. NAT-PT
C. 6to4 tunnel
D. GRE tunnel
E. ISATAP tunnel

Correct Answer: C
Section: Mix Questions
Explanation
Explanation/Reference:

QUESTION 322
Your Company trainee asks you, in the context of IPv6 and OSPF, what best describes a type 9 LSA?

A. Link LSA
B. Interarea prefix LSA for ABRs
C. Router LSA
D. Switch LSA
E. Intra-area prefix LSA
F. None of the above

Correct Answer: E
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 323
What number is a valid representation for the 200F:0000:AB00:0000:0000:0000:0000/56 IPv6 prefix?

A. 200F:0:0:AB/56
B. 200F:0:AB00::/56
C. 200F::AB00/56
D. 200F:AB/56

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The 0s are truncated.

QUESTION 324
Company has migrated to IPv6 in their network.
Which three IPv6 notations represent the same address? (Select three.)

A. 2031::130F::9C0:876A:130B
B. 2031:0000:130F:0000:0000:09C0:876A:130B
C. 2031:0:130F:::9C0:876A:130B
D. 2031::130F:0::9C0:876A:130B
E. 2031:0:130F:0:0:09C0:876A:130B
F. 2031:0:130F::9C0:876A:130B

Correct Answer: BEF


Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

With IP version 6, octets containing all zeros can be simply represented as :, while consecutive zero fields
can be represented as ::.

Answer choices E and F are simply the shorthand version of the fully written IPv6 address shown in
choice B.
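
The shortening rules from Questions 316, 319 and 324 can be checked mechanically. The Python below is an added example, not part of the original exam material: it rejects ":::" and a repeated "::", expands each option to eight groups, and compares it with the full address. The function names are illustrative, and the canonical() form follows RFC 5952 (longest zero run, leftmost on a tie), which goes beyond what the explanations state.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")

def expand_ipv6(text):
    """Return the eight 16-bit groups of an IPv6 address, or raise ValueError."""
    if ":::" in text:
        raise ValueError("':::' is never valid")
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        left, right = text.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        fields = head + ["0"] * missing + tail
    else:
        fields = text.split(":")
        if len(fields) != 8:
            raise ValueError("expected 8 groups, got %d" % len(fields))
    groups = []
    for field in fields:
        if not 1 <= len(field) <= 4 or not set(field) <= HEX_DIGITS:
            raise ValueError("bad group %r" % field)
        groups.append(int(field, 16))  # int() drops the leading zeros
    return groups

def why_invalid(text):
    """Return the reason a notation is rejected, or None if it parses."""
    try:
        expand_ipv6(text)
        return None
    except ValueError as err:
        return str(err)

def canonical(groups):
    """Shortest form per RFC 5952: compress the longest zero run, leftmost on a tie."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = ["%x" % g for g in groups]
    if best_len < 2:  # a single zero group is written as 0, not ::
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])

def agrees_with_stdlib(text):
    """Cross-check canonical() against Python's ipaddress module."""
    return canonical(expand_ipv6(text)) == str(ipaddress.IPv6Address(text))

def matching_options(full, options):
    """Return the letters of the options that are valid and equal to `full`."""
    target = expand_ipv6(full)
    good = []
    for letter, text in sorted(options.items()):
        try:
            if expand_ipv6(text) == target:
                good.append(letter)
        except ValueError:
            pass  # malformed notation: ':::', repeated '::', wrong group count
    return "".join(good)

# Answer options copied from Questions 316, 319 and 324 above.
Q316_FULL = "2001:0d02:0000:0000:0014:0000:0000:0095"
Q316 = {"A": "2001:0d02:::0014:::0095", "B": "2001:d02::14::95",
        "C": "2001:d02:0:0:14::95", "D": "2001:d02::14:0:0:95"}
Q319_FULL = "2001:0:0:0:0DB8:0:0:417A"
Q319 = {"A": "2001:0DB8:417A", "B": "2001::0DB8::417A", "C": "2001:::0DB8::417A",
        "D": "2001:0DB8:0:0:417A", "E": "2001::DB8:0:0:417A", "F": "2001:::0DB8:0:0:417A"}
Q324_FULL = "2031:0000:130F:0000:0000:09C0:876A:130B"
Q324 = {"A": "2031::130F::9C0:876A:130B", "B": Q324_FULL,
        "C": "2031:0:130F:::9C0:876A:130B", "D": "2031::130F:0::9C0:876A:130B",
        "E": "2031:0:130F:0:0:09C0:876A:130B", "F": "2031:0:130F::9C0:876A:130B"}

if __name__ == "__main__":
    for name, full, opts in (("316", Q316_FULL, Q316), ("319", Q319_FULL, Q319),
                             ("324", Q324_FULL, Q324)):
        print(name, matching_options(full, opts), canonical(expand_ipv6(full)))
```
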

QUESTION 325
In a comparison of an IPv4 header with an IPv6 header, which three statements are true? (Choose three)

A. An IPv4 header includes a checksum. However, an IPv6 header does not include one.
B. A router has to recompute the checksum of an IPv6 packet when decrementing the TTL.
C. An IPv6 header is half the size of an IPv4 header.
D. An IPv6 header has twice as many octets as an IPv4 header.
E. An IPv6 header is simpler and more efficient than an IPv4 header.
F. The 128-bit IPv6 address makes the IPv6 header more complicated than an IPv4 header.

Correct Answer: ADE


Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The image below shows the differences between an IPv4 header and an IPv6 header:


Reference:

https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-13/ipv6-internals.html

QUESTION 326
Which statement about conditional debugging is true?

A. You can limit the output to a specific interface.


B. It is limited to Ethernet, serial, and multilink interfaces.
C. It can support only one condition at a time.
D. It generates debug messages only for packets entering the router.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 327
An IPv6 overlay tunnel is required to communicate with isolated IPv6 networks across an IPv4
infrastructure. There are currently five IPv6 overlay tunnel types. Which three IPv6 overlay tunnel
statements are true? (Choose three)

A. Overlay tunnels can only be configured between border routers capable of supporting IPv4 and IPv6.
B. Overlay tunnels can be configured between border routers or between a border router and a host
capable of supporting IPv4 and IPv6.
C. Cisco IOS supports manual, generic, routing encapsulation (GRE), IPv6-compatible, 4to6, and
multiprotocol Label Switching (MPLS) Overlay tunneling mechanism.
D. Cisco IOS supports manual, generic routing encapsulation (GRE), IPv4-compatible, 6to4, and IntraSite
Automatic Tunnel Addressing Protocol (ISATAP) overlay tunneling mechanisms.
E. A manual overlay tunnel supports point-to-multipoint tunnels capable of carrying IPv6 and
Connectionless Network Service (CLNS) packets.
F. Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure.

Correct Answer: BDF


Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

B: Overlay tunnels can be configured between border routers or between a border router and a host
capable of supporting IPv4 and IPv6.
D: Cisco IOS supports manual, generic routing encapsulation (GRE), IPv4-compatible, 6to4, and IntraSite
Automatic Tunnel Addressing Protocol (ISATAP) overlay tunneling mechanisms.
F: Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure.

QUESTION 328
Which of the following NSAP addresses is a private, locally administered address?

A. 39.0f01.0002.0000.0c00.1111.00
B. 48.0f01.0002.0000.0c00.1111.00
C. 49.0004.30ac.0000.3090.c7df.00
D. 52.0f01.0002.0000.0c00.1111.00

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 329
What is the correct configuration to enable router P4 to exchange RIP routing updates with router P1 but
not with router P3?

A. P4(Config)# interface fa0/0


P4(Config-if)# neighbor 192.168.10.3
P4(config-if)# passive-interface fa0/0
B. P4(config)# router rip
P4(config-router)# neighbor 192.168.10.3
P4(Config-router)# passive-interface fa0/0
C. P4(config)# interface fa0/0
P4(config-if)# neighbor 192.168.10.3
P4(config-if)# passive interface 192.168.10.34
D. P4(config)# router rip
P4(config-router)# neighbor 192.168.10.34 no broadcast
P4(config-router)# passive-interface fa0/0

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

When you configure router P1 to be the neighbor of P4 with a passive interface, the RIP routing updates will
be exchanged with the neighbor ONLY.

QUESTION 330
To configure 6to4 tunneling on a dual-stack edge router. Which three of the following are valid components
in 6to4 Tunneling configuration? (Choose Three)

A. IPv4 Tunnel IP address


B. Tunnel mode (6to4)
C. Tunnel Keepalives
D. IPv4 Tunnel Destination
E. IPv4 Tunnel Source
F. 6to4 IPv6 address (within 2002::/16)
Correct Answer: BEF
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 331
Which three statements about configuring OSPF in a IPv6 network are true? (Choose three)

A. OSPF version 2 will support IPv6.


B. OSPF version 3 will support IPv6.
C. Multiple instances of OSPF for IPv6 can be run on a link.
D. Networks must be explicitly configured using the network command in router OSPF configuration mode.
E. IPv4 addresses cannot be used as the router ID in OSPF for IPv6.
F. The interface command ipv6 ospf <process-id> area <area-id> is all that is required to enable OSPF for
IPv6 on an interface.

Correct Answer: BCF


Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 332
Refer to the exhibit.


Which two statements are true about the router configuration? (Choose two)

A. This configuration allows applications on the same segment to communicate via IPv4 or IPv6.
B. This configuration is referred to as a dual-stack 6to4 tunnel.
C. This configuration is referred to as a dual stack.
D. This configuration will attempt to route packets using IPv4 first, and if that fails, then IPv6.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

This router demonstrates an example of an IPv6 Dual Stack configuration.

Dual stack (Figure 1 below) runs both IPv4 and IPv6 protocol stacks on a router in parallel, making it similar
to the multiprotocol network environments of the past, which often ran Internetwork Packet Exchange (IPX),
AppleTalk, IP, and other protocols concurrently.

The technique of deploying IPv6 using dual-stack backbones allows IPv4 and IPv6 applications to coexist in
a dual IP layer routing backbone.
The IPv4 communication uses the IPv4 protocol stack, and the IPv6 communication uses the IPv6 stack.
As a transition strategy, dual stack is ideal for campus networks with a mixture of IPv4 and IPv6
applications.

Figure 1: Dual-Stack Example

QUESTION 333
When implementing a 6to4 tunnel, which IPv6 address is the correct translation of the IPv4 address
192.168.99.1?

A. c0a8:6301:2002::/48
B. 2002:c0a8:6301::/48
C. 2002:c0a8:6301::/8
D. 2002::/16

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

16 bits for the most significant 6to4 reserved bits (2002::/16) + 32 bits source IPv4 address (translated into
HEX format) = 48 bits.
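
The 6to4 mapping above and the protocol 41 encapsulation from Question 317 fit together as follows. This Python is an added example, not part of the original exam material; the function names, the sample packet and the local tunnel source 192.0.2.1 are constructed, and it assumes the IPv6 destination itself lies in 2002::/16 (no relay router involved).

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")

def sixto4_prefix(ipv4):
    """16 bits of 2002 followed by the 32-bit IPv4 address gives the site /48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = (0x2002 << 112) | (v4 << 80)
    return ipaddress.IPv6Network((base, 48))

def embedded_ipv4(ipv6):
    """Recover the IPv4 tunnel endpoint from a 6to4 address, or None if not 6to4."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(ipv6_packet, local_v4):
    """Wrap an IPv6 packet in an IPv4 header with protocol 41, as a 6to4 router does."""
    dst6 = ipaddress.IPv6Address(ipv6_packet[24:40])  # IPv6 destination field
    remote_v4 = embedded_ipv4(dst6)
    if remote_v4 is None:
        raise ValueError("destination %s is not in 2002::/16" % dst6)
    src = ipaddress.IPv4Address(local_v4).packed
    total_len = 20 + len(ipv6_packet)
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol 41, checksum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 41, 0,
                      src, remote_v4.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet  # the IPv6 header is kept intact, not replaced

def sample_ipv6_packet(src, dst, payload=b""):
    """Constructed IPv6 packet: 40-byte header, next header 59 (no next header)."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + payload)

if __name__ == "__main__":
    print(sixto4_prefix("192.168.99.1"))
    pkt = sample_ipv6_packet("2002:c000:201::1", "2002:c0a8:6301::1", b"hi")
    out = encapsulate(pkt, "192.0.2.1")
    print("outer protocol:", out[9], "outer destination:",
          ipaddress.IPv4Address(out[16:20]))
```
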

QUESTION 334
Refer to the exhibit. Will redistributed RIP routes from OSPF Area 2 be allowed in Area 1?

A. Because Area 1 is an NSSA, redistributed RIP routes will not be allowed.


B. Redistributed RIP routes will be allowed in Area 1 because they will be changed into type 5 LSAs in
Area 0 and passed on into Area 1.
C. Because NSSA will discard type 7 LSAs, redistributed RIP routes will not be allowed in Area 1.
D. Redistributed RIP routes will be allowed in Area 1 because they will be changed into type 7 LSAs in
Area 0 and passed on into Area 1.
E. RIP routes will be allowed in Area 1 only if they are first redistributed into EIGRP.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Area 1 is an NSSA, so we can inject EIGRP routes into this area with Type 7 LSAs. Notice that Type 7 LSAs
can exist only in an NSSA. The NSSA ABR of area 1 must convert them into Type 5 LSAs before flooding
them to the whole OSPF domain.

When RIP is redistributed into area 2, Type 5 LSAs will be created and sent through area 0. But an NSSA is an
extension of a stub area. The stub area characteristics still exist, which includes no type 5 LSAs allowed.

Note: A stub area only allows LSA Type 1, 2 and 3.

QUESTION 335
Study this exhibit below carefully.


What is the effect of the distribute-list command in the R1 configuration?

A. R1 will permit only the 10.0.0.0/24 route in the R2 RIP updates


B. R1 will not filter any routes because there is no exact prefix match
C. R1 will filter the 10.1.0.0/24 and the 172.24.1.0/24 routes from the R2 RIP updates
D. R1 will filter only the 172.24.1.0/24 route from the R2 RIP updates

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The command “distribute-list 10 in Serial0” will create an incoming distribute list for interface serial 0 and
refers to access list 10.
So it will permit routing updates from 10.0.x.x network while other entries (in this case the 10.1.0.0/24 and
172.24.1.0/24 networks) will be filtered out from the routing update received on interface S0.

QUESTION 336
Router RTA is configured as follows:

RTA(config)# router rip
RTA(config-router)# network 10.0.0.0
RTA(config-router)# distribute-list 44 in interface BRIO
RTA(config-router)# exit
RTA(config)# access-list 44 deny 172.16.1.0 0.0.0.255
RTA(config)# access-list 44 permit any

What are the effects of this RIP configuration on router RTA? (Choose two)

A. no routing updates will be sent from router RTA on interface BRIO to router RTX
B. router RTA will not advertise the 10.0.0.0 network to router RTX
C. the route to network 172.16.1.0 will not be entered into the routing table on router RTA
D. user traffic from the 172.16.1.0 network is denied by access-list 44
E. the routing table on router RTA will be updated with the route to router RTW

Correct Answer: CE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Distribute lists are used to filter routing updates and they are based on access lists. In this case, access
list 44 was created to deny the route from network 172.16.1.0/24, so this route will not be entered into the
routing table of RTA.
But the route from RTW can be entered because it is not filtered by the access list.

A and B are not correct because the distribute list is applied to the inbound direction of interface BRIO, so
outgoing routing updates will not be filtered.

D is not correct because a distribute list just filters routing updates, so user traffic from network 172.16.1.0 will
not be denied.

QUESTION 337
Refer to the exhibit.

Which two statements are correct regarding the routes to be redistributed into OSPF? (Choose two)

A. The network 192.168.1.0 will be allowed and assigned a metric of 100.
B. The network 192.168.1.0 will be allowed and assigned a metric of 200.
C. All networks except 10.0.0.0/8 will be allowed and assigned a metric of 200.
D. The network 172.16.0.0/16 will be allowed and assigned a metric of 200.
E. The network 10.0.10.0/24 will be allowed and assigned a metric of 200.

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 338
What two situations could require the use of multiple routing protocols? (Choose two)

A. when using UNIX host-based routers
B. when smaller broadcast domains are desired
C. because having multiple routing protocols confuses hackers
D. when migrating from an older Interior Gateway Protocol (IGP) to a new IGP
E. when all equipment is manufactured by Cisco
F. when there are multiple paths to destination networks

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Simple routing protocols work well for simple networks, but networks grow and become more complex.

While running a single routing protocol throughout your entire IP internetwork is desirable, multiprotocol
routing is common for a number of reasons, including company mergers, multiple departments managed by
multiple network administrators, multivendor environments, or simply because the original routing protocol
is no longer the best choice.

Often, the multiple protocols are redistributed into each other during a migration period from one protocol to
the other.

QUESTION 339
How is network layer addressing accomplished in the OSI protocol suite?

A. Internet Protocol address
B. Media Access Control address
C. Packet Layer Protocol address
D. Network Service Access Point address
E. Authority and Format Identifier address

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

OSI network-layer addressing is implemented by using two types of hierarchical addresses: network service
access-point addresses and network-entity titles.

A network service-access point (NSAP) is a conceptual point on the boundary between the network and the
transport layers.
The NSAP is the location at which OSI network services are provided to the transport layer.
Each transport-layer entity is assigned a single NSAP, which is individually addressed in an OSI
internetwork using NSAP addresses.

A Network Service Access Point (NSAP) address is the equivalent of an IP address for an OSI network; an
NSAP address is a hexadecimal address with a length of up to 40 hexadecimal digits.
NSAP addresses are used in ATM and IS-IS.

QUESTION 340
Which routing protocol will continue to receive and process routing updates from neighbors after the
passive interface router configuration command is entered?

A. EIGRP
B. RIP
C. OSPF
D. IS-IS

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 341
Which three statements are true when configuring redistribution for OSPF? (Choose three)

A. The default metric is 10.
B. The default metric is 20.
C. The default metric type is 2.
D. The default metric type is 1.
E. Subnets do not redistribute by default.
F. Subnets redistribute by default.

Correct Answer: BCE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 342
A network administrator is troubleshooting a redistribution of OSPF routes into EIGRP.


Given the exhibited commands, which statement is true?

A. Redistributed routes will have an external type of 1 and a metric of 1.
B. Redistributed routes will have an external type of 2 and a metric of 20.
C. Redistributed routes will maintain their original OSPF routing metric.
D. Redistributed routes will have a default metric of 0 and will be treated as reachable and advertised.
E. Redistributed routes will have a default metric of 0 but will be treated as unreachable and not
advertised.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

By default, all routes redistributed into OSPF will be tagged as external type 2 (E2) with a metric of 20,
except for BGP routes (with a metric of 1).

Note:

The cost of a type 2 route is always the external cost, irrespective of the interior cost to reach that route.
A type 1 cost is the addition of the external cost and the internal cost used to reach that route.

QUESTION 343
A router is configured for redistribution to advertise EIGRP routes into OSPF on a boundary router.
Given the configuration:
router ospf 1
redistribute eigrp 1 metric 25 subnets

What is the function of the 25 parameter in the redistribute command?

A. It specifies the seed cost to be applied to the redistributed routes.
B. It specifies the administrative distance on the redistributed routes.
C. It specifies the metric limit of 25 subnets in each OSPF route advertisement.
D. It specifies a new process-id to inject the EIGRP routes into OSPF.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 344
Refer to the exhibit.


R1 and R2 belong to the RIP routing domain that includes the networks 10.20.0.0/16 and 10.21.0.0/16.
R3 and R4 are performing two-way route redistribution between OSPF and RIP.
A network administrator has discovered that R2 is receiving OSPF routes for the networks 10.20.0.0/16 and
10.21.0.0/16 and a routing loop has occurred.
Which action will correct this problem?

A. Apply an inbound ACL to the R2 serial interface.
B. Change the RIP administrative distance on R3 to 110.
C. Configure distribute-lists on R3 and R4.
D. Set the OSPF default metric to 20.
E. Change the OSPF administrative distance on R3 to 110.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

A distribute list works like an access list: it is used to deny or permit routing updates passing through a
router or interface.
A distribute list allows you to apply an access list to routing updates.
It can be applied inbound or outbound on an interface under a routing process, e.g. in the figure.

When R1 wants to send a routing update to its neighbor, the update goes out through interface S0/0, and the
router checks whether a distribute list is applied to this interface. If there is one, only the routes that the
distribute list allows pass through this interface.

QUESTION 345
Observe the exhibit.

If the command variance 3 were added to RTE, which path or paths would be chosen to route traffic to
network X?

A. E-B-A
B. E-B-A and E-C-A
C. E-C-A and E-D-A
D. E-B-A, E-C-A and E-D-A

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Advertised distance of RTD is greater than FD of RTE-RTC-RTA, so the route through D will not be used.

Note that routes must first satisfy the feasibility condition to be considered by the “variance” command.
The feasibility condition states:
“To qualify as a feasible successor, a router must have an AD less than the FD of the current successor
route”.

In this case, the current successor route is E -> C -> A and the FD of this successor route is 20. But the AD
of route E-D-A is 25, which is bigger than the FD of the successor route, so it will not be put into the routing
table even if the “variance 3” command is used.

QUESTION 346
A network administrator recently redistributed RIP routes into an OSPF domain.
However, the administrator wants to configure the network so that instead of 32 external type-5 LSAs
flooding into the OSPF network, there is only one.
What must the administrator do to accomplish this?

A. Configure summarization on R1 with area 1 range 172.16.32.0 255.255.224.0
B. Configure summarization on R1 with summary-address 172.16.32.0 255.255.224.0
C. Configure area 1 as a stub area with area 1 stub
D. Configure area 1 as a NSSA area with area 1 stub nssa

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

In many cases, the router doesn't even need specific routes to each and every subnet (for example,
172.16.1.0/24).
It would be just as happy if it knew how to get to the major network (for example, 172.16.0.0/16) and let
another router take it from there.
In our telephone network example, the local telephone switch should only need to know to route a phone
call to the switch for the called area code.
Similarly, a router's ability to take a group of subnetworks and summarize them as one network (in other
words, one advertisement) is called route summarization.
Besides reducing the number of routing entries that a router must keep track of, route summarization can
also help protect an external router from making multiple changes to its routing table due to instability within
a particular subnet.

For example, let's say that we were working on a router that connected to 172.16.2.0/24. As we were
working on the router, we rebooted it several times. If we were not summarizing our routes, an external
router would see each time 172.16.2.0/24 went away and came back. Each time, it would have to modify its
own routing table. However, if our external router were receiving only a summary route (i.e., 172.16.0.0/16),
then it wouldn't have to be concerned with our work on one particular subnet. This is especially a problem
for EIGRP, which can create stuck in active (SIA) routes that can lead to a network melt-down.

Summarization Example

We have the following networks that we want to advertise as a single summary route:
* 172.16.100.0/24
* 172.16.101.0/24
* 172.16.102.0/24
* 172.16.103.0/24
* 172.16.104.0/24
* 172.16.105.0/24
* 172.16.106.0/24

QUESTION 347
Refer to the exhibit.

If R1 is configured for 6to4 tunneling, what will the prefix of its IPv6 network be?

A. 1723:1100:1::/48
B. FFFF:AC1F:6401::/16
C. AC1F:6401::/32
D. 2002:AC1F:6401::/48
E. 3FFE:AC1F:6401::/32

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 348
An EUI-64 bit address is formed by inserting which 16-bit value into the MAC address of a device?

A. 3FFE
B. FFFE
C. FF02
D. 2001

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 349
By default, which type of IPv6 address is used to build the EUI-64 bit format?

A. unique-local address
B. IPv4-compatible IPv6 address
C. link-local address
D. aggregatable-local address

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Reference:

https://howdoesinternetwork.com/2013/slaac-ipv6-stateless-address-autoconfiguration

QUESTION 350
What is the minimum privilege level to enter all commands in usermode?

A. Level 1
B. Level 0
C. Level 14
D. Level 15

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 351
Which of the following situations results in a routing loop?

A. when you have a single point of redistribution
B. when you use NAT translation on the edge of your network
C. when you implement contiguous IP routing blocks
D. when you implement noncontiguous IP routing blocks
E. when you have multiple points of redistribution

Correct Answer: E
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 352
Which two options are limitations of stateful NAT64? (Choose Two)

A. It is unable to route VRF traffic.
B. It is unable to route multicast traffic.
C. It supports FTP traffic only with an ALG.
D. It supports DNS64 only.
E. Layer 4 supports TCP only

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Restrictions for Configuring Stateful Network Address Translation 64

• Applications without a corresponding application-level gateway (ALG) may not work properly with the
Stateful NAT64 translator.
• IP Multicast is not supported.
• The translation of IPv4 options, IPv6 routing headers, hop-by-hop extension headers, destination option
headers, and source routing headers is not supported.
• Virtual routing and forwarding (VRF)-aware NAT64 is not supported.
• When traffic flows from IPv6 to IPv4, the destination IP address that you have configured must match a
stateful prefix to prevent hairpinning loops. However, the source IP address (source address of the IPv6 host)
must not match the stateful prefix. If the source IP address matches the stateful prefix, packets are dropped.
Hairpinning allows two endpoints inside Network Address Translation (NAT) to communicate with each
other, even when the endpoints use only each other's external IP addresses and ports for communication.
• Only TCP and UDP Layer 4 protocols are supported for header translation.
• Route maps are not supported.
• Application-level gateways (ALGs) FTP and ICMP are not supported.
• In the absence of a pre-existing state in NAT64, stateful translation only supports IPv6-initiated sessions.
• If a static mapping host-binding entry exists for an IPv6 host, the IPv4 nodes can initiate communication. In
dynamic mapping, IPv4 nodes can initiate communication only if a host-binding entry is created for the IPv6
host through a previously established connection to the same or a different IPv4 host. For dynamic mapping
rules that use Port Address Translation (PAT), host-binding entries cannot be created because IPv4-initiated
communication is not possible through PAT.
• Both NAT44 (static, dynamic and PAT) configuration and stateful NAT64 configuration are not supported on
the same interface.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf

QUESTION 353
Which next hop is going to be used for 172.17.1.0/24 ?

A. 10.0.0.1
B. 192.168.1.2
C. 10.0.0.2
D. 192.168.3.2

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
The > indicates the best route to the destination 172.17.1.0/24
Reference: https://www.cisco.com/c/en/us/td/docs/ios/iproute_bgp/command/reference/irg_book/irg_bgp5.html#wp1156281

QUESTION 354
What are two limitations when using NPTv6 for IPv6-to-IPv6 address translation?

A. stateful address translation
B. a limit of 32 1-to-1 translations
C. lack of overloading functionality
D. identify all interfaces NAT inside or outside
E. 1-to-1 prefix rewrite
F. mismatched prefix allocations

Correct Answer: CF
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

So what is NPTv6? NPTv6 is simply rewriting IPv6 prefixes. If your current IPv6 prefix is 2001:db8:cafe::/48
then using NPTv6 it would allow you to change it to 2001:db8:fea7::/48 – that is it.

It is a one for one prefix rewrite – you can’t overload it, have mismatching prefix allocations sizes, re-write
ports or anything else. Importantly, it doesn’t touch anything other than the prefix. Your network/host portion
remains intact with no changes.

http://www.howfunky.com/2012/02/ipv6-to-ipv6-network-prefix-translation.html

QUESTION 355
Which set of actions does a network engineer perform to set the IPv6 address of a DHCP relay server at
the VLAN interface level?

A. Enter the VLAN interface configuration mode and define the IPv6 address of a DHCP relay server
B. Enter the global configuration mode and enable the IPv6 DHCP relay
C. Enter the global configuration mode, enable IPv6 DHCP relay from interface configuration mode and
define the IPv6 address of a DHCP relay server
D. Enter the VLAN interface configuration mode, enable IPv6 DHCP relay, and define the IPv6 address of
a DHCP relay server

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

You can accept DHCP requests from clients on the associated context or VLAN interface and enable the
DHCP relay agent by using the ipv6 dhcp relay enable command (for IPv6) or the ip dhcp relay enable
command (for IPv4).
The DHCP relay starts forwarding packets to the DHCP server address specified in the ipv6 dhcp relay
server command or the ip dhcp relay server command for the associated context or VLAN interface.

An example of how to set the IPv6 address of a DHCP relay server at the VLAN interface level:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ipv6 dhcp relay enable
host1/Admin(config-if)# ipv6 dhcp relay server 2001:DB8:1::1/64

Reference: https://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/ACE_cr/if.html

QUESTION 356
Which two types of authentication does EIGRP offer? (Choose two)

A. TKIP
B. MD5
C. WPA
D. Plain text

Correct Answer: BD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The router uses two types of authentication:

• Simple password authentication (also called plain text authentication)—Supported by Intermediate
System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Routing Information Protocol
Version 2 (RIPv2)

• MD5 authentication—Supported by OSPF, RIPv2, BGP, and EIGRP

If the service password-encryption command is not used when implementing EIGRP authentication, the
key-string will be stored as plain text in the router configuration. If you configure the service password-
encryption command, the key-string will be stored and displayed in an encrypted form; when it is displayed,
there will be an encryption-type of 7 specified before the encrypted key-string.

EIGRP originally only supported MD5 authentication but since IOS 15.1(2)S and 15.2(1)T we can also use
SHA-256 authentication. Nowadays, this form of authentication is far more secure than MD5.

They ask for 2 options. The one that we know is MD5, and the one closest to reality is plain text. However, I
didn't find an official article that mentioned plain text.

Plain text is NOT supported in EIGRP.

EIGRP supports only MD5 and SHA, but this is the more acceptable choice.

QUESTION 357
Refer to the following:

Logging Console 7

Which option is one of the effects of entering this command on a Cisco IOS router, with no additional logging
configuration?

A. Debug messages can be seen on the console by enabling "terminal monitor."
B. Debug messages are logged only on active console connections.
C. A user that is connected via SSH sees level 7 messages
D. The router can experience high CPU utilization

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

Console logging: By default, the router sends all log messages to its console port. Hence only the users that
are physically connected to the router console port can view these messages.

The router does not check if a user is logged into the console port or a device is attached to it; if console
logging is enabled, messages are always sent to the console port, which can cause CPU load.

To stop the console logging, use the “no logging console” global configuration command. You might want to
limit the amount of messages sent to the console with the “logging console level” configuration command
(for example, logging console Informational).

Reference:

http://blog.router-switch.com/2013/12/configure-logging-in-cisco-ios/

QUESTION 358
Refer to the exhibit.

After configuring the routes, the network engineer executes the show ip route command. What are the
expected results?

A. Gateway of last resort is 10.0.2.1 to network 0.0.0.0
   10.0.0.0/24 is subnetted, 2 subnets
   C 10.0.2.0 is directly connected, FastEthernet0/0
   10.0.1.0 is directly connected, FastEthernet0/1
   S* 0.0.0.0/0 [1/0] via 10.0.2.1 [1/0] via 10.0.1.1
B. Gateway of last resort is 10.0.2.1 to network 0.0.0.0
   10.0.0.0/24 is subnetted, 1 subnet
   C 10.0.2.0 is directly connected, FastEthernet0/0
   S* 0.0.0.0/0 [1/0] via 10.0.2.1
C. Gateway of last resort is not set
D. Gateway of last resort is 10.0.1.1 to network 0.0.0.0
   10.0.0.0/24 is subnetted, 1 subnet
   C 10.0.1.0 is directly connected, FastEthernet0/1
   S* 0.0.0.0/0 [1/0] via 10.0.1.1

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 359
Which two statements about NTP stratum are true? (Choose two)

A. Stratum 15 indicates a device that is not synchronized
B. Stratum 1 devices receive their time from a peer that is connected directly to an authoritative time
source.
C. The highest stratum level a synchronized device can have is 16.
D. Stratum 2 devices receive their time from a peer that is connected directly to an authoritative time
source
E. Stratum 0 devices are connected directly to an authoritative time source
F. Stratum 1 devices are connected directly to an authoritative time source

Correct Answer: DF
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:


Reference:

https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/bsm/16-6-1/b-bsm-xe-16-6-1-asr920/bsm-time-calendar-set.html

QUESTION 360
Which two statements about OSPF E1 routes are true? (Choose two)

A. They are preferred over interarea routes
B. They use the OSPF cost from redistribution and the OSPF cost to the ASBR.
C. They are preferred over E2 routes
D. They use only the OSPF cost to the ASBR
E. They use only the OSPF cost from redistribution

Correct Answer: BC
Section: Mix Questions
Explanation

Explanation/Reference:
Reference:

http://blog.ine.com/2011/04/04/understanding-ospf-external-route-path-selection/

QUESTION 361
Refer to the exhibit.

The excerpt was taken from the routing table of router SATX.
Which option ensures that routes from 51.51.51.1 are preferred over routes from 52.52.52.2?

A. SATX(config-router)distance 90 51.51.51.1 0.0.0.0
B. SATX(config-router)distance 89.52.52.52.2 0.0.0.0
C. SATX(config-router)distance 90.52.52.52.2 0.0.0.0
D. SATX(config-router)administrative distance 91 51.51.51 0.0.0.0
E. SATX(config-router)distance 89 51.51.51.1 0.0.0.0
F. SATX(config-router)administrative distance 91 52.52.52.2 0.0.0.0

Correct Answer: E
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 362
Refer to the exhibit.

If this configuration is applied to a device that redistributes EIGRP routes into OSPF, which two statements
about the behavior of the device are true? (Choose two)

A. EIGRP routes appear in the routing table as E2 OSPF routes
B. The device router ID is set to Loopback0 automatically
C. The device redistributes all EIGRP networks into OSPF
D. EIGRP routes appear in the routing table as N2 OSPF routes
E. The device redistributes only classful EIGRP networks into OSPF.
F. EIGRP routes appear as type 3 LSAs in the OSPF database.

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 363
Refer to the exhibit.


A network engineer has configured NTP on a Cisco router, but the time on the router is still incorrect. What
is the reason for this problem?

A. The router is not syncing with the peer, even though the NTP request and response packets are being
exchanged.
B. The router is not syncing with peer, and the NTP request and response packets are not being
exchanged.
C. The router is syncing with the peer, and the NTP request and response packets are being exchanged.
D. The router is dropping all NTP packets.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

In the output you can see a * next to the IP address that is the primary NTP server.

Also, the 377 means everything was received and processed.
Negotiation done.

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc.html

377 = 1 1 1 1 1 1 1 1 Time 0: Last eight responses from server were received
376 = 1 1 1 1 1 1 1 0 Time 1: Last NTP response was NOT received (lost in network)
For values below 376, the last NTP response was received

QUESTION 364
Which value does a point-to-point GRE tunnel use to identify a peer?

A. MAC address
B. configured multicast address.
C. DLCI
D. IP address
E. VC ID

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 365
Where must a network engineer configure the ip helper-address command on a router?

A. on the global configuration mode
B. on the DHCP configuration
C. on the interface that will receive the broadcasts
D. on the interface that is closest to the destination DHCP server

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 366
Which two routers can do OSPF route summarization? (Choose two)

A. ABR
B. ASBR
C. Summary router
D. Internal router
E. Backbone router

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 367
Which of the following can cause an issue for uRPF?

A. Asymmetric routing
B. CEF not enabled
C. uRPF not applied to the traffic source
D. if it is used as ingress filtering

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 368
What is supported by a RADIUS server? (Choose two)

A. telnet
B. authentication
C. accounting
D. authorization
E. SSH

Correct Answer: BD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 369
What is shown with logging console 7?

A. Debugging and all above level
B. Information and all above level
C. Error and all above level
D. Emergencies and all above level

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

QUESTION 370
Choose the best IP SLA deployment cycle that reduces deployment time. (Choose four.)

A. baseline (network performance)
B. understand (network performance baseline)
C. Understand Quality results
D. quantify (results)
E. fine tune and optimize
F. Update Understanding

Correct Answer: ABDE
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

baseline (network performance), understand (network performance baseline), fine tune and optimize,
quantify (results)

Reference:

https://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017f8c9.html

QUESTION 371
Which two protocols are used to deploy a single Hub-DMVPN supporting Spoke-to-Spoke tunnels?
(Choose two)

A. MPLS
B. RSVP
C. NHRP
D. BFB
E. Multipoint GRE

Correct Answer: CE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 372
What would you configure on SNMPv3 to allow authentication and encryption?

A. authpriv
B. authnopriv
C. noauthnopriv
D. authmember

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The SNMPv3 Agent supports the following set of security levels:

+ NoAuthnoPriv: Communication without authentication and privacy.
+ AuthNoPriv: Communication with authentication and without privacy. The protocols used for
Authentication are MD5 and SHA (Secure Hash Algorithm).
+ AuthPriv: Communication with authentication and privacy. The protocols used for Authentication are MD5
and SHA; and for Privacy, DES (Data Encryption Standard) and AES (Advanced Encryption Standard)
protocols can be used. For Privacy Support, you have to install some third-party privacy packages.

QUESTION 373
If you run the command auto-cost reference-bandwidth 10000 on one of the routers in the network, what will
happen?

A. It will make 10 Gbps on all of them
B. it will make 1 Gbps on all of them
C. it will make 10 Gbps on this router only
D. it will remain the same on all links of the router

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

This command affects all the OSPF costs on the local router as all links are recalculated with formula:
cost = reference-bandwidth (in Mbps) / interface bandwidth
Therefore, in this case the command “auto-cost reference-bandwidth 10000” allows the local router to
calculate the link up to 10Gbps.

QUESTION 374
What does the command show ip vrf purple TOPOLOGY show?

A. shows the feasible successors for a specific route table
B. shows routing table for vrf purple
C. show topology table
D. show protocols to be used

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

From EIGRP Stub Score 95X

QUESTION 375

Which of the following is true?

A. Master is syncing and exchanging NTP packets successfully
B. Master is not syncing but exchanging NTP packets successfully
C. Master is not syncing and not exchanging NTP packets
D. All NTP packets are dropped

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

In the output you can see a * next to the IP address that is the primary NTP server.

Also, the 377 means everything was received and processed. Negotiation done.
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc

377 = 1 1 1 1 1 1 1 1 Time 0: Last eight responses from server were received
376 = 1 1 1 1 1 1 1 0 Time 1: Last NTP response was NOT received (lost in network)
For values below 376, the last NTP response was received

A pound sign (#) displayed next to a configured peer in the show ntp associations command output
indicates that the router isn’t syncing with the peer but NTP request and response packets are NOT
exchanged.

Reference: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc.html

QUESTION 376
Which of these can be used for IPv4 to IPv6 communication?

A. NAT-PT
B. ISATAP
C. L2 to L3 VPN
D. IPSec

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

NAT-PT provides IPv4/IPv6 protocol translation.
It resides within an IP router, situated at the boundary of an IPv4 network and an IPv6 network. By installing
NAT-PT between an IPv4 and IPv6 network, all IPv4 users are given access to the IPv6 network without
modification in the local IPv4-hosts (and vice versa).
Equally, all hosts on the IPv6 network are given access to the IPv4 hosts without modification to the local
IPv6-hosts.
This is accomplished with a pool of IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as
sessions are initiated across IPv4-IPv6 boundaries.

QUESTION 377
How to set up IP SLA to monitor jitter between the certain limits?

A. Timeout (not timer)
B. Frequency
C. Threshold
D. Queue-limit

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 378
How can you mitigate fragmentation issues between endpoints separated by a GRE tunnel?

A. PMTU
B. TCP MSS
C. windowing
D. ICMP DF bit

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:

The IP protocol was designed for use on a wide variety of transmission links. Although the maximum length
of an IP datagram is 65535, most transmission links enforce a smaller maximum packet length limit, called
an MTU. The value of the MTU depends on the type of the transmission link. The design of IP
accommodates MTU differences since it allows routers to fragment IP datagrams as necessary. The
receiving station is responsible for the reassembly of the fragments back into the original full size IP
datagram.

Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to
determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with
the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all
modern operating systems use it on endpoints.

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is willing to
accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP layer. The MSS
value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports
its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts.
The sending host is required to limit the size of data in a single TCP segment to a value less than or equal
to the MSS reported by the receiving host.
TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not handle the
case where there is a smaller MTU link in the middle between these two endpoints. PMTUD was developed
in order to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the
lowest MTU along the path from a packet’s source to its destination.

http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
(This link has some examples of how TCP MSS avoids IP fragmentation; they are too long to reproduce
here, so visit the link if you want to read them.)

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled
later.

QUESTION 379
Windows Server Syslog blocked by ACL ando.?

A. port UDP 514
B. port UDP 541
C. port UDP 520
D. port UDP 521

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 380
Which two statements are benefits of BGP peer groups? (Choose two.)

A. Each neighbor in a peer group can have different inbound BGP policies.
B. A configuration change can be applied simultaneously to all peers in the peer group.
C. They use soft updates to minimize bandwidth consumption.
D. They can optimize backdoor routes.
E. They support groups of paths.
F. They can be updated via multicast.

Correct Answer: BC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 381
Which two statements about AAA with the local database are true? (Choose two.)

A. It supports a limited number of usernames and passwords.
B. The local database can serve only as a backup authentication method.
C. By default, it is queried before a TACACS+ or RADIUS server.
D. Accounting is not supported locally.
E. Authorization is available only for one-time use logins.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 382
Which three causes of unicast flooding are true? (Choose three.)

A. asymmetric routing
B. forwarding table overflow
C. excess space in the forwarding table
D. consistent STP topology
E. symmetric routing
F. changes in the STP topology

Correct Answer: ABF
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 383
A company is deploying a multicast application that must be accessible between sites, but must not be
accessible outside of the organization. Based on the scoping requirements, the multicast group address for
the application will be allocated out of which range?

A. FF02::/16
B. FF08::/16
C. FF0E::/16
D. FF00::/16

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 384
What is the default authentication in RIPv2 when authentication is enabled?

A. SHA1 authentication
B. MD5 authentication
C. plaintext authentication
D. enable password authentication

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Cisco implementation of RIPv2 supports two modes of authentication: plain text authentication and
Message Digest 5 (MD5) authentication. Plain text authentication mode is the default setting in every RIPv2
packet, when authentication is enabled. Plain text authentication should not be used when security is an
issue, because the unencrypted authentication password is sent in every RIPv2 packet.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13719-50.html

QUESTION 385
Which LSA type on OSPFv3 is used for link-local updates?

A. Link LSA type 8
B. Link LSA type 5
C. Link LSA type 6
D. Link LSA type 4

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
LSAs that are responsible to carry IPv6 Routes:
LSA Type 8: Link LSA
Link Local scope: LSA is only flooded on the local link and is further used for the LINK-LSA
Reference: https://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/212828-link-lsa-lsa-type-8-and-intra-area-pr.html

QUESTION 386
What is the role of a route distinguisher in a VRF-Lite setup implementation?

A. It manages the import and export of routes between two or more VRF instances.
B. It enables multicast distribution for VRF-Lite setups to enhance EGP routing protocol capabilities.
C. It extends the IP address to identify which VRF instance it belongs to.
D. It enables multicast distribution for VRF-Lite setups to enhance IGP routing protocol capabilities.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 387
A customer asks its service provider for VPN support for IPv4 and IPv6 address families.

Which command enables a VRF that supports these requirements?

A. Router (config-vrf)#rd 004:006
B. Router (config-vrf)#route-target 004:006
C. Router (config)#vrf definition CUSTOMER
D. Router(config)#ip vrf CUSTOMER

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/ios/software/15_4_1_cg/vrf_cgr1000.html

QUESTION 388
Which two tasks must you perform to configure a BGP peer group? (Choose two.)

A. Activate each neighbor.
B. Activate the default route.
C. Configure the soft-update value.
D. Assign neighbor to the peer-group.
E. Set the advertisement interval.

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 389
Refer to the exhibit. Which effect of this configuration is true?

A. It removes VTP from the interface.
B. It designates the interface as a GRE tunnel endpoint.
C. It designates the interface as an EVN trunk.
D. It configures 802.1q trunking on the interface.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 390
Which two features were added in MSCHAP version 2? (Choose two.)

A. backwards-compatibility with MSCHAP version 1
B. using the MD5 hash for stronger security
C. mutual authentication between peers
D. ability to change an expired password
E. using three-way handshakes for authentication

Correct Answer: CD
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
MSCHAP V2 authentication is an updated version of MSCHAP that is similar to but incompatible with
MSCHAP Version 1 (V1). MSCHAP V2 introduces mutual authentication between peers and a Change
Password feature.
Reference: https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-mschap-ver2.html

QUESTION 391
A network engineer wants to monitor hop-by-hop response time on the network. Which IP SLA operation
accomplishes this task?

A. ICMP path jitter
B. ICMP-echo
C. ICMP path echo
D. UDP-echo

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 392
Which location within the network is preferred when using a dedicated router for Cisco IP SLA operations?

A. user edge
B. distribution edge
C. access edge
D. provider edge

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/tk920
technologies_white_paper09186a00802d5efe.html

QUESTION 393
Refer to the exhibit.
Routers R2, R3, R4, and R5 have OSPF enabled.

What should be configured on the routers in area 1 to ensure that all default summary routes and
redistributed EIGRP routes will be forwarded from R6 to area 1, and only a default route for all other OSPF
routes will be forwarded from R5 to area 1?

A. R5(config-router)# area 1 stub
   R6(config-router)# area 1 stub
B. R5(config-router)# area 1 stub no-summary
   R6(config-router)# area 1 stub
C. R5(config-router)# area 1 nssa
   R6(config-router)# area 1 nssa
D. R5(config-router)# area 1 nssa no-summary
   R6(config-router)# area 1 nssa

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 394
When a new PC is connected to the network, which step must it take first to receive a DHCP address?

A. It sends a DHCPREQUEST message to 255.255.255.255.
B. It sends a DHCPDISCOVER message to 255.255.255.255.
C. It sends a DHCPHELLO message to the DHCP server IP address.
D. It sends a DHCPREQUEST message to the DHCP server IP address.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 395
Which IP SLA operation can be used to simulate voice traffic on a network?

A. TCP-connect
B. ICMP-echo
C. ICMP-jitter
D. UDP-jitter

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 396
How can you minimize unicast flooding in a network?

A. Set the router’s ARP timeout value to less than the timeout value for Layer 2 forwarding table entries.
B. Set the router’s ARP timeout value to be the same as timeout value for Layer 2 forwarding table entries.
C. Configure HSRP on two routers, with one subnet preferred on the first router and a different subnet
preferred on the second router.
D. Set the router’s ARP timeout value to greater than the timeout value for Layer 2 forwarding table entries.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 397
Which two statements about DMVPN are true? (Choose two.)

A. Multicast traffic is not supported.
B. It requires full-mesh connectivity on the network.
C. IPsec encryption is not supported with statically addressed spokes.
D. It uses NHRP to create a mapping database of spoke addresses.
E. It supports dynamic addresses for spokes in a hub-and-spoke VPN topology.

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 398
Which two actions are common methods for migrating a network from one protocol to another? (Choose
two.)

A. changing the relative administrative distances of the two routing protocols
B. changing the network IP addresses and bringing up the new IP addresses using the new routing
protocol.
C. removing the current routing protocol to the new routing protocol
D. redistributing routes from the current routing protocol to the new routing protocol
E. disabling IP routing globally and implementing the new routing protocol

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 399
Refer to the exhibit.

Which statement about redistribution from BGP into OSPF process 10 is true?

A. Network 172.16.1.0/24 is not redistributed into OSPF.
B. Network 172.16.1.0/24 is redistributed with administrative distance of 1.
C. Network 10.10.10.0/24 is not redistributed into OSPF.
D. Network 10.10.10.0/24 is redistributed with administrative distance of 20.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 400
Which two statements are differences between AAA with TACACS+ and AAA with RADIUS? (Choose two.)

A. Unlike TACACS+, RADIUS sends packets with only the password encrypted.
B. Only TACACS+ uses TCP.
C. Only RADIUS uses TCP.
D. Unlike TACACS+, RADIUS supports accounting and authorization only.
E. Only TACACS+ combines authentication and authorization.

Correct Answer: AB
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html#comp_udp_tcp

QUESTION 401
Which statement about the metric calculation in EIGRP is true?

A. The mean value of bandwidth between the source and destination is used.
B. The minimum bandwidth between the source and destination is used.
C. The minimum delay along the path is used.
D. The maximum delay along the path is used.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 402
Which statement best describes the following two OSPF commands, which are used to summarize routes?

area 0 range 192.168.110.0 255.255.0.0
summary-address 192.168.110.0 255.255.0.0

A. The area range command specifies the area where the subnet resides and summarizes it to other
areas. The summary-address command summarizes external routes.
B. The area range command summarizes subnets for a specific area. The summary-address command
summarizes a subnet for all areas.
C. The area range command defines the area where the network resides. The summary-address
command enables autosummarization.
D. The area range command defines the area where the network resides. The summary-address command
summarizes a subnet for all areas.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 403
Refer to the exhibit.

Network users on the 10.1.2.0/24 subnet have a default gateway of 10.1.2.254.

Which command will configure this gateway?

A. router(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0/1
B. router(config)#ip route vrf BLUE 0.0.0.0 0.0.0.0 10.1.2.254
C. router(config)#ip route vrf RED 0.0.0.0 0.0.0.0 10.1.2.254
D. router(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.254

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 404
Which two statements about PPPoE packet types are true? (Choose two.)

A. PADR is a broadcast packet sent from the client to request a new server.
B. PADO is a broadcast reply packet sent to the client.
C. PADO is a unicast reply sent to the client.
D. PADI is an initialization packet sent as a broadcast message.
E. PADR is a unicast confirmation packet sent to the client.

Correct Answer: CD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 405
What is VRF-Lite?

A. VRF without MPLS
B. VRF without VPN
C. VRF without Cisco Express Forwarding switching
D. VRF without independent routing tables

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 406
Refer to the exhibit.

How can you change this configuration so that when user CCNP logs in, the show run command is
executed and the session is terminated?

A. Assign privilege level 15 to the CCNP username
B. Assign privilege level 14 to the CCNP username
C. Add the access-class keyword to the aaa authentication command.
D. Add the autocommand keyword to the username command.
E. Add the autocommand keyword to the aaa authentication command.
F. Add the access-class keyword to the username command.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/username.htm

QUESTION 407
A network engineer executes the show ip flow interface command. Which type of information is displayed
on the interface?

A. NetFlow configuration
B. IP Cisco Express Forwarding statistics
C. route cache information
D. error statistics

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/command/nf-cr-book.pdf

QUESTION 408
Which IOS commands can you use to limit the CPU impact of log generation and transmission on an IOS
router?

A. You can use the ip access-list logging limit command in conjunction with the logging rate-interval
command.
B. You can use the ip access-list syslog-logging interval command in conjunction with the logging rate-limit
command.
C. You can use the ip access-list logged interval command in conjunction with the logged rate-limit
command.
D. You can use the ip access-list logging interval command in conjunction with the logging rate-limit
command.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html

QUESTION 409
A network engineer wants to implement an SNMP notification process for host machines using the
strongest security available. Which command accomplishes this task?

A. router(config)#snmp-server host 172.16.200.225 traps v1
B. router(config)#snmp-server host 172.16.200.225 traps v2c auth
C. router(config)#snmp-server host 172.16.200.225 traps v3
D. router(config)#snmp-server host 172.16.200.225 traps v2c

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 410
Refer to the exhibit.

R1 is configured with VRF-Lite and can ping R2. R2 is fully configured, but it has no active EIGRP
neighbors in vrf Yellow. If the configuration of R2 is complete, then which issue prevents the EIGRP 100
neighbor relationship in vrf Yellow from forming?

A. The interface IP addresses are not in the same subnet.
B. The no auto-summary command is preventing the EIGRP neighbor relationship from forming.
C. EIGRP 100 network 192.168.1.0/24 is configured in the global routing table on R1.
D. There is a Layer 1 issue that prevents the EIGRP neighbor relationship from forming.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 411
If you want to migrate an IS-IS network to another routing protocol with a lower AD, which two protocols do
you consider? (Choose two.)

A. RIP
B. UDP
C. TCP/IP
D. EIGRP
E. OSPF
F. internal BGP

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://en.wikipedia.org/wiki/Administrative_distance

QUESTION 412
Which action is the most efficient way to handle route feedback when converting a RIPv2 network to
OSPF?

A. Implementing IP prefix lists
B. Implementing distribute lists
C. Implementing route maps with access lists.
D. Implement route tags.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 413
Which functions are included in the two-message rapid exchange that a DHCPv6 client can receive from a
server?

A. advertise and request
B. solicit and reply
C. solicit and request
D. advertise and reply

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-689821.html

QUESTION 414
Which two statements are examples of the differences between IPv4 and IPv6 EIGRP? (Choose two.)

A. Network command is not used in IPv6.
B. DUAL is used for route calculations.
C. IPv6 keyword is used in many EIGRP commands.
D. DUAL is not used for route calculations.
E. Network command is used in IPv6.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: http://www.ciscopress.com/articles/article.asp?p=2137516&seqNum=4

QUESTION 415
Which statement about the split-horizon rule for distance vector routing protocols is true?

A. A router advertises a route to an unreachable network with an infinite metric.
B. A router does not advertise routes to any neighboring router.
C. A router advertises routes back out the interface on which it learned them with an infinite metric.
D. A router does not advertise routes back out the interface on which it learned them.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 416
A customer requests policy-based routing. Packets arriving from source 209.165.200.225 should be sent to
the next hop at 209.165.200.227, with the precedence bit set to priority. Packets arriving from source
209.165.200.226 should be sent to the next hop at 209.165.200.228, with the precedence bit set to critical.

Which configuration completes these requirements?

A. access-list 1 permit 209.165.200.225
access-list 2 permit 209.165.200.226
!
route-map Texas permit 10
match ip address 1
set ip precedence critical
set ip next-hop 209.165.200.227
!
route-map Texas permit 20
match ip address 2
set ip precedence priority
set ip next-hop 209.165.200.228
!
interface ethernet 1
ip policy route-map Texas
B. access-list 1 permit 209.165.200.225
access-list 2 permit 209.165.200.226
!
route-map Texas permit 10
match ip address 1
set ip precedence priority
set ip next-hop 209.165.200.227
!
route-map Texas permit 20
match ip address 2
set ip precedence critical
set ip next-hop 209.165.200.228
!
interface ethernet 1
ip policy route-map Texas
C. access-list 1 permit 209.165.200.228
access-list 2 permit 209.165.200.227
!
route-map Texas permit 10
match ip address 1
set ip precedence priority
set ip next-hop 209.165.200.226
!
route-map Texas permit 20
match ip address 2
set ip precedence critical
set ip next-hop 209.165.200.225
!
interface ethernet 1
ip policy route-map Texas
D. access-list 1 permit 209.165.200.227
access-list 2 permit 209.165.200.228
!
route-map Texas permit 10
match ip address 1
set ip precedence priority
set ip next-hop 209.165.200.225
!

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 417
Refer to the exhibit.

Which routes from OSPF process 5 are redistributed into EIGRP?

A. E1 and E2 subnets matching access list TO-OSPF
B. E1 and E2 subnets matching prefix list TO-OSPF
C. only E2 subnets matching access list TO-OSPF
D. only E1 subnets matching prefix list TO-OSPF

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 418
Which SNMP security level is available across all versions of the protocol?

A. authPriv
B. NoAuthPriv
C. AuthNoPriv
D. NoAuthNoPriv

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 419
Which address is an IPv6 multicast address?

A. 2002:0:0:0:0:0:0:2
B. 0002:0:0:0:0:0:0:2
C. FF02:0:0:0:0:0:0:2
D. FE02:0:0:0:0:0:0:2

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 420
Which two statements about VRF-Lite configurations are true? (Choose two.)

A. They support IS-IS.
B. Each customer has its own dedicated TCAM resources.
C. Different customers can have overlapping IP addresses on different VNs.
D. They support the exchange of MPLS labels.
E. They support a maximum of 512,000 routes.
F. Each customer has its own private routing table.

Correct Answer: CF
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/vrf.pdf

QUESTION 421
What is the default maximum segment size for TCP traffic?

A. 536
B. 1492
C. 1500
D. 1508
E. 3340
F. 4096

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Reference: https://en.wikipedia.org/wiki/Maximum_segment_size

QUESTION 422
A network engineer has configured an IOS router to synchronize its clock with a Windows server. After
several minutes, the network engineer notices that the local time on the router does not match the time on
the Windows server. What is the reason for this?

A. Either a firewall between the two devices or an ACL on the router is blocking UDP port 123.
B. Either a firewall between the two devices or an ACL on the router is blocking TCP port 958.
C. Either a firewall between the two devices or an ACL on the router is blocking UDP port 958.
D. Either a firewall between the two devices or an ACL on the router is blocking TCP port 123.

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 423
Which types of LSAs are present in the stub area?

A. LSA type 1, 2, 3, 4, and 5
B. LSA type 3 and 5
C. LSA type 1 and 2
D. LSA type 1, 2 and 3

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 424
Which command creates a manual summary on an interface when using EIGRP?

A. summary-address eigrp 100 172.32.0.0 255.255.254.0
B. ip summary-address eigrp 100 172.32.0.0 255.255.254.0
C. area 100 range 172.32.0.0 255.255.254.0
D. ip summary-address 100.172.32.0.0 255.255.254.0

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 425
Which two steps must you perform to allow access to a device when the connection to a remote TACACS+
authentication server fails? (Choose two.)

A. Configure accounting to reference the log of previously authenticated connections.
B. Include the local keyword in the AAA configuration.
C. Configure the device to accept Telnet and SSH connections.
D. Remove the aaa new-model command from the global configuration.
E. Configure a local username and password on the device.

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 426
Which statement about the IP SLA feature is true?

A. It keeps track of the number of packets and bytes that are observed in each flow by storing information
in a cache flow.
B. It classifies various traffic types by examining information within Layers 3 through 7.
C. It measures how the network treats traffic for specific applications by generating traffic that bears similar
characteristics to application traffic.
D. It ensures that there are appropriate levels of service for network applications.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 427
Which feature mitigates fragmentation issues caused by endpoint hosts?

A. TCP Flow Control
B. ICMP DF bit
C. PMTUD
D. TCP MSS

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 428
Which two LSA types were introduced to support OSPF for IPv6? (Choose two.)

A. type 9
B. type 5
C. type 10
D. type 8
E. type 7

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 429
Which two types of traffic can benefit from LLQ? (Choose two.)

A. email
B. video
C. file transfer
D. telnet
E. voice

Correct Answer: BE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 430

Refer to the exhibit. Based on Cisco best practice, which statement about the output is true?

A. The output should be analyzed by a network engineer before executing other show commands on an
IOS router in production.
B. The output should be analyzed by a network engineer before executing any debug commands on an
IOS router in production.
C. The output should be analyzed by a network engineer before allocating additional memory and CPU
usage to processes on an IOS router in production.
D. The output should be analyzed by a network engineer before executing any configuration commands on
an IOS router in production.

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 431
Users were moved from the local DHCP server to the remote corporate DHCP server. After the move, none
of the users were able to use the network.
Which two issues will prevent this setup from working properly? (Choose two.)

A. The route to the new DHCP server is missing.
B. The broadcast domain is too large for proper DHCP propagation.
C. 802.1X is blocking DHCP traffic.
D. Auto-QoS is blocking DHCP traffic.
E. The DHCP server IP address configuration is missing locally.

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 432
Choose the correct statements about Dynamic NAT. (Choose two.)

A. inside local
B. outside local
C. this list will be translated to this subnet (which is pool)
D. outside global

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 433
Which two conditions can cause BGP neighbor establishment to fail? (Choose two.)

A. There is an access list blocking all TCP traffic between the two BGP neighbors
B. The IBGP neighbor is not directly connected.
C. BGP synchronization is enabled in a transit autonomous system with fully-meshed IBGP neighbors.
D. The BGP update interval is different between the two BGP neighbors
E. The BGP neighbor is referencing an incorrect autonomous system number in its neighbor statement.

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 434
A network access server using TACACS+ for AAA operations receives an error message from the
TACACS server.

Which action does the network access server take next?

A. It attempts to authenticate the user against RADIUS
B. It restarts and attempts to reconnect to the TACACS+ server
C. It rejects the user access request
D. It checks the method list for an additional AAA option

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 435
Which purpose of the AAA accounting feature is true when you use TACACS+ authentication?

A. It prompts users to change their passwords when they expire
B. It saves a timestamped record of user activity
C. It controls the activities that the user is permitted to perform
D. It verifies the user identity

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 436
Which LAN feature enables a default gateway to inform its end devices when a better path to a destination
is available?

A. HSRP
B. ICMP unreachable messages
C. ICMP redirects
D. Proxy ARP

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 437
Which routing protocol searches for a better route through other autonomous systems to achieve
convergence?

A. Link-state
B. Hybrid
C. Path vector
D. Distance vector

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 438
For RIPv2, how long does a static route remain if the point-to-point interface is down?

A. 30s
B. 60s
C. 180s
D. 240s

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 439
Which task must you perform to implement EIGRP for IPv6 on a device?

A. Use the ipv6 cef command to enable Cisco Express Forwarding on the device.
B. Configure a loopback interface on the device.
C. Manually configure the router ID
D. Statically configure a neighbor statement

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 440
Which criterion does the BGP maximum paths feature use for load balancing?

A. MED
B. local preference
C. weight
D. router ID

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 441
Which option is the best for protecting CPU utilization on a device?

A. fragmentation
B. COPP
C. ICMP redirects
D. ICMP unreachable messages

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 442
What are two important differences between OSPFv2 and OSPFv3? (Choose two.)

A. Only OSPFv3 provides support for IPv6.
B. Only OSPFv3 automatically chooses a router ID for the local device.
C. Only OSPFv3 automatically enables interfaces when you create them in device configuration mode.
D. Only OSPFv3 supports multiple OSPF instances on a single link.
E. Only OSPFv3 automatically detects OSPF neighbors on an NBMA interface.

Correct Answer: AD
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 443
Which adverse event can occur as a consequence of asymmetric routing on the network?

A. vulnerability to a man-in-the-middle attack
B. inadvertent HSRP active router preemption
C. errdisabled port
D. unicast flooding

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 444
Which STP feature can reduce TCNs on ports that are connected to end devices?

A. BPDU guard
B. Root guard
C. PortFast
D. BackboneFast

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 445
Which command must you configure globally to support RIPng?

A. ip routing
B. ip cef
C. ipv6 enable
D. ipv6 unicast-routing

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 446
Which protocol does VRF-Lite support?

A. IS-IS
B. ODR
C. EIGRP
D. IGRP

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 447
Which two statements about NAT in a DMVPN environment are true? (Choose two.)

A. A hub router can be behind a dynamic NAT on a device.
B. Spoke routers can reside only on the public side of a NAT device.
C. Two spokes can establish session among themselves using PAT behind different NAT devices.
D. A spoke router can be represented by a static NAT on a device.
E. A hub router can use static NAT for its public IP address.

Correct Answer: DE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 448
Which adverse circumstance can the TTL feature prevent?

A. routing loops
B. DoS attacks
C. link saturation
D. CAM table overload

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 449
Refer to the exhibit. You want router R1 to perform unequal-cost routing to the 172.168.10.0/24 network.

What is the smallest EIGRP variance value that you can configure on R1 to achieve this result?

A. 1
B. 2
C. 3
D. 4

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 450
Which IP SLA operation can be used to simulate voice traffic on a network?

A. TCP connect
B. UDP-jitter
C. ICMP-echo
D. ICMP-jitter

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 451
Device R1 has 1 Gigabit and 10 Gigabit Ethernet interfaces. Which command do you enter so that it takes
full advantage of OSPF costs?

A. R1(config-router)#auto-cost reference-bandwidth 10000
B. R1(config-route-map)#set metric 10000000000
C. R1(config-if)#ip ospf cost 10000
D. R1(config-router)#auto-cost reference-bandwidth 10000000000
E. R1(config-if)#ip ospf cost 100000000
F. R1(config-route-map)#set metric 10000

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 452
In which network environment is AAA with RADIUS most appropriate?

A. when AppleTalk Remote Access is in use
B. when NetBIOS Frame Control Protocol is in use
C. when users require access to only one device at a time
D. when you need to separate all AAA services

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 453
Which value determines the amount of traffic that a network path can hold in transit?

A. route cache setting
B. maximum window size
C. bandwidth-delay product
D. MSS

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 454
A user is attempting to authenticate on a device connected to a TACACS+ server, but the server requires
more information from the user to complete authentication.

Which response does the TACACS+ daemon return?

A. ACCEPT
B. ERROR
C. REJECT
D. CONTINUE

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 455
Which security feature can protect DMVPN tunnels?

A. IPsec
B. TACACS+
C. RTBH
D. RADIUS

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 456
What happens when two EIGRP peers have mismatched K values?

A. The two devices are unable to correctly perform equal-cost routing
B. The two devices fail to perform EIGRP graceful shutdown when one device goes down
C. The two devices fail to form an adjacency
D. The two devices are unable to correctly perform unequal-cost load balancing

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 457
When an EIGRP router discovers a new neighbor, which packet type does the router send to help the
neighbor build its topology table?

A. Replies
B. Requests
C. Updates
D. Queries

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 458
Which two statements about ICMP unreachable messages are true? (Choose two.)

A. They are sent when a route to the destination is missing from the routing table
B. They can be enabled and disabled on a device only at a global level
C. They are sent when a destination address responds to an ARP request
D. They include the entire packet so that the source can identify the process that generated the message
E. They include a portion of the original data so that the source can identify the process that generated the
message

Correct Answer: AE
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 459
Which password takes precedence if you configure multiple passwords for Telnet connections to a Cisco
IOS device?

A. Console line password
B. Enable secret password
C. Enable password
D. Aux line password

Correct Answer: B
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 460
Which two statements about GRE tunnel keys are true? (Choose two.)

A. The key ID must be the same on each device.
B. They prevent the injection of unwanted frames.
C. They prevent the injection of unwanted packets.
D. They must be stored to a keychain.
E. They provide the highest level of security that is available.

Correct Answer: AC
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 461
Which criterion does BGP evaluate first when determining the best path?

A. MED value
B. neighbor address
C. local preference value
D. weight

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 462
When does a Cisco router send an ICMP redirect?

A. when the packet's source and destination VRFs are different
B. when the packet is source-routed
C. when the packet's destination has load-balanced entries in the route table
D. when the packet's ingress and egress interfaces are the same

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 463
You are configuring a static route. Which action must you take to avoid the possibility of recursive routing?

A. Use the ip route command to specify the next-hop IP address only
B. Specify the next hop as a directly connected interface
C. Use the ip route command to specify both the next-hop IP address and the connected interface
D. Use the ip route command to specify the connected interface only

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 464
Refer to the exhibit. R1 and R2 are unable to establish an EIGRP adjacency.
Which action corrects the problem?

A. Change the eigrp router-id on one of the routers so that values on the two routers are different.
B. Add the no auto-summary command to the R2 configuration so that it matches the R1 configuration
C. Change the autonomous system number on one of the routers so that each router has different values
D. Change the IP address and subnet mask on R2 so that it is on the same subnet as R1.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 465
Which routing protocol routes traffic through the best path and second best path at the same time?

A. EIGRP
B. BGP
C. OSPF
D. RIP

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 466
A router with default RIPv2 settings loses connectivity to its next-hop neighbor.
How long does the router wait before removing the route to the next hop from its route table?

A. 30 seconds
B. 60 seconds
C. 180 seconds
D. 240 seconds

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 467
Refer to the exhibit. You notice that traffic from R1 to the 192.168.10.0/24 network prefers the path through
R3 instead of the least-cost path through R2.

What is the most likely reason for this route selection?

A. OSPF prefers external routes over interarea routes.
B. OSPF prefers interarea routes over intra-area routes.
C. OSPF prefers external routes over intra-area routes.
D. OSPF prefers intra-area routes over interarea routes.

Correct Answer: D
Section: Mix Questions
Explanation

Explanation/Reference:

QUESTION 468
OSPF chooses routes in which order, regardless of a route's administrative distance and metric?

A. Intra-Area (O) - Inter-Area (O IA) - External Type 1 (E1) - External Type 2 (E2) - NSSA Type 1 (N1) -
NSSA Type 2 (N2)
B. Intra-Area (O) - Inter-Area (O IA) - NSSA Type 1 (N1) - NSSA Type 2 (N2) - External Type 1 (E1) -
External Type 2 (E2)
C. Intra-Area (O) - Inter-Area (O IA) - NSSA Type 1 (N1) - External Type 1 (E1) - NSSA Type 2 (N2) -
External Type 2 (E2)
D. Intra-Area (O) - NSSA Type 1 (N1) - External Type 1 (E1) - Inter-Area (O IA) - NSSA Type 2 (N2) -
External Type 2 (E2)
E. Intra-Area (O) - Inter-Area (O IA) - NSSA Type 1 (N1) - External Type 1 (E1) - NSSA Type 2 (N2) -
External Type 2 (E2)
F. NSSA Type 1 (N1) - NSSA Type 2 (N2) - Intra-Area (O) - Inter-Area (O IA) - External Type 1 (E1) -
External Type 2 (E2)

Correct Answer: A
Section: Mix Questions
Explanation

Explanation/Reference:
Explanation:
Regardless of a route’s metric or administrative distance, OSPF will choose routes in the following order:

Intra-Area (O)
Inter-Area (O IA)
External Type 1 (E1)
External Type 2 (E2)
NSSA Type 1 (N1)
NSSA Type 2 (N2)

QUESTION 469
Which condition must be met before two EVN devices can connect?

A. One VLAN interface must be configured between devices.
B. An EtherChannel must be configured with at least 2 interfaces connected between the devices.
C. A trunk interface must be configured between devices.
D. A fiber connection must be established between the devices.

Correct Answer: C
Section: Mix Questions
Explanation

Explanation/Reference:
